External audit planning is largely determined by the audit requirements of the paying party. Regulatory or contractual obligations also play a role in determining the scope of external audits. To achieve the review objectives of the paying party, the external auditor typically proposes standard audit objectives for inclusion in the audit scope, based on experience. Due to cost factors, external audits tend either to be high-level and broad, with less specific and detailed testing, or to be narrow in scope when specific and detailed testing is required.
The scope of an internal audit is usually more tactically focused on high-risk areas or new and emerging risk areas. The annual revisiting of sensitive or critical operations is also a common focus of internal audits. This is especially true when an external audit or other recurring regulatory activities require that these processes be reviewed and relied upon for regular validation. The scope and objectives of the individual internal IS audit engagements generally support the overall audit plan for the organization in any given year. This plan should be based upon an annual risk assessment process.
This assessment process would follow classic quantitative risk assessment guidelines:
Identify all of the relevant assets (information assets, processes the company is dependent upon, infrastructure that the company needs to perform daily operations, and so forth).
Value the assets (cost ...