
Question 461

Which of the following audit risks is related to the exposure of a process or entity to be audited without taking
into account the controls that management has implemented?

Correct Answer: A
Section: The process of Auditing Information System
Explanation:
Inherent Risk is the risk level or exposure of a process or entity to be audited without taking into account
the control that management has implemented. Inherent risk exists independent of an audit and can occur
because of the nature of the business.
For your exam you should know the information below about audit risk:

Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue an unqualified report
due to the auditor's failure to detect material misstatement either due to error or fraud. This risk is
composed of inherent risk (IR), control risk (CR) and detection risk (DR), and can be calculated thus:

AR = IR × CR × DR

Inherent Risk

Auditors must determine risks when working with clients. One type of risk to be aware of is inherent risk.
While assessing this level of risk, you ignore whether the client has internal controls in place (such as a
secondary review of financial statements) in order to help mitigate the inherent risk. You consider the
strength of the internal controls when assessing the client's control risk. Your job when assessing inherent
risk is to evaluate how susceptible the financial statement assertions are to material misstatement given
the nature of the client's business. A few key factors can increase inherent risk.

Environment and external factors: Here are some examples of environment and external factors that can
lead to high inherent risk:
  • Rapid change: A business whose inventory becomes obsolete quickly experiences high inherent risk.
  • Expiring patents: Any business in the pharmaceutical industry also has inherently risky environment and
    external factors. Drug patents eventually expire, which means the company faces competition from other
    manufacturers marketing the same drug under a generic label.
  • State of the economy: The general level of economic growth is another external factor affecting all
    businesses.
  • Availability of financing: Another external factor is interest rates and the associated availability of financing.
    If your client is having problems meeting its short-term cash payments, available loans with low interest
    rates may mean the difference between your client staying in business or having to close its doors.

Prior-period misstatements: If a company has made mistakes in prior years that weren't material (meaning
they weren't significant enough to have to change), those errors still exist in the financial statements. You
have to aggregate prior-period misstatements with current year misstatements to see if you need to ask the
client to adjust the account for the total misstatement.

You may think an understatement in one year compensates for an overstatement in another year. In
auditing, this assumption isn't true. Say you work a cash register and one night the register comes up $20
short. The next week, you somehow came up $20 over your draw count. The $20 differences are added
together to represent the total amount of your mistakes, which is $40 and not zero. Zero would indicate no
mistakes at all had occurred.

Susceptibility to theft or fraud: If a certain asset is susceptible to theft or fraud, the account or balance level
may be considered inherently risky. For example, if a client has a lot of customers who pay in cash, the
balance sheet cash account is going to have risk associated with theft or fraud because of the fact that
cash is more easily diverted than customer checks or credit card payments.

Looking at industry statistics relating to inventory theft, you may also decide to consider the inventory
account as inherently risky. Small inventory items can further increase the risk of this account valuation
being incorrect because those items are easier to conceal (and therefore easier to steal).

Control Risk

Control risk has been defined under International Standards of Auditing (ISAs) as follows:
The risk that a misstatement that could occur in an assertion about a class of transaction, account balance
or disclosure and that could be material, either individually or when aggregated with other misstatements,
will not be prevented, or detected and corrected, on a timely basis by the entity's internal control.

In simple words, control risk is the probability that a material misstatement exists in an assertion because
that misstatement was either not prevented from entering the entity's financial information or was not
detected and corrected by the internal control system of the entity.

It is the responsibility of management and those charged with governance to implement an internal control
system and maintain it appropriately, which includes managing control risk.

There can be many reasons for control risk to arise and why it cannot be eliminated absolutely. Some
of them are as follows:
  • Cost-benefit constraints
  • Circumvention of controls
  • Inappropriate design of controls
  • Inappropriate application of controls
  • Lack of control environment and accountability
  • Novel situations
  • Outdated controls
  • Inappropriate segregation of duties

Detection Risk

Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements.
An auditor must apply audit procedures to detect material misstatements in the financial statements
whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a
material misstatement remaining undetected by the auditor. Some detection risk is always present due to
the inherent limitations of the audit such as the use of sampling for the selection of transactions.

Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed
testing.

The following answers are incorrect:
  • Control risk - The risk that a material error exists that would not be prevented or detected on a timely basis by
    the system of internal controls.
  • Detection risk - The risk that material errors or misstatements that have occurred will not be detected by an
    IS auditor.
  • Overall audit risk - The probability that information or a financial report may contain material errors and that
    the auditor may not detect an error that has occurred. An objective in formulating the audit approach is to
    limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the
    completion of the examination.

The following reference(s) were/was used to create this question:
CISA review manual 2014 page number 50
http://en.wikipedia.org/wiki/Audit_risk
http://www.dummies.com/how-to/content/how-to-assess-inherent-risk-in-an-audit.html
http://pakaccountants.com/what-is-control-risk/
http://accounting-simplified.com/audit/risk-assessment/audit-risk.html

Question 462

Which of the following should be restricted from a network administrator's privileges in an adequately segregated IT environment?

Correct Answer: B
The network administrator should not have the privilege of changing existing configurations for applications in an adequately segregated IT environment. This is because changes to existing configurations can introduce vulnerabilities and cause unexpected behavior, which can lead to disruption of services or data loss. The network administrator should not have the ability to make such changes without the explicit authorization of the IT manager. Additionally, the network administrator should be monitored to ensure that any changes they make are in compliance with the organization's security policies and procedures. The CISA Certification - Information Systems Auditor official site or book provides a comprehensive guide to best practices and security principles for the IT environment, which includes recommendations on how to restrict access to sensitive configuration changes.

Question 463

In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:

Correct Answer: C
Explanation:
The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out. Consistency ensures that all integrity conditions in the database are maintained with each transaction. Isolation ensures that each transaction is isolated from other transactions; hence, each transaction only accesses data that are part of a consistent database state. Durability ensures that, when a transaction has been reported back to a user as complete, the resultant changes to the database will survive subsequent hardware or software failures.

Question 464

Which of the following is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality?

Correct Answer: C
Rapid application development is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality. The program evaluation review technique (PERT) and critical path methodology (CPM) are both planning and control techniques, while function point analysis is used for estimating the complexity of developing business applications.

Question 465

When removing a financial application system from production, which of the following is MOST important?

Correct Answer: C