How to Build an IT Audit Plan

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


This post is primarily for IT auditors, but its philosophy applies equally to those charged with assessing so-called IT risk.

The first step is to recognize that there shouldn’t be a separate IT audit plan! It should be fully integrated into the overall internal audit plan and focused on the risks that matter to the organization as a whole.

Similarly, risk should not be assessed in silos, which is what happens when you have an isolated IT risk management function with its own processes and risk register.

These days, most business initiatives and strategies depend on technology (either providing the foundation, enabling, or not getting in the way of the strategy). They key is to identify how those initiatives and strategies are dependent on technology.

Where the risk to achievement of the business strategy from a potential failure relating to the use of technology is high, consideration should be given to including an engagement to address that risk in the internal audit plan.

The risk is not the technology failure; it is the impact of such a failure on business objectives!

The work performed may be an assurance engagement, designed to provide assurance that the risk is managed within acceptable limits, or a consulting engagement, working in a more collaborative fashion with management to ensure processes and controls provide reasonable assurance that the risk is within acceptable limits.

There’s the traditional approach to building the plan. I just watched a couple of videos from Deloitte on the topics of “Auditing what matters” and “Moving toward the postdigital enterprise.”. They are useful and thoughtful, but not the approach I would take, even though I agree with the titles and aims.

My first step would be to talk to the CIO (best) and see whether he and his people are involved in understanding and assessing the technology-related risks to the organization’s strategies and objectives. If so, is that process adequate? Does it provide reasonable assurance that technology-related risks that might impact the achievement of each of the strategies and objectives are identified, assessed, and managed within acceptable (to business management) levels? Or is it a technology-related risk assessment that starts with technology instead of starting with the business strategies and objectives?

If it starts with technology-related risks, then how can you be sure that it is complete? How can you be sure that all the technology-related risks for every strategy/objective are assessed, prioritized, and resources allocated based on their significance to the success of the organization as a whole?

This is basically an assessment of that part of IT governance (or, if you prefer, enterprise governance of technology) relating to the relationship between the management of technology and the achievement of organizational objectives.

If the process is effective, then I would assess whether the organization’s risk management program is itself effective? Does it provide reasonable assurance that risks to the achievement of the organization are managed at acceptable levels? Does it integrate risks related to the use of technology – in other words, is the management of risk and technology in general by IT adequately integrated into the organization’s overall risk management and governance processes?

If possible, I would use management’s identification and assessment of technology-related risks.

If not, I would work as part of an integrated internal audit effort to identify the more significant risks to the achievement of objectives by taking each strategy and objective, in turn, and (usually using a risk workshop involving appropriate management) identify the more significant risks, including technology-related risks.

This is a top-down approach that should help internal audit ensure its focus is on the business risks that matter – those relating to the achievement of corporate strategies and objectives.

But, I would go further and balance that top-down approach with the more traditional bottoms-up approach, as described by Deloitte.

Working again with IT management where possible, I would identify the “risks” from a technology perspective that seem most significant. I am talking now of “risks” (actually risk sources) that are described by reference to the technology, such as social media, mobile, privacy, big data analytics, cybersecurity, and so on.

I would not assess these in terms of their effect on IT and users, but in terms of their effect on the achievement of corporate strategies and objectives. In other words, assess whether they are sources of risk that should have been included in the top-down assessment.

I would combine the results of the top-down and bottoms-up process.

This process would help the IT auditor and the CAE ensure that IT audit resources are focused on the risks that matter to the organization as a whole.

From a risk management perspective, a combination of top-down and bottoms-up processes will give a more reliable identification and assessment of all business risks, including those arising from the use or misuse of technology.

Do you agree?

Please see this related post: Reflections on IT Risk and Audit.

Posted on Dec 7, 2013 by Norman Marks

Share This Article:    

  1. Norman, can I pose a question? You’ve used the phrase ‘reasonable assurance’ in this article 3 times. I’d be really interested to hear your views as to what ‘reasonable assurance’ means in practice, as against say ‘substantial’ or ‘adequate’ or ‘limited’ assurance. The Standards are silent yet 2410.A1 is clear that we must, where appropriate, give an opinion or conclusion. As far as I’m aware, the IIA haven’t issued any guidance as to what constitutes ‘reasonable ‘assurance’. As the CIA annual opinion begins to have greater prominence in the overall assurance framework, it would be helpful to know that ‘reasonable assurance’ within company A, had exactly the same meaning as within company B. This would allow all stakeholders to be able to compare apples to apples. Any thoughts?
  1.  David, please see this:

  1. Each and every activity irrespect of its form needs check and balance.So while conducting IT audit activity, the factor Authorisation or Access to use software, having confidential data of any business,enterpenur is to be assured as well as the integrity of the user.Generaly un authorise access to data creates problems, so it leads to internal controls and governance.

Leave a Reply