cisa-d1-auditing-process-risk-based-audit-planning

Risk-based Audit Planning

isaca-cisa · framework · Gold standard

Drawn fromCISA Review Manual · ISACA peer-reviewed case sets·Reviewed May 3, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Risk-based Audit Planning

Risk-based audit planning is a systematic methodology for designing an IT audit program by allocating finite audit resources proportionally to areas of highest organizational risk exposure. Rather than applying uniform coverage to all systems and processes, it uses the Audit Risk Model (Audit Risk = Inherent Risk × Control Risk × Detection Risk) to prioritize where auditors spend their time. The process begins with constructing an audit universe—a comprehensive inventory of all auditable entities—then applies risk assessment techniques to rank each entity by risk severity, and produces a documented audit plan that justifies every resource allocation decision with explicit risk-based reasoning. The output is a defensible, strategic audit plan, not a procedural checklist.

Where it stops · what it isn't

—IS: the methodology for deciding which areas to audit, how much time to allocate, and why—before fieldwork begins
—IS NOT: audit execution (fieldwork, testing, evidence collection), which follows the plan
—IS NOT: a risk management function—auditors assess risk for planning purposes but do not own organizational risk mitigation
—IS NOT: a one-time annual event—risk-based plans must be updated when significant changes occur (new systems, threat landscape shifts, control failures)
—IS NOT: a guarantee of detecting all control weaknesses—detection risk can never reach zero; risk-based planning explicitly accepts residual detection risk in lower-priority areas
—IS NOT: synonymous with compliance-driven audit planning, which applies standard audit programs regardless of risk profile

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Information Systems Auditing Process (CISA Domain 1)

REQUIRES

Audit Universe DefinitionInherent Risk AssessmentControl Risk Evaluation

ENABLES

Audit Scope Definition and Resource AllocationAudit Committee Reporting and Governance

RELATED TO

Audit Project Management and Engagement PlanningContinuous Auditing and Monitoring (CAM)

CONSTRAINS

Audit fieldwork—scope boundaries flow directly from risk-based plan decisions

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.