Risk Management: Risk-Based Auditing

Time! There is never enough time and there are always too many demands upon what time is available! This applies in almost everything we do these days and no less when we are carrying out audit projects.

It is our task as Assurance Professionals to provide executive management and other Stakeholders with confidence that they can place reliance upon the processes carried out within the organisation, both manual and using information technology and that they can rely on the integrity, confidentiality, completeness and availability of critical business information.

Yet the time we are given to complete the necessary tasks to provide such assurance is rarely enough to perform an audit of the whole spectrum of whatever audit "entity" under review.

It is essential, therefore, that in planning our audit projects we focus on areas which are the most vital to the organisation; those parts of the process where any mistakes or lack of control is likely to result in the biggest business impact and those elements of information which, if incorrect or incomplete may lead to financial or reputational loss or may result in failure to comply with legislation or regulation.

This course will look at how to establish the audit programme and conduct audits based on Business Risk. It will also identify the specific risks associated with Information Technology, especially considering the dependence of most businesses on their IT!

For each risk or threat, typical audit questions will be discussed and possible solutions outlined so that delegates will be able to focus their audit work where it is most essential and increase their value to the organisation bu being able to give greater assurance to Stakeholders.

Through a combination of lectures, open discussions and consideration of actual audit projects, you will learn how to identify and rank business risks and associated controls and resolve problems in a mutually agreeable way, so that you can focus the time available for an audit project where the greatest assurance can be given to Stakeholders and where they can place reliance on processes to maintain the requisite quality of information. Delegates will learn to:-

• Understand the importance of business risk in planning audits
• Assess the "value-add" of audits to the business
• Determine the specific risks to the business arising from information technology and
• Consider the role of Internal Audit in assisting the Business to meet its objectives.

Introduction and agenda

• Review of agenda as well as course expectations
• Opportunity for Delegates to raise any specific issues

What is the general role of the Auditor and other Assurance Professional?

• Delegates share their own experience
• Discuss various attitudes toward audit project management, difficulties and the reasons for them

What may represent Business Risk in the Enterprise?

• What is Business Risk? What could go wrong?
• Should the IS Auditor be involved in assessing risks and, if so, when?
• Advantages of including risk in audit planning
• What are the duties of Information Security Management?

How can business risk be used in creating an audit programme?

• The relationship between business assets, threats, risk and exposure
• Converting threats into genuine risks
• The principles of Risk Assessment: do we need a formal method?

How do we expect the Enterprise to manage business risk?

• When & how risks may be tolerated
• When & how they should be treated
• When & how they can be terminated and
• When risk transfer is the best answer
• You don't use a sledgehammer to crack a nut!

What are the standard control types when Treating risk?

• Preventive controls
• Detective controls and their deterrent effect
• Corrective controls

Should the Auditor contribute to risk management?

• Making sure we don't breach our independence
• Working with the auditee to reach the best conclusion

How is risk essential in starting the actual audit project?

• Planning what can be achieved in the time available
• What must be done against what might be left out
• What tools might help us focus our work to be most productive
• Using Computer Assisted Audit Techniques (CAATs)

At the end of the day, what are we trying to achieve?

• Perhaps the auditors should simply do what they can in the time given
• Can Internal Audit provide added value to the business?
• Should External Auditors provide a value add or keep within their brief?

So, what's so special about computers?

• Introducing IT-related risk
• The importance of IT risk in achieving business objectives

What elements of IT may represent particular risk?

• Head and shoulders into the computer: the Operating System
• Networks

What elements of IT may represent particular risk?

• The Internet & World Wide web
• The Technical Infrastructure: network design to minimise risk

How important is information security?

• Logical Security
• Physical Security
• Environmental Security

How can we use risk-based auditing in technical audits?

• Threats, risks, exposures and business impact
• The Auditor's role in technology

How can we audit business continuity?

• Disaster Recovery: what can go wrong?
• Developing and evaluating a technical plan
• The People issues: developing and assessing the ability of the business to continue

What are the particular problems with people?

• The business risks associated with Social Engineering
• Verifying that the business addressing

How can risk be embedded into audit documentation?

• Using a Control Risk Analysis (CRA) as the core document
• Connecting the CRA to the Scope & Objectives
• Linking forward to audit tests, findings and observations
• Using the documentation to complete the Audit report

Call : +6 (082) 287 737

E-mail : kevin@cia-global.com

• Project Risk Management
• Business Continuity Management & Sustainability Reporting
• Stakeholder Management
• Project Auditing for Risk Assurance
• Business Continuity Management & Planning
• More other Business Management Training Courses