IT Risk Assessment Methodology

Our IT risk assessment methodology identifies and classifies the inherent risks that an organization faces. The key business applications in use at a client are identified and addressed at a high level, in order to incorporate them into the future planning process. The controls within the client business application systems residing on the various platforms are evaluated during the course of the review.

Our IT risk assessment methodology includes several steps, namely:

• Identifying and obtaining a high-level understanding of the key business applications in use at a client
• Establishing the main platforms on which existing applications reside and identifying the key interfaces between them
• Identifying, at a high level, outstanding user needs, demands and problems regarding existing applications, applications under development and proposed applications
• Recommending controls and procedures to be instituted to manage the identified risks effectively

This methodology uses the classifications below to categorize each risk identified in the IT Environment:

Green Areas:
These are areas that have been identified as being low risk, from a business as well as an audit perspective. It is not critical that the controls over these areas are reviewed in detail on an annual or a rotational basis. However, the decision not to rotate is a management decision.

Orange Areas:
These are areas that have been identified as medium risk (i.e., an important risk exists, but it is not so material that it is likely to result in significant loss or embarrassment should the required controls not operate effectively). The controls over these areas should be reviewed at least once every two to three years on a rotational basis.

Red Areas:
These are areas considered to be inherently high risk from either a business or audit perspective and therefore capable of resulting in significant financial loss or embarrassment. The controls over these systems should be reviewed on an annual basis to confirm that the controls are in place and continue to be adequate to mitigate the inherent risks.
