RISK ASSESSMENT QUESTIONNAIRES



Purpose: To establish a risk rating for each system in a bank, and then rank the systems by risk.

Sources: Concepts obtained from FFIEC IS Examination Handbook, OCC Bulletin 98-3, and OCC Bulletin 99-9.

Methodology: Collect responses from the business and IT areas using the two questionnaires shown below. Use the Reference Chart shown below to see which questionnaire items bear on each risk factor, so the answers can be used to assign ratings on the Risk Chart. Using a numeric risk scale that makes sense in your environment (we use a scale of 1-5, with 5 being high risk), assign a numeric rating to each row item. When a chart has been completed for each system in your environment, the systems can be ranked by risk exposure.

System Name ________________

Risk Chart

|Risk Factors |Explanation |Rating |
|1. Quantity of Risk | | |
|Transaction Dollar Exposure | | |
|Transaction Volume | | |
|Complexity of Hardware and Software | | |
|Volume and Risk exposures relative to internal control exceptions | | |
|Potential for financial loss due to: error or fraud; competitive disadvantage; incomplete information; operational disruption; or personnel factors (experience / staffing / turnover) | | |
|Out-sourcing (Controls over external activities) | | |
|Internet or other new business activities | | |
|2. Quality of Risk | | |
|Separation of Risk Taking and Risk Management responsibilities | | |
|Ongoing Risk Identification and Risk Measurement Systems to monitor risk | | |
|Policies for oversight responsibility of the systems, Policies for Systems Development and Policies for Change Management | | |
|Monitoring Systems Capacity | | |
|Assuring the Integrity and Security of Systems | | |
|Documenting System (programming) History | | |
|Effective Internal Accounting Controls | | |
|Effective Recovery Planning, Training & Testing | | |
|Other Risks Which Are Identified by the Auditor | | |

Reference Chart (Risk Chart with References to the Questionnaires)

|Risk Factors |Explanation |IT Questionnaire Item |Business Area Questionnaire Item |Source (where the risk is mentioned) |
|1. Quantity of Risk | | | | |
|Transaction Dollar Exposure | | |2 |FFIEC IS Exam Handbook page 2-2 |
|Transaction Volume | | |2 |FFIEC IS Exam Handbook page 2-2 |
|Complexity of Hardware and Software | |3 |4, 12 |FFIEC IS Exam Handbook page 2-2 |
|Volume and Risk exposures relative to internal control exceptions | |6, 8 |3 |FFIEC IS Exam Handbook page 2-2 |
|Potential for financial loss due to: error or fraud; competitive disadvantage; incomplete information; operational disruption; or personnel factors (experience / staffing / turnover) | |4, 6 |1, 3, 5, 10 |FFIEC IS Exam Handbook page 2-2 |
|Out-sourcing (Controls over external activities) | |1 |6 |FFIEC IS Exam Handbook page 2-3 |
|Internet or other new business activities | |8 |12 |FFIEC IS Exam Handbook page 2-3 |
|2. Quality of Risk | | | | |
|Separation of Risk Taking and Risk Management responsibilities | | |8, 16 |FFIEC IS Exam Handbook page 2-3 |
|Ongoing Risk Identification and Risk Measurement Systems to monitor risk | |8, 9 |13, 14, 15 |FFIEC IS Exam Handbook pages 2-3 to 2-4 |
|Policies for oversight responsibility of the systems, Policies for Systems Development and Policies for Change Management | |4, 7 |1, 15 |OCC 98-3 (p. 11, 12) |
|Monitoring Systems Capacity | |5 |1 |FFIEC IS Exam Handbook pages 2-3, 2-4 |
|Assuring the Integrity and Security of Systems | |4 |7, 9, 15 |FFIEC IS Exam Handbook page 2-4 |
|Documenting System (programming) History | |2 | |FFIEC IS Exam Handbook page 2-4 |
|Effective Internal Accounting Controls | | |8 |FFIEC IS Exam Handbook page 2-4 |
|Effective Recovery Planning, Training & Testing | |6 |10, 11 |OCC 99-9, OCC 98-3 (p. 11, 12) |
|Other Risks Which Are Identified by the Auditor | | | | |
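The scoring and ranking steps of the Methodology, with the Reference Chart above encoded as data, as an added example in Python. This is not part of the questionnaire document. It assumes the 1-5 scale the Methodology describes (5 = high risk), that every row of the Risk Chart is rated for every system, and that a system's exposure is the plain sum of its row ratings; the three system names and their ratings are constructed sample input. It also checks the Reference Chart itself: every cited item must exist in its questionnaire (IT has items 1-9, Business Area has items 1-16), and a factor no item covers is flagged so the auditor knows it must be rated from other evidence.

```python
"""Aggregate completed Risk Charts into a per-system score and rank the systems.

Added example, not part of the questionnaire document. Assumes the 1-5 scale
(5 = high risk) and that every Risk Chart row is rated for every system.
"""

QUANTITY_OF_RISK = [
    "Transaction Dollar Exposure",
    "Transaction Volume",
    "Complexity of Hardware and Software",
    "Volume and Risk exposures relative to internal control exceptions",
    "Potential for financial loss",
    "Out-sourcing (Controls over external activities)",
    "Internet or other new business activities",
]
QUALITY_OF_RISK = [
    "Separation of Risk Taking and Risk Management responsibilities",
    "Ongoing Risk Identification and Risk Measurement Systems",
    "Policies for oversight, Systems Development and Change Management",
    "Monitoring Systems Capacity",
    "Assuring the Integrity and Security of Systems",
    "Documenting System (programming) History",
    "Effective Internal Accounting Controls",
    "Effective Recovery Planning, Training & Testing",
    "Other Risks Which Are Identified by the Auditor",
]
RISK_FACTORS = QUANTITY_OF_RISK + QUALITY_OF_RISK

# Reference Chart as data: factor -> (IT Questionnaire items, Business Area items).
REFERENCE_CHART = {
    "Transaction Dollar Exposure": ((), (2,)),
    "Transaction Volume": ((), (2,)),
    "Complexity of Hardware and Software": ((3,), (4, 12)),
    "Volume and Risk exposures relative to internal control exceptions": ((6, 8), (3,)),
    "Potential for financial loss": ((4, 6), (1, 3, 5, 10)),
    "Out-sourcing (Controls over external activities)": ((1,), (6,)),
    "Internet or other new business activities": ((8,), (12,)),
    "Separation of Risk Taking and Risk Management responsibilities": ((), (8, 16)),
    "Ongoing Risk Identification and Risk Measurement Systems": ((8, 9), (13, 14, 15)),
    "Policies for oversight, Systems Development and Change Management": ((4, 7), (1, 15)),
    "Monitoring Systems Capacity": ((5,), (1,)),
    "Assuring the Integrity and Security of Systems": ((4,), (7, 9, 15)),
    "Documenting System (programming) History": ((2,), ()),
    "Effective Internal Accounting Controls": ((), (8,)),
    "Effective Recovery Planning, Training & Testing": ((6,), (10, 11)),
    "Other Risks Which Are Identified by the Auditor": ((), ()),
}
IT_ITEM_COUNT = 9         # IT Questionnaire has items 1-9
BUSINESS_ITEM_COUNT = 16  # Business Area Questionnaire has items 1-16
MIN_RATING, MAX_RATING = 1, 5


def check_reference_chart(chart=REFERENCE_CHART):
    """Return problems: cited questionnaire items that do not exist, and factors
    no questionnaire item covers (those must be rated from other evidence)."""
    problems = []
    for factor, (it_items, biz_items) in chart.items():
        for i in it_items:
            if not 1 <= i <= IT_ITEM_COUNT:
                problems.append(f"{factor}: IT item {i} does not exist")
        for i in biz_items:
            if not 1 <= i <= BUSINESS_ITEM_COUNT:
                problems.append(f"{factor}: Business item {i} does not exist")
        if not it_items and not biz_items:
            problems.append(f"{factor}: no questionnaire item covers this factor")
    return problems


def score_system(ratings):
    """Validate one system's Risk Chart ({factor: rating}) and return its subtotals.
    Raises ValueError on a missing row or out-of-range rating rather than
    silently scoring an incomplete chart."""
    missing = [f for f in RISK_FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"unrated factors: {missing}")
    bad = {f: r for f, r in ratings.items()
           if not isinstance(r, int) or not MIN_RATING <= r <= MAX_RATING}
    if bad:
        raise ValueError(f"ratings outside {MIN_RATING}-{MAX_RATING}: {bad}")
    quantity = sum(ratings[f] for f in QUANTITY_OF_RISK)
    quality = sum(ratings[f] for f in QUALITY_OF_RISK)
    return {
        "quantity": quantity,
        "quality": quality,
        "total": quantity + quality,
        "max_possible": MAX_RATING * len(RISK_FACTORS),
        "high_risk_factors": [f for f in RISK_FACTORS if ratings[f] == MAX_RATING],
    }


def rank_systems(charts):
    """charts: {system name: ratings}. Highest total first; ties broken by the
    Quantity of Risk subtotal, then by name so the order is reproducible."""
    scored = [(name, score_system(r)) for name, r in charts.items()]
    scored.sort(key=lambda item: (-item[1]["total"], -item[1]["quantity"], item[0]))
    return scored


# Constructed sample input: three hypothetical systems, mostly rated 3 (or 1).
SAMPLE_CHARTS = {
    "Wire Transfer": {**dict.fromkeys(RISK_FACTORS, 3),
                      "Transaction Dollar Exposure": 5,
                      "Internet or other new business activities": 5,
                      "Assuring the Integrity and Security of Systems": 4},
    "General Ledger": {**dict.fromkeys(RISK_FACTORS, 3),
                       "Transaction Volume": 5,
                       "Effective Internal Accounting Controls": 2},
    "Cafeteria Point of Sale": {**dict.fromkeys(RISK_FACTORS, 1),
                                "Out-sourcing (Controls over external activities)": 3},
}

if __name__ == "__main__":
    for problem in check_reference_chart():
        print("reference chart:", problem)
    for name, s in rank_systems(SAMPLE_CHARTS):
        print(f"{s['total']:>3}/{s['max_possible']}  {name}  rated 5: {s['high_risk_factors']}")
```

With the sample input the ranking is Wire Transfer (53 of 80), General Ledger (49), Cafeteria Point of Sale (18), and the chart check reports only that "Other Risks Which Are Identified by the Auditor" has no questionnaire item behind it. If your environment weights factors (for instance counting Transaction Dollar Exposure double), change the two `sum` calls in `score_system`, not the ranking.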

System Name ________________

BUSINESS AREA QUESTIONNAIRE

1. Does the capacity and functionality of this system support the Bank’s strategic objectives?

2. What are the high risk conditions in your area? Please quantify the potential dollar exposure related to misuse or errors connected to operating this system. How many “transactions” are created in your area using this system (please define your answer in the time frame which you judge to be most meaningful, daily, weekly, quarterly, etc.)?

3. What are the primary controls you use to monitor business processed through this system? Which of these do you consider to be high risk? Are the controls effective (i.e., timely, accurate, meaningful, etc.)? Have there been any control exceptions this year which were not caught by this system's controls?

4. How many changes to this system have been implemented this year (both hardware and software)?

5. How would you rate the potential for financial loss due to any of the following:

Human error or fraud: low medium high

Competitive disadvantage: low medium high

Incomplete information: low medium high

Operational disruption: low medium high

Please provide reasonable details regarding your responses:

6. Is the development or administration of this system outsourced? Do you feel that the controls over the outsourcing arrangements are adequate to provide safe and efficient services?

7. Who in your department is in charge of monitoring the security of this system? Who is the backup? To whom are security problems reported?

8. Does the system support your requirements for: administrative controls (e.g., transaction controls, limit controls, accounting controls, etc.); and due diligence assessments?

9. Is IT support for this system adequate?

10. Are the Bank’s training support and user documentation for this system adequate?

11. When was the last business recovery test which involved this system? Was this system described in the recovery test plans, logs, and sign-offs from that test? Are there output samples from this system which were made during that test?

12. Are new systems or significant system changes planned for the remainder of this year, or next year?

13. What are the most significant threats to this system? Would they include some of the following: denial or disruption of systems services, unauthorized monitoring of systems services, disclosure of proprietary or private information, modification or destruction of related computer capabilities (i.e., programming codes, networks, databases), and the manipulation of computer, or communications services resulting in fraud, financial loss or other criminal violations?

14. Does this system support your departmental goals to comply with banking reporting requirements and regulations, customer privacy, and other compliance-related business objectives?

15. What would be the best way to improve security or quality for this system?

16. Do you have risk-taking and/or risk management responsibility? If so, how is the separation of risk-taking and risk management responsibilities enforced or monitored by the system? Is this an effective control?

System Name ________________

IT Questionnaire

1. How many years of experience does the IT staff have supporting this system? How many people are qualified to support this system? If system support is outsourced, please state the vendor name and contact information here.

2. How would you rate the system documentation for this system? Poor, average, great?

3. How often was this system changed last year? No changes, fewer than six changes, six or more changes?

4. What are the IT controls for assuring the security of this system? Do they address risks (identified in OCC 99-9) such as entering data incorrectly, changing data, deleting data, destroying data or programs with logic bombs, "crashing" systems, holding data hostage, and destroying hardware or facilities? Who is in charge of monitoring the security of this system? Who is the backup? To whom are security problems reported?

5. What are the IT controls for assuring the capacity of this system, and the integrity or quality of this system? Who is in charge of monitoring the integrity or quality of this system? Who is the backup? To whom are integrity or quality problems reported?

6. What are the IT controls for assuring the continuity and rapid recovery of this system? When was the last recovery test for this system? Is this system described in the recovery test plans, logs, and sign-offs from that test? Are there output samples from this system which were made during that test?

7. Are significant system changes planned for the remainder of this year or in the next year?

8. What are the most significant threats to this system? Would they include some of the following (as noted in OCC 99-9): denial or disruption of system services, unauthorized monitoring of system services, disclosure of proprietary or private information, modification or destruction of related computer capabilities (i.e., programming code, networks, databases), and the manipulation of computer or communications services resulting in fraud, financial loss or other federal criminal violations?

9. What would be the best way to improve security or quality for this system?
