IS Audit Process II

About This Presentation

Title:

Description:

Number of Views:136

Avg rating:3.0/5.0

Slides: 11

Provided by: Aij9

Category:

Tags: audit | countermeasure | process

Transcript and Presenter's Notes

Title: IS Audit Process II

1
IS Audit Process II
2
IS Audit Risks

3
Inherent Risks

This is an IS Audit risk that an error exists
which could become significant or material when
combined with other errors encountered during the
audit assuming there are no compensating controls
(Internal Controls already in place).
It is the susceptibility to a material
misstatement in the absence of controls.
They are usually independent of an audit and can
occur irrespective of an audit.
They are mostly risks that are inherent in a
business .
Their level is noted by considering general
factors that both internal and external to the
business.
This is done by considering the financial,
Strategic, critical operations and
Technologically advanced Systems

4
Control Risk

This reflects the likelihood that internal
controls in some segment of the audit will not
prevent, detect or correct material losses or
misstatements that may arise. e.g. manual
calculations and manual review of computer logs.
Its level is determined by considering the
reliability of both management and application
controls.

5
Detection Risk

This defines a situation where audit procedures
used in some segments of an audit will fail to
detect material losses or account misstatements.
In other to define the level of detection risk,
auditors must consider the evidence collection
procedure design.

6
Overall Audit Risk

This is a combination of all categories of audit
risks assessed for each specific control
objective.
It defines the desired level of risk an auditor
is prepared to accept so as to achieve desired
level of assurance as efficiently as possible.
The auditor may set a target level of risk and
adjust the amount of audit work to minimize the
overall audit risk.

7
What is Risk?

Risk is the likelihood that a threat agent will
take advantage of a vulnerability in a system
resulting in an adverse impact to the
organization.
it is the loss potential or probability that a
threat will exploit a vulnerability.
Threat is any potential danger that a
vulnerability will be exploited by a threat
agent.
Threat agent is any factor or event that can
exploit a vulnerability.

8
Risk cont

Vulnerability is the absence or weakness of a
safeguard which can be exploited by a threat
agent.
Safeguards/Countermeasure/Control can be a
software configuration, hardware or procedure
that eliminates or mitigates the risk of a threat
agent exploiting a vulnerability.
Risk is defined mathematically as
Total Risk Threats X Vulnerability X Asset Value

9
Risk Analysis

Risk analysis is the method or means of
identifying risks and assessing the possible
damage that could be caused in order to justify
security safeguards.
To the Auditor Risk analysis serves many purposes
which include
for help with identifying threats,
vulnerabilities and risk to an organizations IS
that need to be taken care of by management and
internal controls.
Aids collection of relevant information for the
audit exercise from all levels of management.
It aids the selection of audit subject areas.
Helps in evaluating controls.
Aids the setting of audit objectives.

10
Risk Analysis cont

To management for the benefit of IS auditing,
benefits of a Risk analysis include
To identify areas of high risk.
Identify special circumstances that need better
controls.
Ensure that audit resources are allocated
effectively and efficiently.
Ensure that the policies of the organization are
directed accordingly
Establish a basis for effectively managing the
audit function.
Shows relationship of individual audit subjects
to overall the organization and its business
plans.