A growing number of organizations are moving to a risk-based audit approach. This approach can influence an IS auditor’s decision to perform either compliance testing or substantive testing. Identifying risks and vulnerabilities allows the auditor to determine the controls needed to mitigate those risks.
Risk-based IT audit programs should:
- Identify the organization’s data, application and operating systems, technology, facilities, and personnel.
- Identify the business activities and processes within each of those categories.
- Include profiles of significant business units, departments, and product lines or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the organization.
- Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments and products.
Compliance testing gathers evidence on whether the controls required by management policies and procedures are actually in place and functioning as intended. Substantive testing gathers evidence to evaluate the integrity of selected data or individual transactions; substantive procedures are designed to detect material misstatements in the financial statements.
Because of time and cost constraints, it is usually impossible to verify every transaction or event in a population, so auditors test a sample of that population and infer the characteristics of the whole from the characteristics of the sample.
Internal controls are the policies, procedures, practices and organizational structures put in place to reduce risk. Their intent is to provide reasonable assurance that the organization’s business objectives will be achieved and that risk events will be prevented, detected, or corrected.
To implement a control, a control objective is defined for an identified risk, and specific control activities or procedures designed to achieve that objective are instituted. These activities, automated or manual, operate at all levels of the organization to reduce exposure to risks that could prevent it from achieving its business objectives.
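The sampling step above is usually done as attribute sampling during a compliance test: decide how many items to inspect for a tolerable deviation rate and confidence level, select them reproducibly, and then bound the population deviation rate from what the sample showed. The following Python is an added example, not code from the original page; the population of change-ticket IDs, the sampling parameters, the seed and the deviation counts are all constructed for illustration.

```python
"""
Attribute sampling for a compliance test of one control, e.g. "every change
ticket carries a documented approval". Added example, not from the page:
the population of ticket IDs, the sampling parameters and the deviation
counts below are constructed for illustration.
"""
import math
import random


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def planned_sample_size(tolerable_rate, confidence, expected_deviations=0):
    """Smallest sample size n such that, if the true deviation rate equalled the
    tolerable rate, seeing no more than expected_deviations would be as unlikely
    as (1 - confidence). With 5% tolerable, 95% confidence and 0 expected this
    gives 59, the familiar table value."""
    alpha = 1.0 - confidence
    n = expected_deviations + 1
    while binom_cdf(expected_deviations, n, tolerable_rate) > alpha:
        n += 1
    return n


def upper_deviation_bound(n, deviations, confidence, tol=1e-7):
    """One-sided Clopper-Pearson upper bound: the largest population deviation
    rate still consistent (at the given confidence) with observing `deviations`
    in a sample of n. Found by bisection on the binomial CDF."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid  # this rate would still plausibly produce the observation
        else:
            hi = mid  # this rate is rejected; the bound lies below it
    return hi


def select_sample(population, n, seed):
    """Random selection with a recorded seed so a reviewer can re-perform the
    selection; returns sorted item IDs for the workpaper."""
    rng = random.Random(seed)
    return sorted(rng.sample(list(population), n))


def evaluate_control(n, deviations, tolerable_rate, confidence):
    """Conclusion of the compliance test: the control may be relied upon only if
    the upper bound on the deviation rate does not exceed the tolerable rate."""
    bound = upper_deviation_bound(n, deviations, confidence)
    return {"upper_bound": bound, "rely": bound <= tolerable_rate}


# Constructed population: 1,200 change tickets from the period under audit.
POPULATION = [f"CHG-{i:04d}" for i in range(1, 1201)]

if __name__ == "__main__":
    n = planned_sample_size(tolerable_rate=0.05, confidence=0.95)
    picks = select_sample(POPULATION, n, seed=20240101)
    print(f"sample size {n}, first picks {picks[:3]}")
    # Two constructed outcomes of inspecting the selected tickets.
    print(evaluate_control(n, 0, 0.05, 0.95))   # no missing approvals: rely
    print(evaluate_control(n, 2, 0.05, 0.95))   # two missing: cannot rely
```

The point a practitioner should take from the numbers: a clean sample of 59 supports a deviation rate of roughly 5 percent at 95 percent confidence, but just two deviations in the same sample push the upper bound above 10 percent, so the control cannot be relied upon and substantive testing has to expand. Recording the seed is what makes the selection re-performable by a second auditor.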
When identifying risk, there are three elements to assess:
- Threats to, and vulnerabilities of, processes and assets (including both physical and information assets)
- Impact on assets based on threats and vulnerabilities
- Probabilities of threats (combination of the likelihood and frequency of occurrence)
Although auditors need to be aware of all potential risks, operational risk is the primary risk associated with information technology. Operational risk (also referred to as transaction risk) is the risk of loss resulting from inadequate or failed processes, people or systems.
Possible audit areas
Systematic segregation of duties — Segregation of duties is a classic control for managing conflicts of interest, the appearance of conflicts of interest, and fraud. It limits the power held by any one individual and puts a barrier in the way of fraud perpetrated by a single person. It does not stop fraud carried out through collusion, so it is normally paired with detective controls such as independent reconciliation and review.
Segregation of duties is one of the most effective internal controls. In practice it means that no one person is responsible for an entire transaction: authorization, recording, and custody of assets should be performed by different employees.
The audit function usually has more training and expertise to map business logic to information flow and suggest where separation of duties makes sense.
Systematic segregation of duties review audit — Evaluates the process and controls IT has in place to manage segregation of duties. Assesses where SoD conflicts actually exist, compares the result with the conflicts IT has already reported, and evaluates the controls in place to manage risk where conflicts remain.
- How does IT work with the business to identify cross-application segregation of duties issues?
- Do business personnel understand ERP roles well enough to perform meaningful user access reviews?
- While compensating controls identified for SoD conflicts may detect financial misstatement, would they truly detect fraud?
Role design audit — Evaluates the design of roles within ERPs and other applications to determine whether inherent SoD issues are embedded within the roles. Provides role design, role cleanup or role redesign advisory assistance and pre- and post-implementation audits to solve identified SoD issues.
- Does the organization design roles in a way that creates inherent SoD issues?
- Do business users understand the access being assigned to roles they are assigned ownership of?
Segregation of duties remediation audit — Follows up on previously identified external and internal audit findings around SoD conflicts.
- Does the organization take appropriate action when SoD conflicts are identified?
- Have we proactively addressed SoD issues to prevent year-end audit issues?
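The SoD review and role design audits above reduce to a mechanical check that is worth automating rather than eyeballing: a conflict matrix of permission pairs that must not meet in one person, evaluated first against each role on its own (inherent conflicts, which only a role redesign can fix) and then against each user’s combined roles (cross-role conflicts, which a user access review must catch). The Python below is an added example and is not code from the original page or from any ERP vendor; the permission names, roles, users and conflict rules are constructed for illustration.

```python
"""
Segregation-of-duties (SoD) conflict check over an application's role model.
Added example, not from the page or any ERP vendor: the permission names,
roles, users and conflict rules below are constructed for illustration.
"""

# Pairs of permissions that should not meet in one person, with the fraud or
# error scenario each pair enables (authorization vs recording vs custody).
CONFLICT_RULES = {
    ("vendor.create", "payment.approve"): "create a fictitious vendor and pay it",
    ("journal.post", "journal.approve"): "post and approve one's own journal entries",
    ("payment.approve", "bank.reconcile"): "approve a payment and hide it in reconciliation",
    ("user.create", "role.assign"): "provision one's own privileged access",
}

# Role -> permissions. IT_ADMIN_ALL carries a conflict inside the role itself,
# which is what a role design audit looks for.
ROLES = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"payment.approve"},
    "GL_ACCOUNTANT": {"journal.post"},
    "GL_CONTROLLER": {"journal.approve", "bank.reconcile"},
    "IT_ADMIN_ALL": {"user.create", "role.assign"},
}

# User -> assigned roles. alice and carol only conflict through the
# combination of individually clean roles, which a user access review must catch.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob": {"GL_ACCOUNTANT"},
    "carol": {"GL_CONTROLLER", "AP_MANAGER"},
    "dave": {"IT_ADMIN_ALL"},
}


def _matching_rules(perms, rules):
    """Conflict pairs fully contained in a permission set, in rule order."""
    return [pair for pair in rules if set(pair) <= perms]


def role_design_conflicts(roles, rules):
    """Role design audit: conflicts embedded within a single role. No user
    access review can clear these; the role itself has to be split."""
    findings = {}
    for role, perms in roles.items():
        hits = _matching_rules(perms, rules)
        if hits:
            findings[role] = hits
    return findings


def effective_permissions(user, user_roles, roles):
    """Union of permissions across every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= roles.get(role, set())
    return perms


def user_conflicts(user_roles, roles, rules):
    """SoD review audit: conflicts a user holds across all assigned roles,
    including those that arise only from combining individually clean roles."""
    findings = {}
    for user in user_roles:
        hits = _matching_rules(effective_permissions(user, user_roles, roles), rules)
        if hits:
            findings[user] = hits
    return findings


def conflict_sources(user, pair, user_roles, roles):
    """Remediation aid: which of the user's roles grants each side of the pair.
    Removing every listed role on either side clears the conflict."""
    return {perm: sorted(r for r in user_roles[user] if perm in roles[r]) for perm in pair}


if __name__ == "__main__":
    for role, hits in role_design_conflicts(ROLES, CONFLICT_RULES).items():
        print(f"role {role} is inherently conflicted: {[CONFLICT_RULES[h] for h in hits]}")
    for user, hits in user_conflicts(USER_ROLES, ROLES, CONFLICT_RULES).items():
        for pair in hits:
            print(f"{user}: {CONFLICT_RULES[pair]} via {conflict_sources(user, pair, USER_ROLES, ROLES)}")
```

Two things the output makes visible that a role-by-role review does not: carol’s conflict comes from two roles that are each acceptable on their own, and dave’s cannot be remediated by reassignment at all because the conflict sits inside IT_ADMIN_ALL. Where a conflict is accepted with a compensating control, the same matrix is the place to record which detective control covers which pair, which answers the question above about whether the compensating control would actually detect fraud rather than only a misstatement.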
Information security program assessment — Evaluates the organization’s information security program, including strategy, awareness and training, vulnerability assessments, predictive threat models, monitoring, detection and response, technologies and reporting.
Threat and vulnerability management program assessment — Evaluates the organization’s threat and vulnerability management (TVM) program including threat intelligence, vulnerability identification, remediation, detection, response, and countermeasure planning.
Vulnerability assessment — Performs regular attack and penetration (A&P) reviews. These should not be basic A&Ps that only scan for vulnerabilities; we suggest risk-based, objective-driven penetration assessments tailored to measure the company’s ability to withstand, detect and respond to the threats it is most concerned about.
Business continuity program integration and governance audit — Evaluates the organization’s overall business continuity plan, including program governance, policies, risk assessments, business impact analysis, vendor/third-party assessment, strategy/plan, testing, maintenance, change management and training/awareness.
Disaster recovery audit — Assesses IT’s ability to effectively recover systems and resume regular system performance in the event of a disruption or disaster.
Crisis management audit — Reviews the organization’s crisis management plans, including overall strategy/plan, asset protection, employee safety, communication methods, public relations, testing, maintenance, change management and training/awareness.
Mobile device configuration review — Identifies risks in mobile device settings and vulnerabilities in the current implementation. This audit would include an evaluation of trusted clients, supporting network architecture, policy implementation, management of lost or stolen devices, and vulnerability identification through network accessibility and policy configuration.
Cloud strategy and governance audit — Evaluates the organization’s strategy for utilizing cloud technologies. Determines whether the appropriate policies and controls have been developed to support the deployment of the strategy. Evaluates alignment of the strategy to overall company objectives and the level of preparedness to adopt within the organization.
IT risk management strategy assessment — Assesses the framework and process IT has embedded within the function to assess and manage risks. Evaluates the actions taken to mitigate risks and the level of accountability within the process.
Project management methodology audit — Assesses the design of processes and controls in place to manage projects against leading practices.
IT and software asset management process and control audit — Assesses the design and effectiveness of processes and controls IT has deployed related to software and IT asset management. Reviews the impact of these processes on related IT processes such as IT service management, IT contract management and information security.
IT contract management assessment — Evaluates the IT organization’s ability to manage contracts and how effectively IT and supply chain coordinate to manage costs and negotiate effective agreements.
Social media activities audit — Audits the social media activities of the organization and its employees against the policies and procedures in place. Identifies new risks and assists in developing policies and controls to address them.
Data governance and classification audit — Evaluates the processes management has put in place to classify data, and develop plans to protect the data based on the classification.
After identifying and quantifying risks, the decision must be made as to how to respond to them.
Below are the main response strategies for risks.
- Risk avoidance
- Risk acceptance
- Risk transference
- Risk mitigation
Audit planning should address the highest-risk areas within the organization, given the resources available to the internal audit department. Changes to the audit plan may require direct communication/approval from the organization’s Audit Committee.
- Control risk: The risk that a material error exists that the internal control system will not prevent or detect in a timely manner.
- Detection risk: The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.
- Inherent risk: The susceptibility of an audit area to an error that could be material, assuming there were no related internal controls.
- Overall audit risk: The combination of the individual types of audit risk for each control objective, commonly modeled as the product of inherent, control and detection risk, of which only detection risk is under the auditor’s direct control.
In a risk-based audit approach, IS auditors do not rely on the risk assessment alone; they also rely on the internal and operational controls and on their knowledge of the organization. This kind of assessment relates the cost-benefit of a control to the known risk, allowing practical choices and better cost-benefit recommendations to management.