Using Risks To Determine The Frequency Information Technology Essay


This paper discusses the possibility of IT auditors using a risk-based approach to determine when to audit the IT portion of a company. We discuss the risks involved in the IT portion of a company and how the IT auditor can use these risks to determine when it is necessary to audit an IT client. We also give an example of how this approach is used by an Australian government agency, along with our thoughts on how it would be used by an IT auditor.


Going against the grain of society is difficult and can cause you to be viewed as an outcast. However, change follows any new technology. The SEC determined that audits of publicly traded companies be performed once a year, but even rules change when new technology makes better methods possible.

The proposal found throughout this paper is not that all audit time periods should change, but rather that the IT audit frequency should change because of the new technology available to auditors. In this fast-paced, ever-changing world it is apparent that a lot can happen in one year. Companies can fail, be purchased, or become private in a short period of time. IT audits should keep pace with the world, and there should be a method for determining the timing of the audit rather than a one-year rule. We believe there should be a minimum rule for auditing a publicly traded company but not a set time and frequency.

In this paper you will find a discussion of the audit risks involved in an IT audit and why it is essential for auditors to comprehend them. With knowledge of the IT risks involved in the IT audit and of the overall audit risks, the auditor can determine when to perform an audit without exceeding the acceptable level of audit risk. We provide an example that has been implemented by a governmental agency that audits manufacturers of medical items. Furthermore, we also provide an example of how this can be used for an IT audit, and the benefits of using risks to change the frequency of the audit.

Overall risks

Audit Risk

Audit risk is the risk that the auditor is not able to discover material errors in the financial statements or that the auditor gives the wrong opinion on the financial statements. Audit risk consists of inherent risk, control risk, and detection risk. Inherent risk is the risk that comes along with doing business. Control risk is the risk that the controls within the company will not catch a material error. Finally, detection risk is the risk that the auditor will not catch material misstatements through substantive testing. In most cases the auditor sets an acceptable level of total audit risk that they are willing to accept.[1]

Inherent Risk

Inherent risk is the risk that comes with doing activities without controls. It can come from things such as the complexity of a project, the amount of work at a given time, "the health of the industry, strength of competitors, product demand, and earnings variables."[2][3] In other words, it comes from human limitations. It cannot be controlled simply by adding controls to the process. Inherent risk is very difficult to quantify because it is subjective in nature.[4] It is also very difficult to determine whether inherent risk can explain material misstatements, as seen in the paper "The Relationship of Risk Assessments and Information Technology To Detected Misstatements," which cites several papers with conflicting assessments of whether inherent risk can explain some material misstatements.[5] Inherent risk is the baseline when we look at the frequency of the audit, as it is the risk without controls. The inherent risk of the company will affect the controls the company puts in place at the beginning to try to "compensate" for these inherent risks. According to the HALO theory, the higher the inherent risk, the more "stringent" the "compensating controls" will be.[3] This is especially relevant for us, as more stringent controls will lower overall audit risk in an IT audit.

Control Risk

Control risk is the risk that the controls within the company will not work effectively. Most audits leave the assessment of control risk to a senior auditor. There is more than one way to evaluate control risk, though the qualitative approach is the "traditional way." Information Technology General Controls is an evaluation model for determining the control risk of a company.[6] Control risk is the most easily fixed of the three risks because the organization can repair controls that are not working properly and thereby lower the control risk. Audit firms spend a lot of time determining the appropriate control risk for an audit because of the high costs associated with getting it wrong. Because of accountants' tendency towards conservatism, they are more likely to estimate it too high.[7]

Detection Risk

Detection risk is the risk that the auditor will not be able to find material misstatements and will conclude that there is no material misstatement. Some things may reduce detection risk, including additional substantive tests and analysis, though some say this actually increases the risk if there is a high likelihood of fraud.[8] It also depends heavily on the quality of the auditors, because this risk rests with the auditors and only the auditors can lower it.[9] If the system being audited has predominantly electronic evidence, it may not be possible to lower detection risk by performing more substantive tests.[10]

Audit Risk Conclusions

The organization has direct control only over the control risk. The inherent risk is just that, inherent, and it cannot be controlled at all. The detection risk rests completely with the auditor, so the organization cannot control it except by hiring a known competent auditor. Control risk is the risk we will focus on in this paper because it is the most easily manipulated and because control risk informs an IT audit. After calculating the control risk of the company, which can easily change from audit to audit, we will add it to the inherent risk and the detection risk to get the total audit risk.

Information systems security risks

There are many risks involved with a company's IT. The risks we discuss have been recognized by articles and books alike. The following risks are taken from Michael E. Whitman's article "Enemy At The Gate: Threats To Information Security" [15][i]:

1. Act of Human Error or Failure

2. Compromises to Intellectual Property

3. Deliberate Act of Espionage or Trespass

4. Deliberate Acts of Information Extortion

5. Deliberate Acts of Sabotage or Vandalism

6. Deliberate Acts of Theft

7. Deliberate Software Attacks

8. Forces of Nature

9. Quality of Service Deviations from Service Providers

10. Technical Hardware Failures or Errors

11. Technical Software Failures or Errors

12. Technological Obsolescence

In our discussion of each of these risks we also state the approximate frequency of the risk and whether a breach is expensive or inexpensive when it occurs.

Act of Human Error or Failure

Employee mistakes constitute one of the biggest threats to information security. Employees can easily be socially engineered, tricked, or make so-called "innocent mistakes" which compromise a secured organization.[ii] Examples include the wrongful deletion of important files and documents, entry of erroneous data, mistakenly divulging classified company data to the outside world, and failure to protect documents entrusted to an employee's care. Such mistakes can compromise the security posture of the organization. Many of these acts are performed without any malicious intent and result from inexperience on the part of the employee, lack of knowledge of the subject matter due to inadequate training, or wrong assumptions.

Compromises to intellectual property

Intellectual property refers to the creations of the mind: inventions, literary and artistic works, and symbols, names, and designs used in commerce.[iii] Copyrights, trade secrets, patents, and trademarks all fall under intellectual property. Many organizations either create their own intellectual property or borrow another company's intellectual property for their own use. Breaches of the organization's intellectual property constitute a threat to the security of its information and data. Unlawful use of an organization's trade secrets, which are a source of value and competitive advantage, is a business risk. It is therefore imperative for organizations to ensure that their intellectual property is adequately protected.

Deliberate acts of Espionage or Trespass

Deliberate acts by persons to breach the confidentiality of information are termed an act of trespass or espionage. According to Whitman, this threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information.[iv] An individual has trespassed on an organization's information if the person gains access to that information. Even if the person makes no changes to that information, having gained access to it can be classified as a trespass. Hackers who successfully access an organization's information always breach this element of information security, even if they make no changes to the information they access.

Deliberate acts of Information Extortion

According to Rezgui & Marks, deliberate acts of information extortion are among the information security threats organizations have faced in recent years.[v] This threat is based on an attacker or hacker stealing organizational information and holding it for ransom. The attacker demands compensation to keep the information confidential or to return the data to the organization.

Deliberate acts of Sabotage or Vandalism

Whitman also describes this threat as a category that addresses an individual or group of individuals who want to deliberately sabotage the operations of a computer system or business, or perform acts of vandalism to either destroy an asset or damage the image of the organization. The destruction of company assets and resources can all be classified as acts of vandalism. In addition, attacking an organization's website and preventing it from performing the functions necessary for its operation can be termed vandalism; its intent is to damage the reputation of the company.

Deliberate acts of theft

This is the threat posed by individuals both inside and outside the organization directly or indirectly stealing the resources of the organization. Such resources include its assets, data (electronic and physical), and information. This act can lead to the compromise of the confidentiality, integrity, and availability of information.

Deliberate Software Attacks

Deliberate software attacks are one of the security risks a company deals with, and it is a broad category. It encompasses some of the most prevalent attacks on companies, such as viruses, denial of service attacks, and Trojan horses [15]. The 2008 "CSI Computer Crime & Security Survey" asked approximately 500 individuals from companies that are members of the CSI community. Approximately 50% of the respondents said they had experienced incidents involving viruses, and 21% said they had experienced denial of service attacks [11](Richardson, Robert 2008). Both types of incident fall within deliberate software attacks, which confirms that this category occurs frequently.

Forces of Nature

Forces of nature can disrupt anything man-made, including information systems. A few examples are tornadoes, earthquakes, and tsunamis (which can be caused by earthquakes). These risks should be easy for the auditor to determine. The IT auditor should determine whether the company is near a fault line (e.g. California), near large bodies of water (e.g. Hawaii), or in a location whose history shows susceptibility to certain events such as tornadoes or hurricanes (e.g. Florida).

Quality of Service Deviations from Service Providers

A business relying on a third party for services faces risk because it does not control the third party's ability to provide those services. All businesses rely on third parties to different degrees, from none to complete reliance. The more a company relies on a third party for core business processes, the more risk it bears when the third party is not able to perform at the agreed-upon level. The IT auditor should look for policies and procedures put in place to minimize the effects of a third party not performing correctly.

Some items the IT auditor should look for are back-up procedures, insurance when available, and contracts specifically stating the agreed-upon levels of performance and any restitution available if the third party does not perform at the required minimum level. Because there are inherent risks involved in using a third party, those risks should be viewed with professional skepticism, and any controls said to mitigate them should be examined to determine whether they do so adequately and appropriately.

Technical Hardware Failures or Errors

A computer or other electronic device can fail for a number of reasons. It is common knowledge that water will damage a computer. If the temperature changes dramatically and quickly, the resulting condensation can be a risk to an electronic device. It is therefore understandable that the frequency of this type of risk can be high and, depending on how many devices are affected, it can also be costly. An IT auditor should determine that there are appropriate controls to prevent these risks from occurring. These controls can take many forms. A simple example would be a company policy that drinks do not leave the break room and company computers are not allowed in the break room. This would prevent the human error of accidentally spilling a beverage on a computer and damaging it.

Technical Software Failures or Errors

Technical software risks occur because of uncertainty surrounding tasks and procedures. There are many types of software risk. Table [ ] includes all of the components. Table [ ] also lists the technical aspects, along with other aspects we will not discuss, of each component of software risk management techniques. For each of these risks the IT auditor should determine whether there are controls to mitigate or avoid the risk completely [14](Sherer, Susan 1995).

For example, while the IT auditor is reviewing security risks in the technical portion of the software, they should check whether data controls are in place to minimize the effect of the security risk. All the risks, along with the risk management techniques that should be considered, can be seen by using the two tables and aligning each component. Depending on how pervasive the technology is inside the company and the sufficiency and appropriateness of the controls used to prevent the risks, the frequency and cost of these risks can change. The more pervasive the technology and the less sufficient and appropriate the controls, the more likely that larger and more frequent losses will occur.

The frequency of natural events will differ depending on the location of the company and the history of that location. For example, a business in California has a higher risk of being in an earthquake than a business in North Carolina. The cost of such an event will also have to be determined on a client-by-client basis. Costs experienced from natural disasters vary depending on the size and wrath of the event.

Technological Obsolescence

Items becoming obsolete are an obvious problem for auditors and businesses alike, but an even larger problem when dealing with technology products. "A part becomes obsolete when it is no longer manufactured, either because demand has dropped to low enough levels that manufacturers choose not to continue to make it, or because the materials or technologies necessary to produce it are no longer available" [13](Sandborn, Peter 2007)[vi]. Technology can become obsolete overnight, and therefore it is highly important to maintain a level of knowledge about the IT in order to know when an item has become obsolete. Xerox saw this issue first hand when its inventory was carried on its books at values far above what it was worth, much of it being relatively worthless.

Overpricing a company's IT can have a dramatic effect on the balance sheet and in the minds of the shareholders. With IT, obsolescence happens often. In order to know whether a device or product has become obsolete you should understand the item and its competitors. Understanding the competitors is important because technology becomes obsolete when something is made that can perform all of its functions plus new ones. Not only can technology become worthless frequently, but the cost can also be high depending on how the item is classified. If the obsolete item is inventory, there could be a lot involved and the amount lost could be very large. On the other hand, if the item is a device the business uses, it will not have a dramatic effect on the business itself.

The frequency and cost of technological obsolescence can both be high, but seeing the early signs and adjusting the business can have a positive impact on the company. An example would be a company using Just-in-Time (JIT) instead of keeping lots of inventory on site. This would reduce the risk of inventory obsolescence having an intense impact on the company.

How IT risks can influence the frequency of an IT audit

According to Alexander Kogan and co-authors, the progressive computerization of business processes and the widespread availability of computer networking have made it possible to dramatically increase the frequency of periodic audits.[vii] According to the article, this is done by redesigning the auditing architecture, making it possible to produce audit results simultaneously with, or shortly after, the occurrence of relevant events. This type of auditing, although beneficial and more efficient, is only feasible if implemented as a fully automated process with instant access to relevant events and their outcomes. (Kogan & Co.)

According to Jane Butt, in evaluating internal controls, the auditor's judgment of the frequency with which different accounting processes generate errors should affect evaluations of the importance of control weaknesses discovered in the system.[viii] In other words, the frequency with which sub-processes generate errors has a major impact on the control risk assessment and on the amount of audit evidence needed to give an opinion. As a result,

There are many circumstances that create an opportunity for fraud to be perpetrated in an organization. Where there is an absence of controls, ineffective controls, or the ability of management to override controls, these situations create an opportunity for management to engage in fraud, as described by Michael Ramos in his article "Auditors' Responsibility for Fraud Detection." This has a clear effect on the control risk inherent in the organization.

We believe that IT risks should influence the frequency of the IT audit in order to reduce the problems inherent in other audit forms such as continuous auditing. This will improve the audit process and make it more efficient. Determining the frequency of the audit based on the IT risks of the company involves increasing the frequency of audits of particular accounts and assets based on the risks inherent in that operation. In a sense, the higher the inherent risks, business risks, and control risks, the more likely it is that the client being audited engages in activities that lead to risks of material misstatement. When the risk of material misstatement is high, detection risk increases, since the probability of the IT auditor detecting a material misstatement is low. An IT auditor with such knowledge of the company will require more substantive testing and analytical procedures to ensure that all material misstatements are captured in arriving at an audit opinion. On the other hand, fewer substantive and analytical procedures are needed to give an opinion when the risk of material misstatement is low due to low IT risks. This decision will affect the type of audit evidence to accumulate, the timing of the audit, and the review period of the evidence accumulated for the audit.

We believe that with knowledge of the organization's inherent and control risks, the IT auditor will make a better decision on how to set the detection risk for the company, which will help in planning and structuring the timeline for auditing the IT portion of the company.

A Look at the Risks of Google Inc. and Chipotle Mexican Grill

It is important to note that some industries by themselves have high business risks. Google, for instance, organizes and stores large volumes of data and information and makes that information available to users from all parts of the world. That information includes information from its partners, such as banks, and from companies that solicit its services to market their products and services. Google runs over one million servers in data centers around the world and processes billions of search requests. As a result of these systems, the company is highly susceptible to cyber and other computer crime attacks. In addition, for the company to remain competitive and survive in a market characterized by intense competition from giants like Yahoo and Bing, it needs to stay abreast of technology and on top of it. Obsolete technology can lead to the company losing its competitive advantage. The survival of Google very much depends on how well it manages these risks and how it establishes systems and controls to reduce the impact posed by these inherent and control risks. So, since there is high inherent and control risk with the company, the detection risk for an IT auditor will be high, and increasing the frequency of the audit will help reduce the risks posed.

On the other hand, a company like Chipotle Mexican Grill does not have large volumes of data to process and store in its systems. Attacks on its computer infrastructure by hackers will not grind its operation to a halt. Its inherent IT risks, coupled with its business risk, are low compared to Google. The risk of its operation grinding to a halt as a result of a hacker gaining access to its systems is minimal, and the effect of its systems being compromised is low, since the company does not process and store a lot of information. Thus the company's business risk is low and its inherent risk and control risk will be low compared to Google. We would suggest increasing the frequency of the audit for Google, because the detection risk is high for Google compared to Chipotle, and the audit will be more efficient in this manner.

Real Life Example: Therapeutic Goods Administration in Australia

The Therapeutic Goods Administration (TGA) is responsible for auditing the manufacturing quality and the continued compliance with the Codes of Good Manufacturing Practice (GMP) by manufacturers. The TGA oversees manufacturers that specifically produce items for the medical field, such as medicines and medical devices [12](Risked Based Approach to Audit Frequency, 2010). During an audit the auditor can control detection risk, but inherent and control risks are outside the auditor's control (assuming the auditor is independent and does not put controls in place for the client). These other two risks, inherent and control risk, are the reason a risk-based approach to determining the frequency of an audit is used by the TGA. TGA stated "…depth of the audit, and the audit interval are guided by the inherent risks of products and their method of manufacture." There are two basic steps TGA uses in determining the audit frequency of a manufacturer. They first classify the risks involved with the manufacturer at the site and then determine the risks involved based on its past compliance history [12](Risked Based Approach to Audit Frequency, 2010).

In the first step, determining the classification of the risk involved at the manufacturing site, there are many items TGA identifies. To name a few, they determine whether the manufacturer deals with sterile medicines (high risk rating), sunscreens and medical gases (low risk rating), or whether they are single-step manufacturers, such as labeling/packaging (low risk rating). This step determines the risks that could affect the end users, the patients using the medical items. The more critical the device or medicine, the more risk is involved with the item [12](Risked Based Approach to Audit Frequency, 2010). Similarly, the more critical an IT device is for the company, the more inherent risk there is for the company, because when a critical device fails it has a pervasive effect throughout the company. An example of an IT device that should be given a high risk rating is the internal firewall between the Demilitarized Zone and the internal network. The proxy servers in a Demilitarized Zone are not heavily secured, and it is up to the firewall between the proxy servers and the internal network to filter out malicious traffic in order to keep the internal network safe. If this firewall were compromised, an attack would be disastrous for the company.

The second step TGA uses is the determination of the compliance history of each manufacturer they audit. The compliance history is divided into four levels. There are three types of deficiencies TGA reviews in determining which category a manufacturer should be placed in: critical, major, and other. These are all determined based on the potential patient harm resulting from a serious product failure [12](Risked Based Approach to Audit Frequency, 2010). The distinctions between the three types of deficiency are easy to comprehend. A critical deficiency is one where fraud or falsification is found, or where the process being used could end up producing a harmful product. Major deficiencies are not as harmful as critical deficiencies and could include processes that could make the items produced non-compliant with certain governing bodies, such as major departures from the Code of GMP. The last category, other deficiencies, covers items such as departures from the Code of GMP that are not as major as the previous categories [12](Risked Based Approach to Audit Frequency, 2010).

The four compliance levels each manufacturer can fall into are as follows: Good, Satisfactory, Basic, and Unacceptable. The "Good" compliance level is used for a manufacturer that has few deficiencies (other deficiencies). The "Satisfactory" compliance level is for a manufacturer with few major deficiencies or a large number of other deficiencies. The "Basic" compliance level is for a manufacturer with a large number of major deficiencies or a large number of other deficiencies; in this category the major deficiencies found should be approximately 5-10. The "Unacceptable" compliance level is for a manufacturer with critical deficiencies or a large number of major deficiencies. This same methodology could be applied to IT auditing by determining previous compliance just as TGA has done. The definition of what is a critical, major, or other deficiency would change, but the overall concept would remain [12](Risked Based Approach to Audit Frequency, 2010). To keep with the example of the firewall between the proxy servers and the internal network, it could be deemed a critical deficiency if the firewall could be easily accessed from a public network, given the possibility of intruders reaching the internal network from an outside source (the practice of a harmful process, or fraud, by TGA standards). This critical deficiency would classify the compliance level as unacceptable for the IT auditor and increase the inherent risks within the IT audit.

Finally, TGA uses all the information it has gathered to determine when a re-audit should be performed. It should be noted that TGA uses a different matrix for medical devices than for the other items, because medical devices have more regulatory requirements than the others [1]. TGA uses the risk category along with the compliance level (acceptable or unacceptable) to determine when it should re-audit [12](Risked Based Approach to Audit Frequency, 2010). For example, say TGA determined that one of its manufacturers dealt with sterile medicines, which has a high risk rating [2]. TGA also determined that the manufacturer has a basic compliance level [3]. With these facts, using the matrix for medicines, we would determine that they should be audited every 12 months [4].

We believe these same tactics could help an IT auditor determine when to audit the IT portion of a company. We could determine how much risk the company has inherently along with its control risks, and then determine its past compliance to determine how much risk there would be for the auditor (detection risk). As we discuss later, this has benefits for both the auditor and the client.

IT Audit Frequency Model

In light of the evidence dispensed in our research we have used the ideas from the matrices given from TGA in Australia and the information based on the risks involved in the IT division of public companies to produce our own model in the determination of the time for an IT audit. We will discuss the matrix the senior manager would use to determine when to perform the audit in more detail. The detail involved with the scorecard the lower-level audit team members would provide to the senior manager for his decision is out of the scope of this paper and will be discussed at a minimum.

The scorecard the staff auditors would fill out would be used to determine the costs and frequency of occurrence for individual risks involved with the company's IT division [5] . After the senior auditor received this information he would use it in the aggregate to determine the audit period. While this procedure is done it is imperative to understand during the period the inherent risks and control risks will change and then determine the detection risk the auditor is willing to accept. The detection risk the auditor is willing to accept for each client would already be determined by the auditor. The auditor could then base his decision regarding only the risk of material misstatement (ROMM) the client has to determine when to provide an audit [6] . For example, we could assume the auditor is auditing a large technological company such as Google. For an IT audit involving Google as the client the auditor may determine he has a very high detection risk, therefore he would look at the ROMM, which will probably also be high, to determine he should do an audit every four months6. The ROMM will be determined with the help of the scorecards the audit staff provides to the senior auditor for inclusion during his decision making process. The higher amounts of costs and frequencies inside of each risk will result in a higher ROMM for the IT audit. With the amount of professional judgment that is involved, it is imperative that an executive support system should not be used and that all managers making these decisions are very skilled in doing so.

While looking at the audit period table [6], it is easily seen that the higher the detection risk and ROMM are, the less time there should be between audits. Our model displays this because as the risks increase, the time between audits decreases. Therefore, the amount of time between audits and the amount of risk involved have an inverse relationship.

The different levels of ROMM in the audit period table [6] could change depending on the rating system each auditing team uses. What has a low rating for one might be moderate for another. The process of determining the rating system and the range for each level should be done very carefully, because an error in these matters would be pervasive throughout all IT audits performed.
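The two-matrix decision described above, written out as an added Python illustration (not the paper's own tables): the scorecard cut-offs, the cells of both matrices and the month values are assumptions, chosen so that the lowest combination keeps the once-a-year floor and the high/high case gives the four-month period used in the Google example.

```python
"""Two-matrix audit-period model, an added illustration with assumed cut-offs and
period values; the paper does not publish its own tables."""
from enum import IntEnum

class Level(IntEnum):
    LOW = 0
    MODERATE = 1
    HIGH = 2

# Assumed scorecard cut-offs: (low->moderate, moderate->high) thresholds.
FREQ_CUTOFFS = (2, 6)             # occurrences per year
COST_CUTOFFS = (10_000, 100_000)  # loss per occurrence, in currency units

def rate(value, cutoffs):
    """Map a scorecard figure onto LOW / MODERATE / HIGH."""
    low_to_mod, mod_to_high = cutoffs
    if value < low_to_mod:
        return Level.LOW
    if value < mod_to_high:
        return Level.MODERATE
    return Level.HIGH

# Matrix 1: frequency of occurrence (rows) x cost (columns) -> ROMM for one risk.
ROMM_MATRIX = [
    [Level.LOW,      Level.LOW,      Level.MODERATE],  # frequency LOW
    [Level.LOW,      Level.MODERATE, Level.HIGH],      # frequency MODERATE
    [Level.MODERATE, Level.HIGH,     Level.HIGH],      # frequency HIGH
]

# Matrix 2: detection risk (rows) x ROMM (columns) -> months between IT audits.
# The lowest/lowest cell keeps the once-a-year floor; rising risk shortens it.
PERIOD_MATRIX = [
    [12, 10, 8],  # detection risk LOW
    [10,  8, 6],  # detection risk MODERATE
    [ 8,  6, 4],  # detection risk HIGH
]

def romm_from_scorecard(scorecard):
    """Aggregate the staff scorecard: the worst single risk sets the area's ROMM."""
    worst = Level.LOW
    for occurrences_per_year, cost_per_occurrence in scorecard:
        row = rate(occurrences_per_year, FREQ_CUTOFFS)
        col = rate(cost_per_occurrence, COST_CUTOFFS)
        worst = max(worst, ROMM_MATRIX[row][col])
    return worst

def audit_period_months(detection_risk, scorecard):
    """Senior auditor's decision: months until the next IT audit of this area."""
    return PERIOD_MATRIX[detection_risk][romm_from_scorecard(scorecard)]
```

Each team would substitute its own cut-offs and cells; the point the code makes concrete is that every row and column of the period matrix must be non-increasing, otherwise the inverse relationship between risk and audit interval is broken.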

Benefits of Frequency

We found several benefits of increasing the frequency of audits. One of these benefits is the lowering of the audit's detection risk. Another benefit is that by auditing more you will end up reducing waste in any particular audit. Increasing the frequency of an IT audit should also increase the integrity of the data that is being audited. We also found that by increasing the frequency of the audit the total cost should also decrease, because losses due to fraud decrease: the auditors catch more of the holes in the system that a person committing fraud could take advantage of. Finally, increasing the frequency of an audit should also reduce the amount of time spent on each individual audit.

Lower Detection Risk

There are two major benefits of increasing audit frequency that concern detection risk. One thing that we found was that by increasing the frequency of the audits we will be decreasing the detection risk, because we will catch more errors and weaknesses in the information technology by doing more total tests than we would otherwise. Another thing that we found was that auditing more will increase the integrity of the data, which will also lower the detection risk. [7]

More Likely to Catch

By increasing the frequency of the audit you will in turn also be increasing the amount of substantive testing and analysis that will be done. [8] Obviously this does not mean you will be doing the same tests on the same things over and over again, though it is possible and probably recommended that there should be some overlap even in a short period of time. The increased number of tests done will give more opportunities to audit the technologies or processes that have material deficiencies. There would have to be some process to decide what to audit and when, which will be discussed later. The parts of the system that have higher detection risk would have to be audited more often than systems with very low detection risk. More important systems might also need to be audited more often, and would probably be the ones with the most overlap because of their importance.

Waste Reduction

Increasing the frequency of the audit and deciding what to audit and when will help reduce wasted time, money, and other resources in over- or under-auditing. By having smaller individual audits you will be able to have smaller and more efficient audit teams, which means you will not be wasting a lot of resources on one auditing project. With smaller audit teams you will also not have people wasting time with nothing to do or being put somewhere to audit something insignificant. Catching additional errors also reduces wasted time and money. If you are able to catch errors and deficiencies in the audit, the company will not have to waste time in the middle of, say, a busy season fixing them. If the company finds these deficiencies in the middle of doing important work they will have to take people off other projects to fix these errors, wasting manpower and potentially money. [9]

Integrity of Data

Increased audit frequency should also increase the integrity of the data collected. More frequent reporting of audit findings to the public should reduce uncertainty about whether the organization's controls that are in place to protect data will actually do their job. [10] By doing something that increases the integrity, or trustworthiness, of the information on the technology you are auditing, you should be able to have more confidence in being able to detect potential errors, thus lowering the detection and audit risk.

Cost Versus Benefits

Cost is a huge factor in deciding whether to do additional audits. The organization has to decide whether the benefits of each additional audit outweigh the cost of that audit. They must decide what the optimum audit frequency is. As seen in the figure, the point where Audit Cost and Expected Losses cross would be the optimum audit frequency on the horizontal axis. [11] [12]

The point where these two lines cross is also the minimum point for total relevant costs in the audit. These total relevant costs include the actual cost of the audit, the loss due to fraud, waste, error, and other costs from not auditing even more. [13] By increasing the frequency of the audit the auditor will be able to catch more of the holes in the information technology that people committing fraud, or hackers wanting to steal information, would originally have been able to take advantage of. If this definition of total relevant costs is true, then as we audit more and more, the loss due to fraud, waste, error and other costs from not auditing goes down at a faster rate than the actual cost of the audit increases. This agrees with the previously stated benefit of increased frequency reducing the detection risk, which catches more of the loss due to fraud. It also agrees with the previous conclusion that increasing the frequency of an audit will decrease waste.

That being said, you cannot expect that every time you increase the frequency of the audit the total cost will automatically decrease. There is a point where increasing the number of audits will increase the total relevant costs. As the audit becomes more frequent the benefit of each additional audit gradually becomes less, until the point where that benefit is less than the cost of the additional audit and the total relevant costs start going up. This is when the benefit of the additional audit is outweighed by its cost. [14]
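The cost-versus-benefit argument of the last three paragraphs, as an added Python illustration rather than the paper's own figure: the audit-cost line, the expected-loss curve, the decay rate and the money figures are all constructed assumptions, and the optimum is found both by minimising total relevant cost directly and by the marginal rule (add an audit only while the loss it removes exceeds its cost).

```python
"""Cost-versus-benefit search for audit frequency, an added illustration with
constructed figures; the curves the paper refers to are not reproduced here."""

def audit_cost(audits_per_year, cost_per_audit):
    """Actual cost of the audits themselves: grows linearly with frequency."""
    return audits_per_year * cost_per_audit

def expected_loss(audits_per_year, loss_if_unaudited, decay=1.0):
    """Loss from fraud, waste and error: falls with frequency, with diminishing returns.
    The 1/(1 + decay*n) shape is an assumption, not a figure from the paper."""
    return loss_if_unaudited / (1.0 + decay * audits_per_year)

def total_relevant_cost(audits_per_year, cost_per_audit, loss_if_unaudited, decay=1.0):
    """Total relevant cost as the paper defines it: audit cost plus the losses from not auditing more."""
    return (audit_cost(audits_per_year, cost_per_audit)
            + expected_loss(audits_per_year, loss_if_unaudited, decay))

def optimal_frequency(cost_per_audit, loss_if_unaudited, decay=1.0, min_audits=1, max_audits=52):
    """Brute force: the frequency (within a yearly floor and a weekly ceiling) that
    minimises total relevant cost."""
    return min(range(min_audits, max_audits + 1),
               key=lambda n: total_relevant_cost(n, cost_per_audit, loss_if_unaudited, decay))

def marginal_frequency(cost_per_audit, loss_if_unaudited, decay=1.0, min_audits=1, max_audits=52):
    """The same decision made incrementally: add an audit only while the loss it removes
    exceeds what it costs, and stop once the extra audit's benefit is outweighed."""
    n = min_audits
    while n < max_audits:
        loss_removed = (expected_loss(n, loss_if_unaudited, decay)
                        - expected_loss(n + 1, loss_if_unaudited, decay))
        if loss_removed <= cost_per_audit:
            break
        n += 1
    return n
```

With a constructed 10,000 per audit and 100,000 of unaudited yearly loss, both searches settle on two audits a year, and pushing frequency to weekly makes total relevant cost several times higher, which is the continuous-auditing caveat discussed next.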

Continuous Auditing

Because of the previously mentioned statements, some may think that continuous auditing would be the ideal solution. However, as we see in the graph, this is not the case. Continuous auditing in the long run is not worth the cost. Continuous auditing wastes money by auditing more frequently than is helpful. As previously mentioned, there is a point where the cost of an additional audit will outweigh the benefits. Though continuous auditing tries to minimize this by implementing automated audit techniques, it cannot minimize everything. [15] Implementing automated audit techniques will increase efficiency and relieve some of the problems additional audits bring, but will also bring other costs of maintenance, potentially canceling out the benefits and bringing the problems of continuous auditing back to where they were before.

Audit Fatigue Problem

One large potential problem with increased audit frequency is the possibility of audit fatigue. In addition to balancing cost and benefit, auditors need to find a balance between fatiguing their auditors by increasing the number of audits and using smaller audit teams, and having frequent enough audits to gain enough assurance that the systems are operating effectively. [16] There are ways to relieve this problem. The best way for auditors to do this is to have some automated IT audit procedures that relieve some of the fatigue on the audit staff by reducing the number of tests they have to do manually. This is not perfect though, as they will also have additional maintenance costs on that automated system. [17] While this will not completely remove the extra work, it will help. In addition, the overall audit time will not go up as much as it could, because the amount of time spent on each audit will not be as high as if you were doing one audit and auditing everything at the same time. Audit fatigue, while a potential problem, should not dissuade auditors from increasing audit frequency.

Conclusion

The purpose of this paper was to reach a conclusion on how often an IT audit should occur. We concluded that the frequency of an audit should not be a fixed number and time period but should be very fluid. It should depend on the current risk within the company being audited. This means that as the risk changes with new employees, new automated processes, and new controls, the frequency of the audit should also change. The change in frequency should occur whenever it is needed. Because we determined that audit frequency should be based on risk, we decided to create our own audit frequency model.

We first looked at an example of an audit frequency risk model from the Australian government. We decided that by looking at an example of this type of matrix we could get an understanding of how to build our model. In this risk model they first determine the risk of the area they want to set the audit frequency for, based on how critical the area is. The second step was to look at the deficiency history of the area and how critical the deficiencies were. Then, using the information that has been found, these factors can be input into the matrix.

We decided to use two matrices to determine a new audit frequency based on the amount of risk involved in the specific audit area. The first matrix we created looks at the frequency of possible deficiencies and the cost of those deficiencies to help determine the detection risk of that area. The second matrix looks at the detection risk and a determined risk of material misstatement for information technology. This helps determine the frequency of the audit, where the combination of lowest detection risk and lowest risk of material misstatement is audited only once a year.

Our creation of a new audit frequency model should help organizations determine how often they should have different information systems audited. We feel that this will allow companies to audit enough to mitigate as much risk as possible while not auditing so much that the costs outweigh the benefits.