IT Examiner School eBook May 2025

Internal Use Only

IT Audit Engagement Letter Continued

Internal Use Only

The IT Audit Risk Assessment

The IT Audit Risk Assessment is not the same as the IT/GLBA Risk Assessment. They serve related but different purposes.

The IT Audit Risk Assessment is designed to identify key risk areas (business units or functions) in to determine a reasonable level of engagement frequency. This assessment is entity wide.

The IT Audit Risk Assessment covers all aspects of an entities IT program (operations, wires, security, vendor management, etc.) The scope is much larger than an IT/GLBA risk assessment that covers security and private, non-public, other pieces of sensitive information.