An IS auditor is preparing the annual audit plan for a mid-sized retail bank. Senior management has asked that prior-year findings drive the selection of auditable units, while the audit committee has asked for coverage that reflects the bank's current risk profile. Which approach should the IS auditor adopt as the PRIMARY basis for selecting auditable units?
- A. Assess inherent risk, control risk and detection risk for each auditable unit and allocate effort to the highest residual risk areas. (Correct)
- B. Schedule each auditable unit on a fixed three-year rotation so every system is covered at least once in the cycle.
- C. Re-audit every area where the previous year's report contained a high-rated finding before considering any new auditable units.
- D. Prioritise the auditable units that the available audit staff have the strongest technical familiarity with for the coming year.
Why A is correct: This is the risk-based audit planning model required by ISACA standards; effort is concentrated where residual risk is highest, which is the defensible basis for an annual plan.
Why B is wrong: Fixed-rotation cycles are tempting because they look fair and predictable, but ISACA standards require selection driven by current inherent and control risk, not calendar rotation that ignores threat changes.
Why C is wrong: Following up prior findings is necessary but partial; it anchors the plan on history rather than the current risk profile and leaves emerging high-risk areas uncovered.
Why D is wrong: Staffing convenience is tempting in a resource-constrained team, but ISACA requires the plan to be driven by risk; auditor availability informs delivery, not selection.