Can anyone share their approach to performing an IT-focused risk assessment in support of audit planning? Would anyone have an IT risk universe that they would be willing to share?


India Head and Director of Global Finance Shared Services in Hardware, 5,001 - 10,000 employees
The risk assessment for IT areas should cover a number of areas to ensure that an organization's IT systems and processes are effective, secure, and compliant with relevant regulations. The audit plan can typically focus on a range of topics to assess risks and controls. Here are some key areas to consider when planning an IT-focused risk assessment:
1. Information security
2. Cybersecurity
3. Systems and application controls
4. IT vendor management
5. IT audit trail and single / multiple logins for various applications
Founder in Miscellaneous, Self-employed

This will depend on your current infrastructure and the landscape of your applications.

Some initial questions to ask:

1/ Are you all working from one location, or are people spread remotely?
2/ Is there a formal procedure / training for things like cyber security?
3/ Are your applications administered centrally using SSO and 2FA, or are they all fragmented?
4/ Are you working from on-premise systems, or are you in the cloud?

Answers to these sorts of questions will dictate your approach to audit planning.

1/ Can we be sure our data is safe with people working remotely?
2/ Is our team equipped with the knowledge they need to reduce risk?
3/ Do we have complete control over access to internal systems?
4/ Are our systems backed up in the event we have to undergo a disaster recovery process?

You've then got second-order consequences that could evolve from this:

- Risks from unauthorized access, data breaches, etc.
- Risks from system downtime, inefficient processes, etc.
- Risk of non-compliance with regulations like GDPR, SOX, etc.
- Risks from lack of adaptability to new technologies, vendor lock-in, etc.
- Risks from budget overflows in IT projects, ROI concerns, etc.

My recommendations:

1/ Start with the highest risks
2/ Ensure you have a plan in place to remain compliant
3/ Have a procedure in place for regular vulnerability assessments
4/ Map all of your systems, all of your team members and their usage
5/ Put it all into a matrix that you can colour-code into a heat map of low vs. high risks

Happy to provide more guidance if you want to send me a DM
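The commenter's recommendations 4 and 5 (map every system and its usage, then colour-code the result into a heat map) can be turned into a small, repeatable scoring script. The following is an added example and is not code from the thread or from the commenter: it encodes the diagnostic questions above (remote working, training, SSO/2FA, backups) as control attributes on each system, derives a 1-5 likelihood and a 1-5 impact from them, ranks the systems by likelihood x impact, and lays them out on a 5x5 heat map. The inventory is constructed sample data and every weight is an illustrative assumption, not an audit standard; swap in your own system list and tune the weights to your environment.

```python
"""Score a small IT risk universe into a likelihood x impact heat map.

Added example, not from the original thread. INVENTORY is constructed sample
data and the weights in likelihood() and impact() are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    data_class: str        # "public", "internal", "confidential" or "regulated"
    internet_facing: bool  # reachable from the internet
    sso: bool              # administered centrally through SSO
    mfa: bool              # second factor enforced
    backups_tested: bool   # restore actually tested, not just scheduled
    remote_access: bool    # used by remote staff
    staff_trained: bool    # users have had security training
    regulations: tuple = ()  # e.g. ("GDPR", "SOX")


# Assumed mapping from data classification to base impact (1-5 scale).
IMPACT_BY_CLASS = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}


def likelihood(s: System) -> int:
    """1-5 likelihood: each missing or weakening control adds a point."""
    score = 1
    if s.internet_facing:
        score += 1          # exposed attack surface
    if not s.sso:
        score += 1          # fragmented access administration
    if not s.mfa:
        score += 1          # password-only authentication
    if s.remote_access and not s.mfa:
        score += 1          # remote staff reaching a system without a second factor
    if not s.staff_trained:
        score += 1          # phishing / handling errors more likely
    return min(score, 5)


def impact(s: System) -> int:
    """1-5 impact from data classification, regulatory exposure and recoverability."""
    score = IMPACT_BY_CLASS[s.data_class]
    if s.regulations:
        score += 1          # non-compliance consequences on top of the breach itself
    if not s.backups_tested:
        score += 1          # downtime turns into data loss
    return min(score, 5)


def rating(score: int) -> str:
    """Bucket a 1-25 score into the colour bands of the heat map."""
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 15:
        return "high"
    return "critical"


def assess(systems) -> list:
    """Return one row per system, highest risk first (recommendation 1)."""
    rows = []
    for s in systems:
        lik, imp = likelihood(s), impact(s)
        rows.append({"system": s.name, "likelihood": lik, "impact": imp,
                     "score": lik * imp, "rating": rating(lik * imp)})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def heat_map(systems) -> dict:
    """Map each (likelihood, impact) cell to the names of the systems in it."""
    grid = {}
    for s in systems:
        grid.setdefault((likelihood(s), impact(s)), []).append(s.name)
    return grid


def render_heat_map(systems) -> str:
    """Plain-text 5x5 grid: rows are impact (5 at top), columns are likelihood."""
    grid = heat_map(systems)
    lines = ["impact \\ likelihood  " + "  ".join(str(l) for l in range(1, 6))]
    for imp in range(5, 0, -1):
        cells = [str(len(grid.get((lik, imp), []))) or "." for lik in range(1, 6)]
        cells = [c if c != "0" else "." for c in cells]
        lines.append(f"{imp:>19}  " + "  ".join(cells))
    return "\n".join(lines)


# Constructed sample inventory (not real systems).
INVENTORY = [
    System("Payroll (SaaS)", "regulated", True, True, True, True, True, True, ("SOX", "GDPR")),
    System("Legacy file share", "confidential", False, False, False, False, True, False),
    System("Marketing website", "public", True, True, True, True, False, True),
    System("ERP (on-prem)", "regulated", False, False, True, True, True, True, ("SOX",)),
]

if __name__ == "__main__":
    for row in assess(INVENTORY):
        print(f"{row['score']:>2} {row['rating']:<8} {row['system']}")
    print(render_heat_map(INVENTORY))
```

The cell contents of the heat map are the inputs to audit planning: anything in the "critical" band is scoped first, and a system that lands there because of a single control gap (here the file share with no SSO, no MFA and untested backups) tells you which control the audit should test.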
Director of Finance in Consumer Goods, 10,001+ employees
One can refer to this approach while performing an IT-focused risk assessment:
1. Understand the entity and its environment.
2. Understand entity-level controls.
3. Understand the transaction-level controls.
4. Use preliminary analytical procedures to identify risk.
5. Perform fraud risk analysis.
6. Assess risk.
