03. Planning an IS Audit

03.01. Developing Risk-based IS Audit Plans


Credit: A man in corporate attire talking at a meeting by Pavel Danilyuk, used under the Pexels License.

Briefly reflect on the following before we begin:

  • How can audit planning be aligned with an organization’s strategic goals and objectives?
  • How would IS Auditors go about developing multi-year audit plans?
  • Who should be the key stakeholders to sign off on the multi-year audit plan?

The essence of a risk-based audit plan lies in its ability to anticipate and mitigate risks in a rapidly evolving IT landscape. Such a plan is not merely a procedural requirement but a strategic tool instrumental in safeguarding an organization’s digital assets and ensuring compliance with regulatory standards. It necessitates a forward-looking perspective that aligns with the organization’s immediate and long-term goals.

The process begins with identifying key risk areas within an organization’s IT framework to pinpoint potential vulnerabilities and areas where the organization is most susceptible to risks, be it in data security, system integrity, or compliance with regulations. This requires a comprehensive analysis of the organization’s IT infrastructure, including a detailed understanding of various systems, applications, and the business processes they support.

Once the risks are identified, the next step involves the prioritization of these risks. This prioritization is not a mere sequence of risks, but a strategic categorization based on potential impact and likelihood of occurrence. It is a delicate balance that weighs various factors, including the potential financial implications, operational disruptions, and reputational risks. Integrating industry and regulatory standards into the planning process is another critical aspect. Standards such as ISO 27001 and regulations such as the GDPR serve as benchmarks, ensuring the audit plan adheres to internal organizational standards and aligns with global best practices and legal requirements.

Allocating resources is a pivotal part of the planning process as it involves assigning the right mix of skills and tools to address the identified risks. It is based on the nature and complexity of the risks, ensuring the audit team is well-equipped to conduct a thorough and effective audit. Similarly, reviewing past audits and their findings plays a significant role in shaping the current audit plan. This retrospective analysis helps identify recurring issues, understand the effectiveness of prior recommendations, and refine the current approach.

Risk-based IS Audit Planning Process

The risk-based IS audit planning process is a structured approach central to effective IS auditing.

Given the ever-evolving nature and extent of IT’s influence over the organization’s operations, assessing enterprise-wide IT risk and controls can be daunting. While most progressive organizations and IS audit functions aim to maintain a complete inventory of their IT infrastructure components, this is not always possible or feasible. As an acceptable alternative, IS audit functions tend to perform the following in preparation for developing a risk-based audit plan:

  • Performing IT risk assessments annually to identify the new technologies impacting the organization.
  • Becoming familiar with IT’s short-term initiatives and analyzing how they impact the IT risk assessment.
  • Beginning each IT audit by reviewing its risk assessment component.
  • Monitoring the organization’s IT-related risk profile and adapting audit procedures as it evolves.

Additionally, several organizational and technological factors should be considered when developing the risk-based IS audit plan, such as the organization’s industry sector, revenue size, type, complexity of business processes, and geographic locations of operations. More specifically, the following factors play a significant role in helping IS Audit functions shape their risk-based audit plans:

  • Extent of IT Use
    • The extent of IT use needs to be considered in planning the nature, extent, and timing of audit procedures.
    • IT skills may be needed to understand the flow of some transactions.
    • Nature, timing, and extent are all affected by the extent of IT use.
  • Availability of Data
    • Input data, system-generated files, and other data may exist only for short periods of time or only in computer-readable form.
    • The client may have to adopt a retention policy that preserves information for audit purposes.
    • The auditor should plan to perform procedures when data is available.
  • Complexity of Operations
    • Complexity refers to hardware configuration and the degree of integration of common files or data.
    • Another factor is the availability of transaction trails.
    • Significant processing of transactions by service providers affects planning.
  • Need for Specialized Skills
    • All aspects of a client’s systems should be considered in determining the need for specialized IT skills.
    • Audit team members should possess sufficient IT knowledge to know when to call on specialists.
  • IT Organizational Structure
    • The degree of centralization of IT will affect the auditor’s controls assessment.
    • Centralized IT departments lead to uniform hardware and control structures throughout the entity.
    • Decentralized structures may have different hardware, software, and control procedures at each processing location.

Developing the risk-based IS audit plan should follow a systematic process to ensure that the IS auditors consider all fundamental business aspects and IT-service support activities. The foundation for the plan must be rooted in the organization’s objectives, strategies, and business model.

The process begins with gaining an understanding of the business by identifying the strategies, organizational objectives, and business models that enable the IS audit team to understand the organization’s unique business risks. The IS audit team must also understand how existing business operations and IT service functions support the organization. Understanding the business also involves recognizing external factors such as market trends, economic conditions, and technological advancements; auditors should be aware of how these factors affect the organization and how readily it adapts to them, so as to better assess technological risks. Understanding the business is a continuous process and requires the IS audit team to stay updated on organizational and environmental changes. They should regularly interact with key stakeholders to gain insight into changes in business processes, objectives, and strategies, and to identify new technologies adopted by the organization.

