When management requests focus on new systems in an audit plan, how should an IS auditor respond?

Study for the CISA Domain 1 Exam. Get ready with flashcards, multiple-choice questions, hints, and explanations. Prepare thoroughly for your audit and assurance certification!

In a scenario where management requests that the audit plan focus on new systems, the most effective approach for an IS auditor is to identify and audit the highest-risk systems. This ensures that the audit resources are allocated to areas where they can have the most significant impact on the organization's risk management.

New systems may have inherent risks due to factors such as lack of historical data, untested functionalities, or potential integration issues with existing systems. Therefore, while they deserve attention, it is crucial for the auditor to assess the broader risk landscape. By focusing on the highest-risk systems, the auditor can prioritize the audit of new systems that present the greatest potential for significant impact on the organization, including financial, operational, and reputational risks.

Additionally, this approach aligns with the principles of risk management and ensures that audits are not merely procedural but rather strategic in safeguarding the organization's interests. It enables the auditor to provide more valuable insights and recommendations to enhance the overall security and effectiveness of the IT environment.

In contrast, auditing only the new systems would not provide a comprehensive view of overall risks, and focusing strictly on systems that were excluded from last year's audit might overlook new developments. Including both new and previous systems in a blanket manner without a risk-based approach may dilute the
