IT Risk and Control Fundamentals
Learn the essentials of IT risk management, controls, and governance frameworks in this introductory course designed for professionals seeking to understand today’s digital risks and compliance requirements.
Course Description
Course 1 of 9 in our IT Auditing Learning Path! This course provides a practical introduction to the fundamentals of IT risk and control. Whether you are new to IT audit, exploring a career in cyber risk, or simply want to strengthen your understanding of how technology risks impact organizations, this program equips you with the knowledge to navigate today’s complex digital landscape.
Through real-world examples and case studies, you’ll gain insights into how risks emerge, why controls succeed or fail, and how organizations use governance frameworks and regulatory requirements to build strong security and compliance programs. The course is designed to be accessible for beginners while still offering valuable perspectives for professionals in accounting, audit, compliance, and technology roles.
By the end, you’ll walk away with a solid foundation to evaluate risks with confidence, engage in IT and cybersecurity discussions, and better understand how technology fits into the broader control environment.
This course covers topics that align with concepts addressed in Domain 1 of the Certified Information Systems Auditor (CISA®) exam framework. It is not affiliated with, endorsed by, or sponsored by ISACA®, nor does it guarantee exam preparation or certification outcomes.
In this course, you'll learn...
Course Objectives
To identify and differentiate between risks, threats, and vulnerabilities in an IT environment.
To explain the core principles of IT controls, including the “CIA” triad and control types.
To recognize the role and importance of governance frameworks in IT risk management.
To distinguish among major frameworks and regulations that guide IT control implementation.
To apply learned concepts to evaluate control effectiveness and map controls to frameworks.
How you'll apply these skills...
Differentiate Risks, Threats & Vulnerabilities: Recognize how each contributes to IT risk and use this understanding to assess real-world scenarios
Apply Risk Responses: Decide when to avoid, accept, transfer, or mitigate risks based on cost-benefit analysis and business context
Implement Layered Controls: Combine preventative, detective, and corrective controls to strengthen defense in depth strategies
Leverage Governance Frameworks: Use standards like ISO 27001, PCI DSS, and SOC reports as guides to align IT controls with business needs
Navigate Regulatory Requirements: Understand how laws such as SOX, HIPAA, and GDPR impact IT control environments and compliance programs
Analyze Case Studies: Apply lessons from real-world breaches and compliance challenges to identify gaps and recommend improvements
Communicate Risk Insights: Explain IT and cybersecurity risks clearly to management, auditors, and non-technical stakeholders
Course Instructor
Michael Carroll, CPA, CISA, CISM
Michael is an accounting and information security professional. He is also an Adjunct Professor at several higher education institutions, where he is responsible for teaching various accounting and information technology courses.
Michael earned his MBA in Accounting and B.S. in Accounting / Accounting Information Systems from Canisius University. Additionally, Michael is a Certified Public Accountant (CPA) and a Certified Information Systems Security Professional (CISSP). Michael is a current member of the NYCPA’s Education Committee and has been an Advisory Board Member for the Academy of Finance (AOF) since 2020.
Michael enjoys traveling, hiking, and watching the Buffalo Bills. He has also participated in several marathon events.
Additional Info
Format
5-20 min. videos, 2 quizzes, and a final assessment
Field of study
Information Technology
CPE Credits
3.0
Prerequisites
None