Continuous Risk Assessment Process
Because of the rapid pace of change within the Information Technology (IT) world here on campus, the IT Audit Department has implemented a continuous risk assessment process that integrates information gathered over the year in a variety of ways.
The process centers around an in-house developed Access database. The database is updated regularly with information from four main sources:
- The IT General Questionnaire that is given to each area audited by either the IT or Operational Audit Departments and completed by the LAN Tech or management.
- The State Bureau of Investigation reports completed by campus departments experiencing a misuse or theft of state assets.
- The information obtained during the IT Annual Planning process.
- Information received from various campus sources during campus IT, business, or academic meetings (e.g., University IT Committee, University Business Officers).
Data from the database is regularly extracted as reports and graphs for continuous monitoring and analysis. We look particularly for potential trends and high-risk areas to watch or audit. The IT Annual Plan and the audit schedule are adjusted as necessary based on the ongoing risk assessments that the database makes possible.