Risk Based Auditing!
I am often asked, especially at the end of a year, what should we be focusing our next audit plan upon?
My answer: Focus your auditing on testing YOUR controls that mitigate the most risk in YOUR environment. Don’t bother testing controls which do not mitigate risk. Other than compliance risk*, recent trends should NOT be a consideration when you develop your audit plan.
In other words, be careful not to fall for all the blogs pushing trend-auditing practices or annual checklists*. If your organization is not deploying Latest-Gadget-A, or is not involved in Recent-Buzzword-Process-B, then there is no need to focus your audit program on these issues. But if you still haven’t addressed end-of-life operating system A or last-year’s-buzzword-adopted-late then you should be sure to make these “outdated” issues a high priority.
The focus of any IT Audit plan should be to test the controls which you declared in your most recent risk assessment. If your risk assessment is measuring inherent and residual risk, then the change in risk due to the controls you are declaring should dictate the priorities of your audit testing.
* Note: If the checklist or trend is in the form of a “guidance” sent to you by a regulator who governs your organization, then compliance risk would dictate that the guidance be turned into an audit checklist, and this would then be a focus for this year’s audit plan.
Dan Hadaway CRISC, CISA, CISM
Founder and Managing Partner, Infotex
“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”