Would you pay to have four people doing what one person could do on their own? Well, Dr. Jack Freund says you might be doing just that if you are not taking a collaborative approach to risk-based audits. Most organizations have different groups that take care of internal audit, IT compliance, IT security, and IT risk management. While this isn’t necessarily wrong, if these four groups communicate poorly they may end up doing each other’s work and draining valuable company resources.
Freund says that one of the key problems with risk management today is its focus on qualitative assessments and control-based activities. These tasks often just go back over the work of internal audit and IT compliance. What risk management should actually be doing is communicating the severity of audit findings to the organization’s decision makers. Meanwhile, it is the job of auditors to identify variances from agreed-upon policies and standards, the frequency of these deviations, and how critical the deviations are to the overall system. If an organization can find the right balance between internal audit, risk management, IT security, and IT compliance, then it is on its way to becoming a safer and stronger organization.