Home / Resources / News and Trends / ISACA Now Blog / 2025 / When Harry Met SALY

When Harry Met SALY: A Love-Hate Story in Audit Risk Assessment

Chidambaram Narayanan
Author: Chidambaram Karthik Narayanan, CISA, Chartered Accountant, Azure Cybersecurity Architect Expert (SC-100)
Date Published: 3 March 2025
Read Time: 2 minutes

Some of the more seasoned auditors reading this – or at least those who enjoy classic rom-com films – will remember the popular movie from a few decades back, “When Harry Met Sally …”.

Audit risk assessment is like the Harry of the audit world—dependable, insightful, and always ready to help you achieve efficiency, effectiveness and profit. But then there’s SALY (Same As Last Year)—comfortably predictable, yet dangerously stagnant.

This is the story of how auditors often fall for SALY, only to realize Harry (audit risk assessment) was the friend they needed all along.

Why Do Auditors Stick with SALY?

Many auditors choose SALY over Harry for two reasons:

  1. We Don’t Understand Risk Assessment: It’s misunderstood as a complex, burdensome process.
  2. We’re Creatures of Habit: SALY feels safe, requiring minimal effort and thought.

But here’s the twist: SALY isn’t always the loyal companion you think it is.

When SALY Leads You Astray

Relying on SALY is like recycling last year’s New Year’s resolutions without considering what’s changed. If last year’s approach was flawed or the organization has evolved, SALY’s advice becomes irrelevant—or even harmful.

Imagine auditing a tech startup in 2024 using SALY from 2023, not considering the meteoric rise of AI or regulatory shifts. You’d have missed critical risks and opportunities.

How Harry Saves the Day

Harry—aka audit risk assessment—might not be flashy, but he’s the real deal. He guides you to:

  • Focus on areas that matter most
  • Adapt to new risks and opportunities
  • Avoid wasting resources on irrelevant issues

Risk assessment is the doorway to maximum impact with minimal effort. It tells you not just what to do, but also what to skip.

Breaking Up with SALY

Here’s how to escape SALY’s clutches:

  1. Get Educated: Understand that risk assessment isn’t just a compliance checkbox; it’s your strategic advantage.
  2. Challenge Comfort Zones: Encourage your team to leave the safety net of SALY and embrace change.
  3. Lead by Example: Audit leaders must champion risk assessment as the foundation of an impactful audit.

A Call to Audit Leaders

So, when it comes to audits, are you team Harry or team SALY? Choose wisely—your efficiency, effectiveness and impact depend on it.

Are your audit teams stuck in a toxic relationship with SALY? If yes, it’s time to play matchmaker and introduce them to Harry. Harry might not be as predictable, but he’s exactly what they need to thrive in today’s dynamic environment.

Choose, and choose wisely, dear fellow auditors!

Additional resources

Artificial Intelligence Audit Toolkit
Audit Program

Artificial Intelligence Audit Toolkit | Digital | English

As the use of AI increases and becomes more integral in enterprise product and service delivery, it will come under more audit scrutiny.

Chidambaram Narayanan
Blog Post

The Numbers Whisper, But Stories Captivate: Rethinking Audit Communication

Auditors need to go beyond the cold, hard facts and incorporate time-tested storytelling methods to make their reports resonate more deeply with stakeholders.

11 June 2024
Patrick Trierweiler, A-LIGN Senior Consultant
Blog Post

Five Ways Audit Professionals Can Start the New Year Strong

A fresh start for IT auditors in 2025 is possible, but closing out lingering loose ends from last year likely requires attention before embracing the clean slate.

6 January 2025
Magnifying glass
Webpage

A Risk-Based Approach to IT Audit

Get expert guidance, research policies and procedures to stay ahead of the curve in your IT audit career.

ISACA Now By Year

Check Mark
2025
Check Mark
2024
Check Mark
2023
Check Mark
2022
Check Mark
2021