In the event that an IS audit team cannot complete the approved audit plan due to resource constraints, what is the most acceptable course of action?

When an IS audit team faces resource constraints and is unable to complete the approved audit plan, it is most appropriate to focus on auditing high-risk areas. This approach ensures that the audit team prioritizes the most critical aspects of the organization's operations, where the potential for loss or impact is the greatest.

By concentrating on high-risk areas, the audit team can provide the organization with insights into the most vulnerable components of its information systems. This targeted audit approach maximizes the value of the limited resources available and ensures that key risks are assessed and addressed in the event that a comprehensive audit cannot be performed.

Testing the adequacy of control design and the operational effectiveness of controls are important steps in the auditing process, but they may not be feasible or necessary in the context of resource limitations. Similarly, relying on management testing of controls is generally less effective, as it does not provide the same level of independent assurance that an in-depth audit could deliver.

In summary, focusing on high-risk areas allows the audit team to maintain an effective oversight function, ensuring that potential financial, operational, and reputational risks are mitigated even when resources are constrained.