An audit plan is a step-wise approach to be followed to conduct an audit. It helps to establish the overall audit process in an effective and efficient manner. An audit plan should be aligned with the audit charter of the organization. To plan an audit, the IS auditor is required to have a thorough understanding of business processes, business applications, and relevant controls. Audit planning includes both short- and long-term planning.

The following topics will be covered in this chapter:

• The content of an audit charter
• Audit planning
• Business process applications and controls
• Types of controls
• Risk-based audit planning
• Types of audit and assessment

An internal audit is an independent activity and it should ideally be reported to a board-level committee. In most organizations, the internal audit function reports to the audit committee of the board. This helps to protect the independence of the audit function.

The independence of the audit function is ensured through a management-approved audit charter.

The following figure shows the features of an audit charter:

The CISA candidate should note the following features of the audit charter:

• An audit charter is a formal document defining the internal audit's objective, authority, and responsibility. The audit charter covers the entire scope of audit activities.
• An audit charter must be approved by top management.
• An audit charter should not be changed too often and hence procedural aspects should not be included in it. Also, it is recommended to not include a detailed annual audit calendar including things such as planning, the allocation of resources, and other details such as audit fees, other expenses for the audit, and so on in an audit charter.
• An audit charter should be reviewed annually to ensure that it is aligned with business objectives.

Essentially, an auditor's activities are impacted by the charter of audit department, which authorizes the accountability and responsibility of the audit department.

An audit charter includes the following:

• The mission, purpose, and objective of the audit function
• The scope of the audit function
• The responsibilities of management
• The responsibilities of internal auditors
• The authorised personnel of the internal audit work

If an audit is outsourced to an audit firm, the objective of the audit, along with its detailed scope, should be incorporated in an audit engagement letter.

An audit charter forms the basis of structured audit planning. Activities relevant to audit planning are discussed in the next topic.

Key aspects from CISA exam perspective

The following table covers important aspects from the CISA exam perspective:

Self-evaluation questions

1. An audit charter should be approved by:
   
   1. Higher management
   2. The head of audit
   3. The Information Security department
   4. The project steering committee

2. The audit charter should:
   
   1. Be frequently upgraded as per changes in technology and the audit profession
   2. Incorporate yearly audit planning
   3. Incorporate business continuity requirements
   4. Incorporate the scope, authority, and responsibility of the audit department
3. The prime objective of an audit charter is to:
   
   1. Document the procedural aspect of an audit
   2. Document system and staff requirements to conduct the audit
   3. Document the ethics and code of conduct for the audit department
   4. Document the responsibility and authority of the audit department
4. The document that delegates authority to the audit department is:
   
   1. The audit planner
   2. The audit charter
   3. The IT policy
   4. The risk assessment and treatment document
5. The prime reason for the review of an organization chart is to:
   
   1. Get details related to the flow of data
   2. Analyze the department-wise employee ratio
   3. Understand the authority and responsibility of individuals
   4. Analyze department-wise IT assets
6. An IS auditor would be primarily influenced by:
   
   1. The charter of the audit department
   2. The representation by management
   3. The structure of the organization
   4. The number of outsourcing arrangements
7. Which of the following is the result of a risk management process?
   
   1. A corporate strategic plan
   2. A charter incorporating the audit policy
   3. Decisions regarding the security policy
   4. Outsourcing arrangements

8. Which of the following should be included in an audit charter?
   
   1. Annual audit planning
   2. The audit function's reporting structure
   3. Guidelines for drafting audit reports
   4. An annual audit calendar
9. The scope, authority, and responsibility of the IS audit function is defined by:
   
   1. The approved audit charter
   2. The head of the IT department
   3. The operational head of the department
   4. The head of audit
10. Which of the following functions is governed by the audit charter?
    
    1. The information technology function
    2. The external audit function
    3. The internal audit function
    4. The information security function
11. Which of the following covers the overall authority to perform an IS audit?
    
    1. The audit scope with goals and objectives
    2. Management's request to perform an audit
    3. The approved audit charter
    4. The approved audit schedule
12. The audit function should be reported to the audit committee of the board because:
    
    1. The audit function has few resources
    2. The audit function must be independent of the business function and should have direct access to the audit committee of the board
    3. No other function should use the resources of the audit function
    4. The audit function can use their own authority to complete the audit on a priority basis.
13. The best objective for the creation of an audit charter is to:
    
    1. Determine the audit resource requirements
    2. Document the mission and long-term strategy of the audit department
    3. Determine the code of conduct for the audit team
    4. Provide the authority and responsibility of the audit function

CISA aspirants should understand the following important terms before reading about the different aspects of audit planning:

• Audit universe: An inventory of all the functions/processes/units under the organization.
• Qualitative risk assessment: In a qualitative risk assessment, risk is assessed using qualitative parameters such as high, medium, and low.
• Quantitative risk assessment: In a quantitative risk assessment, risk is assessed using numerical parameters and is quantified.
• Risk factors: Factors that have an impact on risk. The presence of those factors increases the risk, whereas the absence of those factors decreases the risk.

All of the preceding elements are important prerequisites for the design of a structured audit plan. Next, let's discuss the benefits of a structured and well-designed audit plan.

Benefits of audit planning

Audit planning is the initial stage of the audit process. It helps to establish the overall audit strategy and the technique to complete the audit. Audit planning aids in making the audit process more structured and objective oriented.

An audit plan helps to identify and determine the following aspects:

• The objectives of the audit
• The scope of the audit
• The periodicity of the audit
• The members of the audit team
• The method of audit

The following are some of the benefits of audit planning:

• It helps the auditor to focus on high-risk areas
• It helps in the identification of resource requirements to conduct the audit
• It helps to estimate the budget for the audit
• It helps to carry out audit work in a defined structure, which ultimately benefits the auditor as well as the auditee units

Selection criteria

An IS auditor should have a sufficient understanding about the various criteria for the selection of audit processes.

One of the criteria for audit planning is to have an audit universe. All of the significant processes of the enterprise's business should be included in the audit universe.

Each business process may undergo a qualitative or quantitative risk assessment by evaluating the risk in respect to relevant risk factors. Risk factors influence the frequency of the audit. After the risk is evaluated for each relevant factor, criteria may be defined to determine the risk of each process. The audit plan can then be designed to consider all the high-risk areas.

Reviewing audit planning

This audit plan should be reviewed and approved by top management. Generally, approval is obtained from the audit committee of the board.

The audit plan should be flexible enough to address the change in risk environment (that is, new regulatory requirements, changes in the market condition, and other risk factors).

