top of page
FOR LOCAL GOVERNMENT INTERNAL AUDIT
A multi-year IT audit plan that holds up.
Building a defensible IT audit plan requires technical expertise most internal audit teams don't have in-house. SCGRC closes that gap. The web-based tool walks your team through a structured risk assessment, scores each technology across your selected risk categories, and produces a three-year audit sequence your committee can review and your team can execute.
10
RISK CATEGORIES SELECTED AND SCORED
3
YEAR AUDIT SEQUENCE
WHY SECURANCE
The three pillars of a defensible audit plan.
Most multi-year IT audit plans don't hold up under audit-committee scrutiny because they're built on convention, not evidence. Here's how we build them differently.

01 METHODOLOGY
Risk-aligned, multi-category scoring
Every plan starts with a risk assessment scored across dimensions like Corporate Reliance, Customer Impact, Financial Exposure, and Security Threat. Clients select from a full list or define their own — so the scoring reflects your environment, not a default configuration.

02 OUTPUT
Audit-committee ready
Each technology in scope receives a composite risk ranking — High, Medium, or Low — that determines its place in the three-year audit sequence. The result is a plan the committee can read in minutes: plain English, no IT jargon, sequenced by risk.

03 DELIVERY
Senior-led. Start to finish.
The risk assessment isn't a form you fill out. Senior consultants conduct the stakeholder interviews, make the scoring judgments, and build the audit plan. No bait-and-switch staffing. The person scoping your work is the person doing your work.
.png)
THE RISK CATEGORIES
Composite scores beat single-axis scores. Every time.
Every plan starts with a risk assessment scored across dimensions like Corporate Reliance, Customer Impact, Financial Exposure, and Security Threat. Clients select from a full list or define their own, so the scoring reflects your environment, not a default configuration.
Example categories — yours may differ:
1
Corporate Reliance
3
External Customer Impact
5
Future Life
7
Level of Admin Tasks
9
Prior Audit History
2
Internal Customer Impact
4
Financial Exposure
6
Security Threat
8
Commercial vs. Internal
10
Recent Major Change
THE DELIVERABLE
Here’s what a risk-driven audit plan looks like.
The following components make up a standard SCGRC audit plan, built from your environment, scored on your categories, sequenced across your audit cycle.
Multi-category risk methodology
The full framework, with definitions for each category and how they're scored.
39 auditable technologies, independently scored
Enterprise applications, infrastructure, and IT processes — each scored on likelihood and impact.
3-year audit sequence
Year 1 through Year 3 audits prioritized by composite risk score. Defensible. Auditable.
Audit-committee one-pager
The single-page view your committee chair will actually use.
3-YEAR IT AUDIT PLAN — YEAR 1
Top-risk technologies & processes
Scored across 10 categories. High Risk = composite ≥ 35.
Motorola PremierOne
44
HIGH
Firewall / Router / Switch
41
HIGH
ISE, SolarWinds, Panorama
41
HIGH
Financial ERP
37
HIGH
Vendor Management
35
HIGH
Active Directory / Entra ID
35
HIGH
Customer Connect 6
34
MED
User Provisioning
34
MED
Page 12 of 17 — Redacted sample plan
securanceconsulting.com
Items considered and excluded
The credibility multiplier most plans skip. The sample includes a full exclusion log explaining what we evaluated and why it didn't make the cut. Audit committees ask. Now you'll have an answer.
Securance has performed IT audits for Louisville Metro Government for over ten years. We have always been very pleased with the work product and the cost value that Securance offers.”
Louisville Metro Government Office of Internal Audit
We will assess your current plan and outline what a risk-ranked alternative would look like for your environment.
bottom of page
.png)