Custom Search

Tuesday, July 10, 2007

CISA Audit Process #16

CISA Audit Process #16

The first step in a risk-based audit approach is to gather information about the business and industry to evaluate the inherent risks. After completing the assessment of the inherent risks, the next step is to complete an assessment of the internal control structure. The controls are then tested and, on the basis of the test results, substantive tests are carried out and assessed.

Related Tags: , , , , , , , ,

CISA Audit Process#15

CISA Audit Process #15

The ISACA IS Auditing Guideline G15 on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.

Related Tags: , , , , ,

Monday, July 9, 2007

CISA Audit Process #14

Calculation of a Business Risk - Risky Analysis

Overall business risk for a particular threat can be expressed as:
a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
For example: If you lose some strictly confidential documents which consists of pricing and patent information of new products that your company is going to launch, what is the impact if it falls under the hands of competitors & further more the documents have not been encrypted.

Impact = 10 (high impact)
Probabaility = 0.9( very likely)

Therefore the risk factor is 10 * 0.9 = 9 (very high risk factor)

Related Tags: , , , , , , ,