The 1202.1 information systems audit standard requires that an appropriate risk assessment
approach and supporting methodology be used to develop the IS audit plan and determine
priorities for the effective allocation of IS audit resources. Risk assessment is one of the
tools required to assess risk in the enterprise and can also be used to identify critical assets.
Priority and allocation of resources can be determined based on the risk level, which can
be high, medium, or low. Criticality of IT assets and impact are other factors which can be
used to assign priority of allocating audit resources. Risk assessment should be included
from the planning stage and cover all other stages of the IS audit process.
The 1202.2 information systems audit standard expects IS auditors to be careful when
assessing risk on individual areas or IT assets, as the risk has to be relevant to the area or asset.
It is advisable that the auditors first gain an overall understanding of risk in the enterprise
before they perform risk assessment on individual IT assets. Some risks may be relevant to
particular assets and might disappear when a number of assets are considered as a single
unit.
During the planning stage, the 1202.3 information systems audit standard requires IS
auditors to ensure that consideration is given to subject matter risk, audit risk, and related
exposure to the enterprise. Subject matter risk is risk directly related to the asset or area
being audited. Audit risk is the possibility that information or reports may have material
errors which the auditor may not have detected.
In practice, subject matter risks can be identified by carrying out a risk assessment on the
subject area or IT asset. This could be based on the design and effectiveness of IT controls
or compliance with security standards and regulations. Audit risk often occurs where
inexperienced auditors or non-specialist auditors are used to perform audits which require
particular skills. A good example would be allowing a generalist IS auditor to perform an
audit requiring SAP skills. The audit team should ensure that, during planning, auditors
with appropriate skills are used to avoid audit risk, although it is undisputed that
audit risk exposure can occur even where experienced auditors are involved.
Performance and Supervision (1203.1 to 1203.3)
The use of a carefully developed audit program (1203.1 information systems audit standard)
will ensure that the audit is not exposed to unnecessary risks. Use of project management
software will help to ensure that the audit is kept within the approved schedule.
Where an audit program is out of schedule, it is important that a review is made and that the
necessary corrections are made and approved by both the IS audit team and the client.
The 1203.2 information systems audit standard requires auditors to ensure that all junior
or trainee IS auditors are supervised in an appropriate manner so that professional IS audit
standards are maintained. The authors of the standard had in mind the need to achieve audit
objectives as agreed with the client. Providing sufficient guidance and training to IS audit