CISA aspirants should understand the following important terms before reading about the different aspects of audit planning:
- Audit universe: An inventory of all the functions/processes/units under the organization.
- Qualitative risk assessment: In a qualitative risk assessment, risk is assessed using qualitative parameters such as high, medium, and low.
- Quantitative risk assessment: In a quantitative risk assessment, risk is assessed using numerical parameters and is quantified.
- Risk factors: Factors that have an impact on risk. The presence of those factors increases the risk, whereas the absence of those factors decreases the risk.
All of the preceding elements are important prerequisites for the design of a structured audit plan. Next, let's discuss the benefits of a structured and well-designed audit plan.
Benefits of audit planning
Audit planning is the initial stage of the audit process. It establishes the overall audit strategy and the approach for completing the audit, and it makes the audit process more structured and objective-oriented.
An audit plan helps to identify and determine the following aspects:
- The objectives of the audit
- The scope of the audit
- The periodicity of the audit
- The members of the audit team
- The method of audit
The following are some of the benefits of audit planning:
- It helps the auditor to focus on high-risk areas
- It helps in the identification of resource requirements to conduct the audit
- It helps to estimate the budget for the audit
- It helps to carry out audit work in a defined structure, which ultimately benefits the auditor as well as the auditee units
Selection criteria
An IS auditor should have a sufficient understanding of the criteria used to select processes for audit.
A prerequisite for audit planning is an audit universe. All of the significant business processes of the enterprise should be included in it.
Each business process may then undergo a qualitative or quantitative risk assessment, in which its risk is evaluated with respect to the relevant risk factors. The resulting risk level drives the frequency of audit. After the risk has been evaluated for each relevant factor, criteria (for example, weights and thresholds) may be defined to derive an overall risk rating for each process. The audit plan can then be designed so that all high-risk areas are covered.
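As an added illustration of the scoring approach described above (this code is not from the book), the following Python script rates each unit of a constructed audit universe against a set of weighted risk factors, maps qualitative ratings (high/medium/low) and numeric ratings onto one scale, derives a risk tier, and attaches an audit frequency to each tier. The factor names, weights, tier thresholds and frequencies are assumptions chosen for illustration, and the sample audit universe is constructed:

```python
"""Risk-based scoring of an audit universe (added example, not from the book).

The factor names, weights, tier thresholds and audit frequencies below are
assumptions chosen for illustration; the audit universe is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Assumed risk factors and their weights (they sum to 1.0).
RISK_FACTORS: Dict[str, float] = {
    "regulatory_impact": 0.30,
    "financial_exposure": 0.25,
    "system_complexity": 0.15,
    "change_volume": 0.15,
    "prior_audit_findings": 0.15,
}

# Qualitative ratings are mapped onto the same 1..3 scale that numeric
# (quantitative) ratings use, so both assessment styles feed one score.
QUALITATIVE_SCALE: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}

# Assumed tier thresholds on the weighted score (which ranges 1.0..3.0)
# and the audit frequency, in months, attached to each tier.
TIER_THRESHOLDS: List[Tuple[float, str]] = [(2.5, "high"), (1.75, "medium")]
AUDIT_FREQUENCY_MONTHS: Dict[str, int] = {"high": 12, "medium": 24, "low": 36}

Rating = Union[str, int, float]


@dataclass
class AuditableUnit:
    """One entry of the audit universe with a rating for each risk factor."""
    name: str
    ratings: Dict[str, Rating]


def quantify(rating: Rating) -> float:
    """Convert a qualitative or numeric rating into a value on the 1..3 scale."""
    if isinstance(rating, str):
        try:
            return float(QUALITATIVE_SCALE[rating.lower()])
        except KeyError:
            raise ValueError(f"unknown qualitative rating: {rating!r}")
    value = float(rating)
    if not 1.0 <= value <= 3.0:
        raise ValueError(f"numeric rating out of range 1..3: {rating!r}")
    return value


def risk_score(unit: AuditableUnit) -> float:
    """Weighted score over all risk factors; an unrated factor is an error."""
    missing = set(RISK_FACTORS) - set(unit.ratings)
    if missing:
        raise ValueError(f"{unit.name}: unrated risk factors {sorted(missing)}")
    total = sum(w * quantify(unit.ratings[f]) for f, w in RISK_FACTORS.items())
    return round(total, 4)


def risk_tier(score: float) -> str:
    """Map a weighted score onto a tier using the assumed thresholds."""
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "low"


def build_audit_plan(universe: List[AuditableUnit]) -> List[Tuple[str, float, str, int]]:
    """Rank the universe by score; returns (name, score, tier, frequency_months)."""
    rows = []
    for unit in universe:
        score = risk_score(unit)
        tier = risk_tier(score)
        rows.append((unit.name, score, tier, AUDIT_FREQUENCY_MONTHS[tier]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed audit universe used for the demonstration (not real data).
SAMPLE_UNIVERSE = [
    AuditableUnit("Payroll processing", {
        "regulatory_impact": "high", "financial_exposure": "high",
        "system_complexity": "medium", "change_volume": "medium",
        "prior_audit_findings": "high"}),
    AuditableUnit("Customer CRM", {
        "regulatory_impact": "medium", "financial_exposure": "medium",
        "system_complexity": "high", "change_volume": "high",
        "prior_audit_findings": "low"}),
    AuditableUnit("Intranet wiki", {          # mixes a numeric rating in
        "regulatory_impact": "low", "financial_exposure": "low",
        "system_complexity": 1, "change_volume": "medium",
        "prior_audit_findings": "low"}),
]

if __name__ == "__main__":
    for name, score, tier, months in build_audit_plan(SAMPLE_UNIVERSE):
        print(f"{name:<20} score={score:.2f} tier={tier:<6} audit every {months} months")
```

The weights and thresholds are where the "criteria" of the text live; in practice they are set and approved together with the plan, and the script rejects any unit that lacks a rating for a factor rather than silently scoring it low.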
Reviewing audit planning
The audit plan should be reviewed and approved by top management. Generally, approval is obtained from the audit committee of the board.
The audit plan should be flexible enough to accommodate changes in the risk environment (for example, new regulatory requirements, changes in market conditions, and other risk factors).
The approved audit plan should be communicated promptly to the following groups:
- Senior management
- Business functions and other stakeholders
- The internal audit team
Individual audit assignments
Once the overall annual plan is in place, the next step is to plan the individual audit assignments. The IS auditor must understand the overall environment under review. While planning an individual audit assignment, an IS auditor should consider the following:
- Prior audit reports
- Risk assessment reports
- Regulatory requirements
- Standard operating processes
- Technological requirements
Like every other process, the audit process has inputs and outputs. The following diagram shows the input and output elements of the audit process:
For effective audit planning, it is of utmost importance that the IS auditor has a thorough understanding of business process applications and controls. The basic architecture of some of the commonly used applications and their associated risks are discussed in the next topic.
Key aspects from CISA exam perspective
The following table covers important aspects from the CISA exam perspective:

| CISA question | Possible answer |
|---|---|
| What is the first step in risk-based audit planning? | To identify areas of high risk |
| What is a major benefit of risk-based audit planning? | The utilization of resources for high-risk areas |
| What is the first step to conduct a data center review? | To evaluate vulnerabilities and threats related to the data center location |
Self-evaluation questions
1. Which of the following is the first step in risk-based audit planning?
   - To identify the requirements of relevant stakeholders
   - To identify high-risk processes in the company
   - To identify the budget
   - To identify the profit function
2. Which of the following is a major advantage of a risk-based approach to audit planning?
   - Advance communication of the audit plan
   - Completion of the audit exercise within the allotted time and budget
   - The collection of audit fees in advance
   - Optimum use of audit resources for high-risk processes
3. Which of the following should be the first exercise while reviewing data center security?
   - The evaluation of the physical security arrangement
   - The evaluation of vulnerabilities and threats to the data center location
   - The evaluation of the business continuity arrangement for the data center
   - The evaluation of the logical security arrangement
4. Which of the following is the most important aspect of planning an audit?
   - Identifying high-risk processes
   - Identifying the experience and capabilities of audit staff
   - Identifying control testing procedures of the audit
   - Determining the audit schedule