Risk Assessment and Risk-Based Auditing
An effective risk-based auditing program will cover all of an institution’s major activities. The frequency and depth of each area’s audit will vary according to the risk assessment of that area. Examiners should determine whether the audit function is appropriate for the size and complexity of the institution.
PROGRAM ELEMENTS
Properly designed risk-based audit programs increase audit efficiency and effectiveness. The sophistication and formality of risk-based audits may vary depending on the institution’s size and complexity. To determine the appropriate level of audit coverage for the organization’s IT environment, management should define an effective risk assessment methodology. This assessment methodology should provide the auditor and the board with objective information to prioritize the allocation of audit resources properly. Risk-based IT audit programs should:
Identify the institution’s data, application and operating systems, technology, facilities, and personnel;
Identify the business activities and processes within each of those categories;
Include profiles of significant business units, departments, product lines, or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the institution;
Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments, and products;
Include board or audit committee approval of risk assessments and annual risk-based audit plans that establish audit schedules, audit cycles, work program scope, and resource ...