The approved audit plan should be communicated promptly to the following groups:

• Senior management
• Business functions and other stakeholders
• The internal audit team

Individual audit assignments

The next step after doing the overall annual planning is to plan individual audit assignments. The IS auditor must understand the overall environment under review. While planning an individual audit assignment, an IS auditor should consider the following:

• Prior audit reports
• Risk assessment reports
• Regulatory requirements
• Standard operating processes
• Technological requirements

Like every other process, the audit process will also have some input and output. The following diagram will help you to understand input and output elements of the audit process:

For effective audit planning, it is of utmost importance that the IS auditor has a thorough understanding of business process applications and controls. The basic architecture of some of the commonly used applications and their associated risks are discussed in the next topic.

Key aspects from CISA exam perspective

The following figure covers important aspects from the CISA exam perspective:

Self-evaluation questions

1. Which of the following is the first step in risk-based audit planning?
   
   1. To identify the requirements of relevant stakeholders
   2. To identify high-risk processes in the company
   3. To identify the budget
   4. To identify the profit function
2. Which of the following is a major advantage of a risk-based approach to audit planning?
   
   1. Advance communication of the audit plan
   2. Completion of the audit exercise within the allotted time and budget
   3. The collection of audit fees in advance
   4. Optimum use of audit resources for high-risk processes
3. Which of the following should be the first exercise while reviewing data center security?
   
   1. The evaluation of the physical security arrangement
   2. The evaluation of vulnerabilities and threats to the data center location
   3. The evaluation of the business continuity arrangement for the data center
   4. The evaluation of the logical security arrangement
4. Which of the following is the most important aspect of planning an audit?
   
   1. Identifying high-risk processes
   2. Identifying the experience and capabilities of audit staff
   3. Identifying control testing procedures of the audit
   4. Determining the audit schedule

Working knowledge of the business environment and business objectives is required to plan a risk-based audit. The IS auditor should have a sufficient understanding of the overall architecture and technological specifications of the various applications used by the organization and the risks associated with those applications.

In understanding the issues and current risks facing the business, the IS auditor should focus on the areas that are most meaningful to management. To effectively audit business application systems, an IS auditor is required to gain a thorough understanding of the system under the scope of the audit.

The following are some of the widely used applications in business processes. The CISA candidate should be aware of the risks associated with each of them.

E-commerce

Let's start with understanding how e-commerce works:

• Single-tier architecture runs on a single computer, that is, a client-based application
• Two-tier architecture includes a client and server
• Three-tier architecture consists of the following:
  • A presentation tier (for interaction with the user)
  • An application tier (for processing)
  • A data tier (for the database)

The risks are as follows:

• A compromise of confidential user data
• Data integrity issues due to unauthorized alterations
• The system being unavailable may impact business continuity
• The repudiation of transactions by either party

The IS auditor's roles are as follows:

• To review the overall security architecture related to firewalls, encryption, networks, PKI to ensure confidentiality, integrity, availability, and the non-repudiation of e-commerce transactions
• To review the process of log capturing and monitoring for e-commerce transactions
• To review the incident management process
• To review the effectiveness of the controls implemented for privacy laws
• To review anti-malware controls
• To review business continuity arrangements

Electronic Data Interchange (EDI)

Let's start with understanding how EDI works:

• EDI is the online transfer of data or information between two enterprises.
• EDI ensures an effective and efficient transfer platform without the use of paper.
• The traditional exchange of paper documents between organizations has been replaced with EDI platforms.
• EDI applications contain processing features such as transmission, translation, and the storage of transactions flowing between two enterprises.
• An EDI setup can be either traditional EDI (batch transmission within each trading partner's computers) or web-based EDI (accessed through an internet service provider).

The risks are as follows:

• One of the biggest risks applicable to EDI is transaction authorization.
• Due to electronic interactions, no inherent authentication occurs.
• There could be related uncertainty with a specific legal liability when we don't have a trading partner agreement.
• Any performance-related issues with EDI applications could have a negative impact on both parties.
• Other EDI-related risks include unauthorized access, data integrity and confidentiality, and the loss or duplication of EDI transactions.

The IS auditor's roles are as follows:

• To determine the data's confidentiality, integrity, and authenticity, as well as the non-repudiation of transactions
• To determine invalid transactions and data before they are uploaded to the system
• To determine the accuracy, validity, and reasonableness of data
• To validate and ensure the reconciliation of totals between the EDI system and the trading partner's system

The IS auditor should determine the use of some controls to validate the sender, as follows:

1. The use of control fields within an EDI message
2. The use of VAN sequential control numbers or reports
3. Acknowledgment transactions with the sender

The auditor should also determine the availability of the following controls:

Control requirements for inbound transactions:

• A log of each inbound transaction on receipt
• Segment count totals built into the transaction set trailer
• Checking digits to detect transposition and transcription errors

Control requirements for outbound transactions:

• Transactions to be compared with the trading partner's profile
• Proper segregation of duties for high-risk transactions
• A log to be maintained for outbound transactions

EDI audits also involve the use of audit monitors (to capture EDI transactions) and expert systems (to evaluate transactions).

Point of Sale (POS)

Let's start with understanding how POS works:

• Debit and credit card transactions are the most common examples of POS.
• Data is captured at the time and place of sale.

The risks of this are as follows:

• The risk of skimming, that is, the unauthorized capturing of card data with the purpose of duplicating the card
• The risk of the unauthorized disclosure of PINs

The IS auditor's objectives are as follows:

• To determine that data used for authentication (PIN/CVV) is not stored in the local POS system
• To determine that the cardholder's data (either at rest or in transit) is encrypted

Electronic banking

Let's start with understanding how it works:

• E-banking websites and mobile-based systems are integrated with the bank's core system to support automatic transactions without any manual intervention.
• Automated processing improves processing speed and reduces opportunities for human error and fraud.
• Electronic banking increases the dependence on internet and communication infrastructure.

Two of the risks of this are as follows:

• Heavy dependence on internet service providers, telecommunication companies, and other technology firms
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity

The IS auditor's objectives are as follows:

• To determine the effectiveness of the governance and oversight of e-banking activities
• To determine arrangements for the confidentiality, integrity, and availability of e-banking infrastructure
• To determine the effectiveness of security controls with respect to authentication and the non-repudiation of electronic transactions
• To review the effectiveness of the controls implemented for privacy laws
• To review anti-malware controls
• To review business continuity arrangements

Electronic funds transfer (EFT)

Let's start with understanding how EFT works:

• Through EFT, money can be transferred from one account to another electronically, that is, without cheque writing and cash collection procedures.

