Information System Audit : © South-Asian Management Technologies Foundation

Chapter 6: Risk Based Systems Audit


Risk based systems audit

• Risk identification,

• Prioritisation of audit objects based on identified risks, and

• Allocation of audit resources in line with the risk assessment.

• Shift from the functionality of audit object to the risk associated with its failure.


Concept of Risk

• A risk is the likelihood that the organisation would face a vulnerability being exploited or a threat becoming harmful:
  – Vulnerability
  – Threat
  – Exploitation


Risk based systems audit process

• Profiling of Risks

• Conducting Risk Assessment

• Audit prioritisation

• Audit of selected areas

• Reporting


Risk Assessment

• Identify possible sources of threat that can adversely affect achievement of the goal of the auditee. The threats can arise from:
  – Internal Factors
  – External Factors

• The risk assessment process also includes evaluating risks to determine which are controllable by the auditee and which are not.


Controllable Risk

• For risks that are controllable, the auditee must assess:
  – Whether to accept those risks, or
  – The extent to which it wishes to mitigate the risks through control procedures.


Uncontrollable Risk

• For those risks that cannot be controlled, the auditee must decide whether to:
  – Accept these risks
  – Withdraw from the activity
  – Reduce the level of business activity concerned


Risk Assessment Process

• The risk assessment process should include the following:
  – Identification of inherent business risks
    • These reflect the intrinsic risk existing in a particular area of operation or activity.
  – Evaluation of control risk
    • This arises out of inadequacies, deficiencies, or gaps in existing control systems, which contribute to the likely failure of the existing control processes.


Risk Assessment Process

• The risk assessment process would lead to:
  – Drawing up a risk matrix that takes into account both factors, viz. inherent business risks and control risks.


Risk Matrix

Rows: Inherent Business Risks. Columns: Control Risks. Each cell gives its letter and the resulting risk rating.

                          Control Risks
Inherent Business Risks   Low                 Medium               High
High                      A: High Risk        B: Very High Risk    C: Extremely High Risk
Medium                    D: Medium Risk      E: High Risk         F: Very High Risk
Low                       G: Low Risk         H: Medium Risk       I: High Risk


Risk and audit sample determination

• Sample size, determined by:
  – Mission Criticality
  – Investment

• Representation

• The information systems auditor must recognise that the lower the sample size, the greater is the possibility that an error
  – Sample size vis-à-vis audit risk


Audit Risk Assessment

• The risk that the unchecked portion contains material error.

• The risk that the auditor may not detect an error - detection risk.

• Audit risk (AR) is the product of combined risk assessment (CRA) and detection risk (DR): AR = CRA × DR.


Audit Risk Framework


Risk Audit Matrix

AUDIT RISK MATRIX. Rows: Magnitude of Risk (M). Columns: Frequency of Risk (F).

Magnitude of Risk (M)   Low F                 Medium F                 High F
High                    High M / Low F        High M / Medium F        High M / High F
Medium                  Medium M / Low F      Medium M / Medium F      Medium M / High F
Low                     Low M / Low F         Low M / Medium F         Low M / High F


Prioritisation

• Prioritise audit work to give greater attention to the areas of:
  – High magnitude and high frequency
  – High magnitude and medium frequency
  – Medium magnitude and high frequency
  – High magnitude and low frequency
  – Medium magnitude and medium frequency
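The Risk Matrix, the Audit Risk Assessment relation (AR = CRA × DR) and the prioritisation order above, brought together in an added Python example that is not part of the original slides: it encodes the inherent/control risk matrix and the five priority cells exactly as the chapter lists them, derives the detection risk an auditor can accept from a target audit risk, and ranks a constructed list of audit objects. The audit object names and levels, and the tie-breaking rule (combined rating first, then matrix priority), are assumptions made for the example.

```python
# Added example, not from the slides: encodes the chapter's risk matrix, its
# audit prioritisation order and AR = CRA x DR, then ranks constructed audit
# objects (names and levels below are made up, not from the chapter).
LEVELS = ("Low", "Medium", "High")
# Risk Matrix slide: rows = inherent business risk, columns = control risk.
RISK_MATRIX = {
    "High": {"Low": ("A", "High"), "Medium": ("B", "Very High"),
             "High": ("C", "Extremely High")},
    "Medium": {"Low": ("D", "Medium"), "Medium": ("E", "High"),
               "High": ("F", "Very High")},
    "Low": {"Low": ("G", "Low"), "Medium": ("H", "Medium"),
            "High": ("I", "High")},
}
RATING_ORDER = ("Low", "Medium", "High", "Very High", "Extremely High")
# Prioritisation slide: (magnitude, frequency) cells in the order listed;
# every other cell of the audit risk matrix ranks after them.
PRIORITY_CELLS = [("High", "High"), ("High", "Medium"), ("Medium", "High"),
                  ("High", "Low"), ("Medium", "Medium")]

def combined_risk(inherent, control):
    """Return (cell letter, rating) from the inherent x control matrix."""
    if inherent not in LEVELS or control not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[inherent][control]

def audit_priority(magnitude, frequency):
    """Rank from the audit risk matrix; 1 is the highest priority."""
    cell = (magnitude, frequency)
    if cell in PRIORITY_CELLS:
        return PRIORITY_CELLS.index(cell) + 1
    return len(PRIORITY_CELLS) + 1  # remaining cells share the lowest rank

def allowable_detection_risk(audit_risk, cra):
    """AR = CRA x DR, so the detection risk the auditor may accept is AR / CRA."""
    if not (0 < audit_risk <= 1 and 0 < cra <= 1):
        raise ValueError("risks are probabilities in (0, 1]")
    return min(1.0, audit_risk / cra)

def prioritise(objects):
    """objects: (name, inherent, control, magnitude, frequency) tuples.
    Highest combined rating first; ties broken by audit-matrix priority."""
    def key(o):
        rating = combined_risk(o[1], o[2])[1]
        return (-RATING_ORDER.index(rating), audit_priority(o[3], o[4]))
    return [o[0] for o in sorted(objects, key=key)]
# Constructed sample audit objects; run prioritise(SAMPLE) to rank them.
SAMPLE = [("payroll", "High", "Medium", "High", "Low"),
          ("intranet wiki", "Low", "Low", "Low", "High"),
          ("core banking", "High", "High", "High", "High"),
          ("backup jobs", "Medium", "High", "Medium", "Medium")]
```

A higher combined risk assessment leaves a smaller allowable detection risk, which is the chapter's link between risk and the amount of substantive testing (and hence sample size) the auditor must plan.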


Populating a Risk Matrix – Severity and Frequency Scale


Severity and Frequency Scale


Risk Management Strategy

• Accept – No mitigation tools designed

• Transfer - transferring the adverse exposure for a price

• Avoid - stay away from the activity

• Reduce - reducing the magnitude of loss or reducing the frequency of occurrence

• Classification of processes into:
  – Core processes
  – Internal service processes