Program Elements

Properly designed risk-based audit programs increase audit efficiency and effectiveness. The sophistication and formality of risk-based audits may vary depending on the institution's size and complexity. To determine the appropriate level of audit coverage for the organization's IT environment, management should define an effective risk assessment methodology. This assessment methodology should provide the auditor and the board with objective information to prioritize the allocation of audit resources properly. Risk-based IT audit programs should:

  • Identify the institution's data, application and operating systems, technology, facilities, and personnel;
  • Identify the business activities and processes within each of those categories;
  • Include profiles of significant business units, departments, and product lines, or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the institution;
  • Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments, and products;
  • Include board or audit committee approval of risk assessments and annual risk-based audit plans that establish audit schedules, audit cycles, work program scope, and resource allocation for each area audited;
  • Implement the audit plan through planning, execution, reporting, and follow-up; and
  • Include a process that regularly monitors the risk assessment and updates it at least annually for all significant business units, departments, and products or systems.


Previous Section
Risk Assessment and Risk-Based Auditing
Next Section
Risk Scoring System