
IT RISK ASSESSMENT QUESTIONNAIRE

As a reminder, the most basic definition of risk is “the possibility of loss or injury” or “the chance that an
investment will lose value.” Internal controls are the policies, procedures and processes put in place to address or
mitigate risks to the company. Internal controls include processes to ensure the effectiveness and efficiency of
operations, the reliability of financial information, the accuracy of accounts, and compliance with laws and
regulations.

1. So that we can follow up with you regarding risk assessment, please enter your first and last name:
(Insert Name Here)

2. Please provide your title:
(Insert Title Here)

3. Please provide your department affiliation:
(Insert Department Here)

4. From the perspective of your business unit as well as the overall company, please consider your agreement
with the following statements:
a) Strongly Agree
b) Agree
c) Not Sure/Not Applicable
d) Disagree
e) Strongly Disagree

IT Processes, Organization and Relationships Response

We have adequate knowledge and experience to fulfill our responsibilities.

Relevant systems and data have been inventoried and their owners have been
identified.

Our roles and responsibilities are defined, documented and understood.

We understand and accept our responsibility regarding internal control.

Data integrity ownership and responsibilities have been communicated to appropriate
data/business owners and they/we have accepted these responsibilities.

We have implemented a division of roles and responsibilities (segregation of duties)
that reasonably prevents a single individual from subverting a critical process.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Educate and Train Users Response

We provide education and ongoing training programs that include ethical conduct,
system security practices, confidentiality standards, integrity standards and security
responsibilities of all staff.

1 Source: www.knowledgeleader.com
If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Communicate Management Aims and Directions Response

We periodically review our policies, procedures and standards to reflect changing
business conditions.

We have a process in place to assess compliance with our policies, procedures and
standards.

We understand our roles and responsibilities related to the Sarbanes-Oxley Act.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Assess and Manage IT Risks Response

We have an entity- and activity-level risk assessment framework that is used
periodically to assess information risk to achieving financial reporting objectives.

Our risk assessment framework measures the impact of risks according to qualitative
and quantitative criteria, using inputs from different areas, including management
brainstorming, strategic planning, past audits and other assessments.

Where risks are considered acceptable, there is formal documentation and acceptance
of residual risk with related offsets, including adequate insurance coverage,
contractually negotiated liabilities and self-insurance.

Where risks have not been accepted, we have an action plan to implement risk
response.

IT initiatives are underway and the cost, business value and risks of each initiative are
documented.

In the event of a disaster or pandemic, the organization is prepared to provide access
to key systems and information.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Manage Quality Response

Documentation is created and maintained for significant IT processes, controls and
activities.

A quality plan exists for significant IT functions (e.g., system development and
deployment) and it provides a consistent approach to address both general and
project-specific quality assurance activities.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Monitor and Evaluate Performance Response

We have established appropriate metrics to effectively manage the day-to-day
activities of our department.


We monitor our delivery of service to identify shortfalls and we respond with actionable
plans to improve.

Key IT controls have been tested to provide reasonable assurance that they are
designed and working as expected.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Monitor and Evaluate Internal Control Response

We obtain independent reviews of our operations, including policies, procedures,
overall IT systems and processes; we also assess adherence to those policies and
procedures.

There is a follow-up process for residual actions.

There is a mechanism to allow monitoring of internal control of third-party service
providers.

The organization knows when system access is granted to appropriate and authorized
individuals.

An information security policy has been developed and implemented and an
independent security role/function has been established.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

5. Please list any additional concerns that you have regarding information technology risks:
(Insert Concerns Here)

EXECUTIVE IT MANAGEMENT RISK ASSESSMENT SURVEY

Please complete the following questionnaire in advance of our face-to-face meeting with you. We will discuss the
results with you along with addressing the questions included in the attached questionnaire. Given your position
within the company, your time and feedback is critical to our risk assessment process.

