Provide feedback on this document
Visit the Audit Tools and Techniques Knowledge Center community
Visit the Risk Management Knowledge Center community
Objective—Provide senior management with an understanding and assessment of the efficiency and effectiveness of the IT risk management process, supporting framework and policies and assurance that IT risk management is aligned with the enterprise risk management process.
Scope—Since IT risk systems and their integration with the enterprise risk management process varies widely among enterprises, the auditor must define the scope of the audit to fit the enterprise.
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.