How to Plan an Information Technology (IT) Risk Assessment
ISACA Information Technology (IT) Audit and Assurance Standard S11, “Use of Risk Assessment in Audit Planning,” explains the role of and need for risk assessment in IT audits:
According to Tommy Singleton, beginning with the American Institute of Certified Public Accountants’ (AICPA) statement on auditing standards (SAS) No. 99, “Consideration of Fraud in a Financial Statement Audit,” and continuing with the risk-based audit standards (SAS 104-111), financial audits are planned after a risk assessment specifically identifies the risks of fraud or material misstatements that have taken place, accompanied by assessed levels of risk (e.g., from low to high). Audit procedures are then developed at a concomitant level of risk; that is, a high risk requires a high-strength test or procedure, whereas a medium risk requires a medium-strength test.
What is an IT Risk Assessment?
The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of




