As part of our audit planning, Internal Audit performs a risk assessment analysis of all units to identify the potential areas of high risk throughout the University. We maintain separate risk assessments for operational audits and information technology audits. Both focus on the overall business risk of the units. The information technology risk factors are:
- Character of System – The criticality of the system (server/application) and the portion of the University that relies on it.
- System Complexity – The complexity rating depends on many concepts, including interrelated/interdependent activities, volume of output, complexity of automated calculations, and the impact of legal requirements.
- System Maturity – This factor indicates whether the system is in development, newly implemented, or mature.
- System Cost – This factor includes consideration, as applicable, of development and maintenance costs in terms of both financial and human resources (e.g., time and effort).
- Sensitivity – This measures the potential for public exposure of system issues and the impact to the University that would result from publication of negative information about the system.
- Fall-Back Plans – This considers the mitigating measures that have been put in place to ensure continuing operations in the case of system problems. Mitigating measures can include disaster recovery and business continuity plans, backup procedures, manual operating procedures, and old systems.
- Internal or External Audits – This factors in any audits performed by Internal Audit, external auditors, or testing contractors, such as those performing tests of firewall vulnerabilities.