Risk-based audits, often carried out under the care of internal IT audit, IT Compliance, IT Security or IT Risk Management functions, are a relatively recent development in the world of auditing, according to this blog post by Dr. Jack Freund. After a brief review of the history of the IT audit, from the days of the Electronic Data Processing Auditors Association (EDPAA) through to the publication of COBIT, Dr. Freund explains how IT audits have been shaped by, and have themselves shaped, information technology in the business, and how they have been used to assess risk.
The blog explains how a mature risk management function must be able to inform decision makers about the severity of its findings, not merely report the findings themselves. This means that a good audit function should, according to the author, identify variances from agreed-upon policies and standards, identify the frequency of those deviations, and identify how critical the deviations are to the operation of the overall system. Most organizations take a “horizontal approach”, which focuses on the areas that correspond to high-risk business activities:
This approach has the potential to benefit the organization, since it aligns the auditor’s prioritization with that of the business (i.e., focusing on the areas that the business has already identified as critical). However, this approach will not improve decision-making when it applies standards to which the business has not agreed to adhere. For instance, strictly auditing against ISO/IEC 27001:2005 an organization that has not committed to follow it would not help inform management about their organization’s compliance with that standard. An ISO auditor would ask for the Statement of Applicability or evidence of management commitment, and the lack of either would immediately halt the audit. A key takeaway, then, is to ensure that any perceived best practices inform the decision-making of those who write the organization’s policies and standards, or those who have the authority to commit the organization to adhering to them.
The article concludes with an emphasis on the goals of a risk management function and the benefits that can be expected from it. To read the full article, click here: http://riskdr.com/2013/09/18/a-cooperative-model-for-security-audit-and-risk-a-collaborative-approach-to-risk-based-audits/