The IT auditor has been shown how to use a risk assessment model in both an absolute and a relative sense. Each automated application system in the example was scored independently on each objective or subjective criterion, which is an absolute evaluation. Once the scores are compared with one another, the evaluation is on a relative basis.
Exhibit 5-3. Risk Assessment Model (10-Point System)
The IT auditor may consider short-cutting the process and moving directly to a relative risk assessment model, in which each automated application system is ranked against the others (Exhibit 5-4). The IT auditor should be careful in taking this path, because it hides the absolute analysis that is still being done. Consider even a question that seems completely relative, such as "Is today hotter than yesterday?" One could not answer without knowing that "hot" refers to temperature, which is measured on one of several scales.
If one did not know what the temperature was on each day, one might still decide which day felt hotter. Returning to the audit risk assessment, the auditor should document the absolute items whenever possible, because they build a stronger and more defensible foundation in case the risk assessment results are challenged. This does not preclude the auditor from including judgment in the risk assessment model; it only strives to keep the objective and subjective elements, and the mechanical and judgmental elements, separate from one another.
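As an added illustration (not from the book), the following Python script scores three constructed applications on a 10-point model, keeps the absolute objective and subjective subtotals, and derives the relative ranking from them. The second planning cycle's scores show what a ranking alone would hide: every application's absolute risk has risen while the relative order is unchanged. The criterion names and scores are assumptions.

```python
from typing import Dict

# Constructed 10-point model (0-10 per criterion). Each criterion is tagged as
# objective (mechanical) or subjective (judgmental) so the two kinds of input
# can be documented separately, as the text recommends.
CRITERIA = {
    "transaction_volume": "objective",
    "dollar_value": "objective",
    "regulatory_exposure": "objective",
    "control_maturity": "subjective",
    "management_concern": "subjective",
}

def absolute_scores(apps: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """Absolute evaluation: each application's subtotals and total, on its own scale."""
    result = {}
    for app, scores in apps.items():
        if set(scores) != set(CRITERIA):
            raise ValueError(f"{app}: criteria do not match the model")
        bad = [c for c, v in scores.items() if not 0 <= v <= 10]
        if bad:
            raise ValueError(f"{app}: scores outside 0-10 for {bad}")
        obj = sum(v for c, v in scores.items() if CRITERIA[c] == "objective")
        subj = sum(v for c, v in scores.items() if CRITERIA[c] == "subjective")
        result[app] = {"objective": obj, "subjective": subj, "total": obj + subj}
    return result

def relative_ranking(absolute: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Relative evaluation: rank 1 = highest total; equal totals share a rank."""
    ordered = sorted(absolute.items(), key=lambda kv: -kv[1]["total"])
    ranks, rank, prev = {}, 0, None
    for position, (app, scores) in enumerate(ordered, start=1):
        if scores["total"] != prev:
            rank, prev = position, scores["total"]
        ranks[app] = rank
    return ranks

# Constructed scores for the same three applications in two planning cycles.
YEAR1 = {
    "payroll":     {"transaction_volume": 7, "dollar_value": 9, "regulatory_exposure": 9,
                    "control_maturity": 4, "management_concern": 6},
    "inventory":   {"transaction_volume": 8, "dollar_value": 6, "regulatory_exposure": 3,
                    "control_maturity": 5, "management_concern": 5},
    "web_catalog": {"transaction_volume": 9, "dollar_value": 2, "regulatory_exposure": 2,
                    "control_maturity": 3, "management_concern": 4},
}
# Year 2: every criterion worsens by two points, capped at 10.
YEAR2 = {app: {c: min(10, v + 2) for c, v in s.items()} for app, s in YEAR1.items()}

if __name__ == "__main__":
    for label, year in (("year 1", YEAR1), ("year 2", YEAR2)):
        abs_scores = absolute_scores(year)
        print(label, abs_scores, relative_ranking(abs_scores))
```

The ranking is identical in both years (payroll, inventory, web catalog), yet the absolute totals rise from 35/27/20 to 43/37/29; only the documented absolute scores make that change visible.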
Preventing and solving problems. There are problems that might inhibit the IT auditor's ability to use risk assessment techniques. These problems include:
Potential solutions include:
The IT auditor should be willing to risk over-simplification, as it is much easier to expand and improve the next effort than it is to fail to complete the first one.
The IT auditor should now be able to set a preliminary scope for the application reviews identified for inclusion in the current plan. The auditor should include all of the information gathered or developed thus far to support the current analysis.
Task 1: Set Review Scope
The IT auditor must set a specific audit scope for each planned review. The decisions to make are which elements of each selected application will be reviewed and what work will be done for each selected element. The IT auditor should perform a general review of the application as part of every selected review.
Task 2: Estimate Audit Resources
The IT auditor estimates the audit time and expenses required to perform the audit. The time estimate includes the following considerations:
The expense estimate is normally driven by any travel cost incurred to audit a non-local site. Other typical expenses include computer hours, support groups, and unusual administrative support.
Task 3: Identify Special Audit Needs
The IT auditor must define special audit needs, including unique audit skills (e.g., knowledge of a particular DBMS), special knowledge of certain business activities, and operational knowledge of special tools (e.g., audit software).
The IT auditor selects the computer applications that are to be audited during the coming year and then schedules the time when these audits will be performed.
The auditor must select the audits that should be performed during the coming year. General guidelines should be developed to enable the auditor to set priorities for the audits to be performed. An example of these guidelines follows:
Auditors should schedule the audits for a year in groups by quarter. The scheduling considerations for determining which quarter to perform audits include:
Additional considerations include the availability of special audit staff to assist in the conduct of the audit and the ability to coordinate with independent public accountants and other auditee area personnel.
This task merges the IT audit plan with other audit plans to create an overall internal audit department plan.
During this task, the IT auditor must integrate multiple audit plans from various parts of the audit department into a single audit plan. The process usually depends on the available audit resources. Thus, the overall audit plan must meet the following organizational constraints:
Administrative activities (e.g., training and staff meetings) should be incorporated through other parts of the annual audit planning process.
This task produces an annual audit department plan that closely parallels the IT plan. If the organization's annual audit planning documents include specific items that are not covered by the audit planning process presented in this section, the auditor should modify these workpapers to include the other needed information.