IT Audit Risk Management Leading Strategies and Practices

An IT audit is a structured review of IT infrastructure, applications, policies and operations that ensures proper controls are in place to support business objectives. Within the practice of risk management, IT audits provide independent assurance that IT risk identification, assessment and mitigation processes are designed well and operating effectively.

IT Audit Risk Management Procedures

Effective IT audit risk management programs follow a set of IT audit risk management practices and procedures that enable IT risk management planning, risk identification, risk assessment, assessment of controls, mitigation recommendations and reporting. Below are steps to either help you build your IT audit risk management function or to make improvements to one that already exists.

Planning and Scoping

Effective procedures start with a clear scope and an alignment to enterprise risk management appetite and business objectives. Begin by identifying which systems will be within the scope of the audit. For smaller organizations, this may mean including all IT systems, while for larger organizations, this may mean prioritizing systems that are critical to business operations. As systems are being prioritized, include information about them, such as technical details, operator and owner names and types of data that are hosted.

At this stage, have conversations with senior leadership about what risk level is acceptable, and if gaps are identified, what resources can be dedicated to mitigation. These conversations will help to determine priorities as risks are identified.

Identification

After defining the scope of the IT audit risk management program, identify risks that can impact those systems that are in scope, including vulnerabilities, threats, and potential compliance issues.

While there are many vulnerability scanning solutions on the market that can identify weaknesses in networks, applications and systems, these solutions offer only a starting point, albeit a solid one, and such scans are in any case required by several compliance frameworks.

In addition to vulnerability scanning, build a team that includes system/application owners, IT security, governance and power users, to discuss vulnerabilities and threats that have been experienced. As risks are identified, start to build a risk register with basic details about each risk. This will develop over time via assessments.

Risk Assessment

Once all risks are identified, assess each one based on the likelihood that it will occur and the impact on the organization should it occur. Impacts may include operational downtime, regulatory penalties and, of course, financial losses. At this point, all risks can be ranked based on their likelihood and impact, with each of those two factors scored separately on a scale of 1 to 3, where 1 is the lowest likelihood/impact and 3 is the highest.

These scores are typically placed into a risk or heat map, where both likelihood and impact scores can be demarcated into low risk, medium risk and high risk to the organization. This single view will be very helpful in mitigation planning.

Controls Analysis and Testing

The last key activity to perform before risk mitigation planning takes place is to analyze and/or test each control. The purpose of this exercise is to determine if internal controls are appropriately designed, implemented and operating effectively. When a control is operating effectively, it sufficiently mitigates a risk to an acceptable level.

Testing is best done by an auditor who can perform the control procedures and review evidence (such as activity logs) that shows the controls are operating as designed. Any weaknesses found should be documented so that remediation recommendations can be made, and each weakness should be recorded in the risk register alongside every risk it affects.
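As an added example (not code from the original article), the following Python risk register implements the 1-to-3 likelihood and impact scoring, the heat-map view used for mitigation planning, and the practice of recording control-test weaknesses alongside the risk they affect. The `Risk` class, the sample entries and the low/medium/high bands on the product score are assumptions, since the article fixes none of them.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int  # 1 = lowest .. 3 = highest, as on the article's scale
    impact: int      # 1 = lowest .. 3 = highest
    control_weaknesses: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def validate(risk: Risk) -> None:
    """Reject scores outside the 1-3 scale (a common register data-entry error)."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not isinstance(value, int) or not 1 <= value <= 3:
            raise ValueError(f"{risk.risk_id}: {name} must be an integer 1-3, got {value!r}")

def rating(risk: Risk) -> str:
    """Assumed bands on the 1-9 product: 1-2 low, 3-4 medium, 6-9 high (article fixes none)."""
    validate(risk)
    return "high" if risk.score >= 6 else "medium" if risk.score >= 3 else "low"

def heat_map(register: list) -> dict:
    """3x3 grid keyed (likelihood, impact) -> sorted ids of the risks in that cell."""
    grid = {(lik, imp): [] for lik in (1, 2, 3) for imp in (1, 2, 3)}
    for risk in register:
        validate(risk)
        grid[(risk.likelihood, risk.impact)].append(risk.risk_id)
    return {cell: sorted(ids) for cell, ids in grid.items()}

def record_weakness(register: list, risk_id: str, finding: str) -> Risk:
    """Attach a control-test finding to the risk it affects (StopIteration if id unknown)."""
    risk = next(r for r in register if r.risk_id == risk_id)
    risk.control_weaknesses.append(finding)
    return risk

def mitigation_order(register: list) -> list:
    """Highest product first; ties broken by impact, then id, for a stable report."""
    return [r.risk_id for r in sorted(register, key=lambda r: (-r.score, -r.impact, r.risk_id))]

# Constructed sample register (illustrative entries, not real findings).
SAMPLE = [
    Risk("R1", "Shared admin account on the payroll server", 3, 3),
    Risk("R2", "Backups never restore-tested", 2, 3),
    Risk("R3", "Stale accounts in the HR portal", 2, 2),
    Risk("R4", "Unpatched visitor kiosk in the lobby", 1, 1),
]
```

Re-running `heat_map` and `mitigation_order` after each mitigation cycle gives the updated heat map the Reporting section asks for.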

Mitigation Planning

After all risks are identified and scored, and controls are assessed and tested, the control testing may have identified gaps that increase risk exposure. Now is a good time to revisit the acceptable risk levels discussed with senior leadership during planning, to help determine how much mitigation will be recommended.

The IT audit risk management team should now work with key stakeholders to develop plans to address any gaps in controls, IT systems, people or processes to lower the likelihood and impact of specific risks that are viewed by senior leadership as having the highest impact on the organization. Often, these plans will require resources to carry out and successfully complete, so getting approval from the right people is very important.

Reporting

Before mitigation projects begin, establish a cadence of review and reporting. As part of the IT Audit Risk Management program, consider creating a steering committee composed of senior leadership and members of the business who have the authority to directly approve outcomes and the direction of each project, as well as to onboard or acquire any resources needed to successfully mitigate risks.

Meeting on a regular basis, members of the IT Audit Risk Management team should report on progress and show, via updates to the risk heat map, how the impact and likelihood of each risk are continuing to fall. Consider sharing these materials with all employees to show how the organization is lowering its risk profile.

IT Audit Risk Management Regulations

Common IT audit and risk management regulations govern financial reporting, data privacy, cybersecurity and sector-specific requirements. Below are several key regulations established by law.

Sarbanes-Oxley Act (SOX) - SOX directly impacts IT audit risk management because IT systems support most financial reporting. For IT systems that store, process and report financial data, validation of those IT controls is a central part of SOX compliance. The heart of these regulations is section 404, which requires that internal controls over financial reporting be assessed and attested to, typically by external auditors and senior leadership. IT audit risk management practitioners must carefully review the controls that mitigate IT risks such as unauthorized access, data integrity failures and human error, and determine how those risks might affect SOX controls.

General Data Protection Regulation (GDPR) - GDPR is a European Union (EU) law that protects the personal data and privacy of all people within the EU and European Economic Area (EEA). From the perspective of an IT audit risk management professional, it means having a focus on risks to personal data, accountability and privacy controls. More importantly, this helps to shift IT auditing to continuous monitoring and incident readiness, as opposed to routine checks.

Health Insurance Portability and Accountability Act (HIPAA) - HIPAA is a U.S. federal law that sets strict standards for managing, transmitting and storing protected health information. HIPAA directs IT audit risk management processes to perform an “accurate and thorough” assessment of risks to the confidentiality, integrity and availability of electronic protected health information, to ensure that proper safeguards and controls are in place.

IT Audit Risk Management Standards

Whether you are already running an existing IT audit risk management program or are establishing one, there are several widely adopted standards and frameworks that can help to define (or redefine) aspects of IT audit risk management to ensure your IT systems are secure and compliant.

ISO/IEC 27001:2022 - This international standard provides a framework for organizations to establish, implement, maintain and continually improve an information security management system. From an IT audit perspective, it becomes a frame of reference to determine if information security risks are being identified, evaluated, treated and systematically monitored.

NIST Cybersecurity Framework (CSF) - This NIST framework is intended to help organizations manage and reduce cybersecurity risks by offering standard ways to understand, assess and communicate their cybersecurity efforts. It is organized into six core functions (govern, identify, protect, detect, respond and recover), which IT audit practitioners can use as an outline for audit planning, building the risk register and mitigation planning.

Control Objectives for Information and Related Technologies (COBIT) - COBIT is a comprehensive framework for the governance and management of information and technology. The IT audit risk management function can use the principles detailed in COBIT to evaluate if IT strategy, policies and decisions are aligned with the organization's risk appetite and business goals.

IT Audit Risk Management Tools

IT audit risk management programs use a variety of tools, from traditional IT audit risk management templates to integrated software platforms.

Governance, Risk and Compliance (GRC) platforms - GRC platforms connect policies, controls, risks and audits to provide a single view of an organization's risk posture. As the name suggests, such a platform supports governance functions such as policy management, risk management activities such as identifying and mitigating threats, and compliance activities that verify adherence to policies and external regulations. Additionally, most GRC platforms assist with the creation of policies as well as with internal and external audits.

IT security and risk management tools - These tools focus on specific technical areas of risk within IT, providing insight into potential vulnerabilities through capabilities such as vulnerability and threat detection, identity and access management and third-party risk management.
