Interested in making the step up in your career that the CISA could give you? Over the next month, we are exploring Hemang Doshi’s expert advice in order to drill into what makes a good IS Auditor, what skills you need to make a step up, and how you can get started on the journey. To find out more, check out the link below:
Risk-based audit planning prioritizes the high-risk areas of an organization so as to maximize the effectiveness of the audit. By focusing on areas with the greatest potential for financial loss, compliance issues, or operational inefficiencies, auditors can proactively identify vulnerabilities and support management in making informed decisions. This section covers the following aspects of risk-based audit planning:
What is risk?
Vulnerabilities and threats
Inherent risk and residual risk
The advantages of risk-based audit planning
Audit risk
The steps of the risk-based audit approach
The steps of risk assessment
The four methodologies for risk treatment
What Is Risk?
Most of the CISA questions are framed around risk. Therefore, CISA candidates should have a thorough understanding of the term risk, which has multiple definitions/formulas. If you look carefully, every definition speaks either directly or indirectly about two terms: probability and impact.
Some of the more commonly used definitions of risk are presented here:
COSO ERM defines risk as “potential events that may impact the entity”
The Oxford English Dictionary defines risk as “the probability of something happening multiplied by the resulting cost or benefit if it does”
BusinessDictionary.com defines risk as “the probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preventive action”
ISO 31000 defines risk as “the effect of uncertainty on objectives”
In simple words, “risk” is the product of probability and impact.
Probability and impact are equally important when identifying risk. For example, if the probability or likelihood of a product being damaged is very high, with a value of 1, but that product barely costs anything, the impact is 0 even if the product is damaged.
So, the risk in this scenario would be calculated as follows:
Risk = P * I
Risk = 1 * 0 = 0
Understanding Vulnerability and Threats
Another way of understanding risk is by understanding the notion of vulnerability and threats. In simple terms, a vulnerability is a weakness and a threat is something that could exploit said weakness. Again, both elements (V and T) should be present in order to constitute a risk.
There is no threat to a system that has no value, even if it is highly vulnerable. As such, the risk to that system would be nil despite the high vulnerability. The following table presents the differences between a threat and vulnerability:
There are various definitions and formulas for risk. However, for the CISA exam, you only need to remember the following two formulas:
Risk = Probability * Impact
Risk = A * V * T
In the second formula, A, V, and T denote the value of assets, the vulnerability of assets, and the threats to assets, respectively.
Understanding Inherent Risk and Residual Risk
Inherent risk and residual risk are two important types of risk. A CISA candidate should understand the difference between them, as described here:
The following is the formula for residual risk:
Residual Risk = Inherent Risk - Control
Advantages of Risk-Based Audit Planning
Risk-based audit planning is essential to determine an audit’s scope (the areas/processes/assets to be audited) effectively. It helps to deploy audit resources to areas within an organization that are subject to the greatest risk.
The following are the advantages of risk-based audit planning:
Effective risk-based audit planning reduces audit risk, that is, the risk that material errors go undetected during an audit.
Risk-based auditing is a proactive approach that helps to identify issues at an early stage.
One of the major factors in risk assessment is compliance with contractual and legal requirements. Risk-based audit planning helps an organization identify any major deviation from contractual and legal requirements. This improves compliance awareness throughout the organization.
Risk-based auditing promotes preventive controls over reactive measures. As risks are known in advance, it becomes easy to apply preventive controls.
Risk-based auditing helps align internal audit activities with the risk management practices of the organization.
Audit Risk
An auditor may not be able to detect material errors during the course of an audit. This is known as audit risk. Audit risk is influenced by inherent risk, control risk, and detection risk. The following list describes each of these risks:
Inherent risk: This refers to the risk that exists before any control is applied.
Control risk: This refers to the risk that internal controls fail to prevent or detect a material error.
Detection risk: This refers to the risk that the auditor’s own procedures fail to detect a material error; it is influenced by the actions of the auditor.
The following is the formula for calculating audit risk:
Audit Risk = Inherent Risk * Control Risk * Detection Risk
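The following Python script is an added example (not code from the book or its author) that turns the formulas above into a small audit-planning exercise: it scores constructed audit areas with Risk = A * V * T, applies Residual Risk = Inherent Risk - Control, ranks the areas by residual risk, and then rearranges Audit Risk = Inherent Risk * Control Risk * Detection Risk to find the largest detection risk the auditor can tolerate in each area for a chosen acceptable audit risk. It assumes that V * T can be read as the probability of a loss event and A as its impact, that the control term is expressed in the same units as A * V * T, and that the 5% acceptable audit risk, the area names and all scores are made-up sample data.

```python
"""Risk scoring for risk-based audit planning.

Added example built on the formulas in the text (Risk = A * V * T,
Residual Risk = Inherent Risk - Control, Audit Risk = IR * CR * DR).
Area names, scores and the acceptable audit risk are constructed sample
data, not figures from the book.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditArea:
    name: str
    asset_value: float        # A: impact if the asset is compromised (currency units)
    vulnerability: float      # V: degree of weakness, scored 0.0 (none) to 1.0 (severe)
    threat: float             # T: likelihood a threat exploits the weakness, 0.0 to 1.0
    control_reduction: float  # exposure removed by existing controls, same units as A*V*T
    control_risk: float       # CR: probability the controls fail to prevent/detect an error


def inherent_risk(area: AuditArea) -> float:
    """Risk = A * V * T; V * T acts as the probability and A as the impact (assumption)."""
    return area.asset_value * area.vulnerability * area.threat


def residual_risk(area: AuditArea) -> float:
    """Residual Risk = Inherent Risk - Control, floored at zero (controls cannot make exposure negative)."""
    return max(0.0, inherent_risk(area) - area.control_reduction)


def audit_risk(area: AuditArea, detection_risk: float) -> float:
    """Audit Risk = IR * CR * DR, with IR taken as the probability V * T (modelling assumption)."""
    return area.vulnerability * area.threat * area.control_risk * detection_risk


def required_detection_risk(area: AuditArea, acceptable_audit_risk: float) -> float:
    """Rearranged audit-risk model: the largest DR that still keeps audit risk at the acceptable level.

    A lower result means the auditor must do more substantive testing in this area.
    """
    if inherent_risk(area) == 0:
        return 1.0  # no exposure (e.g. an asset of no value): nothing material to detect
    ir_cr = area.vulnerability * area.threat * area.control_risk
    if ir_cr == 0:
        return 1.0  # controls are assumed never to fail, so audit risk is already zero
    return min(1.0, acceptable_audit_risk / ir_cr)


def plan_audit(areas, acceptable_audit_risk=0.05):
    """Rank areas by residual risk (highest first) and state the detection risk each must achieve."""
    plan = []
    for area in sorted(areas, key=residual_risk, reverse=True):
        plan.append({
            "area": area.name,
            "inherent": round(inherent_risk(area), 2),
            "residual": round(residual_risk(area), 2),
            "max_detection_risk": round(required_detection_risk(area, acceptable_audit_risk), 3),
        })
    return plan


# Constructed sample data: three candidate audit areas. The last one mirrors the
# text's point that a system of no value carries no risk however vulnerable it is.
SAMPLE_AREAS = [
    AuditArea("Payroll system", asset_value=500_000, vulnerability=0.6, threat=0.5,
              control_reduction=100_000, control_risk=0.4),
    AuditArea("Public website", asset_value=50_000, vulnerability=0.9, threat=0.9,
              control_reduction=30_000, control_risk=0.5),
    AuditArea("Legacy test lab", asset_value=0, vulnerability=1.0, threat=1.0,
              control_reduction=0, control_risk=1.0),
]

if __name__ == "__main__":
    for row in plan_audit(SAMPLE_AREAS):
        print(row)
```

Run as-is, the payroll system ranks first on residual exposure, and because its controls are comparatively reliable (CR = 0.4) the auditor can accept a detection risk of about 0.42 there, whereas the public website's weaker controls push the tolerable detection risk down to about 0.12, which is the signal to plan more sampling and substantive work in that area. The zero-value test lab drops to the bottom with no testing required, matching the text's observation that value, vulnerability and threat must all be present for a risk to exist.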
An IS auditor should have a sound awareness of audit risk when planning auditing activities. Some ways to minimize audit risk are listed here:
Conduct risk-based audit planning
Review the internal control system
Select appropriate statistical sampling
Assess the materiality of processes/systems in the audit scope
It is the experience and expertise of the auditor that minimizes audit risk. However, it must be noted that the auditor is a watchdog and not a bloodhound. The auditor examines the internal controls based on standard procedures and guidelines. They rely on the information provided by the organization rather than conducting an exhaustive search for issues.
Risk-Based Auditing Approach
In a risk-based auditing approach, it is important to have an understanding of the steps to be performed by the IS auditor. The following structured approach will help to minimize the audit risk and provide assurance about the state of affairs of the auditee organization:
Acquire pre-audit information
Information about industry and regulatory requirements
Information about the applicable risk to the concerned business
Previous audit results
Obtain information about internal controls
Information about the control environment and procedures
Have an understanding of control risks
Have an understanding of detection risks
Conduct a compliance test
Identify the controls to be tested
Determine the effectiveness of the controls
Conduct a substantive test
Identify the process for the substantive test as per the scope of the audit
Ensure that the substantive test includes analytical procedures, detailed tests of account balances, and other procedures
Check out the full book over on the Packt website!