Schedule internal audits based on risk

The internal audit manager is subjected to a variety of pressures when deciding which internal audits to schedule. This can include requests from the various department managers, the board of directors, and even the outside auditors. The result can be a a mish-mash of unrelated audit projects.

Scheduling these requests can result in poor usage of auditor time, since some projects may be assigned a high priority by their sponsors, even though there is unlikely to be any improvement of company operations as a result. One way to schedule audits more effectively is to give top priority to those areas that present the highest risk to the company.

Risk scheduling calls for a ranking system that is consistently employed, where the top audit projects are those where the target area could potentially place the business in grave financial danger. Other project requests with lower perceived risks are scheduled after these key projects. This approach results in an audit schedule that can be easily defended. If a senior manager wants to alter this schedule, he or she can be informed that doing so may place the company in jeopardy, which may gain their cooperation.

An audit schedule that is based on risk should be approved in writing by the audit committee. Doing so shifts responsibility for any schedule adjustments from the audit manager to the committee, which should be sufficiently senior to ward off any attempts to make alterations.