How Security, Audit, and Risk should work together

My article on the role of audit and risk was published in the ISSA Journal this past October 2012. If you didn’t catch it then, you can find it here.

I began this article with a question: when did IT auditing become a profession? With that in mind, I went back to the original version of COBIT to find the answers. This led me down a familiar path: basically, I really don't want audit doing risk. Auditors will always feel compelled to assign a level of priority to their findings, which I would argue is always a statement of risk, but risk ranking should be left to the groups that are expert at it.