A compliance officer in Europe could use some advice from fellow IT professionals and executives. His IT budget is being scrutinized, as is the case in every organization in 2009; he needs targets to get things done more efficiently but without taking on more risk.
His department is evaluating the benchmarking of IT application controls as a way of testing strategy.
He would like to know what you think is the best way to implement a risk assessment in an IT department that will align COBIT controls with risks.
What are your recommendations?