ABSTRACT

True risk management is an inclusive process that exists to benefit the business. Success depends on getting the entire organization to support the proposed level of acceptable risk. Internal Audit performs a valuable function and can be a powerful ally: audit can advocate to senior management when business risk is discussed. The auditor will review the relevant policies to determine the acceptable risks, and will confirm that the environment matches management's description of the systems. Many auditors will want to run a vulnerability scanner against the systems. Propose instead that the auditors observe a security analyst running the scanner and take the results directly from the analyst. Discovering security vulnerabilities on a production system is one thing; testing them is another.