Tools and processes used to “fortify” your business by developing defenses ahead of time.
Alternate Data Centers
Contracting secondary locations will enable an organization to recover critical technologies if the primary technology infrastructure fails.
Alternate Suppliers
Seeking out and documenting contingency agreements with alternate suppliers for your organization’s critical inputs will allow you to continue normal activities in the event that one of your critical suppliers experiences an interruption or ceases to supply you for any reason.
Backup Power
Securing backup power will enable your core activities to continue as normal with minimal, if any, downtime or loss in productivity.
Change Management Processes
Initiating and controlling organizational, process, technology or resource adjustments with the end objective of ensuring an appropriate level of performance and availability throughout the transition.
Cross-Trained Personnel
Ensuring that multiple staff members can fulfill the duties of each critical job within your organization will remove any personnel single points of failure and enable regular activities to continue even if an employee is absent, unable to work or is no longer employed by the organization.
Data Backup
Replicating data at an alternate location and/or on alternate media will help protect against the loss of the primary data source and also simplify and expedite recovery efforts, thus minimizing downtime.
Fire Protection Systems
Developing working relationships with your local fire department and other first responders, as well as taking fire protective measures of your own (i.e. using fire retardant file cabinets and ensuring that sprinkler systems work properly), will not only help protect personnel, information and facilities, but also minimize the effects of a fire on your core operational activities.
Insurance
Carrying appropriate insurance can help minimize financial complications resulting from major facility or equipment loss, an inability to deliver products or services, or injury to one or more of your employees in an accident.
IT Security Measures
Taking appropriate measures to protect hardware, software, data storage, and communications technology will reduce downtime and organization inefficiency (i.e. access controls, malware protections, etc.).
Media Monitoring
Employing a media monitoring process can provide your organization with early warning regarding reputational issues, as well as other threats that could result in a near-term interruption.
Physical Security Controls
Keeping unauthorized persons out of restricted areas will reduce the potential for data loss or business process disruption due to vandalism, theft or other forms of sabotage.
Safety Stock
Storing an appropriate amount of finished product or raw materials in an off-site location will limit the impact of downtime resulting from a loss of the organization’s primary storage or production capabilities.
Wednesday, June 29, 2011
Formal Risk Management Plan
The project development team's strategy to manage risk provides the project team with direction and basis for planning. The formal plan should be developed during the planning and scoping process and updated at subsequent project development phases. Since the agency and contractor team's ability to plan and build the facility affects the project's risks, industry can provide valuable insight into this area of consideration.
The plan is the road map that tells the agency and contractor team how to get from where the project is today to where the public wants it to be in the future. Since it is a map, it may be specific in some areas, such as the assignment of responsibilities for agency and contractor participants and definitions, and general in other areas to allow users to choose the most efficient way to proceed. The following is a sample risk management plan outline:
Introduction
Summary
Definitions
Organization
Risk management strategy and approach
Risk identification
Risk assessment and analysis
Risk planning
Risk allocation
Risk charter and risk monitoring
Risk management information system, documentation, and reports
Each risk plan should be documented, but the level of detail will vary with the unique attributes of each project. Red flag item lists, risk charters, and formal risk management plans provide flexibility in risk management documentation.
Risk Charters
The creation of a risk charter is a more formal identification of risks than the listing of red flag items. Typically, it is completed as part of a formal and rigorous risk management plan. The risk charter provides project managers with a list of significant risks and includes information about the cost and schedule impacts of these risks. It also supports the contingency resolution process described in Chapter 6 by tracking changes in the magnitude of potential cost and schedule risk impacts as the project progresses through the development process and the risks are resolved.
A risk charter is a document containing the results of a qualitative or quantitative risk analysis. It is similar to a list of red flag items, but typically contains more detailed information about the potential impact of the risks and the mitigation planning. The risk charter contains a list of identified risks, including description, category, and cause. It may contain measurements of magnitude such as the probability and impact of occurrence. It may also include proposed mitigation responses, "owners" of the risk, and current status. This method may be more effective than simply listing potential problem areas through red flagging because it integrates with the risk monitoring and control processes. The terms "risk charter" and "risk register" are synonymous in the highway industry.
A risk charter is used as a management tool to identify, communicate, monitor, and control risks. It provides assistance in setting appropriate contingencies and equitably allocating risks. As part of a comprehensive risk management plan, the risk charter can help control cost escalation. It is appropriate for large or complex projects that have significant uncertainty.
The charter organizes risks that can impact cost estimates and project delivery. A risk charter is typically based on either a qualitative or quantitative assessment of risk, rather than simple engineering judgment. The identified risks are listed with relevant information for quantifying, controlling, and monitoring. The risk charter may include relevant information such as the following:
Risk description
Status
Date identified
Project phase
Functional assignment
Risk trigger
Probability of occurrence (percent)
Impact ($ or days)
Response actions
Responsibility (task manager)
Two examples of risk charters are in Appendix D. The first example, from Caltrans, is a spreadsheet that forms the basis of the agency's risk management plan. The spreadsheet contains columns for identification, analysis, response strategy, and monitoring and control. The second example is from an FTA report on risk assessment, which uses the term risk register synonymously with risk charter. The FTA risk register contains more quantitative risk assessment information than the Caltrans example, but the goal of the documentation is similar. FTA adds issues such as correlation among dependent components, type of distribution used to model the risk, and expected value of the risks.
Red Flag Item Lists
A red flag item list is created at the earliest stages of project development and maintained as a checklist during project development. It is perhaps the simplest form of risk identification and risk management. Not all projects will require a comprehensive and quantitative risk management process. A red flag item list can be used in a streamlined qualitative risk management process.
A red flag item list is a technique to identify risks and focus attention on critical items that can impact the project's cost and schedule. Issues and items that can potentially impact project cost or schedule in a significant way are identified in a list, or red flagged, and the list is kept current as the project progresses through development and construction management. By listing items that can potentially impact a project's cost or schedule and by keeping the list current, the project team has a better perspective for setting proper contingencies and controlling risk. Occasionally, items considered risky are mentioned in planning but soon forgotten. The red flag item list facilitates communication among planners, engineers, and construction managers about these items. By maintaining a running list, these items will not disappear from consideration and then later cause problems.
Caltrans has developed a sample list of risks in its Project Risk Management Handbook. While this sample list can be used to create a list of red flag items for a project, it is quite comprehensive and any single project's list of red flag items should not include all of these elements. The next section discusses risk charters, which are a more formalized and typically more quantitative extension of a red flag list.
Risk Planning Documentation
Each risk plan should be documented, but the level of detail will vary with the unique attributes of each project. Large projects or projects with high levels of uncertainty will benefit from detailed and formal risk management plans that record all aspects of risk identification, risk assessment, risk analysis, risk planning, risk allocation, and risk information systems, documentation, and reports. Projects that are smaller or contain minimal uncertainties may require only the documentation of a red flag item list that can be updated at critical milestones throughout the project development and construction.
Risk Planning
Risk planning involves the thoughtful development, implementation, and monitoring of appropriate risk response strategies. The DOE's Office of Engineering and Construction Management defines risk planning as the detailed formulation of a plan of action for the management of risk.(4) It is the process to do the following:
Develop and document an organized, comprehensive, and interactive risk management strategy.
Determine the methods to be used to execute a risk management strategy.
Plan for adequate resources.
Risk planning is iterative and includes describing and scheduling the activities and processes to assess (identify and analyze), mitigate, monitor, and document the risk associated with a project. For large projects or projects with a high degree of uncertainty, the result should be a formal risk management plan.
Planning begins by developing and documenting a risk management strategy. Early efforts establish the purpose and objective, assign responsibilities for specific areas, identify additional technical expertise needed, describe the assessment process and areas to consider, delineate procedures for consideration of mitigation and allocation options, dictate the reporting and documentation needs, and establish report requirements and monitoring metrics. This planning should also address evaluation of the capabilities of potential sources as well as early industry involvement.
Risk Response Options
Risk identification, assessment, and analysis exercises form the basis for sound risk response options. A series of risk response actions can help agencies and their industry partners avoid or mitigate the identified risks. Wideman, in the Project Management Institute standard Project and Program Risk Management: A Guide to Managing Risks and Opportunities, states that a risk may be the following:
Unrecognized, unmanaged, or ignored (by default).
Recognized, but no action taken (absorbed by a matter of policy).
Avoided (by taking appropriate steps).
Reduced (by an alternative approach).
Transferred (to others through contract or insurance).
Retained and absorbed (by prudent allowances).
Handled by a combination of the above.
The above categorization of risk response options helps formalize risk management planning. The Caltrans Project Risk Management Handbook suggests a subset of strategies from the categorization defined by Wideman above.(6) The Caltrans handbook states that the project development team must identify which strategy is best for each risk and then design specific actions to implement that strategy. The strategies and actions in the handbook include the following:
Avoidance: The team changes the project plan to eliminate the risk or to protect the project objectives from its impact. The team might achieve this by changing scope, adding time, or adding resources (thus relaxing the so-called triple constraint).
Transference: The team transfers the financial impact of risk by contracting out some aspect of the work. Transference reduces the risk only if the contractor is more capable of taking steps to reduce the risk and does so. (This strategy is discussed in depth in Chapter.
Mitigation: The team seeks to reduce the probability or consequences of a risk event to an acceptable threshold. It accomplishes this via many different means that are specific to the project and the risk. Mitigation steps, although costly and time consuming, may still be preferable to going forward with the unmitigated risk.
Acceptance: The project manager and team decide to accept certain risks. They do not change the project plan to deal with a risk or identify any response strategy other than agreeing to address the risk if it occurs.
Given a clear understanding of the risks, their magnitude, and the options for response, an understanding of project risk will emerge. This understanding will include where, when, and to what extent exposure will be anticipated. The understanding will allow for thoughtful risk planning.
Objectives of Risk Mitigation and Planning
The objectives of risk mitigation and planning are to explore risk response strategies for the high risk items identified in the qualitative and quantitative risk analysis. The process identifies and assigns parties to take responsibility for each risk response. It ensures that each risk requiring a response has an owner. The owner of the risk could be an agency planner, engineer, or construction manager, depending on the point in project development, or it could be a private sector contractor or partner, depending on the contracting method and risk allocation.
Risk mitigation and planning efforts may require that agencies set policies, procedures, goals, and responsibility standards. Formalizing risk mitigation and planning throughout a highway agency will help establish a risk culture that should result in better cost management from planning through construction and better allocation of project risks that align teams with customer-oriented performance goals.
Once the agency planner, engineers, and construction managers have thoroughly analyzed the critical set of risks, they are in a better position to determine the best course of action to mitigate those risks. Pennock and Haimes of the Center for Risk Management of Engineering Systems state that three key questions can be posed for risk mitigation.
What can be done and what options are available?
What are the trade offs in terms of all costs, benefits, and risks among the available options?
What are the impacts of current decisions on future options?
An understanding of these three questions is critical to risk mitigation and risk management planning. Question 1 addresses the available risk response options, which are presented in the following section. An understanding of questions 2 and 3 is necessary for risk planning because they determine the impact of both the immediate mitigation decisions and the flexibility of risk mitigation and planning on future events.
What Is Risk Mitigation and Who Is Involved in a Risk Mitigation Plan
Risk mitigation is all about forecasting the possible problems that might arise in the future and finding ways to prevent them from occurring, or alternate ways to avoid them.
Business continuity planning/disaster recovery is also a part of risk mitigation. Suppose some criminal organization has planned to blast your development center: all your clients would lose all their money. A business continuity/disaster recovery plan is a step towards backing up all the data in a different development center, so that even if your office is gone, the clients don't lose anything.
Risks and Mitigation
Any risks that will affect the testing process must be listed along with their mitigation. By documenting the risks in this document, we can anticipate their occurrence well ahead of time and proactively prevent them from occurring. Sample risks are dependency on the completion of coding that is done by sub-contractors, the capability of testing tools, etc.
Monday, March 28, 2011
Exchange Rate Risk
The uncertainty of returns for investors who acquire foreign investments and wish to convert them back to their home currency. This is particularly important for investors who have a large amount of overseas investment and wish to sell and convert their profit to their home currency. If exchange rate risk is high, then even though a substantial profit may have been made overseas, the value of the home currency may be less than the overseas currency and may erode a significant amount of the investment's earnings. That is, the more volatile the exchange rate between the home and investment currency, the greater the risk of differing currency values eroding the investment's value.
Market Risk
The price fluctuations or volatility increases and decreases in the day-to-day market. This type of risk mainly applies to both stocks and options and tends to perform well in a bull (increasing) market and poorly in a bear (decreasing) market. Generally with stock market risks, the more volatility within the market, the more probability there is that your investment will increase or decrease.
Country Risk
This is also termed political risk, because it is the risk of investing funds in another country whereby a major change in the political or economic environment could occur. This could devalue your investment and reduce its overall return. This type of risk is usually restricted to emerging or developing countries that do not have stable economic or political arenas.
Financial Risk
Financial risk is the risk borne by equity holders (refer Shares section) due to a firm's use of debt. If the company raises capital by borrowing money, it must pay back this money at some future date plus the financing charges (interest etc. charged for borrowing the money). This increases the degree of uncertainty about the company because it must have enough income to pay back this amount at some time in the future.
Liquidity Risk
The uncertainty introduced by the secondary market for a company to meet its future short term financial obligations. When an investor purchases a security, they expect that at some future period they will be able to sell this security at a profit and redeem this value as cash for consumption - this is the liquidity of an investment, its ability to be redeemable for cash at a future date. Generally, as we move up the asset allocation table - the liquidity risk of an investment increases.
Business Risk
The uncertainty of income caused by the nature of a company's business, measured by a ratio of operating earnings (income flows of the firm). This means that the less certain you are about the income flows of a firm, the less certain the income will flow back to you as an investor. The sources of business risk mainly arise from a company's products/services, ownership support, industry environment, market position, management quality etc. An example of business risk could include a rubbish company that typically would experience stable income and growth over time and would have a low business risk, compared to a steel company whose sales and earnings fluctuate according to the need for steel products and which typically would have a higher business risk.
Saturday, March 19, 2011
How to Merge Audit Files From the Audit Trail
By merging all audit files in all the audit directories, you can analyze the contents of the entire audit trail. The auditreduce command merges all the records from its input files into a single output file. The input files can then be deleted. When the output file is placed in a directory that is named /etc/security/audit/server-name/files, the auditreduce command can find the output file without your specifying the full path.
Assume a role that includes the Audit Review profile, or become superuser.
The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).
Create a directory for storing merged audit files.
# mkdir audit-trail-directory
Limit access to the directory.
# chmod 700 audit-trail-directory
# ls -la audit-trail-directory
drwx------ 3 root sys 512 May 12 11:47 .
drwxr-xr-x 4 root sys 1024 May 12 12:47 ..
Merge the audit records in the audit trail.
Change directories to the audit-trail-directory and merge the audit records into a file with a named suffix. All directories that are listed in the dir lines of the audit_control file on the local system are merged.
# cd audit-trail-directory
# auditreduce -Uppercase-option -O suffix
The uppercase options to the auditreduce command manipulate files in the audit trail. The uppercase options include the following:
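The directory and merge steps above as a small POSIX shell script, added here as an example and not part of the original page. It creates the directory with mode 700, confirms the drwx------ mode string before merging, and passes caller-supplied uppercase options to auditreduce. The function names and the symlink refusal are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): the merge procedure as functions.

# Succeeds only if $1 is a directory whose ls mode string is drwx------,
# the same string the "ls -la" check in the procedure shows for ".".
is_private_dir() {
    [ -d "$1" ] || return 1
    # Keep the 10 mode characters; drop any trailing ACL marker such as "+".
    mode=$(ls -ld "$1" | awk '{print $1}' | cut -c1-10)
    [ "$mode" = "drwx------" ]
}

# Create the directory with a restrictive umask, force mode 700, then verify.
prepare_trail_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        # Assumption of this example: a symlinked target is not accepted.
        echo "refusing to use symlink: $dir" >&2
        return 1
    fi
    ( umask 077 && mkdir -p "$dir" ) || return 1
    chmod 700 "$dir" || return 1
    is_private_dir "$dir"
}

# usage: merge_audit_trail DIR SUFFIX UPPERCASE-OPTION...
# The uppercase option(s) come from the caller, matching the page's
# "auditreduce -Uppercase-option -O suffix" form.
merge_audit_trail() {
    dir=$1
    suffix=$2
    shift 2
    prepare_trail_dir "$dir" || { echo "directory check failed: $dir" >&2; return 1; }
    if ! command -v auditreduce >/dev/null 2>&1; then
        echo "auditreduce not found (Solaris auditing required)" >&2
        return 2
    fi
    # Merge from inside the restricted directory so the output lands there.
    ( cd "$dir" && auditreduce "$@" -O "$suffix" )
}
```

The merge is skipped with a non-zero status if the directory cannot be brought to mode 700, so merged records are never written somewhere other users can read.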
Managing Audit Records
By managing the audit trail, you can monitor the actions of users on your network. Auditing can generate large amounts of data. The following tasks show you how to work with all this data.
How to Display Audit Record Formats
To write scripts that can find the audit data that you want, you need to know the order of tokens in an audit event. The bsmrecord command displays the audit event number, audit class, selection mask, and record format of an audit event.
Put the format of all audit event records in an HTML file.
The -a option lists all audit event record formats. The -h option puts the list in HTML format that can be displayed in a browser.
% bsmrecord -a -h > audit.events.html
When you display the *html file in a browser, use the browser's Find tool to find specific records.
The Objectives, Extent, and Scope of Audit Procedures
Audit procedures are called audit programs by examiners, and they merely serve as guidelines and checklists of actions to perform during audit engagements. To provide an example, we focused on the details of the audit procedures for accounts receivable (AR), which we present in the succeeding sections.
In actual practice, audit techniques or styles in performing these procedures, developed by examiners through their skills and expertise, contribute largely to achieving the best audit results within a specified time frame.
The objectives, the extent, and the scope by which these procedures are performed may vary according to the role of the examiner, as internal or external auditor. These roles and objectives are discussed in full in a separate article entitled Financial Statement Audit vs. Forensic Accounting.
The term “extent” refers to the percentage of documents test-checked for completeness or for accuracy of computations involved. An AR audit program may also include the tracing of transactions from the selling point, to payment activities, up to its final disposition as a paid-account, a past due account, a doubtful account, or as a bad debt, as they are verified via random sampling of substantial balances or material amounts.
The term “scope” refers to the period covered based on cut-off dates established by the internal or external financial auditors. To fraud examiners or forensic accountants, the scope refers to the specific account(s) under suspicion of fraud, where dates could go as far back as necessary.
Saturday, February 26, 2011
Audit Documentation
Documentation refers to the working papers kept by the auditor regarding audit planning, procedures performed, information and explanations obtained from the client, and conclusions drawn from the work performed.
Objectives of Documentation:
1: Assist in planning and performance of audit
2: Assist in supervision and review of audit work
3: Record the audit evidence resulting from the audit work performed to support the auditor's opinion, including representation that the examination was conducted in accordance with the International Standards on Auditing…!
Sunday, February 20, 2011
Example of Risk Assessment
Chemical substances have many different properties and many different uses. Some are used to make plastics flexible, some put out fires quickly and efficiently, some are products of common chemical reactions that occur naturally in the environment (such as a volcanic eruption) - still others form part of our day-to-day activities, such as driving a car.
In the same way that chemical substances have different uses, they can also be harmful in different ways. For instance, some may harm plants, while some may cause very serious illnesses in people such as cancer. Still others may be carried long distances through the air and affect people far away.
The risk posed by a chemical substance is determined by its hazardous properties and how or where exposure takes place. A scientific evaluation, or "risk assessment," is required to determine details on those hazardous qualities, and the specific ways people or the environment can be exposed.
Risk Assessment
Risk analysis is the process of defining and analyzing the dangers to individuals, businesses and government agencies caused by potential natural and human-caused adverse and unwanted events. In IT, a risk analysis report can be used to align technology-related objectives with a company's business objectives. A risk analysis report can be either quantitative or qualitative.
In quantitative risk analysis, an attempt is made to numerically determine the probabilities of various adverse events and the likely extent of the losses if a particular event takes place.
Qualitative risk analysis, which is used more often, does not involve numerical probabilities or predictions of loss. Instead, the qualitative method involves defining the various threats, determining the extent of vulnerabilities and devising countermeasures should an attack occur.
What is Risk
Risk is the potential that a chosen action or activity will lead to a loss (an undesirable & unwanted outcome). The notion implies that a choice having an influence on the outcome exists (or existed). Potential losses themselves may also be called "risks". Almost any human endeavor carries some risk, but some are much more risky than others.