
IT Risks and Controls

One of the biggest aspects of my job is to perform IT audits, which examine IT systems to ensure that
assets are being safeguarded and data is being protected. A big challenge for this is recognising
where the risk is and what control would mitigate, lower or remove the risk. Personally, I have found
the “Onion Model” (Capgemini, 2015) to be one of the most useful tools to visualise “where” risk
can be found and “where” layers of controls need to be implemented. I have found the IIA GTAG
book series to be invaluable and especially useful for “what” IT controls are needed, whether it be
application controls, IT general controls or IT management controls.

IT Audit Process

With respect to the IT Audit Process, I feel that it is better value to combine IT Audit into financial and
process audits. The integration of IT audit allows techniques such as Computer Assisted Audit
Techniques (CAATs) to be utilised to add value to test sample data accuracy, completeness and
reliability.

IT Governance

In my organisation, internal audit only plays a small part in IT Governance, and this is mainly for
providing compliance and assurance or as a post-mortem role to projects that have failed. Personally,
I would like to see internal audit play a greater consultative role, and this may prevent governance
issues.
