Risk Management Audit. Many companies manage all kinds of data: client-related, internal, government, or employee-related. Much of the data you manage can be sensitive, classified, or subject to non-disclosure. You are responsible for managing that data. If your employees or your vendors mismanage the information, you will be put in a difficult situation.
You manage email lists, and all companies are regulated in how they can use those lists. If your junior marketing assistant starts sending emails with the new email software, you violate the spam act. You have contracts and agreements that fall under non-disclosure agreements. An employee can easily breach them by sending one to the wrong email address. You have salary, commission, and healthcare information, and agreements with employees. There are many ways people can breach this confidentiality, intentionally or unintentionally, and cause legal issues for the company. Pricing sheets, client lists, internal calculations, vendor information and business processes are all critical documents that need to be protected to keep your competitive edge.
If we are able to identify sensitive or classified information, we are able to create a strategy to protect it efficiently. If not, either we have to protect everything (which is ineffective), or we leave holes in our system and take on a huge business risk.
After creating the strategy, we can break it down into smaller projects: protecting emails, protecting file systems, creating access control, and so on.
The Risk Management Audit solves this problem. The goal is to make sure you and your company understand the basic IT-related risks and share common ground on what data is sensitive, what you need to protect better, and what needs to have regulated access.