Many different types of organizations and businesses are required to undertake risk assessments and audits, either to satisfy some regulatory body or to satisfy internal policy requirements. But there often are questions about why both must be undertaken each year and what the differences between them are. These processes are very different, are done for different reasons and produce very different results
A risk assessment in reality is a way to estimate, or make “an informed guess” about the kinds and levels of risk facing just about anything. From a business perspective, you can perform a risk assessment on an individual business process, an information system, a third-party supplier, a software application or the enterprise as a whole. Risk assessments may be performed internally by company personnel, or by specialist, third-party security organizations. They can also be small-scale assessments conducted among a group of interested parties, or they can be large-scale, formal assessments that are comprehensive and fully documented. But whatever type and scale of risk assessment you are undertaking, they all share certain common characteristics.
To perform risk assessment, you first must characterize the system you wish to assess. For example, you may wish to assess the risk to the organization of implementing a new software application. “Characterizing,” in this case, means learning everything you can about the system and what is going to be entailed with installing it, maintaining it, training personnel to use it, how it connects to other systems, etc.
Once you have this information in hand, the next step is to find out what threats and vulnerabilities to the application exist or may appear in the near future. To do this, most organizations look to government and private organizations that keep track of threats and vulnerabilities and rate them for severity such as DHS, CERT, Cisco or SAP. In addition, organizations look to similar organizations and use groups to learn from them what threats they have experienced and what vulnerabilities they have found when implementing the software application in question.
The next steps in risk calculation are ascertaining the probability that the threats and vulnerabilities found in the previous steps may actually occur, and the impacts on the organization if they do. The final step is then to take into account the security controls that the organization has in place and the effect these countermeasures might have in preventing attackers from actually compromising the system. Thus, the formula for calculating risk is (threats x vulnerabilities x probability of occurrence x impact)/countermeasures in place = risk.
Looking at the above, it is obvious that there is much room for error in a risk calculation. You might not be able to find all the threats against the application, nor may you be able to determine all the vulnerabilities that exist. Probability of occurrence is also just an estimate, and even impact on the organization may not be fully understood. That is why I said that risk assessment is really just an estimate or educated guess. Audit, on the other hand, is something entirely different.
The goal of an audit is to ascertain if an organization is effectively implementing and adhering to a documented quality system. In other words, an audit examines written policies and processes, and records of how they are actually being implemented, to see if the organization is following the rules and to see if the processes they are following are effective. Auditors should be disinterested third-party professionals and in the case of IT audits are usually CPAs.
Most often, such as in the case of an audit by a regulatory body, a group of auditors will come on-site to the organization and start the process of records examination and interviews with personnel. This is an exhaustive process and contains little or no guesswork. Audits can be limited, such as an audit of an accounting system, or can look at all the business practices of an organization. You can even have an audit done to test the quality and effectiveness of your risk assessment and risk management processes. This is probably where some of the confusion between the two arise. Although both may be mandated for a single organization, they remain very different processes.