• NotesOnDramboraPartIIAuditProcess

DRAMBORA Notes PART II: Audit Process

5.1-5.6 Introduction, Requirements, Definitions, Principles, Methodology and Stages

• The purpose of the toolkit is to facilitate the auditor in:
  • defining the mandate and scope of functions of the repository;
  • identifying the activities and assets of the repository;
  • identifying the risks and vulnerabilities associated with the mandate, activities and assets;
  • assessing and calculating the risks;
  • defining risk management measures;
  • reporting on the self-audit.
• Select the audit team with care.
• Evidential Requirements: Pages 29-30 contain a long list of documents (e.g. policy and procedure documentation), that should be aggregated before beginning the audit process.
• Time Estimate: 24-40 hours + preparation time (e.g. aggregate evidence).

• Definitions: Pages 32-34 contain the key terminology used in DRAMBORA (includes definitions of digital repository and functional class).

• Page 35: Score Interpretations. Risk Probability Score ranges from 1 to 6, and Risk Impact Score ranges from 0 to 6.
• Pages 36-37 is the Risk Description Template.
• The self-audit process tasks include identification of objectives, deriving activities and assets, documenting and grouping risks, developing organisation specific risk attributes and characterising the risks. Risk grouping may use the risk relationship table on page 39. The output should be a risk register (which should be updated periodically) as well as documentation on areas, where improvement is needed and priorities of these areas.
• Page 42: Self-audit Stages Diagram (see page 41 for diagram conventions).

The rest of part II (pages 43 to 104) has only been skimmed over.

Stage 1

Describe mandate and purpose; identify goals and objectives (within functional classes). The initial two stages will help identify repository boundaries, activities and stakeholder communities

Stage 2

Collect policy documents and regulatory documents that may be relevant to the repository (including legal and contractual frameworks) and analyse relevance to goals and objectives (and to the different operational functions). Page 60 provides a list of relevant acts and regulations in the UK as inspiration.

Stage 3

Develop a conceptual model of what the repository does and how it does it... By splitting mission and goals into more specific activities, we should develop a list of repository activities, assets and owners (the focus of this stage seems to be managerial). Methodologies for identifying functions and activities commonly used: hierarchical (or functional) analysis and process (or sequential) analysis (see page 65). Submission agreements? Activity and asset examples pages 68-73; look at the functional classes activity examples p. 71-73.

Stage 4

Derive repository risks from activities and assets. Consider the following kinds of risks:

• The assets or activities fail to achieve or adequately contribute towards the relevant goal(s) and objectives.
• Internal threats present obstacles to the success of one or more activities.
• External threats present obstacles to the success of one or more activities.
• Threats result in unauthorised disclosure, modification, corruption, destruction and unavailability or loss of repository's assets.

The result of this stage should be a list of risks categorised according to functional class, organisational objectives and identified activities and assets; and for each risk description, owner, type classificaton and optionally relationships with other risks. See generic list of risks pages 81-83.

Stage 5

Characterise risks and risk relationships and assess severity. See risk characteristics table pages 84-85, risk probability and impact scores pages 88-89, example risk description tables Appendix 3.

Stage 6

For each risk, determine how to approach... Risk management examples:

• Avoid the risk by not continuing with the activity that gives rise to the risk.
• Change the likelihood of the risk.
• Change the consequences to reduce losses.
• Share the risk (note that sharing or transfering a risk gives rise to the new risk of an external party not managing the risk effectively).
• Retain the risk.

In this stage the auditors should chooce a risk management strategy, describe the risk mitigation measure, assign responsibility for the risk mitigation activities and set target dates and results for the risk mitigation activities. See risk description table p. 98-99.

5.13 How to Interpret the Audit Result

Example of extended risk attribute tags p. 100-101. The self-audit should be followed up by risk maagement monitoring to ensure that the risk register is kept up to date and risks are re-evaluated and new risks managed as well. Example risk avoidance and treatment strategies p. 102-103.