IT Risk & Audit: Risk Analysis, Mitigation & Assessment
13 Questions

Questions and Answers

What is the goal of risk analysis?

To determine the risks and vulnerabilities to plan controls

What must the auditor understand in the auditing process?

  • Common business risks
  • Related technology risks
  • Relationship between risks and controls
  • All of the above (correct)

Risk analysis involves determining the risks associated with IT services within an enterprise.

True

Risk mitigation involves identifying controls that can reduce the potential ________.

loss

Match the following risks with their impacts:

  • Financial risk = Damage financially
  • Regulatory risk = Regulatory violations
  • Operational risk = Operational outages
  • IT risk = Risks associated with IT and its dependencies

What is the purpose of compliance testing in an IS audit?

To gather evidence that tests whether the organization is complying with its control procedures.

What is the main difference between compliance testing and substantive testing?

Compliance testing tests whether control procedures are being followed; substantive testing evaluates the integrity of transactions, data, or other information.

Compliance and substantive testing can be used together in an audit.

True

Audit risk is the risk that an auditor issues an incorrect opinion on the financial statements. The calculation of audit risk is: Audit risk = Control risk x Detection risk x ____________ risk.

inherent

What is the main purpose of audit sampling?

To save time and costs by examining less than 100% of the items while still drawing a conclusion about the whole population

Sampling risk is the risk that audit tests do not uncover existing exceptions in the sample.

False. That describes non-sampling risk (the auditor fails to recognize an exception, or the audit procedure is inappropriate or ineffective). Sampling risk is the risk that the auditor reaches an incorrect conclusion because the sample is not representative of the population.

Define a representative sample in auditing.

A representative sample is one in which the characteristics of audit interest in the sample are approximately the same as those of the population.

Statistical sampling applies the laws of probability theory to assist the auditor in designing a sampling plan and subsequently evaluating the results of the sample, whereas non-statistical sampling is solely based on the ___________.

auditor’s judgment

    Study Notes

    Risk Analysis, Mitigation, and Assessment

    Risk Analysis

    • The goal of risk analysis is to determine risks and vulnerabilities to plan controls that can lessen those risks.
    • The auditor must understand the relationship between risks and controls.
    • Key points for the auditor to know:
      • The purpose and nature of the business and its environment.
      • The business's dependence on technology.
      • Other risks associated with IT and dependencies that can impact the business's goals.

    Risk IT Framework

    • ISACA's Risk IT framework is built on guiding principles and sets out business processes and management guidelines for managing IT risk.
    • The framework defines risk as the potential that a given threat will exploit vulnerabilities of an asset, causing harm to the organization.

    Risk Analysis Components

    • Assets of the organization: the processes or objectives of the business that a realized risk would harm.
    • Impacts of risk on those assets (matching the risk categories above):
      • Financial risk: financial damage.
      • Regulatory risk: regulatory violations.
      • Operational risk: operational outages.
    • Risk assessment lifecycle:
      • Identify business objectives.
      • Identify information assets.
      • Identify systems that generate or store information.
      • Identify systems that manipulate assets.

    Risk Mitigation

    • Risk mitigation involves identifying controls that can reduce potential loss.
    • Cost-benefit analysis is necessary for controls:
      • What is the cost of the control?
      • How will the control minimize the risk?
      • What level of risk will the organization accept?
      • What is the preferred risk reduction method?

    Risk Assessment Process

    • Perform periodic risk re-evaluation; the steps below repeat each cycle.
    • Identify business objectives.
    • Identify information assets.
    • Perform risk assessment and risk treatment.
    • Perform risk mitigation.

    Risk-Based Auditing

    • Risk-based auditing assesses risk and helps the auditor decide on the nature and extent of testing.
    • The auditor should not rely solely on risk, but also on internal and operational controls and knowledge of the company's operations.
    • Risk model assessment:
      • Weights for the types of risks.
      • Weight-based rating depending on the significance of the risk and the asset being protected.

    Audit Risk and Materiality

    • Audit risk is the risk that the auditor issues an incorrect opinion; acceptable audit risk is the level of that risk the auditor is prepared to accept for the engagement.
    • Materiality refers to an error that is significant to the parties concerned with the audit.
    • The auditor should have a good understanding of audit risks when planning the audit.
    • Audit risk can be reduced using proper statistical sampling or a strong quality control process.

    Assessing Security Risks

    • The auditor should be familiar with the organization's approach to risk assessment and treatment.
    • Risk assessment should identify, quantify, and prioritize risks against the criteria set forth for risk acceptance.
    • Risk criteria can set priorities for managing security risks and implementing controls to mitigate those risks.

    Treating Risks

    • Before deciding on risk treatment, there should be criteria that determine whether risks can be accepted.
    • Possible options for risk treatment include:
      • Reducing risk using controls.
      • Accepting risks that meet the organization's policy criteria.
      • Avoiding risks by stopping actions that could cause them.
      • Transferring risks to insurers or suppliers.

    Controls and Risk Treatment

    • Controls should be selected based on their ability to reduce risk to an acceptable level.
    • Considerations for selecting controls:
      • Requirements and constraints of regulations.
      • Understanding organizational objectives and operational requirements.
      • Cost-effectiveness.

    Risk Assessment Techniques

    • Risk assessment techniques include:
      • Scoring systems to prioritize audits based on risk factors.
      • Judgmental approaches based on business knowledge and management directives.
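The weight-based risk model described under Risk-Based Auditing and the scoring approach listed above, worked through in code. This is an added example, not material from the notes or from ISACA: the risk factors, weights, ratings and audit-frequency thresholds are assumptions for illustration, and an audit function would set its own from management direction and business knowledge.

```python
"""Weighted risk scoring to prioritize an audit universe (added example)."""
from dataclasses import dataclass

# Factor weights (assumed). They must sum to 1 so scores stay on the 1..5 scale.
WEIGHTS = {
    "financial": 0.30,          # potential financial damage
    "regulatory": 0.25,         # exposure to regulatory violations
    "operational": 0.20,        # potential for operational outages
    "it_dependency": 0.15,      # reliance on IT systems and their dependencies
    "time_since_audit": 0.10,   # how stale the last audit coverage is
}


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    ratings: dict   # factor -> rating on a 1 (low) .. 5 (high) scale


def score_unit(ratings, weights=WEIGHTS):
    """Weighted risk score; rejects malformed weights or ratings."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    missing = set(weights) - set(ratings)
    if missing:
        raise ValueError(f"missing ratings for {sorted(missing)}")
    for factor in weights:
        if not 1 <= ratings[factor] <= 5:
            raise ValueError(f"{factor} rating {ratings[factor]} outside 1..5")
    return round(sum(weights[f] * ratings[f] for f in weights), 3)


def audit_frequency(score):
    """Planned audit cycle for a score (thresholds assumed)."""
    if score >= 4.0:
        return "annual"
    if score >= 3.0:
        return "every 2 years"
    return "every 3 years"


def prioritize(units, weights=WEIGHTS):
    """Rank units by descending score; ties broken by name for a stable plan."""
    scored = sorted(((u.name, score_unit(u.ratings, weights)) for u in units),
                    key=lambda t: (-t[1], t[0]))
    return [(name, score, audit_frequency(score)) for name, score in scored]


# Constructed audit universe with made-up ratings.
UNITS = [
    AuditableUnit("Payroll", {"financial": 5, "regulatory": 4, "operational": 3,
                              "it_dependency": 4, "time_since_audit": 2}),
    AuditableUnit("Customer web portal", {"financial": 4, "regulatory": 3, "operational": 5,
                                          "it_dependency": 5, "time_since_audit": 4}),
    AuditableUnit("Office facilities", {"financial": 2, "regulatory": 1, "operational": 2,
                                        "it_dependency": 1, "time_since_audit": 5}),
]

if __name__ == "__main__":
    for name, score, cycle in prioritize(UNITS):
        print(f"{name:<22} {score:.2f}  {cycle}")
```

The validation matters in practice: a weight set that does not sum to 1, or a rating outside the scale, silently distorts the ranking, and the ranking is what decides where audit hours go.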

    Audit Objectives

    • Audit objectives are the specific goals that must be accomplished during the audit.
    • Example of an audit objective:
      • Substantiating that internal controls exist to minimize business risks.
    • Wide-ranging control objectives must be translated into specific audit objectives.

    Compliance vs. Substantive Testing

    • Compliance testing is gathering evidence to test if an organization is in compliance with control procedures.
    • Substantive testing is evaluating the integrity of transactions, data, or other information.
    • Both compliance and substantive testing can work together to improve the audit.

    Audit Sampling 101

    • Audit sampling is the application of an audit procedure to less than 100% of the items within an account balance or class of transactions for the purpose of drawing a general conclusion about the account balance or the entire group of transactions based on the characteristics detected in the sample.

    When is Sampling Used?

    • Sampling is generally used in field audits when it is not efficient to review 100% of the records.
    • Sampling may also be used if records are missing or other circumstances make reviewing all of the records difficult.

    Representative Sample

    • A representative sample is one in which the characteristics in the sample of audit interest are approximately the same as those of the population.
    • Two things cause a sample to be non-representative: non-sampling risk and sampling risk.

    Non-Sampling Risk

    • Non-sampling risk is the risk that the audit tests do not uncover existing exceptions in the sample.
    • The two causes are: auditor failure to recognize exceptions and inappropriate or ineffective audit procedures.

    Sampling Risk

    • Sampling risk is the risk that an auditor reaches an incorrect conclusion because the sample is not representative of the population.
    • This can be controlled by: adjusting the sample size and using an appropriate method of selecting sample items.

    Audit Risk

    • Audit Risk = Inherent Risk X Control Risk X Detection Risk (the audit risk model)
    • Seen from the testing side, audit risk combines Sampling Risk and Non-Sampling Risk; this is a decomposition of the risk that a sample-based test reaches the wrong conclusion, not a second formula to multiply with the first.
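
The audit risk model rearranged to show how it is used at planning time, added here as a worked example (the numerical values are assumed for illustration and are not taken from the notes):

$$AR = IR \times CR \times DR \quad\Longrightarrow\quad DR = \frac{AR}{IR \times CR}$$

With an acceptable audit risk $AR = 0.05$, an assessed inherent risk $IR = 0.8$ and a control risk $CR = 0.5$ (controls tested and partly relied upon):

$$DR = \frac{0.05}{0.8 \times 0.5} = 0.125$$

If compliance testing finds the controls unreliable and $CR$ is reassessed at $1.0$, the detection risk the auditor can tolerate halves:

$$DR = \frac{0.05}{0.8 \times 1.0} = 0.0625$$

so substantive testing must be extended (a larger sample, or a lower accepted risk of incorrect acceptance) to hold overall audit risk at $0.05$.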

    Statistical vs. Non-Statistical Sampling

    • Statistical sampling applies the laws of probability theory to assist the auditor in designing a sampling plan and subsequently evaluating the results of the sample.
    • Non-statistical sampling is solely based on the auditor’s judgment.

    Statistical Sampling

    • Statistical sampling provides a means of mathematically evaluating the outcome of the sampling plan by applying the laws of probability to measure the likelihood that sample results are representative of the population.
    • Probabilistic sample selection selects a sample in a way that each population item has a known probability of being included in the sample and the sample is randomly selected.

    Methods of Probabilistic Sample Selection

    • Simple Random Number Selection – all items of the population have an equal chance of being selected.
    • Systematic Sample Selection – auditor determines an interval and selects items on the basis of the interval.
    • Probability Proportional to Size – probability of selecting an item is proportional to its recorded amount.
    • Stratified Sample – divide the population into subpopulations and use different selection criteria for each subpopulation.
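The four probabilistic selection methods listed above, implemented over a small constructed invoice population. This is an added example, not code from the notes: the invoice ids, amounts, sample sizes and strata boundaries are made up, and a fixed seed is used because the auditor must be able to document and reproduce how the sample was drawn.

```python
"""Probabilistic sample selection methods (added example)."""
import bisect
import random

# Constructed population: invoice id -> recorded amount (currency units)
POPULATION = {
    f"INV-{i:03d}": amount
    for i, amount in enumerate(
        [120, 4500, 80, 950, 13000, 300, 2200, 60, 700, 8800,
         150, 410, 25000, 90, 1300, 520, 75, 3100, 640, 2000],
        start=1,
    )
}


def simple_random(population, n, seed=1):
    """Every item has an equal chance of selection."""
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(population), n))


def systematic(population, n, seed=1):
    """Pick a random start, then every `interval`-th item in ordered sequence."""
    items = sorted(population)
    interval = len(items) // n
    if interval < 1:
        raise ValueError("sample size exceeds population size")
    start = random.Random(seed).randrange(interval)
    return [items[start + k * interval] for k in range(n)]


def pps(population, n, seed=1):
    """Probability proportional to size (monetary-unit sampling): each currency
    unit is a sampling unit, so an item's chance of selection is proportional
    to its recorded amount. Any item larger than the sampling interval is
    certain to be selected."""
    items = sorted(population)
    total = sum(population.values())
    interval = total / n
    start = random.Random(seed).uniform(0, interval)
    targets = [start + k * interval for k in range(n)]
    chosen, cumulative, t = [], 0.0, 0
    for item in items:
        cumulative += population[item]
        while t < n and targets[t] <= cumulative:
            chosen.append(item)      # a large item may hit several targets
            t += 1
    return list(dict.fromkeys(chosen))   # de-duplicate, keep selection order


def stratified(population, boundaries, sizes, seed=1):
    """Divide the population into strata by amount (each item falls in exactly
    one stratum), then sample each stratum; a size of None means examine all."""
    rng = random.Random(seed)
    strata = {s: [] for s in range(len(boundaries) + 1)}
    for item in sorted(population):
        strata[bisect.bisect_right(boundaries, population[item])].append(item)
    sample = {}
    for s, items in strata.items():
        size = sizes[s]
        sample[s] = (sorted(items) if size is None
                     else sorted(rng.sample(items, min(size, len(items)))))
    return sample


if __name__ == "__main__":
    print("simple random:", simple_random(POPULATION, 5))
    print("systematic:   ", systematic(POPULATION, 5))
    print("PPS:          ", pps(POPULATION, 5))
    print("stratified:   ", stratified(POPULATION, [1000, 10000], [3, 2, None]))
```

With a total of 63,995 and a sample of 5, the PPS interval is 12,799, so the two invoices above that amount (13,000 and 25,000) are always selected whatever the random start; the stratified call puts the same two invoices in a top stratum that is examined in full.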

    Stratification

    • The process of dividing a population into subpopulations that have similar characteristics.
    • Strata must be defined so that each sampling unit can only be in one stratum.

    Disadvantages of Statistical Sampling

    • Auditors may overvalue the evidence it provides.
    • It can reduce auditor skepticism.
    • It increases cost: auditors must be trained in the methods, and samples must be designed statistically.

    Nonstatistical Sampling

    • In nonstatistical sampling, the auditor does not quantify sampling risk.
    • Instead, those sample items that the auditor believes will provide the most useful information are selected.

    Methods of Nonprobabilistic Sample Selection

    • Direct sample selection – auditor selects items based on judgmental criteria such as likelihood of misstatement, characteristics such as different time periods, or large dollar amounts.
    • Block sample selection – selection of a number of items in sequence.
    • Haphazard sample selection – selection of items without any conscious bias on the part of the auditor.

    Rule #1

    • When designing the size and structure of an audit sample, auditors should consider the specific audit objectives, the nature of the population, and the sampling and selection methods.

    Applications of Sampling in the Audit

    • Attribute Sampling (Test of Controls) – the use of sampling for compliance testing (qualitative characteristic: does the control operate or not)
    • Variables Sampling (Test of Account Balances) – the use of sampling for substantive tests of the client’s account balances (quantitative characteristic: how much is the balance misstated)

    Sampling Risk in Attribute Sampling

    • Risk of Underreliance – Control Risk Too High
    • Risk of Overreliance – Control Risk Too Low

    Sampling Risk in Variables Sampling

    • Risk of Incorrect Rejection – Auditor’s sample indicates that the account balance is materially misstated even though it is fairly stated.
    • Risk of Incorrect Acceptance – Auditor’s sample indicates that the account balance is fairly stated even though the account balance is materially misstated.

    Sample Characteristics

    • Precision – Represents the closeness of the auditor’s sample estimate to the true (but unknown) population value.
    • Reliability – is the probability that the auditor’s sample provides a sample estimate that is of a specified precision.

    Steps in the Sampling Process

    • Planning the Sample (Steps 1-9)
    • Select the Sample and Perform the Tests (Steps 10-11)
    • Evaluate the Results (Steps 12-14)

    Terms Used in Sample Planning

    • Characteristics or Attribute Sampling
    • Variable Sampling
    • Audit Objectives
    • Sampling Unit
    • Population
    • Stratification
    • Tolerable Error
    • Expected Error
    • Sample Size
    • Sampling Risk
    • Risk of Incorrect Acceptance
    • Risk of Incorrect Rejection
    • Level of Sampling Risk
    • Exception
    • Sample Exception Rate
    • Computed Upper Exception Rate
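The attribute-sampling terms above (tolerable error, expected error, sample size, risk of overreliance, sample exception rate and computed upper exception rate) worked through in code for a test of controls. This is an added example, not code from the notes: it evaluates the sample with the exact binomial distribution, which is the basis of the published attribute-sampling tables, so the results agree with those tables to rounding. The tolerable rate, expected rate and accepted risk of overreliance used in the calls are assumed values for illustration.

```python
"""Attribute sampling: plan the sample size and evaluate the result (added example)."""
from math import ceil, comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, x) * p ** x * (1 - p) ** (n - x) for x in range(k + 1))


def plan_sample_size(tolerable_rate, expected_rate, risk_of_overreliance, max_n=5000):
    """Smallest n such that, if the true exception rate equalled the tolerable
    rate, seeing no more than the expected number of exceptions would happen
    with probability <= the accepted risk of overreliance. Returns (n, allowable
    exceptions in the sample)."""
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("need 0 <= expected rate < tolerable rate < 1")
    for n in range(1, max_n + 1):
        k = ceil(round(n * expected_rate, 9))   # allowable exceptions in the sample
        if binom_cdf(k, n, tolerable_rate) <= risk_of_overreliance:
            return n, k
    raise ValueError("no sample size found; raise the tolerable rate or the accepted risk")


def computed_upper_exception_rate(n, exceptions, risk_of_overreliance):
    """Smallest population exception rate p for which finding <= `exceptions`
    in n items has probability <= the risk of overreliance: a one-sided upper
    bound found by bisection, since P(X <= k) falls as p rises."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(exceptions, n, mid) <= risk_of_overreliance:
            hi = mid
        else:
            lo = mid
    return hi


def evaluate(n, exceptions, tolerable_rate, risk_of_overreliance):
    """Compare the computed upper exception rate with the tolerable rate.
    The control can be relied upon only if CUER <= tolerable rate."""
    cuer = computed_upper_exception_rate(n, exceptions, risk_of_overreliance)
    return {
        "sample_exception_rate": exceptions / n,
        "cuer": cuer,
        "rely": cuer <= tolerable_rate,
    }


if __name__ == "__main__":
    # Assumed planning values: 5% tolerable rate, 0% expected, 5% risk of overreliance.
    n, k = plan_sample_size(0.05, 0.0, 0.05)
    print(f"sample size {n}, allowable exceptions {k}")
    print(evaluate(n, 0, 0.05, 0.05))   # no exceptions found: rely on the control
    print(evaluate(n, 2, 0.05, 0.05))   # two exceptions: CUER well above 5%, do not rely
```

Two points a practitioner should take from running it: the sample exception rate (2/59, about 3.4%) looks acceptable on its own, yet the computed upper exception rate at 5% risk is above 10%, so the control cannot be relied upon and control risk must be assessed higher; and reaching a computed upper rate of 5% with zero exceptions needs 59 items, not the "30 is enough" heuristic often assumed.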

    Computer Assisted Audit Techniques (CAATs)

    • CAATs are the practice of using computers to automate or simplify audit procedures.
    • Examples: ACL (Audit Command Language), IDEA (Interactive Data Extraction and Analysis), SAS, Excel, Access, Crystal Reports, and Business Objects.

    Related Documents

    Risk Analysis & Assessment PDF
    Audit Sampling 101 PDF

    Description

    This quiz covers the concepts of risk analysis, mitigation, and assessment in IT risk and audit. It focuses on the relationship between risks and controls and the need for auditors to understand common business and technology risks.