Next, the IS audit team needs to define the IT universe through a top-down approach that identifies key business objectives and processes, the significant information systems that support those business processes, the infrastructure needed for the business applications, the organization’s service support model for IT, and the role of common supporting technologies such as network devices. These technical components, along with an understanding of service support processes and system implementation projects, allow the IS audit team to create a comprehensive inventory of the IT environment, which forms the foundation for assessing the vulnerabilities that may impact internal controls. The IT audit universe is dynamic and evolves as the organization’s IT environment and business objectives change. Therefore, the IT audit universe must be periodically (at least annually) reviewed and updated to ensure that the IT audit plan remains relevant and aligned with the organization’s current risk profile and strategic direction. Engaging with IT management, business unit leaders, and other relevant personnel is crucial in defining the IT universe, as it provides insight into the IT environment and its associated risks. Stakeholder engagement also helps ensure the IT audit universe is comprehensive and aligns with the organization’s priorities and concerns.

The next step is to perform the risk assessment, a methodology for determining the likelihood of an event that could hinder the organization from attaining its business goals and objectives in an effective, efficient, and controlled manner. This involves assessing the impact of each risk in terms of potential financial loss, operational disruption, and reputational damage, together with the likelihood of each risk materializing. Ranking risks on these two dimensions helps focus audit efforts on the areas that pose the greatest threat to the organization’s objectives. It is a strategic process, balancing various risk factors to determine the most significant areas needing attention. Incorporation of industry and regulatory standards into the audit plan is essential. Standards such as ISO 27001 and laws like GDPR provide a framework for assessing the organization’s compliance posture. Adhering to these standards ensures that the audit plan is aligned with internal organizational goals and external compliance requirements. This aspect of the planning process safeguards the organization from potential legal and regulatory risks.

The information and analysis gained by understanding the organization, inventorying the IT environment, and assessing risks feed into the final step, formalizing the audit plan. It involves selecting audit subjects, bundling them into distinct engagements, determining the audit cycle and frequency, and adding engagements based on management requests or consulting opportunities. The objective of the audit plan is to determine where to focus the auditor’s assurance and consulting work so as to provide management with objective information for managing the organization’s risks and control environment. The audit plan must be dynamic, allowing for adjustments in response to changes in the business and IT environments so that it remains relevant and effective in the face of evolving risks and organizational needs. A crucial part of this phase is reviewing the plan with senior and operations management to validate management’s input and give them a preview of the upcoming IT audit activities. It also allows for the discussion of potential audit engagement dates and any operational activities that might affect the audit process, such as application upgrades or significant operational events.

The content of the IT audit plan should directly reflect the risk assessment. The audit plan should cover various aspects, including IT general controls, application controls, infrastructure controls, and their contributions to operational, financial, and compliance reviews. It should also consider new IT trends and their potential impacts. The plan is influenced by risk assessments, resource allocation, and the prioritization of risks; these factors help determine the scope and focus of the audit activities. Different types of IT audits might include integrated business process audits, audits of IT processes, and audits of business projects and IT initiatives. The plan could be integrated with non-IT audit activities, sometimes involving a multidisciplinary team with balanced expertise, including IT audit skills. Lastly, IS audit teams should also plan for contingencies and coordinate activities with internal and external assurance and consulting service providers to help minimize duplication of efforts and ensure comprehensive coverage.

The risk-based IS Audit Plan development process can be summarized as follows:

  • Understand the Business
    • Identify the organization’s strategies and business objectives.
    • Understand the high-risk profile of the organization.
    • Identify how the organization structures their business operations.
    • Understand the IT service support model and environment.
  • Define the IT Universe
    • Understand business fundamentals.
    • Identify applications supporting the business operations.
    • Identify critical infrastructure for significant applications.
    • Identify major projects and initiatives.
    • Determine realistic audit subjects.
  • Perform Risk Assessment
    • Develop processes to identify risks.
    • Assess risk and rank audit subjects using IT risk factors.
    • Assess risk and rank subjects using business risk factors.
  • Formalize the Audit Plan
    • Select audit subjects and bundle them into distinct audit engagements.
    • Determine audit cycle and frequency.
    • Add appropriate engagements based on management requests or opportunities for consulting.
    • Validate the plan with business management.

Documenting the IS Audit Plan and Getting Stakeholder Approval

The documented IS audit plan, once approved by stakeholders, serves as a blueprint for the IS audit function, outlining the scope, objectives, and methodology of the key assurance and consulting engagements to be undertaken over the next few quarters.

Effective documentation starts by defining the overall scope, including identifying specific IT areas to be audited. The scope must be comprehensive, covering all critical systems and processes. It should also be specific, delineating the boundaries of the audit. Clear scope definition helps set realistic expectations and avoid scope creep during the audit execution. Next, the objectives of the audit are outlined. They need to be clear, measurable, and achievable. Each objective should address a specific risk or compliance requirement. This clarity helps focus the audit efforts and facilitates the evaluation of audit outcomes.

