The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:
- IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
- Management and other interested parties of the profession's expectations concerning the work of practitioners
- Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

IS audit and assurance professionals should include a statement in their work, where appropriate, that the
engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable
professional standards.

The ITAF framework for the IS audit and assurance professional provides multiple levels of guidance:
- Standards, divided into three categories:
  - General standards (1000 series): the guiding principles under which the IS audit and assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional's ethics, independence, objectivity and due care as well as knowledge, competency and skill. The standards statements (in bold) are mandatory.
  - Performance standards (1200 series): deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care.
  - Reporting standards (1400 series): address the types of reports, means of communication and the information communicated.
- Guidelines, supporting the standards and also divided into three categories:
  - General guidelines (2000 series)
  - Performance guidelines (2200 series)
  - Reporting guidelines (2400 series)
- Tools and techniques, providing additional guidance for IS audit and assurance professionals, e.g., white papers, IS audit/assurance programmes, the COBIT 5 family of products

An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet
the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of
this product will assure a successful outcome. The publication should not be considered inclusive of any proper
procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific procedure or test, controls professionals should apply their own
professional judgement to the specific control circumstances presented by the particular systems or IS environment.

The ISACA Professional Standards and Career Management Committee (PSCMC) is committed to wide consultation
in the preparation of standards and guidance. Prior to issuing any document, an exposure draft is issued
internationally for general public comment. Comments may also be submitted to the attention of the director of
professional standards development via email (standards@isaca.org), fax (+1.847.253.1443) or postal mail (ISACA
International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).

IS Audit and Assurance Guideline
EXPOSURE DRAFT
2202 Risk Assessment in Planning
ISACA 2013-2014 Professional Standards and Career Management Committee
Steven E. Sizemore, CISA, CIA, CGAP, Chairperson Texas Health and Human Services Commission, USA
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP HP Enterprises Security Services, UK
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA Myers and Stauffer LC, USA
Alisdair McKenzie, CISA, CISSP, ITCP IS Assurance Services, New Zealand
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP University of North Texas, USA
Katsumi Sakagawa, CISA, CRISC, PMP JIEC Co. Ltd., Japan
Ian Sanderson, CISA, CRISC, FCA NATO, Belgium
Timothy Smith, CISA, CISSP, CPA LPL Financial, USA
Todd Weinman The Weinman Group, USA
IS Audit and Assurance Guideline 2202 Risk Assessment in Planning
© 2013 ISACA. All rights reserved.

The guideline is presented in the following sections:
1. Guideline purpose and linkage to standards
2. Guideline content
3. Linkage to standards and COBIT 5 processes
4. Terminology
5. Effective date

1. Guideline Purpose and Linkage to Standards

1.0 Introduction
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of audit function and professionals

1.1 Purpose
1.1.1 The level of audit work required to meet the audit objective is a subjective decision made by IS audit and assurance professionals. The purpose of this guideline is to reduce the risk of reaching an incorrect conclusion based on the audit findings and to reduce the occurrence of errors in the area being audited.
1.1.2 The guideline provides guidance in applying a risk assessment approach to develop an:
- IS audit plan that covers all annual audit engagements
- Audit engagement project plan that focuses on one specific audit engagement
1.1.3 The guideline provides the details of the different types of risk the IS audit and assurance professionals encounter. This includes subject matter risk, which includes inherent risk and control risk; together with detection risk it is also referred to as audit risk.
1.1.4 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.

1.2 Linkage to Standards
1.2.1 Standard 1201 Engagement Planning
1.2.2 Standard 1202 Risk Assessment in Planning
1.2.3 Standard 1203 Performance and Supervision
1.2.4 Standard 1204 Materiality
1.2.5 Standard 1207 Irregularity and Illegal Acts

1.3 Term Usage
1.3.1 Hereafter:
- IS audit and assurance function is referred to as audit function
- IS audit and assurance professionals are referred to as professionals

2. Guideline Content

2.0 Introduction
The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Risk assessment of the IS audit plan
2.2 Risk assessment methodology
2.3 Risk assessment of individual audit engagements
2.4 Audit risk
2.5 Inherent risk
2.6 Control risk
2.7 Detection risk

2.1 Risk Assessment of the IS Audit Plan
2.1.1 When developing the overall IS audit plan, a suitable risk assessment approach should be followed. This approach should be conducted and documented at least annually to facilitate the development process of the IS audit plan. It should take into account the organisational strategic plans and objectives and the enterprise risk management framework and initiatives.
2.1.2 To correctly and completely assess the risk that is related to the complete scope of the IS audit area, professionals should consider the following elements when developing the IS audit plan:
- Full coverage of all areas within the scope of the IS audit universe, which represents the range of all possible audit activities
- Reliability of the risk assessment provided by management
- The processes followed by management to supervise, examine and report possible risk or issues
- Coverage of risk in related activities relevant to the activities under review
2.1.3 The applied risk assessment approach should help with the prioritisation and scheduling process of the IS audit and assurance work. It should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit engagements.
2.1.4 Professionals should ensure that the applied risk assessment approach is approved by the various audit stakeholders and those charged with governance.
2.1.5 Professionals should use risk assessments to quantify and justify the amount of IS audit resources needed to complete the IS audit plan and the requirements for specific engagements.
2.1.6 Based on the risk assessment, professionals should develop an IS audit plan that acts as a framework for the IS audit and assurance activities. It should consider non-IS audit and assurance requirements and activities, it should be updated at least annually and be approved by those charged with governance. Finally, the IS audit plan should also address responsibilities set by the audit charter. For more information refer to Standard 1201 Engagement Planning.

2.2 Risk Assessment Methodology
2.2.1 Professionals should consider the appropriate risk assessment methodology to ensure complete and accurate coverage of the audit engagements in the IS audit plan.
2.2.2 Professionals should at least include an analysis, within the methodology, of the risk to the enterprise related to system availability, data integrity and business information confidentiality.
2.2.3 Many risk assessment methodologies are available to support the risk assessment process. These range from simple classifications of high, medium and low, based on professionals' judgement, to more quantitative and scientific calculations providing a numeric risk rating. Professionals should consider the level of complexity and detail appropriate for the enterprise being audited. Specific guidance on performing risk assessments can be found in the ISACA publication COBIT 5 for Risk.
2.2.4 All risk assessment methodologies rely on subjective judgements at some point in the process (e.g., for assigning weights to the various parameters). Professionals should identify the subjective decisions required to use a particular methodology and consider whether these judgements can be made and validated to an appropriate level of accuracy.
2.2.5 In deciding which is the most appropriate risk assessment methodology, professionals should consider such things as the:
- Type of information required to be collected (some systems use financial effects as the only measure; this is not always appropriate for IS audit engagements)
- Cost of software or other licences required to use the methodology
- Extent to which the information required is already available
- Amount of additional information required to be collected before reliable output can be obtained, and the cost of collecting this information (including the time required to be invested in the collection exercise)
- Opinions of other users of the methodology, and their views of how well it has assisted them in improving the efficiency and/or effectiveness of their audits
- Willingness of those charged with governance over the IS audit area to accept the methodology as the means of determining the type and level of audit work carried out
2.2.6 No single risk assessment methodology can be expected to be appropriate in all situations. Conditions affecting audits may change over time. Periodically, professionals should re-evaluate the appropriateness of the chosen risk assessment methodologies.
2.2.7 The professionals should use the selected risk assessment techniques in developing the overall IS audit plan and in planning specific audit engagements. Risk assessment, in combination with other audit techniques, should be considered in making planning decisions such as the:
- Areas or business functions to be audited
- Amount of time and resources to be allocated to an audit
- Nature, extent and timing of audit procedures
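As an added example (not code from the guideline or from ISACA), the following Python implements a small quantitative methodology of the kind 2.2.3 describes and runs it over a constructed IS audit universe to reach the planning decisions of 2.2.7: which areas to audit this cycle and how many audit days each gets. It scores availability, integrity and confidentiality separately as 2.2.2 requires, folds in prior findings (2.3.1) and coverage pressure (2.1.2), and ends with the check 2.2.4 asks for: whether the subjective weights actually change the outcome. The 1-5 scale, the weights, the rating thresholds, the adjustments and the sample areas are all assumptions of this example, not values the guideline gives.

```python
"""Added example (not part of the ISACA guideline): a quantitative risk-assessment
methodology applied to a constructed IS audit universe. Scale, weights,
thresholds, adjustments and sample data are assumptions of this example."""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = very low ... 5 = very high (assumed rating scale)

# 2.2.2: the methodology must at least analyse availability, integrity and
# confidentiality. The weights are a subjective judgement (2.2.4) that must be
# identified and validated; the values below are an assumption.
IMPACT_WEIGHTS = {"confidentiality": 0.40, "integrity": 0.35, "availability": 0.25}
RATING_BANDS = (("high", 15.0), ("medium", 8.0), ("low", 0.0))  # assumed thresholds


@dataclass(frozen=True)
class AuditArea:
    name: str
    confidentiality: int        # impact on business information confidentiality, 1-5
    integrity: int              # impact on data integrity, 1-5
    availability: int           # impact on system availability, 1-5
    likelihood: int             # likelihood of a material error with no controls, 1-5
    open_findings: int = 0      # unremediated findings from prior engagements (2.3.1)
    years_since_audit: int = 0  # coverage pressure across the audit universe (2.1.2)


def risk_score(area: AuditArea, weights=IMPACT_WEIGHTS) -> float:
    """Weighted impact x likelihood (range 1..25), plus capped adjustments so that
    one factor cannot dominate the ranking."""
    for v in (area.confidentiality, area.integrity, area.availability, area.likelihood):
        if v not in SCALE:
            raise ValueError(f"{area.name}: factor {v} is outside the 1-5 scale")
    impact = (weights["confidentiality"] * area.confidentiality
              + weights["integrity"] * area.integrity
              + weights["availability"] * area.availability)
    score = impact * area.likelihood
    score += 1.0 * min(area.open_findings, 3)
    score += 0.5 * min(area.years_since_audit, 4)
    return round(score, 2)


def rating(score: float) -> str:
    """Map the numeric score back to the high/medium/low classification of 2.2.3."""
    for label, floor in RATING_BANDS:
        if score >= floor:
            return label
    return "low"


def build_plan(universe, total_days, min_rating="medium", weights=IMPACT_WEIGHTS):
    """Rank the universe, keep areas rated at least min_rating, and allocate audit
    days in proportion to score (2.2.7). Returns (name, rating, score, days)."""
    order = {"low": 0, "medium": 1, "high": 2}
    scored = sorted(((risk_score(a, weights), a) for a in universe),
                    key=lambda t: t[0], reverse=True)
    selected = [(s, a) for s, a in scored if order[rating(s)] >= order[min_rating]]
    total = sum(s for s, _ in selected)
    return [(a.name, rating(s), s, round(total_days * s / total)) for s, a in selected]


def selection_sensitivity(universe, delta=0.10, weights=IMPACT_WEIGHTS):
    """2.2.4 check: perturb each weight by +/-delta (renormalised) and report the
    perturbations that change which areas are selected for the plan."""
    baseline = {name for name, *_ in build_plan(universe, 100, weights=weights)}
    unstable = []
    for key in weights:
        for sign in (1, -1):
            w = dict(weights)
            w[key] = max(0.0, w[key] + sign * delta)
            norm = sum(w.values())
            w = {k: v / norm for k, v in w.items()}
            if {name for name, *_ in build_plan(universe, 100, weights=w)} != baseline:
                unstable.append((key, sign * delta))
    return unstable


# Constructed sample audit universe (not real data). The stand-alone PC entry
# mirrors the low-inherent-risk example of 2.5.1.
SAMPLE_UNIVERSE = [
    AuditArea("Core banking application", 5, 5, 5, likelihood=3, open_findings=2, years_since_audit=1),
    AuditArea("Identity and access management", 5, 4, 4, likelihood=4, open_findings=1, years_since_audit=2),
    AuditArea("HR self-service portal", 4, 3, 2, likelihood=3),
    AuditArea("Stand-alone lab PC", 1, 1, 1, likelihood=2, years_since_audit=5),
    AuditArea("Backup and restore", 3, 4, 5, likelihood=3, open_findings=3, years_since_audit=3),
]

if __name__ == "__main__":
    for name, level, score, days in build_plan(SAMPLE_UNIVERSE, total_days=100):
        print(f"{name:32} {level:6} {score:6.2f} {days:3d} days")
    print("weight perturbations that change the selection:",
          selection_sensitivity(SAMPLE_UNIVERSE))
```

With the sample data the plan ranks identity and access management first and excludes the stand-alone PC as low, and the sensitivity check returns an empty list, meaning a 0.10 shift in any one weight does not change the selection. An unstable result is the signal 2.2.4 is after: the outcome then rests on a judgement that should be validated with stakeholders before the plan is approved (2.1.4).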

2.3 Risk Assessment of Individual Audit Engagements
2.3.1 When planning an individual engagement, professionals should identify and assess risk relevant to the area under review. The results of this risk assessment should be reflected in the audit engagement objectives. During the risk assessment, professionals should consider:
- Results of prior audit engagements, reviews and findings, including any remedial activities
- The enterprise's overarching risk assessment process
2.3.2 Professionals should ensure full understanding of the activities in scope before assessing risk. They should request comments and suggestions from stakeholders and other appropriate parties. This is needed to correctly determine and examine the impact of possible risk in the audit engagements.
2.3.3 The goal of the risk assessment is the reduction of audit risk to an acceptably low level, thus meeting the audit objectives. This needs to be performed by an appropriate assessment of the IS subject matter and related controls, while planning and performing the IS audit.
2.3.4 When planning a specific IS audit and assurance procedure, professionals should recognise the fact that the lower the materiality threshold is, the more precise the audit expectations will be and the greater the audit risk.
2.3.5 When planning a specific IS audit and assurance procedure, professionals should consider possible illegal acts that can require a modification of the nature, timing or extent of the existing procedures. For more information refer to Standard 1207 Irregularity and Illegal Acts.
2.3.6 To gain additional assurance, professionals should compensate by either extending the scope or nature of the IS audit tests or increasing or extending the substantive testing.

2.4 Audit Risk
2.4.1 Audit risk refers to the risk of reaching an incorrect conclusion based upon audit findings. The three components of audit risk are:
- Control risk
- Detection risk
- Inherent risk
2.4.2 Professionals should consider each of the risk components to determine the overall level of risk. This includes subject matter risk, which includes inherent risk and control risk; together with detection risk it is then referred to as audit risk. Further elaboration on the different components of audit risk can be found in sections 2.5 to 2.7.

2.5 Inherent Risk
2.5.1 Inherent risk is the susceptibility of an audit area to err in a way that could be material, individually or in combination with other errors, assuming that there were no related internal controls. For example, the inherent risk associated with operating system security is ordinarily high, since changes to, or even disclosure of, data or programs through operating system security weaknesses could result in false management information or competitive disadvantage. By contrast, the inherent risk associated with security for a stand-alone PC, when a proper analysis demonstrates it is not used for business-critical purposes, ordinarily is low.
2.5.2 Inherent risk for most IS audit areas is high since the potential effects of errors ordinarily span several business systems and many users.

2.6 Control Risk
2.6.1 Control risk is the risk that an error that could occur in an audit area and could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system. For example, the control risk associated with manual reviews of computer logs can be high because of the volume of logged information. The control risk associated with computerised data validation procedures ordinarily is low because the processes are applied consistently.
2.6.2 Professionals should assess the control risk as high unless relevant internal controls are:
- Identified
- Evaluated as effective
- Tested and proved to be operating appropriately
2.6.3 The professionals should consider both pervasive and detailed IS controls:
- Pervasive IS controls are considered a subset of general controls; they are those general controls that focus on the management and monitoring of the IS environment. They therefore affect all IS-related activities. The effect of pervasive IS controls on professionals' work is not limited to the reliability of application controls in the business process systems. They also affect the reliability of the detailed IS controls over, e.g., application program development, system implementation, security administration and backup procedures. Weak pervasive IS controls, and thus weak management and monitoring of the IS environment, should alert professionals to the possibility of a high risk that the controls designed to operate at the detailed level may be ineffective.
- Detailed IS controls are made up of application controls plus those general controls not included in pervasive IS controls. Following the COBIT framework they are the controls over the acquisition, implementation, delivery and support of IS systems and services.
2.6.4 A possible risk that professionals should consider is the limitations and shortcomings of the detailed IS controls that are induced by inadequacies of the pervasive IS controls.

2.7 Detection Risk
2.7.1 Detection risk is the risk that professionals' substantive procedures will not detect an error that could be material, individually or in combination with other errors. For example, the detection risk associated with identifying breaches of security in an application system ordinarily is high because logs for the whole period of the audit are not available at the time of the audit. The detection risk associated with identifying a lack of disaster recovery plans ordinarily is low, since existence is verified easily.
2.7.2 In determining the level of substantive testing required, the professionals should consider the:
- Assessment of inherent risk
- Conclusion reached on control risk following compliance testing
2.7.3 The higher the assessment of inherent and control risk, the more audit evidence the professionals should normally obtain from the performance of substantive audit procedures.
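The guideline states only the direction of the relationship in 2.7.3. As an added example (not code from the guideline or from ISACA), the following Python applies the conventional multiplicative audit risk model, AR = IR x CR x DR, to the components defined in 2.4 to 2.7: it applies the 2.6.2 rule that control risk stays high until a control is identified, evaluated as effective and tested, solves for the detection risk the professional may accept, and turns that into a substantive sample size. The numeric levels, the 5 % target audit risk, the zero-expected-deviation sample-size rule and the sample inputs are assumptions of this example, not values the guideline gives.

```python
"""Added example (not part of the ISACA guideline): the multiplicative audit risk
model AR = IR x CR x DR used to plan the extent of substantive testing. Levels,
target audit risk and the sample-size rule are assumptions of this example."""
import math
from dataclasses import dataclass

LEVELS = {"low": 0.3, "medium": 0.6, "high": 1.0}  # assumed numeric values per level


@dataclass
class ControlEvidence:
    """What the professional has established about a control (2.6.2)."""
    identified: bool = False
    evaluated_effective: bool = False
    tested_operating: bool = False


def control_risk(evidence: ControlEvidence, assessed_if_reliable: str = "low") -> str:
    """2.6.2: control risk is high unless the control is identified, evaluated as
    effective AND tested as operating; only then may the assessed level be used."""
    if evidence.identified and evidence.evaluated_effective and evidence.tested_operating:
        return assessed_if_reliable
    return "high"


def planned_detection_risk(inherent: str, control: str, target_audit_risk: float = 0.05) -> float:
    """Solve AR = IR x CR x DR for DR: the risk the professional can accept that
    substantive procedures miss a material error (2.7.1). Capped at 1.0."""
    dr = target_audit_risk / (LEVELS[inherent] * LEVELS[control])
    return min(dr, 1.0)


def substantive_sample_size(detection_risk: float, tolerable_rate: float) -> int:
    """Zero-expected-deviation attribute sample: the smallest n such that
    (1 - tolerable_rate)^n <= detection_risk. A lower DR forces a larger n, which
    is the 2.7.3 relationship in numbers."""
    if not 0 < detection_risk <= 1 or not 0 < tolerable_rate < 1:
        raise ValueError("detection_risk must be in (0, 1] and tolerable_rate in (0, 1)")
    return math.ceil(math.log(detection_risk) / math.log(1 - tolerable_rate))


def plan_substantive_testing(inherent: str, evidence: ControlEvidence,
                             tolerable_rate: float = 0.05, target_audit_risk: float = 0.05) -> dict:
    """Combine the 2.7.2 inputs (inherent risk assessment, control risk conclusion)
    into a planned level of substantive testing."""
    cr = control_risk(evidence)
    dr = planned_detection_risk(inherent, cr, target_audit_risk)
    return {
        "control_risk": cr,
        "detection_risk": round(dr, 3),
        "sample_size": substantive_sample_size(dr, tolerable_rate),
        # 2.3.6 / 2.6.4: with no reliance on controls in a high-inherent-risk area,
        # extend the scope or nature of the tests, not only the sample size.
        "extend_scope": cr == "high" and inherent == "high",
    }


if __name__ == "__main__":
    # Constructed cases mirroring the examples in 2.5.1 and 2.6.1 (not real data).
    cases = {
        "OS security, manual log review not tested": ("high", ControlEvidence(identified=True)),
        "OS security, automated validation tested": ("high", ControlEvidence(True, True, True)),
        "Stand-alone PC, controls tested": ("low", ControlEvidence(True, True, True)),
    }
    for label, (ir, ev) in cases.items():
        print(f"{label}: {plan_substantive_testing(ir, ev)}")
```

For the untested manual log review the model leaves a detection risk of 0.05 and a sample of 59 items plus a recommendation to extend scope; once a control is identified, evaluated and tested, the same high-inherent-risk area needs 35 items. Note that the model is a planning aid only: the judgement of which level to assign, and whether the evidence behind `ControlEvidence` is adequate, remains the professional's (2.2.4).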

3. Linkage to Standards and COBIT 5 Processes

3.0 Introduction
This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Seek other guidance

3.1 Linkage to Standards
The table provides an overview of:
- The most relevant ISACA Standards that are directly supported by this guideline
- Those standard statements that are most relevant to this guideline

Note: Only those standard statements relevant to this guideline are listed.

Standard Title | Relevant Standard Statements

1201 Engagement Planning
  IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
  - Objective(s), scope, timeline and deliverables
  - Compliance with applicable laws and professional auditing standards
  - Use of a risk-based approach, where appropriate
  - Engagement-specific issues
  - Documentation and reporting requirements

1202 Risk Assessment in Planning
  The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.
  IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements.
  IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise.

1203 Performance and Supervision
  IS audit and assurance professionals shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule.

1204 Materiality
  IS audit and assurance professionals shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
  IS audit and assurance professionals shall consider materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.
  IS audit and assurance professionals shall consider the cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or a material weakness.
  IS audit and assurance professionals shall disclose the following in the report:
  - Absence of controls or ineffective controls
  - Significance of the control deficiencies
  - Likelihood of these weaknesses resulting in a significant deficiency or material weakness

1207 Irregularity and Illegal Acts
  IS audit and assurance professionals shall consider the risk of irregularities and illegal acts during the engagement.

3.2 Linkage to COBIT 5 Processes
The table provides an overview of:
- COBIT 5 processes
- COBIT 5 process purpose

Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.

COBIT 5 Process | Process Purpose

EDM01 Ensure governance framework setting and maintenance.
  Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise's strategies and objectives, ensure that IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met.

EDM03 Ensure risk optimisation.
  Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.

APO12 Manage risk.
  Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.

MEA02 Monitor, evaluate and assess the system of internal control.
  Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

MEA03 Monitor, evaluate and assess compliance with external requirements.
  Ensure that the enterprise is compliant with all applicable external requirements.

3.3 Seek Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance, when considered necessary. This could be from IS audit and assurance:
- Colleagues from within the organisation and/or outside the enterprise, e.g., through professional associations or professional social media groups
- Management
- Governance bodies within the organisation, e.g., audit committee
- Other guidance (e.g., books, papers, other guidelines)

4. Terms

Term | Definition

Audit charter
  A document approved by those charged with governance that defines the purpose, authority and responsibility of the internal IS audit and assurance activity.
  The charter should:
  - Establish the internal IS audit and assurance function's position within the enterprise
  - Authorise access to records, personnel and physical properties relevant to the performance of IS audit and assurance engagements
  - Define the scope of the IS audit and assurance function's activities

Audit risk
  The risk of reaching an incorrect conclusion based upon audit findings. The three components of audit risk are:
  - Control risk
  - Detection risk
  - Inherent risk

Control risk
  The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal control. See inherent risk.

Detailed IS controls
  Controls over the acquisition, implementation, delivery and support of IS systems and services made up of application controls plus those general controls not included in pervasive controls.

Detection risk
  The risk that the IS audit or assurance professional's substantive procedures will not detect an error that could be material, individually or in combination with other errors. See audit risk.

Inherent risk
  The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls). See control risk.

Materiality
  An audit concept regarding the importance of an item of information with regard to its impact or effect on the subject matter being audited. An expression of the relative significance or importance of a particular matter in the context of the engagement or the enterprise as a whole.

Pervasive IS control
  General control designed to manage and monitor the IS environment and which, therefore, affects all IS-related activities.

Risk assessment
  A process used to identify and evaluate risk and its potential effects.
  Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan.
  Risk assessments are also used to manage the project delivery and project benefit risk.

Substantive testing
  Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

5. Effective Date

5.1 Effective Date
This revised guideline is effective for all IS audit/assurance engagements beginning on or after Day Month 2014.
