Describe the risk-based audit approach

What will be an ideal response?

Answer: The risk-based audit approach has four steps that evaluate internal controls. This approach provides a logical framework for conducting an audit of the internal control structure of a system. The first step is to determine the threats facing the AIS. Threats here can be defined as errors and irregularities in the AIS. Once the threat risk has been established, the auditor should identify the control procedures that should be in place to minimize each threat. The control procedures identified should either be able to prevent or detect errors and irregularities within the AIS. The next step is to evaluate the control procedures. This step includes a systems review of documentation and also interviewing the appropriate personnel to determine whether the needed procedures are in place within the system. The auditor can then use tests of controls to determine if the procedures are being satisfactorily followed. The fourth step is to evaluate weaknesses found in the AIS. Weaknesses here means errors and irregularities not covered by the AIS control procedures. When such deficiencies are identified, the auditor should see if there are compensating controls that may counterbalance the deficiency. A deficiency in one area may be neutralized given control strengths in other areas. The ultimate goal of the risk-based approach is to provide the auditor with a clear understanding of errors and irregularities that may be in the system along with the related risks and exposures. Once an understanding has been obtained, the auditor may provide recommendations to management as to how the AIS control system can be improved.