Chapter 6
Auditing IT Risk Management
Overview
The IS auditor is required to have a good understanding of IT risk in the enterprise, and is
regularly called upon to carry out IT risk audits because of the pervasive and constantly
changing nature of IT risk. Many enterprises depend on IT to run and manage business
operations, and for this reason management requires assurance that IT systems can deliver
the required services and that data and information are protected. IT should also add value
to the enterprise in terms of growth, efficiency, and profitability.
Many enterprises have implemented IT risk frameworks in order to manage IT risk effectively,
rather than relying on disaster recovery procedures alone. There are many ways of mitigating
risk, which we shall review in this chapter. Our focus will be the key areas that should be
considered when auditing IT risk.
The IS auditor should have a good understanding of the enterprise risk policy, the risk
standards in use, and the IT risk procedures that have been implemented. This information
enables the IS auditor to appreciate how IT risk is being managed in the enterprise.
This chapter focuses on what IS auditors should take into consideration when carrying out
IT risk audits, so that management can have the required confidence in the IT systems used
to automate business processes.
Objectives of Auditing IT Risk Management
It is important to clearly outline some of the objectives of carrying out an IT risk audit.
There are many reasons, of course, but in this chapter we will focus on a few key ones.
IT risk audit objectives may include:
1. to find out whether an IT risk management framework exists and has been implemented in the enterprise
2. to determine whether the IT risk management framework is included in the enterprise's overall risk management framework
3. to determine which risk standards or best practices are used to implement risk management in the enterprise
4. to establish that a risk register has been developed and covers all the functions in the enterprise
5. to find out whether the enterprise regularly conducts risk assessments