Pub. 10 2019 Issue 3

West Virginia Banker, www.wvbankers.org

As the risk assessment is developed, the timing for reviewing each risk assessment will need to be determined. The review should be performed at least annually, and could be performed more frequently depending on the changes in the areas analyzed by each risk assessment.

While conducting the risk assessment, it is important to document and support the risk scoring system utilized. Each risk assessment should have a documented explanation of how the risk scoring of high, medium, and low was developed. Items to consider and document are the inherent risk of the area, the mitigating controls that are in place, the frequency of testing the mitigating controls, and the residual risk. There are a number of common factors that can be included in the risk scoring system. Below are a few of the factors that should be included:

• Adequacy of internal controls
• Nature of transactions
• Age of the system
• Nature of the operating environment
• Physical and logical security of information
• Adequacy of operating management oversight and monitoring
• Regulatory and audit results and management’s responsiveness in addressing issues
• Human Resources
• Senior management oversight

So now the financial institution has a risk assessment developed and has risk ranked all potential threat areas. The next step is to conduct the different tests/audits based on the audit cycle. As each test is performed, ensure that the results are documented and that any changes in controls are documented based on those results. This process is going to help the financial institution be prepared in the event a threat occurs.

Risk cannot be eliminated but can be managed. The question is, how prepared is the financial institution in the event a threat/risk occurs? As the financial institution grows and offers more products and services, there will be more reasons to develop additional risk assessments.
As the financial institution has audits conducted, a risk assessment will need to be developed that will assess the threats/risks and the areas that will be analyzed. When engaging to have an audit conducted, the financial institution will need to determine the areas that are considered high risk and what should be analyzed during the audit based on the audit cycle. It is critical for the financial institution to review the potential risks and assess the format of the items being audited to ensure that the audit is being conducted in a manner that will benefit the financial institution.

Trista Cline is a Manager of Arnett Carbis Toothman LLP, Certified Public Accountants, in the Charleston, West Virginia office. Ms. Cline has over 10 years of experience in information technology audit and security services in the financial institutions industry. In addition, Ms. Cline has extensive experience in database analysis and the use of database analysis tools. Contact Ms. Cline at 800-642-3601 or trista.cline@actcpas.com.

Continued from page 11
