Risk Management in Internal Audit Planning

Internal audit planning is a critical step in achieving effective and efficient internal audits. This study looks at how risk management approach is used to plan internal audit. Purpose is to reduce the subjectivity and time spent in audit planning. A two-step risk management approach is used. In Step 1, the audit frequency is determined based on the department's Workplace Environment, Health and Safety (EHS) risk. In Step 2, the level of readiness of a department is determined by looking at the department's level of documentation and level of measuring and monitoring of processes. From the risk assessment, a 3-year cycle plan is developed to ensure all departments are audited at least once in every 3 years. Higher risk departments would be audited more frequently. A review of risk factors is conducted every 3 years or as and when necessary. The subjectivity in selecting a department for internal audit is reduced. Another significant benefit achieved is the reduction in time spent to do audit planning. With the risk-based audit planning, new staff who is not familiar with audit planning can complete the audit planning process efficiently and effectively. Through the risk management approach, the internal audit planning is more structured and effective.