Since I have little knowledge of audits (only what I learned in college), I have been reading up on the finer details of an audit. I came across this documentation on the methods of carrying out a risk assessment in an audit. The article lists three options for performing a risk assessment (though there are many ways of performing one). One way is to have an outside consultant come in, look at what the company wants to accomplish, analyze the business processes, and determine what the company's exact risks are. Another way is for a consultant to come in, work with management to identify risks, determine the level of risk to the company, and evaluate the controls in place. The final way, as detailed in the article, is to have the assessment performed by many employees in the company, who identify the possible risks, ensure the controls are in place, and monitor whether the controls are working. This, though, is meant for an audit of the financial statements. While it's true these methods can be used to audit other parts of the company, they are mainly for ensuring that the financial statements are reasonably correct and free from errors.
So how could I apply this to an I.S. audit? The first step on an engagement is setting the scope and the objectives of the audit. Then you move on to the risk assessment. Which of these methods to use will depend on how the company operates and on the inherent risk to the company. If the company is more "top-down", and things are usually dictated from the top, then perhaps it would be better to have a consultant come in, talk with management to identify risks, and perform further assessments from there. A problem with this, though, is that you may not get buy-in from the lower-level employees. At least, that's what I can tell from such an approach.
As for other methods, well, I’m going to have to eventually learn those in detail.