A combined AHP-GP model to allocate internal auditing time to projects

The optimal allocation of internal auditing time among competing projects is a multi-criteria problem that includes both qualitative and quantitative factors. This paper discusses an integrated approach where the analytic hierarchy process (AHP) is used to deal with qualitative risk assessments and a goal programming (GP) model to distribute available hours in such a way that risk is minimised. Additional considerations, such as maximum and minimum allowable project hours, risk reducing factors and risk levels, are also taken into account. Following a description of the models and framework, a brief case study is presented in which the framework was empirically evaluated.


Introduction
Internal Audit (IA) departments are faced with the challenge of ensuring that business units within their organisation follow established policies and procedures and that these policies and procedures are then adjusted to adhere to corporate requirements and promote efficient operations. The aim of internal auditors is therefore to evaluate risk (noncompliance with policies and procedures) and then to attempt to adjust existing risk levels (perform audits and make recommendations). As a business function, an internal audit department is subject to resource limitations and, in order to provide maximum efficiency and benefit to their organisations, the productive hours available must be allocated optimally to audit projects. To this end, an integrated approach based on risk, and consisting of two main activities, was developed. Firstly, the Analytic Hierarchy Process (AHP) was used to deal with qualitative risk assessments and secondly, a goal programming model was developed for establishing an optimal allocation of internal auditing time, based on the AHP risk evaluations and other quantitative considerations.
The main utilisation area of the framework would be in the preparation of an annual or longer term audit plan where the limited available audit hours are allocated to audit projects on the basis of risk related to the projects. Internal audit departments must compile audit plans according to their perceptions of the risk facing the different audit areas. To form new perceptions or confirm existing perceptions, risk assessments should be performed.
There are many references on the importance of systematic quantitative and/or qualitative risk assessments. Strong arguments for performing quantitative and qualitative risk assessments may be found in Jacobson (2002) and Ozier (2003), for example. In addition, there are also a number of organisations that have published risk management guidance. Some of these organisations include the International Standards Organization (ISO, 2002), the Information Security Forum (ISF, 2003), the Institute of Internal Auditors (IIA, 2003) and the Information Security Audit and Control Association (ISACA, 2003).
The AHP has been used widely in a number of applications involving multi-criteria decisions. For references to some of the earlier application areas, see Vargas and Dougherty (1982). Examples of more recent applications of the AHP are described in Al-Subhi and Al-Harbi (2001), Ramanathan and Ganesh (1995), Tam and Rao Tummala (2001) and Yang and Huang (2000).
In the area of internal audit, the work by Patton et al. (1983) stands out as an important contribution where the AHP was used in conjunction with a non-linear model to evaluate risk. A linear programming model to assign resources to different audit project classifications may be found in Gotlob et al. (1997). The AHP and linear programming models have also been used together earlier, e.g. by Korpela et al. (2002) for production capacity and supply chain design, and by Ghodsypour and O'Brien (1998) for supplier selection, while Badri (2001) and Yurdakul (2004) describe applications where AHP and goal programming models were used in combination. Bodin and Gass (2003) list the combination of AHP and linear programming models for resource allocations as one of the key elements to be included in a course on the AHP.
The goal programming part of the framework in this paper introduces some discrete variables resulting in a mixed integer linear program. The AHP and linear programming models are both well known quantitative analysis techniques within the operations research discipline and are described in most management science text books, e.g. Moore and Weatherford (2001) and Taylor (2002).
The remainder of this paper is organised as follows. The proposed integrated framework is described in §2; this description covers the AHP and linear programming models used. A case study and numerical results are presented in §3, while the paper is concluded in §4 with some general comments.

Integrated framework for risk based allocation of resources
The framework proposed here consists of two main activities to be completed. The first part is an application of the AHP to determine risk levels for each audit project, while the second activity applies these results and other management information in a goal programming model to allocate resources (hours) such that risk is minimised. A schematic representation of the framework is shown in Figure 1.
The main steps of the two-part framework are:
• Define those risk factors that will impact on pre-defined audit projects' risk levels;
• Calculate importance weights for the risk factors;
• Rate the different audit projects;
• Compute the overall risk score for each audit project; and
• Build and solve the goal programming model.
The first four steps of the algorithm form part of the AHP which is briefly discussed below in subsection 2.1, while subsection 2.2 details the development of the goal programming model which is the fifth step of the algorithm.

Analytic Hierarchy Process
The AHP, developed by Thomas L Saaty in 1980, is a systematic procedure for representing the elements of a problem in the form of a hierarchy. At the top level of the hierarchy, criteria are evaluated and at the next levels the alternatives are evaluated by each criterion. In the evaluations, pairwise comparisons are used to provide a subjective evaluation of the set of alternatives (audit projects in this article) based on multiple criteria. The comparisons are made using a preference scale, which assigns numerical values to different levels of preference. The scale, taken from Patton et al. (1983), that was chosen for this study is presented in Table 1. A consistency index may then be computed to measure the degree of inconsistency in the pairwise comparisons. A square matrix may be derived from the pairwise comparisons and the eigenvector associated with the largest eigenvalue may be computed. When this vector is normalised to sum to one, the solution is unique and represents a numerical measure of the decision maker's perceptions of the relative importance of criteria and alternatives. Mathematical details of this process may be found in Patton et al. (1983) and Vargas and Dougherty (1982), for example.
Figure 2 is an illustration of a hierarchy developed for different audit projects, influenced by certain risk factors and with a goal of minimising risk. The term 'risk' is defined and used in different contexts. In this study, risk is seen as a measure of uncertainty and is linked to the possible loss in an audit area - uncertainty in achievement of business objectives. The possible loss in an audit area will depend on specific characteristics and these characteristics are termed audit risk factors. Examples of well known and frequently used risk factors include complexity of operations, financial implications, recent changes, time since last audit, etc. It is up to individual organisations to identify those risk factors that will impact on their different audit areas. This identification process is usually the responsibility of the internal audit department and may be done in conjunction with external auditors (to provide a broader perspective on risks in the industry) and senior management (to obtain management's view and approval). Available literature on the subject also provides lists of risk factors that may be used as a starting point and then tailored to fit specific circumstances. Patton et al. (1983) have, for example, conducted an extensive survey and compiled a list of 19 potentially important audit risk factors. They also recommended that the maximum number of factors to be included in an AHP model vary from five to nine to ensure that meaningful judgements can be obtained. Another example of a list of common risks, as used by the Virginia Tech Information Resources and Technology Security Office, may be found on the internet (Virginia Tech, 2001).
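The four AHP steps described above (pairwise matrix, normalised principal eigenvector, consistency check, overall project risk), as an added Python example that is not the authors' MATLAB code. All judgements and project scales are constructed; the 1-to-9 reciprocal scale, Saaty's random-index table and the 0.10 cut-off are assumptions, since Table 1 and the case-study matrices are not reproduced on this page.

```python
# Added example (not from the paper): AHP priority vector, consistency ratio
# and overall project risk in pure Python. All sample judgements are constructed.

# Saaty's random consistency index, indexed by matrix order n.
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def reciprocal_matrix(n, upper):
    """Expand upper-triangle judgements {(i, j): a_ij}, i < j, to a full matrix."""
    expected = {(i, j) for i in range(n) for j in range(i + 1, n)}
    if set(upper) != expected:
        raise ValueError("need exactly one judgement for every pair i < j")
    m = [[1.0] * n for _ in range(n)]
    for (i, j), value in upper.items():
        if value <= 0:
            raise ValueError("judgements must be positive")
        m[i][j] = float(value)
        m[j][i] = 1.0 / value      # reciprocal property: a_ji = 1 / a_ij
    return m


def principal_eigen(m, tol=1e-12, max_iter=10_000):
    """Power iteration: return (weights summing to 1, largest eigenvalue)."""
    n = len(m)
    w = [1.0 / n] * n
    for _ in range(max_iter):
        aw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)              # w sums to 1, so sum(A w) estimates lambda_max
        nxt = [x / lam for x in aw]
        if max(abs(a - b) for a, b in zip(nxt, w)) < tol:
            return nxt, lam
        w = nxt
    raise RuntimeError("power iteration did not converge")


def consistency_ratio(m):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); 0 for n < 3."""
    n = len(m)
    if n < 3:
        return 0.0
    _, lam = principal_eigen(m)
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def overall_risk(factor_weights, project_scales):
    """Weighted sum over factors; project_scales[f][p] is project p under factor f."""
    n_projects = len(project_scales[0])
    return [sum(w * scale[p] for w, scale in zip(factor_weights, project_scales))
            for p in range(n_projects)]


FACTORS = ["complexity", "frequency", "financial", "changes", "external"]
# Constructed judgements on an assumed 1-to-9 reciprocal scale.
JUDGEMENTS = {
    (0, 1): 5, (0, 2): 4, (0, 3): 9, (0, 4): 6,
    (1, 2): 1 / 2, (1, 3): 3, (1, 4): 1,
    (2, 3): 4, (2, 4): 2,
    (3, 4): 1 / 3,
}
# Constructed per-factor scales for three hypothetical projects (rows sum to 1).
PROJECT_SCALES = [
    [0.60, 0.30, 0.10],   # complexity
    [0.20, 0.50, 0.30],   # frequency
    [0.50, 0.25, 0.25],   # financial
    [0.40, 0.40, 0.20],   # changes
    [0.10, 0.20, 0.70],   # external
]


def assess():
    """Run steps 2 to 4 on the constructed data: weights, CR, overall risk."""
    matrix = reciprocal_matrix(len(FACTORS), JUDGEMENTS)
    weights, _ = principal_eigen(matrix)
    return weights, consistency_ratio(matrix), overall_risk(weights, PROJECT_SCALES)


if __name__ == "__main__":
    weights, cr, risk = assess()
    for name, w in zip(FACTORS, weights):
        print(f"{name:<11}{w:.4f}")
    # 0.10 is Saaty's customary cut-off, assumed here.
    verdict = "accept" if cr <= 0.10 else "revisit judgements"
    print(f"consistency ratio {cr:.3f} ({verdict})")
    print("overall risk", [round(r, 4) for r in risk])
```

A fully intransitive set of judgements (A over B, B over C, C over A) still yields a weight vector, so the consistency ratio is the only signal that the resulting scale should not be trusted.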

Build the goal programming model
Mathematical programming is a management science technique whereby a decision maker (manager) attempts to solve a problem by seeking to optimize an objective that is subject to restrictions. In a specific class of applications, linear programming models are used as a mathematical means to allocate scarce resources to different tasks in such a way that an objective function is maximised or minimised, e.g. the allocation of available hours to different audit projects to minimise risk levels. These applications may be formulated in more than one way. A popular way, when combined with the AHP, is to use the quantitative weights, or risks, determined by the AHP as the objective function coefficients in a 0-1-knapsack problem (Bodin and Gass, 2003). Here a subset of audit projects may be selected so that the risk is less than or equal to predetermined levels. This, however, does not solve the actual allocation of hours to projects and to address this problem a mixed integer linear programming model, based on goal programming principles, was developed.
Goal programming is an extension of mathematical programming models that enables a decision maker to specify desirable goals for each objective, in other words, to come as close as possible to satisfying various goals and constraints. To achieve this, problems are generally formulated using nonnegative deviation variables $\varepsilon_1$ and $\varepsilon_2$. The variable $\varepsilon_1$ represents underachievement and is usually added to the goal constraints; $\varepsilon_2$ similarly represents overachievement and is subtracted from the goal constraints. To form the objective function, the sum of the absolute values of the deviation variables is minimised. This can be stated as: Minimise $\sum_{i=1}^{n} \alpha_i(\varepsilon_{1i} + \varepsilon_{2i})$ to reach the goal $b_i$ with constraints $g_i(x_1, \ldots, x_n)$, where $\alpha_i$ indicates the different weights or preferences. This way of formulating a problem is particularly suitable to the problem under discussion in this article where there are a number of audit projects, each with a specific risk level determined from the AHP model. The algorithm then seeks to minimise the risk levels of the audit projects to acceptable (or as close as possible to acceptable) levels by allocating hours to them.
In order to formulate the goal programming model in a meaningful way, additional information is required. In Figure 1 this additional information was referred to as management information and management requirements. The first requirement is a risk reducing factor - this is the 'incentive' for allocating hours to a specific project (if hours are allocated and an audit is performed, then it is assumed that the risk will be reduced). In this research project a value for each project's risk reducing factor was determined as follows: The AHP provided a current risk level (say $r_i$) for project $i$. This implies that if zero hours are allocated then the risk is $r_i$. On a simple graph with hours on the horizontal axis and risk on the vertical axis, this would give a coordinate $(0, r_i)$. It is now assumed that management and/or internal auditors, based on experience and previous audits, are able to give fairly accurate estimates of how much the risk level of an audit project will be reduced after an audit. For example, experience might tell them that a complete audit of project $i$ will reduce the risk level by 80% (complete audits rarely reduce risks totally). In certain cases quantifications would be possible (e.g. before an audit there have been 100 breaches on average of a certain rule, after the audit there were only 20 breaches over the same period of time). This may be seen as a reduction of 80%. With this percentage estimate a second coordinate may be computed with the horizontal coordinate the maximum number of hours usually allocated to perform a complete audit. The vertical coordinate would be $r_i(100 - \text{estimated percentage})/100$. From the two coordinates, the slope of the straight line connecting them may be computed and will provide a value for the risk-reducing factor. This approach assumes that there is a linear relationship between hours allocated and risk, which might not be true in all cases. In some cases a more convex graph (as opposed to a linear function) might be a better representation of the relationship.
Figure 3 shows an example of how the risk-reducing factor is derived for project $i$ with a risk level of 0.35 on a scale from 0 to 1. If management has estimated that a complete audit taking 250 hours would reduce the risk by 80%, the risk-reducing factor may be calculated as −0.00112.
Additional information required from management is an indication of what level of risk they are willing to accept or tolerate. Suppose the risk of project $i$, as determined by the AHP, is 0.35 (on a scale from 0 to 1) and management would be satisfied in general with a reduction of 60% of the risk (willing to tolerate in general 40% of current risk) for this project. This would mean that the goal in terms of the risk level to be achieved for project $i$ is 40% of the given risk level, which is 0.14.
Other management information that is required is the total number of hours available that may be allocated to the different projects. Furthermore, a minimum and maximum number of hours for each project should be specified. This is to prevent the allocation of too few hours to a project for meaningful audit work to be performed (e.g. the allocation of 1 or 2 hours is not enough to do a proper audit). It is also not desirable to allocate too many hours to a project, e.g. to allocate 200 hours if it is known that only 75 hours are needed to cover the audit area satisfactorily. Other optional management requests may include the selection of a pre-specified number of projects, dependent choices, such as select project $i$ for allocation only if project $j$ was selected, etc. It should be noted that these requirements might force the decision maker to either choose (or assign a feasible number of hours to a project), or to exclude it from the process.

Objective function
As a goal programming approach is being followed where the objective is to minimise the risk levels of audit projects to acceptable (or as close as possible to acceptable) levels, the objective function that was chosen is the minimisation of the sum of deviation variables. Weights may be assigned to the deviation variables to show preference to certain projects. Management could supply the weights or alternatively, as a heuristic choice, the risk levels determined by the AHP could be used as weights. It should be noted that the problem in this specific study is of such a nature that the deviation variable used to indicate overachievement may be discarded in the objective function. This follows from the fact that the initial risk of each project under consideration is always greater than the goal risk, otherwise the project would not have formed part of the input to the model as its current risk would already have been less than or equal to the desired goal risk. It is therefore only the deviation variable representing underachievement that will play a role when attempting to bring existing project risk closer to its goal risk. The objective is therefore to minimise $\sum_{i=1}^{n} \alpha_i \varepsilon_{2i}$ ($n$ projects), where $\varepsilon_{2i}$ denotes underachievement for the risk of project $i$.

Constraints
The most important constraints are the goal constraints which aim to approach specific goal levels as close as possible. They are formulated as where $R_i$ denotes the risk level of project $i$ as determined from the AHP, $a_i$ denotes the risk-reducing factor for project $i$ (negative value), $T_i$ denotes the number of hours to be allocated to project $i$, $\varepsilon_{1i}$ denotes the deviation variable representing overachievement, $\varepsilon_{2i}$ denotes the deviation variable representing underachievement, and where $g_i$ denotes the risk level management is prepared to tolerate (goal) for project $i$.
With each project a constraint will be associated to provide for selection of projects and to keep the number of hours allocated within the given minimum and maximum bounds. These constraints are formulated as where $T_i^{\mathrm{Min}}$ denotes the minimum hours to be allocated to project $i$ (if selected), $T_i^{\mathrm{Max}}$ denotes the maximum hours to be allocated to project $i$ (if selected), and where $y_i$ is a binary decision variable used to decide whether to select project $i$.
A constraint is also required to ensure that all available hours are allocated and is formulated as where $TH$ denotes the total number of hours available for allocation. Should management decide to constrain the number of projects to $k$ where $k \le n$, then the constraint should be added to the model. Finally, the non-negativity constraints $\varepsilon_{1i}, \varepsilon_{2i} \ge 0$ for all $i$ are required.

Application of the framework
In this section an application of the model framework introduced in the previous section is presented as a case study.

Application background
The proposed model was tested in an IA department of a South African based international gold mining company. Mining operations are established in all the gold producing provinces of South Africa as well as in North Africa, North and South America and Australia. Clearly, a risk assessment exercise in any organisation of this nature and size would be a long and fairly complicated task spanning a large number of possible audit areas and projects. Due to the size of the company, as well as the fact that the approach is a proposed framework, the goal was to test the model against a small subset of possible audit projects as opposed to doing a complete internal auditing resource allocation for the whole organisation. The idea was to use the model's results (applied to a small subset of audit areas) and compare it with what actually was expected, planned and implemented by IA management. The model was applied in a number of exercises varying in size. For simplicity a very small exercise using only 5 different audit projects is described.
The 5 projects chosen were selected from a list of planned projects in the Commercial Services area and are listed, together with their associated management information and requirements, in Table 2. The choice of audit projects was based on an IA management request as well as the fact that the right level of staff was readily available to provide the necessary evaluations and information. A comparison between model results and actual actions would also be more reliable as the projects were already included in the annual audit plan and resources have been allocated to them.

Table 2: Audit projects' quantitative information.

Risk assessment using AHP
The first main activity to be completed consists of an evaluation of current risk using the AHP. The evaluation process is described according to the first four steps mentioned in §2.

Define risk factors
IA management decided to use 5 main risk factors. The factors were chosen based on the fact that they are frequently used by the IA department in risk assessments and have proved to be important and influential characteristics. IA staff were familiar with these risk factors and were confident that they would be able to provide reliable pairwise comparisons for them. The risk factors selected were complexity of operations, frequency of occurrence (e.g. a transaction is seen as an occurrence), financial implications, changes (recent or planned) in the area, and external (legislation, image, morale, etc.) influences.

Calculate importance weights for the risk factors
In the second step IA management was asked to provide their professional judgement and express an opinion on the relative importance of each of the five selected risk factors by comparing each pair of factors using the scale in Table 1. Pairwise comparisons were recorded as a consensus rating from two IA managers. The consensus ratings were obtained by following an iterative process based on the Delphi method (see, for example, Render and Stair (2000)). Ratings were given by each manager and then, if necessary, the ratings were discussed, debated and adjusted until consensus was reached. MATLAB (see Mathworks (2003)) was then used to extract, from the pairwise comparison matrix, the importance scale by calculating the normalised eigenvector associated with the largest real eigenvalue. A consistency ratio of 0.09 was calculated and accepted as satisfactory. Figure 4 shows the resulting importance scale.

Rate the different audit projects
Using the scale in Table 1, the same approach as in the previous step was followed to construct a risk matrix for each of the five audit projects with respect to each of the risk factors. As an example, Table 3 shows the matrix containing the pairwise comparisons and extracted scale for the 'External' factor, while Table 4 contains the scales for all five risk factors. Judgement consistency was tested for all matrices and the average consistency was found to be acceptable at 0.08.

Compute overall risk score of each project
By combining the importance weights (in Figure 4) and audit projects' risk (in Table 4), the overall risk score for each audit project was determined. The resulting overall risk measure is shown in Figure 5.

Resource allocation using the goal programming model
The final activity in the proposed two-part framework is the building and solving of a goal programming model. Using the preceding risk evaluation results in Figure 5, and the audit project information presented in Table 2, the risk reducing factor and goal risk for each project may be calculated (see Table 5) and then finally the optimal number of hours to be allocated to audit projects was determined.
$\varepsilon_{1i}, \varepsilon_{2i} \ge 0$ (12), and $TH$ in constraint (6) is the total number of hours available for allocation. The model was solved for different values of $TH$, as shown in Table 6. The results are further discussed in the next section.
The weights used in the objective function were derived from the tolerance level, e.g. if the level of risk that management is willing to tolerate is 20%, then it was assumed that the importance factor is 80%. The importance factors were then normalised to sum to one. Obviously, equal weights or any other weighting system with which IA management is comfortable could have been used instead.
The Solver function from Microsoft Excel (see Microsoft (2003)) was used to solve the goal programming problem and Table 6 shows the number of hours allocated to audit projects for different $TH$ values. The first column under each project shows the result when weights were used as formulated above, while the second column shows the hours allocated when the weights in the objective function were taken to be equal, so as to investigate the case where the reduction of risk in all audit projects is viewed as being of equal importance. Changes in the allocations for the two cases are typeset in boldface.

Discussion of results
The proposed framework consists of two main activities and the results are therefore also discussed separately in two different subsections: risk assessment results from the AHP (§3.4.1) and hour allocations from the goal programming model (§3.4.2).

Risk assessment results
The relative importance of risk factors is shown in Figure 4. It may be seen that IA management viewed the risk factor Complexity of Operations (0.5739) as being significantly more important than the other factors. The factor Changes (0.0420) is seen as being the least important. The audit project risk matrix (Table 4) shows the 'weights' of each factor linked to each project. Considering the audit projects, it is easy to see that the project Strategic Spares is rather risky in three of the five factors (Complexity, Financial and Changes), while the project Staffing is risky in one factor (External). The risk influence of each individual risk factor on each audit project may also be read directly from Table 4. For example, the factor Complexity has the largest influence (riskiness) on the audit project Strategic Spares (0.5510) and the least influence (0.0296) on the project Staffing, while the risk factor External has the largest risk influence on the project Staffing (0.4118) and the least influence on Service Exchange (0.0387). The final AHP results are presented in Figure 5. These results indicate that 44% of the total risk was attributed to the audit project Strategic Spares, as compared to less than 7% for the project Staffing.

Goal programming results
The model was solved for two cases. Firstly, weights were used to show preference to certain projects and secondly, weights were taken to be equal to indicate that the reduction of risk is of equal importance for all projects. It should be kept in mind that in both cases the general objective remains the same, namely to minimise risk levels to a level as close as possible to a predefined goal level.
Consider the first case where weights were used in the objective function and suppose that a total of 425 hours is available for allocation (refer to Table 6). Taking the minimum and maximum allowable hours, risk levels, weights and risk reducing factors of each project into account, the model indicated that the optimal allocation that would reduce project risk levels to as close as possible to the respective goal risks would be to allocate the maximum allowable hours to Strategic Spares (160) and Service Exchange (140). The remaining 125 hours were allocated to Staffing, while Strategic Supplies and Stock Process did not receive any hours. In the second case, where equal weights were used, the model again allocated the maximum allowable hours to Strategic Spares and Service Exchange. However, the remaining 125 hours were split differently. The best allocation of the 125 hours, to reduce risk optimally and to come as close as possible to the goal risks, is given by the model as 40 hours allocated to Stock Process (the minimum allowed) and 85 hours to Strategic Spares.
It is clear from the results that some model or tool is required as no decision maker can easily do all the above calculations and at the same time take all the different constraints and issues into account.
One of the strengths of the models is their ability to generate "what-if" analyses. The two cases (with different weights, and with equal weights) already provide answers to "what-if" questions. For example, IA management can immediately observe what the effect would be when increasing the available audit hours from 425 to 450 (available audit hours may be increased by, for example, cutting back on training time). Another example is when management wants to spend hours on all 5 projects and seeks the minimum number of hours required to achieve this. From Table 6 it is easy to see that the answer is 550 hours when weights were used and 525 hours with equal weights. There are a number of other variables that may be varied to give "what-if" information (e.g. the weights in the objective function may be changed to indicate audit project importance influences, goal risks may be changed, maximum and minimum allowable hours can be increased or decreased, etc.).
To illustrate another feature of the model, consider the case where management has decided to concentrate only on a few audit projects instead of all of them. By adding the constraint $\sum_{i=1}^{n} y_i = k$ with $k$ the required number of audit projects and $1 \le k < n$ ($n$ is the total number of projects), the model will then advise (select) which $k$ projects out of the total of $n$ projects should be audited in order to minimise the risk levels. This situation usually occurs when there are many audit projects and not enough hours available to cover all of them.
In the application example, the number of maximum allowable hours for each project was too low to reach any of the goal risk levels. This means that another strength of the model was not illustrated. Consider the case where one of the projects' maximum allowable hours is more than what is necessary to reduce its risk level to the goal risk level. The model may then take those "extra" hours and allocate them to other projects in an effort to reach as many goals as possible. For example, let the maximum allowable hours for Stock Process equal 200. Only 161 hours are required to reach the goal risk of 0.0941 [0.1569 − (161 × 0.00039)]. Instead of allocating all 200 hours and reducing the risk to 0.0789 [0.1569 − (200 × 0.00039)], the model will stop allocating hours to Stock Process when the goal risk of 0.0941 is reached at 161 hours. The remaining 39 hours may then be allocated to the other projects to try and reach their goals as well.
Finally, it should be noted that the model, as it is presented here, will be infeasible when the total hours available (TH) is greater than the sum of all the maximum allowable hours of each audit project or when TH is less than the smallest minimum allowable hours for any project.
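The allocation model of §2.2, together with the surplus-hours and infeasibility behaviour described above, as an added Python example that is not the authors' Excel Solver model. It assumes the goal constraint has the form $R_i + a_i T_i + \varepsilon_{1i} - \varepsilon_{2i} = g_i$ (the equation itself is missing from this copy), swaps the solver for enumeration of the binary $y_i$ with a greedy fill of each selection, and places two constructed projects (Project B, Project C) beside the Stock Process figures quoted above.

```python
# Added example (not the authors' model file): mixed-integer goal programme
# solved by enumerating y_i and filling hours greedily for each selection.
from itertools import product

# Only the Stock Process figures (R, a, g, 40-hour minimum, hypothetical
# 200-hour maximum) come from the page; Projects B and C are constructed.
PROJECTS = [
    {"name": "Stock Process", "R": 0.1569, "a": -0.00039, "g": 0.0941,
     "tmin": 40, "tmax": 200},
    {"name": "Project B", "R": 0.40, "a": -0.0003, "g": 0.20,
     "tmin": 50, "tmax": 160},
    {"name": "Project C", "R": 0.25, "a": -0.0002, "g": 0.15,
     "tmin": 30, "tmax": 100},
]


def residual(p, hours):
    """Underachievement eps_2i: risk still above the goal after `hours`."""
    return max(0.0, p["R"] + p["a"] * hours - p["g"])


def allocate_for_selection(projects, weights, selected, total_hours):
    """Best hours for a fixed choice of y_i, or None if the bounds cannot be met.

    With y fixed, the weighted residual is separable and piecewise linear in
    T_i, so handing spare hours to the steepest segments first is optimal.
    """
    lo = sum(projects[i]["tmin"] for i in selected)
    hi = sum(projects[i]["tmax"] for i in selected)
    if not lo <= total_hours <= hi:   # every available hour must be allocated
        return None
    hours = [0.0] * len(projects)
    segments = []                     # (weighted risk cut per hour, index, capacity)
    for i in selected:
        p = projects[i]
        if p["a"] >= 0:
            raise ValueError("risk-reducing factor must be negative")
        hours[i] = float(p["tmin"])
        t_goal = (p["g"] - p["R"]) / p["a"]      # hours at which the goal is met
        useful = max(0.0, min(p["tmax"], t_goal) - p["tmin"])
        segments.append((weights[i] * -p["a"], i, useful))
        # Hours past the goal reduce nothing, so they are used only as a last resort.
        segments.append((0.0, i, p["tmax"] - p["tmin"] - useful))
    spare = total_hours - lo
    for _rate, i, cap in sorted(segments, key=lambda s: -s[0]):
        take = min(cap, spare)
        hours[i] += take
        spare -= take
    return hours


def solve(projects, total_hours, weights=None):
    """Return (objective, {name: hours}) or None when no selection is feasible."""
    n = len(projects)
    weights = weights or [1.0] * n    # equal weights unless supplied
    best = None
    for y in product((0, 1), repeat=n):
        selected = [i for i in range(n) if y[i]]
        hours = allocate_for_selection(projects, weights, selected, total_hours)
        if hours is None:
            continue
        objective = sum(w * residual(p, h)
                        for w, p, h in zip(weights, projects, hours))
        if best is None or objective < best[0] - 1e-12:
            best = (objective, {p["name"]: h for p, h in zip(projects, hours)})
    return best


if __name__ == "__main__":
    for th in (300, 500, 20):
        print(th, solve(PROJECTS, th))
```

With 300 hours the search stops Stock Process at about 161 hours, gives the rest to Project B and leaves Project C unselected; 500 and 20 hours return `None`, matching the two infeasibility conditions in the text.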

Management response to the model
The evaluation of risk factors was previously carried out on an ad hoc basis and was mainly performed through discussions by the different managers. The use of the AHP approach provides a more systematic way to assess and quantify risk by evaluating factors' importance and their riskiness with respect to specific audit projects. This risk factor framework and quantification of risk was also seen as a valuable tool that can (should) be used to justify or explain the inclusion or exclusion of audit projects from an annual audit plan. Management was also of the opinion that the AHP results can assist with sequencing or scheduling problems by simply selecting, or starting with, those audit projects with the highest risk evaluation. It was further felt that the methodology allows for more effective group decision-making, e.g. pair-wise comparisons based on (consensus) input from more than one decision maker, as opposed to general discussions where consensus was often difficult to reach.
There was no existing easy-to-use facility to perform "what-if" analyses. The use of the framework enabled "what-if" analyses, e.g. if management wants to change the weights of risk factors, or to add or delete risk factors and/or audit projects, etc.
IA management viewed the fact that the framework can be used as a tool to justify certain audits as an important advantage. This is especially applicable when longer-term audit plans are compiled and the inclusion or exclusion of audit projects needs to be justified. In the past inclusion of audit projects in audit plans was mainly based on audit cycles, management requests or incidents such as fraud.
A possible negative aspect is the time it takes to perform the pairwise comparisons. This can be tedious depending on the number of criteria and audit projects, and simplifying the process with existing user-friendly graphic interface software should be considered. Other direct rating methods, e.g. directly positioning alternatives on a scale, may take less time to perform. However, the use of intuitive statements in the AHP where decision makers can give verbal descriptions of relative importance/risk in terms such as "slightly", "strongly" or "absolutely" more risky (see Table 1), proved to be more appropriate in this study.
IA management was initially of the opinion that constraints such as minimum and maximum allowable hours would enable them to produce "good enough" solutions without using this type of model. For example, if the range between the minimum and maximum were small enough it would be easy to do the allocation. This is true, but only in cases where there are only a small number of audit projects to be considered. For a larger number of projects it will not be possible. It would also mean that allocations become subjective and no longer based on a quantitative risk analysis. Other advantages such as "what-if" analyses and the optimal reduction of risk will also be lost. To take all these aspects into account, especially with a larger number of audit projects, is simply not possible without the help of a model.
At the beginning of section 3 it was stated that the objective of applying the framework was to compare the model's result with what actually was planned and implemented. Such a direct comparison was not possible, since the model used management information and data that was not taken into account earlier during the actual allocations. Examples of such additional information are the minimum and maximum hours, goal risks, risk-reducing factors etc. In addition to this, the model also used a different basis for evaluating a project's risk level, i.e. the AHP methodology. Despite all this, it was clear that the results of the model were in general consistent with IA management's expectations. It was agreed that the model correctly allocates available hours while at the same time finer allocations were done, "what-if" analyses were facilitated, risk levels were optimally reduced and a tool was provided to justify the inclusion or exclusion of audit projects.

Conclusion
In this paper a risk-based integrated approach for establishing an optimal allocation of internal auditing time among competing audit projects was suggested. The AHP was used to deal with qualitative risk assessments and the results were integrated with a goal programming model that performed the actual allocations in such a way that risk levels are driven closer to management goals. A case study and numerical results were presented to explain how the framework could be applied in practice. The results indicated that using the suggested approach, several benefits could be derived, e.g.
• It provides a systematic and objective way to identify, assess and evaluate risk factors related to audit projects;
• Analyses of several "what-if" scenarios are facilitated; and
• It can be used as a tool to justify the inclusion or exclusion of audit projects in audit plans based on calculated risk management.
The internal audit function is dynamic and in certain cases this dynamic nature may prevent IA management from following predetermined allocations of hours to audit projects. There may be other constraints to be considered, e.g. legal requirements or special assignments from audit committees, etc. However, in general the framework suggested is a decision-making tool that allows for the consideration of multiple criteria. It offers great potential for allocating audit hours to audit projects, while minimising risk levels and at the same time maximising the utility provided by an IA department.

Figure 1: Risk and resource allocation framework.

Figure 3: Determination of risk-reducing factor for project i.

Figure 4: Importance scale for risk factors.

Figure 5: Overall risk of audit projects.

Table 3: Pairwise comparison matrix and scale for 'External' factor.

Table 4: Audit project risk matrix.

Table 5: Goal risk and risk reducing factors.

Table 6: Goal programming model results. In the column headings W denotes weight and EW denotes equal weight.