The most critical step while planning an audit is performing a risk assessment. ISACA IS Audit and Assurance Standard 1202 require risk assessment as per the statement 1202.2, where IS audit and assurance professionals must assess and identify the possible risks that are relevant to the area that is being reviewed.
This is to provide the clients a sufficient reasonable basis when there are risks of error, fraud or misstatement of materials. The auditor must obtain their client’s company and its environment, understanding of the financial reporting, the acceptance of the client for retention evaluation, past audits, and an inquiry of the audit committee and other team members regarding all the risks.
When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. The skill sets of the audit staff should have been considered before deciding and selecting the audit. Test steps for the audit are not as critical as identifying the areas of risk, and the time allotted for an audit is determined by the areas to be audited, which are primarily selected based on the identification of risks.