Some of the risks are as follows:

• Heavy dependence on internet service providers, telecommunication companies, and other technology firms
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity

The IS auditor's objectives are as follows:

• To determine the availability of two-factor authentication for secure transactions.
• To determine that systems and communication channels have undergone appropriate security testing.
• To determine that transaction data (either at rest or in transit) is encrypted.
• To determine the effectiveness of controls on data transmission.
• To review security arrangements for the integrity of switch operations. An EFT switch connects with all equipment in the network.
• To review the log capturing and monitoring process of EFT transactions. In the absence of paper documents, it is important to have an alternate audit trail for each transaction.

Image processing

Let's start with understanding how it works:

• An image processing system processes, stores, and retrieves image data.
• An image processing system requires huge amounts of storage resources and strong processing power for scanning, compression, displays, and printing.
• Such systems are capable of identifying colors and shades.
• The use of image processing (in place of paper documents) can result in increased productivity, the immediate retrieval of documents, enhanced control over document storage, and efficient disaster recovery procedures.

Some of the risks are as follows:

• Implementation without appropriate planning and testing may result in system failure.
• The workflow system may need to be completely redesigned to integrate with the image processing system.
• Traditional controls and audit processes may not be applicable to image processing systems. New controls must be designed for automated processes.
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity.

The IS auditor's objectives are as follows:

• To determine the effectiveness of controls on the inputs, processing, and outputs of image processing systems
• To determine the reliability of the scanners used for image processing
• To review the retention process for original documents
• To determine that original documents are retained at least until a good image has been captured
• To review the confidentiality, integrity, and availability arrangements of image processing systems
• To review the training arrangements for employees to ensure that the processes of image scanning and storing are maintained as per the quality control matrix

Artificial intelligence and expert systems

Artificial intelligence and expert systems do the following:

• Capture and utilize the knowledge and experience of individuals
• Improve performance and productivity
• Automate skilled processes without manual intervention

A knowledge base in AI contains information about a particular subject and rules for interpreting that information. The components of a knowledge base include the following:

• Decision trees: Questions to lead the user through a series of choices
• Rules: Rules that use "if" and "then" conditions
• Semantic nets: A knowledge base that conveys meaning
• Knowledge interface: Stores expert-level knowledge
• Data interface: Stores data for analysis and decision making

The risks are as follows:

• Incorrect decisions or actions performed by the system due to incorrect assumptions, formulas, or databases in the system
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity

The IS auditor's roles are as follows:

• To assess the applicability of AI in various business processes and determine the associated potential risks
• To review adherence to documented policies and procedures
• To review the appropriateness of the assumptions, formulas, and decision logic built into the system
• To review the change management process for updating the system
• To review the security arrangements to maintain the confidentiality, integrity, and availability of the system

Once the IS auditor understands the basic architecture of the business applications and associated risks, the next step is to understand the appropriateness and effectiveness of the implemented controls to mitigate the risks.

Key aspects from CISA exam perspective

The following covers the important aspects from a CISA exam perspective:

Self-evaluation questions

1. Which of the following is the area of greatest concern in an EDI process?
   
   1. No logging and monitoring of EDI transactions.
   2. Senior management has not approved the EDI process.
   3. The contract for a trading partner has not been entered.
   4. EDI using a dedicated channel for communication.
2. Encryption helps in achieving which of the following objectives in an EDI environment?
   
   1. Ensuring the confidentiality and integrity of transactions
   2. Detecting invalid transactions
   3. Validating and ensuring the reconciliation of totals between the EDI system and a trading partner system
   4. Providing functional acknowledgment to the sender
3. In an EDI environment, which of the following procedures ensures the completeness of an inbound transaction?
   
   1. The process for transaction authentication
   2. The build segment count coming to the transaction set trailer of the sender
   3. An audit trail
   4. The segregation of duties for high-risk transactions

4. In which of the following processes are details entered by one employee re-entered by another employee to check their accuracy?
   
   1. Reasonableness check
   2. Key verification
   3. Control total
   4. Completeness check
5. Which of the following is used in an e-commerce application to ensure that a transaction is enforceable?
   
   1. Access control
   2. Authentication
   3. Encryption
   4. Non-repudiation

An internal control is a process that is used to safeguard the assets of an organization. Assets can include systems, data, people, hardware, or the reputation of the organization. Internal controls help in achieving the objectives of the organization by mitigating various risks.

Internal controls are implemented through policies, procedures, practices, and organizational structures to address risks. Internal controls provide reasonable assurance to management about the achievement of business objectives. Through internal controls, risk events are prevented or detected and corrected.

Top management is responsible for implementing a culture that supports efficient and effective internal control processes.

Effective controls in an organization can be categorized into the following types:

Let's discuss the control types in detail.

Preventive controls

Preventive controls are designed to be implemented in such a way that prevents a threat event and thus avoids any potential impact of that threat event.

Examples of preventive controls include the following:

• The use of qualified personnel
• The segregation of duties
• The use of SOPs to prevent errors
• Transaction authorization procedures
• Edit checks
• Access control procedures
• Firewalls
• Physical barriers

Detective controls

Detective controls are designed to detect a threat event once that event has occurred. Detective controls aim to reduce the impact of such events.

Examples of detective controls include the following:

• Internal audits and other reviews
• Log monitoring
• Checkpoints in production jobs
• Echo controls in telecommunications
• Error messages over tape labels
• Variance analysis
• Quality assurance

Corrective controls

Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring a business to normal operations.

Examples of corrective controls include the following:

• Business continuity planning
• Disaster recovery planning
• Incident response planning
• Backup procedures

Deterrent controls

The purpose of a deterrent control is to give a warning signal to deter a threat event.

Examples of deterrent controls include the following:

• CCTV cameras or "under surveillance" signs
• Warning signs

The difference between preventive and deterrent controls

For the CISA exam, it is important to understand the difference between preventive and deterrent controls. When a preventive control is implemented, an intruder is prevented from performing an act. They do not have a choice in whether or not to perform the act.

When a deterrent control is implemented, the intruder is being given a warning. Here, the intruder has a choice: either to act as per the warning or ignore the warning.

A locked door to a room is a preventive control. Intruders cannot go through the door. On the other hand, just a warning sign that says "No Entry" is a deterrent control. Intruders can ignore the warning and enter the room.

Apart from the controls we have covered thus far, CISA candidates should also understand compensating controls. It should be noted that the absence of one control can be compensated for by having another strong control.

Compensating controls

Compensating controls are alternate measures that are employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for a weakness in another area.

For example, in small organizations, the segregation of duties may not always be feasible. In such cases, compensatory controls such as reviews of logs should be implemented.

Similarly, some organizations may prefer to have alternate security measures in place of encryption.

Control objectives

A control objective is a reason why a control is implemented. Control objectives are linked to business objectives.

A control objective generally addresses the following:

• The effectiveness and efficiency of operational processes. For example, preventive controls attempt to prevent invalid transactions from being processed and assets from being misappropriated. However, detective controls have the objective of detecting errors or fraud that could result in the misstatement of financial statements.
• Adherence to regulatory requirements.
• The protection of assets.

