IS Audit and Assurance Standard 1202 Risk Assessment in Planning 



The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:

  • IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
  • Management and other interested parties of the profession’s expectations concerning the work of practitioners
  • Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

IS audit and assurance professionals should include a statement in their work, where appropriate, that the engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable professional standards.

The ITAF™ framework for the IS audit and assurance professional provides multiple levels of guidance:

  • Standards, divided into three categories:
    • General standards (1000 series)—Are the guiding principles under which the IS audit and assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill. The standards statements (in bold) are mandatory.
    • Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care
    • Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated
  • Guidelines, supporting the standards and also divided into three categories:
    • General guidelines (2000 series)
    • Performance guidelines (2200 series)
    • Reporting guidelines (2400 series)
  • Tools and techniques, providing additional guidance for IS audit and assurance professionals, e.g., white papers, IS audit/assurance programmes, the COBIT 5 family of products

An online glossary of terms used in ITAF is provided at

Disclaimer:  ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, controls professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or IS environment.

The ISACA Professional Standards and Career Management Committee (PSCMC) is committed to wide consultation in the preparation of standards and guidance. Prior to issuing any document, an exposure draft is issued internationally for general public comment. Comments may also be submitted to the attention of the director of professional standards development via email (, fax (+1.847.253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).

ISACA 2012-2013 Professional Standards and Career Management Committee

Steven E. Sizemore, CISA, CIA, CGAP, Chairperson, Texas Health and Human Services Commission, USA
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP, HP Enterprises Security Services, UK
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA, Myers and Stauffer LC, USA
Murari Kalyanaramani, CISA, CISM, CRISC, CISSP, CBCP, British American Tobacco IT Services, Malaysia
Alisdair McKenzie, CISA, CISSP, ITCP, IS Assurance Services, New Zealand
Katsumi Sakagawa, CISA, CRISC, PMP, JIEC Co. Ltd., Japan
Ian Sanderson, CISA, CRISC, FCA, NATO, Belgium
Timothy Smith, CISA, CISSP, CPA, LPL Financial, USA
Rodolfo Szuster, CISA, CA, CBA, CIA, Tarshop S.A., Argentina


The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.

IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements.

IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise.

Key Aspects

When planning ongoing activities, the IS audit and assurance function should:

  • Conduct and document, at least annually, a risk assessment to facilitate the development of the IS audit plan.
  • Include, as part of the risk assessment, the organisational strategic plans and objectives and the enterprise risk management framework and initiatives.
  • For each IS audit and assurance engagement, quantify and justify the amount of IS audit resources needed to meet the engagement requirements.
  • Use risk assessments in the selection of areas and items of audit interest and the decisions to design and conduct particular IS audit and assurance engagements.
  • Seek approval of the risk assessment from the audit stakeholders and other appropriate parties.
  • Prioritise and schedule IS audit and assurance work based on assessments of risk.
  • Based on the risk assessment, develop a plan that:
    • Acts as a framework for IS audit and assurance activities
    • Considers non-IS audit and assurance requirements and activities
    • Is updated at least annually and approved by those charged with governance
    • Addresses responsibilities set by the audit charter

When planning an individual engagement, IS audit and assurance professionals should:

  • Identify and assess risk relevant to the area under review.
  • Conduct a preliminary assessment of the risk relevant to the area under review for each engagement. Objectives for each specific engagement should reflect the results of the preliminary risk assessment.
  • In considering risk areas and planning a specific engagement, consider prior audits, reviews and findings, including any remedial activities. Also consider the board’s overarching risk assessment process.
  • Attempt to reduce audit risk to an acceptable level, and meet the audit objectives by an appropriate assessment of the IS subject matter and related controls, while planning and performing the IS audit.
  • When planning a specific IS audit procedure, recognise that the lower the materiality threshold, the more precise the audit expectations and the greater the audit risk.
  • To reduce risk for higher materiality, compensate by either extending the test of controls (reduce control risk) and/or extending the substantive testing procedures (reduce detection risk) to gain additional assurance.


Term: Definition

Audit charter: A document approved by those charged with governance that defines the purpose, authority and responsibility of the internal audit activity. The charter should:
  • Establish the internal audit function’s position within the enterprise
  • Authorise access to records, personnel and physical properties relevant to the performance of IS audit and assurance engagements
  • Define the scope of audit function’s activities

Audit risk: The risk of reaching an incorrect conclusion based upon audit findings. The three components of audit risk are:
  • Control risk
  • Detection risk
  • Inherent risk

Audit subject matter risk: Risk relevant to the area under review:
  • Business risk (customer capability to pay, credit worthiness, market factors, etc.)
  • Contract risk (liability, price, type, penalties, etc.)
  • Country risk (political, environment, security, etc.)
  • Project risk (resources, skill set, methodology, product stability, etc.)
  • Technology risk (solution, architecture, hardware and software infrastructure network, delivery channels, etc.)
See inherent risk.

Control risk: The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal control. (See inherent risk.)

Detection risk: The risk that the IS audit or assurance professional’s substantive procedures will not detect an error that could be material, individually or in combination with other errors. See audit risk.

Inherent risk: The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls). See control risk.

Materiality: An audit concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole.

Risk assessment: A process used to identify and evaluate risk and its potential effects. Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage the project delivery and project benefit risk.

Substantive testing: Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

Linkage to Guidelines

Type: Title
Guideline: 2202 Risk Assessment in Planning

Operative Date

This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.