IT Risk Assessment Questionnaire
As a reminder, the most basic definition of risk is “the possibility of loss or injury” or “the chance that an
investment will lose value.” Internal controls are the policies, procedures and processes put in place to address or
mitigate risks to the company. Internal controls include processes to ensure the effectiveness and efficiency of
operations, the reliability of financial information, the accuracy of accounts, and compliance with laws and
regulations.
1. So that we can follow up with you regarding risk assessment, please enter your first and last name:
(Insert Name Here)
4. From the perspective of your business unit as well as the overall company, please consider your agreement
with the following statements:
a) Strongly Agree
b) Agree
c) Not Sure/Not Applicable
d) Disagree
e) Strongly Disagree
Relevant systems and data have been inventoried and their owners have been
identified.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
We provide education and ongoing training programs that include ethical conduct,
system security practices, confidentiality standards, integrity standards and security
responsibilities of all staff.
Source: www.knowledgeleader.com
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
We have a process in place to assess compliance with our policies, procedures and
standards.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
Our risk assessment framework measures the impact of risks according to qualitative
and quantitative criteria, using inputs from different areas, including management
brainstorming, strategic planning, past audits and other assessments.
Where risks are considered acceptable, there is formal documentation and acceptance
of residual risk with related offsets, including adequate insurance coverage,
contractually negotiated liabilities and self-insurance.
Where risks have not been accepted, we have an action plan to implement risk
response.
IT initiatives are underway and the cost, business value and risks of each initiative are
documented.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
A quality plan exists for significant IT functions (e.g., system development and
deployment) and it provides a consistent approach to address both general and
project-specific quality assurance activities.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
Monitor and Evaluate Performance
We monitor our delivery of service to identify shortfalls and we respond with actionable
plans to improve.
Key IT controls have been tested to provide reasonable assurance that they are
designed and working as expected.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
The organization knows when system access is granted to appropriate and authorized
individuals.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
5. Please list any additional concerns that you have regarding information technology risks:
(Insert Concerns Here)
EXECUTIVE IT MANAGEMENT RISK ASSESSMENT
SURVEY
Please complete the following questionnaire in advance of our face-to-face meeting with you. We will discuss the
results with you and also address the questions included in the attached questionnaire. Given your position
within the company, your time and feedback are critical to our risk assessment process.
1. So that we can follow up with you regarding risk assessment, please enter your first and last name:
(Insert Name Here)
4. From the perspective of your business unit as well as the overall company, please consider your agreement
with the following statements:
a) Strongly Agree
b) Agree
c) Not Sure/Not Applicable
d) Disagree
e) Strongly Disagree
IT Strategic Planning
We have prepared strategic plans for IT that align business objectives with IT
strategies.
Our planning approach includes mechanisms to solicit input from relevant internal and
external stakeholders affected by the IT strategic plans.
We communicate our IT plans to business process owners and other relevant parties
across the organization.
We communicate our activities, challenges and risks on a regular basis with the CEO
and CFO.
We communicate our activities, challenges and risks on a regular basis with the board
of directors.
We monitor our progress against the strategic plan and react accordingly to meet
established objectives.
We identify and implement solutions to support and enable operational and competitive
advantage.
We manage IT projects as business projects with a well-defined business case and ROI.
We conduct post-implementation reviews and gather feedback from the business.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
Relevant systems and data have been inventoried and their owners identified.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
We provide education and ongoing training programs that include ethical conduct,
system security practices, confidentiality standards, integrity standards and security
responsibilities of all staff.
The organization has plans in place to address retention, training, succession planning,
and required technology and management expertise.
The organization has policies to address the appropriate management and use of
technology and they are regularly tested to ensure that they’re being followed.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
We have a process in place to assess compliance with our policies, procedures and
standards.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
Assess and Manage IT Risks
Our risk assessment framework measures the impact of risks according to qualitative
and quantitative criteria, using inputs from different areas, including management
brainstorming, strategic planning, past audits and other assessments.
Where risks are considered acceptable, there is formal documentation and acceptance
of residual risk with related offsets, including adequate insurance coverage,
contractually negotiated liabilities and self-insurance.
Where risks have not been accepted, we have an action plan to implement risk
response.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
A quality plan exists for significant IT functions (e.g., system development and
deployment) and it provides a consistent approach to address both general and
project-specific quality assurance activities.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
We monitor our delivery of service to identify shortfalls and we respond with actionable
plans to improve.
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:
5. Please list any additional concerns that you have regarding information technology risks:
(Insert Concerns Here)