Risk Management in Software Development Projects

The interview process and the earlier work done to understand the business identified the major risks. We looked for clues in this summarization that would point to observable or measurable factors to serve as substitutes for the risk itself. We chose seven risk factors, and then we validated them with a number of people in the organization, including the internal audit director. The factors chosen were:
Impact size
Rate of change
Business impact
Complexity
Recoverability
Value
Management team focus.
Using the seven risk factors, we set up two scoring teams for the IS audit universe: the risk model project team and a knowledgeable management team. Both teams independently scored each of the audit universe topics on a scale of 1 (low) to 5 (high). The risk model was an equal-weight model, meaning that every factor counted the same in the scoring. Another approach would have been to give certain factors more influence by assigning them a larger weight, but the risk model already in use was also equal weight, and we kept the same method so that our results could be integrated with the existing risk methodology.
We used a simple spreadsheet to capture the audit universe and the seven factor scores for each topic. It was easy then to sort the scores from highest to lowest. The existing risk model for non-IS audits used a cut-off score of 4.25 to mean high risk, and we stayed within that parameter for consistency...
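The scoring method described above, written out as a small Python program so the arithmetic and the sorting can be checked. This is an added example, not the book's spreadsheet or the organization's model: the three audit-universe topics and their scores are constructed for illustration, the factor names are the seven from the list above, the 4.25 cut-off is the one stated in the text, and the two-point "disagreement" check between the teams is an assumption of the example, not something the text describes. The optional `weights` argument shows the weighted variant the text mentions but did not adopt.

```python
"""Equal-weight IS audit risk scoring, as described in the text.

Two teams independently rate every audit-universe topic on each factor
from 1 (low) to 5 (high); the factor scores are averaged with equal
weight, the topics are sorted highest first, and anything at or above
the cut-off inherited from the existing non-IS model (4.25) is high risk.
"""
from statistics import mean

# The seven risk factors listed in the text.
FACTORS = (
    "impact_size", "rate_of_change", "business_impact", "complexity",
    "recoverability", "value", "management_team_focus",
)
HIGH_RISK_CUTOFF = 4.25   # cut-off taken from the existing non-IS risk model
DISAGREEMENT_GAP = 2      # assumption of this example: teams two points apart get a second look


def validate(scores):
    """Reject a score sheet that is missing a factor or uses a value outside 1..5."""
    if set(scores) != set(FACTORS):
        raise ValueError(f"expected exactly the factors {FACTORS}, got {sorted(scores)}")
    for factor, value in scores.items():
        if not (isinstance(value, int) and 1 <= value <= 5):
            raise ValueError(f"{factor}: score {value!r} is not an integer in 1..5")


def combine_teams(team_a, team_b):
    """Average the two teams' independent factor scores for one topic."""
    validate(team_a)
    validate(team_b)
    return {f: (team_a[f] + team_b[f]) / 2 for f in FACTORS}


def disagreements(team_a, team_b, gap=DISAGREEMENT_GAP):
    """Factors on which the two teams differ by at least `gap` points (example assumption)."""
    return sorted(f for f in FACTORS if abs(team_a[f] - team_b[f]) >= gap)


def risk_score(scores, weights=None):
    """Equal-weight score is the plain mean of the seven factors.

    Passing a weights dict (factor -> weight, default 1) gives the weighted
    variant the text mentions but did not use.
    """
    if weights is None:
        return mean(scores[f] for f in FACTORS)
    total_weight = sum(weights.get(f, 1) for f in FACTORS)
    return sum(weights.get(f, 1) * scores[f] for f in FACTORS) / total_weight


def rank_universe(project_team, management_team, cutoff=HIGH_RISK_CUTOFF, weights=None):
    """Score every topic from both teams' sheets.

    Returns (topic, score, high_risk, disagreeing_factors) tuples sorted
    highest score first, mirroring the sorted spreadsheet in the text.
    """
    if set(project_team) != set(management_team):
        raise ValueError("both teams must score the same audit universe")
    rows = []
    for topic in project_team:
        combined = combine_teams(project_team[topic], management_team[topic])
        score = risk_score(combined, weights)
        rows.append((topic, score, score >= cutoff,
                     disagreements(project_team[topic], management_team[topic])))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def _sheet(*values):
    """Build a score sheet from seven values given in FACTORS order."""
    return dict(zip(FACTORS, values))


# Constructed sample scores (not from the book): three audit-universe topics.
PROJECT_TEAM = {
    "Payroll system":      _sheet(5, 4, 5, 4, 4, 5, 4),
    "Network perimeter":   _sheet(4, 4, 5, 5, 3, 4, 5),
    "Help desk ticketing": _sheet(2, 3, 1, 2, 2, 2, 3),
}
MANAGEMENT_TEAM = {
    "Payroll system":      _sheet(5, 5, 5, 4, 3, 5, 5),
    "Network perimeter":   _sheet(5, 3, 5, 3, 4, 4, 3),
    "Help desk ticketing": _sheet(2, 2, 2, 2, 2, 1, 2),
}

if __name__ == "__main__":
    for topic, score, high, gaps in rank_universe(PROJECT_TEAM, MANAGEMENT_TEAM):
        flag = "HIGH" if high else "    "
        note = f"  review: teams differ on {', '.join(gaps)}" if gaps else ""
        print(f"{score:4.2f} {flag} {topic}{note}")
```

With the constructed scores, the payroll system averages 4.50 and is the only high-risk topic; the network perimeter lands at 4.07, just under the cut-off, and the two teams are two points apart on its complexity and management focus, which is exactly the kind of topic worth discussing before the ranking is finalized.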