Prioritise the identified risk.

Define the audit universe.

Identify the critical controls.

Determine the testing approach.

Review findings from prior audits.

Executive management's approval of the audit plan.

Review IS security policies and procedures.

Perform Risk Assessment

Does not require an IS auditor to collect evidence on system reliability while processing is taking place

Requires the IS auditor to review and follow up immediately on all information collected

Can improve system security when used in time-sharing environments that process a large number of transactions

Does not depend on the complexity of an organizations computer systems.

Issue an Audit finding

Seek an explanation from IS management

Review the classification of data held on the server

Expand the sample of logs reviewed

Address Audit objectives

Collect sufficient evidence

Specify appropriate tests

Minimize audit resources

A Product of probability and magnitude of impact if threat successfully exploits the vulnerability

The magnitude of impact should a threat source successfully exploit the vulnerability

The likelihood of given threat source exploiting a given vulnerability

The collective judgement of the risk assessment team

Show compliance with standards

Show how results were deduced

Show management’s role

Show due care was exercised