Lecture 3
CS494 – Information System Audit and Control
Small recap
Why is an audit charter important?
What are the four types of controls?
How are controls implemented?
Policies, procedures, organizational structure etc.
What is Segregation of Duties?
What is risk?
Risk-based audit planning
What is risk?
The Oxford English Dictionary defines risk as "the probability of something happening multiplied by the resulting cost or benefit if it does."
Risk-based audit is the
deployment of audit
resources to areas within an
organization that represent
the greatest risk.
Vulnerability and threat
Another way of understanding risk is through the notions of vulnerability and threat.
In simple terms, a vulnerability is a weakness, and a threat is something that can exploit that weakness. Both elements (V and T) must be present to constitute a risk.
There is no threat to a system nobody has a reason to attack, even if it is highly vulnerable; the risk for that system would be nil in spite of the high vulnerability. (Be careful with this argument in practice: a "useless" system that sits on the same network as valuable ones is still worth attacking as a stepping stone, so a threat to it does exist.)
Vulnerabilities are mostly internal. Threats are mostly external.
Examples of Threats and Vulnerabilities
Threats: malware, natural disaster, hacker, criminal.
Vulnerabilities: weak coding, no anti-virus, weak access control.
Risk Assessment
Now that we understand what risk is, let’s talk about how to assess
and manage it in real-world scenarios.
We do this all the time. How?
Imagine you are going out of your house. Any risks come to mind?
Risk Assessment
Risk assessment is the process of identifying, analyzing, and prioritizing risks so we can decide how to handle them.
• What can go wrong? (Identifying risks)
• How bad could it be? (Analyzing risks)
• What should we focus on first? (Prioritizing risks)
Example: going out with your mobile phone
1. Identify risks. What could go wrong?
• Someone might snatch your mobile on the way.
2. Analyze risks. How bad could it be, and how likely is it?
• Impact: losing an expensive mobile phone is significant.
• Probability: if the area is known for theft, the likelihood is high.
3. Prioritize and respond to risks. What should you do to reduce the risk?
• Avoid carrying the phone in your hand.
• Use a secure bag or choose a safer route.
Risk Assessment
• Systematic process of identifying, evaluating and prioritizing potential risks to an organization.
Risk assessments should be conducted at regular intervals to account for changes in risk factors
Risk Response methodology
1. Risk mitigation/risk reduction: Take some action to mitigate/reduce
the risk.
2. Risk avoidance: Change the strategy or business process to avoid
the risk.
3. Risk acceptance: Decide to accept the risk.
4. Risk transfer: Transfer the risk to a third party, e.g. by buying insurance or outsourcing the activity to a provider who carries the risk.
Risk Assessment Practical example
Scenario: Planning a Birthday Party
• You’re organizing a birthday party for 20 guests. How do you assess
and manage risks to ensure everything goes smoothly?
• Step 1: Identify Critical Assets/Processes
• Critical aspects of the party:
• Venue
• Food and drinks
• Entertainment
• Invitations (guests showing up on time)
Risk Assessment Practical example
Step 2: Identify Relevant Risks
• What could go wrong?
• The venue might not be available on the day (threat).
• There might not be enough food for everyone (vulnerability).
• Rain might disrupt the event if it’s outdoors (threat).
Step 3: Do Impact Analysis
• Assess the impact and probability of each risk:
• Venue Issue: High impact (party cannot happen) but low probability if pre-booked.
• Food Shortage: High impact and medium probability if guest count is
underestimated.
• Rain: High impact if outdoors; medium probability depending on the season.
Risk Assessment Practical example
• Step 4: Risk Prioritization
• Focus on risks with the highest probability and impact:
• Ensure the venue is booked well in advance.
• Arrange extra food to avoid shortages.
• Have a backup indoor space or tents if it rains.
• Step 5: Risk Treatment
• Decide how to manage the prioritized risks:
• Venue: Book the venue early and confirm the reservation closer to the event.
• Food: Order extra food or snacks to handle unexpected guests.
• Rain: Arrange a tent or move the party indoors.
Risk Appetite
Risk appetite is the amount of risk an organization is willing to take in pursuit of objectives it deems valuable.
e.g. accepting password-only authentication versus requiring 2FA: the cost and friction of 2FA is justified only where the organization is not willing to carry the account-takeover risk that passwords alone leave.
Inherent risk vs residual risk
• Inherent Risk: The risk that an activity poses, excluding any controls or mitigating factors. E.g. driving a car – you "risk" an accident and personal injury.
• Residual Risk: The risk that remains after taking controls into account. E.g. wearing a seatbelt reduces the risk of personal injury.
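The procedure above (identify, analyze, prioritize, respond) together with the inherent/residual distinction and the risk-appetite decision, as an added worked example in Python. This code is not part of the lecture notes: the risks, controls, figures and the risk appetite are constructed assumptions, and the decision rule in choose_response() is one simple way to apply the four responses, not a prescribed standard.

```python
"""Worked risk register: identify -> analyze -> prioritize -> respond.

Added example, not from the lecture notes.  The risks, controls, figures and
the risk appetite below are constructed for illustration; the decision rule
in choose_response() is one simple way to apply the lecture's concepts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    name: str
    vulnerability: str   # the weakness (mostly internal)
    threat: str          # what could exploit it (mostly external)
    probability: float   # likelihood per year that the threat exploits the vulnerability
    impact: float        # loss if it does, in currency units

    @property
    def inherent(self) -> float:
        """Inherent risk: probability x impact with no controls applied."""
        return self.probability * self.impact


@dataclass
class Control:
    name: str
    effectiveness: float   # fraction of the inherent risk the control removes (0..1)
    annual_cost: float


def residual(risk: Risk, control: Control) -> float:
    """Residual risk: what remains after the control is taken into account."""
    return risk.inherent * (1.0 - control.effectiveness)


def choose_response(risk: Risk, control: Optional[Control], appetite: float) -> str:
    """Map a risk to one of the four responses, given the organization's risk
    appetite (the expected annual loss it is willing to carry per risk)."""
    if risk.inherent <= appetite:
        return "accept"                # already within appetite, no spend needed
    if control is not None:
        after = residual(risk, control)
        saved = risk.inherent - after
        if after <= appetite and control.annual_cost < saved:
            return "mitigate"          # control pays for itself and gets us within appetite
    return "transfer or avoid"         # no affordable control closes the gap


def assess(risks: List[Risk], controls: Dict[str, Control],
           appetite: float) -> List[Tuple[str, float, str]]:
    """Prioritize by inherent exposure (highest first) and attach a response."""
    ranked = sorted(risks, key=lambda r: r.inherent, reverse=True)
    return [(r.name, r.inherent, choose_response(r, controls.get(r.name), appetite))
            for r in ranked]


# Constructed example data (assumptions, not real figures).
RISKS = [
    Risk("credential stuffing on web portal", "password-only login",
         "attacker replaying leaked credential lists", probability=0.4, impact=200_000),
    Risk("laptop theft", "unencrypted disk", "opportunistic thief",
         probability=0.1, impact=20_000),
    Risk("data centre flood", "ground-floor server room", "flooding",
         probability=0.02, impact=5_000_000),
]
CONTROLS = {
    "credential stuffing on web portal": Control("enforce 2FA", effectiveness=0.9, annual_cost=15_000),
    "laptop theft": Control("full-disk encryption", effectiveness=0.8, annual_cost=500),
    "data centre flood": Control("flood barriers", effectiveness=0.3, annual_cost=2_000),
}
RISK_APPETITE = 10_000   # assumed expected annual loss the organization will carry per risk

if __name__ == "__main__":
    for name, exposure, response in assess(RISKS, CONTROLS, RISK_APPETITE):
        print(f"{name:40} inherent={exposure:>12,.0f}  response={response}")
```

The password-versus-2FA case from the risk appetite slide falls out of the numbers: the inherent exposure of password-only login exceeds the appetite, 2FA brings the residual risk under it, and the control costs far less than the loss it removes, so the register says mitigate. The flood risk shows the other branch: the only cheap control does not bring the residual within appetite, so the decision has to be transfer (insurance) or avoidance, which the register can flag but not make.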
Audit Risk
Audit risk is the chance that an auditor might give the wrong opinion about a company's
financial or information systems. In simpler terms, it's like a mechanic checking your car and
saying everything is fine when, in fact, there’s a hidden problem that was missed during the
inspection.
There are three key parts to audit risk. The standard audit risk model multiplies them: audit risk = inherent risk × control risk × detection risk.
1. Inherent risk: This is the chance that something could go wrong on its own, because of the nature or complexity of the company or system being audited, before any controls are considered. For example, if a company handles a lot of cash transactions, there is a higher risk of mistakes or fraud happening regardless of what the auditor does.
2. Control risk: This refers to the possibility that the company's internal controls (like security measures, procedures, etc.) fail to prevent or catch mistakes or fraud. Think of it like your car's warning system not working properly to alert you of low fuel.
3. Detection risk: This is the chance that the auditor's own procedures won't find the problems that exist, even after doing their checks. It's like the mechanic missing the fact that your brakes are wearing out, even after inspecting them. Detection risk is the only component the auditor controls: the higher the assessed inherent and control risk, the lower the detection risk the auditor can accept, so the more (and stronger) testing is needed to keep overall audit risk at an acceptable level.
Why audit risk is important
Understanding audit risk is important because it helps people realize that audits are
not foolproof. Even if an auditor checks everything, there’s still a chance something
could go wrong, and problems may be missed.
Here’s why it matters in simple terms:
1. Protects against false confidence: If you think an audit guarantees everything is
perfect, you might relax too much. Understanding audit risk helps you stay cautious
and avoid blindly trusting the results.
2. Helps decision-making: If you’re a business owner, manager, or investor, knowing
about audit risk makes you aware that there could still be financial or operational
problems that weren’t caught. This keeps you on your toes and helps you make
better decisions, like asking for more checks or strengthening your internal controls.
3. Sets realistic expectations: It’s important to know that audits are about reducing
risks, not eliminating them completely. This helps everyone involved understand
that no audit can find 100% of problems, but it can catch most of the big ones.
How to minimize audit risk
• Develop a better understanding of the business
• Use expert knowledge
• Conduct risk-based audit planning
• Stay Skeptical
• Select appropriate statistical sampling
Approach towards Risk-based auditing in real life
Step 1 – Acquire pre-audit requirements:
• Knowledge about industry and regulatory requirements
• Knowledge about applicable risk to the concerned business e.g. banking and
loan repayments. Data security for IT companies etc.
• Perform a risk assessment
• Prior audit results
Step 2 – Obtain information about internal controls:
• Get knowledge about the control environment and procedures
• Understand Audit risks
Approach towards Risk-based auditing
Step 3 – Conduct compliance test:
• Identify the controls to be tested e.g. access to certain applications
• Determine the effectiveness of the controls
• E.g. Fast registration for courses?
Step 4 – Conduct a substantive test:
• Identify the process for the substantive test
• See that the substantive test includes analytical procedures, detail tests of
account balances, and other procedures
• E.g. GPA calculation method
Compliance vs Substantive Testing
• Compliance testing checks for the presence of controls.
• Substantive testing checks for the completeness, accuracy, and
validity of the data.
• Compliance involves verification of the process.
• Substantive involves the verification of data or transactions
Recap of Audit planning
• Audit charter
• Business Process
• What is risk?
• What are controls?
• What is a risk assessment?
• Risk based audit planning?
Audit Execution
Audit execution covers the processes used to carry out the audit, such as project management techniques, sampling methodology, and audit evidence collection techniques:
• Audit project management
• Sampling methodology
• Audit evidence collection techniques
• Data analytics
• Reporting and communication techniques
• Quality assurance and improvement of the audit process
Audit project management
The audit project runs as a cycle:
1. Determine the audit objective
2. Determine the business processes to be audited
3. Conduct a risk assessment
4. Determine control objectives and activities
5. Design the audit plan, allocate resources and identify key stakeholders
6. Evaluate the controls
7. Report the findings (and feed the results into the next cycle)
Audit Objective
Audit objectives are the expected outcome of the audit activities. They
refer to the intended goals that must be accomplished by the audit.
Determining the audit objective is a very important step in planning
the audit activity. Generally, audits are conducted to:
• Confirm that internal control exists
• To evaluate the effectiveness of internal controls
• To confirm compliance with the statutory and regulatory
requirements
Sampling methodologies
• Sampling is the process of the selection of data from a population.
• By analyzing the selected samples, characteristics of the full
population can be concluded.
• Sampling is performed when it is not feasible to study the full
population due to time and cost constraints.
• Samples are a subset of the population.
• Why do we need sampling?
Sampling approaches
Statistical Sampling - This is an objective sampling technique. Also
known as non-judgmental sampling.
It uses the laws of probability, where each unit has an equal chance of
selection.
In statistical sampling, the probability of error can be objectively
quantified, and hence the detection risk can be reduced.
Sampling approaches
Non-Statistical Sampling
• This is a subjective sampling technique.
• Also known as judgmental sampling.
• The auditor uses their experience and judgement to select the
samples that are material and represent a higher risk.
Sampling approaches
Attribute Sampling
Attribute sampling estimates how often a characteristic occurs in the population, typically the rate of control deviations (for example, the percentage of change tickets lacking the required approval), by examining a sample and projecting the rate found to the full population of which the selected items are a part. It answers "how many?" and is mainly used in compliance testing.
Stop-or-go sampling
Stop-or-go sampling is used where controls are strong and very few
errors are expected.
It helps to prevent excess sampling by allowing the audit test to end at
the earliest possible moment.
Sampling approaches
Variable Sampling
• Variable sampling contains more information than attribute data.
• It answers the questions "how much?".
• It is expressed in monetary value, weight, height, or some other
measurement—for example, an average profit of $25,000.
• Variable sampling is usually used in substantive testing
Sampling approaches
Discovery sampling
Discovery sampling is used when the objective is to detect fraud or other irregularities that are expected to be rare. The sample size is chosen so that, if the irregularity occurs in the population at or above a chosen critical rate, at least one instance will be found with the desired confidence. If even a single occurrence is found, sampling stops and the auditor investigates the population further, since one instance is enough to establish that the irregularity exists.
Sampling Risk
• Sampling risk arises from the possibility that an IS auditor’s
conclusion may be different from the conclusion that would be
reached if the entire population were subjected to the same audit
procedure. There are two types of sampling risk:
• The risk of incorrect acceptance—A material weakness is assessed as
unlikely when, in fact, the population is materially misstated.
• The risk of incorrect rejection—A material weakness is assessed as likely
when, in fact, the population is not materially misstated.
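The attribute, stop-or-go and discovery sampling approaches above, and the sampling risk of incorrect acceptance that statistical sampling lets the auditor quantify, as an added worked example in Python. This is not code from the lecture notes; it implements the standard binomial model behind attribute sampling, and the tolerable and expected deviation rates, the 95% confidence level, the batch size and the constructed sample of access-review records are illustrative assumptions.

```python
"""Statistical attribute sampling for a compliance test of a control.

Added example, not from the lecture notes.  It implements the standard
binomial model behind attribute, discovery and stop-or-go sampling; the
rates, confidence level and the constructed access-review sample are
illustrative assumptions.
"""
import math
from typing import List, Tuple


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): probability of at most k deviations
    in n items when the true population deviation rate is p."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(tolerable: float, expected: float, confidence: float) -> int:
    """Smallest sample size such that, if the population deviation rate were as
    bad as `tolerable`, finding only the `expected` number of deviations would
    happen with probability <= 1 - confidence.  That probability is the sampling
    risk of incorrect acceptance (relying on a control that does not work)."""
    if not 0 <= expected < tolerable < 1:
        raise ValueError("need 0 <= expected rate < tolerable rate < 1")
    risk = 1.0 - confidence
    for n in range(1, 100_000):
        k = math.ceil(expected * n)          # deviations we expect to see in n items
        if binom_cdf(k, n, tolerable) <= risk:
            return n
    raise ValueError("sample size exceeds 100,000; revisit the rates")


def discovery_sample_size(critical_rate: float, confidence: float) -> int:
    """Discovery sampling: items to examine so that, if irregularities occur at
    `critical_rate` or more, at least one is found with probability >= confidence.
    Solves 1 - (1 - p)^n >= confidence for n."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Largest population deviation rate still consistent with the observed
    deviations at the given confidence (one-sided upper bound, by bisection)."""
    risk = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid   # rate still plausible: seeing so few deviations is not yet unlikely
        else:
            hi = mid
    return hi


def can_rely_on_control(n: int, deviations: int, tolerable: float, confidence: float) -> bool:
    """Compliance-test conclusion: rely on the control only if the upper
    deviation limit does not exceed the tolerable rate."""
    return upper_deviation_limit(n, deviations, confidence) <= tolerable


def stop_or_go(items: List[int], tolerable: float, confidence: float,
               batch: int = 25) -> Tuple[bool, int, int]:
    """Stop-or-go sampling: examine items in batches and stop as soon as the
    evidence supports reliance, so a strong control needs the fewest items.
    Returns (can_rely, items_examined, deviations_found)."""
    examined = deviations = 0
    for start in range(0, len(items), batch):
        chunk = items[start:start + batch]
        examined += len(chunk)
        deviations += sum(chunk)
        if can_rely_on_control(examined, deviations, tolerable, confidence):
            return True, examined, deviations
    return False, examined, deviations


# Constructed sample: 1 = quarterly access review lacked the required approver sign-off.
CLEAN_REVIEWS = [0] * 100
SLOPPY_REVIEWS = [1 if i % 20 == 0 else 0 for i in range(100)]   # 5 deviations

if __name__ == "__main__":
    print("attribute sample size (5% tolerable, 1% expected, 95%):",
          attribute_sample_size(0.05, 0.01, 0.95))
    print("discovery sample size (1% critical rate, 95%):", discovery_sample_size(0.01, 0.95))
    print("stop-or-go on clean reviews:", stop_or_go(CLEAN_REVIEWS, 0.05, 0.95))
    print("stop-or-go on sloppy reviews:", stop_or_go(SLOPPY_REVIEWS, 0.05, 0.95))
```

Two things worth noticing when you run it. First, the 5% sampling risk is the risk of incorrect acceptance made explicit: with 93 items and one deviation the upper deviation limit sits just under the 5% tolerable rate, so the auditor may rely on the control, while a second deviation pushes the limit well above it. Second, stop-or-go on the clean sample stops after 75 items instead of examining all 100, which is exactly the saving the lecture describes for strong controls; on the sloppy sample it examines everything and still cannot support reliance.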