Information System Audit : © South-Asian Management Technologies Foundation
Chapter 6: Risk Based
Systems Audit
Risk based systems audit
• Risk identification,
• Prioritisation of audit objects based on identified risks, and
• Allocation of audit resources in line with the risk assessment.
• Shift from the functionality of audit object to the risk associated with its failure.
Concept of Risk
• A risk is the likelihood that the organisation would face a vulnerability being exploited or a threat becoming harmful
 – Vulnerability
 – Threat
 – Exploitation
Risk based systems audit process
• Profiling of Risks
• Conducting Risk Assessment
• Audit prioritisation
• Audit of selected areas
• Reporting
Risk Assessment
• Identify possible sources of threat that can adversely affect achievement of the goal of the auditee. The threats can arise from
 – Internal Factors
 – External Factors
• The risk assessment process also includes evaluating risks to determine which are controllable by the auditee and which are not.
Controllable Risk
• For risks that are controllable, the auditee must assess
 – Whether to accept those risks, or
 – The extent to which it wishes to mitigate the risks through control procedures.
Uncontrollable Risk
• For those risks that cannot be controlled, the auditee must decide
 – Whether to accept these risks
 – Withdraw from the activity
 – Reduce the level of business activity concerned
Risk Assessment Process
• The risk assessment process should include the following:
 – Identification of inherent business risks
   • These reflect the intrinsic risk existing in a particular area of operation or activity
 – Evaluation of control risk
   • This arises out of inadequacies, deficiencies, or gaps in existing control systems that contribute to likely failure of the existing control processes
Risk Assessment Process
• The risk assessment process would lead to:
 – Drawing up a risk matrix that takes into account both factors, viz. inherent business risks and control risks.
Risk Matrix
(rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risks   Control Risk: Low      Control Risk: Medium   Control Risk: High
High                      A  High Risk           B  Very High Risk      C  Extremely High Risk
Medium                    D  Medium Risk         E  High Risk           F  Very High Risk
Low                       G  Low Risk            H  Medium Risk         I  High Risk
Risk and audit sample determination
• Sample size
 – Mission Criticality
 – Investment
• Representation
• The information systems auditor must recognise that the lower the sample size, the greater is the possibility that an error
 – Sample size vis-à-vis audit risk
Audit Risk Assessment
• The risk that the unchecked portion contains material error.
• The risk that the auditor may not detect an error - detection risk.
• Audit risk (AR) is the product of combined risk assessment (CRA) and detection risk (DR).
Audit Risk Framework
Audit Risk Matrix
(rows: Magnitude of Risk (M); columns: Frequency of Risk (F))

Magnitude of Risk (M)   Frequency: Low       Frequency: Medium       Frequency: High
High                    High M, Low F        High M, Medium F        High M, High F
Medium                  Medium M, Low F      Medium M, Medium F      Medium M, High F
Low                     Low M, Low F         Low M, Medium F         Low M, High F
Prioritisation
• Prioritise audit work to give greater attention to the areas of:
 – High magnitude and high frequency
 – High magnitude and medium frequency
 – Medium magnitude and high frequency
 – High magnitude and low frequency
 – Medium magnitude and medium frequency
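The following is an added worked example, not part of the slide deck, that turns the deck's two matrices and its prioritisation rule into code: the risk matrix (inherent business risk x control risk, cells A to I), the audit risk matrix (magnitude x frequency) with the five priority cells in the order the deck lists them, and the relation AR = CRA x DR. The audit universe, the 48-day budget, the ranking of the four cells the deck does not list (descending magnitude, then frequency) and the "weight = 9 minus rank" allocation rule are all assumptions made for the example.

```python
"""Risk-based audit prioritisation, as an added example built on the slides.

Encodes the deck's risk matrix and audit risk matrix, orders audit objects
by the deck's prioritisation list, and splits an audit-day budget by rank.
Sample audit objects, the day budget, the ordering of unlisted matrix cells
and the allocation weights are assumptions, not content from the deck.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

# Risk matrix from the deck: row = inherent business risk, column = control risk.
RISK_MATRIX = {
    "High":   {"Low": ("A", "High Risk"),   "Medium": ("B", "Very High Risk"), "High": ("C", "Extremely High Risk")},
    "Medium": {"Low": ("D", "Medium Risk"), "Medium": ("E", "High Risk"),      "High": ("F", "Very High Risk")},
    "Low":    {"Low": ("G", "Low Risk"),    "Medium": ("H", "Medium Risk"),    "High": ("I", "High Risk")},
}

# Deck's prioritisation list for (magnitude, frequency) cells, highest attention first.
PRIORITY_ORDER = [
    ("High", "High"), ("High", "Medium"), ("Medium", "High"),
    ("High", "Low"), ("Medium", "Medium"),
]
# Assumption: the four cells the deck does not list follow, by descending
# magnitude and then descending frequency.
_UNLISTED = [(m, f) for m in reversed(LEVELS) for f in reversed(LEVELS)
             if (m, f) not in PRIORITY_ORDER]
MAX_RANK = len(PRIORITY_ORDER) + len(_UNLISTED) - 1  # 8: nine cells, ranks 0..8


def rate_risk(inherent, control):
    """Return (cell letter, rating) from the risk matrix; rejects unknown levels."""
    if inherent not in LEVELS or control not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}: {inherent!r}, {control!r}")
    return RISK_MATRIX[inherent][control]


def priority_rank(magnitude, frequency):
    """0 = highest attention. Deck-listed cells first, then the assumed order."""
    cell = (magnitude, frequency)
    if cell in PRIORITY_ORDER:
        return PRIORITY_ORDER.index(cell)
    return len(PRIORITY_ORDER) + _UNLISTED.index(cell)


def audit_risk(cra, dr):
    """Deck's relation: audit risk is the product of combined risk assessment and detection risk."""
    return cra * dr


def required_detection_risk(target_ar, cra):
    """Rearranged AR = CRA x DR: the detection risk the auditor may tolerate for a target AR."""
    return target_ar / cra


@dataclass(frozen=True)
class AuditObject:
    name: str
    inherent: str   # inherent business risk level
    control: str    # control risk level
    magnitude: str  # magnitude of risk (M)
    frequency: str  # frequency of risk (F)


def prioritise(objects):
    """Order audit objects by the deck's prioritisation rule (ties broken by name)."""
    return sorted(objects, key=lambda o: (priority_rank(o.magnitude, o.frequency), o.name))


def allocate_days(objects, total_days):
    """Split total_days by weight (assumed: 9 minus rank); leftover days go to the top ranks."""
    ranked = prioritise(objects)
    weights = [MAX_RANK + 1 - priority_rank(o.magnitude, o.frequency) for o in ranked]
    total_w = sum(weights)
    shares = [total_days * w // total_w for w in weights]
    for i in range(total_days - sum(shares)):  # remainder is at most len(ranked) - 1
        shares[i] += 1
    return {o.name: d for o, d in zip(ranked, shares)}


# Constructed sample audit universe (assumed values, not from the deck).
SAMPLE_UNIVERSE = [
    AuditObject("Payroll", "High", "Medium", "High", "Medium"),
    AuditObject("Web portal", "High", "High", "High", "High"),
    AuditObject("Canteen billing", "Low", "Low", "Low", "Low"),
    AuditObject("Backup restore", "Medium", "High", "High", "Low"),
]

if __name__ == "__main__":
    for obj in prioritise(SAMPLE_UNIVERSE):
        cell, rating = rate_risk(obj.inherent, obj.control)
        print(f"{obj.name:16s} cell {cell} ({rating}); priority rank {priority_rank(obj.magnitude, obj.frequency)}")
    print(allocate_days(SAMPLE_UNIVERSE, 48))
```

Running the block prints the four sample objects in the order Web portal, Payroll, Backup restore, Canteen billing and allocates 18, 16, 12 and 2 of the 48 days to them; the `required_detection_risk` helper shows how a planned audit risk and a combined risk assessment fix the detection risk the sample must achieve.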
Populating a Risk Matrix – Severity and Frequency Scale
Severity and Frequency Scale
Risk Management Strategy
• Accept – No mitigation tools designed
• Transfer - transferring the adverse exposure for a price
• Avoid - stay away from the activity
• Reduce - reducing the magnitude of loss or reducing the frequency of occurrence
• Classification of processes into
 – Core processes
 – Internal service processes