When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to
controls needed to mitigate risks are in place.
vulnerabilities and threats are identified.
audit risks are considered.
a gap analysis is appropriate.
In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood.
This will determine the areas to be audited and the extent of coverage. Understanding whether
appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks
are inherent aspects of auditing, are directly related to the audit process and are not relevant to the
risk analysis of the environment to be audited. A gap analysis would normally be done to compare
the actual state to an expected or desirable state.