Assessing information technology risks

I am currently working on a project with a significant IT component, so the topic of IT risks is very relevant to me right now. I am not an IT expert. As an auditor with over ten years of experience, primarily in financial statement and operational risk, I have typically relied on internal or external experts to assess IT risks. However, for a current audit, I am the starting point for assessing IT risks.

My goal is to understand the context and scenario of the area under audit so that I can, at a high level, understand the different kinds of possible risks and have a good list of questions to ask both the audit stakeholder and the external expert.

How do I begin to assess IT risks with no IT background?

I consulted an internal expert, my boss, and here is where she had me start: 

1. Best Practices: Start with commonly accepted industry sources and standards such as the following: 

(a) COBIT (Control Objectives for Information and Related Technology) – an IT governance framework and supporting tool-set, published by ISACA, that allows managers to bridge the gap between control requirements, technical issues and business risks.

(b) ISACA – the professional association that develops and promotes globally accepted knowledge and practices for information systems governance, assurance and security. COBIT is one of ISACA's frameworks.

(c) IIA – Global Technology Audit Guide (GTAG) – prepared by the Institute of Internal Auditors (IIA), each GTAG addresses timely issues related to information technology (IT) management, risk, control and security. The GTAGs serve as a resource on technology-associated risks and recommended practices.

2. Internal Compliance: Review applicable internal policies such as the security and data privacy policy to understand organizational compliance requirements. Also, consult any IT-related strategic documents and guidelines.

3. External Compliance and IT Technical Expertise: Consult technical experts (internal and external) for the deeply technical areas. They might need to do the technical testing for you. At a minimum, they can guide you to the questions you should be asking the audit stakeholder.

The bottom line is that non-IT auditors can assess IT risks from the ‘soft-control’ standpoint of governance. However, when it comes to identifying controls that mitigate or detect specific IT risks, it is best to leave that to the experts.


3 Responses to “Assessing information technology risks”

  1. December 31, 2012 at 10:07 pm

    What's up, yeah this paragraph is in fact good and I have learned a lot of things from it on the topic of blogging. Thanks.

  2. February 11, 2013 at 5:33 am

    Asking questions is a really nice thing if you are not understanding something entirely,
    but this piece of writing provides fastidious understanding even so.
