In risk-based auditing, which step follows understanding the business environment?

Study for the CISA Domain 1 Exam. Get ready with flashcards, multiple-choice questions, hints, and explanations. Prepare thoroughly for your audit and assurance certification!

In risk-based auditing, after gaining an understanding of the business environment, the next logical step is to identify the IT systems that will be subjected to the audit. This identification process is critical as it allows auditors to focus on the systems that are integral to the organization’s operations and that could present significant risks if not properly managed or controlled.

Understanding the business environment provides context such as business processes, organizational structure, and regulatory requirements, which inform auditors about which systems are essential and how they relate to the overall risk landscape. By identifying the IT systems, auditors can then tailor their audit efforts to align with the specific risks and controls related to those systems, setting the stage for a more effective and focused audit process.

This foundational step bridges the understanding of the business and its associated risks with the practical elements of the audit itself. Subsequent steps, such as establishing control objectives, assessing risks, and reviewing previous audit findings, are crucial but come after the identification of the relevant IT systems.
