How should a CAE plan for emerging risk coverage?
If the board is asking about newer risks, how does the chief audit executive decide what belongs in the plan and what should wait?
The CAE should start with the organization's strategy, objectives, risk assessment, and board expectations. Emerging risks belong in the plan when they are relevant to the organization and significant enough to justify assurance or advisory work.
A practical sequence is:
- identify where the strategy depends on new technology, vendors, data, regulation, or external change,
- assess likelihood, impact, velocity, and management preparedness,
- compare the topic with other audit-universe risks,
- determine whether assurance, advisory, monitoring, or deferral is appropriate,
- assess whether internal audit has the competence and resources to cover it, and
- communicate coverage gaps or resource needs to the board.
The CAE should also consider applicable professional guidance. For example, when an engagement covers a topic with current IIA topical requirements, the audit team should determine applicability and retain documentation supporting its conclusion.
The exam trap is adding every new risk to the plan without prioritization. Risk-based planning means the CAE can explain both what is covered and why.