One thing the IT auditor can do when auditing IT risk assessment is to obtain a copy of the current IT risk assessment document. If management does not have one, or if it exists only in their heads, then by default, assurance that risk is being properly assessed and mitigated is lowered. Another good start is to obtain the entity’s business model; its goals, objectives and strategies; and its policies and procedures documents. A review of these documents will enable the IT auditor to understand the role of IT and where risks could occur.