It is advisable to document objectives for each and every control. Periodic reviews and monitoring of controls are required to validate results against these objectives.

Control measures

Control measures are implemented to achieve control objectives. Control measures are activities that are taken to prevent, eliminate, or minimize the risk of threat occurrence.

Key aspects from CISA exam perspective

The following table covers the important aspects from a CISA exam perspective:

Self-evaluation questions

1. Controls that are designed to prevent omissions, errors, or negative acts from occurring are which kind of controls?
   1. Preventive controls
   2. Detective controls
   3. Corrective controls
   4. Compensating controls

2. What are controls that are put in place to indicate or detect an error?
   1. Preventive controls
   2. Detective controls
   3. Corrective controls
   4. Deterrent controls
3. Which of the following is the segregation of duties an example of?
   1. Preventive control
   2. Detective control
   3. Corrective control
   4. Deterrent control
4. What is the process of using well-designed documentation to prevent errors an example of?
   1. Preventive control
   2. Detective control
   3. Corrective control
   4. Deterrent control
5. What kind of control is a control that enables a deficiency or another irregularity to be corrected before a loss occurs?
   1. Preventive control
   2. Detective control
   3. Corrective control
   4. Deterrent control
6. Utilizing a service of only qualified resource is an example of:
   1. Preventive control
   2. Detective control
   3. Corrective control
   4. Internal control
7. A check subroutine that identifies an error and makes a correction before enabling the process to continue is an example of what kind of control?
   1. Preventive control
   2. Detective control
   3. Corrective control
   4. Deterrent control

8. Barriers or warning signs are examples of what kind of control?
   1. Preventive control
   2. Detective control
   3. Corrective control
   4. Deterrent control
9. An "echo" message in a telecommunications protocol is an example of what kind of control?
   1. Preventive control
   2. Detective control
   3. Corrective control
   4. Compensating control
10. Checkpoints in a production job are examples of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Compensating control
11. Controls that minimize the impact of a threat are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
12. Controls that remedy problems observed by means of detective controls are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
13. Controls that indirectly address a risk or address the absence of controls that would otherwise directly act upon that risk are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls

14. Controls that predict potential problems before their occurrence are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
15. The requirement of biometric access for physical facilities is an example of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
16. Which of the following risks represents a process failure to detect a serious error?
    1. Detective risk
    2. Inherent risk
    3. Sampling risk
    4. Control risk
17. Which of the following statements best describes detective controls and corrective controls?
    1. Both controls can prevent the occurrence of errors
    2. Detective controls are used to avoid financial loss and corrective controls are used to avoid operational risks
    3. Detective controls are used as a deterrent check and corrective controls are used to make management aware that an error has occurred
    4. Detective controls are used to identify that an error has occurred and corrective controls fix a problem before a loss occurs
18. Why are control objectives defined in an audit program?
    1. To give the auditor an overview for control testing
    2. To restrict the auditor to testing only documented controls
    3. To prevent management from altering the scope of the audit
    4. To help the auditor to plan for the resource requirements

CISA aspirants are expected to understand the following aspects of risk-based audit planning:

• What is the risk?
• Vulnerabilities and threats
• Inherent risk and residual risk
• The advantages of risk-based audit planning
• Audit risk
• The steps of the risk-based audit approach
• The steps of risk assessment
• The four methodologies for risk treatment

What is risk?

Let's look at some of the widely accepted definitions of risk.

Most of the CISA questions are framed around Risk. CISA candidates should have a thorough understanding of the term risk. Multiple definitions/formulas are available for risk. If you look carefully, every definition speaks either directly or indirectly about two terms: probability and impact.

Some of the more commonly used definitions of risk are presented here:

• ERM-COSO defines risk as "Potential events that may impact the entity."
• The Oxford English Dictionary defines risk as "The probability of something happening multiplied by the resulting cost or benefit if it does."
• Business Dictionary.com defines risk as "The probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preventive action."
• ISO 31000 defines risk as "The effect of uncertainty on objectives."

In simple words, the 'risk' is the product of probability and impact:

Probability and impact are equally important when identifying risk. For example, say that the probability or likelihood of a product being damaged is very high, with a value of “1”; however, say that product barely costs anything and so the impact is “0” even if the product is damaged.

So, the risk in this scenario would be calculated as follows:

Risk = P * I

Risk = 1 * 0 = 0

Understanding vulnerability and threat

Another way of understanding risk is by understanding the notion of vulnerability and threat. In simple terms, a vulnerability is a weakness and a threat is something that can exploit said weakness. Again, both elements (V and T) should be present in order to constitute a risk.

There is no threat to a useless system, even if it is highly vulnerable. As such, the risk for that system would be nil in spite of the high vulnerability:

There are various definitions and formulas for risks. However, for the CISA certification, please remember only the following two formulas:

In the second formula, A, V, and T are the value of, vulnerability of, and threats to assets, respectively.

Understanding inherent risk and residual risk

A CISA candidate should understand the difference between inherent risk and residual risk:

The following is the formula for residual risk:

Advantages of risk-based audit planning

Risk-based audit planning is essential to determine an audit's scope (the areas/processes/assets to be audited) effectively. It helps to deploy audit resources to areas within an organization that are subject to the greatest risk.

The following are the advantages of risk-based audit planning:

• Effective risk-based auditing reduces the audit risk that arises during an audit.
• Risk-based auditing is a proactive approach that helps in identifying issues at an early stage.
• One of the major factors in a risk assessment is compliance with contractual and legal requirements. Risk-based auditing helps an organization to identify any major deviation from contractual and legal requirements. This improves compliance awareness throughout the organization.
• Risk-based auditing promotes preventive controls over reactive measures.
• Risk-based auditing helps to align internal audit activities with the risk management practices of the organization.

Audit risk

Audit risk refers to the risk that an auditor may not be able to detect material errors during the course of an audit. Audit risk is influenced by inherent risk, control risk, and detection risk. The following list describes each of these risks:

• Inherent risk: This refers to risk that exists before applying a control.
• Control risk: This refers to risk that internal controls fail to prevent or detect.
• Detection risk: This refers to risk that internal audits fail to prevent or detect.

The following figure explains the relationship between all three risks:

An IS auditor should have sound knowledge of the audit risk when planning auditing activities. Some ways to minimize audit risk are listed here:

• Conduct risk-based audit planning
• Review the internal control system
• Select appropriate statistical sampling
• Assess the materiality of processes/systems in the audit scope

It is the experience and expertise of the auditor that minimizes audit risk. However, it must be noted that the auditor is a watchdog and not a bloodhound.

Risk-based auditing approach

In a risk-based auditing approach, it is important to understand the steps to be performed by the IS auditor. The following structured approach will help to minimize the audit risk and provide assurance about the state of affairs of the auditee organization:

1. Step 1 – Acquire pre-audit requirements:
   • Knowledge about industry and regulatory requirements
   • Knowledge about applicable risk to the concerned business
   • Prior audit results
2. Step 2 – Obtain information about internal controls:
   • Get knowledge about the control environment and procedures
   • Understand control risks
   • Understand detection risks

3. Step 3 – Conduct compliance test:
   • Identify the controls to be tested
   • Determine the effectiveness of the controls
4. Step 4 – Conduct a substantive test:
   • Identify the process for the substantive test
   • See that the substantive test includes analytical procedures, detail tests of account balances, and other procedures

Risk assessments

A risk assessment includes the following steps:

Risk assessments should be conducted at regular intervals to account for changes in risk factors. The risk assessment process has an iterative life cycle. Risk assessments should be performed methodically and the outputs should be comparable and reproducible.

Also, it is important to determine the risk appetite of the organization. Risk appetite helps to prioritize various risks for mitigation.

Risk response methodology

Risk response is the process of dealing with a risk to minimize its impact. It is a very important step in the risk management process. Here are the four main risk response methodologies:

• Risk mitigation/risk reduction: Take some action to mitigate/reduce the risk.
• Risk avoidance: Change the strategy or business process to avoid the risk.
• Risk acceptance: Decide to accept the risk.
• Risk transfer: Transfer the risk to a third party. Insurance is the best example.

The risk culture and risk appetite of the organization in question determines the risk response method. Of the preceding responses, the most widely used response is risk mitigation by implementing some level of controls.

Let's understand the preceding risk response methodologies with a practical example. Say that a meteorological department has forecasted heavy rain during the day and we need to attend CISA lectures. The risk of rain can be handled in the following manner:

• The majority of candidates will try to mitigate the risk of rain by arranging for an umbrella/raincoat to safeguard them from potential rain (mitigation of risk).
• Some courageous candidates won't worry about carrying an umbrella/raincoat (risk acceptance).
• Some candidates, such as me, will not attend classes (risk avoidance).

It's not always feasible to mitigate all the risk at an organizational level. Risk-free enterprise is an illusion.

You cannot run a business without taking risks. Risk management is the process of determining whether the amount of risk taken by an organization is in accordance with the organization's capabilities and needs.

Top-down and bottom-up approaches to policy development

Let's understand the difference between the top-down and bottom-up approaches to policy development.

The top-down approach

In the top-down approach, a policy is developed and designed from a senior management perspective. In a top-down approach, policies are developed and aligned with business objectives. Involvement of senior management in designing the risk scenario is of the utmost importance. One advantage of the top-down approach to developing organizational policies is that it ensures consistency across the organization.

The bottom-up approach

In the bottom-up approach, polices are designed and developed from the process owner's/employee's perspective. The bottom-up approach begins by defining operational-level requirements and policies. The bottom-up approach is derived from and implemented on the basis of the results of risk assessments.

The best approach

An organization should make use of both the top-down approach and the bottom-up approach when developing organizational policies. They are complementary to each other and should be used simultaneously. In a top-down approach, major risks to business objectives are addressed, whereas in the bottom-up approach, process-level risks are addressed.

Key aspects from CISA exam perspective

The following table covers the important aspects from the CISA exam perspective:

Self-evaluation questions

1. Which of the following is the most critical aspect of a risk analysis?
   
   1. Identifying competitors
   2. Identifying the existing controls
   3. Identifying vulnerabilities
   4. Identifying the reporting matrix of the organization
2. What is the initial step in risk-focused audit planning?
   
   1. Identifying the role and responsibility of the relevant function
   2. Identifying high-risk processes
   3. Identifying the budget
   4. Identifying the profit function
3. What is the main objective of conducting a risk assessment?
   
   1. To determine the segregation of duties for critical functions
   2. To ensure that critical vulnerabilities and threats are recognized
   3. To ensure that regulations are complied with
   4. To ensure business profitability
4. What should be the next step of an IS auditor after identifying threats and vulnerabilities in a business process?
   
   1. Identifying the relevant process owner
   2. Identifying the relevant information assets
   3. Reporting the threat and its impact to the audit committee
   4. Identifying and analyzing the current controls

5. Which of the following is the main benefit of risk-based audit planning?
   
   1. The communication of audit planning to the client in advance
   2. The completion of the audit activity within the allocated budget constraints
   3. The use of the latest auditing technology
   4. The focus on high-risk areas
6. Which of the following should be the primary focus when considering the level of security of an IT asset?
   
   1. The criticality of the IT asset
   2. The value of IT the asset
   3. The owner of IT the asset
   4. The business continuity arrangement for the IT asset

7. The actions of the IS auditor is most likely to influence which of the following risks?
   
   1. Inherent
   2. Detection
   3. Control
   4. Business
8. What is the risk of an inadequate audit methodology known as?
   
   1. The procedural aspect
   2. Control risk
   3. Detection risk
   4. Residual risk
9. Particular threat of an overall business risk indicated as:
   
   1. The product of the probability and impact
   2. The probability of threat realization
   3. The valuation of the impact
   4. The valuation of the risk management team
10. Which of the following is the first step in performing risk assessments of information systems?
    
    1. Reviewing the appropriateness of existing controls
    2. B. Reviewing the effectiveness of existing controls
    3. Reviewing the asset-related risk surveillance mechanism
    4. Reviewing the threats and vulnerabilities impacting the assets

11. What is the first step in evaluating the security controls of a data center?
    
    1. Determining the physical security arrangement
    2. Evaluating the threats and vulnerabilities applicable to the data center site
    3. Evaluating the hiring process of security staff
    4. Determining the logical security arrangements
12. What does the classification of information assets help to ensure?
    
    1. The protection of all IT assets
    2. That a fundamental level of security is implemented irrespective of the value of assets
    3. That information assets are subject to suitable levels of protection
    4. That only critical IT assets are protected

13. Which of the following should be performed first in a risk-focused audit?
    
    1. Analyzing inherent risk
    2. Analyzing residual risk
    3. Analyzing the controls assessment
    4. Analyzing the substantive assessment
14. In a risk-focused audit, which of the following is the most critical step?
    
    1. Determining the high-risk processes
    2. Determining the capability of audit resources
    3. Determining the audit procedure
    4. Determining the audit schedule
15. Which of the following options best describes the process of assessing a risk?
    
    1. Subject-oriented
    2. Object-oriented
    3. Mathematics-oriented
    4. Statistics-oriented
16. What is the outcome of a risk assessment exercise utilized for?
    
