Risk-Based IT Auditing: Prioritizing Key Areas of Risk and Concern
Key Takeaways
- Strategic Focus: Risk-based IT auditing moves beyond compliance to concentrate on the areas that pose the greatest risk to organizational objectives.
- Smart Prioritization: Limited resources are directed toward high-impact areas, such as cybersecurity, cloud/vendor risks, data protection, business continuity, and change management.
- Business Alignment: Audits are most effective when tied to the organization’s goals, IT initiatives, and regulatory requirements.
- Collaboration Is Essential: Input from IT, compliance, and enterprise risk teams ensures audits reflect real risks and strategies.
- Proactive Approach: By focusing on risk, auditors act as partners in safeguarding critical assets and driving continuous improvement.
Given that today’s digital world is ever-changing, it is no longer sufficient to perform box-checking internal audits that simply verify compliance. Internal auditors are now acting as strategic advisors who bring a risk-focused lens to the audits they conduct within organizations. This lens is especially valuable in IT auditing.
The scale and complexity of most IT environments (e.g., cloud platforms, legacy systems, mobile applications) make it virtually impossible to audit everything with the typically limited IT audit resources available. This is where a risk-based IT auditing approach can be useful.
What Is Risk-Based IT Auditing?
Risk-based IT auditing is a strategic audit approach that focuses resources and efforts on key areas that pose the greatest threat to the organization’s overall objectives. With this approach, it is important to align resources with the organization’s risk appetite, business goals, and regulatory obligations.
In simpler terms, risk-based IT auditing comes down to asking three questions about each area:
- What could go wrong in this area?
- How likely is it that this will go wrong?
- What would the impact be if it did go wrong?
From Coverage to Criticality
Historically, many internal auditors have treated audit coverage like a to-do list by reviewing every area and checking off the box once reviewed (e.g., checking user access controls, testing backups, reviewing system logs, etc.). However, this approach of providing equal treatment to all areas can waste critical resources and may not truly reflect the organization’s actual risk exposure.
With a risk-based audit approach, internal auditors must ask, “What is most important to the organization, and where is the greatest vulnerability?”
Prioritizing What Matters
Prioritization is very important in a risk-based audit approach. Key points for prioritization include:
1. Understanding the Business
Before planning or conducting IT audits, it is important to sit down with leaders and stakeholders to understand critical systems and processes, upcoming IT initiatives, regulatory requirements, etc. This grounds the audit plan in the organization’s actual operations rather than in assumptions.
2. Leveraging the Organization-Wide Risk Assessment
An organization-wide risk assessment helps identify key areas of concern and aids internal auditors in aligning the objectives of the audit plan. Audits should focus on the major areas of risk identified in the organization-wide risk assessment.
3. Focusing on High-Impact IT Areas
Common areas that are typically given the highest priority are:
- Cybersecurity and Access Management: Poor access controls, password hygiene, or unnecessary privileges can lead to major breaches of security and information.
- Cloud and Vendor Services Risks: As organizations migrate to SaaS (Software as a Service) and IaaS (Infrastructure as a Service) providers, third-party risk increases.
- Data Protection and Privacy: All sensitive data, for customers and the organization itself, must be safeguarded. This becomes even more crucial if the organization or the information it holds is subject to specific regulations (e.g., HIPAA).
- Disaster Recovery and Business Continuity: Organizations must be prepared to act quickly and appropriately when a critical event or worst-case scenario occurs.
- Software Development and Change Management: Careless software deployments or unverified code changes without proper oversight can lead to major issues for organizations (e.g., service outages, internal access and data breaches).
Collaboration
Risk-based auditing cannot be successfully achieved without collaboration. Internal auditors should communicate with leaders and stakeholders, including:
- IT leadership to obtain more technical insights into the organization’s IT environment.
- Legal and compliance teams to understand the organization’s regulatory requirements.
- The enterprise risk management (ERM) team to align the goals of the audit with the organization’s overall business and risk strategies.
From Reactive to Proactive
Risk-based IT auditing is about being proactive. This approach lets internal auditors focus constrained time and resources on the areas that matter most, protecting what is most important to the organization. By using risk as a compass rather than a constraint, internal auditors become instrumental partners in the organization’s improvement and risk mitigation strategies.
To learn more about McKonly & Asbury’s Internal Audit services, contact Dave Hammarberg, Partner, or Victor Kong, Senior Manager, who have been providing internal audit services for over twenty years. We would love to discuss how we can assist you with your challenges.
About the Author

Cecily joined McKonly & Asbury in 2023 and is currently a Senior Consultant in the firm’s Consulting Services group.