Module 4: Risk-Based Audit Planning

Question 1

What is the main purpose of Risk-based Audit Planning?

Answer 1

to deploy resources on the greatest risk on the organization

Question 2

Risk-based Audit Planning: What are the factors needed to be considered for its environment?

Answer 2

1. External and internal factors affecting the organization
2. The organization’s selection and application of policies and procedures
3. The organization’s objectives and strategies
4. Measurement and review of the organization’s performance

Question 3

How do you gain an understanding of the organization?

Answer 3

1. Strategy management
2. Business products and services
3. Corporate governance process
4. Transaction types, partners, and flows within information systems

Question 4

concerns about the probable effects of an uncertain event on achieving established business objectives

Answer 4

Business Risk

Question 5

Business Risk: What are the natures that a business risk might take?

Answer 5

financial, regulatory, operational, risk from specific technology

Question 6

Business Risk: Business risk also includes accepted risk from activities that’s in line with the organization’s objectives (T or F)

Answer 6

True

Question 7

Risk-based Audit: Is used to assess risk and assist an IS auditor in deciding to perform what?

Answer 7

Either compliance or substantive testing

Question 8

Risk-based Audit: Risk based audit assists the auditor in what?

Answer 8

Assists in determining the nature and extent of testing

Question 9

Risk-based Audit: What are the steps to a risk-based audit?

Answer 9

1. Gather information and plan
2. Obtain understanding of control
3. Perform compliance testing
4. Perform substantive testing
5. Conclude the audit
6. Monitoring

Question 10

risk that information collected
may contain a material error
that may go undetected
during the course of the audit

Answer 10

Audit Risk

Question 11

What is the formula for audit risk?

Answer 11

AR = Inherent Risk x Control Risk x Detection Risk

Question 12

What is the only factor of audit risk that can be controlled?

Answer 12

The detection risk

Question 13

The risk that material errors or misstatements
that have occurred will not be detected by an
IS auditor

Answer 13

Detection Risk

Question 14

The risk that a material error exists that would not be
prevented or detected on a timely basis by the
system of internal controls

Answer 14

Control Risk

Question 15

the risk level or exposure of the process/entity to be audited without
considering the controls that management has implemented. Inherent risk
exists independent of an audit and can occur because of the nature of
the business

Answer 15

Inherent Risk

Question 16

Audit Risk: Things to consider -

• IS auditor should have a ______ when planning an audit
• By using __________, the probability of detection risk can be reduced
  to an acceptable level
• A given system may not detect a ____. However, that specific error, combined with others, could become material to the overall system

Answer 16

1. good understanding of audit risk
2. proper statistical sampling procedures or a strong quality control process
3. minor error

Question 17

The amount of risk an organization is prepared to accept or be
exposed to

Answer 17

Risk appetite

Question 18

The maximum risk the organization is able to bear, given its resources
and capabilities

Answer 18

Risk Capacity

Question 19

Acceptable variance from risk appetite

Answer 19

Risk Tolerance

Question 20

The level of risk remaining after risk treatment

Answer 20

Residual Risk

Question 21

The residual risk should ____ the risk appetite

Answer 21

not exceed

Question 22

The risk appetite should exceed the organisation’s risk capacity and risk tolerance (T or F)

Answer 22

False. Should not.

Question 23

introduce or
strengthen internal
controls to mitigate
the risk

Answer 23

Treat/Mitigate/
Reduce

Question 24

Knowingly and
objectively not taking
action, provided the
risk clearly satisfies the
organization’s policy
and criteria for risk
acceptance

Answer 24

Tolerate/Accept

Question 25

apportion some or all of the risk to a third party

Answer 25

Transfer/Share

Question 26

Avoiding risk by not allowing actions that would cause the risk to occur

Answer 26

Terminate/Avoid

Question 27

Is it allowed to ignore the risk in some cases?

Answer 27

No. It is never allowed

Question 28

Risk responses: Determine the course of action depending on the impact and probability 1. High impact - Low probability: 2. Low impact - low probability: 3. Low impact - high probability: 4. High impact - High probability:

Answer 28

1. Build Contingency plans 2. Keep under review 3, Consider treatments 4. Take immediate action

Question 29

Considerations for implementing risk mitigation: What are the considerations?

Answer 29

1. Requirements and constraints of national and international legislation 2. Organizational Objectives 3. Operational requirements and constraints 4. Cost Effectiveness

Question 30

What should be considered by the IS auditor when developing the audit plan?

Answer 30

1. All areas within the scope of the IS audit universe 2. Reliability of the risk assessment by the management 3. The process that management does to examine possible risks 4. Coverage of risk in related activities relevant to activities under review

Question 31

IS audit risk assessment techniques: Either a quantitative or a qualitative approach must be used for the risk assessment (T or F)

Answer 31

False. It may be a combination of both

Question 32

IS audit risk assessment techniques: Give a quantitative approach

Answer 32

Scoring system

Question 33

What are the desired outcomes on using risk assessment? 1. Enable audit management to ______ 2. Ensure that _____ has been obtained 3. Establishing ____ for effectively managing the audit department 4. Providing a summary of how the _________

Answer 33

1. allocate limited audit resources 2. relevant information 3. a basis 4. individual audit subject is related to the overall organization

Question 34

Subset of risk assessment and is used during audit planning to help identify risk and vulnerabilities so an IS auditor can determine the controls needed to mitigate risk

Answer 34

Risk Analysis

Question 35

Risk Analysis: Help IS auditors to

Answer 35

Determine the controls to mitigate risk

Question 36

Risk Analysis: Identifies what?

Answer 36

Risk and Vulnerabilities

Question 37

Risk Analysis: Provide sufficient appropriate audit evidence on which to base the audit opinion (T or F)

Answer 37

False. It does not provide sufficient evidence

Question 38

WHAT AUDITORS SHOULD UNDERSTAND WHEN ANALYZING BUSINESS RISK FROM THE USE OF IT?  Industry and/or internationally accepted ___ ___ ___  The ___ __ ___ of business, the environment in which the business operates and related business risk  Dependence on ___ ___ ___ __of business goals and objectives  The business risk of using __ and how it impacts the achievement of the business goals and objectives  A ____ ____ of the business processes and the impact of IT and related risk on the business process objectives

Answer 38

1. risk management processes 2. purpose and nature 3. technology in the achievement 4. IT 5.Good Overview