Internal Audit

Why Risk-Based Internal Auditing Fails in Practice

Kamran Iqbal, CIA, CISA, CFE, CRMA | January 2026 | 6 min read
Risk-based internal auditing is the professional standard. The IIA Standards require it. Almost every audit function claims to practise it. Yet when you examine most annual audit plans closely, they look remarkably similar to the previous year's plan with minor adjustments — the same functions covered, the same processes examined, the same business units visited. Risk-based in name; habit-based in practice.

The Gap Between Theory and Practice

The theory of risk-based auditing is that audit resources should be directed toward the areas of highest risk, determined through rigorous, evidence-based assessment of the organisation's current risk profile. The practice in most audit functions is that the risk assessment process confirms an allocation that was largely already planned — because building an audit plan genuinely from scratch each year is time-consuming, politically complex, and uncertain in a way that incrementally adjusting the previous year's plan is not.

This is not primarily a failure of professional ethics. It is a predictable response to the incentive structure in which most audit functions operate. Auditing areas that have been audited before is safer in a specific sense — the auditee relationships, the data sources, and the likely finding profile are all known quantities. Auditing a genuinely new area carries the risk of being under-prepared, of not knowing what good practice looks like in an unfamiliar context, and of surfacing issues that create uncomfortable governance conversations. True risk-based auditing is professionally demanding in ways that habit-based auditing simply is not.

How Risk Assessments Get Captured by Politics

A second common failure mode is the risk assessment that is technically risk-based but substantively shaped by political dynamics. Audit functions that consult broadly with senior management in their risk assessment process — which is good practice in principle — can end up with a plan that reflects management's preferred areas of audit focus rather than the areas of genuinely highest risk. Senior managers who prefer not to have their functions subjected to audit scrutiny have subtle but effective tools for deprioritising those functions in the risk assessment: emphasising the effectiveness of existing controls, downplaying emerging risk signals, and highlighting the audit burden on already-stretched operational teams.

The CAE who lacks the independence or the audit committee relationship required to push back against this pressure will produce a plan that has been laundered through a risk assessment process but is substantively shaped by management preferences. This is risk-based auditing in form and management-guided auditing in substance.

The Evidence Problem

Risk assessment in most audit functions relies heavily on qualitative inputs — management interviews, prior audit experience, and the CAE's professional judgement — with limited integration of quantitative risk indicators. This is not inherently wrong, but it creates a risk assessment that is only as good as the information management chooses to share and the auditor's ability to detect what is being withheld or underemphasised.

Audit functions that supplement qualitative risk assessment with data analytics — examining incident patterns, exception rates, complaint volumes, reconciliation failure frequencies, and other objective risk indicators — produce assessments that are harder for management to shape and more likely to surface emerging risk areas that qualitative discussion alone would miss.

The most dangerous audit plan is not the one that audits low-risk areas. It is the one that systematically avoids specific high-risk areas through a risk assessment process that has been captured by the very management it is designed to oversee independently. That outcome is structurally possible whenever the audit committee is not actively engaged in validating prioritisation decisions.

Making Risk-Based Auditing Work

Genuine risk-based auditing requires four commitments that many audit functions have not made explicitly. First, willingness to audit areas that have never been audited before, including areas where coverage will be uncomfortable for specific parts of management. Second, an audit committee relationship strong enough to validate risk assessment decisions independently of management input. Third, a data-informed risk assessment process that incorporates objective risk indicators alongside qualitative professional judgement. Fourth, transparency in the audit plan document about the areas not being covered and the rationale for that decision — making coverage trade-offs visible to governance bodies rather than leaving them implicit and unexamined.
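The following script is an added illustration, not code from the author or the firm, of the third and fourth commitments above together with the data-informed approach described under "The Evidence Problem": it scores a small audit universe once on management's qualitative ratings alone and once with objective indicators blended in, then builds a plan that records a rationale for every deferred area and flags any never-audited area that is being deferred. The area names, indicator values, the 60/40 weighting and the min-max scaling are all constructed assumptions chosen for the example.

```python
"""Added illustration: blending qualitative management ratings with objective
risk indicators when prioritising an audit universe.

Every area name, indicator value and weight below is constructed for this
example; none comes from a real audit plan.
"""
from dataclasses import dataclass
from typing import Dict, List

NEVER_AUDITED = 99  # constructed sentinel meaning "no prior audit on record"


@dataclass
class AuditArea:
    name: str
    management_rating: int     # 1 (low risk) .. 5 (high risk), from interviews
    incidents: int             # incidents recorded in the period
    exception_rate: float      # share of sampled transactions failing a control
    complaints_per_1k: float   # complaints per 1,000 transactions
    recon_failures: int        # reconciliation breaks not cleared on time
    years_since_audit: int     # NEVER_AUDITED if the area has never been covered


# Constructed sample universe. "Vendor onboarding" is the situation the article
# describes: management rates it low risk, the objective indicators do not.
SAMPLE_UNIVERSE = [
    AuditArea("Payroll",           4, 2, 0.010, 0.5, 1, 1),
    AuditArea("Vendor onboarding", 2, 9, 0.080, 3.0, 6, NEVER_AUDITED),
    AuditArea("Treasury",          5, 5, 0.030, 1.0, 3, 1),
    AuditArea("Facilities",        1, 1, 0.005, 0.2, 0, 3),
]

QUANT_WEIGHT = 0.6  # assumption: objective indicators outweigh interview input
QUAL_WEIGHT = 0.4


def _min_max(values: List[float]) -> List[float]:
    """Scale an indicator to 0..1 across the universe. A flat indicator scores
    0 for every area instead of dividing by zero."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def score_universe(areas: List[AuditArea]) -> Dict[str, Dict[str, float]]:
    """Return qualitative, quantitative and combined scores per area."""
    columns = [
        [a.incidents for a in areas],
        [a.exception_rate for a in areas],
        [a.complaints_per_1k for a in areas],
        [a.recon_failures for a in areas],
    ]
    scaled = [_min_max(col) for col in columns]
    scores: Dict[str, Dict[str, float]] = {}
    for i, area in enumerate(areas):
        qual = area.management_rating / 5.0
        quant = sum(col[i] for col in scaled) / len(scaled)
        scores[area.name] = {
            "qualitative": qual,
            "quantitative": quant,
            "combined": QUAL_WEIGHT * qual + QUANT_WEIGHT * quant,
        }
    return scores


def ranking(areas: List[AuditArea], key: str) -> List[str]:
    """Area names ordered from highest to lowest score on the chosen key."""
    scores = score_universe(areas)
    return sorted(scores, key=lambda name: scores[name][key], reverse=True)


def build_plan(areas: List[AuditArea], capacity: int) -> Dict[str, list]:
    """Select the top `capacity` areas by combined score, record a rationale for
    each deferred area, and list the areas that only made the plan because
    objective indicators overrode the qualitative view."""
    scores = score_universe(areas)
    by_name = {a.name: a for a in areas}
    order = ranking(areas, "combined")
    planned = order[:capacity]
    deferred = []
    for name in order[capacity:]:
        note = f"combined score {scores[name]['combined']:.2f} below cut-off"
        if by_name[name].years_since_audit == NEVER_AUDITED:
            note += "; NEVER AUDITED - deferral needs audit committee sign-off"
        deferred.append({"area": name, "rationale": note})
    qualitative_top = ranking(areas, "qualitative")[:capacity]
    added_by_data = [name for name in planned if name not in qualitative_top]
    return {"planned": planned, "deferred": deferred, "added_by_data": added_by_data}


if __name__ == "__main__":
    print("Qualitative-only order:", ranking(SAMPLE_UNIVERSE, "qualitative"))
    print("Combined order:        ", ranking(SAMPLE_UNIVERSE, "combined"))
    print("Plan with capacity 2:  ", build_plan(SAMPLE_UNIVERSE, capacity=2))
```

On the constructed data, the qualitative-only ranking puts Treasury and Payroll at the top and Vendor onboarding third; once the objective indicators are blended in, Vendor onboarding moves to first and is the one area the plan picks up purely because of the data. The deferred list is the transparency the fourth commitment asks for: each excluded area carries its score and, where relevant, a never-audited flag, so the trade-off is visible to the audit committee rather than implicit.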
