IT audits provide assurance that IT controls are protecting the organization from costly threats.
How much is an organization's information worth? That is, what would be the cost — either quantitatively or qualitatively — if its sensitive or valuable information was compromised? For example, it would be costly if customers' personally identifiable information was leaked to the dark web, critical systems suffered denial of service attacks, or the organization was the target of a ransomware incident such as the recent SolarWinds attack.