This audit report outlines findings from a high-level IT risk assessment at a company. The purpose of this assessment was to: (1) assist management in obtaining a better understanding of the technology risk impacting the organization, (2) prioritize the technology risk areas, and (3) develop a three-year IT audit plan.

In this sample, the internal audit department’s perspective was that substantial IT audit coverage is gained annually through Sarbanes-Oxley (SOX) IT general controls testing; however, some additional IT audit work should be performed annually to address other IT risks not covered (or not covered in sufficient depth) through SOX IT testing. An IT process-centric risk assessment approach was taken.