IDENTIFYING APPLICATION RISKS

IT auditors will find that an entire set of application-specific workpapers has been developed to comprehensively identify the risks that might be associated with that application. The risks are grouped by business cycle, allowing the IT auditor to identify relevant risks within the context of the business cycle being reviewed.

The IT auditor should use the comment column to provide additional information related to the risk as needed. This workpaper can be modified or supplemented with additional risks as needed.

OVERCOMING OBSTACLES TO SUCCESS

IT auditors will normally face only one obstacle as they attempt to meet their objectives in this area: getting complete and accurate information about all of the potential risks in an application setting. IT auditors can overcome this obstacle by including at least one highly experienced auditor as a team member or reviewer, referring to general reference sources such as the included workpapers, and conducting effective interviews with client personnel.

ASSIGNING MATERIALITY

Identifying the relevant risks completes only the first step. The IT auditor will then need to determine the materiality, or relative significance, of each risk in relation to an established standard. For the purposes of this book, the following standard is used.

1.  The realization or occurrence of this risk poses only minor consequences to the business.
2.  The realization of this risk might be major or minor, depending on the specific event and the functioning or failure of other controls.
3.  The realization of this risk is likely to have a major effect on either the affected application or the business as a whole.

IT auditors will end up multiplying the original number value assigned to each risk by this materiality to provide the foundation for subsequent planning activities. These planning activities will result in the IT auditor’s identification of the application or applications to be covered during the audit.

IT auditors have an assortment of alternative methods available to them for quantifying the potential risk in a particular application. Several of these alternatives are described in the following pages.

The time required to conduct this task varies with the approach taken. If the historical method is used to gather statistical information, the time can be quite extensive. If a structured approach is used to estimate the risk, the time required for this task is minimal—in most cases, less than that required to identify the risk. The historical and structured methods are compared in the following example.

Describing the Unfavorable Event. The IT auditor needs to describe application risks in sufficient detail to make the frequency and loss conditions apparent. For example, in a risk situation in which merchandise is shipped but not billed, the unfavorable event would be that the value of the products shipped to a customer but not billed represents a loss to the organization each time such a shipment occurs.

This particular loss of value has two components. First is the actual cost of the goods shipped, which is a sunk cost to the enterprise. Second is the gross margin associated with the particular sale, which should have provided the return on the cost of these goods. This becomes further complicated because even a simple delay in billing a shipment has a time value of money impact on the return realized from the shipment.

Calculating the Frequency and Loss for the Unfavorable Event. The historical method requires that the IT auditor analyze the risk situation and gather background information. The IT auditor can use financial analysis methods to identify inventory shortages. One assumption could be that all or part of this shortage is associated with unbilled shipments. The IT auditor might also look for missing shipping numbers or use other methods to attempt to estimate the frequency of the occurrence of this risk and the losses associated with it. This method provides data that is most easily accepted by most clients.

The IT auditor employing the structured method uses the calculation of frequency and loss as an audit assessment tool whose objective is to provide estimates rather than precise numbers. If estimates are acceptable, then the IT auditor can select frequency and loss estimates from a list of frequency and loss categories rather than making the effort to calculate precise frequency and loss valuation.

For example, frequency and loss can be estimated in multiples of five—loss would be estimated at $1, $5, $25, $125, and frequency would be estimated at once every five years, once every year, five times per year, 25 times per year. IT auditors should remember that this process is performed for the purpose of planning the audit, not to develop extremely precise numbers. It is therefore immaterial whether a risk produces an annual loss expectation of $1 million or $100 million, as long as it becomes one of the major risks for audit investigation.

While IT auditors may often express frequency as a number of times per year and losses in dollars and cents, they can also use high, medium, and low categories to quantify annual loss expectations (ALEs). The IT auditor should establish specific parameters based on the organization.

For example, the low category might include the range of numeric values from 1 to 10, while the medium category ranges from 11 to 40, and the high category ranges from 41 to 50. If IT auditors choose to use categories, they should apply them consistently in every situation.

COMPUTING A RISK SCORE

IT auditors should normally use the ALE quantification method as the direct basis for calculating the risk score. If they choose to make judgmental adjustments to the results, they can easily compromise not only the reliability of the results but also their own credibility. Client personnel can often be convinced of many ideas if they can accept the basis for those ideas; but if they begin to believe that the methods only provide cover for the IT auditor actually making personal or even biased selections or evaluations, then the credibility of the entire IT audit function can be called into question.
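The structured estimate described above (loss and frequency picked from the multiples-of-five ladders), the 1/2/3 materiality weight, the low/medium/high banding, and the resulting risk score can be worked through in a few lines. This is an added example, not code from the book; it assumes that the risk score is the ALE multiplied by the materiality weight, as the text implies, and the sample risks are constructed.

```python
from fractions import Fraction

# Added example, not from the book. Category ladders from the chapter:
# loss per occurrence in dollars, frequency in occurrences per year
# (once every five years, once a year, five times a year, 25 times a year).
LOSS_CATEGORIES = [1, 5, 25, 125]
FREQ_CATEGORIES = [Fraction(1, 5), Fraction(1), Fraction(5), Fraction(25)]
MATERIALITY = {1: "minor", 2: "major or minor", 3: "major"}


def ale(loss_idx: int, freq_idx: int) -> Fraction:
    """Annual loss expectation from category indices (structured method)."""
    return LOSS_CATEGORIES[loss_idx] * FREQ_CATEGORIES[freq_idx]


def risk_score(loss_idx: int, freq_idx: int, materiality: int) -> Fraction:
    """Risk score = ALE x materiality weight (assumed reading of the chapter)."""
    if materiality not in MATERIALITY:
        raise ValueError("materiality must be 1, 2 or 3")
    return ale(loss_idx, freq_idx) * materiality


def band(value: int, low_max: int = 10, medium_max: int = 40, top: int = 50) -> str:
    """Map a 1..top value onto the chapter's low/medium/high ranges.
    Defaults are the example ranges 1-10, 11-40, 41-50; an organization
    sets its own parameters and then uses them consistently."""
    if not 1 <= value <= top:
        raise ValueError(f"value must be between 1 and {top}")
    if value <= low_max:
        return "low"
    return "medium" if value <= medium_max else "high"


def rank_risks(risks):
    """risks: (name, loss_idx, freq_idx, materiality). Highest score first."""
    scored = [(name, risk_score(l, f, m)) for name, l, f, m in risks]
    return sorted(scored, key=lambda r: r[1], reverse=True)


# Constructed sample risks for a revenue cycle (indices into the ladders).
SAMPLE_RISKS = [
    ("shipped but not billed", 3, 2, 3),        # $125 x 5/yr x 3 = 1875
    ("duplicate invoice issued", 1, 3, 1),      # $5 x 25/yr x 1 = 125
    ("price table changed without log", 2, 0, 2),  # $25 x 0.2/yr x 2 = 10
]

if __name__ == "__main__":
    for name, score in rank_risks(SAMPLE_RISKS):
        print(f"{name:35s} {float(score):10.2f}")
```

The absolute dollar figures do not matter for planning; what matters is the ordering, which is why the ladders can be coarse.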
