CISA aspirants are expected to understand the following aspects of risk-based audit planning:
- What is the risk?
- Vulnerabilities and threats
- Inherent risk and residual risk
- The advantages of risk-based audit planning
- Audit risk
- The steps of the risk-based audit approach
- The steps of risk assessment
- The four methodologies for risk treatment
What is risk?
Let’s look at some of the widely accepted definitions of risk.
Most of the CISA questions are framed around Risk. CISA candidates should have a thorough understanding of the term risk. Multiple definitions/formulas are available for risk. If you look carefully, every definition speaks either directly or indirectly about two terms: probability and impact.
Some of the more commonly used definitions of risk are presented here:
- ERM-COSO defines risk as “Potential events that may impact the entity.”
- The Oxford English Dictionary defines risk as “The probability of something happening multiplied by the resulting cost or benefit if it does.”
- Business Dictionary.com defines risk as “The probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preventive action.”
- ISO 31000 defines risk as “The effect of uncertainty on objectives.”
In simple words, the ‘risk’ is the product of probability and impact:
Probability and impact are equally important when identifying risk. For example, say that the probability or likelihood of a product being damaged is very high, with a value of “1”; however, say that product barely costs anything and so the impact is “0” even if the product is damaged.
So, the risk in this scenario would be calculated as follows:
Risk = P * I
Risk = 1 * 0 = 0
Understanding vulnerability and threat
Another way of understanding risk is by understanding the notion of vulnerability and threat. In simple terms, a vulnerability is a weakness and a threat is something that can exploit said weakness. Again, both elements (V and T) should be present in order to constitute a risk.
There is no threat to a useless system, even if it is highly vulnerable. As such, the risk for that system would be nil in spite of the high vulnerability:
|A weakness in a system. Generally, a vulnerability can be controlled by the organization.||An element that exploits a weakness. Generally, a threat is not in the control of the organization.|
|Vulnerabilities are mostly internal elements.||Threats are mostly external elements.|
|Examples include weak coding, missing anti-virus, weak access control, and others.||Examples include hackers, malware, criminals, natural disasters, and so on.|
There are various definitions and formulas for risks. However, for the CISA certification, please remember only the following two formulas:
Risk = Probability*Impact
Risk = A*V*T
In the second formula, A, V, and T are the value of, the vulnerability of, and threats to assets, respectively.
Understanding inherent risk and residual risk
A CISA candidate should understand the difference between inherent risk and residual risk:
|Inherent risk||Residual risk|
|The risk that an activity poses, excluding any controls or mitigating factors||The risk that remains after taking controls into account|
|Gross risk – that is, the risk before controls are applied||Net risk – that is, the risk after controls are applied|
The following is the formula for residual risk:
Residual Risk = Inherent Risk – Control
Advantages of risk-based audit planning
Risk-based audit planning is essential to determine an audit’s scope (the areas/processes/assets to be audited) effectively. It helps to deploy audit resources to areas within an organization that are subject to the greatest risk.
The following are the advantages of risk-based audit planning:
- Effective risk-based auditing reduces the audit risk that arises during an audit.
- Risk-based auditing is a proactive approach that helps in identifying issues at an early stage.
- One of the major factors in a risk assessment is compliance with contractual and legal requirements. Risk-based auditing helps an organization to identify any major deviation from contractual and legal requirements. This improves compliance awareness throughout the organization.
- Risk-based auditing promotes preventive controls over reactive measures.
- Risk-based auditing helps to align internal audit activities with the risk management practices of the organization.
Audit risk refers to the risk that an auditor may not be able to detect material errors during the course of an audit. Audit risk is influenced by inherent risk, control risk, and detection risk. The following list describes each of these risks:
- Inherent risk: This refers to risk that exists before applying a control.
- Control risk: This refers to risk that internal controls fail to prevent or detect.
- Detection risk: This refers to risk that internal audits fail to prevent or detect.
The following figure explains the relationship between all three risks:
The following is the formulae for calculating the audit risk:
Audit Risk = Inherent Risk X Control Risk x Detection Risk
An IS auditor should have sound knowledge of the audit risk when planning auditing activities. Some ways to minimize audit risk are listed here:
- Conduct risk-based audit planning
- Review the internal control system
- Select appropriate statistical sampling
- Assess the materiality of processes/systems in the audit scope
It is the experience and expertise of the auditor that minimizes audit risk. However, it must be noted that the auditor is a watchdog and not a bloodhound.
Risk-based auditing approach
In a risk-based auditing approach, it is important to understand the steps to be performed by the IS auditor. The following structured approach will help to minimize the audit risk and provide assurance about the state of affairs of the auditee organization:
- Step 1 – Acquire pre-audit requirements:
- Knowledge about industry and regulatory requirements
- Knowledge about applicable risk to the concerned business
- Prior audit results
- Step 2 – Obtain information about internal controls:
- Get knowledge about the control environment and procedures
- Understand control risks
- Understand detection risks
- Step 3 – Conduct compliance test:
- Identify the controls to be tested
- Determine the effectiveness of the controls
- Step 4 – Conduct a substantive test:
- Identify the process for the substantive test
- See that the substantive test includes analytical procedures, detail tests of account balances, and other procedures
A risk assessment includes the following steps:
Risk assessments should be conducted at regular intervals to account for changes in risk factors. The risk assessment process has an iterative life cycle. Risk assessments should be performed methodically and the outputs should be comparable and reproducible.
Also, it is important to determine the risk appetite of the organization. Risk appetite helps to prioritize various risks for mitigation.
Risk response methodology
Risk response is the process of dealing with a risk to minimize its impact. It is a very important step in the risk management process. Here are the four main risk response methodologies:
- Risk mitigation/risk reduction: Take some action to mitigate/reduce the risk.
- Risk avoidance: Change the strategy or business process to avoid the risk.
- Risk acceptance: Decide to accept the risk.
- Risk transfer: Transfer the risk to a third party. Insurance is the best example.
The risk culture and risk appetite of the organization in question determines the risk response method. Of the preceding responses, the most widely used response is risk mitigation by implementing some level of controls.
Let’s understand the preceding risk response methodologies with a practical example. Say that a meteorological department has forecasted heavy rain during the day and we need to attend CISA lectures. The risk of rain can be handled in the following manner:
- The majority of candidates will try to mitigate the risk of rain by arranging for an umbrella/raincoat to safeguard them from potential rain (mitigation of risk).
- Some courageous candidates won’t worry about carrying an umbrella/raincoat (risk acceptance).
- Some candidates, such as me, will not attend classes (risk avoidance).
It’s not always feasible to mitigate all the risk at an organizational level. Risk-free enterprise is an illusion.
You cannot run a business without taking risks. Risk management is the process of determining whether the amount of risk taken by an organization is in accordance with the organization’s capabilities and needs.
Top-down and bottom-up approaches to policy development
Let’s understand the difference between the top-down and bottom-up approaches to policy development.
The top-down approach
In the top-down approach, a policy is developed and designed from a senior management perspective. In a top-down approach, policies are developed and aligned with business objectives. Involvement of senior management in designing the risk scenario is of the utmost importance. One advantage of the top-down approach to developing organizational policies is that it ensures consistency across the organization.
The bottom-up approach
In the bottom-up approach, polices are designed and developed from the process owner’s/employee’s perspective. The bottom-up approach begins by defining operational-level requirements and policies. The bottom-up approach is derived from and implemented on the basis of the results of risk assessments.
The best approach
An organization should make use of both the top-down approach and the bottom-up approach when developing organizational policies. They are complementary to each other and should be used simultaneously. In a top-down approach, major risks to business objectives are addressed, whereas in the bottom-up approach, process-level risks are addressed.
Key aspects from CISA exam perspective
The following table covers the important aspects from the CISA exam perspective:
|CISA questions||Possible answers|
|The most important step in a risk assessment is to identify||Threats and vulnerabilities|
|In risk-based audit planning, an IS auditor’s first step is to identify what?||High risk areas|
|Once threats and vulnerabilities are identified, what should be the next step?||Identify and evaluate existing controls|
|What is the advantage of risk based audit planning?||Resources can be utilized for high risk areas|
|What does the level of protection of information assets depend on?||Criticality of assets|
|What is risk that is influenced by the actions of an auditor known as?||Detection risk|
|What is audit risk?||Audit risk is the sum total of inherent risk, control risk, and detection risk|
|What is risk the product of?||Probability and impact|
|What are the results of risk management processes used for?||Designing the control|
|Whose responsibility is the management of risk to an acceptable level?||Senior management|
|What is the absence of proper security measures known as?||Vulnerability|
|What is the advantage of the bottom-up approach for the development of organizational policies?||Policies are created on the basis of risk analysis|
|What is risk before controls are applied known as?||Inherent risk/gross risk (after the implementation of controls, it is known as residual risk/net risk)|
- Which of the following is the most critical aspect of a risk analysis?
- Identifying competitors
- Identifying the existing controls
- Identifying vulnerabilities
- Identifying the reporting matrix of the organization
- What is the initial step in risk-focused audit planning?
- Identifying the role and responsibility of the relevant function
- Identifying high-risk processes
- Identifying the budget
- Identifying the profit function
- What is the main objective of conducting a risk assessment?
- To determine the segregation of duties for critical functions
- To ensure that critical vulnerabilities and threats are recognized
- To ensure that regulations are complied with
- To ensure business profitability
- What should be the next step of an IS auditor after identifying threats and vulnerabilities in a business process?
- Identifying the relevant process owner
- Identifying the relevant information assets
- Reporting the threat and its impact to the audit committee
- Identifying and analyzing the current controls
- Which of the following is the main benefit of risk-based audit planning?
- The communication of audit planning to the client in advance
- The completion of the audit activity within the allocated budget constraints
- The use of the latest auditing technology
- The focus on high-risk areas
- Which of the following should be the primary focus when considering the level of security of an IT asset?
- The criticality of the IT asset
- The value of IT the asset
- The owner of IT the asset
- The business continuity arrangement for the IT asset
- The actions of the IS auditor is most likely to influence which of the following risks?
- What is the risk of an inadequate audit methodology known as?
- The procedural aspect
- Control risk
- Detection risk
- Residual risk
- Particular threat of an overall business risk indicated as:
- The product of the probability and impact
- The probability of threat realization
- The valuation of the impact
- The valuation of the risk management team
- Which of the following is the first step in performing risk assessments of information systems?
- Reviewing the appropriateness of existing controls
- B. Reviewing the effectiveness of existing controls
- Reviewing the asset-related risk surveillance mechanism
- Reviewing the threats and vulnerabilities impacting the assets
- What is the first step in evaluating the security controls of a data center?
- Determining the physical security arrangement
- Evaluating the threats and vulnerabilities applicable to the data center site
- Evaluating the hiring process of security staff
- Determining the logical security arrangements
- What does the classification of information assets help to ensure?
- The protection of all IT assets
- That a fundamental level of security is implemented irrespective of the value of assets
- That information assets are subject to suitable levels of protection
- That only critical IT assets are protected
- Which of the following should be performed first in a risk-focused audit?
- Analyzing inherent risk
- Analyzing residual risk
- Analyzing the controls assessment
- Analyzing the substantive assessment
- In a risk-focused audit, which of the following is the most critical step?
- Determining the high-risk processes
- Determining the capability of audit resources
- Determining the audit procedure
- Determining the audit schedule
- Which of the following options best describes the process of assessing a risk?
- What is the outcome of a risk assessment exercise utilized for?
- Estimating profits
- Calculating the ROI
- Implementing relevant controls
- Conducting user acceptance testing
- With whom does the responsibility of managing risk to an acceptable level rest?
- The risk management team
- Senior business management
- The chief information officer
- The chief security officer
- Which of the following is a major factor in the evaluation of IT risks?
- Finding vulnerabilities and threats that are applicable to IT assets
- Analyzing loss expectancy
- Benchmarking with industry
- Analyzing previous audit reports
- An IS auditor has determined a few vulnerabilities in a critical application. What should their next step be?
- Reporting the risk to the audit committee immediately
- Determining a system development methodology
- Identifying threats and their likelihood of occurrence
- Recommending the development of a new system
- What does a lack of appropriate control measures indicate?
- Magnitude of impact
- Probability of occurrence
- Which of the following is the first step in a risk management program?
- Determining a vulnerability
- Determining existing controls
- Identifying assets
- Conducting a gap analysis
- What is the advantage of the bottom-up approach to the development of enterprise policies?
- They cover the whole organization.
- They are created on the basis of risk analysis.
- They are reviewed by top management.
- They support consistency of procedure.
- The mitigation of risk can be done through which of the following?
- Audit and certification
- Service level agreements (SLAs)
- The most important factor when implementing controls is ensuring that the control does which of the following?
- Helps to mitigate risk
- Does not impact productivity
- Is cost effective
- Is automated
- The absence of internal control mechanisms is known as what?
- Inherent risk
- Control risk
- Detection risk
- Correction risk
- Which of the following represents the risk that the controls will not prevent, correct, or detect errors in a timely manner?
- Inherent risk
- Control risk
- Detection risk
- Correction risk
- What is the primary consideration when evaluating the acceptable level of risk?
- The acceptance of risk by higher management
- That not all risks need to be addressed
- That all relevant risks must be recognized and documented for analysis
- The involvement of line management in risk analysis
- What is the best approach when focusing an audit on a high-risk area?
- Perform the audit; the control failures will identify the areas of highest risk
- Perform the audit and then perform a risk assessment
- Perform a risk assessment first and then concentrate control tests in the high-risk areas
- Increase sampling rates in high-risk areas
- In a risk-based audit approach, which of the following is the least relevant to audit planning?
- The adoption of a mature technology by the organisation
- The risk culture and risk awareness of the organisation
- The legal regulatory impact
- Previous audit findings