Basics of Auditing IT Risk Assessments
The primary focus of an IT risk assessment is to identify the risks that IT presents to the business, i.e., adverse effects related to IT that are not in the best interests of the entity. These risks are usually associated with business elements such as business processes, the ability to deliver the service/product efficiently and effectively, the ability to comply with regulations or contractual obligations, the effectiveness of systems (especially accounting systems and financial reporting systems), and the effective management of the entity in general (achieving its goals and objectives, and successfully executing its business model). IT can introduce risks in any of these areas, and more. For instance, effective IT can enhance the entity’s ability to sell its products over the Internet, or move costs (clerical functions) from within the entity (employees) to customers outside the entity (e.g., online banking, where customers answer their own questions about their accounts). IT can also cause substantive negative effects, such as the unavailability of servers for online sales at places like eBay, or bugs in applications associated with accounting systems that lead to errors. The bottom line is that there is a need for an effective identification and assessment of the business risks associated with IT, wherever those risks are more than trivial. The recently released Risk IT: Based on COBIT® framework from ISACA provides a process structure within which all types of IT-related risks can be identified, defined, mitigated and reported.