Examiners told us we need one as our IT risk is large.
Policy or Procedure?
Do you have a risk assessment issue and not a policy/procedure issue?
Audits are usually conducted the same for each area. Hence my confusion with the statement.
We risk rate all relevant areas of the bank and IT is no exception. If your risk assessment follows a different methodology for each area it would not show the relevant differences between the areas to be audited, so you would not be able to allocate your resources effectively. If you have a separate (standalone) "IT Audit" function and had to allocate resources around "IT Audit" that would be different and could use a different RA and policy.
PS Making policy without a risk assessment would be placing the cart before the horse.
_________________________
Opinions can be considered as coming from anywhere but my employer.
CAMS