The Difference Between IT Risk Assessments and IT Audits

Patrick Hughes
Jul 7, 2021 1:00:00 PM

While information technology (IT) risk assessments and IT audits go hand in hand with one another, the two terms are often misused. There are several key differences between an IT risk assessment and an IT audit that matter when deciding which is best for your organization. In this blog post, we will discuss the similarities between the two, the differences, and some guidance on which route to take depending on your circumstances. Before we can do that, we must first review some terms that are important to understand for any type of assessment you choose.

In the world of IT security, we have what are referred to as controls. Controls are specific activities performed by individuals or systems that are designed to ensure business objectives are met. They are a subset of an enterprise’s internal control. Controls are designed to deter and mitigate risk. Controls are documented in the policies and procedures of an organization; this is considered the control design. In practice, they are found physically and logically throughout the organization, for example locked doors, cameras, and access controls on systems. There are preventative controls, detective controls, and corrective controls. An example of a preventative control would be a firewall implemented to prevent unwanted access. An example of a detective control would be log files that can be reviewed to detect incidents. Corrective controls are implemented to remediate weaknesses. A control weakness is the lack of properly functioning controls, which leads to risk. The goal is to implement controls to reduce risk to a reasonable level. So, you may be wondering why we need to understand this first. The reason is that no matter what type of assessment you are conducting, whether it is an IT risk assessment or a full-blown IT audit, we are always assessing the client’s control environment against something. That something could be a law or regulation, such as HIPAA. It could be a standard like the Payment Card Industry Data Security Standard (PCI DSS) or a framework like COBIT. It could even be the organization’s own policies or industry best practices. In any event, it is important to note that we are testing both the design and the operating effectiveness of the organization’s control environment.

The biggest difference between an IT risk assessment and an IT audit is that an IT audit is a deeper dive and requires the auditors to see more evidence than an IT risk assessment does. In both IT risk assessments and IT audits, you always need to first develop an assessment/audit plan. This is where you identify what the organization will be assessed against and how the controls will be tested. Evidence is then requested based on the controls outlined in the assessment/audit plan. As we just discussed, in an IT audit the evidence collection phase is much more intense: samples are requested, and the auditors assess the artifacts provided and form an opinion on the operating effectiveness of the controls in place. In both types of engagement, interviews with key members of the staff and a walkthrough of the facility are performed. In an IT audit, the auditors also solicit management responses to any findings that were identified. Finally, the IT risk assessment or IT audit report is drafted.

You may still be wondering which is right for you. That comes down to your business and the laws and regulations that govern it. If you are required to comply with a law or regulation that mandates an IT audit, you would obviously want to go down that path. If you are interested in seeing how your organization fares in terms of general IT security, you may be better served by first having a risk assessment performed. It is also important to understand where your business may go in the future and plan accordingly. With so many variables and unique business challenges involved, it is often best to seek the assistance of a third-party IT security and compliance firm to help identify an ideal assessment strategy. Compass IT Compliance has spent the past decade serving as that unbiased sounding board, advising organizations on which assessments would be most beneficial given their specific business circumstances and regulatory environment. Compass IT Compliance also serves as a trusted third-party assessor, conducting both IT risk assessments and IT audits for organizations across the nation. Contact us today to schedule a no-cost consultation call with one of our experts!
