RISK-BASED AUDIT PLANNING

MODULE 4

Effective risk-based auditing uses risk assessment to drive the audit plan and to minimize audit risk during the execution of an audit.

RISK-BASED AUDIT PLANNING
● The deployment of audit resources to the areas within an organization that represent the greatest risk. It requires an understanding of the organization and its environment, specifically:
➔ External and internal factors affecting the organization
➔ The organization's selection and application of policies and procedures
➔ The organization's objectives and strategies
➔ Measurement and review of the organization's performance
- What we need to identify are the processes most critical to the organization, those whose failure could affect the achievement of its objectives.
- It would be much better if we could audit the entire set of business processes of an organization and even provide absolute assurance on the effectiveness and efficiency of operations, the safeguarding of assets, and compliance with laws and regulations.
- However, because audit resources are scarce, that is not possible.
- We need to allocate the limited resources of our IS audit function to the most important processes, or to whatever we consider a priority for the organization.

GAIN AN UNDERSTANDING OF THE ORGANIZATION
As part of obtaining this understanding, an IS auditor must also gain an understanding of the key components of the organization's:
● Strategy management
● Business products and services
● Corporate governance process
● Transaction types, transaction partners and transaction flows within information systems
- This is much like performing a SWOT analysis, but from an audit perspective. We need to understand the objectives of the organization and determine which business processes are linked to the overall business objectives.
- Hence, we should familiarize ourselves with the outputs, the dependencies, and the persons responsible for each of those business processes.

BUSINESS RISK
● Includes concerns about the probable effects of an uncertain event on achieving established business objectives.
● The nature of business risk may be financial, regulatory or operational, and may also include risk derived from specific technology.
○ For example, an airline company is subject to extensive safety regulations and economic changes, both of which impact the continuing operations of the company. In this context, the availability of IT services and their reliability are critical.
● Risk also includes those measures an organization is willing to take in order to achieve or advance its objectives, where the results may be unproven or uncertain.
● There is a school of thought that classifies risk into two: positive risk and negative risk.
○ Negative risk is what we have defined in this slide.
○ Positive risks are opportunities that can be exploited by the organization. In short, they are like opportunities.
○ For the purposes of our discussion, and to avoid confusion, we will treat negative risk and risk as the same thing.
● Risk is uncertain: it can happen or not. Risk can be measured in terms of likelihood, the probability of the event happening.
● It is usually presented as a combination of a percentage and an amount. It can also be measured by its impact or consequence: the effect on the organization in case the risk materializes.
● Example: In a business, what are the possible risks? Take a data center. What is a possible risk there?
○ The area is prone to flooding. This is the expected damage: if the area floods, the possible damage is 2 million pesos. The chance of the area being flooded is 20%.
○ So they multiply the two. That is the possible effect on the organization if the risk happens (here, 20% of 2 million, or 400,000 pesos of expected loss).
● We can identify all types of risk. One example of a risk assessment that we cannot exactly call ordinary, but which an organization did consider:
- The effect of the risk was the entire business itself: the business would be wiped out. But the probability they assigned was 0.001%. The risk they listed: their site being hit by an asteroid. It can happen.
● We need to identify the types of risk. You also need to compute the possible impact if the risk materializes, and the probability of it happening.
● The likelihood is usually based on historical data, whether the event has happened to the organization before, or on some other authority or reference that can state the chances of the event happening.
● It is not simply guessed.

RISK-BASED AUDIT
● Used to assess risk and to assist an IS auditor in making the decision to perform either compliance testing or substantive testing.
● A risk-based audit approach efficiently assists an IS auditor in determining the nature and extent of testing.
- The IS audit is not compliance-based. We only need to focus on the most important areas, those with a high level of risk.
- Before, the audit was compliance-based, meaning a checklist type of audit: you had to do everything regardless of the level of risk of the business process.

By understanding the nature of the business, an IS auditor can identify and categorize the types of risk that will better determine the risk model or approach in conducting the audit.

The risk model assessment can be as simple as creating weights for the types of risk associated with the business and identifying the risk in an equation.

On the other hand, risk assessment can be a scheme where risk has been given elaborate weights based on the nature of the business or the significance of the risk. A simplistic overview of a risk-based audit approach can be seen in figure 1.6.

For a risk-based audit, this is how we conduct the audit. The annual risk-based plan determines which business units or processes we need to prioritize. After we identify those activities, we schedule the audits. When we start the audit of a unit or process, we need to:

1. Gather information and plan
- When we gather information and plan for our audit engagement, we need to look into various documents to gain an understanding of the unit or process that we are going to audit.
- We could check organizational charts, previous audit reports, industry reports, or any other documents that help us familiarize ourselves with the area.
- After we gain that understanding, we need to identify our audit objectives, the things we need to look into.
- Example: We are auditing the EDI. We identify the responsible personnel and obtain the previous audit reports. Those reports contain findings of duplicate transactions, and of transactions that were not approved for authorization.
- Perhaps this is where we focus: whether the issues on EDI transactions noted during the last audit have been fixed.

2. Obtain understanding of control
- We can obtain an understanding of controls by performing walkthroughs, interviews and observations, and by reviewing the policies and procedures. We can use process flowcharts or narratives to document our understanding of the control. We need to do this for the audit objectives that we identified in the first step.
- Back to our EDI example: we can observe their process and request a meeting to discuss how they process the transactions. In this step we can make a preliminary assessment of whether controls are in place to address the risk.
- However, as you may recall from our previous module (Module 3) on internal controls, a mere understanding of a control is not sufficient to conclude on its effectiveness.
- The design might be good, but the control may not be implemented properly.

3. Perform compliance testing
- Compliance testing is the test of controls. We need to test the effectiveness of the controls identified in Step 2.
- Back to our EDI example. They said transactions are approved before sending, and that verification is done by their counterparty to confirm each transaction. That was their representation when we obtained our understanding of the control during the walkthrough.
- To validate their claims, we can check the audit logs or audit trail to see whether their representation about authorization is correct. We could look into the authorization code sent by the counterparty to confirm that the transaction was really confirmed by the third party.
- With that, we can provide an opinion or conclusion on whether their controls are really effective.

4. Perform substantive testing
- Substantive testing includes tests of details and analytical procedures on the transactions themselves. We can check the amounts, the details and so on against the contract or purchase order, and whether those were encoded in the EDI. This is the more detailed work: we go through the documents one by one.
- You might be wondering: why do we need to test the effectiveness of controls? Why not perform substantive testing immediately? The answer is that the nature, timing and extent of substantive testing depend on the effectiveness of the controls.
- If the controls are effective, we can use fewer procedures and fewer samples, and vice versa.
- If they are not effective, say there are material weaknesses in the controls, we look at more items, the procedures are more expensive, and we take more samples.
- We must be careful in assessing the controls. If you say a control is effective when in fact it is not, your whole audit is compromised: the audit will not be effective, because you concluded the control was effective when it really was not, so you tested fewer items and may have missed misstatements.
- Now the other way around. Say you conclude the controls are ineffective when in fact they are effective. Your audit will still be effective, but it will no longer be efficient, because you looked at more items. Instead of fewer samples, you examined more because you concluded that internal controls were not effective.

5. Conclude the audit
- In concluding the audit, we discuss our findings with the auditee, provide them with the report, and evaluate their replies to our audit findings in the report.

6. Monitoring/Follow-up activity
- Some findings take time to resolve, and we need to monitor them until the auditee has addressed all of the issues. We can even require them to submit proof of compliance in subsequent periods to verify their claim that the findings have been addressed. Of course, we do not simply take the claim at face value: we need proof or supporting documents to validate it.

AUDIT RISK
● Audit risk can be defined as the risk that information collected may contain a material error that may go undetected during the course of the audit.
- Just like other businesses, the audit itself carries risk, and we call it audit risk.
❖ An IS auditor should also consider, if applicable, other factors relevant to the organization: customer data, privacy, availability of provided services, and corporate and public image, as in the case of public organizations or foundations.

Formula for computing the audit risk:
AR = IR × CR × DR
Where:
● AR = Audit Risk
● IR = Inherent Risk
● CR = Control Risk
● DR = Detection Risk
The IS auditor only provides assurance, because auditors also encounter risk. Though we cannot eliminate audit risk, we can reduce it to an acceptable level. If we rearrange the formula:
DR = AR / (IR × CR)

Detection risk is dependent on inherent risk and control risk. It is the term that has to adjust depending on your assessment of inherent risk and control risk. We cannot really eliminate audit risk, but we should reduce it to an acceptable level.

INHERENT RISK
● As it relates to audit risk, it is the risk level or exposure of the process/entity to be audited without considering the controls that management has implemented.
● Inherent risk exists independent of an audit and can occur because of the nature of the business.
- As the word itself says, it is innate to the business: in the absence of any controls, the business process is already risky.
- Example: cash collection. Regardless of the controls you put in place, cash is cash. It is very susceptible to fraud and is the asset most commonly misappropriated from an organization, so it has a high level of inherent risk.
- A simple analogy in layman's terms: suppose you have a beautiful girlfriend. No matter how closely you watch, and no matter how loyal she is to you, there will always be someone flirting with her. Her physical attribute, being beautiful, is what attracts the high risk.
- In essence, her inherent risk is high.

CONTROL RISK
● The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls.
● For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed due to the volume of logged information.
● The control risk associated with computerized data validation procedures is ordinarily low if the processes are consistently applied.
- In short, either there are no controls, or there are controls but they are not implemented properly, or there are controls but they are insufficient to address the level of risk.

DETECTION RISK
● The risk that material errors or misstatements that have occurred will not be detected by an IS auditor.
- This one is on our part: we failed to detect those misstatements.

OVERALL AUDIT RISK
● The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred.
● An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination.

So let us now discuss the relationship between these risks. As discussed in the previous slide, detection risk is dependent on our assessment of inherent risk and control risk. What we want is to reduce audit risk to an acceptable level, so detection risk is our balancing term, not the other way around. If inherent risk or control risk is high, we do not lower those to lower the audit risk; that is not what we do. It is always detection risk that adjusts.
● If IR and CR are high, we need to reduce DR.
○ Say the transaction is about cash, and the controls are weak. So our IR and CR are high, and we need to reduce DR by performing more procedures.
○ Meaning, we increase our samples so that we can find the misstatements.
○ We do not keep the sample size and then assess IR and CR as low. That is not how it works.
○ It is always DR that adjusts, in terms of audit procedures and sample size.
● The other way around: if CR is fine and IR is not that risky, perhaps we can raise the level of DR.
○ Meaning, fewer samples and fewer procedures. So the relationship of CR and IR to DR is inverse.
○ When CR and IR are high, we need to lower DR.
○ When CR and IR are low, we can raise DR.
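The rearranged formula and the IR/CR/DR relationship above, carried through in code as an added example (this is not code from the lecture notes). The numeric stand-ins for the high/medium/low assessments, the 5% planned audit risk, the tolerable deviation rate and the zero-deviation attribute-sampling formula used to turn a planned detection risk into a sample size are assumptions for illustration; they show why a high IR and CR force a low DR and therefore more substantive testing.

```python
"""Audit risk model AR = IR x CR x DR, solved for the detection risk the IS
auditor may accept, and the effect on the extent of substantive testing.

Added example. The qualitative-to-numeric mapping, the DR cut-off for
"more procedures" and the attribute-sampling formula are assumptions
for illustration, not from the lecture notes.
"""
import math

# Assumed numeric stand-ins for the notes' high/medium/low assessments.
LEVELS = {"high": 1.0, "medium": 0.6, "low": 0.3}


def as_risk(value):
    """Accept either a probability in (0, 1] or one of the qualitative levels."""
    if isinstance(value, str):
        return LEVELS[value.lower()]
    if not 0.0 < value <= 1.0:
        raise ValueError(f"risk must be a probability in (0, 1], got {value}")
    return float(value)


def detection_risk(audit_risk, inherent_risk, control_risk):
    """DR = AR / (IR x CR).

    IR and CR are assessed, AR is the planned acceptable level, so DR is the
    only term the auditor can adjust. Capped at 1.0: if IR x CR is already at
    or below the planned AR, no further detection effort is needed to meet it.
    """
    ar = as_risk(audit_risk)
    ir, cr = as_risk(inherent_risk), as_risk(control_risk)
    return min(1.0, ar / (ir * cr))


def sample_size_zero_deviations(detection_risk_level, tolerable_rate):
    """Smallest n such that n items with no deviation leave at most the planned
    detection risk of missing a true deviation rate >= tolerable_rate:
        (1 - p)^n <= DR   ->   n >= ln(DR) / ln(1 - p)
    (assumed attribute-sampling formula with zero expected deviations)."""
    if detection_risk_level >= 1.0:
        return 0  # any DR is acceptable: no substantive sample required
    if not 0.0 < tolerable_rate < 1.0:
        raise ValueError("tolerable_rate must be in (0, 1)")
    return math.ceil(math.log(detection_risk_level) / math.log(1.0 - tolerable_rate))


def plan_testing(audit_risk, inherent_risk, control_risk, tolerable_rate=0.05):
    """Tie the model together: assessed IR/CR -> allowed DR -> extent of testing."""
    dr = detection_risk(audit_risk, inherent_risk, control_risk)
    n = sample_size_zero_deviations(dr, tolerable_rate)
    # 0.2 is an illustrative cut-off, not a standard.
    extent = "more procedures, larger samples" if dr < 0.2 else "fewer procedures, smaller samples"
    return {"detection_risk": round(dr, 4), "sample_size": n, "extent": extent}


if __name__ == "__main__":
    # Cash with weak controls: IR and CR high -> DR must be low -> more testing.
    print(plan_testing(0.05, "high", "high"))
    # Low inherent risk and effective controls -> DR may be higher -> less testing.
    print(plan_testing(0.05, 0.5, 0.3))
```

With a planned audit risk of 5%, the cash-with-weak-controls case needs a detection risk of 0.05 and 59 deviation-free items at a 5% tolerable rate, while the low-IR, effective-control case may accept a detection risk of about 0.33 and 22 items: the same inverse relationship the notes describe, with the extent of testing as the output.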
THINGS TO CONSIDER
● An IS auditor should have a good understanding of audit risk when planning an audit.
○ An audit sample may not detect every potential error in a population.
● By using proper statistical sampling procedures or a strong quality control process, the probability of detection risk can be reduced to an acceptable level.
● A given system may not detect a minor error. However, that specific error, combined with others, could become material to the overall system.

RISK ASSESSMENT
Objective → Risk → Risk Management
- Risk management in simple terms: the process by which an organization brings business risk down to an acceptable level.
● The identification and analysis (typically in terms of impact and likelihood) of relevant risks to the achievement of an organization's objectives, forming a basis for determining how the risks should be managed:
➔ Threats
➔ Vulnerability
➔ Impact
- We discussed threats and impact before. What is new here is vulnerability, which means how susceptible an organization is to a given risk. It depends on the organization's state of readiness.

We first need to be familiar with these terms:

RISK APPETITE
● The amount of risk an organization is prepared to accept or be exposed to.
- The organization might be risk-hungry, willing to take on a higher level of risk, or risk-averse, conservative in its risk-taking activities.
- What is the correct risk appetite? The answer is: it depends. There is no single correct answer, as long as the residual risk is within the organization's risk capacity and tolerance.

RISK CAPACITY
● The maximum risk the organization is able to bear, given its resources and capabilities.

RISK TOLERANCE
● Acceptable variance from risk appetite.
- Risk capacity and risk tolerance are closely related to each other.
- Risk tolerance is like elbow room for the organization. Your risk-taking activity should of course depend on what you can actually bear.
- Example: a bank cannot have a risk appetite for granting loans to Ayala and San Miguel if its total resources are only 20 million, because those companies usually borrow close to 100 million, which is already beyond the total resources of the organization, that is, its risk capacity.
- It is like food. Say your favorite is fried chicken and you want to eat two whole fried chickens. You may want to, but the capacity of your stomach is only two pieces, say a leg and a wing. If you force yourself to keep eating beyond the capacity of your stomach, you might throw up. That is what happens if you force it.
- Likewise in business: the organization might collapse if it insists on taking risk beyond its risk capacity.

RESIDUAL RISK
● The level of risk remaining after risk treatment.

MANAGING THE RISK APPETITE
(Figure: a person under an apple tree, with small apples within easy reach and a larger apple across a cliff.)
- In this figure there are two options. There are smaller apples that are easier to get: he just climbs and picks them, or reaches them with a pole.
- There is also a bigger apple, but it is dangerous. It is hard to get, and there is a cliff in between.
- Which would you choose?
- In an organization, it depends on their risk capacity and the decision of their management, and on how risk-hungry they are.
- There is no right or wrong risk appetite, as long as it is within your capacity and tolerance.
- At the end of the day, it is still a business decision.
- Risk and return have a positive correlation or direct relationship. Meaning, the higher the risk, the higher the return.
- There is no such thing as low risk, high return, as we usually hear from pyramiding scams.
- If it is too good to be true, then it is definitely not true.
- Logic dictates it: high risk with low return, then do not take the risk. Usually that is the trade-off. The higher the risk, the higher the return, the higher the reward.

(Figure: diagram of inherent risk, the risk response, and the residual risk that remains.)
- This is a diagram of the residual risk of the organization.
- First, inherent risk. It is the risk in the absence of internal control. If the organization decides to accept or take this risk to benefit from the expected gains of the business undertaking, it should have an appropriate risk response.
- As we can see, there is still a black portion after the risk response. The remaining black portion is the residual risk.
- The organization must ensure that the residual risk, the risk remaining after the risk response or treatment, is within its acceptable level and within its capacity and tolerance.
- There will always be residual risk if we decide to accept the risk, because we cannot really eliminate the risk.
- However, it is a different story if we decide not to accept the risk, which means we did not accept the business opportunity. We also forgo the possible benefits attributed to that risk.

● The residual risk should not exceed the risk appetite.
● The risk appetite should not exceed the organization's risk capacity and risk tolerance.
- The risk should fit within the risk capacity, with a little elbow room for risk tolerance.
- Meaning, management allows some deviation in case it accepts risk.

BASIC RISK RESPONSE
- We exploit the risk to harvest the benefit from it. The higher the risk, the higher the reward. Of course the risk should carry a reward; that is why we exploit it.
- Management has different types of responses to those risks.

TREAT/MITIGATE/REDUCE
● Introduce or strengthen internal controls to mitigate the risk (reduce likelihood and/or impact).
- Preventive, detective, corrective
- Hard and soft controls
- It is the implementation of the risk response to reduce the risk to an acceptable level.
- We should check whether the residual risk is within the acceptable level after we mitigate the risk.
- You also need to consider whether the controls implemented are beneficial, because they might be excessive in relation to their perceived benefits.
- Example: The organization decides to go online. They can implement firewalls, IPS, IDS and other controls, so that the remaining risk is within the organization's ability to absorb, meaning within its risk capacity.

TOLERATE/ACCEPT
● Knowingly and objectively not taking action, provided the risk clearly satisfies the organization's policy and criteria for risk acceptance.
- It just means we accept the risk and understand its repercussions, as long as it is within the risk capacity of the organization.
- Say in our previous example they decide to go online but not to implement any controls. It is definitely not the best approach, because the likelihood and impact of the risk, if it materializes, could be devastating.

TRANSFER/SHARE
● Apportion some or all of the risk to a third party, typically through some form of insurance, joint initiative, or outsourcing.
- Going back to our previous example: instead of developing the infrastructure and implementing the controls ourselves, we can outsource it, let the third party manage it and assume the risk. Is it for a fixed fee? That is what we should weigh: how much will we spend if we outsource it to a third party.

TERMINATE/AVOID
● Avoiding risk by not allowing actions that would cause the risk to occur.
- In plain terms, in our previous example: let us just not go online. It is simple, no more risk. But you are also deprived of the potential benefits of going online.

NEVER IGNORE THE RISK
- Ignoring is different from accepting. When you ignore, you do not know the impact of the risk or the possible repercussions if it happens.
- The risk management decision rests with management. Our job as IS auditors is not to implement these basic risk responses, but to evaluate whether the response is commensurate with the risk-taking activities and whether the residual risk is within the acceptable level approved by the organization.

RISK PROFILE RESPONSES
(Figure: a likelihood-by-impact matrix with a suggested response in each cell.)
- This is just an example of possible treatments for a risk, the ones we discussed. Impact and likelihood are considered here: you can see that when impact and likelihood are both high, there is already a decision, for example to avoid.
- It still depends. This is not what every organization uses. It depends on the risk appetite, how hungry they are for risk-taking activities.
- It is a possible response once they have measured the probability and impact of the risk.
CONSIDERATIONS FOR IMPLEMENTING RISK MITIGATION
● Requirements and constraints of national and international legislation and regulations
● Organizational objectives
● Operational requirements and constraints
● Cost effectiveness

FOR IS AUDITORS, RISK ASSESSMENT COULD
● Assist in identifying risk and threats to an IT environment and IS system, risk and threats that would need to be addressed by management, and in identifying system-specific internal controls
● Help in the evaluation of controls in audit planning
● Assist in determining audit objectives
● Support risk-based audit decision making
- Risk assessment is not automatically included in our plans. We may consider the risk assessment done by management in our work, but it is not automatic.

WHAT SHOULD BE CONSIDERED BY THE IS AUDITOR WHEN DEVELOPING THE AUDIT PLAN
● Full coverage of all areas within the scope of the IS audit universe, which represents the range of all possible audit activities
● Reliability and suitability of the risk assessment provided by management
● The processes followed by management to supervise, examine and report possible risk or issues
● Coverage of risk in related activities relevant to the activities under review

IS AUDIT RISK ASSESSMENT TECHNIQUES
- This is the risk assessment that the IS auditor performs.

QUANTITATIVE: Range from simple classifications based on the IS auditor's judgment of high, medium and low, to complex scientific calculations that provide a numeric risk rating.
QUALITATIVE: Subjective, in which an independent decision is made based on business knowledge, executive management directives, historical perspectives, business goals and environmental factors.

One such risk assessment approach is a scoring system that is useful in prioritizing audits based on an evaluation of risk factors.
- For the quantitative assessment, as the word itself says, it uses computation. It is considered an objective approach because the result is based on the computations made.
- For example, the IS audit function can assign weights and ratings to factors such as the audit score of the business units from the previous audit. Some audit organizations give a score to the areas they audit: if the area is fine, it gets this score; if it is weaker, a lower score. That score can be considered when making the audit plan.
- When the unit was last audited might also be considered. The longer it has gone unaudited, the higher the weight we give it.
- Some other financial factors: the financial statement accounts affected. The larger the amount involved, the higher the rating we give.
- And of course the business size, or whether you are going to consider the risk assessment made by management. Using those factors, we compute a score for each business process or unit and rank them accordingly. The highest-ranked business units or processes are the activities we schedule for audit.
- Qualitative: we can just write a narrative and decide based on our experience.
- Say for the audit of EDI, what is our assessment? Let us say it is high. It is rated high because these are our justifications: in our last audit we saw certain findings, and we already rely heavily on EDI.
- Network management: only medium, because these are our justifications.
- So after we have gone through all business processes, those rated high are the ones we include or schedule for audit this year.

A combination of techniques can be used. Risk assessment methods may change and develop over time to best serve the needs of the organization.
- A combination of quantitative and qualitative provides some flexibility. It allows you to insert or overlay judgment on the computation made by the quantitative approach: if, based on experience, a certain business process or unit requires more attention but is not captured by our quantitative approach, because the parameters in our quantitative computation are somewhat limited.

OUTCOMES OF USING RISK ASSESSMENT ON AREAS TO BE AUDITED
● Enabling audit management to effectively allocate limited audit resources
● Ensuring that relevant information has been obtained from all levels of management, including boards of directors, IS auditors and functional area management
● Establishing a basis for effectively managing the audit department
● Providing a summary of how the individual audit subject is related to the overall organization as well as to the business plans

RISK ANALYSIS
● A subset of risk assessment, used during audit planning to help identify risk and vulnerabilities so an IS auditor can determine the controls needed to mitigate risk
● Provides a basis for the identification and assessment of risk of material vulnerabilities; however, it does not provide sufficient appropriate audit evidence on which to base the audit opinion.
- So this is the risk analysis that we do during the audit, and of course validation is still required for our risk assessment. It is not automatic that whatever conclusion we reached in our risk assessment is the result, because it is dynamic and can change over the course of the audit.

FOR IT RELATED BUSINESS PROCESSES
● Understand the relationship between risk and control
● Identify and differentiate risk types and the controls used to mitigate this risk
● Understand common business risk areas, related technology risk and relevant controls
● Evaluate the risk assessment and management process and techniques used by business managers, and make assessments of risk to help focus and plan audit work

WHAT AUDITORS SHOULD UNDERSTAND WHEN ANALYZING BUSINESS RISK FROM USE OF IT
● Industry and/or internationally accepted risk management processes
● The purpose and nature of the business, the environment in which the business operates and related business risk
● Dependence on technology in the achievement of business goals and objectives
● The business risk of using IT and how it impacts the achievement of the business goals and objectives
● A good overview of the business processes and the impact of IT and related risk on the business process objectives
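The scoring system described under IS audit risk assessment techniques above (weights and ratings on prior audit results, time since the last audit, amounts involved, business size and management's own assessment, a rank, then scheduling of the highest-ranked units, with a qualitative overlay for what the numbers miss), worked through as an added example. This is not code from the lecture notes; the factor weights, the rating bands, the high/medium/low cut-offs, the hours budget and the sample audit universe are all constructed for illustration.

```python
"""Weighted risk scoring of an IS audit universe, with a qualitative overlay.

Added example. Factor weights, rating bands, cut-offs and the sample universe
are assumptions made for illustration; they are not from the lecture notes.
"""
from dataclasses import dataclass

# Weights of the prioritisation factors named in the notes (assumed values,
# must sum to 1.0).
WEIGHTS = {
    "prior_audit": 0.25,            # result of the previous audit (open findings)
    "time_since_audit": 0.20,       # longer gap since the last audit -> higher
    "financial_exposure": 0.25,     # size of the amounts flowing through
    "business_size": 0.15,          # proxy: headcount of the unit
    "management_assessment": 0.15,  # management's own risk assessment
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    open_findings: int            # findings carried over from the last audit
    months_since_last_audit: int
    annual_amount_php: float      # value of transactions in the process
    headcount: int
    management_rating: str        # "low" | "medium" | "high"
    estimated_hours: int          # effort needed to audit the unit


def band(value, thresholds):
    """Map a raw value to a 1..5 rating: 1 plus the number of thresholds reached."""
    return 1 + sum(value >= t for t in thresholds)


def rate(unit):
    """Rate each factor from 1 (lowest risk) to 5 (highest). Bands are assumed."""
    mgmt = {"low": 1, "medium": 3, "high": 5}
    return {
        "prior_audit": band(unit.open_findings, (1, 3, 5, 8)),
        "time_since_audit": band(unit.months_since_last_audit, (12, 24, 36, 48)),
        "financial_exposure": band(unit.annual_amount_php, (1e6, 1e7, 1e8, 1e9)),
        "business_size": band(unit.headcount, (10, 50, 200, 500)),
        "management_assessment": mgmt[unit.management_rating.lower()],
    }


def classify(score):
    """Translate a weighted score into the notes' high/medium/low (cut-offs assumed)."""
    if score >= 3.5:
        return "high"
    if score >= 2.5:
        return "medium"
    return "low"


def score_universe(units, overlays=None):
    """Quantitative score per unit, then the qualitative overlay: an auditor's
    override with its justification, applied where experience says the
    computation under-rates a unit."""
    overlays = overlays or {}
    results = []
    for u in units:
        ratings = rate(u)
        score = round(sum(WEIGHTS[k] * ratings[k] for k in WEIGHTS), 2)
        quant = classify(score)
        final, why = overlays.get(u.name, (quant, "quantitative score"))
        results.append({
            "name": u.name, "score": score, "ratings": ratings,
            "quantitative_rating": quant, "final_rating": final,
            "justification": why, "hours": u.estimated_hours,
        })
    order = {"high": 0, "medium": 1, "low": 2}
    results.sort(key=lambda r: (order[r["final_rating"]], -r["score"]))  # riskiest first
    return results


def build_schedule(scored, hours_budget):
    """Schedule high- then medium-rated units, highest score first, within the
    hours budget. Low-rated units are deferred: the limited-resources point."""
    planned, used = [], 0
    for r in scored:
        if r["final_rating"] == "low":
            continue
        if used + r["hours"] <= hours_budget:
            planned.append(r["name"])
            used += r["hours"]
    return planned


# Constructed sample audit universe (not real data).
UNIVERSE = [
    AuditableUnit("EDI", 6, 14, 250e6, 30, "medium", 120),
    AuditableUnit("Network management", 1, 30, 5e6, 15, "medium", 80),
    AuditableUnit("Payroll", 2, 40, 80e6, 12, "medium", 60),
    AuditableUnit("Data center operations", 0, 50, 2e6, 8, "high", 100),
    AuditableUnit("Cash collection", 9, 10, 500e6, 60, "high", 90),
]

# Qualitative overlay: the auditor raises EDI despite its computed medium score,
# using the notes' justification (repeat findings, heavy reliance on EDI).
OVERLAYS = {
    "EDI": ("high", "repeat findings on duplicate/unauthorised transactions; heavy reliance on EDI"),
}

if __name__ == "__main__":
    scored = score_universe(UNIVERSE, OVERLAYS)
    for r in scored:
        print(f'{r["name"]:24} score={r["score"]:.2f} quantitative={r["quantitative_rating"]:6} '
              f'final={r["final_rating"]:6} ({r["justification"]})')
    print("Scheduled this year:", build_schedule(scored, hours_budget=300))
```

Cash collection scores 3.65 (high) on the numbers alone; EDI computes to 3.15 (medium) and is lifted to high by the overlay; payroll and the data center land in medium and network management in low. With a 300-hour budget the schedule takes cash collection, EDI and payroll and defers the rest, which is the resource-allocation outcome the notes describe.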