UNCW MSA 516 - Risk Assessment Measurement

IS AUDITING PROCEDURE P1
IS RISK ASSESSMENT MEASUREMENT

Introduction
The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association, Inc. (ISACA) is to advance globally applicable standards to meet this need. The development and dissemination of IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community.

Objectives
The objectives of the ISACA IS Auditing Standards are to inform:
• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
• Management and other interested parties of the profession’s expectations concerning the work of practitioners
The objective of IS auditing procedures is to provide further information on how to comply with the IS Auditing Standards.

Scope and Authority of IS Auditing Standards
The framework for the ISACA IS Auditing Standards provides multiple levels of guidance:
• Standards define mandatory requirements for IS auditing and reporting.
• Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
• Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of all proper procedures and tests, or exclusive of other procedures and tests that are reasonably directed to obtain the same results.
In determining the appropriateness of any specific procedure, group of procedures or test, the IS auditor should apply their own professional judgment to the specific circumstances presented by the particular information systems or technology environment. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.
The words audit and review are used interchangeably.
Holders of the Certified Information Systems Auditor (CISA®) designation are to comply with IS Auditing Standards adopted by ISACA. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Development of Standards, Guidelines and Procedures
The ISACA Standards Board is committed to wide consultation in the preparation of IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The Standards Board has an ongoing development programme, and would welcome the input of members of ISACA, holders of the CISA designation and other interested parties to identify emerging issues requiring new standards products. Any suggestions should be e-mailed ([email protected]), faxed (+1.847.253.1443) or mailed (address provided at the end of this guideline) to ISACA International Headquarters, for the attention of the director of research standards and academic relations.
This material was issued on 1 April 2002.

INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION
2001-2002 STANDARDS BOARD
Chair, Claudio Cilli, CISA, Ph.D., KPMG, Italy
Claude Carter, CISA, CA, Nova Scotia Auditor General’s Office, Canada
Sergio Fleginsky, CISA, PricewaterhouseCoopers, Uruguay
Alonso Hernandez, CISA, ROAC, Colegio Economistas, Spain
Marcelo Hector Gonzalez, CISA, Central Bank of Argentina Republic, Argentina
Andrew MacLeod, CISA, FCPA, MACS, PCP, MIIA, Brisbane City Council, Australia
Peter Niblett, CISA, CA, MIIA, FCPA, Day Neilson, Australia
Venkatakrishnan Vatsaraman, CISA, ACA, AICWA, CISSP, Emirates Airlines, United Arab Emirates
Sander S. Wechsler, CISA, CPA, Ernst & Young, USA

IS Risk Assessment Measurement Procedure

1. BACKGROUND
1.1 Linkage to Standards/Guidelines
1.1.1 Standard S5 Planning states, “The IS auditor should plan the information systems audit coverage to address the audit objectives and to comply with applicable laws and professional auditing standards.”
1.1.2 Standard S6 Performance of Audit Work states, “During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by the appropriate analysis and interpretation of this evidence.”
1.1.3 Guideline G13 Use of Risk Assessment in Audit Planning provides guidance.
1.2 Need for Procedure
1.2.1 This procedure is designed to provide:
• A definition of IS audit risk assessment
• Guidance on the use of an IS audit risk assessment methodology by internal audit functions
• Guidance on the selection of risk ranking criteria and the use of weightings

2. IS RISK
2.1 Risk is the possibility of an act or event occurring that would have an adverse effect on the organisation and its information systems. Risk can also be the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss of, or damage to, the assets. It is ordinarily measured by a combination of effect and likelihood of occurrence.
2.2 Inherent risk refers to the risk associated with an event in the absence of specific controls.
2.3 Residual risk refers to the risk associated with an event when the controls in place to reduce the effect or likelihood of that event are taken into account.

3. IS RISK ASSESSMENT MEASUREMENT
3.1 Risk assessment measurement is a process used to identify and evaluate risks and their potential effect.

4. IS AUDIT RISK ASSESSMENT MEASUREMENT METHODOLOGY
4.1 IS audit risk assessment measurement is a methodology to produce a risk model to optimise the assignment of IS audit resources through a comprehensive understanding of the organisation’s IS environment and the risks associated with each auditable unit. See Section 9 for details of
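As an added worked example (not ISACA’s own Procedure P1 model, whose details are in Section 9 and are not part of this preview), the following Python script applies the definitions in sections 2.1 to 4.1: effect is a weighted combination of risk ranking criteria, inherent risk is effect multiplied by likelihood, residual risk discounts inherent risk by the effectiveness of the controls in place, and the resulting scores rank the auditable units and apportion a fixed audit budget across them. The criteria names, their weights, the 1 to 5 rating scales, the linear control-effectiveness discount and the three sample auditable units are all assumptions constructed for the illustration.

```python
"""Weighted risk ranking of auditable units for IS audit planning.

Added illustration, not ISACA's Procedure P1 model (that is in Section 9,
which this preview does not include). The criteria, weights, 1..5 scales,
control-effectiveness factor and sample units are constructed assumptions
chosen only to show the mechanics of sections 2.1 to 4.1.
"""
from dataclasses import dataclass

# Assumed risk ranking criteria for the "effect" side of risk. Weights sum
# to 1.0 so the weighted effect stays on the same 1..5 scale as the inputs.
CRITERIA_WEIGHTS = {
    "data_sensitivity": 0.30,
    "financial_impact": 0.25,
    "external_exposure": 0.25,
    "change_volume": 0.20,
}
assert abs(sum(CRITERIA_WEIGHTS.values()) - 1.0) < 1e-9
SCALE_MIN, SCALE_MAX = 1, 5   # assumed ordinal scale for ratings and likelihood


@dataclass
class AuditableUnit:
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    ratings: dict                 # criterion -> effect rating 1..5
    control_effectiveness: float  # 0.0 = no effective controls, 1.0 = fully effective


def validate(unit: AuditableUnit) -> None:
    """Reject incomplete or out-of-range input instead of silently mis-scoring it."""
    missing = set(CRITERIA_WEIGHTS) - set(unit.ratings)
    if missing:
        raise ValueError(f"{unit.name}: missing ratings for {sorted(missing)}")
    for crit, score in unit.ratings.items():
        if crit not in CRITERIA_WEIGHTS:
            raise ValueError(f"{unit.name}: unknown criterion {crit!r}")
        if not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"{unit.name}: {crit} rating {score} outside {SCALE_MIN}..{SCALE_MAX}")
    if not SCALE_MIN <= unit.likelihood <= SCALE_MAX:
        raise ValueError(f"{unit.name}: likelihood {unit.likelihood} outside {SCALE_MIN}..{SCALE_MAX}")
    if not 0.0 <= unit.control_effectiveness <= 1.0:
        raise ValueError(f"{unit.name}: control_effectiveness must be within 0..1")


def effect_score(unit: AuditableUnit) -> float:
    """Weighted effect rating on the 1..5 scale (section 1.2.1: criteria and weightings)."""
    validate(unit)
    return sum(w * unit.ratings[c] for c, w in CRITERIA_WEIGHTS.items())


def inherent_risk(unit: AuditableUnit) -> float:
    """Sections 2.1/2.2: effect x likelihood, giving no credit for controls (max 25)."""
    return effect_score(unit) * unit.likelihood


def residual_risk(unit: AuditableUnit) -> float:
    """Section 2.3: inherent risk with the controls in place taken into account.
    Assumed model: controls scale the risk down linearly by their effectiveness."""
    return inherent_risk(unit) * (1.0 - unit.control_effectiveness)


def rank_units(units, score=residual_risk):
    """Auditable units ordered highest risk first, by the chosen score."""
    return sorted(units, key=score, reverse=True)


def allocate_audit_days(units, total_days: float, score=residual_risk) -> dict:
    """Section 4.1: spread a fixed audit budget in proportion to each unit's risk."""
    scores = {u.name: score(u) for u in units}
    total = sum(scores.values())
    if total <= 0:
        raise ValueError("no risk to allocate against")
    return {name: total_days * s / total for name, s in scores.items()}


# Constructed sample audit universe (not real organisational data).
SAMPLE_UNITS = [
    AuditableUnit("Customer web portal", likelihood=4,
                  ratings={"data_sensitivity": 4, "financial_impact": 3,
                           "external_exposure": 5, "change_volume": 4},
                  control_effectiveness=0.3),
    AuditableUnit("Payroll system", likelihood=3,
                  ratings={"data_sensitivity": 5, "financial_impact": 5,
                           "external_exposure": 2, "change_volume": 2},
                  control_effectiveness=0.8),
    AuditableUnit("Internal wiki", likelihood=2,
                  ratings={"data_sensitivity": 1, "financial_impact": 1,
                           "external_exposure": 1, "change_volume": 3},
                  control_effectiveness=0.2),
]

if __name__ == "__main__":
    for u in rank_units(SAMPLE_UNITS):
        print(f"{u.name:20s} inherent={inherent_risk(u):5.2f} residual={residual_risk(u):5.2f}")
    print(allocate_audit_days(SAMPLE_UNITS, total_days=40))
```

Ranking the same units by inherent and by residual risk gives different orders: the payroll system is second on inherent risk but falls below the wiki once its controls are credited. That is the practical caveat behind the weightings in section 1.2.1: the control-effectiveness rating drives the plan, so under Standard S6 it needs supporting evidence such as control test results rather than a self-assessment, and the validation step rejects ratings outside the agreed scale so that a mistyped score cannot quietly re-rank the audit universe.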