1.2. Risk-Based Approach

A recurring theme throughout the IS audit process is basing your audit approach on risk. It is important to fully understand the role that risk-based analysis plays in the audit process, because it is a primary differentiator in the exam question formats. A candidate must use a risk-based approach to pass the exam, because many of the exam questions rely on the candidate's ability to identify the best solution based on risk. It should also be used as the best practice for ensuring that the auditing you do delivers maximum value to your employer and to the organization being appraised by the audit process. This is the definition of "thinking like an auditor." The purpose of an audit is to identify risks and to ensure that the residual risk (the risk remaining after controls are applied) is acceptable to management.

All activities in life have risk associated with them, some more than others. We constantly perform risk analysis, hundreds of times a day, in the normal course of our lives. If I push the speed limit, will I get pulled over? Should I try this new product on the grocery shelf, or buy the same brand I always have? If I walk faster, will I beat the traffic light at the corner? All actions have risk associated with them; it is the cost of doing any business at all. Consequences are evaluated, the probability of loss is computed, the risks are weighed, and then a choice is made.

Auditing is not about eliminating risks. It is intended to enable management ...
