Information Sources
The IT auditor should consider reviewing at least the following items to identify potential reviews. The IT auditor should first request these items. If they are not available, then IT personnel should be asked to develop them. The IT auditor should only personally develop any such item as a last resort, and should also consider drafting a recommendation that the IT function maintain this information.
The IT auditor should also consider reviews of applications and environments for which the IT function has only limited responsibility. Furthermore, the IT auditor should always be alert for systems and applications for which the IT function is not responsible, or of which it may not even be aware.
The IT auditor's foundation for this step is performing an accurate risk assessment of the potential reviews. The risk assessment is normally a highly customized activity, as the accuracy of the results is directly correlated with how well the risk assessment model reflects the issues and conditions that will determine the company's future success. The risk assessment process usually produces a numerical score or other value that can be used to compare items that are otherwise unrelated or difficult to compare.
The final risk value or score enables the IT auditor to rank the potential reviews by the degree of risk to the company. The IT auditor should find that many elements of the risk assessment are objective, and produce the most easily defended results. Unfortunately for the auditor, there will almost always be significant subjective, or judgmental, elements included in the risk assessment. There will also be situations where the judgmental elements clearly outweigh the objective elements.
The risk assessment model presented on the following pages includes both objective and subjective elements. The IT auditor should also consider the idea that even identifying objective and subjective elements can create conflict, as the classification of an element is often a matter of opinion. The IT audit director will normally establish the basic definitions for objective and subjective while developing the departmental strategic planning framework. The included risk assessment model will not go beyond defining possible elements and providing examples for using them.
The IT audit manager needs to work closely with all of the appropriate constituencies in the company. Reflecting their concerns and opinions in the risk assessment model is likely to increase their acceptance of the tactical audit plan. Their acceptance, in turn, is likely to be a significant contributing factor in determining whether the IT audit effort is successful.
The IT audit manager may enter the risk assessment step with an extremely long list of potential automated application reviews and general controls reviews. In that situation it may be reasonable for the IT audit manager to perform an initial risk assessment to quickly separate the potential review list into two or three sections. A two-section split could be as basic as include versus exclude, and a three-section split could divide the list into high, medium, and low risk. The text does not describe procedures for an initial risk assessment, as it represents a subset of a complete risk assessment.
An IT audit manager in a small company, having little time, or supported with limited resources, may choose to use a limited risk assessment for the company and go no farther. That inherently subjective division will ultimately be supported or overturned by the IT audit director, and then by senior management.
IT auditors may choose to reduce or extend the number of elements and the analysis done for each one. In any event, the final risk assessment model should match up well to the company.
The Task Process
The risk assessment model described in the text is developed and used in three phases. Phase 1 includes risk factor identification and weighting. Phase 2 assigns a risk value to each risk factor, whether it is determined subjectively or objectively. Phase 3 combines the weighted risk values into a total risk score, and is the phase where the accumulated scores are used to rank the potential reviews.
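The three phases above, carried through as an added example rather than the book's own Exhibit 5-1 model: the factor names, the objective/subjective labels, the weights, the 1..5 rating scale, the tier thresholds and the sample candidate reviews are all constructed for illustration, so the exact scores it produces are specific to those assumptions.

```python
# Phase 1: risk factors and weights. Weights sum to 100 so scores land on a
# 100-point scale. Factor names and objective/subjective labels are assumed.
WEIGHTS = {
    "financial_exposure": 30,   # objective: transaction value processed
    "regulatory_impact": 20,    # objective: regulation in scope
    "control_history": 15,      # objective: prior audit findings
    "system_complexity": 15,    # subjective: auditor judgement
    "management_concern": 20,   # subjective: stakeholder input
}
SCALE_MAX = 5  # Phase 2 rates each factor 1 (low) .. 5 (high)

def validate_weights(weights=WEIGHTS):
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights sum to {total}, expected 100")

def risk_score(ratings, weights=WEIGHTS):
    """Phase 3: combine weighted ratings into a 0..100 risk score."""
    validate_weights(weights)
    missing = set(weights) - set(ratings)
    if missing:  # an unrated factor would silently lower the score
        raise ValueError(f"missing ratings for {sorted(missing)}")
    score = 0.0
    for factor, weight in weights.items():
        rating = ratings[factor]
        if not 1 <= rating <= SCALE_MAX:
            raise ValueError(f"{factor}: rating {rating} not in 1..{SCALE_MAX}")
        score += weight * rating / SCALE_MAX
    return round(score, 1)

def tier(score, high=70, medium=40):
    """Initial high/medium/low split used to thin a long candidate list."""
    return "high" if score >= high else "medium" if score >= medium else "low"

def rank_reviews(candidates):
    """Return (name, score, tier) triples, highest risk first."""
    rows = []
    for name, ratings in candidates.items():
        score = risk_score(ratings)
        rows.append((name, score, tier(score)))
    return sorted(rows, key=lambda row: (-row[1], row[0]))

FACTORS = list(WEIGHTS)
CANDIDATES = {  # constructed sample ratings, listed in FACTORS order
    "payroll application": dict(zip(FACTORS, [5, 4, 3, 4, 5])),
    "expense reporting": dict(zip(FACTORS, [3, 3, 2, 3, 3])),
    "intranet wiki": dict(zip(FACTORS, [1, 1, 1, 2, 1])),
}
```

Because the weights are validated to sum to 100, changing a weight forces a deliberate rebalancing rather than quietly shifting the scale.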
The IT auditor should always consider the following issues and items prior to beginning a risk assessment. If the IT auditor finds that too many of these represent problems or exceptions, then others should be selected.
The above list is not meant to be all-inclusive, and should always be tailored to the facts and circumstances of the company or situation.
If the IT auditor is not familiar with the risk assessment process, he or she should take extra time to become familiar with the process. One should also consider asking IT auditors from other companies, or other knowledgeable third parties, to periodically review progress and plans, and provide other needed support.
Review the internal audit risk assessment model. Normal IT audit planning should complement the internal audit departmental process, with which the IT audit manager should be familiar. The three-step risk assessment described earlier will be apparent in almost every model as either the actual structure, or as a central theme, of the internal audit risk assessment model.
The risk assessment model in Exhibit 5-1 begins with some of the nontechnical areas the IT audit manager should review to identify relevant risk factors.
Exhibit 5-1. Risk Assessment Model (100-Point System)