ISACA - Use of Risk Assessment in Audit Planning
Auditing Standards, Guidelines and Procedures

The specialised nature of information systems (IS) auditing, and the skills necessary to perform such audits, require standards that apply specifically to IS auditing. One of the Information Systems Audit and Control Association, Inc.'s (ISACA's) goals is therefore to advance globally applicable standards to meet this need. The development and dissemination of IS Auditing Standards are a cornerstone of the ISACA's professional contribution to the audit community.

Objectives

The objectives of the ISACA's IS Auditing Standards are to inform:
- IS Auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS Auditors
- Management and other interested parties of the profession's expectations concerning the work of practitioners

The framework for the ISACA's IS Auditing Standards provides for multiple levels of standards, as follows:

Standards define mandatory requirements for IS auditing and reporting.

Guidelines provide guidance in applying IS auditing standards. The IS Auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.

Procedures provide examples of procedures an IS Auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

The ISACA Code of Professional Ethics requires members of the

The ISACA Standards Board is committed to wide consultation in the preparation of IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.

The Standards Board has an on-going development programme, and would welcome the input of members of the ISACA and holders of the CISA designation to identify emerging issues requiring new standards products. Any suggestions should be e-mailed ([email protected]), faxed (+1.847.253.1443), or mailed (address at the end of Guideline) to ISACA's International Office for the attention of the Director of Research, Standards and Academic Relations.

Withdrawal of Previously

STANDARDS BOARD
Chair, Stephen W. Head, CISA, CPA, CPCU, CMA, CFE, CISSP, CBCP Royal & SunAlliance, USA
Claudio Cilli, CISA, Ph.D Ernst & Young, Italy
Svein Erik Dovran, CISA The Banking Insurance and Securities Commission of Norway
Maria E. Leonard, CISA Fleet Financial Group, USA
Fred Lilly, CISA, CPA Fred L. Lilly, CPA, USA
Andrew J. MacLeod, CISA, FCPA, MACS, PCP Brisbane City Council, Australia
Venkatakrishnan Vatsaraman, CISA, ACA, AICWA Emirates Airlines, United Arab Emirates
Sander S. Wechsler, CISA, CPA BDO Seidman, LLP, USA
BACKGROUND

Linkage to Standards

Standard 050.010 (Audit Planning) states "The Information Systems Auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards."

Standard 060.020 (Evidence) states "During the course of the audit, the Information Systems Auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

Paragraph 2.2.2 of the IS Auditing Guideline on Planning the IS Audit states "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with relatively high risk of existence of material problems."

Need for Guideline

The level of audit work required to meet a specific audit objective is a subjective decision made by the IS Auditor. The risk of reaching an incorrect conclusion based on the audit findings (audit risk) is one aspect of this decision. The other is the risk of errors occurring in the area being audited (error risk). Recommended practices for risk assessment in carrying out financial audits are well documented in auditing standards for financial auditors, but guidance is required on how to apply such techniques to IS audits.

Management also bases their decisions on how much control is appropriate upon assessment of the level of risk exposure which they are prepared to accept. For example, the inability to process computer applications for a period of time is an exposure that could result from unexpected and undesirable events (e.g. data centre fire). Exposures can be reduced by the implementation of appropriately designed controls. These controls are ordinarily based upon probabilistic estimation of the occurrence of adverse events, and are intended to decrease such probability. For example, a fire alarm does not prevent fires, but is intended to reduce the extent of fire damage.

This Guideline provides guidance in applying IS auditing standards. The IS Auditor should consider it in determining how to achieve implementation of the above Standards, use professional judgment in its application and be prepared to justify any departure.

PLANNING

Selection of a Risk Assessment Methodology

There are many risk assessment methodologies, computerised and non-computerised, available from which the IS Auditor may choose. These range from simple classifications of high, medium and low, based on the IS Auditor's judgment, to complex and apparently scientific calculations to provide a numeric risk rating. The IS Auditor should consider the level of complexity and detail appropriate for the organisation being audited.

