Risk statement ,Risk,Control objective,control

Munny1
Tera Expert

‎06-10-2025 12:08 AM - edited ‎06-10-2025 01:41 AM

Hi @SANDEEP DUTTA @Ankur Bawiskar ,

Can someone help. Since i am new to IRM.

I want to understand the difference between and with few examples of IT Risk Department Perspective based on banking sector.
1.Control objective and control(name and description)

2.RIsk statement and Risk(name and description)

 

 

0 Helpfuls
  • 501 Views
4 REPLIES 4

SANDEEP DUTTA
Tera Patron
Tera Patron

‎06-10-2025 03:12 AM

Hi @Munny1 ,

Let's take an Example of an SOX's Requirement for an company for IT Risk Department Perspective.

 

We are trying to Mitigate a

Risk :SOX-IT-Changes to production application systems and programs are not properly authorized, tested, approved, implemented and documented

Risk Statement : SOX-IT-Changes to production application systems and programs are not properly authorized, tested, approved, implemented and documented

By applying : 

Control Objective : SOX-SAP-15 Dev/Test/Prod Environments

Control: SOX-SAP-15 Dev/Test/Prod Environments

 

Financial institution Specific:

Risk / Risk Statement : SOX-RR-Revenue not recognized in the proper period

Control/ Control Objective 1 : SOX-RR-24 Non-US Deferred Revenue Reconciliation

Control/ Control Objective 2 : :SOX-RR-15 US Revenue Checklist

 

 

by applying the following control:

 

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if i could help you.
0 Helpfuls

Munny1
Tera Expert
In response to SANDEEP DUTTA

‎06-10-2025 04:30 AM - edited ‎06-10-2025 04:32 AM

Hi @SANDEEP DUTTA ,

 

Thanks for your response.

 

I understood that technically when we apply entity type to risk statement or control objective the risks or controls will generate automatically with the same name.

 

But If we want register a risk for risk statement as per below example manually.

In the similar way required a control objective and control example 

 

risk: "System Downtime
Risk Statement:"Due to outdated IT infrastructure, there is a risk of system downtime within the financial reporting system during peak

0 Helpfuls

SANDEEP DUTTA
Tera Patron
Tera Patron
In response to Munny1

‎06-10-2025 04:36 AM

Hi @Munny1 ,

That your Organization will tell you which control you need to apply for that Risk.

 

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if i could help you.
0 Helpfuls

SANDEEP DUTTA
Tera Patron
Tera Patron
In response to SANDEEP DUTTA

‎06-10-2025 07:34 AM

Hi @Munny1 ,

 

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if i could help you.
0 Helpfuls