The audit methodology section describes the approach and techniques, including details on risk assessment methods, audit procedures, and evidence-gathering techniques. The methodology should be robust, ensuring a thorough and efficient audit. It should also be flexible, allowing for adjustments in response to findings during the audit. Resource allocation is another critical component of the audit plan, outlining the personnel and technology resources assigned to the audit. The timeline and milestones section should provide a schedule for the audit, including key milestones and deadlines. The timeline should be realistic, allowing sufficient time for thorough audit activities.

Once the audit plan is documented, obtaining stakeholder approval is the next important step. This involves presenting the plan to senior management and other key stakeholders. The presentation should be clear, concise, and focused on how the audit supports the organization’s objectives. It should highlight the audit’s expected value and how it aligns with the organization’s strategic goals. Securing stakeholder approval often requires addressing concerns and answering questions. This interaction is an opportunity to refine the audit plan based on stakeholder feedback. It ensures that the plan is not only acceptable to the audit team but also to those who will be impacted by the audit. Effective communication is key in this stage, and the IS auditor must articulate the importance of the audit, its potential benefits, and how it will be conducted without disrupting normal business operations. This communication builds trust and fosters a collaborative relationship between the audit team and stakeholders.

Once approval is obtained, the audit plan is finalized and communicated to the IS audit team. This communication is crucial for ensuring that everyone involved understands the plan and their roles in it.


In the Spotlight

For additional context on the process of developing a risk-based IS audit plan, please read the article titled “IS Audit Basics: Developing the IT Audit Plan Using COBIT 2019”.

Cooke, I. (2019). IS audit basics: Developing the IT audit plan using COBIT 2019. ISACA Journal, 6. https://www.isaca.org/resources/isaca-journal/issues/2019/volume-3/developing-the-it-audit-plan-using-cobit-2019


Key Takeaways

Let’s recap the key concepts discussed in this section by watching this video.

Source: Mehta, A.M. (2023, December 6). AIS OER ch 03 topic 01 key takeaways [Video]. https://youtu.be/AkBW_FE4urA


Knowledge Check


Review Questions

  1. Explain the importance of understanding the business in the risk-based IS audit planning process.
  2. Describe how the extent of IT use influences the nature, timing, and extent of audit procedures in a risk-based IS audit plan.


Mini Case Study

Developing a Risk-Based IS Audit Plan for TechStream Inc.

TechStream Inc., a leader in financial management software solutions, boasts a 15-year history with a global presence. The company, headquartered in New York, commands an impressive annual revenue of approximately $500 million and employs around 3,000 staff worldwide, with significant operations across Europe (Germany, UK) and Asia (India, Japan). TechStream Inc.’s software solutions are diverse, offering both on-premise installations and cloud-based services. Recently, they have started integrating AI algorithms to enhance their financial analysis capabilities, showcasing their commitment to technological advancement.

The company’s transition to the cloud is noteworthy, with a substantial reliance on third-party cloud service providers for its cloud offerings and ongoing initiatives to migrate critical data storage services to cloud platforms. This transition is coupled with exploratory ventures into IoT technology, aimed at harnessing real-time financial data from various sources. TechStream Inc.’s clientele is broad and includes large financial institutions, mid-sized banks, and emerging fintech startups, making the handling of sensitive financial data, such as transaction histories and customer information, a regular occurrence.

Operating on an international scale, TechStream Inc. must navigate a complex regulatory landscape, adhering to various international regulations like the GDPR in Europe and other data protection laws globally. Regular audits by financial regulators are a part of their operational norm due to the sensitive nature of their client base. The company’s IT infrastructure presents a blend of legacy systems and modern cloud-based solutions, recently adapting to increased remote work scenarios with greater reliance on VPNs and cloud applications.

Despite their robust technology adoption, security remains a focal concern, especially with minor past incidents and growing apprehensions about potential vulnerabilities, particularly in new cloud and IoT integrations. While the company maintains an internal IT security team, it often leans on external consultants for comprehensive security audits and assessments. Current IT challenges include the integration of AI and machine learning for advanced data analytics and ensuring secure, seamless integration of an increasing number of IoT devices. Alongside these technological strides, TechStream Inc. is also planning a significant expansion of its cloud storage capabilities, further solidifying its position as a tech-forward company in the financial software domain.

You are an IS auditor tasked with developing a risk-based IS audit plan for TechStream Inc. Considering the company’s global presence, diverse IT infrastructure, and recent technological advancements, the IS audit must align with the organization’s strategic goals while addressing significant risks.

Required: Develop a dynamic IS audit plan that aligns with TechStream Inc.’s risk profile and operational priorities.


License


Auditing Information Systems Copyright © 2024 by Amit M. Mehta is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
