An organization’s IT environment varies in complexity from business to business, which directly impacts the risk profile and the system of controls that should be implemented to support the company. Below are some important factors to consider when beginning the audit process:
1) IT Geography
Your business model impacts IT structure and delivery, and centralized and decentralized businesses often require very different audit scopes. A centralized business may choose to keep IT support onsite and use a suite of enterprise applications to support its IT security needs, whereas a decentralized business is more likely to rely on a larger, more diverse pool of applications to support its aims. The scope of an audit may change based on these factors, but every business is unique and may break with these conventions.
2) Systems in Use
The saying “Variety is the spice of life” is rarely uttered by IT risk professionals, as the opposite is true when it comes to managing company IT risk. Diversity in the IT stack (the “building blocks” of IT infrastructure, including program code, database, operating system, and network infrastructure) is not ideal, but it is the reality for many companies that are unable to homogenize all elements of an IT service structure due to operational needs. Still, it is much safer (and simpler) to create a homogenized environment with an easily identifiable IT stack where possible.
3) Customized Instances
Vendor software, such as applications, operating systems (OS), or additional support software, is often modified to meet the specific needs of a business or organization. Customization of third-party software requires advanced set-up from vendors and may incur risk both from improper usage by the organization and from difficulty implementing the additional controls needed to compensate for the extra risk taken on by creating a unique instance or product variant.
4) IT Governance
An IT Governance program allows an organization to manage the day-to-day activities of its IT program and assess risk through a regularly maintained set of policies and standards. An organization’s adherence to these policies and standards is imperative to its success, so management should adequately understand, communicate, and update these programs.
5) Technology Reliance
Some organizations employ technology extensively, while others are still in industries that have yet to adopt technological solutions beyond having a website and email. The significance of IT grows as a company’s reliance on a complex system of interrelated technologies creeps into every facet of its business. Once an organization can no longer operate without its technology, the need to pursue an IT audit plan for risk assessment should be evident.