Corporate IT security audit compliance

1.  Discuss the importance of this statement: “Identifying and prioritizing risks is a key component of the audit plan”. Is there a process to follow?

2.  Discuss this statement: “Establishing baselines and identifying an acceptable level of risk across the environment provides a starting point for the actual audit”. How is this statement true? Where would you start your development of a baseline?