Chandra Tandukar

Risk Based Auditing

An IS audit is a formal examination, interview and/or testing of an information system to determine whether it complies with the applicable laws, regulations, contracts, and guidelines. It is a challenging responsibility of the IS auditor to determine that the data and information held by the system have the appropriate level of confidentiality, integrity, and availability, and that IS operations are carried out efficiently and effectively. Once the audit function is established and audit planning is done, audits are classified according to the nature of the audit objective as financial audits, operational audits, integrated audits, administrative audits, compliance audits, specialised audits, forensic audits, and risk-based audits.

The risk-based audit approach is adopted to develop and improve the continuous audit process. According to ISACA (CISA Review Manual, 2016), this approach is based on two processes:

1. Risk assessment driving the audit schedule (which areas are audited, and how often)

2. Risk assessment minimising audit risk during the execution of an audit

A risk-based audit approach assists the auditor in deciding how much compliance testing to perform and in assessing the risk accordingly. The auditor relies not only on the business risk but also considers the internal and operational controls that surround the business. This approach makes adaptation to changing conditions easier by establishing a consistent and comprehensive approach to managing risk strategically.

A risk-based auditing approach provides a better overview of risks and of how they are managed. It helps to identify risks correctly and to reduce negative risk through internal controls so that the organisation performs at its best. It aligns resources with the areas of greatest risk, uses them efficiently, and creates opportunities through optimisation of resources. It also makes risks and their impact on the business easier to understand, which supports decision making.

In the risk-based auditing approach, the auditor must be aware that inherent risk, control risk, detection risk, and overall audit risk may all influence the audit process. Inherent risk is the susceptibility of an area to error or loss in the absence of controls; control risk is the risk that the internal controls fail to prevent or detect such an error; detection risk is the risk that the auditor's own procedures fail to detect it; and overall audit risk is the combined effect of the three. These risks may arise from weaknesses in internal controls that expose vulnerabilities of the organisation.

Risk-based auditing goes through the same basic auditing phases but with a stronger focus on risk. The figure below shows the phases of the risk-based audit approach.

Figure: Risk Based Audit Approach (Source: CISA Review Manual 27th Edition)

In the risk-based approach, risk assessment is the main concern: it should identify, quantify and prioritise risks against defined criteria. The risk assessment identifies critical business assets and infrastructure, threats, vulnerabilities, impact, and consequences. By prioritising risks it also defines the scope of the audit, and it guides the selection of appropriate controls to achieve the audit goal.

The possible risk responses that an IS auditor may recommend, depending on the nature and priority of each risk, are as follows:

Risk mitigation: Reduce the risk by applying appropriate controls; this is the usual response to a high-priority risk.

Risk acceptance: Accept the risk when its impact is negligible or the cost of treating it is too high for the organisation to justify.

Risk avoidance: Avoid the risk by not allowing the actions that would cause it to occur.

Risk transfer: Transfer or share the risk with associated parties or third parties such as suppliers or insurers.
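To make the two ideas above concrete (risk assessment driving the audit schedule, and mapping each prioritised risk to a response), here is a small added example, not from the original post or from ISACA. It scores each auditable entity as likelihood x impact, discounts by control effectiveness to obtain residual risk, orders the audit universe by residual risk, and picks a response and audit frequency. The scoring scale, the risk appetite and avoidance thresholds, the audit cycle bands, and the sample audit universe are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditableEntity:
    name: str
    likelihood: int                # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                    # 1 (negligible) .. 5 (severe), assumed scale
    control_effectiveness: float   # 0.0 (no control) .. 1.0 (fully effective)
    transferable: bool = False     # risk can be shared with an insurer or supplier


# Assumed thresholds, not from the article. Residual risk runs 0..25.
RISK_APPETITE = 4.0   # at or below this, the risk is accepted
AVOID_LIMIT = 15.0    # above this with no working control, the activity is avoided


def inherent_risk(e: AuditableEntity) -> float:
    """Likelihood x impact before any control is considered (1..25)."""
    return float(e.likelihood * e.impact)


def residual_risk(e: AuditableEntity) -> float:
    """Inherent risk discounted by how effective the existing control is."""
    return inherent_risk(e) * (1.0 - e.control_effectiveness)


def risk_response(e: AuditableEntity) -> str:
    """Map residual risk to one of the four responses named in the article."""
    r = residual_risk(e)
    if r <= RISK_APPETITE:
        return "accept"
    if r >= AVOID_LIMIT and e.control_effectiveness == 0.0:
        return "avoid"      # no control in place and risk far above appetite
    if e.transferable:
        return "transfer"
    return "mitigate"


def audit_cycle_years(e: AuditableEntity) -> int:
    """Residual risk drives how often the entity is audited (assumed bands)."""
    r = residual_risk(e)
    if r > 12.0:
        return 1
    if r > RISK_APPETITE:
        return 2
    return 3


def audit_schedule(universe):
    """Order the audit universe by residual risk, highest first.

    Returns (name, residual risk, response, audit cycle in years) tuples.
    """
    ranked = sorted(universe, key=lambda e: (-residual_risk(e), e.name))
    return [(e.name, residual_risk(e), risk_response(e), audit_cycle_years(e))
            for e in ranked]


# Constructed audit universe for illustration only.
SAMPLE_UNIVERSE = [
    AuditableEntity("Core banking database", likelihood=4, impact=5, control_effectiveness=0.5),
    AuditableEntity("Payroll SaaS", likelihood=3, impact=4, control_effectiveness=0.25, transferable=True),
    AuditableEntity("Internal wiki", likelihood=2, impact=2, control_effectiveness=0.5),
    AuditableEntity("Legacy FTP gateway", likelihood=5, impact=4, control_effectiveness=0.0),
]

if __name__ == "__main__":
    for name, r, response, years in audit_schedule(SAMPLE_UNIVERSE):
        print(f"{name:22} residual={r:5.1f} response={response:9} audit every {years} yr")
```

The point of the ordering is that the schedule follows residual rather than inherent risk: the core database and the FTP gateway share the same inherent score of 20, but the gateway with no control lands at the top of the schedule while the database, whose controls halve its exposure, is audited less often. In practice the likelihood and impact scales, the appetite and the cycle bands would come from the organisation's own risk criteria.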


Hence, risk-based auditing concentrates audit effort on the areas of the organisation that carry the greater risk. It helps management to apply corrective, preventive and detective controls as the business needs them, and so to achieve the business objectives.
