How does the audit team select processes and systems to be tested?


The selection of processes and systems to test in an audit is fundamentally linked to the concept of materiality. Materiality refers to the significance of an item, event, or information that could influence the decision-making processes of stakeholders. In the context of an audit, the audit team focuses on areas that are critical to the organization’s information security management system (ISMS) and where there is a higher risk of non-compliance or failure.

When the audit team emphasizes materiality, it prioritizes testing the processes and systems that can have a substantial impact on the organization’s overall security posture and risk profile. By concentrating effort on these significant areas, the team ensures that its findings are relevant and valuable, leading to actionable insights for improving the ISMS. This approach fosters a deeper understanding of the organization’s security strengths and weaknesses and makes for a more robust audit.

In contrast, relying solely on technical experts' advice, standard audit procedures, or historical performance may not adequately address the most critical areas of concern, because these methods can overlook current risks or emerging threats. Basing the selection on materiality therefore ensures a targeted and effective audit approach.
