Information technology audits are vital information management programs for banks and financial institutions. A plethora of laws and regulations exists, requiring financial institutions to develop an information technology audit program to support their information technology infrastructure and keep non-public customer information secure. Furthermore, banks are required to complete a risk-based audit on an annual basis to comply with regulators. This research combines two previously identified frameworks, the Comprehensive Risk-Based Auditing Framework (CRBA) and Small to Medium Entity Risk Assessment Model (SMERAM), to further develop the audit process to include the critical risk assessment process and to ensure that the audit is risk-based. Having a sound risk-based audit program will improve the overall information security posture for banks and financial institutions. Furthermore, this research utilizes an example to demonstrate the process.
Lovaas, Petter and Streff, Kevin, "A Comprehensive Information Technology Risk Assessment Audit Framework for Small- and Medium-Sized Financial Institutions" (2009). MWAIS 2009 Proceedings. 32.