Skip to main content

Using Risk Scoring to Determine the Frequency of IT Audits

Hey Guru!

In my last IT examination, one of the findings was that the scope and cycle of our IT audits should be more closely tied to risk. We have IT audits every 12 months, what else should we be doing?


By conducting Information Technology audits every 12 months, you’ve effectively (and correctly) determined that IT is a major source of risk in your organization. I don’t think the examiner is criticizing your decision, they’re only asking that you document how you came to that determination. Why every 12 months? Why not 6, or 18, or 24? The FFIEC Audit Handbook states that your risk assessment guidelines specify:

A maximum length for audit cycles based on the risk scores. (For example, some institutions set audit cycles at 12 months or less for high-risk areas, 24 months or less for medium-risk areas, and up to 36 months for low-risk areas. Audit cycles should not be open-ended.);

In the past, saying “…because that’s how we’ve always done it” might have been sufficient, but lately examiners often want a more definitive basis for IT audit scope and frequency. The Audit Handbook states that risk-based IT audit programs should:

Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments, and products;

This highlights a recent trend we’re seeing which we refer to as the “defacto scoring system”. This refers to any situation where someone in your organization makes an undocumented risk-based decision, and it happens more often than you might realize. One example is when you decide that certain vendors do not need to be included in your vendor management program because they don’t meet a minimum risk threshold. Far better to risk assess and score every vendor, then apply controls (or not) based on that inherent risk score.

Similarly, by keeping to a 12-month audit scope and frequency, someone in your organization made an undocumented determination that IT risks and controls should be reviewed on a 12 month cycle. Again, I don’t think the examiner is faulting that decision, only the decision-making process (or lack thereof).

Implementing a robust IT (or vendor) risk scoring system is not an easy task, but it is a regulatory expectation, and it seems to be where the examiner is leading you. A comprehensive risk management system will evaluate the source of risk (typically your business processes and the assets required for those processes), the risks and threats to those sources, and the controls implemented for the risks and threats identified. Apply a numeric score at each step. (I’ve oversimplifed the process a bit for brevity. This FDIC FIL is an excellent reference if you want to take a deeper dive into risk modeling.)

At this point you should be able to list all risk sources from high to low, all risks/threats from high to low, and all controls from strongest to weakest. Most importantly, risks should be scored both at the inherent level (before controls), and the residual level (after controls). Your audit plan* should then specify that your IT audits are risk-based; the scope will focus on inherent (NOT residual) risk levels for your riskiest assets, highest risks and threats, and most critical controls, and the audit cycle (frequency) will be every 12 months or less for these high-risk areas.

This approach should more than satisfy the examiner, AND as an added bonus, providing this to your IT auditor prior to the engagement will also greatly assist them as they build their scope of work.

*FFIEC IT Handbook: Audit Booklet, (Appendix B: Glossary):

  • Audit Program – The audit policies, procedures, and strategies that govern the audit function, and cover all of an institution’s major activities including IT audit.
  • Audit Plan – A description and schedule of audits to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work and includes other items such as budget, resource allocation, schedule dates, and type of report issued.

Other Compliance Guru posts related to this topic include: Ask the Guru: The IT Audit “Scope” and Audits vs. Examinations.