engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:
- IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
- Management and other interested parties of the profession's expectations concerning the work of practitioners
- Holders of the Certified Information Systems Auditor (CISA
5 family of products
An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.
Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet
the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of
this product will assure a successful outcome. The publication should not be considered inclusive of any proper
procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific procedure or test, controls professionals should apply their own
professional judgement to the specific control circumstances presented by the particular systems or IS environment.
The ISACA Professional Standards and Career Management Committee (PSCMC) is committed to wide consultation in the preparation of standards and guidance. Prior to issuing any document, an exposure draft is issued internationally for general public comment. Comments may also be submitted to the attention of the director of professional standards development via email (standards@isaca.org), fax (+1.847.253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).
IS Audit and Assurance Guideline
EXPOSURE DRAFT
2202 Risk Assessment in Planning
ISACA 2013-2014 Professional Standards and Career Management Committee
Steven E. Sizemore, CISA, CIA, CGAP, Chairperson Texas Health and Human Services Commission, USA
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP HP Enterprises Security Services, UK
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA Myers and Stauffer LC, USA
Alisdair McKenzie, CISA, CISSP, ITCP IS Assurance Services, New Zealand
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP University of North Texas, USA
Katsumi Sakagawa, CISA, CRISC, PMP JIEC Co. Ltd., Japan
Ian Sanderson, CISA, CRISC, FCA NATO, Belgium
Timothy Smith, CISA, CISSP, CPA LPL Financial, USA
Todd Weinman The Weinman Group, USA
IS Audit and Assurance Guideline 2202 Risk Assessment in Planning
2013 ISACA. All rights reserved.
The guideline is presented in the following sections:
1. Guideline purpose and linkage to standards
2. Guideline content
3. Linkage to standards and COBIT 5 processes
4. Terminology
5. Effective date

1. Guideline Purpose and Linkage to Standards

1.0 Introduction
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of audit function and professionals

1.1 Purpose
1.1.1 The level of audit work required to meet the audit objective is a subjective decision made by IS audit and assurance professionals. The purpose of this guideline is to reduce the risk of reaching an incorrect conclusion based on the audit findings and to reduce the existence of errors occurring in the area being audited.
1.1.2 The guideline provides guidance in applying a risk assessment approach to develop an:
- IS audit plan that covers all annual audit engagements
- Audit engagement project plan that focuses on one specific audit engagement
1.1.3 The guideline provides the details of the different types of risk the IS audit and assurance professionals encounter. This includes subject matter risk, which includes inherent risk and control risk; together with detection risk it is also referred to as audit risk.
1.1.4 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.

1.2 Linkage to Standards
1.2.1 Standard 1201 Engagement Planning
1.2.2 Standard 1202 Risk Assessment in Planning
1.2.3 Standard 1203 Performance and Supervision
1.2.4 Standard 1204 Materiality
1.2.5 Standard 1207 Irregularity and Illegal Acts

1.3 Term Usage
1.3.1 Hereafter:
- IS audit and assurance function is referred to as audit function
- IS audit and assurance professionals are referred to as professionals
2. Guideline Content

2.0 Introduction
The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Risk assessment of the IS audit plan
2.2 Risk assessment methodology
2.3 Risk assessment of individual audit engagements
2.4 Audit risk
2.5 Inherent risk
2.6 Control risk
2.7 Detection risk

2.1 Risk Assessment of the IS Audit Plan
2.1.1 When developing the overall IS audit plan, a suitable risk assessment approach should be followed. This approach should be conducted and documented at least annually to facilitate the development process of the IS audit plan. It should take into account the organisational strategic plans and objectives and the enterprise risk management framework and initiatives.
2.1.2 To correctly and completely assess the risk that is related to the complete scope of the IS audit area, professionals should consider the following elements when developing the IS audit plan:
- Full coverage of all areas within the scope of the IS audit universe, which represents the range of all possible audit activities
- Reliability of the risk assessment provided by management
- The processes followed by management to supervise, examine and report possible risk or issues
- Cover risk in related activities relevant to the activities under review
2.1.3 The applied risk assessment approach should help with the prioritisation and scheduling process of the IS audit and assurance work. It should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit engagements.
2.1.4 Professionals should ensure that the applied risk assessment approach is approved by the various audit stakeholders and those charged with governance.
2.1.5 Professionals should use risk assessments to quantify and justify the amount of IS audit resources needed to complete the IS audit plan and the requirements for specific engagements.
2.1.6 Based on the risk assessment, professionals should develop an IS audit plan that acts as a framework for the IS audit and assurance activities. It should consider non-IS audit and assurance requirements and activities, it should be updated at least annually and be approved by those charged with governance. Finally, the IS audit plan should also address responsibilities set by the audit charter. For more information refer to Standard 1201 Engagement Planning.
2.2 Risk Assessment Methodology
2.2.1 Professionals should consider the appropriate risk assessment methodology to ensure complete and accurate coverage of the audit engagements in the IS audit plan.
2.2.2 Professionals should at least include an analysis, within the methodology, of the risk to the enterprise related to system availability, data integrity and business information confidentiality.
2.2.3 Many risk assessment methodologies are available to support the risk assessment process. These range from simple classifications of high, medium and low, based on professionals' judgement, to more quantitative and scientific calculations providing a numeric risk rating. Professionals should consider the level of complexity and detail appropriate for the enterprise being audited. Specific guidance on performing risk assessments can be found in the ISACA publication COBIT 5 for Risk.
2.2.4 All risk assessment methodologies rely on subjective judgements at some point in the process (e.g., for assigning weights to the various parameters). Professionals should identify the subjective decisions required to use a particular methodology and consider whether these judgements can be made and validated to an appropriate level of accuracy.
2.2.5 In deciding which is the most appropriate risk assessment methodology, professionals should consider such things as the:
- Type of information required to be collected (some systems use financial effects as the only measure; this is not always appropriate for IS audit engagements)
- Cost of software or other licences required to use the methodology
- Extent to which the information required is already available
- Amount of additional information required to be collected before reliable output can be obtained, and the cost of collecting this information (including the time required to be invested in the collection exercise)
- Opinions of other users of the methodology, and their views of how well it has assisted them in improving the efficiency and/or effectiveness of their audits
- Willingness of those charged with governance over the IS audit area to accept the methodology as the means of determining the type and level of audit work carried out
2.2.6 No single risk assessment methodology can be expected to be appropriate in all situations. Conditions affecting audits may change over time. Periodically, professionals should re-evaluate the appropriateness of the chosen risk assessment methodologies.
2.2.7 The professionals should use the selected risk assessment techniques in developing the overall IS audit plan and in planning specific audit engagements. Risk assessment, in combination with other audit techniques, should be considered in making planning decisions such as the:
- Areas or business functions to be audited
- Amount of time and resources to be allocated to an audit
- Nature, extent and timing of audit procedures
2.3 Risk Assessment of Individual Audit Engagements
2.3.1 When planning an individual engagement, professionals should identify and assess risk relevant to the area under review. The results of this risk assessment should be reflected in the audit engagement objectives. During the risk assessment, professionals should consider:
- Results of prior audit engagements, reviews and findings, including any remedial activities
- The enterprise's overarching risk assessment process
2.3.2 Professionals should ensure full understanding of the activities in scope before assessing risk. They should request comments and suggestions from stakeholders and other appropriate parties. This is needed to correctly determine and examine the impact of possible risk in the audit engagements.
2.3.3 The goal of the risk assessment is the reduction of audit risk to an acceptably low level, thus meeting the audit objectives. This needs to be performed by an appropriate assessment of the IS subject matter and related controls, while planning and performing the IS audit.
2.3.4 When planning a specific IS audit and assurance procedure, professionals should recognise the fact that the lower the materiality threshold is, the more precise the audit expectations will be and the greater the audit risk.
2.3.5 When planning a specific IS audit and assurance procedure, professionals should consider possible legal acts that can require a modification of the nature, timing or extent of the existing procedures. For more information refer to Standard 1207 Irregularity and Illegal Acts.
2.3.6 To gain additional assurance, professionals should compensate by either extending the scope or nature of the IS audit tests or increasing or extending the substantive testing.

2.4 Audit Risk
2.4.1 Audit risk refers to the risk of reaching an incorrect conclusion based upon audit findings. The three components of audit risk are:
- Control risk
- Detection risk
- Inherent risk
2.4.2 Professionals should consider each of the risk components to determine the overall level of risk. This includes subject matter risk, which includes inherent risk and control risk; together with detection risk it is then referred to as audit risk. Further elaboration on the different components of audit risk can be found in sections 2.5 to 2.7.
2.5 Inherent Risk
2.5.1 Inherent risk is the susceptibility of an audit area to err in a way that could be material, individually or in combination with other errors, assuming that there were no related internal controls. For example, the inherent risk associated with operating system security is ordinarily high, since changes to, or even disclosure of, data or programs through operating system security weaknesses could result in false management information or competitive disadvantage. By contrast, the inherent risk associated with security for a standalone PC, when a proper analysis demonstrates it is not used for business-critical purposes, ordinarily is low.
2.5.2 Inherent risk for most IS audit areas is high since the potential effects of errors ordinarily span several business systems and many users.

2.6 Control Risk
2.6.1 Control risk is the risk that an error that could occur in an audit area and could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system. For example, the control risk associated with manual reviews of computer logs can be high because of the volume of logged information. The control risk associated with computerised data validation procedures ordinarily is low because the processes are applied consistently.
2.6.2 Professionals should assess the control risk as high unless relevant internal controls are:
- Identified
- Evaluated as effective
- Tested and proved to be operating appropriately
2.6.3 The professionals should consider both pervasive and detailed IS controls:
- Pervasive IS controls are considered a subset of general controls; they are those general controls that focus on the management and monitoring of the IS environment. They therefore affect all IS-related activities. The effect of pervasive IS controls on professionals' work is not limited to the reliability of application controls in the business process systems. They also affect the reliability of the detailed IS controls over, e.g., application program development, system implementation, security administration and backup procedures. Weak pervasive IS controls, and thus weak management and monitoring of the IS environment, should alert professionals to the possibility of a high risk that the controls designed to operate at the detailed level may be ineffective.
- Detailed IS controls are made up of application controls plus those general controls not included in pervasive IS controls. Following the COBIT framework they are the controls over the acquisition, implementation, delivery and support of IS systems and services.
2.6.4 A possible risk that professionals should consider is the limitations and shortcomings of the detailed IS controls that are induced by inadequacies of the pervasive IS controls.

2.7 Detection Risk
2.7.1 Detection risk is the risk that professionals' substantive procedures will not detect an error that could be material, individually or in combination with other errors. For example, the detection risk associated with identifying breaches of security in an application system ordinarily is high because logs for the whole period of the audit are not available at the time of the audit. The detection risk associated with identifying a lack of disaster recovery plans ordinarily is low, since existence is verified easily.
2.7.2 In determining the level of substantive testing required, the professionals should consider the:
- Assessment of inherent risk
- Conclusion reached on control risk following compliance testing
2.7.3 The higher the assessment of inherent and control risk, the more audit evidence the professionals should normally obtain from the performance of substantive audit procedures.
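Added example, not part of the ISACA guideline: a small Python model of the audit risk components in sections 2.2 and 2.4 to 2.7 and the prioritisation of the audit universe in 2.1.3. The three-level scale, the C/I/A exposure inputs, the LOW rating for fully tested controls and the thresholds for the extent of substantive testing are assumptions made for illustration.

```python
"""Added example, not part of the ISACA guideline: a minimal rating model for
the audit risk components in sections 2.2 and 2.4 to 2.7. The three-level
scale, the C/I/A inputs, the "HIGH unless identified, effective and tested"
control risk rule and "more evidence for higher risk" follow the text; the
LOW rating for tested controls and the testing-extent thresholds are assumed."""
from dataclasses import dataclass, field

LEVELS = ("LOW", "MEDIUM", "HIGH")  # ordinal scale; index gives the rank

@dataclass
class Controls:
    # 2.6.2: all three conditions must hold before controls reduce control risk
    identified: bool = False
    evaluated_effective: bool = False
    tested_operating: bool = False

@dataclass
class AuditArea:
    name: str
    availability: str     # 2.2.2: exposure of system availability
    integrity: str        # 2.2.2: exposure of data integrity
    confidentiality: str  # 2.2.2: exposure of business information confidentiality
    controls: Controls = field(default_factory=Controls)

def inherent_risk(area: AuditArea) -> str:
    """2.5: susceptibility to material error assuming no controls; the worst
    of the three exposures wins (assumed max rule rather than weights)."""
    return max((area.availability, area.integrity, area.confidentiality),
               key=LEVELS.index)

def control_risk(area: AuditArea) -> str:
    """2.6.2: HIGH unless controls are identified, evaluated as effective and
    tested as operating; only then rated LOW (assumed rating)."""
    c = area.controls
    return "LOW" if c.identified and c.evaluated_effective and c.tested_operating else "HIGH"

def substantive_testing_extent(inherent: str, control: str) -> str:
    """2.7.3: higher inherent and control risk call for more substantive
    evidence; combined rank 0..4 maps to an assumed extent."""
    combined = LEVELS.index(inherent) + LEVELS.index(control)
    return "EXTENDED" if combined >= 3 else "STANDARD" if combined >= 1 else "LIMITED"

def assess(area: AuditArea) -> dict:
    ir, cr = inherent_risk(area), control_risk(area)
    return {"area": area.name, "inherent": ir, "control": cr,
            "substantive_testing": substantive_testing_extent(ir, cr)}

def prioritise(areas: list) -> list:
    """2.1.3: schedule the highest combined inherent and control risk first;
    ties are broken by inherent risk."""
    def rank(r):
        ir, cr = LEVELS.index(r["inherent"]), LEVELS.index(r["control"])
        return (-(ir + cr), -ir)
    return sorted((assess(a) for a in areas), key=rank)

# Constructed sample audit universe, mirroring the examples in 2.5.1 and 2.6.1.
SAMPLE_AREAS = [
    AuditArea("Operating system security", "HIGH", "HIGH", "HIGH",
              Controls(identified=True, evaluated_effective=True, tested_operating=True)),
    AuditArea("Manual review of computer logs", "LOW", "MEDIUM", "MEDIUM",
              Controls(identified=True)),  # log volume: not evaluated as effective
    AuditArea("Standalone PC (not business critical)", "LOW", "LOW", "LOW"),
]
```

Calling prioritise(SAMPLE_AREAS) places the manual log review first: its untested controls leave control risk HIGH, so it needs extended substantive testing even though its inherent risk is only MEDIUM.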
3. Linkage to Standards and COBIT 5 Processes

3.0 Introduction
This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Seek other guidance

3.1 Linkage to Standards
The table provides an overview of:
- The most relevant ISACA Standards that are directly supported by this guideline
- Those standard statements that are most relevant to this guideline
Note: Only those standard statements relevant to this guideline are listed.

Standard Title: 1201 Engagement Planning
Relevant Standard Statements: IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
- Objective(s), scope, timeline and deliverables
- Compliance with applicable laws and professional auditing standards
- Use of a risk-based approach, where appropriate
- Engagement-specific issues
- Documentation and reporting requirements

Standard Title: 1202 Risk Assessment in Planning
Relevant Standard Statements:
- The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.
- IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements.
- IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise.

Standard Title: 1203 Performance and Supervision
Relevant Standard Statements: IS audit and assurance professionals shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule.
Standard Title: 1204 Materiality
Relevant Standard Statements:
- IS audit and assurance professionals shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
- IS audit and assurance professionals shall consider materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.
- IS audit and assurance professionals shall consider the cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or a material weakness.
- IS audit and assurance professionals shall disclose the following in the report:
  - Absence of controls or ineffective controls
  - Significance of the control deficiencies
  - Likelihood of these weaknesses resulting in a significant deficiency or material weakness

Standard Title: 1207 Irregularity and Illegal Acts
Relevant Standard Statements: IS audit and assurance professionals shall consider the risk of irregularities and illegal acts during the engagement.
3.2 Linkage to COBIT 5 Processes
The table provides an overview of:
- COBIT 5 processes
- COBIT 5 process purpose
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.

COBIT 5 Process: EDM01 Ensure governance framework setting and maintenance.
Process Purpose: Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise's strategies and objectives, ensure that IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met.

COBIT 5 Process: EDM03 Ensure risk optimisation.
Process Purpose: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.

COBIT 5 Process: APO12 Manage risk.
Process Purpose: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
COBIT 5 Process: MEA02 Monitor, evaluate and assess the system of internal control.
Process Purpose: Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

COBIT 5 Process: MEA03 Monitor, evaluate and assess compliance with external requirements.
Process Purpose: Ensure that the enterprise is compliant with all applicable external requirements.
3.3 Seek Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance, when considered necessary. This could be from IS audit and assurance:
- Colleagues from within the organisation and/or outside the enterprise, e.g., through professional associations or professional social media groups
- Management
- Governance bodies within the organisation, e.g., audit committee
- Other guidance (e.g., books, papers, other guidelines)

4. Terms

Audit charter: A document approved by those charged with governance that defines the purpose, authority and responsibility of the internal IS audit and assurance activity. The charter should:
- Establish the internal IS audit and assurance function's position within the enterprise
- Authorise access to records, personnel and physical properties relevant to the performance of IS audit and assurance engagements
- Define the scope of the IS audit and assurance function's activities

Audit risk: The risk of reaching an incorrect conclusion based upon audit findings. The three components of audit risk are:
- Control risk
- Detection risk
- Inherent risk

Control risk: The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal control. See inherent risk.

Detailed IS controls: Controls over the acquisition, implementation, delivery and support of IS systems and services made up of application controls plus those general controls not included in pervasive controls.

Detection risk: The risk that the IS audit or assurance professional's substantive procedures will not detect an error that could be material, individually or in combination with other errors. See audit risk.

Inherent risk: The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls). See control risk.
Materiality: An audit concept regarding the importance of an item of information with regard to its impact or effect on the subject matter being audited. An expression of the relative significance or importance of a particular matter in the context of the engagement or the enterprise as a whole.

Pervasive IS control: General control designed to manage and monitor the IS environment and which, therefore, affects all IS-related activities.

Risk assessment: A process used to identify and evaluate risk and its potential effects. Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage the project delivery and project benefit risk.

Substantive testing: Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

5. Effective Date
5.1 Effective Date: This revised guideline is effective for all IS audit/assurance engagements beginning on or after Day Month 2014.