ITFRA
Information Technology Financial Risk Assessment
- An ITFRA is a formal assessment of the risks posed by IT on relevant business processes. It is a predecessor to an audit engagement (may occur months in advance) and is more substantive than an engagement planning memo.
- The assessment results are used by two audiences — auditors with a finance focus and client business process owners.
- Though ITFRA is not a full audit report and does not raise audit “findings”, it can raise comments that are relevant to the business process owner in better understanding process risk.
- An ITFRA can do a simple “test of design” on a critical control, which is essentially a “test of one item”, though this is the extent to which an ITFRA will gather evidence and execute tests. This test of design is most useful if there is no “SOX-esque” testing available at a client.
Common Issues Encountered in ITFRA
- ITFRA may be interpreted as full audits. This should be disclaimed sufficiently.
- ITFRA may recommend “further audit procedures” for the audit team based on knowledge gleaned from the assessment. These further audit procedures are easy for the engagement auditors to ignore.
- ITFRA may emphasize business processes that can be best tested either through a continuous controls monitoring (CCM) solution or by performing data analytics. Though these are perceived by finance auditors to be “good ideas”, they are rarely executed in practice because implementing them requires a greater time/resource commitment than the finance auditor may be willing to commit.