I am currently working on a project with a significant IT component so the topic of IT risks is very relevant to me right now. I am not an IT expert. As an auditor with over ten years of experience primarily in financial statement and operational risk, I have typically relied on internal or external experts to assess IT risks. However, for a current audit, I am the starting point for assessing IT risks.
My goal is to understand the context and scenario of the area of audit so that I can at a high level understand the different kinds of possible risks and have a good list of questions to ask both the audit stakeholder and the external expert.
How do I begin to assess IT risks with no IT background?
I consulted an internal expert, my boss, and here is where she had me start:
1. Best Practices: Start with commonly accepted industry sources and standards such as the following:
(a) COBIT (Control Objectives for Information and Related Technologies) – an IT governance framework and supporting tool-set that allows managers to bridge the gap between control requirements, technical issues and business risks.
(b) ISACA engages in the development, adoption and use of globally accepted industry-leading knowledge and practices for information systems. COBIT is part of ISACA’s globally accepted framework.
(c) IIA – Global Technology Audit Guide (GTAG) – Prepared by the IIA, each GTAG is written to address timely issues related to information technology (IT) management, risk, control, and security. The GTAG serves as a resource on different technology-associated risks and recommended practices.
3. External Compliance and IT Technical Expertise: Consult technical experts (internal and external) for the really technical stuff. They might need to do the technical testing for you. At a minimum, they can guide you to know the questions you should be asking the audit stakeholder.
The bottom line is that non-IT auditors can assess IT risks from the ‘soft-control’ standpoint of governance. However, when it comes to identifying controls that mitigate or detect specific IT risks, it is best to leave that to the experts.