Risk Assessment
Domain 2 — Governance and Management of IT
Definition
Risk assessment is the systematic process of identifying, analysing, and evaluating risks to an organisation's objectives. It involves determining the likelihood and impact of risk events, assessing inherent risk, evaluating the effectiveness of existing controls, and calculating residual risk. IS auditors use risk assessment to scope audit engagements, prioritise findings, and recommend risk treatment options including avoidance, mitigation, transfer, or acceptance.
Real-World Audit Scenario
During an annual audit planning exercise at a financial client, the head of IT wanted to audit every system equally — a "fair" approach. I pushed back and proposed a risk-based audit plan instead. We ranked all 47 systems by criticality (impact on financial reporting) and inherent risk (complexity, exposure, past incidents). The result: 80% of our audit hours went to the top 8 systems. The next year, we found three critical control gaps in those high-risk systems — gaps that would have been missed under a uniform audit schedule.
Common Exam Trap
ISACA's risk assessment methodology uses "inherent risk × control effectiveness = residual risk." Don't confuse this with COSO or ISO 31000 — the exam expects ISACA's risk framework, not a generic one.