What factors belong in a risk-based annual audit plan?

Question

AcadiFi · Accepted Answer

A risk-based annual audit plan should reflect where the organization is most exposed, where change is happening, and where assurance is most valuable. Good planning considers likelihood and impact, but also factors like regulatory pressure, system changes, fraud exposure, management concerns, prior findings, and whether key controls are mature or still unstable.

Suppose Granite River Payments has 12 auditable entities and a 5-person internal audit team with about 5,400 annual hours available. The company just launched a new vendor portal, acquired a small payments processor, and has recurring overdue remediation in treasury operations. A risk-based plan would likely rank cyber access, third-party risk, treasury controls, and integration governance above lower-change areas like fixed-asset accounting. The plan might allocate 680 hours to cyber access, 540 to third-party oversight, 420 to treasury, and only 180 to low-risk recurring compliance reviews.

```mermaid
flowchart TD
  A[Enterprise changes] --> E[Risk ranking]
  B[Prior findings] --> E
  C[Fraud and regulatory exposure] --> E
  D[Control maturity] --> E
  E --> F[Annual audit plan]
```

CIA questions often reward the answer that uses dynamic business risk, not just last year's schedule. If an area is changing fast, highly regulated, or repeatedly failing controls, it should probably move up the plan. Practice more in our CIA question bank.

What factors belong in a risk-based annual audit plan?

Master Part 3 with our CIA Course

Related Questions

Practice Questions