
Risk-Based Audit Planning: Connecting the Risk Assessment to the Audit Plan

Most internal audit functions complete a risk assessment and an audit plan every year. Fewer can demonstrate that one actually drove the other. That gap is exactly what the 2025 standards are designed to close.

LH Consulting Group · May 20, 2025

Most internal audit functions complete a risk assessment and an audit plan every year. Fewer can demonstrate, in a way that would hold up under scrutiny, that one actually drove the other.

This is one of the most common structural gaps in internal audit operations — and one of the least visible until an external quality assessment or a pointed audit committee question surfaces it. The risk assessment exists. The audit plan exists. But the documented logic connecting them is thin, informal, or absent entirely.

The 2025 IIA Global Internal Audit Standards are designed to close that gap. Understanding what they require — and what genuine risk-based audit planning looks like in practice — is essential for any CAE working toward conformance.

What the Standards Actually Require

The 2025 standards address audit planning across multiple standards within Domain IV: Managing the Internal Audit Function and Domain V: Performing Internal Audit Services. Taken together, they establish a clear expectation: the annual audit plan must be derived from a documented risk assessment, and the CAE must be able to explain and defend that derivation to the board and senior management.

Standard 9.2 — Establish a Risk-Based Plan — requires the CAE to develop an annual audit plan based on a documented assessment of the organization's risks and the internal audit function's capacity to address them. The plan must reflect the function's priorities, be aligned to the organization's strategic objectives, and be communicated to the board for approval.

This is not simply a requirement to conduct a risk assessment before writing the audit plan. It is a requirement to build a documented, defensible connection between the two — one that shows how risk ratings drove prioritization, how coverage decisions were made, and how resource constraints were factored into the final plan.

Why the Connection Is Often Missing

The disconnect between risk assessment and audit plan is rarely the result of negligence. It is usually the result of how these processes evolved within the function.

In many organizations, the risk assessment began as an informal exercise — a conversation with management, a review of prior audit results, a scan of industry risk reports. Over time it became more structured, but the structure was layered onto existing practice rather than built from the ground up. The audit plan, similarly, often reflects a combination of prior year coverage, stakeholder requests, and the CAE's judgment about where the function's time is best spent.

The result is two documents that are both reasonable on their own terms but are not formally connected. The risk assessment identifies the top risks. The audit plan covers a set of areas. The overlap is real, but the logic is implicit rather than documented.

Under the 2025 standards, implicit is not sufficient. The board is expected to approve the audit plan with an understanding of how it was built. That understanding requires a documented connection.

What a Documented Connection Looks Like

Building a documented connection between the risk assessment and the audit plan does not require a complex system. It requires a deliberate process and the discipline to document it consistently.

The risk assessment should produce a prioritized inventory of audit areas — not just a list of risks, but a structured view of which organizational processes, systems, and functions carry the highest inherent risk and have the most significant control gaps. Each audit area should have a documented risk rating that reflects the factors the function used to assess it: inherent risk, control environment, prior audit results, regulatory exposure, and strategic significance.

The audit plan should then map directly to that prioritized inventory. Each engagement in the plan should be traceable to one or more audit areas in the risk assessment, with a documented rationale for why it was included, when it was scheduled, and how it was resourced. Areas that were assessed but not included in the plan should also be documented — with an explanation of why coverage was deferred and how the function plans to address them in future cycles.

This traceability is what makes the plan defensible. When the audit committee asks why a particular area was not audited, the CAE should be able to point to the risk assessment, explain the prioritization logic, and describe the coverage plan for future periods. That is not possible without documentation.

The Role of Resource Capacity in Planning

One of the most important — and most commonly overlooked — elements of risk-based audit planning is the explicit acknowledgment of resource constraints.

No internal audit function has the capacity to audit everything on its risk assessment in a single year. The plan is always a prioritized subset of the full risk universe. The 2025 standards recognize this reality and require the CAE to document the capacity analysis that informs the plan: how many audit hours are available, how they are allocated across engagements, and what the function is not covering as a result.

This capacity analysis serves two purposes. First, it forces the CAE to make explicit trade-offs rather than implicit ones — which areas are being covered, which are being deferred, and why. Second, it provides the basis for a resource conversation with the board and senior management. If the risk assessment identifies ten high-priority areas and the function has capacity to cover six, the CAE needs to communicate that gap — and the board needs to decide whether to accept it or address it through additional resourcing.

Functions that skip this step are not just missing a documentation requirement. They are missing an opportunity to have a substantive conversation about the function's mandate and the resources required to fulfill it.

Key Takeaway

The Annual Planning Cycle: What the CAE Needs to Have in Place

Risk-based audit planning is not a single document — it is a cycle. Before the audit plan is presented to the board for approval, the CAE should be able to confirm each of the following is documented and current.

Checklist

CAE Readiness: Annual Risk-Based Planning Checklist

  • A documented risk universe covering all in-scope organizational processes, systems, and functions
  • Risk ratings for each audit area based on defined, consistently applied criteria (inherent risk, control environment, strategic significance, regulatory exposure)
  • A record of the information sources used in the risk assessment (management interviews, prior audit results, regulatory reports, industry benchmarks)
  • A prioritized ranking of audit areas that reflects the risk ratings and any qualitative factors the CAE applied
  • A capacity analysis showing available audit hours, planned engagements, and the allocation of resources across the plan period
  • A documented rationale for each engagement included in the plan, traceable to the risk assessment
  • A documented list of high-priority areas not included in the current plan, with a deferred coverage rationale
  • A communication package for the board that explains how the plan was built, what it covers, and what it does not
  • A process for updating the risk assessment and plan mid-year if significant organizational changes occur

What Conformance Looks Like Under the 2025 Standards

Conformance with the 2025 standards' planning requirements is not achieved by having a risk assessment and an audit plan. It is achieved by having a documented, defensible process that connects them — and by being able to demonstrate that process to the board, to an external quality assessor, or to a regulator.

For functions that are building this connection for the first time, the work is not as daunting as it may appear. The risk assessment and audit plan that already exist are the starting point. The task is to make the connection between them explicit: to document the prioritization logic, to trace each engagement to the risk assessment, and to build the capacity analysis that explains what the plan covers and what it does not.

For functions that are preparing for an external quality assessment, this is one of the areas that assessors examine most closely. The question is not whether the function conducted a risk assessment. The question is whether the CAE can demonstrate, with documentation, that the audit plan was built on that foundation.

LH Consulting Group works with internal audit functions to build the risk assessment frameworks, planning processes, and documentation structures that support genuine risk-based audit planning — and that hold up under the scrutiny of an external quality assessment. If your function is working through what a documented connection between risk assessment and audit plan looks like in practice, that is exactly the kind of work we do.
