THIS CHAPTER INTRODUCES THE concept of a risk-based information systems audit. Under the situation of resource constraint, an information systems auditor may be required to selectively review some functions of the auditee. In fact, even when there is no paucity of resources, the auditor may need to achieve optimal use of the resources deployed. Upon completing this chapter, we should be able to prioritize various functions in terms of their risk criticality and design the audit program so that we can focus more on the critical areas.
A risk-based information systems audit includes, in addition to testing of logic and transaction, an evaluation of risk engrained in management systems and control procedures established in various operations. Under a risk-based information systems audit, the focus shifts from exhaustive testing to a system guided by risk identification, prioritization of audit objects based on identified risks, and allocation of audit resources in line with risk assessment. Thus, the criteria for selecting an audit object shifts from the functionality of such an object to the risk associated with its failure. An information systems audit under a risk-based approach results in greater assurance that the entity is adequately geared to face the risks its information systems is exposed to.
A risk-based information systems audit consists of the following five steps: