How does one assess the risk of a fast-moving technology landscape and, more importantly, the speed at which business strategy changes? It all comes down to a methodical approach to risk assessment: quantifying how potential events could affect business objectives.
For the IT risk assessment process to be a successful driver for creating the audit plan, it is important to first define the audit universe. The audit universe is, first and foremost, a living document that has to be updated on a periodic basis. It should capture all of the businesses, regions and functions that make up the organization. Building it requires collaboration between key business stakeholders and internal audit, but it should be primarily driven by the audit function. Once the audit universe exists, there is a basis on which to perform the risk assessment, which is primarily an enterprise-risk-level activity. Depending on your organization’s structure, this responsibility can be shared between the chief risk officer and the chief audit executive. It could also belong to the chief information security officer, who then works with the internal IT audit function to define the risk assessment process.
The IT risk assessment process consists of laying out all of the key business, financial, IT, privacy and external/regulatory risk factors and ranking them across the various businesses, regions and functions. Once this task is complete (it should be done on an annual basis), there is a sound framework in place for annual audit planning. There will certainly be times during the year when the IT risk assessment has to be revisited, as key internal and external risks change in response to strategic initiatives the company is undertaking.
Figure 1: Gears of the IT Risk Assessment Process
Read Mohammed J. Khan’s recent Journal article:
“Managing Data Protection and Cybersecurity—Audit’s Role,” ISACA Journal, volume 1, 2016.