Creating a risk-based audit plan, is it a myth?

The idea that audit plans should be risk based is so old and widely accepted that we give it no second thought. And yet in my 16 years of risk across 4 continents I have seen hundreds of audit plans and I can assure you NONE of them were risk based. They were opinion and feelings based, some even had colours and qualitative words describing perceived risk exposure, some were materiality based, and yet none were risk based because they were disconnected from the underlying organisational risk profile.

If you are an internal auditor and you are sure that your audit plan is risk based, scroll to the bottom of the article, where I added a quick checklist that will change your mind 🙂

The problem – the biggest lie IIA ever sold business is that auditors understand risk

IIA even published a guideline on creating a risk-based audit plan, Developing the Risk-based Internal Audit Plan, 2020. I carefully reviewed the guideline back when it came out and again today, and I can guarantee that anyone who is following this best practice has no risk-based audit plan, 87% of the time.

In alignment with the Code of Ethics principle of objectivity and Standard 1100 – Independence and Objectivity, internal auditors should do their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately. Developing the Risk-based Internal Audit Plan, 2020

I think this is irony at its best; I will come back to the Code of Ethics principles a little later in the article.

Risk assessments typically include both quantitative and qualitative methodologies. An abundant selection of software is available to help the internal audit activity perform risk assessments that result in both quantitative and qualitative data. Developing the Risk-based Internal Audit Plan, 2020

Well, I know of only one piece of software that turns qualitative risk registers into quantitative ones and utilises utility theory to properly quantify and compare financial and non-financial risks: Archer Insight.

In their risk assessments, internal auditors should estimate both inherent risk — the risk that exists if no controls were in place — and residual risk. Developing the Risk-based Internal Audit Plan, 2020

Ok, this is too funny. I have a whole article on why this is a typical example of the nonsense that results when auditors artificially create a whole new concept to fit their agenda, one that serves no practical business purpose whatsoever. If you know that auditors are the only beneficiaries of the whole inherent/residual conversation, something is seriously wrong. The better alternative to “inherent” and “residual” risk concepts.

The CAE or assigned internal auditors should document the reasons for their determination of residual risk. This rationale lends support to internal audit’s view of risk priorities. Developing the Risk-based Internal Audit Plan, 2020

This is one of many reasons why risk priorities derived from such an approach have nothing to do with the actual risk exposure the business is facing, which is what the auditors should have been focused on all this time.

Risk assessment results with levels of risk for each auditable unit may be depicted graphically in a heat map or similar chart to help show the ranking of priorities. Heat maps are especially useful when certain criteria are weighted more heavily than others and in visual presentations to the board and senior management.

Ok, this is all you really need to know about the IIA's level of competency when it comes to risk management. Heatmaps have been scientifically proven to misprioritise risks and to be “worse than useless”. Let me make this very clear: IIA is recommending astrology and horoscopes in its official guidelines. Surely that is a direct breach of the Code of Ethics principles. Last time I checked, promoting pseudoscience and astrology under the banner of independence is not a good idea.

CAEs should meet with senior management to review internal audit’s assessment, ensure thoroughness and mutual understanding, and discuss the reasons for any significant differences in risk perceptions or ratings.

Ok, that’s just wishful thinking. How do you get an accountant to compare notes with a surgeon? That is just an analogy, an illustration. The point I am making is that internal auditors lack the risk management competencies needed to understand how risk exposure is calculated, how uncertainty affects decisions or objectives, how risks are correlated, why cVaR should be used for some risks instead of VaR, what role the confidence interval plays in risk assessments and, lastly, why there is no such thing as an enterprise-wide approach to risk assessment: each risk has its own risk model, and aggregating risks is anything but trivial.
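As an added illustration (not from the original post), the following Python example with constructed loss figures shows three of the points above and behind the checklist at the end: VaR can rank a rare catastrophic risk below a frequent nuisance risk while cVaR does not, the ranking changes with the confidence level, and the cVaR of two risks combined depends on whether they strike in the same scenarios. The risk names, loss sizes and scenario counts are all assumptions made up for the example.

```python
# Added example (not from the original post): why cVaR, the confidence level
# and the dependence between risks change which risk looks "biggest".
# All loss figures are constructed, in thousands; 1000 equally likely scenarios.

N = 1000  # number of equally likely scenarios (constructed)

def risk_a():
    """Frequent, small losses: 50..140 in every scenario (mean 95)."""
    return [50 + (i % 10) * 10 for i in range(N)]

def risk_b(scenarios):
    """Rare, catastrophic loss: 20000 in the given 2% of scenarios, else 0."""
    hit = set(scenarios)
    return [20000 if i in hit else 0 for i in range(N)]

def var_cvar(losses, alpha):
    """Empirical VaR (the k-th worst loss) and cVaR (mean of the k worst),
    where k is the (1 - alpha) share of the scenarios."""
    k = max(1, round(len(losses) * (1 - alpha)))
    worst = sorted(losses, reverse=True)[:k]
    return worst[-1], sum(worst) / k

def aggregate(*risks):
    """Scenario-by-scenario sum keeps the dependence between the risks."""
    return [sum(x) for x in zip(*risks)]

def compare(alpha, b_scenarios):
    """(VaR, cVaR) at the given confidence for A, B and the aggregate."""
    a, b = risk_a(), risk_b(b_scenarios)
    return {
        "A": var_cvar(a, alpha),
        "B": var_cvar(b, alpha),
        "A+B": var_cvar(aggregate(a, b), alpha),
    }

if __name__ == "__main__":
    # B strikes in scenarios 0..19, unrelated to A's bad scenarios
    independent = list(range(20))
    # B strikes exactly when A has its worst loss (i % 10 == 9): tail dependence
    dependent = [i for i in range(N) if i % 10 == 9][:20]
    for alpha in (0.95, 0.99):
        for name, sc in (("independent", independent), ("tail-dependent", dependent)):
            r = compare(alpha, sc)
            print(f"alpha={alpha} {name}: A(VaR,cVaR)={r['A']} B={r['B']} A+B={r['A+B']}")
```

At 95% VaR says B is zero and A is the bigger risk, while cVaR puts B at 8000 against 140; at 99% both measures flip to B, and the aggregate cVaR is 8122 when the two risks are unrelated but exactly 140 + 8000 when they hit the same scenarios.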

So you tell me, why would management want to meet and take seriously auditors who come and talk about risks because apparently they need to be independent when planning audits? Would you listen to an auditor’s opinion on heart surgery or vaccination? The biggest lie IIA ever sold business is that auditors understand risk management. The methodology provided in Appendix D of Developing the Risk-based Internal Audit Plan, 2020 is an absolute disgrace; Appendix E is nothing short of negligence.

The following books are listed as references, so I wanted to personally thank these gentlemen for contributing to the destruction of audit and risk management value across the world:

The solution – don’t replicate what professionals have already done

My simple answer is use whatever risk information exists within the business. Large shareholders, risk owners and 2nd line know exactly what the risks are.

However, despite IIA “best practice”, auditors should start with the 2nd line. But what if the auditors don’t trust the 2nd line methodology? Then audit the second line until you trust the methodology. But don’t kid yourself: unless you have mathematicians on the audit team, you have zero chance of auditing the risk management methodology that the risk team is using. Outsource the audit. What if the risk team is not doing quantitative risk analysis? Well, that’s an easy audit finding right there. Whatever the risk team is doing, it is not risk management; they should upgrade the methodology or be fired. Good risk managers can pretty quickly tell how market risk cVaR compares to operational risk cVaR and whether cyber or climate are as huge as everyone makes them out to be. Legal, HSE, security and IT have a lot of information about significant risks in their areas of responsibility, but more importantly they know exactly where the weak control areas are.

The second step is to talk to risk owners, just like IIA is suggesting. The trouble is that while risk owners know their risks better than anyone, they are also often motivated to hide them and keep them hush-hush. IIA forgets to mention that interviewing risk owners is unlikely to produce any meaningful and honest representation of the actual risk exposure, because risk owners are smart and will not bet against their own bonuses. So audit the performance management process and the methodology for calculating KPIs and bonuses before you seriously rely on risk owner input.

The third step is to talk to the shareholders. It is easier in private companies, where shareholders tell auditors exactly where to look. In public companies shareholders are many. And yet I don’t understand why companies are not using proxy voting at AGMs to ask shareholders about their focus areas for the audit team and the key risks shareholders see. Institutional investors should be involved as well; they often have a solid view on the audit priorities. Didn’t audit want to become truly independent? Well, here is the chance.

Engaging external experts for horizon scanning is also a good source of risk information for the audit team. Wouldn’t it be awesome if the risk and audit teams together organised a horizon scanning or value killers workshop, or interviews with external experts?

The bottom line is that auditors are not competent to perform risk assessments, so they have no choice but to rely on 2nd line risk assessments. Many 2nd line risk assessments are also bad, so auditors need to audit the 2nd line risk methodology and help the business fix it if the 2nd line is still using qualitative horoscopes. When something is broken, auditors recommend fixing it, not recreating a worse replica of it.

What else? What did I forget? 

– – – – – – – – – – – – 

Checklist for auditors: 

  • How does your market cVaR compare to credit cVaR and operational cVaR? 
  • What risks contribute the most to the probability of breaching covenants / liquidity risk? 
  • Are risks within set limits? Have stop losses been activated recently? What is the forecast against key limits? 
  • Which operational risks have the highest risk exposure? 
  • What risks had significant change in historical losses? 
  • What confidence level is used in risk models across the organisation? 
  • What significant risks could dramatically affect EBITDA forecasts over the coming 1, 3 and 5 years? 
  • How concentrated are the investment projects? 
  • What is company / project NPV@risk? 

If you found these questions confusing, it is probably not a good idea to do a risk assessment without risk professionals present. 



4 thoughts on “Creating a risk-based audit plan, is it a myth?”

  1. Alex –
    Would you have any specific recommendations for banking internal audit risk-based audit plan? How much time and effort would be involved to upskill/reskill to have the necessary management competencies to understand how risk exposure is calculated, how uncertainty affects decisions or objectives, how risks are correlated, why cVaR should be used for some risks instead of VaR and what role confidence interval plays in risk assessments and lastly, how there is no such thing as an enterprise wide approach to risk assessment, each risk has own risk model, and aggregating risks is anything but trivial. Thank you in advance for your consideration.

    1. I don’t have an answer for banking, never worked in a bank. Are you sure it makes sense to upskill IA to know risk management? Why? Just use information from the risk team.
