How internal audit can use self-assessment to sharpen audit planning

30-second take

Internal audit does not need to rely only on past findings, management interviews or annual risk registers to decide where to focus.

A well-designed self-assessment can help identify where management confidence is strong, where evidence is thin, and where further assurance effort may be better directed. Used properly, self-assessments can provide a sharper starting point and support audit reviews.

Try our Risk & Governance Snapshot to identify which areas need more audit attention and could benefit from self-assessment tools.


Internal audit planning often starts with a familiar set of inputs: prior audit findings, regulatory themes, risk registers, management concerns, incident data, control changes and executive priorities.

All of these matter.

But there is another input that can be very powerful when used carefully: structured self-assessments.

The key is not to treat self-assessments as full assurance. Management saying a control is strong does not make it strong. A high maturity score does not prove that the underlying practice is working.

But self-assessments can show something just as useful for audit planning: where management believes it has confidence, where that confidence may be uneven or unevidenced, and where people are unsure.

That is valuable.

some of the best audit work starts where confidence and evidence do not quite line up.


Self-assessment helps internal audit see the shape of confidence

A good self-assessment asks practical questions about how risk and governance operate in reality.

Not just:

“Do we have a policy?”

But:

“Are accountabilities understood and used in decisions?”
“Can management evidence that key controls are operating?”
“Are issues and actions tracked through to completion?”
“Does reporting show what is changing and where attention is needed?”

The answers can help internal audit see patterns before the formal audit starts.

For example:

  • High confidence but weak evidence may suggest an assurance priority.
  • Low confidence may suggest known gaps that need management action before audit.
  • Mixed responses may suggest inconsistent implementation across teams.
  • “Not sure” responses may indicate poor visibility, unclear ownership or weak reporting.
  • Strong results in one domain and weak results in another may help refine audit scope.

This does not replace audit judgement. It gives audit a better conversation to start from.


It can sharpen the audit universe

Internal audit teams often face a practical problem: there are more possible audits than available audit days.

Self-assessment can help prioritise the audit universe by showing where attention is most needed.

For example, a broad risk and governance snapshot might highlight weaker results in:

  • risk appetite and escalation
  • control ownership
  • third-party risk visibility
  • issue and action closure
  • assurance evidence
  • board reporting

Those signals do not automatically determine the audit plan. But they can help internal audit ask better planning questions:

  1. Is this area already known and being addressed by management?
  2. Is the risk material enough to warrant assurance?
  3. Is the issue about design, implementation, evidence or reporting?
  4. Would an audit add value now, or would a management-led uplift be more useful first?
  5. Is this a one-off concern or a pattern across the organisation?

That is a more focused planning conversation than simply asking, “What should we audit next?”


It can reveal where management confidence needs testing

One of the most useful outcomes from self-assessment is not the score. It is the gap between stated confidence and the evidence behind it.

If a team rates itself highly on controls, resilience, reporting or governance, internal audit can ask:

  • What evidence supports that view?
  • Is the evidence current?
  • Has it been tested?
  • Is the practice consistent across business areas?
  • Would the same view be shared by risk, compliance, operations and the board?
  • Are there incidents, issues or overdue actions that challenge the rating?

This is where self-assessment becomes a planning tool.

It helps audit identify where to test confidence, rather than simply confirm process existence.


It can support better management conversations before the audit starts

Self-assessment also helps avoid a common problem: audit planning that feels like it arrives from outside the business.

When management has completed a structured diagnostic, the planning discussion can become more constructive.

Instead of:

“We are auditing this area because it is on the plan.”

The conversation can become:

“Your own assessment suggests this area may need stronger evidence, clearer ownership or better reporting. Let’s discuss whether assurance would help.”

That changes the tone.

It makes the audit plan feel more connected to business reality. It can also help management see audit as a way to test and improve confidence, not just identify issues.


A practical starting point

The Risk & Governance Readiness Snapshot has been designed as a short front-door diagnostic for exactly this type of conversation.

It asks ten practical questions across areas such as governance, risk appetite, controls, operational resilience, third-party risk, issue management, assurance evidence, culture, AI and technology risk, and board reporting.

At the end, it provides:

  • an overall readiness view
  • stronger areas
  • focus areas
  • a suggested next pathway
  • a printable result for discussion

For internal audit, the value is not in treating the result as assurance. The value is in using it to sharpen the next conversation:

Where does management believe it is strong?
Where is evidence thin?
Where are people unsure?
Where would assurance add the most value?

That is a better starting point for audit planning.

Start with the Risk & Governance Readiness Snapshot, then use the result to consider tools that can shape a more focused audit, assurance or management discussion.

More from the Reading Room

The Qantas privacy finding: a positive lesson in third-party oversight

A serious data breach does not automatically mean governance failed. The more important question is whether an organisation can demonstrate that it understood the risks,...

APRA’s CPS 230 Tweaks: Small Amendment, Big Governance Signal

APRA has released final targeted amendments to CPS 230 Operational Risk Management. The item is current and sits within APRA’s prudential framework, so boards and risk teams should treat it as a live governance and…

“Cheap and Out of Date”, a Board-Level Resilience Question

A practical risk maturity article using a current event to test ownership, evidence, controls, challenge and decision quality.

Everyone Passed. That’s Not the Point.

APRA's inaugural System Risk Stress Test found four major banks and six super funds individually resilient, but exposed concentration risk and a super-fund liquidity mechanism that could amplify a system-wide shock.