Abstract
Operational risk, in the post–Basel II sense, is the newest area of risk in financial institutions, following on credit and market risk. As such, it is also relatively new to many auditors. The information technology (IT)–related aspects of operational risk have also been challenging to auditors. This is partly because of the complexity of financial institutions' products and processes, and partly because the interaction of business processes with their IT dependencies requires general and IT auditors to work together. This article looks at the business and regulatory environment surrounding operational risk, raises key questions around evaluating and auditing operational risk, especially its IT and outsourcing aspects, and then looks at what is on the horizon in financing operational risk. At each step, it notes considerations for auditors to mature their work.