IT Examiner School, Providence, RI

Risk Assessment Red Flags

• The risk assessment does not incorporate both technical and nontechnical risks

• The risk assessment is not reviewed and updated at least annually (should be more often if there are significant operational changes). • Audit (controls testing) results do not impact the risk assessment and/or the risk assessment does not impact the audit scope & frequency.

IT Exam: Contracting the Depth of the Risk Assessment Review

• May be able to significantly contract the depth of the risk assessment review when: – The risk assessment was recently reviewed by a qualified auditor and found to be adequate. – There have been no changes in management or the environment since the last examination. – The quality of the risk assessment process has been validated.