One of the significant challenges facing auditors today is what to audit. The tighter integration of information systems and business processes, the continued complexity of these systems, limited resources, and the ever-increasing pace of business combine to make auditing everything an impossible task. One technique that management and auditors can use to allocate limited audit resources is a risk-based audit approach. The risk-based audit approach helps ensure that appropriate levels of protection are applied to information assets. A benefit of the risk-based approach to audit planning is that auditing resources are allocated to the areas of highest concern (risk).

Many types of risk are associated with business and auditing. These risks are identified during the planning stage of the audit and are used as the foundation for control review. Risk assessment is the process of reviewing the threats and vulnerabilities, their effects on the assets being audited, and the projected loss frequency and severity. The organization can then use the risk assessment to determine how to remediate risk to the lowest possible level. Keep in mind that risk can never be reduced to zero and that there is a finite amount of resources to mitigate risk. Risk mitigation consists of reducing risk to a tolerable level by implementing controls that reduce the risk; the remaining risk is called residual risk. Residual risk can be mitigated by transference to a third party.

A variety of risks are associated with business and the process of auditing:

- Business risk: The risk that a business will not achieve its stated business goals or objectives. Business risk can be affected by both internal and external factors.
- Security risk: The risk that unauthorized access to data will adversely affect the integrity of that data. Poor data integrity can lead to poor decision making and contribute to business risk.
- Continuity risk: The risk associated with systems availability and the capability to recover from backups.
- Audit risk: The risk that the information in financial reports might contain material errors or that the IS auditor might not detect an error that has occurred. This term is also used to describe the level of risk an auditor is prepared to accept during an audit engagement. A material error is an error that should be considered significant to any party concerned with the item in question.
- Inherent risk: The risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error. Inherent risk is the susceptibility of an area or process to an error that could be material. An example is an authorized program that has exits (trap doors), because they provide flexibility for inserting code to modify or add functionality.
- Control risk: The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls.
- Detection risk: The risk that results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.

An auditor should create and follow a specific predefined set of processes to set control objectives, gather evidence, review the evidence, and produce a findings conclusion and recommendations. The following steps help define your responsibilities as an auditor:

1. Plan the IT audit engagement based on an assessed level of risk that irregular and illegal acts might occur, and that such acts could be material to the subject matter of the IS auditor's report.
2. Design audit procedures that consider the assessed risk level for irregular and illegal acts.
3. Review the results of the audit procedures for indications of irregular and illegal acts.
4. Assume that acts are not isolated.
5. Determine how the act slipped through the internal control system.
6. Broaden audit procedures to consider the possibility of more acts of this nature.
7. Conduct additional audit procedures.
8. Evaluate the results of the expanded audit procedures.
9. Consult with legal counsel and possibly corporate governance bodies to estimate the potential impact of the irregular and illegal acts, taken as a whole, on the subject matter of the engagement, the audit report, and the organization.
10. Report all facts and circumstances of the irregular and illegal acts (whether suspected or confirmed) if the acts have a material effect on the subject matter of the engagement or the organization.
11. Distribute the report to the appropriate internal parties, such as managers who are at least one level above those who are suspected or confirmed to have committed the acts, or corporate governance.