Financial Statement Audits – IT Lessons Learned | Part II: Risk Management


This article is co-authored by Natasha Barnes.

Vulnerable to IT risks? Companies often wait until an attack or incident happens before making important changes to their IT environment. After months in the field during audit season, Aronson has compiled the following tips to help companies manage IT risks proactively rather than reactively.

Develop risk management policies and procedures. A risk management policy sets an organization’s risk management approach and identifies the roles responsible for carrying it out. The policy is typically supported by procedures for setting a risk appetite, identifying areas of risk, and mitigating or managing the risks identified. The procedures are vital to ensuring that the relevant risk identification methods are actually in use, so that threats are evaluated comprehensively rather than ad hoc.

Conduct periodic risk assessments. These assessments can include enterprise risk assessments with IT components, vulnerability scans, penetration tests, compliance assessments, and related evaluation tools. Organizations should determine the appropriate combination of assessment methods and frequencies for their environment; a scan and a penetration test answer different questions and are not substitutes for one another. Insufficient identification and management of risks can impair the ability of the IT environment to meet business needs. Continuous security monitoring activities can also be factored into these assessments, since they provide evidence of control operation between point-in-time reviews.

Develop a third-party management program. Engaging third-party vendors for IT products and services has become a standard way of conducting business. However, it also introduces additional risks, including the potential for business disruption or a negative impact on business performance when a provider fails to perform. During the vetting stage, reliance on and trust in a third party can be supported with System and Organization Controls (SOC) audit reports. These SOC audits are conducted to evaluate a service provider’s controls in accordance with American Institute of Certified Public Accountants (AICPA) standards; a SOC 1 report addresses controls relevant to the user entity’s financial reporting, while a SOC 2 report addresses controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy).

SOC reports should be obtained where available and reviewed to determine whether the third party has an acceptable control environment and whether any controls need to be implemented in the organization’s own environment. When reviewing a report, confirm that the report type and period match the reliance being placed on it (a Type 1 report describes controls at a point in time; a Type 2 report also tests their operating effectiveness over a period), that the services in scope are the ones the organization actually uses, and that any complementary user entity controls the report assumes are in place on the organization’s side. Because these reports are voluntary and may not be available from every provider, organizations should still determine other ways of monitoring and providing oversight, which can include periodic calls, questionnaires, or site visits to determine control effectiveness. The point is to verify that a provider can be trusted, initially and on an ongoing basis, with critical business operational activities and data.

Tip: Interested in learning more about SOC reports and how they can be valuable to your organization? Check out our SOC Compliance Guide.

Tip: Determine the minimum security requirements third parties must meet in order to support business activities. Incorporate validation of these requirements into third-party oversight and into the evaluation of service performance.

For more information and questions, please contact Payal Vadhani at

Read Part I: Strategy & IT Guidance and Part III: Access, Passwords, Configuration, and Change Management.

About Payal Vadhani

Payal Vadhani has written 4 posts in this blog.

Payal Vadhani is the partner-in-charge of Aronson LLC’s Technology Risk Services Group. She is an innovative and seasoned executive with more than fifteen years of technology risk advisory and assurance experience. Her experience includes providing internal auditing, IT risk management, information and cyber security, third-party reporting, compliance, process improvement, and additional technology risk services to clients across industries. In particular, she has extensive financial services experience. Throughout her career, she has sought to align clients’ needs and strategic objectives with an approach that balances the risks of technology against its benefits. As a trusted advisor to her clients, Payal succeeds in breaking down complex technology concepts and developing pragmatic, cost-effective solutions that minimize risk and add value. She offers significant experience building technology risk management programs and managing large advisory engagements. In her current role, she is focusing on the development of risk services related to existing and emerging technologies including cloud (private and public) computing, mobile computing, big data, social media, and the internet of things. Payal earned a Master of Business Administration degree in Information Technology from American University. She received her Bachelor of Engineering degree in Computer Science from the University of Pune, one of the premier universities in India. She holds credentials in the IT Capability Maturity Framework (IT-CMF) and as a Certified Information Systems Auditor (CISA).
