Chapter 1 - Risk Assessment Flashcards Preview

CITP - Certified Information Technology Professional Exam > Chapter 1 - Risk Assessment > Flashcards

Flashcards in Chapter 1 - Risk Assessment Deck (89)
Loading flashcards...

What are the five learning objectives of Chapter 1?

Types - RA involved BE apply IT in relationship FR
Environment - understand BE and BP, esp IT risks to AIS and FR
Model - understand and apply ARM as defined by RBS - IR, CR, RMM
Walk - Understanding and evaluation of controls
Report - draft RA report

1. To understand the types of risk assessments involved in a business entity and how they apply to IT and its relationship to financial reporting
2. To understand the business environment and business processes, especially the risk IT itself brings to accounting information systems and financial reporting
3. To understand and apply the audit risk model as defined in the risk based standards - Inherent Risk; Control Risk and Risk of Material Misstatement
4. To enhance one's understanding and evaluation of controls using walk-throughs
5. To understand the most effective process of drafting a risk assessment report


What is a risk assessment?
What is the definition of risk assessment?

- initial what? - of what? - that may impact what?
- MM or what? Vul... -Vul of what? - Based on what?

The initial evaluation of risks that may affect the possibility of a material misstatement or the vulnerability of an organization's assets based on initial assumptions, research and uncertainties.

Dimension 1, CITP BOK


Is a risk based audit more effective than other approaches? Why or why not?

Yes. In recent years, all types of audits have become risk-based in their approaches. Standards by various professional organizations reflect this modern view that a risk-based audit is more effective than other approaches.


What is the nick-name for the group of standards from a professional organization that gives guidance on the risk based approach to auditing?

The nickname is "Risk Based Standards". The AICPA
issued a group of risk based standards in 2006, effective 2007.


Why are SAS 104 through SAS 111 important?

How many standards?
Rigorously do what?
RMM where?
Understand what is done by who?
What audit to they affect?
Who's role and responsibility is described?
Who is impacted in business and industry?

These eight new standards (2007) require both the auditor and the entity to rigorously assess the risks of material misstatement of the financial statements and understand what the entity is doing to mitigate them.
- Key Standards
- Affect the financial statement audit
- Role and responsibility of the IT auditor in the financial statement auditor
- and affects management and auditors in business and industry


How do the eight standards, SAS 104 - SAS 111, impact CITPs?

These are the Statements on Auditing Standards (SAS) (AICPA, Professional Standards). These are referred to as the "risks standards". Consideration of IT in financial audits and RMM (public accounting); and IT risks, automated controls, and IT General Controls (ITGC) in business and industry.


What is SAS 99?

No. 99, Consideration of Fraud in a Financial Statement Audit (AU sec. 316. Consideration of fraud risks, anti-fraud controls, and fraud auditing in financial audits (public accounting); anti-fraud programs (Business and Industry). This is one of the professional standards that impacts CITPS. Statement on Auditing Standards (SAS) (AICPA, Professional Standards)


What is the "Fraud standard"?

SAS No. 99. SAS 99 requires consideration of fraud risks; anti-fraud controls; and fraud auditing in financial audits (public accounting); and anti-fraud programs (B&I)


What are the "risks standards"?

SAS No. 104 - 111 - rquires consideration of IT in financial audits and RMM (public accounting); and IT risks, automated controls, and IT General Controls (ITGC) B&I


What are the relevant models for risk?

Relevant models for risk include
- Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- Control Objectives for Information and related Technology (COBIT), Information Systems Audit and Control Association
- Prevent, Detect, Control (P-D-C) model


In the risk based approach to auditing, what risks are concerns to the IT auditor?

The risks that are concerns to the IT auditor include areas of:
- Data Integrity
- Data / Systems / IT Security
- IT Operational effectiveness and
- Systemized processes and controls


What does the CITP BOK focus on?

The dimension of the CITP BOK focuses on the roles and responsibilities of the CITP in both public accounting and business and industry and in applying the risk based approach to identify, evaluate and mitigate relevant IT risks.


What is the Risk Based Approach (RBA)? What does it do?

The Risk Based Approach (RBA) is key to the current financial audit and most other assurance services as well. This approach:
- Expands the role of the IT auditor in the financial statement audits because of the need to assess risks and associate it with IT and risks associated with the controls embedded in IT.
- IT auditor needs to identify key relevant elements of systems and technology to ensure that IT related risks are appropriately considered.


Page 1-4


What are the three primary areas of risk assessments for CITPs?

1) Enterprise Risk Assessments, page 1-11
2) Financial Statement Risk Assessment, page 1-12
3) IT Risk Assessment, page 1-15


What are the two perspectives of CITPs for risk assessments?

The risk assessment process is constrained by the perspective and goal of the particular activity, whether it is external (for example, financial audits) or internal (for example, operational audits).
Externally - the risk assessment scopes risks that are in the IT space, have a relatively high risk of material misstatement, and are associated with financial reporting processes, data, or reports.
Internally - different goals, not constrained by external criteria. Internal CITPs will probably include some risk that external CITPs exclude.


