In this chapter, you explored various audit processes, standards, guidelines, practices, and techniques that an IS auditor is expected to use during audit assignments. You learned about risk-based audit planning and its advantages. The most important benefit of audit planning is that it helps the auditor focus on high-risk areas. You explored the major risks associated with business applications. The important topics covered in this chapter were as follows:

• The audit department’s activities are influenced by the audit charter. The approved audit charter is the basis on which the chief audit officer carries out audit processes. The audit charter should ideally be approved by top management.

• The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas.

• Preventive controls are designed to prevent omissions, errors, or negative acts from occurring. Preventive controls are incorporated in such a way that they prevent a threat event and thus avoid its potential impact. Detective controls are implemented to detect threat events once they have occurred; they aim to reduce the impact of an event. Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring a business to its routine operations. Compensating controls are alternate measures employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for a weakness in another area.

• The identification of vulnerabilities is an important aspect of conducting a risk assessment. If a vulnerability is not appropriately recognized, controls and audit planning may not be effective.

• The objective of an information system audit is to determine the adequacy of the processes and controls to safeguard the confidentiality, integrity, and availability of information systems and related infrastructure and resources.

In the next chapter, you will be exploring audit execution, which includes project management techniques, sampling methodology, audit evidence collection techniques, and other aspects of conducting an audit.