Most, if not all, business transactions executed today touch the information technology (IT) environment at some point in their lifecycle. As organizations plan for the next calendar year, it’s logical to regard the IT risk assessment as a critical component that should be reviewed through the internal audit function.
It’s important to understand how your organization assesses IT risk. When measuring IT risk: (1) use quantitative factors as well as qualitative measures, (2) focus on the maturity of the risk assessment over time, and (3) involve and educate the IT organization in the risk assessment process. Use IT risk to: (1) drive the audit plan and (2) enable the entire audit organization to assess risk.