,6$8',7,1**8,'(/,1(

USE OF RISK ASSESSMENT IN AUDIT PLANNING

(Revision of Previously Issued SISAS 5)

,QWURGXFWLRQ 6FRSHDQG$XWKRULW\RI,6 'HYHORSPHQWRI6WDQGDUGV

The specialised nature of information
systems (IS) auditing, and the skills
necessary to perform such audits,
require standards that apply
specifically to IS auditing. One of the
Information Systems Audit and
Control Association, Inc.s (ISACAs)
goals is therefore to advance globally
applicable standards to meet this
need. The development and
dissemination of IS Auditing
Standards are a cornerstone of the
ISACAs professional contribution to
the audit community.
2EMHFWLYHV
The objectives of the ISACAs IS
Auditing Standards are to inform
n IS Auditors of the minimum level
of acceptable performance
required to meet the professional
responsibilities set out in the
ISACA Code of Professional
Ethics for IS Auditors
n Management and other interested
parties of the professions
expectations concerning the work
of practitioners
$XGLWLQJ6WDQGDUGV
The framework for the ISACAs IS
Auditing Standards provides for
multiple levels of standards, as follows:

6WDQGDUGV define mandatory
requirements for IS auditing and
reporting.
 seeks out those with a special
*XLGHOLQHV provide guidance in
applying IS auditing standards. The
IS Auditor should consider them in
determining how to achieve
implementation of the standards,
use professional judgment in their
application and be prepared to
justify any departure.
3URFHGXUHV provide examples
of procedures an IS Auditor might
follow in an audit engagement.
The procedure documents provide
information on how to meet the
standards when performing IS
auditing work, but do not set
requirements.
The ISACA Code of Professional
Ethics requires members of the
*XLGHOLQHVDQG3URFHGXUHV
The ISACA Standards Board is
committed to wide consultation in the
preparation of IS Auditing Standards,
Guidelines and Procedures. Prior to
issuing any documents, the Standards
Board issues exposure drafts
internationally for general public
comment. The Standards Board also
expertise or interest in the topic under
consideration for consultation where
necessary.
The Standards Board has an on-going
development programme, and would
welcome the input of members of the
ISACA and holders of the CISA
designation to identify emerging
issues requiring new standards
products. Any suggestions should be
e-mailed (research@isaca.org),
faxed (+1.847. 253 .1443), or
mailed (address at the end of
Guideline) to ISACAs International
Office for the attention of the Director
of Research, Standards and
Academic Relations.
:LWKGUDZDORI3UHYLRXVO\

ISACA and holders of the Certified ,VVXHG'RFXPHQWV

The objective of IS Auditing
Guidelines is to provide further
information on how to comply with the
IS Auditing Standards.
Information Systems Auditor (CISA)
designation to comply with IS Auditing
Standards as adopted by the ISACA.
Failure to comply with these standards
may result in an investigation into the
member's or CISA holder's conduct by
the ISACA Board or appropriate
ISACA committee, and ultimately in
disciplinary action.
This Guideline replaces the previously
issued Statement on Information
Systems Auditing Standard Number 5
on Performance of Work-Use of Risk
Assessment in Audit Planning.
SISAS 5 will be withdrawn on the date
on which this Guideline becomes
effective.

