My article on the role of audit and risk was published in the ISSA Journal this past October 2012. If you didn’t catch it then, you can find it here.

I began this article with a question: when did IT auditing become a profession? With that in mind, I went back to the original version of COBIT to find the answers. This led me down a familiar path: basically that I really don’t want audit doing risk. They will always feel compelled to provide a level of priority, which I would argue is always a statement of risk, but leave risk ranking to those groups that are expert at it.