Auditors assess control risk in a two-stage process. First, they assess the strength of the design of the firm’s control system. The first step in evaluating the design of the auditee’s control system is identifying the specific threats that would prevent the information system from operating reliably and securely.
a. Explain firm-level threats
b. Explain transaction-level threats
c. Explain what an audit program is. How is it used before, during and after the audit?