Planning an IT audit involves two major steps: gathering information and planning, and then gaining an understanding of the existing internal control structure. More and more organizations are moving to a risk-based audit approach, which is used to assess risk and helps an IT auditor decide whether to perform compliance testing or substantive testing. In a risk-based approach, IT auditors rely on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost and benefit analysis of the control to the known risk.

In the “gathering information” step the IT auditor needs to identify five items:

A side note on “inherent risks”: inherent risk is the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls.