Booklet: Audit
Section: Risk Assessment and Risk-Based Auditing
Action Summary

An effective risk-based auditing program will cover all of an institution's major activities. The frequency and depth of each area's audit will vary according to the risk assessment of that area. Examiners should determine whether the audit function is appropriate for the size and complexity of the institution.
PROGRAM ELEMENTS

Properly designed risk-based audit programs increase audit efficiency and effectiveness. The sophistication and formality of risk-based audits may vary depending on the institution's size and complexity. To determine the appropriate level of audit coverage for the organization's IT environment, management should define an effective risk assessment methodology. This assessment methodology should provide the auditor and the board with objective information to prioritize the allocation of audit resources properly. Risk-based IT audit programs should:
- Identify the institution's data, application and operating systems, technology, facilities, and personnel;
- Identify the business activities and processes within each of those categories;
- Include profiles of significant business units, departments, and product lines, or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the institution;
- Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments, and products;
- Include board or audit committee approval of risk assessments and annual risk-based audit plans that establish audit schedules, audit cycles, work program scope, and resource allocation for each area audited;
- Implement the audit plan through planning, execution, reporting, and follow-up; and
- Include a process that regularly monitors the risk assessment and updates it at least annually for all significant business units, departments, and products or systems.
RISK SCORING SYSTEM

A successful risk-based IT audit program can be based on an effective scoring system.

In establishing a scoring system, the board of directors and management should ensure the system is understandable, considers all relevant risk factors, and, to the extent possible, avoids subjectivity. Major risk factors commonly used in scoring systems include the following:
- The adequacy of internal controls;
- The nature of transactions (for example, the number and dollar volumes and the complexity);
- The age of the system or application;
- The nature of the operating environment (for example, changes in volume, degree of system and reporting centralization, sensitivity of resident or processed data, the impact on critical business processes, potential financial impact, planned conversions, and economic and regulatory environment);
- The physical and logical security of information, equipment, and premises;
- The adequacy of operating management oversight and monitoring;
- Previous regulatory and audit results and management's responsiveness in addressing issues;
- Human resources, including the experience of management and staff, turnover, technical competence, management's succession plan, and the degree of delegation; and
- Senior management oversight.
Auditors should develop written guidelines on the use of risk assessment tools and risk factors and review these guidelines with the audit committee or the board of directors. The sophistication and formality of guidelines will vary for individual institutions depending on their size, complexity, scope of activities, geographic diversity, and various technologies used. The institution can rely on standard industry practice or on its own experiences to define risk scoring. Auditors should use the guidelines to grade or assess major risk areas and to define the range of scores or assessments (e.g., groupings such as low, medium, and high risk or a numerical sequence such as 1 through 5).
The written risk assessment guidelines should specify the following elements:

- A maximum length for audit cycles based on the risk scores. (For example, some institutions set audit cycles at 12 months or less for high-risk areas, 24 months or less for medium-risk areas, and up to 36 months for low-risk areas. Audit cycles should not be open-ended.);
- The timing of risk assessments for each department or activity. (Normally risks are assessed annually, but more frequent assessments may be needed if the institution experiences rapid growth or significant change in operation or activities.);
- Documentation requirements to support scoring decisions; and
- Guidelines for overriding risk assessments in special cases and the circumstances under which they can be overridden. (For example, the guidelines should define who can override assessments, and how the override is approved, reported and documented.)
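The scoring system and the cycle-length guidelines above fit together into a small model. The following is an added illustration, not code from the booklet: it weights the booklet's risk factors (the weights, the 1 to 5 scale and the low/medium/high cut-offs are assumed), bounds each area's audit cycle using the booklet's 12/24/36-month example, rejects an override that lacks an approver or rationale, and ranks the areas for the audit plan.

```python
from dataclasses import dataclass
from datetime import date
# Booklet risk factors; the weights are a constructed assumption, not booklet values.
FACTOR_WEIGHTS = {"internal_controls": 3, "transaction_nature": 2, "system_age": 1,
                  "operating_environment": 2, "physical_logical_security": 3,
                  "management_oversight": 2, "prior_audit_results": 2,
                  "human_resources": 1, "senior_management_oversight": 1}
MAX_CYCLE_MONTHS = {"low": 36, "medium": 24, "high": 12}  # booklet's example cycles

@dataclass
class AuditArea:
    name: str
    factor_scores: dict      # factor -> 1 (lowest risk) .. 5 (highest risk)
    last_audit: date
    override: dict = None    # {"rating", "approved_by", "reason"} if overridden

def weighted_score(area):  # weighted mean of the 1-5 scores; bad factor names rejected
    if set(area.factor_scores) - set(FACTOR_WEIGHTS):
        raise ValueError(f"{area.name}: unknown risk factor name")
    total_w = sum(FACTOR_WEIGHTS[f] for f in area.factor_scores)
    return sum(FACTOR_WEIGHTS[f] * s for f, s in area.factor_scores.items()) / total_w

def rating(score):  # low/medium/high grouping; the cut-offs are assumed
    return "high" if score >= 3.5 else "medium" if score >= 2.5 else "low"

def add_months(d, months):  # due-date arithmetic; day capped at 28 to stay valid
    y, m = divmod(d.month - 1 + months, 12)
    return date(d.year + y, m + 1, min(d.day, 28))

def plan_audits(areas, today):
    """Rank areas by risk, bound each audit cycle by its rating, flag overdue ones."""
    plan = []
    for a in areas:
        score = round(weighted_score(a), 2)
        r = rating(score)
        if a.override:  # the guidelines require an approver and a documented reason
            if not (a.override.get("approved_by") and a.override.get("reason")):
                raise ValueError(f"{a.name}: override lacks approver or rationale")
            r = a.override["rating"]
        due = add_months(a.last_audit, MAX_CYCLE_MONTHS[r])
        plan.append({"area": a.name, "score": score, "rating": r, "next_due": due,
                     "cycle_months": MAX_CYCLE_MONTHS[r], "overdue": due < today})
    return sorted(plan, key=lambda p: p["score"], reverse=True)

AREAS = [  # constructed sample areas, not from the booklet
    AuditArea("wire transfer system", {"internal_controls": 4, "transaction_nature": 5,
              "physical_logical_security": 4, "prior_audit_results": 3}, date(2023, 2, 1)),
    AuditArea("branch intranet", {"internal_controls": 2, "system_age": 3,
              "operating_environment": 2, "human_resources": 1}, date(2022, 6, 15)),
]
```

Calling `plan_audits(AREAS, date(2024, 9, 1))` ranks the wire transfer system first as high risk on a 12-month cycle and already overdue, while the branch intranet scores low and is not due until mid-2025.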
Numerous industry groups offer resources where institutions can obtain matrices, models, or additional information on risk assessments. Among these groups are: ISACA, American Bankers Association (ABA), American Institute of Certified Public Accountants (AICPA), and IIA. Day-to-day management of the risk-based audit program rests with the internal audit manager, who monitors the audit scope and risk assessments to ensure that audit coverage remains adequate. The internal audit manager also prepares reports showing the risk rating, planned scope, and audit cycle for each area. The audit manager should confirm the risk assessment system's reliability at least annually or whenever significant changes occur within a department or function. Operating department managers and auditors should work together in evaluating the risk in all departments and functions by reviewing risk assessments to determine their reasonableness.
Auditors should periodically review the results of internal control processes and analyze financial or operational data for any impact on a risk assessment or scoring. Accordingly, operating management should be required to keep auditors up to date on all major changes in departments or functions, such as the introduction of a new product, implementation of a new system, application conversions, or significant changes in organization or staff.