Information Systems Risk and Audit Planning
Author(s) - Bedard Jean C., Graham Lynford, Jackson Cynthia
Publication year - 2005
Publication title - International Journal of Auditing
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.583
H-Index - 21
eISSN - 1099-1123
pISSN - 1090-6738
DOI - 10.1111/j.1099-1123.2005.00267.x
Subject(s) - it risk management , audit risk , business , factor analysis of information risk , risk management , audit plan , audit , internal audit , risk management information systems , information technology audit , competence (human resources) , risk analysis (engineering) , control environment , accounting , information security management , risk assessment , control (management) , quality audit , it risk , information quality , joint audit , information system , computer science , management information systems , computer security , psychology , finance , security information and event management , engineering , cloud computing , artificial intelligence , cloud computing security , operating system , social psychology , electrical engineering
Auditing standard setters worldwide are focusing greater attention on the importance of corporate controls in general, and on information systems in particular. However, there is relatively little research on the nature of specific control risks in actual companies, and on the auditor's response to those risks. In this study, we examine client characteristics identified by external auditors for actual audit clients, which are relevant to two important areas of systems risk: system security and management information quality. To perform the study, we describe the types of client characteristics identified by the auditors as being relevant to planning, and relate those characteristics to systems risk assessments and testing plans. We find that auditors identify both systems risk factors (risk-increasing characteristics) and positive factors (risk-decreasing characteristics), although risk factors predominate. Systems risk factors are identified for a high proportion of clients, even those with relatively low risk assessments. Most frequently identified risk factors relate to system security, management style and competence, and outdated systems. We find that risk assessments increase with the number of identified risk factors for management information quality, but not for EDP security. Categorizing risk factors into COSO categories, we find that audit procedure planning for EDP security is associated with risk factors relating to control activities but not to control environment. For management information quality, audit procedure planning is associated with control environment and information/communication risk factors. The implications of these findings for audit research and practice are discussed.