In addition, financial audits have the same prerequisite. Beginning with the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards (SAS) No. 99, “Consideration of Fraud in a Financial Statement Audit,” and continuing with the risk-based audit standards (SAS 104-111), financial audits are planned after a risk assessment that specifically identifies the risks of fraud or material misstatement having taken place, each accompanied by an assessed level of risk (e.g., from low to high). Audit procedures are then developed at a level commensurate with that risk; that is, a high risk needs a high-strength test or procedure, while a medium risk needs a medium-strength test.
This article describes the basics of conducting an effective audit of IT risk assessment activity in an entity.