The audit strategy is a key driver determining the type, scope, and frequency of IT audits an
organization conducts and defining the criteria organizations use to prioritize the items in the audit universe. Organizations follow procedures in the audit strategy to assign audit priorities and use those determinations to allocate internal auditing resources.
An audit strategy sets the direction, timing, and scope of an audit. The strategy is then used as a guideline when developing an audit plan. The strategy document usually includes a statement of the key decisions needed to properly plan the audit. The audit strategy is based on the following considerations:
• The characteristics of the engagement
• Reporting objectives
• Timing of the audit
• Nature of communications
• Significant factors in directing engagement team efforts
• The results of preliminary engagement activities
• The knowledge gained on other engagements
• The nature, timing, and extent of resources available for the engagement
The audit strategy could be relatively short for the audit of a smaller entity, perhaps in the form of a brief memo. If there are unexpected changes in conditions or the outcome of audit procedures, it may be necessary to alter the audit strategy. If there is an alteration, the reasons for the alteration should be stated in the accompanying documentation.
The audit plan is much more detailed than the strategy document, since the plan states the nature, timing, and extent of the specific audit procedures to be conducted by the audit team.