4 key steps for auditors in assessing technology risks