Scoping Your IT Audit Based on Risk
"Scoping your IT Audit based on risk" is a phrase that’s thrown around a lot by IT Audit companies and examiners, but what does it really mean? How do you know if your IT Audit is truly risk-based, or if it’s based on an auditor’s idea of what security ought to be? Let’s start by looking at the requirements of Information Security Assurance and Testing from the FFIEC Information Security (IS) Booklet.

The first thing the IS Booklet states in Section IV – Information Security Program Effectiveness (sub-section IV.A – Assurance and Testing) is that there are two parts to Information Security testing:

  1. IT system design is what we like to call “adequacy.” Another way to look at “adequacy” is to determine if you are doing enough to protect customer information, or are there other steps you should be taking?
  2. IT system operation is what we refer to as “compliance with your own program.” In other words, are you doing what you say you’re doing from a control-implementation (IT Risk Assessment) and policy/procedure (Information Security Program) standpoint?

The IS Booklet also lists “Scope” as the first “Key Factor” of IS Testing (sub-section IV.B – Key Testing Factors). The IS Booklet defines Scope as, “The tests and methods utilized, in the aggregate, should be sufficient to validate the effectiveness of the security process in identifying and appropriately controlling the risk from information security-related events.”

So what does it really mean to scope your IT Audit based on risk? A risk-based IT Audit looks at your Information Security Program and your various risk assessments to determine the riskiest areas of your organization, allowing you to focus more time and effort on those areas.


Compliance vs. Adequacy

One of the first steps to take when talking with an external IT audit company is to work with them to determine the scope of your audit. You will want to scope the audit based on your riskiest IT assets and Information Security Program (ISP) processes, not the firm’s default checklist. The audit should then validate the controls you’ve identified in your IT Risk Assessment and Information Security Program for both compliance (are you doing what you say you’re doing?) and adequacy (is what you say you’re doing enough?) to protect your customer information.

So how do you determine a risk-based scope?


Determine Your IT Audit Scope

The first risk-based tool you can use to help scope your IT Audit is your IT Risk Assessment. The IT Risk Assessment is based on identified risks (threats) to your IT assets and the controls in place to mitigate those risks. Your IT Risk Assessment should identify your most inherently and residually risky IT assets. The Inherent Risk of an IT asset is its risk before any controls are implemented to protect it; Residual Risk is its risk after you implement controls. You want your riskiest IT assets independently audited to validate the controls you identify as implemented in your IT Risk Assessment.

Figure 1 – IT Risk Assessment – Asset Risk Report from TRAC

The second tool you can use to help scope your IT Audit is your Organizational Risk Assessment. This assessment is a high-level view of the risk to your organization as a whole. The most common Organizational Risk Assessment used by financial institutions today is the FFIEC Cybersecurity Assessment Tool (CAT). The CAT provides two components that can help determine your IT Audit scope: The Inherent Risk Profile and the Cybersecurity Maturity section.

The FFIEC CAT’s Inherent Risk Profile component rates your institutional risk based on five categories and how you deploy products and services in each category. The Inherent Risk Profile components with higher Inherent Risk ratings should be reviewed in detail when scoping your IT Audit.

Figure 2 – FFIEC CAT – Inherent Risk Profile Report from Cyber-RISK

You can use your CAT Cybersecurity Maturity Level(s) as part of your scope in an IT Audit. If you have not yet reached the Baseline Maturity Level, assessing your organization against the 123 Baseline Maturity controls is a great place to start. If you have moved beyond the Baseline and into the Evolving Maturity Level of your Cybersecurity Assessment, you may want to consider including some of those controls in your IT Audit scope as well.

Figure 3 – FFIEC CAT – Risk/Maturity Matrix

In addition to the FFIEC CAT, there are other Organizational Risk Assessment methodologies you can utilize to review your organization and Information Security Program and determine the areas of greatest ISP risk. You can look into tools to help automate the process and perform a self-assessment of your own ISP. Here’s an example of the ISP Risk Chart from TRAC’s ISP module, which shows the areas of greatest risk exposure based on an assessment of your own ISP. The red ISP components would be important items to scope into your IT Audit in detail.

Figure 4 – ISP Risk Assessment – ISP Risk Chart from TRAC

If you need help with building an IT Risk Assessment or understanding Inherent Risk vs. Residual Risk, check out our article on “How to Build a Better IT Risk Assessment.”


Should You Base Your Scope on Inherent or Residual Risk?

Having discussed Inherent vs. Residual Risk earlier, you may be wondering whether you should use Inherent or Residual risk ratings to scope your IT Audit. The answer depends on what you want to accomplish in the IT Audit scope.

If you are looking to evaluate the quality of risk reduced around your most inherently risky assets and processes, scope the IT Audit based on Inherent Risk. The Inherent Risk of your ISP components and IT assets will remain fairly constant over time, meaning you’ll concentrate your assessment efforts around your most important and risky assets and processes. Assessing based on Inherent Risk tends to focus more on the adequacy of your ISP and IT asset controls.

If you’re looking to evaluate the quantity of risk reduced around your most inherently risky assets and processes, scope the IT Audit based on Residual Risk. The Residual Risk of your ISP components and IT assets may fluctuate based on the maturity of your program and the controls you deploy. Assessing based on Residual Risk tends to focus more on compliance around whether you are actually implementing the controls you’ve documented in the IT Risk Assessment and ISP.

Scoping your IT Audit based on Inherent Risk is the more common of the two practices; however, it’s perfectly acceptable to scope your IT Audit based on Residual Risk, especially if compliance is your key focus.
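As an added illustration (not code from the article, TRAC or SBS), the following Python ranks a constructed IT asset inventory by Inherent Risk and then by Residual Risk to show how the two scoping choices pick different assets; the likelihood × impact scoring and the per-control effectiveness fractions are assumptions for the example, not the article's method.

```python
"""Constructed example: scope an IT Audit by Inherent or Residual Risk.
The scoring formula below is an assumption for illustration only."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    likelihood: int  # 1 (rare) .. 5 (expected), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale
    # control name -> fraction of inherent risk it removes when in place
    controls: dict = field(default_factory=dict)
    # controls the institution documents as implemented (compliance question)
    implemented: set = field(default_factory=set)

    @property
    def inherent_risk(self) -> int:
        # Risk before any controls: likelihood x impact (assumed formula)
        return self.likelihood * self.impact

    @property
    def residual_risk(self) -> float:
        # Only controls documented as implemented reduce the inherent score.
        remaining = 1.0
        for ctrl in self.implemented:
            remaining *= 1.0 - self.controls.get(ctrl, 0.0)
        return round(self.inherent_risk * remaining, 2)


def audit_scope(assets, basis: str, top_n: int) -> list:
    """Return the top_n asset names ranked by 'inherent' or 'residual' risk."""
    key = {"inherent": lambda a: a.inherent_risk,
           "residual": lambda a: a.residual_risk}[basis]
    return [a.name for a in sorted(assets, key=key, reverse=True)[:top_n]]


# Constructed inventory with differing control coverage.
INVENTORY = [
    Asset("core banking", 4, 5, {"mfa": 0.5, "patching": 0.4}, {"mfa", "patching"}),
    Asset("online banking", 4, 4, {"mfa": 0.5, "waf": 0.3}, {"waf"}),
    Asset("wire transfer", 3, 5, {"dual control": 0.6, "callback": 0.5}, set()),
    Asset("guest wifi", 3, 2, {"segmentation": 0.7}, {"segmentation"}),
]

if __name__ == "__main__":
    for basis in ("inherent", "residual"):
        print(basis, audit_scope(INVENTORY, basis, 2))
```

The well-controlled core banking system leads the Inherent-Risk scope (are its documented controls enough?) but drops out of the Residual-Risk scope, where the wire transfer process with no documented controls rises to the top (is anything actually in place?).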


Don’t Reinvent the Wheel

Either way, use the ISP-related assessments you’re already performing regularly as a starting point for scoping your IT Audits, determine the focus of your IT Audit, and document exactly what you’d like included in your IT Audit scope. Then, find a partner that’s willing to scope their IT Audit based on your organization and your risk. If you can build your IT Audit around those two priorities, your organization and your risk, you’ll set yourself up for an IT Audit that truly provides value based on your organization’s risk.


Written by: Jeff Spann
SVP / Information Security Consultant - SBS CyberSecurity, LLC

SBS Resources:

  • {Article} How to Build a Better IT Risk Assessment: A comprehensive, measurable, and repeatable IT Risk Assessment should be used to help an organization make better decisions. Without a detailed framework, any money spent on information security is akin to throwing darts at a board.
  • {Cyber Byte Video} IT Risk Assessment: This video will cover what the goal of an IT Risk Assessment should be, how it is used to build a strong foundation for your ISP, and steps you can take to go beyond checking boxes off a list.
  • {Service} IT Audit: The ever-increasing reliance on technology and the rate at which those technologies change make the inclusion of IT Audit essential to an effective overall Information Security Program. The SBS IT Audit is risk-based and tailored to the size and complexity of each individual organization, providing a personalized experience from start to finish. 



Posted: Wednesday, March 20, 2019
Categories: Blog