Risk assessments can be conducted internally or externally. Both options have pros and cons which can impact the results and the desired deliverables.
External auditors test the underlying transactions that form the basis of the business function. Internal auditors advise management on whether its major operations have sound systems of risk management and internal controls. Fundamentally, internal audits provide value to the business in its ability to advise, recommend, and potentially assist in the mitigation activities. External audits will normally select to audit/assess or to remediate, but not both due to potential conflicts of interest. That is why it is extremely important to breakdown the difference in how an assessment is conducted by each business group to get a clear alignment with the business goals and objectives.
The following items can provide further clarity in distinguishing the pros and cons of a selecting a third party assessment team versus leveraging an internal team:
An external assessment team:
- Leverages the best talent immediately (less ramp up time)
- Has greater exposure to industries
- Frees up internal human resources
- Has fewer preconceived notions about the current assessment target
- Has an impartial opinion
- Has broad experience across multiple disciplines
- Has extensive audit experience
- Is a good alternative when internal auditors don't have time or are unavailable
- Allows staff to speak candidly with an outsider
- Provides an opinion on whether the assessment recommendations show a true and fair view
An internal assessment team:
- Has broad and deep experience with specific business
- Has built in cost structure to conducting the assessment
- Has capability for both analysis and synthesis of data to provide the best recommendation
- Knows the organization chart and political structure
- Can elicit candid input utilizing existing relationships
- Can develop recommendations based on organization as a whole
- Can participate in the remediation effort
There are many areas within risk assessments that require making decisions based on the type of expertise needed and ramp up costs associated with conducting the review. The list above can provide some insight in helping you select the best avenue to pursue for a given situation. There are many other sub-categories, such as legal influence and the security surrounding risk assessment findings, which may alter the preliminary decision to keep the assessment activity inside the company or to go outside for assistance. By conducting an initial meeting with each stakeholder in your organization, you can quickly develop an understanding of the drivers and motivators that will guide you in your decision making process.
About the author:
Rick Lawhorn, CISSP, CISA, has over 18 years of experience in information technology which includes an extensive security, compliance, privacy and legal background. Rick has served as the Chief Information Security Officer (CISO) for GE Financial Assurance, Chief Information Security Officer (CISO) for Genworth Financial and served in information technology leadership roles within Hunton & Williams law firm and the National White Collar Crime Center. He has been published in numerous international and domestic security magazines and currently serves on several advisory boards for new, innovative security products. He can be reached at firstname.lastname@example.org.
This was first published in October 2008