

The IT auditor has been shown how to use a risk assessment model in both an absolute and a relative sense. Each automated application system in the example was scored independently for each objective or subjective criterion—an absolute evaluation. Once the scores are compared, the evaluation is on a relative basis.


Exhibit 5-3.  Risk Assessment Model (10-Point System)

The IT auditor may consider short-cutting the process and moving directly into a relative risk assessment model, where each automated application system is ranked against the others (Exhibit 5-4). The IT auditor should be careful in taking this path because it hides the absolute analysis that is still being done. Consider even a question that seems completely relative, such as “so is today hotter than yesterday?” One could not answer without knowing that “hot” refers to temperature, which is measured on one of several scales.

If one did not know what temperature was for each day, then one might decide which day felt hotter. Returning to the audit risk assessment, the auditor should try to document the absolute items whenever possible, as it builds a stronger and more defendable foundation in case the risk assessment results are challenged. This does not preclude the auditor from including judgment in the risk assessment model, but only strives to separate both the objective/subjective and the mechanical/judgmental elements.

Preventing and solving problems. There are problems that might inhibit the IT auditor’s ability to use risk assessment techniques. These problems include:

  Significant data collection resources
  Inadequate IT planning
  Lack of credibility in the risk assessment model
  Insufficient time to analyze the collected data
  Inadequate skills in IT to perform the initial risk scoring

Potential solutions include:

  Simplify the questionnaire and procedures
  Encourage IT personnel to plan by helping them to develop a basic plan
  Understand the reasons for credibility problems and react to those reasons
  Simplify the analysis
  Borrow internal expertise or employ consulting support to complete the scoring

The IT auditor should be willing to risk over-simplification, as it is much easier to expand and improve the next effort than it is to fail to complete the first one.

STEP 3: SETTING PRELIMINARY SCOPES

The IT auditor should now be able to set a preliminary scope for the application reviews identified for inclusion in the current plan. The auditor should include all of the information gathered or developed thus far to support the current analysis.

Task 1: Set Review Scope

The IT auditor must set a specific audit scope for each planned review. The decisions to make are which elements of each selected application will be reviewed and what work will be done for each selected element. The IT auditor should perform a general review of the application as part of every selected review.

Task 2: Estimate Audit Resources

The IT auditor estimates the audit time and expenses required to perform the audit. The time estimate includes the following considerations:

  Risk level, as higher risks are likely to require either higher skills or more time
  Budget and actual results from previous audits

The expense estimate is normally driven by any travel cost incurred to audit a non-local site. Other typical expenses include computer hours, support groups, and unusual administrative support.

Task 3: Identify Special Audit Needs

The IT auditor must define special audit needs, including unique audit skills (e.g., knowledge of a particular DBMS), special knowledge of certain business activities, and operational knowledge of special tools (e.g., audit software).

STEP 4: SELECT AND SCHEDULE IT AUDITS

The IT auditor selects the computer applications that are to be audited during the coming year and then schedules the time when these audits will be performed.

The auditor must select the audits that should be performed during the coming year. General guidelines should be developed to enable the auditor to set priorities for the audits to be performed. An example of these guidelines follows:

  First priority: high-risk applications
  Second priority: medium-risk applications
  Third priority: low-risk applications, beginning with those controlling a high dollar volume of resources

Auditors should schedule the audits for a year in groups by quarter. The scheduling considerations for determining which quarter to perform audits include:

  Annual audits: scheduling at least three quarters from the last audit
  Related applications: auditing in the sequence in which data logically flows through the application (e.g., a cash receipt system is audited before the accounts receivable system to which that cash is applied)
  Applications in out-of-town locations: auditing concurrently to reduce travel expenses
  Audits of applications with widely fluctuating volumes: scheduling during either high- or low-volume periods, depending on audit objectives and special audit needs (e.g., the availability of project staff to work with auditors)

Additional considerations include the availability of special audit staff to assist in the conduct of the audit and the ability to coordinate with independent public accountants and other auditee area personnel.
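The absolute scoring, relative ranking, priority guideline and quarterly scheduling rules described above, worked through as an added example (this is not the book's Exhibit 5-3 model or code from the text). The criterion names, the tier thresholds (24 and 16 points), the sample applications and the "at least three quarters since the last audit" and "upstream application first" encoding are all assumptions made here for illustration.

```python
from dataclasses import dataclass

@dataclass
class App:
    name: str
    scores: dict          # criterion -> absolute score, 0..10 (10-point system)
    dollar_volume: float  # annual resources controlled by the application
    last_audit: int       # absolute quarter index of the last audit
    upstream: str = ""    # application whose data flows into this one, if any

def absolute_score(app: App) -> int:
    """Absolute evaluation: each criterion is scored on its own 10-point scale."""
    if any(not 0 <= v <= 10 for v in app.scores.values()):
        raise ValueError(f"{app.name}: scores must be on the 10-point scale")
    return sum(app.scores.values())

def rank(apps: list) -> list:
    """Relative evaluation: compare the absolute totals, highest risk first."""
    return sorted(apps, key=absolute_score, reverse=True)

def risk_level(app: App, high: int = 24, medium: int = 16) -> str:
    s = absolute_score(app)  # tier thresholds are assumptions, not the book's
    return "high" if s >= high else "medium" if s >= medium else "low"

def prioritize(apps: list) -> list:
    """High, then medium, then low risk; low-risk apps ordered by dollar volume."""
    tier = {l: [a for a in rank(apps) if risk_level(a) == l] for l in ("high", "medium")}
    low = sorted([a for a in apps if risk_level(a) == "low"], key=lambda a: -a.dollar_volume)
    return tier["high"] + tier["medium"] + low

def schedule(apps: list, year_start: int, min_gap: int = 3) -> dict:
    """Plan-year quarter (0-3) per app: >= min_gap after its last audit, never before its upstream."""
    plan, by_name = {}, {a.name: a for a in apps}
    def place(a: App, seen=()) -> int:
        if a.name not in plan:
            q = max(0, a.last_audit + min_gap - year_start)
            up = by_name.get(a.upstream)
            if up and up.name not in seen:          # 'seen' guards against a cyclic upstream chain
                q = max(q, place(up, seen + (a.name,)))
            plan[a.name] = min(q, 3)                # cannot slip past Q4 of the plan year
        return plan[a.name]
    for a in prioritize(apps):
        place(a)
    return plan

# Constructed sample (absolute quarters: 0-3 = last year, plan year starts at 4).
SAMPLE = [
    App("cash_receipts", {"complexity": 7, "exposure": 9, "change": 8}, 5e6, last_audit=2),
    App("accounts_receivable", {"complexity": 6, "exposure": 6, "change": 5}, 8e6, 0, "cash_receipts"),
    App("fixed_assets", {"complexity": 3, "exposure": 4, "change": 2}, 9e6, 0),
    App("payroll", {"complexity": 8, "exposure": 9, "change": 9}, 2e6, 1),
]
```

In the sample, accounts receivable would be eligible for Q1 on its own, but the data-flow rule pushes it to the quarter in which cash receipts is audited.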

STEP 5: MERGE AUDIT PLANS

This task merges the IT audit plan with other audit plans to create an overall internal audit department plan.

During this task, the IT auditor must integrate multiple audit plans from various parts of the audit department into a single audit plan. The process usually depends on the available audit resources. Thus, the overall audit plan must meet the following organizational constraints:

  Number of available staff auditor days
  Number of specialized audit skills (e.g., IT audit specialist)
  Available travel funds
  Available funds for computer resources
  Available funds for specialized tools and assistance

Administrative activities (e.g., training and staff meetings) should be incorporated through other parts of the annual audit planning process.

This task produces an annual audit department plan that closely parallels the IT plan. If specific items are included in the organization’s annual audit planning documents that are not included in the audit planning process presented in this section, the auditor should modify these workpapers to include the other needed information.