1. So that we can follow up with you regarding risk assessment, please enter your first and last name:
(Insert Name Here)

2. Please provide your title:
(Insert Title Here)

3. Please provide your department affiliation:
(Insert Department Here)

4. From the perspective of your business unit as well as the overall company, please consider your agreement
with the following statements:
a) Strongly Agree
b) Agree
c) Not Sure/Not Applicable
d) Disagree
e) Strongly Disagree

IT Strategic Planning Response

We have prepared strategic plans for IT that align business objectives with IT
strategies.

Our planning approach includes mechanisms to solicit input from relevant internal and
external stakeholders affected by the IT strategic plans.

We communicate our IT plans to business process owners and other relevant parties
across the organization.

We communicate our activities, challenges and risks on a regular basis with the CEO
and CFO.

We communicate our activities, challenges and risks on a regular basis with the board
of directors.

We monitor our progress against the strategic plan and react accordingly to meet
established objectives.

The organization regularly identifies and addresses legislative and regulatory
requirements for protecting personal information. A person is assigned the
responsibility to identify privacy policy, privacy legislation and compliance.

We identify and implement solutions to support and enable operational and competitive
advantage.

We manage IT projects as business projects with a well-defined business case and ROI.
We conduct post-implementation reviews and gather feedback from the business.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

IT Processes, Organization and Relationships Response

We have adequate knowledge and experience to fulfill our responsibilities.

Relevant systems and data have been inventoried and their owners identified.

Our roles and responsibilities are defined, documented and understood.

We understand and accept our responsibility regarding internal control.

Data integrity ownership and responsibilities have been communicated to appropriate
data/business owners and they/we have accepted these responsibilities.

We have implemented a division of roles and responsibilities (segregation of duties)
that reasonably prevents a single individual from subverting a critical process.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Educate and Train Users Response

We provide education and ongoing training programs that include ethical conduct,
system security practices, confidentiality standards, integrity standards and security
responsibilities of all staff.

The organization has plans in place to address retention, training, succession planning,
and required technology and management expertise.

The organization has policies to address the appropriate management and use of
technology and they are regularly tested to ensure that they’re being followed.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Communicate Management Aims and Directions Response

We periodically review our policies, procedures and standards to reflect changing
business conditions.

We have a process in place to assess compliance with our policies, procedures and
standards.

We understand our roles and responsibilities related to the Sarbanes-Oxley Act.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Assess and Manage IT Risks Response

We have an entity- and activity-level risk assessment framework that is used
periodically to assess information risk to achieving financial reporting objectives.

Our risk assessment framework measures the impact of risks according to qualitative
and quantitative criteria, using inputs from different areas, including management
brainstorming, strategic planning, past audits and other assessments.

Where risks are considered acceptable, there is formal documentation and acceptance
of residual risk with related offsets, including adequate insurance coverage,
contractually negotiated liabilities and self-insurance.

Where risks have not been accepted, we have an action plan to implement risk
response.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Manage Quality Response

Documentation is created and maintained for significant IT processes, controls and
activities.

A quality plan exists for significant IT functions (e.g., system development and
deployment) and it provides a consistent approach to address both general and
project-specific quality assurance activities.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Monitor and Evaluate Performance Response

We have established appropriate metrics to effectively manage the day-to-day
activities of our department.

We monitor our delivery of service to identify shortfalls and we respond with actionable
plans to improve.

The organization measures, monitors and benchmarks IT performance and this
performance is regularly reviewed.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

Monitor and Evaluate Internal Control Response

We obtain independent reviews of our operations, including policies, procedures,
overall IT systems, and processes, and we assess adherence to those policies and
procedures.

There is a follow-up process for residual actions.

There is a mechanism to allow monitoring of internal control of third-party service
providers.

If you entered Disagree or Strongly Disagree to any of the responses above, please provide additional comments:

5. Please list any additional concerns that you have regarding information technology risks:
(Insert Concerns Here)