As the IT audit staff/senior of the engagement, you are presenting to the IT manager and partner (as part of the planning meeting) the results of the risk assessment performed in Exhibit 3. Based on such results (look at Exhibit 3, under the Risk Rating and Action Priority columns), it seems clear that the audit should focus on Financial Application #2 (FA2). Nevertheless, the IT manager and partner, based on previous relevant experience, believe that the audit should be performed on Financial Application #1 (FA1). The planning meeting is over, and you still feel doubtful on the decision just made. Your task: Prepare a two-page memo to the audit manager (copying the partner) stating your reasons why FA2 should be audited first. In order to convince the audit manager and partner, you are to think outside the box. In other words, think of additional information not necessarily documented in the risk assessment shown in Exhibit 3, and document in your memo information related to:

• Any additional vulnerabilities or weaknesses that may currently be in place affecting FA2.
• Any additional threat-sources that can trigger the vulnerabilities or weaknesses you just identified for FA2
• Any additional risks or situations involving exposure to loss for the financial information in FA2
• Any additional controls or procedures that should be implemented to mitigate the risks just identified

Recommended Action Rating Contra Proty 375 Backup of 3 Medium Financial data are arched som that dat Exhibit 3. Risk Assessment Example for the functional Audit Area Leihood Determination ima Financial IT Area / khood Probably Made Level Application Vulnerability Threat souravel Aged of impact Values Financial Operation/ Hurricanes, Medium ase 75 FAI information Application There is no system cannot be 1 TALI offsite storage recovered for data backups respected event of system to provide shutdown falumpati rente the Company's oport valability in the francis event of Information disaster according to established reporting information Unauthorized Security Security partes. Several of the | Ihackers, not propriately Company's terminated configured opical employees single and insiders pel pariwordel authored configured for user to FALER consistent with industry best practices 0.75 3 5 A B the devit, authenticate Although TAL the Industry best mimary waluw must incorporate minimum periodic chout the and complety Tehood Determination Impact Action Proy Very Financial Area Ubehood Probability Matade Application Vulnerably Threat Source vel Assigned of impact Financial Motion Unauthor and very 1.00 Aplication Security/FAZ 22 FAZI owners do not hackers periodically terminated access privileges and insider 7 Users possess privileges that are Cow functions owing uthored or incorrect modification to FAZsdata which could Recommended Rating Control 75 User en with FAZ perly reviewed by application RES portand consistent with obremes 100 we 75 Information Unauthored Very wers Terminated user terminated accounts were employees removed from FAZ decisions based upon min Information Terminated users > The Bounty Very can gainet disse FA2 und wir notified of modity is employees who financial have been informacion terminated Accessories of such immediately andere their + Action Priority Low Likelihood Determination Impact Impact Financial IT Area / Likelihood Probability Magnitude Level Application Vulnerability Threat Source Level Assigned of impact Value Risk Change Control Unauthorized Low 0.25 High 75 FA2 changes are Management/ application not properly Test results for changes and authorized FA2 upgrades modifications Implementation are not approved of such changes by management could result in prior to their invalid or implementation misleading data into production Risk Recommended Rating Control 18.75 Changes to FAZ are tested and approved by management prior to their implementation in production in accordance with test plans and results *Computed by multiplying the "Probability Assigned and the "Impact Level Value