IT Audit Risk Assessment

Does everyone have a separate IT Audit Risk Assessment for determining the audit schedule from the Enterprise Wide RA? I am needing to separate the two so I can have a more detailed IT Audit RA. Does anyone have one they would be willing to share?

These are always hard questions to answer and each institution is different. Does your IT Department have a Risk Assessment of their processes?

They have a GLBA Risk Assessment that is done by a third party. The third party also does an ebanking and cybersecurity RA for us. But no their is really not one done by the IT Department on their processes.

I would start there and recommend they create a risk assessment of their processes. Have them start with their critical items. What I have found over the years IT Departments believe everything they do is critical.

Okay, thank you for your help!