How much should the external CITP put IT risks into the scope of an engagement?

The CITP should be careful - not all IT risks end up in the scope of the engagement. For example, risks that do not end up in the scope of the audit are:
- Significant IT risks, but there is no risk of material misstatement
- Significant IT risks, but a compensating (or downstream) control mitigates the risk
The CITP should take care to ensure all relevant IT risks are in scope, but IT risks that do not lead to risk of material misstatement should be excluded from the scope of the engagement.


What are the two ways of ranking risks?

Explain the two ways of ranking risks.

You can rank risks by using a scatter plot or by using a scorecard. A scatter plot is a graph with four quadrants, with significance on the vertical axis and likelihood on the horizontal axis. A scorecard is a simple ranking is a listing of risks from high to low, based on the auditor's judgment.


Are scatter plots more useful in risk management than simple ranking

Yes, scatter plots are more useful because they are generally considered easier to understand. They are more visual and provide a more efficient and effective application of risk assessment by ranking risks into groupings or similar ratings (quadrants).
Because scatter plots draw attention to the risks that need to be addressed in some order or precedence, they are easier to apply than a simple ranking.


What are the six steps of the risk assessment life cycle?

The six steps of the risk assessment life cycle are:
1) Recognize
2) Rate
3) Rank
4) Respond
5) Report and
6) Review


In the risk assessment life cycle, describe Step 1 - Recognize.

The first step in a risk assessment is to use a formal, structured, effective process where the objective is to identify, as much as possible, the relevant, material risks that could potentially adversely affect the entity.


In the risk assessment life cycle, describe Step 2 - Rate.

The second step in a risk assessment process is to assess the level of risk for each individual risk identified. This process usually begins with a rating of the significance of the impact of the risk identified. That significance could be as simple as high, medium, or low impact. It can also be much more sophisticated, for example a significance rating factor based on a percentage scale from 0 to 100. Some risks may be assessed low enough to be ignored.


In the risk assessment life cycle, describe Step 3 - Rank.

After Step 2, where risks are rated (based on significance and likelihood), the next step is to organize the risks in order of priority.


In the risk assessment life cycle, describe Step 4 - Respond.

In this step, management develops appropriate responses to the higher risks. Management should formally develop mitigating controls, actions, or plans to sufficiently mitigate all of the risks to an acceptable level. Some risks will already be at an acceptable level, and will therefore not need to be mitigated further.


In the risk assessment life cycle, describe Step 5 - Report.

After management has identified, assessed, ranked, and provided mitigating actions, that information needs to be documented. Management should create a report or document that provides a formal and structured conclusion to the risk assessment process to this point.


In the risk assessment life cycle, describe Step 6 - Review.

"Review" is the process of monitoring the risks, individually and in groups, and monitoring the effectiveness of risk mitigation. This is critical in keeping risks at an acceptable level.


In the risk assessment process, in Step 2 - Rate, what is another common phase in this step other than to rate significance?

Another common phase in this step is to rate the likelihood that the risk will come to fruition and not be prevented. A simple approach is high, medium, or low probability, or it could be more granular as 0.00 to 1.00 or a percentage.


In Step 3 - Ranking - of the risk assessment process, how are risk scores obtained? What do we do with them after we have them?

To obtain a risk score, simply multiply the significance factor times the likelihood factor. The risk score results can then be ordered to rank the risks in a scorecard manner. A scorecard is when the risks are ranked in a simple list from based on their risk scores. Instead of using a scorecard, the risk scores can be plotted on a traditional scatter plot.


When is a scatter plot used?

Describe a scatter plot.

A scatter plot can be used in Step 3 - Rank - of the Risk assessment process. A scatter plot is a graph with four quadrants. Significance is plotted on the X (vertical) axis. Likelihood is plotted on the Y (horizontal) axis. The graph is then divided into four quadrants, as follows:
1 - Quadrant 4 - High Risk
2 - Quadrants 2 and 3 - Medium Risk
3 - Quadrant 1 - Low Risk


What does management need to do when performing risk assessments?

Management needs to do a formal ranking of risks, and use a structured process to get to that ranking. Management also needs to document the process (for example rational, approach, method used) and results.


In Step 6 - Review - of the Risk Assessment process, what activity is critical in keeping risks at an acceptable level?

Any risk assessment, especially as it relates to IT, needs to be reviewed regularly. Monitoring the risks, individually and in groups, and monitoring the risk mitigation effectiveness is critical in keeping risk at an acceptable level.

New risks emerge, while old risks can increase or decrease. Controls or other mitigations can lose effectiveness, and alternative mitigations can become more efficient or effective than the ones in existence. Because of these factors, a regular review is important to an effective risk assessment and risk management program. The CITP should not only see that management performs periodic risk assessments, but also should see that management has implemented a formal and structured approach to monitoring and responding to risks appropriately.

By monitoring, management could return to Step 4 - Respond; or revisit the other steps of the risk assessment process before responding. This is the life cycle approach to risk assessment - it is a continual process that ends and begins again in a cyclical process.