This material was issued on 1 May

2000.
,QIRUPDWLRQ6\VWHPV$XGLWDQG&RQWURO$VVRFLDWLRQ

67$1'$5'6%2$5'
Chair, Stephen W. Head, CISA, CPA, CPCU, CMA, CFE, CISSP, CBCP Royal & SunAlliance, USA
Claudio Cilli, CISA, Ph.D Ernst & Young, Italy
Svein Erik Dovran, CISA The Banking Insurance and Securities Commission of Norway
Maria E. Leonard, CISA Fleet Financial Group, USA
Fred Lilly, CISA, CPA Fred L. Lilly, CPA, USA
Andrew J. MacLeod, CISA, FCPA, MACS, PCP Brisbane City Council, Australia
Venkatakrishnan Vatsaraman, CISA, ACA, AICWA Emirates Airlines, United Arab Emirates
Sander S. Wechsler, CISA, CPA BDO Seidman, LLP, USA
  %$&.*5281' achieve implementation of the above
Standards, use professional judgment
 /LQNDJHWR6WDQGDUGV
in its application and be prepared to
justify any departure.
 Standard 050.010 (Audit
Planning) states The Information
 3/$11,1*
Systems Auditor is to plan the
information systems audit work to
 6HOHFWLRQRID5LVN
address the audit objectives and to
comply with applicable professional $VVHVVPHQW
auditing standards. 0HWKRGRORJ\
 Standard 060.020  There are many risk
(Evidence) states During the course
assessment methodologies,
of the audit, the Information Systems
computerised and non-computerised,
Auditor is to obtain sufficient, reliable,
available from which the IS Auditor
relevant and useful evidence to
may choose. These range from
achieve the audit objectives
simple classifications of high, medium
effectively. The audit findings and
and low, based on the IS Auditors
conclusions are to be supported by
judgment, to complex and apparently
appropriate analysis and interpretation
scientific calculations to provide a
of this evidence.
numeric risk rating. The IS Auditor
 Paragraph 2.2.2 of the IS
should consider the level of
Auditing Guideline on Planning the IS complexity and detail appropriate for
Audit states An assessment of risk the organisation being audited.
should be made to provide reasonable
 All risk assessment
assurance that material items will be
methodologies rely on subjective
adequately covered during the audit
judgments at some point in the
work. This assessment should
process (e.g. for assigning weightings
identify areas with relatively high risk
to the various parameters). The IS
of existence of material problems.
Auditor should identify the subjective
decisions required in order to use a
 1HHGIRU*XLGHOLQH
particular methodology and consider
 The level of audit work whether these judgments can be
required to meet a specific audit made and validated to an appropriate
objective is a subjective decision level of accuracy.
made by the IS Auditor. The risk of  In deciding which is the
reaching an incorrect conclusion most appropriate risk assessment
based on the audit findings (audit risk) methodology, the IS Auditor should
n
is one aspect of this decision. The consider such things as:
other is the risk of errors occurring in The type of information required
the area being audited (error risk). to be collected (some systems
Recommended practices for risk use financial effect as the only
assessment in carrying out financial measure - this is not always
n
audits are well documented in auditing appropriate for IS audits)
standards for financial auditors, but The cost of software or other
guidance is required on how to apply licenses required to use the
n
such techniques to IS audits. methodology
 Management also bases The extent to which the
information required is already
their decisions on how much control is
n
appropriate upon assessment of the available
The amount of additional
level of risk exposure which they are
prepared to accept. For example, the information required to be
inability to process computer collected before reliable output
applications for a period of time is an can be obtained, and the cost of
exposure that could result from collecting this information
unexpected and undesirable events (including the time required to be
(e.g. data centre fire). Exposures can invested in the collection
n
be reduced by the implementation of exercise)
appropriately designed controls. The opinions of other users of
These controls are ordinarily based the methodology, and their views
upon probabilistic estimation of the of how well it has assisted them
occurrence of adverse events, and are in improving the efficiency and/or
n
intended to decrease such probability. effectiveness of their audits
For example, a fire alarm does not The willingness of management
prevent fires, but is intended to reduce to accept the methodology as the
the extent of fire damage. means of determining the type
This Guideline provides and level of audit work carried

