On what basis should an IS auditor plan IS audit coverage?

Prepare for the Certified Information Systems Auditor Exam with engaging quizzes and comprehensive flashcards. Gain insights into IS audit control, process, and best practices. Ensure success in your exam!

Planning IS audit coverage primarily based on risk is essential because it allows the auditor to focus on the areas that pose the greatest threat to the organization's information systems. By understanding the specific risks associated with the information systems and processes, the IS auditor can prioritize audit activities to ensure that resources are allocated effectively where they are most needed.

Risk-based auditing enables the identification of vulnerabilities, potential impacts, and the likelihood of adverse events occurring. It helps in assessing the controls in place and determining whether they are sufficient to mitigate those risks. This method ensures that audit activities are aligned with the organization’s risk appetite and strategic objectives, ultimately contributing to better overall governance and assurance processes.

While organizational charts, compliance standards, and historical audit results can provide valuable insights and context for planning audits, they should serve as secondary considerations in comparison to the overarching risks that could potentially affect the organization’s operations and data integrity. By placing risk at the forefront, IS auditors can enhance the effectiveness of their audit coverage and support the organization in achieving its goals in a secure manner.
