Auditing Best Practice

An Auditor’s Approach to Risk-Based Auditing: What to Audit and When

by Paul J. Sanchez

Executive Summary

  • The need for internal auditing professionals to make a serious professional risk assessment of how limited audit resources should be allocated across corporate activities.

  • A risk-based approach and a risk model for prioritizing auditable activities by risk score.

  • The perennial internal audit problem of how to use limited audit resources effectively, with the emphasis that high-risk areas require top priority.

  • A model that can easily be used to rank auditable activities.


Each year the senior audit manager in a corporate internal audit department is faced with the difficult task of presenting the audit committee with a schedule of audit coverage for the coming year. The senior audit manager must decide what to audit and when. This crucial assignment for the internal audit function sets in place the audit schedule for the year. The schedule should focus on the areas of risk that, if not controlled, will most likely interfere with corporate objectives. If audit work does not cover such risk areas, the audit function may find itself in the embarrassing position of being in the wrong place at the wrong time. Since the internal audit function is part of the enterprise risk management (ERM) process, the auditor is expected to know the sensitive operations of the entity and to use audit resources to provide efficient audit risk coverage. A proper ERM process will embrace an audit plan that will satisfy the audit committee and will answer the question of what to audit.

Internal Auditors Cannot Audit Everything!

This chapter focuses on each corporation’s need for a careful, consistent, professional approach to determining what to audit. The generally limited resources in the corporate internal auditing environment must be used in selected areas on the basis of a risk prioritization exercise. Without a risk-based auditing approach, professional auditors may fall into the trap of trying to audit all activities. It is an automatic reaction. Auditors try to do a little audit work in every auditable area. It is usually difficult or inconvenient for management and audit committee members to accept the truth—that there simply are not enough audit resources to audit “everything.” Auditors never want to be in a position where they would have to say that there will be no audit coverage in particular areas. It is difficult for auditors to list what will not be audited. Accordingly, internal auditors tend to do “a little bit of everything.” That is the same as doing “a lot of nothing”—and it is not a helpful approach to applying overall effective audit coverage for the corporation. The modern audit committee wants to know that the limited audit resources are being allocated to the high-risk areas at the expense of the low-risk areas.

Internal Auditors Must Rank Auditable Activities

Although internal auditor resources are scarce, corporate management seems to expect auditors to provide audit coverage for “everything that moves.” That simply cannot be done! The auditor must be in the right place at the right time. A risk-ranking approach, where high-risk activities receive more audit coverage than low-risk areas, is essential. In fact, some low-risk areas will not be covered at all by the internal auditors. Those activities are just not significant, or, as practicing accountants say, they are “not material.” A risk assessment approach to creating an audit plan is the logical starting point for the audit manager who wants to focus audit coverage on high-risk areas.

Professional Standards

The auditing standards (measures of the quality of performance) of the internal audit profession recognize the importance of an audit plan. That fact is clearly stated in the international professional auditing standards promulgated by the Institute of Internal Auditors (IIA).

IIA Standard “2010—Planning” states the following:

“The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.”

Paragraph A1 of Standard 2010 suggests that the audit plan:

  • be based on a documented risk assessment;

  • be undertaken at least annually;

  • consider the input of senior management and the board.

Further, Standard 2010 suggests that the internal audit activity have, at a minimum, a carefully prepared annual audit plan based on risk assessment. Audit committees expect such a plan; the professional standards require such a plan; and common sense dictates such a plan.


Further reading

  • Institute of Internal Auditors (IIA). “International Professional Practices Framework (IPPF).” 2011 edition, updated for 2012. Online at:
  • Institute of Internal Auditors (IIA). “2010—Planning.” Online at: