Audit Risk Assessment – Risk Types & Relationships
Risk assessment is one of the most important parts of the IS Audit process. This article briefly describes the different types of audit risk and their interrelationships.
Audit Risk is the risk that arises from the auditor's inappropriate or inaccurate judgment about the audit subject or audit area.
The following types of risk can be found in the IS Audit process:
1. Inherent Risk
2. Control Risk
3. Detection Risk
4. Residual Risk
Inherent Risk is the default risk linked to the area of audit. In other words, Inherent Risk is the risk naturally related to the business area of the audit subject.
Control Risk is the risk that errors or irregularities in the audit subject may not be detected, prevented or corrected by the existing internal control.
Remember, Control Risk and Internal Control are entirely different.
Detection Risk is the risk that material errors or irregularities in the audit subject will not be detected by the substantive test techniques used by the IS Auditor.
The following formula shows the relationship between all the risk types covered so far:
Audit Risk = Inherent Risk + Control Risk + Detection Risk
Residual Risk is the risk that remains in the system even after controls have been put in place to mitigate the inherent risks of the audit subject.
The relationship between Inherent Risk, Control Risk and Residual Risk can be depicted by the following formula:
Inherent Risk × Control Risk = Residual Risk
Abbreviations used:
IS - Information Systems
2 comments:
Hi,
I am reading your blog to prepare for the CISA exam in addition to the CRM.
Have a question: you mentioned "Inherent Risk × Control Risk = Residual Risk".
How can the "x" ("multiply by") be explained?
Am still stuck in the "Residual risk = Total Risk - Responses to Risks"
Thanks,
James Tan
This is certainly a very good observation.
I have tried to answer your query at
http://passcisa.blogspot.com/2008/12/audit-risk-and-relationship.html
Thanks for writing to us