All risk assessment methodologies rely on subjective judgments at some point in the process (e.g. for assigning weightings to the various parameters). The IS Auditor should identify the subjective decisions required in order to use a particular methodology and consider whether these judgments can be made and validated to an appropriate level of accuracy.

In deciding which is the most appropriate risk assessment methodology, the IS Auditor should consider such things as:
- The type of information required to be collected (some systems use financial effect as the only measure - this is not always appropriate for IS audits)
- The cost of software or other licenses required to use the methodology
- The extent to which the information required is already available
- The amount of additional information required to be collected before reliable output can be obtained, and the cost of collecting this information (including the time required to be invested in the collection exercise)
- The opinions of other users of the methodology, and their views of how well it has assisted them in improving the efficiency and/or effectiveness of their audits
- The willingness of management to accept the methodology as the means of determining the type and level of audit work carried out

No single risk assessment methodology can be expected to be appropriate in all situations. Conditions affecting audits may change over time. Periodically, the IS Auditor should re-evaluate the appropriateness of the chosen risk assessment methodologies.

Use of Risk Assessment

The IS Auditor should use the selected risk assessment techniques in developing the overall audit plan and in planning specific audits. Risk assessment, in combination with other audit techniques, should be considered in making planning decisions such as:
- The nature, extent, and timing of audit procedures
- The areas or business functions to be audited
- The amount of time and resources to be allocated to an audit

The IS Auditor should consider each of the following types of risk to determine their overall level:
- Inherent risk
- Control risk
- Detection risk

Inherent Risk

Inherent risk is the susceptibility of an audit area to error which could be material, individually or in combination with other errors, assuming that there were no related internal controls. For example, the inherent risk associated with operating system security is ordinarily high since changes to, or even disclosure of, data or programs through operating system security weaknesses could result in false management information or competitive disadvantage. By contrast, the inherent risk associated with security for a stand-alone PC, when a proper analysis demonstrates it is not used for business-critical purposes, is ordinarily low.

Inherent risk for most IS audit areas is ordinarily high since the potential effect of errors ordinarily spans several business systems and many users.

In assessing the inherent risk, the IS Auditor should consider both pervasive and detailed IS controls. This does not apply to circumstances where the IS Auditor's assignment is related to pervasive IS controls only.

At the pervasive IS control level, the IS Auditor should consider, to the level appropriate for the audit area in question:
- The integrity of IS management and IS management experience and knowledge
- previous audits in this area
- The complexity of the systems involved
- The level of manual intervention required
- The susceptibility to loss or misappropriation of the assets controlled by the system (e.g. inventory, and payroll)
- The likelihood of activity peaks at certain times in the audit period
- Activities outside the day-to-day routine of IS processing (e.g. the use of operating system utilities to amend data)
- The integrity, experience and skills of the management and staff involved in applying the IS controls

Control Risk

Control risk is the risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system. For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed owing to the volume of logged information. The control risk associated with computerised data validation procedures is ordinarily low because

testing

The higher the assessment of inherent and control risk the more audit evidence the IS Auditor should normally obtain from the performance of substantive audit procedures.

PERFORMANCE OF AUDIT WORK

Documentation

The IS Auditor should consider documenting the risk assessment technique or methodology used for a specific audit. The documentation should ordinarily include:
- A description of the risk assessment methodology used
- The identification of significant exposures and the corresponding risks
- The risks and exposures the audit is intended to address
- The audit evidence used to support the IS Auditor's assessment of risk

EFFECTIVE DATE

This Guideline is effective for all information systems audits beginning on or after 1 September 2000.

an audit area to error which could be material, individually or in combination with other errors, assuming that there were no related internal controls.

Pervasive IS Control: general controls which are designed to manage and monitor the IS environment and which therefore affect all IS-related activities.

Risk: the possibility of an act or event occurring that would have an adverse effect on the organisation and its information systems.

Risk Assessment: a process used to identify and evaluate risks and their potential effect.

Substantive Testing: tests of detailed activities and transactions, or analytical review tests, designed to obtain audit evidence on the completeness, accuracy or existence of those activities or transactions during the audit period.

Copyright 2000
Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web Site: http://www.isaca.org