

Information Sources

The IT auditor should consider reviewing at least the following items to identify potential reviews. The IT auditor should first request these items. If they are not available, then IT personnel should be asked to develop them. The IT auditor should only personally develop any such item as a last resort, and should also consider drafting a recommendation that the IT function maintain this information.

  Annual IT plan
  An automated application inventory
  A systems software inventory
  A summarized or high-level hardware inventory

The IT auditor should also consider reviews related to applications and environments for which the IT function has only limited responsibility. Furthermore, the IT auditor should always be alert for systems and applications for which the IT function is not responsible, or of which it may not even be aware.

STEP 2: EVALUATE AND PRIORITIZE POSSIBLE REVIEWS

The IT auditor’s foundation for this step is performing an accurate risk assessment of the potential reviews. The risk assessment is normally a highly customized activity, as the accuracy of the results is directly correlated with how well the risk assessment model reflects the issues and conditions that will determine the company’s future success. The risk assessment process usually produces a numerical score or other value that can be used to compare items that are otherwise unrelated or are difficult to compare.

The final risk value or score enables the IT auditor to rank the potential reviews by the degree of risk to the company. The IT auditor should find that many elements of the risk assessment are objective, and produce the most easily defended results. Unfortunately for the auditor, there will almost always be significant subjective, or judgmental, elements included in the risk assessment. There will also be situations where the judgmental elements clearly outweigh the objective elements.

The risk assessment model presented on the following pages includes both objective and subjective elements. The IT auditor should also consider the idea that even identifying objective and subjective elements can create conflict, as the classification of an element is often a matter of opinion. The IT audit director will normally establish the basic definitions for objective and subjective while developing the departmental strategic planning framework. The included risk assessment model will not go beyond defining possible elements and providing examples for using them.

The IT audit manager needs to work closely with all of the appropriate constituencies in the company. Reflecting their concerns and opinions in the risk assessment model is likely to increase their acceptance of the tactical audit plan. Their acceptance, in turn, is likely to be a significant contributing factor in determining whether the IT audit effort is successful.

The IT audit manager may enter the risk assessment step with an extremely long list of potential automated application reviews and general controls reviews. It may be reasonable in that situation for the IT audit manager to perform an initial risk assessment to quickly separate the potential review list into two or three sections. A two-section split could be as basic as include versus exclude, and a three-section list divided as being high, medium, and low risk. The text does not describe procedures for an initial risk assessment, as it represents a subset of a complete risk assessment.

An IT audit manager in a small company, with little time or limited resources, may choose to use a limited risk assessment for the company and go no farther. That inherently subjective division will ultimately be supported or overturned by the IT audit director, and then by senior management.

IT auditors may choose to reduce or extend the number of elements and the analysis done for each one. In any event, the final risk assessment model should match up well to the company.

The Task Process

The risk assessment model described in the text is developed and used in three phases. Phase 1 includes risk factor identification and weighting. Phase 2 includes assigning the risk value to each risk factor, whether it is determined subjectively or objectively. Phase 3 combines the weighted values into a total risk score, and is the phase where the accumulated scores are used to rank the potential reviews.
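As an added illustration of the three phases, and of the initial high/medium/low split mentioned earlier for a long candidate list, here is a small weighted 100-point scoring model. It is not code from the book or its Exhibit 5-1; the factor names, weights, ratings and sample reviews are assumed values chosen for the example.

```python
# Added example; factor names, weights and ratings are constructed, not from Exhibit 5-1.
from dataclasses import dataclass
# Phase 1: identify risk factors and weight them. Weights sum to 100 so a
# review rated at the maximum on every factor scores exactly 100 points.
RISK_FACTORS = {
    "regulatory_exposure": 30,   # SEC, IRS, other federal/state agencies
    "financial_impact": 25,      # objective: dollars processed or at risk
    "business_criticality": 20,  # subjective: management opinion
    "control_environment": 15,   # known weaknesses from prior reviews
    "change_activity": 10,       # recent or planned system changes
}
RATING_MAX = 5  # Phase 2 ratings run from 1 (lowest risk) to 5 (highest)

@dataclass
class Review:
    name: str
    ratings: dict  # factor name -> rating in 1..RATING_MAX

def risk_score(review, weights=RISK_FACTORS):
    """Phase 3: combine weighted ratings into a 0..100 point score."""
    if sum(weights.values()) != 100:  # the model must spend exactly 100 points
        raise ValueError("factor weights must total 100")
    score = 0.0
    for factor, weight in weights.items():
        rating = review.ratings.get(factor)
        if rating is None or not 1 <= rating <= RATING_MAX:
            raise ValueError(f"{review.name}: bad rating for {factor!r}")
        score += weight * rating / RATING_MAX
    return round(score, 1)

def rank_reviews(reviews, weights=RISK_FACTORS):
    """Highest-risk review first; this ordering drives the tactical plan."""
    return sorted(reviews, key=lambda r: risk_score(r, weights), reverse=True)

def triage(reviews, high=70, low=40):
    """Initial coarse split of a long candidate list into three tiers."""
    tiers = {"high": [], "medium": [], "low": []}
    for r in reviews:
        s = risk_score(r)
        tiers["high" if s >= high else "medium" if s >= low else "low"].append(r.name)
    return tiers

SAMPLE_REVIEWS = [  # constructed sample candidates, for illustration only
    Review("Payroll application", {"regulatory_exposure": 5, "financial_impact": 5,
           "business_criticality": 4, "control_environment": 3, "change_activity": 2}),
    Review("Intranet wiki", {"regulatory_exposure": 1, "financial_impact": 1,
           "business_criticality": 2, "control_environment": 2, "change_activity": 3}),
    Review("Inventory system", {"regulatory_exposure": 2, "financial_impact": 3,
           "business_criticality": 4, "control_environment": 4, "change_activity": 5}),
]
```

The tier thresholds (70 and 40 points) are themselves a judgment call, which is the point the text makes about subjective elements: change them and the same scores produce a different initial split.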

The IT auditor should always consider the following issues and items prior to beginning a risk assessment. If the IT auditor finds that too many of these represent problems or exceptions, then others should be selected.

  A complete systems and applications inventory is available or can be developed to establish the audit universe.
  A readily available inventory may have one or more of the following problems: it may not reflect recent production environment changes, it may exclude automated applications that are still in development and testing, or it may omit strategic and tactical changes planned for the hardware and equipment environment.
  Other unauthorized changes, whether accidental or intentional, may cause customer-provided information to be anything from slightly incomplete to completely invalid.
  The internal audit department, senior management, and audit customers may be better serviced if an IT auditor is involved who has the appropriate technical background.
  The IT auditor who fails to include the appropriate number of company managers, technical employees, end users, and other auditees is likely to develop a model that is at best rejected, or at worst fatally flawed.
  Judgment, whether the IT auditor’s or from another constituency, is an inherent and necessary part of any risk assessment. Even choosing only monetary risk factors in an attempt to avoid subjectivity is founded on the opinion that monetary factors are objective.

The above list is not meant to be all-inclusive, and should always be tailored to the facts and circumstances of the company or situation.

If the IT auditor is not familiar with the risk assessment process, he or she should take extra time to become familiar with the process. One should also consider asking IT auditors from other companies, or other knowledgeable third parties, to periodically review progress and plans, and provide other needed support.

Review the internal audit risk assessment model. Normal IT audit planning should complement the internal audit departmental process, with which the IT audit manager should be familiar. The three-phase risk assessment described earlier will be apparent in almost every model, either as the actual structure or as a central theme of the internal audit risk assessment model.

The risk assessment model in Exhibit 5-1 begins with some of the nontechnical areas the IT audit manager should review to identify relevant risk factors.

  Regulatory issues: SEC, IRS, and other federal and state agencies
  Company policies and procedures: policies and procedures may be established within a company, and even within a company at the subsidiary, division, department, or other level
  Business environment: current opportunities or limitations of the economy and overall competitive pressures
  Market position: are there unusual or even unique circumstances to consider, or is the company positioned to compete in a low-cost commodity-type market?
  Geopolitical issues: are there current or potential events that could significantly impact the company such as hyperinflation, civil unrest, or regional instability?
  Internal resource limitations: these could result from temporary or long-term considerations, and could have a profound impact on the company’s agility and responsiveness


Exhibit 5-1.  Risk Assessment Model (100-Point System)

