Risk assessments: Internal vs. external


Rick Lawhorn, Contributor
10.09.2008
Risk assessments are a critical part of any financial services company. They provide the needed insight into the people, processes and technologies within a given function. In many cases, assessments are required by regulators and by federal and state law. Financial companies must weigh the options, determine the best way for an audit to be conducted, and work through the challenges associated with their selection.

Risk assessments can be conducted internally or externally. Both options have pros and cons that can affect the results and the desired deliverables.

External auditors test the underlying transactions that form the basis of the business function. Internal auditors advise management on whether its major operations have sound systems of risk management and internal controls. Fundamentally, internal audits provide value to the business through their ability to advise, recommend, and potentially assist in the mitigation activities. External auditors will normally choose either to audit/assess or to remediate, but not both, because of the potential conflict of interest. That is why it is extremely important to break down the differences in how each group conducts an assessment, so that the assessment aligns clearly with the business goals and objectives.

The following items can provide further clarity in distinguishing the pros and cons of selecting a third-party assessment team versus leveraging an internal team:

An external assessment team:

  • Leverages the best talent immediately (less ramp-up time)
  • Has greater exposure to industries
  • Frees up internal human resources
  • Has fewer preconceived notions about the current assessment target
  • Has an impartial opinion
  • Has broad experience across multiple disciplines
  • Has extensive audit experience
  • Is a good alternative when internal auditors don't have time or are unavailable
  • Allows staff to speak candidly with an outsider
  • Provides an opinion on whether the assessment recommendations show a true and fair view

An internal assessment team:

  • Has broad and deep experience with the specific business
  • Has a built-in cost structure for conducting the assessment
  • Has the capability for both analysis and synthesis of data to provide the best recommendation
  • Knows the organization chart and political structure
  • Can elicit candid input by utilizing existing relationships
  • Can develop recommendations based on the organization as a whole
  • Can participate in the remediation effort

There are many areas within risk assessments that require decisions based on the type of expertise needed and the ramp-up costs associated with conducting the review. The lists above can provide some insight to help you select the best avenue to pursue for a given situation. There are many other sub-categories, such as legal influence and the security surrounding risk assessment findings, which may alter the preliminary decision to keep the assessment activity inside the company or to go outside for assistance. By conducting an initial meeting with each stakeholder in your organization, you can quickly develop an understanding of the drivers and motivators that will guide your decision-making process.

About the author:
Rick Lawhorn, CISSP, CISA, has over 18 years of experience in information technology which includes an extensive security, compliance, privacy and legal background. Rick has served as the Chief Information Security Officer (CISO) for GE Financial Assurance, Chief Information Security Officer (CISO) for Genworth Financial and served in information technology leadership roles within Hunton & Williams law firm and the National White Collar Crime Center. He has been published in numerous international and domestic security magazines and currently serves on several advisory boards for new, innovative security products. He can be reached at rick.lawhorn@mac.com.

