Internal Audit · Methodology

Why Your Internal Audit Team Needs Its Own Risk Matrix

Priya Nair · 11 min read · 10 January 2026

Most internal audit teams rely on the enterprise risk register to prioritise their annual plan. The problem: that register was built for management, not auditors. An audit-specific risk matrix — one that scores auditability, control maturity, and audit cycle time alongside risk severity — gives your CAE a defensible, methodology-driven audit plan.

The problem with using the ERM register as your audit plan

Using the enterprise risk register as a direct input to your audit plan sounds logical, but creates three structural problems:

1. The ERM register is management's view of risk, not audit's

Management's risk assessment reflects their subjective view of inherent risk and control effectiveness — exactly what internal audit should be independently verifying. Starting your audit plan from management's risk scores creates circular reasoning.

2. Not all high risks are auditable

Some risks — macro-economic downturns, regulatory changes, competitive dynamics — are significant but not auditable in the traditional sense. Your audit plan needs to distinguish between risks you can assure and risks you can only advise on.

3. Audit cycle time is not captured in ERM

A high-risk area audited 12 months ago with a clean opinion is less pressing than a medium-risk area that has not been audited in four years. Time since last audit is a critical input to your plan — and it is never in the ERM register.

What an audit risk matrix should score

An audit-specific risk matrix replaces or supplements likelihood and impact with factors that are meaningful for planning purposes:

Factor                    | What it captures                             | Weight
--------------------------|----------------------------------------------|-------
Inherent risk level       | Severity of the risk if controls fail        | High
Control maturity          | How robust and tested the controls are       | High
Audit frequency           | Time elapsed since last audit of this area   | Medium
Auditability              | Whether IA can provide meaningful assurance  | Medium
Stakeholder significance  | Board / committee interest or concern        | Low
Change velocity           | How quickly this area is changing            | Low

Building your audit universe

Before you can build a risk-based audit plan, you need a comprehensive audit universe — a complete list of all auditable entities (processes, systems, business units, or locations) that your function could potentially review.

Building a robust audit universe typically involves:

  • Mapping organisational structure to identify all business units and key processes
  • Reviewing the ERM risk register to understand where risk is concentrated
  • Mapping key systems, applications, and third-party relationships
  • Reviewing prior audit history to understand coverage gaps
  • Consulting with senior management and the audit committee on emerging concerns

From risk matrix to audit plan: the prioritisation logic

Once each auditable entity is scored across your risk factors, your audit plan is driven by the results:

  • High overall score: Priority audit — schedule within 6 months
  • Medium-high score: Annual audit — schedule within 12 months
  • Medium score: Biennial audit — schedule within 24 months
  • Low score: Advisory or monitoring — no formal audit scheduled
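The scoring table and the four scheduling tiers above, worked through as an added example (not code from this post or from RiskMatrix Pro). The 1-5 rating scale, the numeric weights High=3 / Medium=2 / Low=1, the one-point-per-year frequency bands and the tier cut-offs are assumptions, since the post gives only qualitative weights and tiers; the sample universe is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed numeric mapping of the post's High / Medium / Low weights.
WEIGHTS = {"inherent_risk": 3, "control_maturity": 3, "audit_frequency": 2,
           "auditability": 2, "stakeholder_significance": 1, "change_velocity": 1}
MAX_RAW = 5 * sum(WEIGHTS.values())  # every factor rated 5 on a 1-5 scale
# Tier labels follow the post; the cut-offs on the 0-100 score are assumed.
TIERS = [(75, "Priority audit: schedule within 6 months"),
         (55, "Annual audit: schedule within 12 months"),
         (35, "Biennial audit: schedule within 24 months"),
         (0, "Advisory or monitoring: no formal audit scheduled")]

@dataclass
class Entity:
    name: str
    inherent_risk: int                 # 1-5: severity if controls fail
    control_maturity: int              # 1-5: 5 = robust, tested controls
    months_since_audit: Optional[int]  # None = never audited
    auditable: bool                    # can IA give meaningful assurance?
    stakeholder_significance: int      # 1-5: board / committee interest
    change_velocity: int               # 1-5: how fast the area is changing

def frequency_rating(months: Optional[int]) -> int:
    """Audit-frequency factor: one point per year since the last audit (assumed bands)."""
    return 5 if months is None else min(5, 1 + months // 12)

def score(e: Entity):
    """Return (0-100 score, tier); an entity IA cannot assure is advisory whatever it scores."""
    ratings = {"inherent_risk": e.inherent_risk,
               "control_maturity": 6 - e.control_maturity,  # inverted: weak controls score high
               "audit_frequency": frequency_rating(e.months_since_audit),
               "auditability": 5 if e.auditable else 1,
               "stakeholder_significance": e.stakeholder_significance,
               "change_velocity": e.change_velocity}
    pct = round(100 * sum(WEIGHTS[k] * v for k, v in ratings.items()) / MAX_RAW)
    tier = TIERS[-1][1] if not e.auditable else next(t for cut, t in TIERS if pct >= cut)
    return pct, tier

def plan(entities):
    """Rank the audit universe by tier, then by score: [(name, score, tier), ...]."""
    order = [t for _, t in TIERS]
    rows = [(e.name,) + score(e) for e in entities]
    return sorted(rows, key=lambda r: (order.index(r[2]), -r[1]))

# Constructed sample universe echoing the post's scenarios (not real data).
SAMPLE = [Entity("Procurement", 4, 2, 48, True, 3, 2),     # medium risk, unaudited for 4 years
          Entity("IT security", 5, 5, 10, True, 5, 4),     # high risk, clean audit last year
          Entity("Macro-economic downturn", 5, 1, None, False, 5, 3)]  # significant, not auditable
```

With these assumptions the four-years-unaudited procurement area outranks the recently cleared IT security area, and the macro-economic risk scores highest of all yet lands in the advisory tier because IA cannot assure it.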

Making the case to your CAE

An audit-specific risk matrix makes your annual plan defensible in a way that “we followed the ERM register” does not. When your audit committee asks why you audited procurement but not IT security this year, you can point to a documented, scored, independently applied methodology — not just management's own risk ratings.

It also makes capacity planning easier. Once each entity is scored, you can model different coverage scenarios — “if we add one more auditor, we can add three high-priority areas to the plan” — with data to back the conversation.

Build your audit universe in RiskMatrix Pro

Use the Internal Audit template to score your audit universe entities and generate a risk-based plan your audit committee will trust.
