Most, if not all, business transactions executed today touch the information technology (IT) environment at some point in their lifecycle. As organizations plan for the next calendar year, it’s logical to regard the IT risk assessment as a critical component that should be reviewed through the internal audit function.
Many organizations use the IT risk assessment to evaluate how IT and their business strategy align. A sensible approach to the IT risk assessment process involves asking fundamental questions such as, “How does the organization define its IT audit universe?” “How does it define general computer controls?” and “Who should be involved in the risk assessment process?”
In addition, it’s important to understand how your organization assesses IT risk: Is it part of internal audit’s risk assessment or audit planning process? Do you have adequate knowledge of the risk areas within IT? Do you stick to what you know?
While many organizations define their IT audit universe based on the general controls in place within their IT environment, how do they define IT general computer controls? A typical, comprehensive IT audit universe will incorporate an understanding of business and IT risk factors as they impact applied technology (applications, databases, operating systems, etc.), IT processes, and current and future IT projects.
Another relevant question to consider is how often IT risk should be assessed or reviewed. There really isn’t a single good answer. It’s recommended that IT risk be formally assessed at least once annually; however, due to the constantly changing risk environment, IT risk should be considered as regularly as possible without impacting the IT department’s ability to perform its day-to-day activities. High-performing IT organizations will also have their own risk management processes built into their processes and project management activities to provide ongoing risk assessment at a granular level.
In creating an audit plan, Protiviti approaches the IT risk assessment from a strategic, operational, financial and compliance point of view. On the one hand, it identifies the audit risk universe and ranks risk by audit units; on the other, it identifies business risks and then prioritizes them. The risk assessment data collection process takes a four-pronged approach involving:
- Interviews: Use structured interview protocols and a consistent format and agenda. One company management representative is interviewed by two audit team members. This approach is time intensive, so allow at least one hour. Ask probing questions and listen; good note taking is critical.
- Surveys: Surveys support global assessments across distributed geographical locations and can be emailed, allowing participants to work at their own pace. Various tools can be used to facilitate this process.
- Analysis of Existing Data: Besides interacting with others, analysis of company information and data can be an important source for identifying key objectives and potential events, as well as related issues and risks. Examples of information to analyze could include past internal audit reports and other prior risk assessments, the most recent financial information (both external and internal), updated budgets and strategic plans, and new policies and press releases, especially for new initiatives.
- Facilitated Workshops (Online or Face-to-Face): Workshops can help generate more relevant ideas and risks; aid in verifying and validating issues, facts and conclusions; increase the level of knowledge sharing across the organization; and allow the use of voting technology. While they may sometimes create disagreements or conflicts or inhibit some participants, the lack of consensus can itself be insightful.
For more information on IT risk, you can find the following tools, and many others, on KnowledgeLeader under the IT risk topic page:
- IT Risks and Controls Review Report
- IT Risk Assessment Audit Report
- Data Integrity Risk Key Performance Indicators (KPIs)