out
guidance in applying IS auditing
standards. The IS Auditor should  No single risk assessment
consider it in determining how to methodology can be expected to be
appropriate in all situations.
Page 2 of 3 Use of Risk Assessment in Audit Planning Guideline Version I-1.0
Conditions affecting audits may
change over time. Periodically, the IS
Auditor should re-evaluate the
appropriateness of the chosen risk
assessment methodologies.
 8VHRI5LVN
$VVHVVPHQW
 The IS Auditor should use
the selected risk assessment
techniques in developing the overall
audit plan and in planning specific
audits. Risk assessment, in
combination with other audit
techniques, should be considered in
n
making planning decisions such as:
The nature, extent, and timing of
n
audit procedures
The areas or business functions
n
to be audited
The amount of time and
resources to be allocated to an
audit
 The IS Auditor should
consider each of the following types of
n
risk to determine their overall level:
n
Inherent risk
n
Control risk
Detection risk
 ,QKHUHQW5LVN
 Inherent risk is the
susceptibility of an audit area to error
which could be material, individually or
in combination with other errors,
assuming that there were no related
internal controls. For example, the
inherent risk associated with operating
system security is ordinarily high since
changes to, or even disclosure of,
data or programs through operating
system security weaknesses could
result in false management
information or competitive
disadvantage. By contrast, the
inherent risk associated with security
for a stand-alone PC, when a proper
analysis demonstrates it is not used
for business-critical purposes, is
ordinarily low.
 Inherent risk for most IS
audit areas is ordinarily high since the
potential effect of errors ordinarily
spans several business systems and
many users.
 In assessing the inherent
risk, the IS Auditor should consider
both pervasive and detailed IS
controls. This does not apply to
circumstances where the IS Auditors
assignment is related to pervasive IS
controls only.
 At the pervasive IS control
level, the IS Auditor should consider,
to the level appropriate for the audit
n
area in question:
The integrity of IS management
and IS management experience
and knowledge
n
n
Changes in IS management
Pressures on IS management
which may predispose them to
conceal or misstate information
(e.g. large business-critical
project over-runs, and hacker
n
activity)
The nature of the organisations
business and systems (e.g. the
plans for electronic commerce,
the complexity of the systems,
and the lack of integrated
n
systems)
Factors affecting the
organisations industry as a
whole (e.g. changes in
technology, and IS staff
n
availability)
The level of third party influence
on the control of the systems
being audited (e.g. because of
supply chain integration,
outsourced IS processes, joint
business ventures, and direct
n
access by customers)
Findings from and date of
previous audits
 At the detailed IS control
level, the IS Auditor should consider,
to the level appropriate for the audit
n
area in question:
The findings from and date of
the processes are consistently
applied.
 The IS Auditor should
assess the control risk as high unless
n
relevant internal controls are:
n
Identified
n
Evaluated as effective
Tested and proved to be
operating appropriately
 'HWHFWLRQ5LVN
 Detection risk is the risk that
the IS Auditors substantive
procedures will not detect an error
which could be material, individually or
in combination with other errors. For
example, the detection risk associated
with identifying breaches of security in
an application system is ordinarily
high because logs for the whole
period of the audit are not available at
the time of the audit. The detection
risk associated with identification of
lack of disaster recovery plans is
ordinarily low since existence is easily
verified.
 In determining the level of
substantive testing required, the IS
n
Auditor should consider both:
n
The assessment of inherent risk
The conclusion reached on
control risk following compliance
$33(1',;*/266$5<
$XGLW5LVN the risk of giving an
incorrect audit opinion.
&RPSOLDQFH7HVWLQJ tests of
control designed to obtain audit
evidence on both the effectiveness of
the controls and their operation during
the audit period.
&RQWURO5LVN the risk that an error
which could occur in an audit area,
and which could be material,
individually or in combination with
other errors, will not be prevented or
detected and corrected on a timely
basis by the internal control system.
'HWDLOHG,6&RQWURO controls
over the acquisition, implementation,
delivery and support of IS systems
and services.
'HWHFWLRQ5LVN the risk that the
IS Auditors substantive procedures
will not detect an error which could be
material, individually or in combination
with other errors.
(UURU5LVN the risk of errors
occurring in the area being audited.
([SRVXUH the potential loss to an
area due to the occurrence of an
adverse event.
,QKHUHQW5LVN the susceptibility of

n
previous audits in this area
The complexity of the systems testing an audit area to error which could be
 The higher the assessment material, individually or in combination
n
involved
The level of manual intervention of inherent and control risk the more with other errors, assuming that there
audit evidence the IS Auditor should were no related internal controls.
n
required
The susceptibility to loss or normally obtain from the performance 3HUYDVLYH,6&RQWURO general
misappropriation of the assets of substantive audit procedures. controls which are designed to
controlled by the system (e.g. manage and monitor the IS

n
inventory, and payroll)  3(5)250$1&(2) environment and which therefore
The likelihood of activity peaks at $8',7:25. affect all IS-related activities.

n
certain times in the audit period
Activities outside the day-to-day
routine of IS processing (e.g. the
use of operating system utilities
n
to amend data)
The integrity, experience and
skills of the management and
staff involved in applying the IS
controls
 &RQWURO5LVN
 Control risk is the risk that
an error which could occur in an audit
area, and which could be material,
individually or in combination with
other errors, will not be prevented or
detected and corrected on a timely
basis by the internal control system.
For example, the control risk
associated with manual reviews of
computer logs can be high because
activities requiring investigation are
often easily missed owing to the
volume of logged information. The
control risk associated with
computerised data validation
procedures is ordinarily low because
5LVN the possibility of an act or
event occurring that would have an
 'RFXPHQWDWLRQ
adverse effect on the organisation and
 The IS Auditor should
its information systems.
consider documenting the risk
5LVN$VVHVVPHQW a process
assessment technique or
methodology used for a specific audit. used to identify and evaluate risks and
The documentation should ordinarily their potential effect.
6XEVWDQWLYH7HVWLQJ tests of
n
include:
A description of the risk detailed activities and transactions, or
analytical review tests, designed to
n
assessment methodology used
The identification of significant obtain audit evidence on the
exposures and the corresponding completeness, accuracy or existence
of those activities or transactions
n
risks
The risks and exposures the during the audit period.
n
audit is intended to address
The audit evidence used to Copyright 2000
support the IS Auditors Information Systems Audit and Control Association
assessment of risk 3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
 ())(&7,9('$7( Fax: +1.847.253.1443
Email: research@isaca.org
Web Site: http://www.isaca.org
 This Guideline is effective
for all information systems audits
beginning on or after 1 September
2000.

Use of Risk Assessment in Audit Planning Guideline Version I-1.0 Page 3 of 3