top of page

FOR LOCAL GOVERNMENT INTERNAL AUDIT

A multi-year IT audit plan that holds up.

Building a defensible IT audit plan requires technical expertise most internal audit teams don't have in-house. SCGRC closes that gap. The web-based tool walks your team through a structured risk assessment, scores each technology across your selected risk categories, and produces a three-year audit sequence your committee can review and your team can execute.

10

RISK CATEGORIES SELECTED AND SCORED

3

YEAR AUDIT SEQUENCE

FREE DOWNLOAD

Get the redacted sample plan

Real U.S. city engagement. Full methodology, 39 technologies scored, 3-year sequence, audit-committee one-pager. No call required.

Your information is never shared or sold.

WHY SECURANCE

The three pillars of a defensible audit plan.

Most multi-year IT audit plans don't hold up under audit-committee scrutiny because they're built on convention, not evidence. Here's how we build them differently.

photo-1551288049-bebda4e38f71_edited.jpg

01   METHODOLOGY

Risk-aligned, multi-category scoring

Every plan starts with a risk assessment scored across dimensions like Corporate Reliance, Customer Impact, Financial Exposure, and Security Threat. Clients select from a full list or define their own — so the scoring reflects your environment, not a default configuration.

photo-1505373877841-8d25f7d46678.avif

02   OUTPUT

Audit-committee ready

Each technology in scope receives a composite risk ranking — High, Medium, or Low — that determines its place in the three-year audit sequence. The result is a plan the committee can read in minutes: plain English, no IT jargon, sequenced by risk.

photo-1521737604893-d14cc237f11d_edited.

03   DELIVERY

Senior-led. Start to finish.

The risk assessment isn't a form you fill out. Senior consultants conduct the stakeholder interviews, make the scoring judgments, and build the audit plan. No bait-and-switch staffing. The person scoping your work is the person doing your work.

Untitled design (4).png

THE RISK CATEGORIES

Composite scores beat single-axis scores. Every time.

Every plan starts with a risk assessment scored across dimensions like Corporate Reliance, Customer Impact, Financial Exposure, and Security Threat. Clients select from a full list or define their own, so the scoring reflects your environment, not a default configuration.

Example categories — yours may differ:

1

Corporate Reliance

3

External Customer Impact

5

Future Life

7

Level of Admin Tasks

9

Prior Audit History

2

Internal Customer Impact

4

Financial Exposure

6

Security Threat

8

Commercial vs. Internal

10

Recent Major Change

THE DELIVERABLE

Here’s what a risk-driven audit plan looks like.

The following components make up a standard SCGRC audit plan, built from your environment, scored on your categories, sequenced across your audit cycle.

Multi-category risk methodology

The full framework, with definitions for each category and how they're scored.

39 auditable technologies, independently scored

Enterprise applications, infrastructure, and IT processes — each scored on likelihood and impact.

3-year audit sequence

Year 1 through Year 3 audits prioritized by composite risk score. Defensible. Auditable.

Audit-committee one-pager

The single-page view your committee chair will actually use.

3-YEAR IT AUDIT PLAN — YEAR 1

Top-risk technologies & processes

Scored across 10 categories. High Risk = composite ≥ 35.

Motorola PremierOne

44

HIGH

Firewall / Router / Switch

41

HIGH

ISE, SolarWinds, Panorama

41

HIGH

Financial ERP

37

HIGH

Vendor Management

35

HIGH

Active Directory / Entra ID

35

HIGH

Customer Connect 6

34

MED

User Provisioning

34

MED

Page 12 of 17 — Redacted sample plan

securanceconsulting.com

Items considered and excluded

The credibility multiplier most plans skip. The sample includes a full exclusion log explaining what we evaluated and why it didn't make the cut. Audit committees ask. Now you'll have an answer.

Securance has performed IT audits for Louisville Metro Government for over ten years. We have always been very pleased with the work product and the cost value that Securance offers.”

Louisville Metro Government Office of Internal Audit

FY27 planning windows open in September. Most engagements are scoped in July and August.

If you don't have a plan in place, this is the quarter to build one. Download the redacted sample plan or book a 30-minute scoping call with Paul Ashe.

We will assess your current plan and outline what a risk-ranked alternative would look like for your environment.

bottom of page