Audit and Assurance

Risk and Control Statements

  • 1.  Risk and Control Statements

    Posted 14 Aug, 2019 13:06
    I am looking for guidance on writing good risk and control statements. I have come across a number of references to writing risk statements, including an excellent article by Benjamin Power published in the ISACA Journal; however, I have found little reference to writing good control statements.

    These would be used in developing an audit program and sharing with auditees to help define audits.  Note that the auditees typically do not have specific controls identified or documented.

    I once attended an ISACA session hosted by Brian Barnier where he discussed writing control statements; however, I unfortunately cannot locate my notes from that session.

    Any thoughts and input from the community are welcome.

    Henry Bottjer
    Lead IT Auditor

  • 2.  RE: Risk and Control Statements

    Posted 14 Aug, 2019 14:48
    @Henry Bottjer,

    I'm afraid I don't have anything I can point you to.  Perhaps use something like ISO 27001/2 as a "model" for these?

    Can any other members help with this one?

    Best Regards,


    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist

  • 3.  RE: Risk and Control Statements

    Posted 20 Aug, 2019 10:45
    @Ian Cooke

    Thanks for your reply. We did have an internal meeting to discuss this topic, and the consensus was that we would be leaving our risk statements "as-is" moving forward. I think the result of the exercise was a foregone conclusion based on the discussion held, just a formality.

    I will continue to research on my own, however, as I think developing good risk statements and good control statements are essential to defining the audit.


    Henry Bottjer
    Lead IT Auditor

  • 4.  RE: Risk and Control Statements

    Posted 02 Mar, 2020 20:13
    Hi Henry,

    Did you find any good resources for this ("good risk statements and good control statements")?
    Can you share them?


    Hong-Anh Nguyen
    IT Auditor

  • 5.  RE: Risk and Control Statements

    Posted 10 Mar, 2020 03:13
    Thanks for the link. Here is an example of a risk statement from that link:

    Customer data leakage, corruption or unavailability caused by defective system changes resulting in financial fraud losses of UK £1 million and ICO fine of UK £500,000, customer churn of 6.4 percent, and regulatory sanction by the Prudential Regulation Authority

    That's not a risk statement; that's a loss-event description/summary, something that has already happened.

    Maybe (??) the writer was thinking about a "risk title"... IMO a risk title should be representative of the risk but not as long as the one above. It's better (??) to make a short, on-point description of the risk and then put the details, the risk information, in the risk table in the database. The information in it should be more elaborate than just "defective system changes"; that's not clear.

    The loss event above should be put into the loss event table or incident table in the database, and then it should be linked to the customer data leakage risk. If there's another data leakage loss event, it should also be linked to that risk.

    About control statements: just like the risk title, there is also a "control title", and the details should be put in the control table in the database, such as control description, control type, control owner and so on. IMO the control title should also be short and representative.

    Reza Aminy