What should we focus our 2014 Audit Plan upon?
Risk Based Auditing!
I am often asked, especially at the end of a year, what should we be focusing our next audit plan upon?
My answer: Focus your auditing on testing YOUR controls that mitigate the most risk in YOUR environment. Don’t bother testing controls which do not mitigate risk. Other than compliance risk*, recent trends should NOT be a consideration when you develop your audit plan.
In other words, be careful not to fall for all the blogs pushing trend-auditing practices or annual checklists*. If your organization is not deploying Latest-Gadget-A, or is not involved in Recent-Buzzword-Process-B, then there is no need to focus your audit program on these issues. But if you still haven’t addressed end-of-life operating system A or last-year’s-buzzword-adopted-late then you should be sure to make these “outdated” issues a high priority.
The focus of any IT Audit plan should be to test the controls which you declared in your most recent risk assessment. If your risk assessment is measuring inherent and residual risk, then the change in risk due to the controls you are declaring should dictate the priorities of your audit testing.
* Note: If the checklist or trend is in the form of a “guidance” sent to you by a regulator who governs your organization, then compliance risk would dictate that the guidance be turned into an audit checklist, and this would then be a focus for this year’s audit plan.
Dan Hadaway CRISC, CISA, CISM
Founder and Managing Partner, Infotex
“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
Lessons Learned from Zoom’s Rise… The only constant is change. An illustration of imp
A Webinar Back by popular demand! Based on what Dan is finding in reviews of several
While we’re not a news service, we often use current events to comment on trends and
Welcome IBA Forum attendees! Looking to set up your own program for people to work fr
A short. This presentation is intended for those who are planning to participate in a