It Risk and Fundamental Auditing Concepts

THIS CHAPTER EXPLORES the concepts of materiality within the IT audit function and contrasts materiality as it is commonly applied to financial statement audits such as those performed by independent external auditors. In this context, the quality and types of evidence required to meet the definitions of sufficiency, reliability, and relevancy are examined. The risks involved in examining evidence to arrive at an audit conclusion are reviewed as are the need to maintain the independence and objectivity of the auditor and the auditor’s responsibility for fraud detection in both an Information Technology (IT) and non-IT setting.


“Control” comprises all the elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives. Control is “effective” to the extent that it provides reasonable assurance that the organization will achieve its objectives reliably. Leadership involves making choices in the face of uncertainty. “Risk” is the possibility that one or more individuals or organizations will experience adverse consequences from those choices. Risk is the mirror image of opportunity.1

All entities encounter risk regardless of their size, structure, nature, or industry. In common with this, all business decisions involve elements of risk including such elements as financing, ...

Get Auditor's Guide to IT Auditing, Second Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.