IT Auditing and IT Risk Assessment: What's the Difference?

3 min read
July 30, 2015 at 10:15 AM

We often hear the terms IT Risk Assessment and IT Audit used in various situations and often times they are used interchangeably. This causes great confusion for people who are trying to determine not only what they are looking for in terms of a service, but also what they can expect throughout the process as well. The Risk Assessment and the Audit, while similar on the surface, are very different altogether for a variety of reasons.

What is an IT Risk Assessment? If we look at the basic definition of what a risk assessment is according to, we find that it is “the identification, evaluation, and estimation of the levels of risk involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk.” Pretty straightforward stuff.

IT Audit Post

Now that we have defined what a risk assessment is, what about an audit? According to the same source, an audit is “periodic onsite-verification by a certification authority to ascertain whether or not a documented quality system is being effectively implemented.” There are some key differences between the IT Risk Assessment and IT Audit which we will detail below: 

  • Who Performs What? – The first and most obvious difference between the two is who performs the task. A risk assessment can be either a self-assessment or completed by an independent third party. An audit must be completed by an independent, certified third party. This is an important distinction to make as you cannot perform a self-audit!
  • How Deep Does it Go? – The next consideration that we must look at is the depth or level to which the method of evaluation goes. An IT Risk Assessment is a very high-level overview of your technology, controls, and policies/procedures to identify gaps and areas of risk. An IT Audit on the other hand is a very detailed, thorough examination of said technology, controls, and policies/procedures. In an IT Audit, not only are these items listed going to be evaluated, they are going to be tested as well. This is a major difference between the two as the Risk Assessment looks at what you have in place and the Audit tests what you have in place.
  • Who Requires What? – This can be a very gray area in determining the difference between the risk assessment and audit process. Typically, you conduct an audit to comply with various Federal, State, and/or Industry regulations. Examples of these might be FFIEC regulations on conducting an annual IT Audit, the PCI Security Standards Council requiring a full PCI Report on Compliance (ROC), or an organization that goes through the SSAE16 SOC Reporting process. A good example of a risk assessment might be completing a PCI Self-Assessment Questionnaire or completing an IT Risk Assessment for cybersecurity insurance requirements.
  • How Often are they Completed? – Best practice outlines that an organization should conduct a risk assessment on at least a yearly basis or whenever there have been significant changes to their IT environment, such as the addition or removal of hardware and/or software. At the end of the day, there is no guidance holding an organization to when they need to complete a risk assessment overall. An audit traditionally has a very specific timeframe in mind for when they need to be completed. In the examples provided in the previous paragraph, there are very specific instructions that they MUST be completed on a yearly basis by an independent, objective third party.

There is no doubt that these terms will continue to be confused for years to come as that is unfortunately the nature of these services. Hopefully the information above will help you to determine the key differences between each type of service, when it needs to be completed, and who needs to complete it. Feel free to contact us to learn more about the differences and similarities between an IT Risk Assessment and IT Audit!

Contact Us

Get Email Notifications

No Comments Yet

Let us know what you think