IT audit planning depends on identifying the IT audit universe and solid assessment of the risks of adverse events

IT risks are increasingly recognized as critical factors in enterprise risk management. From preventing failures in regulatory compliance to helping avoid devastating harm to the reputation of the organization from headline-making security breaches, IT auditors have an obligation and value-adding opportunities to assess enterprise vulnerabilities.

Fast-moving changes in technology have added to the potential risks companies face. It is not always easy for senior management to wrap its arms around the information technology risks confronting its organization. However, internal audit departments can help shed light on those risks.

The first step in embarking on a risk-based IT audit plan is determining the IT audit universe. That means pinpointing all the relevant auditable IT entities, including operating systems, databases and networks, as well as mission-critical business applications. Auditors taking this approach will want to measure the risks associated with these entities and focus their limited audit resources on the areas that could have the greatest impact on the business.


Fred Roth will be speaking on this topic at the IT Audit & Controls 2016 conference taking place in New Orleans from Dec. 6 to 8.

How you determine what to audit, and in what sequence, will be based on the risk criteria used to identify the impact of, and the likelihood that, conditions or events may occur that would harm the organization. Examples include competency; financial and economic conditions; asset size, liquidity and transaction volume; competitive conditions; and the complexity or volatility of activities. Discussions will include developing risk measurement criteria consistent with the organization’s mission, objectives and critical success factors.

Risk assessments address the likelihood and potential adverse impacts of events on organizational operations, assets and individuals. During the workshop we will have a debate regarding the significance of likelihood in the risk equation and how it applies to today’s high-risk IT environment.

We will discuss methods to identify and analyze risks to business information assets. Heading the list of IT risk factors is information criticality and the three pillars of information security: confidentiality, integrity and availability.

Confidentiality is essential to protect personally identifiable information and guard company secrets from inadvertent disclosure.

Integrity controls need to be in place in application systems so employees can trust that the output is complete and accurate.
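One way to make the impact-times-likelihood ranking concrete is the added example below. It is written for this page and is not code from the article, the workshop or MIS Training Institute. It scores a constructed audit universe (hypothetical entities and ratings, not any real organization's) on a 1 to 5 scale for each pillar, takes the highest confidentiality, integrity or availability rating as the entity's impact, multiplies by a 1 to 5 likelihood rating, and then fills a fixed budget of audit hours from the top of the ranking so the highest-risk entities are audited first.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class AuditableEntity:
    """One entry in the IT audit universe (ratings are constructed examples)."""
    name: str
    kind: str             # operating system, database, network, application
    confidentiality: int  # 1 (low) .. 5 (high) criticality of the data handled
    integrity: int        # 1 .. 5, how much the business relies on correct output
    availability: int     # 1 .. 5, tolerance for the entity being down
    likelihood: int       # 1 (rare) .. 5 (almost certain) that an adverse event occurs
    audit_hours: int      # estimated effort to audit the entity


# Constructed sample universe; the names and numbers are illustrative only.
UNIVERSE: List[AuditableEntity] = [
    AuditableEntity("Payroll application", "application", 5, 5, 3, 4, 120),
    AuditableEntity("Customer database", "database", 5, 4, 4, 3, 80),
    AuditableEntity("Corporate Wi-Fi network", "network", 3, 2, 3, 4, 40),
    AuditableEntity("Intranet web server OS", "operating system", 2, 2, 2, 2, 40),
    AuditableEntity("Test lab file share", "operating system", 1, 1, 1, 3, 30),
]


def impact_score(entity: AuditableEntity) -> int:
    """A single critical pillar is enough to make the entity critical, so impact is the max."""
    return max(entity.confidentiality, entity.integrity, entity.availability)


def risk_score(entity: AuditableEntity) -> int:
    """Risk = impact x likelihood, on a 1..25 scale."""
    return impact_score(entity) * entity.likelihood


def risk_band(score: int) -> str:
    """Map a 1..25 score to a heat-map band (thresholds are an assumption for this example)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_universe(universe: List[AuditableEntity]) -> List[AuditableEntity]:
    """Highest risk first; ties broken by impact, then by name for a stable, reviewable order."""
    return sorted(universe, key=lambda e: (-risk_score(e), -impact_score(e), e.name))


def plan_audits(universe: List[AuditableEntity],
                budget_hours: int) -> Tuple[List[AuditableEntity], List[AuditableEntity]]:
    """Walk the ranking, scheduling each entity whose hours still fit the remaining budget.

    Entities that do not fit are deferred to the next planning cycle, which is
    exactly the information an audit committee wants to see alongside the plan.
    """
    selected, deferred = [], []
    remaining = budget_hours
    for entity in rank_universe(universe):
        if entity.audit_hours <= remaining:
            selected.append(entity)
            remaining -= entity.audit_hours
        else:
            deferred.append(entity)
    return selected, deferred


if __name__ == "__main__":
    print(f"{'Entity':<26}{'Kind':<18}{'Impact':>7}{'Likelihood':>11}{'Risk':>6}  Band")
    for e in rank_universe(UNIVERSE):
        s = risk_score(e)
        print(f"{e.name:<26}{e.kind:<18}{impact_score(e):>7}{e.likelihood:>11}{s:>6}  {risk_band(s)}")
    chosen, later = plan_audits(UNIVERSE, budget_hours=240)
    print("\nPlanned this cycle:", [e.name for e in chosen])
    print("Deferred:", [e.name for e in later])
```

Taking the maximum pillar rating as the impact, rather than an average, keeps an entity with one critical property (a payroll system's integrity, for example) from being diluted by its low ratings elsewhere; the band thresholds and the 1 to 5 scales are choices an audit department would tune to its own risk appetite.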


Fred Roth is vice president of the IT Audit division of MIS Training Institute.