    1. Estimating profits
    2. Calculating the ROI
    3. Implementing relevant controls
    4. Conducting user acceptance testing

17. With whom does the responsibility of managing risk to an acceptable level rest?
    
    1. The risk management team
    2. Senior business management
    3. The chief information officer
    4. The chief security officer
18. Which of the following is a major factor in the evaluation of IT risks?
    
    1. Finding vulnerabilities and threats that are applicable to IT assets
    2. Analyzing loss expectancy
    3. Benchmarking with industry
    4. Analyzing previous audit reports

19. An IS auditor has determined a few vulnerabilities in a critical application. What should their next step be?
    
    1. Reporting the risk to the audit committee immediately
    2. Determining a system development methodology
    3. Identifying threats and their likelihood of occurrence
    4. Recommending the development of a new system
20. What does a lack of appropriate control measures indicate?
    
    1. Threat
    2. Magnitude of impact
    3. Probability of occurrence
    4. Vulnerability
21. Which of the following is the first step in a risk management program?
    
    1. Determining a vulnerability
    2. Determining existing controls
    3. Identifying assets
    4. Conducting a gap analysis
22. What is the advantage of the bottom-up approach to the development of enterprise policies?
    
    1. They cover the whole organization.
    2. They are created on the basis of risk analysis.
    3. They are reviewed by top management.
    4. They support consistency of procedure.

23. The mitigation of risk can be done through which of the following?
    
    1. Controls
    2. Outsourcing
    3. Audit and certification
    4. Service level agreements (SLAs)
24. The most important factor when implementing controls is ensuring that the control does which of the following?
    
    1. Helps to mitigate risk
    2. Does not impact productivity
    3. Is cost effective
    4. Is automated

25. The absence of internal control mechanisms is known as what?
    
    1. Inherent risk
    2. Control risk
    3. Detection risk
    4. Correction risk
26. Which of the following represents the risk that the controls will not prevent, correct, or detect errors in a timely manner?
    
    1. Inherent risk
    2. Control risk
    3. Detection risk
    4. Correction risk
27. What is the primary consideration when evaluating the acceptable level of risk?
    
    1. The acceptance of risk by higher management
    2. That not all risks need to be addressed
    3. That all relevant risks must be recognized and documented for analysis
    4. The involvement of line management in risk analysis
28. What is the best approach when focusing an audit on a high-risk area?
    
    1. Perform the audit; the control failures will identify the areas of highest risk
    2. Perform the audit and then perform a risk assessment
    3. Perform a risk assessment first and then concentrate control tests in the high-risk areas
    4. Increase sampling rates in high-risk areas

29. In a risk-based audit approach, which of the following is the least relevant to audit planning?
    
    1. The adoption of a mature technology by the organization
    2. The risk culture and risk awareness of the organization
    3. The legal regulatory impact
    4. Previous audit findings

CISA candidates are expected to have a basic understanding of the various types of audits that can be performed, internally or externally, and the basic audit procedures associated with each of them. These are as follows:

The following diagram shows various audits combined to form an integrated audit, giving an overall view of an organization's functioning:

As you can see, integrated audit tests the internal controls of an organization. It can be performed either by the internal audit team or an external audit firm.

Self-evaluation questions

1. Which audit is designed to collect and evaluate an information system and any related resources?
   1. Compliance audit
   2. Operational audit
   3. IS audit
   4. Specialized audit

2. Which audit involves specific tests of controls to demonstrate adherence to specific regulatory or industry standards?
   1. Operational audit
   2. Compliance audit
   3. Integrated audit
   4. Financial audit

3. Which audit assesses the overall objectives within an organization in terms of safeguarding an asset's efficiency and compliance?
   1. Operational audit
   2. Compliance audit
   3. Integrated audit
   4. Financial audit
4. Which audit involves the independent evaluation of software products, verifying it's configuration items?
   1. Functional audit
   2. Integrated audit
   3. Specialized audit
   4. Compliance audit
5. In which audit can an IS auditor assist a forensic specialist in performing forensic investigations and conduct an audit of the system to ensure compliance?
   1. Specialized audit
   2. Integrated audit
   3. IS audit
   4. Computer forensic audit
6. Which audit is designed to assess issues related to the efficiency of operational productivity within an organization?
   1. Administrative audit
   2. Integrated audit
   3. Compliance audit
   4. Operational audit

In this chapter, we discussed various audit processes, standards, guidelines, practices, and techniques that an IS auditor is expected to use during audit assignments. We learned about risk-based audit planning and its advantages. The most important benefit of audit planning is that it helps the auditor to focus on high-risk areas. We also discussed the major risks associated with business applications.

In the next chapter, we will discuss and learn about audit execution, which includes project management techniques, sampling methodology, audit evidence collection techniques, and other aspects of conducting an audit.

In this section, you will find the answers to the assessment questions.

Content of the audit charter

1. Answer: A. Higher management
   Explanation: Ideally, top management should approve the audit charter. The approved audit charter is the basis on which the chief audit officer carries out audit processes. The IS department and the IT steering committee should not be involved in the preparation of the audit charter.
2. Answer: D. Outline the overall authority, scope, and responsibilities of the audit function.
   Explanation: The overall scope, authority, and responsibility of the audit function is outlined in an audit charter. The charter should not be frequently modified. The audit charter will not cover procedural aspects such as the audit calendar and resource allocation. Business continuity arrangements should ideally be incorporated in the BCP document, and it should not form part of the audit charter.
3. Answer: D. To prescribe the authority and responsibilities of the audit department
   Explanation: The main purpose of the audit charter is to define the auditor's roles and responsibilities. The audit charter should empower auditors to perform their work. Procedural aspects such as audit procedure, resource allocation, and ethical standards should not be a part of the audit charter.

4. Answer: B. The audit charter
   The audit charter includes the overall scope, responsibility, and authority of the audit department. Audit planning is included in the audit calendar. The risk assessment and treatment plan should contain details of identified risks and their mitigating controls. The compendium of audit observations contains a summary of critical audit observations for top management.
5. Answer: C. To understand the authority and responsibility of individuals
   Explanation: An organization chart is used to derive details about the authority and responsibility of relevant functions in the organization. It will help to understand whether proper segregation of duties exists.

6. Answer: A. The audit charter
   Explanation: The overall scope, authority, and responsibility of the audit department is outlined in the audit charter. Primarily, the actions of the audit team will be influenced and guided by this charter.
7. Answer. C. Security policy decisions
   Explanation: On the basis of the outcome of the risk management process, the organization determines the security requirements. Other choices are not directly impacted by the results of the risk management process.
8. Answer: B. The audit function's reporting structure
   Explanation: The overall scope, authority, and responsibility of the audit department is outlined in the audit charter. It should also document the reporting matrix of the audit function. Generally, the head of the audit reports to an audit committee.
9. Answer: A. The approved audit charter
   Explanation: The overall scope, authority, and responsibility of the internal audit department is outlined in the audit charter. The audit charter should be approved by top management/members of the board. The other options are not correct.
10. Answer: C. The internal audit function
    Explanation: The overall scope, authority, and responsibility of the internal audit department is outlined in the audit charter. The authority, scope, and responsibilities of the external audit are governed by the engagement letter.
11. Answer: C. The approved audit charter
    Explanation: An internal audit charter is an official document that comprises the internal audit department's objectives, authority, responsibilities, and delegation of authority.

12. Answer. B. The audit function must be independent of the business function and should have direct access to the board audit committee.
    Explanation: The audit function should be independent of influence and bias. Having direct and immediate access to the audit committee can enable auditors to raise major irregularities and concerns without any influence from business functions.
13. Answer. D. To provide a clear mandate in terms of authority and responsibilities for performing the audit function
    Explanation: The charter's main purpose is to define the auditor's roles and responsibilities. The audit charter empowers the audit function to carry out their work. The other options are not relevant to this purpose.

Audit planning

1. Answer: B. To identify high-risk processes in the organization
   Explanation: The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas.
2. Answer: D. The optimal use of audit resources for high-risk processes
   Explanation: The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas. Risk-based audit planning is designed to ensure that enough audit resources are spent on the risk-prone areas.
3. Answer: B. The evaluation of threats and vulnerabilities applicable to the data center
   Explanation: Getting information and an understanding of the processes being audited and evaluating the risks and various threats will help auditors to concentrate on high-risk areas, thereby making the audit more effective and relevant.
4. Answer: A. To identify high-risk processes
   Explanation: The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas. Risk-based audit planning is designed to ensure that enough audit resources are spent on the risk-prone areas.

Business process applications and controls

1. Answer: C. The contract for the trading partner is not entered
   Explanation: Legal liability cannot be enforced in the absence of an agreement between trading partners. There may be uncertainty with respect to legal liability. This will be the area of most concern. A dedicated communication channel is considered a good control for EDI transactions.
2. Answer: A. Ensuring the integrity and confidentiality of transactions
   Explanation: Encryption is a technical control through which plaintext is converted into encrypted (non-readable) text. Encryption processes are implemented to ensure the integrity and confidentiality of transactions.
3. Answer: B. Building a segment count total into transaction set trailer
   Explanation: Building a segment count total ensures the completeness of inbound transactions in an EDI environment.

4. Answer. B. Key verification
   Explanation: In key verification, the same field is filled in twice and a machine compares the entries for verification and validation. A reasonableness check ensures the logical reasoning of an input transaction. The control total is a system-based control that ensures that all relevant data is captured. A sequence check ensures the continuity of serial numbers. Completeness controls ensure the presence input for all required fields.
5. Answer: D. Non-repudiation
   Explanation: Non-repudiation is a control that ensures that the sender cannot deny a transaction. It ensures that a transaction is enforceable.

Types of controls

1. Answer: A. Preventive controls
   Explanation: Preventive controls are incorporated in such a way that prevents a threat event and thus avoids its potential impact. Detective controls are implemented to detect threat events once they have occurred. Detective controls aim to reduce the impact of an event. Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring a business to its routine operations. Compensating controls are alternate measures that are employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for a weakness in another area.

2. Answer: B. Detective controls
   Explanation: Preventive controls are incorporated in such a way that prevents a threat event and thus avoids its potential impact. Detective controls are implemented to detect threat events once they have occurred. Detective controls aim to reduce the impact of an event. Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring a business to its routine operations. Compensating controls are alternate measures that are employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for a weakness in another area.
3. Answer: A. Preventive controls
   Explanation: Segregation of duties is an attempt to prevent fraud or irregularities by segregating duties such that no single employee can commit fraud or other irregularities.

4. Answer: A. Preventive controls
   Explanation: Well-designed documents are an attempt to prevent errors by implementing efficient and effective operational procedures in the organization.
5. Answer: C. Corrective controls
   Explanation: Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring the routine operations of the business.
6. Answer: A. Preventive controls
   Explanation: Employing only qualified personnel is an attempt to prevent errors or other irregularities.
7. Answer: C. Corrective controls
   Explanation: The check subroutine corrects the error. It modifies the processing system and minimizes the likelihood of future occurrences of the problem.
8. Answer: D. Deterrent controls
   Explanation: A deterrent control is anything intended to warn a potential attacker not to attack.
9. Answer: B. Detective controls
   Explanation: Detective controls use controls that detect and report the prevalence of an error, omission, or malicious act.

10. Answer: B. Detective controls
    Explanation: Detective controls detect and report the prevalence of an error, omission, or malicious act.

11. Answer: C. Corrective controls
    Explanation: Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring to the routine operations of a business.
12. Answer: C. Corrective controls
    Explanation: Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring to the routine operations of a business. They provide a remedy to problems discovered by detective controls.
13. Answer: D. Compensating controls
    Explanation: Compensating controls are an alternate measure that is employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for weaknesses in other areas.
14. Answer: A. Preventive controls
    Explanation: Preventive controls detect problems before they arise. They prevent omissions, errors, or malicious acts from occurring.

15. Answer: A. Preventive controls
    Explanation: Access control aims to prevent access by unauthorized persons. It prevents omissions, errors, or malicious acts from occurring.
16. Answer. C. Control risk
    Explanation: Control risk is a term that signifies the possibility that a control will fail to prevent or detect unwanted actions.
17. Answer. D. Detective controls are used to determine whether an error has occurred and corrective controls fix problems before losses occur.
    Explanation: Detective controls are designed to detect or indicate that an error has occurred. Examples of detective controls include audits, hash totals, echo controls, and so on. Corrective controls are designed to correct a risk or deficiency to prevent losses. Examples of corrective controls include business continuity planning, backup procedures, and more.
18. Answer. A. Give the auditor an overview of control testing.
    Explanation: On the basis of control objectives, an auditor can plan control testing to evaluate the effectiveness and efficiency of implemented controls.

Risk-based audit planning

1. Answer: C. Identifying vulnerabilities
   Explanation: The identification of vulnerabilities is an important aspect of conducting a risk assessment. If a vulnerability is appropriately recognized, controls and audit planning may not be effective.
2. Answer: B. Identifying high-risk processes of the organization
   Explanation: The identification of high-risk processes is the first and most critical step in risk-based audit planning. Audit planning should be done in accordance with high-risk areas.
3. Answer: B. Ensuring that critical vulnerabilities and threats have been recognized
   Explanation: The identification of vulnerabilities and threats is critical in developing a risk-based audit strategy. This will help in the determination of the processes to be considered in the scope of audit. The audit team can concentrate on high-risk areas.
4. Answer: D. Identifying and analyzing current controls
   Explanation: Once the threats and vulnerabilities are identified, the auditor should evaluate existing controls to draw a conclusion about residual risk.

5. Answer: D. Focusing on high-risk areas
   Explanation: The main advantage of a risk-focused audit is that the auditor can focus on areas of high risk. This will help to plan an audit in such a way that means the audit team can concentrate on the high-risk processes.
6. Answer: A. The criticality of IT assets
   Explanation: Protecting an asset will involve costs. It is important to understand the criticality of assets when designing appropriate levels of protection.
7. Answer: B. Detection
   Explanation: Detection risk refers to the risk that an internal audit fails to prevent or detect. Inherent risk refers to risk that exists before applying any controls. Control risk refers to risk that internal controls fail to prevent or detect. Business risks are not impacted by inadequate audit procedure.
8. Answer: C. Detection risk.
   Explanation: Detection risk refers to risk that an internal audit fails to prevent or detect.
9. Answer: A. The product of probability and impact
   Explanation: Risk is the product of impact and product. Option A considers both probability and impact. Option B considers only the probability of occurrence. Option C considers only the quantum of the impact. Option D is not applicable to the structured and scientific process of risk assessment.

10. Answer: D. Reviewing the threats and vulnerabilities applicable to the data center
    Explanation: The identification of vulnerabilities and threats is the first step in a risk assessment process. Once the threats and vulnerabilities are identified, the auditor should evaluate existing controls and their effectiveness to draw a conclusion about the residual risk. Continuous risk monitoring is implemented during the risk monitoring function.
11. Answer: Evaluating the threats and vulnerabilities applicable to the data center
    Explanation: Out of the given options, the first step in evaluating the security controls of a data center is evaluating the threats to and vulnerabilities of the data center. Options A and D are followed once the vulnerabilities and threats are identified. Option C is not considered as a part of a security analysis.
12. Answer: C. Information assets are subject to suitable levels of protection
    Explanation: Data classification helps in determining the appropriate level of protection for information assets. Having a specific level of information security is important when protecting data and other IT assets.

13. Answer: A. Analyzing the inherent risk assessment
    Explanation: The inherent risk assessment is the assessment of risk at a gross level without considering the impact of controls. The first step in a risk-focused audit is to obtain relevant details about the industry and organization to consider the inherent risk level.
14. (14) Answer: A. Determining high-risk processes
    Explanation: In risk-based planning, it is very important to determine high-risk areas. This will help to determine the areas to be audited.
15. Answer: A. Subject-oriented
    Explanation: To determine risk, you need to calculate probability and impact. Probability is based on estimates and estimates are always subjective. Risk assessment is based on perception.
16. Answer: C. Implementing relevant controls
    Explanation: The risk management process includes the assessment of risk and, on the basis of the outcome, the designing of various controls. The objective of the risk assessment process is to address the recognized risks by implementing appropriate controls.
17. Answer: B. Senior business management
    Explanation: Top business management have the final authority and also the responsibility for the smooth operation of the organization. They should not further delegate their responsibility for risk management. The other options should help authorities in determining the risk appetite of the organization.

18. Answer: A. Finding threats/vulnerabilities associated with current IT assets
    Explanation: The biggest factor in evaluating IT risk is finding and evaluating threats and vulnerabilities associated with IT assets. The other options, though very important factors for the risk assessment process, are not more important than option A.
19. Answer: C. Identifying threats and their likelihood of occurrence
    Explanation: Once the critical assets are identified, the next step is to determine vulnerabilities and then to look at threats and their probability of occurrence.
20. Answer: D. Vulnerability
    Explanation: A lack of security measures indicates a weakness or vulnerability. A vulnerability can be in the form of a lack of up-to-date anti-virus, weak software coding, poor access control, and more. It must be noted that vulnerabilities can be controlled by the organization.

21. Answer: C. The identification of assets
    Explanation: The identification of critical assets is the first step in the development of a risk assessment process.
22. Answer: B. Are created on the basis of risk analysis
    Explanation: In the bottom-up approach, risks related to processes are identified and considered. The approach starts by considering the process-level requirements and operational-level risk. The other options are the benefits of the top-down approach. In the top-down approach, policies are consistent across the organization and there is no conflict with overall corporate policy.
23. Answer: A. Implementing controls
    Explanation: Risks are managed and reduced by incorporating proper security and relevant controls. Through insurance, risk is transferred. Auditing and certification help in providing assurance, while SLAs help in risk allocation.
24. Answer: A. Addresses the risk
    Explanation: The most important factor for implementing controls is to ensure that the controls address the risk.
25. Answer: A. Inherent risk
    Explanation: Gross risk or risk before controls is known as inherent risk.
26. Answer: B. Control risk
    Explanation: Control risk refers to risk that internal controls fail to prevent or detect. Control risk refers to risk the internal control system of the organization will not able to detect, correct, or prevent.
27. Answer: C. All relevant risks must be documented and analyzed.
    Explanation: It is most important that identified risks are properly documented. After proper documentation, other factors should be considered.

28. Answer. C. Perform a risk assessment first and then concentrate control tests on high-risk areas
    Explanation: On the basis of risk assessment, the audit team should devote more testing resources to high-risk areas.
29. Answer. A. The adoption of mature technology by the organization
    Explanation: Technology adoption may not have a huge impact while planning an audit as compared to other options. All the options are important, but the technology's maturity alone has the least influence on an organization's risk assessment.

Types of audit and assessment

1. Answer. C. IS audit
   Explanation: An IS audit is designed to evaluate an information system and any related resources to determine the adequacy of the internal controls that provide the availability, integrity, and confidentiality of the IT assets of the system.
2. Answer. B. Compliance audit
   Explanation: A compliance audit includes specific tests of controls to determine adherence to specific regulatory or legal requirements.
3. Answer. C. Integrated audit
   Explanation: There are different types of integrated audits that may combine financial and operational audit steps to assess the overall objectives of an organization and safeguard the efficiency and compliance of assets.
4. Answer. A. Functional audit
   Explanation: A functional audit provides an independent evaluation of software products. The audit comes either prior to software delivery or after implementation.
5. Answer. D. Computer forensic audit
   Explanation: This is an investigation that includes the analysis of electronic devices. An IS auditor can support an IS manager or forensic specialist when conducting forensic analysis and auditing to ensure adherence to policy and procedure.
6. Answer: D. Operational audit
   Explanation: An operational audit is designed to perform an operational audit and other aspects related to the effectiveness, efficiency, and productivity of an enterprise.