IT Essentials — Assessing Infrastructure and Networks

            It is important to understand the business risks and IT controls, as well as the skills and
            competencies required to conduct these types of audit engagements.

            Guidance for Conducting IT Assessments

            According to The IIA’s GTAG, “IT Essentials for Internal Auditors,” assessing IT-related risks and
            controls represents one of the first steps in gaining an understanding of the IT environment and its
            significance in business risk management.

            The next step, assessing and understanding IT governance, permits the internal auditor to identify
            who is accountable for what in IT and how IT leadership, in cooperation with business leaders,
            deploys the IT strategy. In this context, CAEs should keep in mind that IIA Standard 2110.A2 calls for
            “assessing IT governance.”

            Once IT governance is assessed, analyzing IT-related risks is a logical next step in the process.
            Unfortunately, there is no universal checklist for analyzing IT risks. Each organization — driven by
            the requirements of its nature and size of business — operates different technology infrastructure,
            applications, and interfaces, and uses different policies to achieve IT strategy.

            Performing a risk analysis by using a structured methodology, such as that outlined in the
            International Organization for Standardization’s (ISO) 31000 Risk Management guidelines, and other
            business leaders will help the internal audit team understand the impact IT has on the overall
            enterprise risks. Developing solid and trusted relationships will allow for transparency when
            analyzing inherent and residual risks.

            Assessing the IT-related risks and controls and their impact on critical business processes requires a
            thoughtful and organized plan. CAEs should plan sufficient time and skilled resources to do a
            professional job and create a sustainable process for ongoing analysis.


            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.