Do you want to create a flexible, risk-based audit program for your organization? Some believe that internal audit should play a lead role in advising management on risk issues and setting the risk management agenda. Others think that internal audit should exist only to provide independent assurance over the risk management functions.
In this article at ISACA, Alexander Obraztsov explains effective steps for IT risk management using ISACA’s IT Risk Management Audit Program.
Steps for Effective Auditing of IT Risk Management
Map the Relevant Standards
Tailor your audit program to the specific industry and to the circumstances presented by the information technology environment. Encourage your IS auditors to apply their professional judgment in deciding which procedures, information, and tests to include in the audit program. Further, the IS auditors must map the audit program to the relevant industry standards, guidelines, and regulations so that mandatory regulatory requirements are not overlooked during the planning phase.
Adjust the Audit Objectives
The ISACA program’s control objectives (COs) address IT risk governance and framework, events identification, management processes, assessment and response, and maintenance and monitoring of remediation action plans. “The IS auditor might include all control objectives in the audit program, or only some of them, if the scope is limited to specific themes (e.g., annual risk assessment, risk monitoring, and reporting),” says the author.
Conduct Continuous Monitoring and Assessments
Given the increasing threats and the dynamic nature of the risks confronting many organizations, a static “annual audit plan” approach will not be enough for internal audit to address evolving risks. Conducting regular assessments helps organizations identify inefficiencies and mitigate evolving threats.
IT auditors can streamline their tasks with the help of ISACA’s IT Risk Management Audit/Assurance Program, COBIT 5, and COBIT 2019. With ISACA’s programs in place, IT auditors can design a standardized approach, increase the efficiency of the audit work, and gain a comprehensive view of the enterprise’s risk management program. To learn more, see https://www.isaca.org/resources/news-and-trends/newsletters/cobit-focus/2019/five-steps-for-effective-auditing-of-it-risk-management.