Identifying and managing IT risks has become ever more important, and this has led to an increased interest in IT auditing. The idea behind IT auditing is that employees who have a position that is independent from management perform assessments of how IT risks are managed within the organization. The argument is that IT audits can help avoid surprises by properly assessing IT risks so that appropriate action can be taken to minimize either the chance that a risk will materialize or the impact of a risk that does materialize. Although one could argue that a good IT manager can perform the same risk assessment function as an IT auditor, the movement toward IT auditing is based on the premise that IT auditors will improve an organization’s capacity to identify and manage IT risks especially because they are in a position to act as independent observers.1 Whether or not this premise is true, the effectiveness of IT auditors hinges to a large degree on whether they differ from IT managers in terms of risk perceptions. Here, we suggest that the risk perceptions of IT auditors (who are in the position to observe) may differ from the risk perceptions of IT managers (who are in the position to act). Several years ago, Liu et al. [1] pointed to the need for research on the risk perceptions of IT auditors, but to date there has been no research comparing the risk perceptions of IT auditors with those of IT managers. As many documented IT disasters have exhibited a pattern in which key IT professionals in the organization failed to assess and report IT risks properly because of biases in their observations [2–۵], understanding whether IT auditors differ from IT managers in their perceptions of risk has important implications for both theory and practice. In this study, we draw upon the actor–observer perspective to examine differences in IT managers’ vs. IT auditors’ perceptions of IT risks. To test our ideas, we conducted a quasi-experiment in which we compared risk assessments of 44 IT managers and 32 IT auditors who worked for the same financial institution. The remainder of our paper is organized as follows: first, we offer an overview of the literature and the theoretical perspective that we draw upon. Then, we introduce our research model and hypotheses. Next, we discuss the method used to test our research model and the results that were obtained. We conclude with a discussion of the implications of our study for both research and practice.