A multi-objective optimization approach for integrated risk-based internal audit planning

Annual audit planning is a multi-criteria decision-making problem faced by internal audit departments of all organizations. Due to the constrained audit resources, the planning process primarily involves the analysis and evaluation of complex factors for selecting auditable units that maximize the full potential of internal audit. Previous research on internal audit planning only focused on the goal of risk minimization and applied ranking methods to prioritize alternatives. In order to enable internal audit activities to add more value to the organization, the integrated risk-based internal audit planning is proposed to assist audit department in achieving multiple objectives in addition to risk management. Meanwhile, a multi-stage framework is proposed to support the development of such value-added internal audit plan. The new framework integrates the risk assessment of auditable units with the selection of audit activities and resource allocation through a combined analytic hierarchy process (AHP), fuzzy comprehensive evaluation (FCE) and weighted multi-choice goal programming (WMCGP) approach. The model considers both qualitative and quantitative decision criteria. A real-life case study of the development of an integrated risk-based annual audit plan is presented, and sensitivity analysis is performed to illustrate the validity of the proposed approach. The results indicate that the proposed framework is a useful tool for internal audit planning and the implications of the study can be extended to various selection and allocation problems.


Introduction
weighted multi-choice goal programming (WMCGP). To the best of authors' knowledge, these techniques have not been used for audit planning problem.
The reasons for the use of a combined AHP-FCE-WMCGP approach are elaborated as follows.
• The AHP method (Saaty, 1980) is the most widely used multiple criteria decision analysis (MCDA) method in practice to calculate criteria weights (Vinogradova-Zinkevič et al., 2021). Although it is subject to some criticisms, it is a powerful yet simple analysis tool. For example, one major concern on AHP is the low consistency of pairwise comparisons (Rezaei, 2015). However, checking the consistency of human judgements is one of the AHP steps. In case that the judgement matrix does not meet consistency ratio threshold, remedies can be made by reperforming the pairwise comparisons, excluding the inconsistent matrix, or repairing inconsistent matrix using particle swarm optimization (PSO) technique (Bandichode et al., 2018). During the risk assessment of audit planning, pairwise comparison is also not cumbersome due to the limited evaluation criteria. Moreover, it is easy for practitioners to use available AHP software that is mature and user friendly. The AHP can be used for group decision making by aggregating group opinions. The most commonly used methods are the arithmetic mean and the geometric mean, which are considered to be aggregation by means of direct information (Coffey & Claudio, 2021). Forman and Peniwati (1998) proposed that geometric mean aggregation should be utilized when individuals pool judgements in a way that the group functions as a new individual decision-maker. Accordingly, when applying AHP in the context of group decision, this study adopts the geometric mean method to aggregate individual judgements since the group is assumed to act together as a unit.
• As an application of the fuzzy set theory (Zadeh, 1965), the FCE method is well suited for assessing the overall risk level of an auditable unit, which is a complicated, vague, and multi-level process. In performing risk assessment, practitioners usually prefer to use linguistic terms such as low, moderate, high, and significant (Ameyaw & Chan, 2015). However, previous studies on risk assessment of internal audit planning rarely considered the vagueness (Menekse & Camgoz-Akdag, 2022). Embracing the weighting vector of the evaluation factor obtained from AHP, FCE provides an approach to model and quantify ambiguous and subjective assessment judgments in the context of group decision. FCE model has been adopted in numerous assessment processes in uncertain situations. It is easy to be understood and used by DMs who are not experts in the OR field.
• Compared with other programming models, multi-choice goal programming (MCGP) (Chang, 2007) improves traditional goal programming (GP) model by considering multi-aspiration levels (e.g., the more the better for benefit goal, and the less the better for cost goal) when solving multi-objective problems, and thus avoids underestimation of the decision and obtains solutions with minimum aggregate deviation/maximum aggregate achievement for all multiple goals. The WMCGP model proposed by Ho (2019) further improves MCGP, allowing DMs to emphasize objectives which they consider more important. To achieve multiple goals for the integrated risk-based audit planning, WMCGP provides a rigorous and transparent way to select auditable units and determine the optimal level of audit effort.
The major contributions of this study are stated below.
• This is the first study presenting an integrated risk-based internal audit planning, and utilizing combined OR techniques and a new risk universe of manufacturing industry for this purpose.
• It expands the knowledge base in internal auditing and promotes interdisciplinary study. Previous research on internal auditing was predominated by testing statistical hypothesis (Kotb et al., 2020) and each phase of the internal audit cycle should be investigated in more detail (Christ et al., 2021; Roussy & Perron, 2018). By illustrating the implementation of OR techniques through a real-life case, this paper not only contributes to a better understanding of the internal audit planning process, but also sheds light on the new directions in auditing research to enhance the practical relevance.
• This study provides a reference for practitioners, internal audit association, and audit software companies. With the proposed framework, the IAF can apply simple quantitative methods to develop a value-added audit plan according to departmental strategy. Audit association (e.g., the Institute of Internal Auditors) can also benefit from this study to provide guideline on risk management and audit plan development to inform better practice. In addition, internal audit software companies can embed the model into their products to improve the function.
The rest of the paper is organized as follows: Sect. 2 conducts a review of prior research on methods applied to internal audit planning process and on risk identification of manufacturing sector. Section 3 presents the proposed framework for developing an integrated risk-based audit plan. Section 4 applies the proposed framework to a real-life situation. The results and management feedback are discussed as well. Finally, conclusions and avenues for future research are discussed in Sect. 5.

Internal audit planning
While there is a growing interest in the decision-making problem of internal audit planning, the body of the literature is still small. Sueyoshi et al. (2009) proposed a hybrid AHP and data envelopment analysis (DEA) model to determine the stores of a rental car company that should be audited with more urgency. AHP was applied to compute the subjective risk exposure, and DEA was adopted to obtain the objective efficiency score. Then the sum of exposure (AHP score) and operational inefficiency (1 − DEA score) was used to rank each store. However, this method cannot be generalized to auditable units without measurement criteria in common. For example, not all the processes are comparable with respect to their performance and this kind of audit topics cannot be ranked with the proposed model. Goman and Koch (2019) developed a new composite index (CI) based on the geometric mean to aggregate an overall risk score of each possible audit topic. To develop a risk-based annual audit plan, an illustrative example was given to rank 13 auditable areas. In fact, risk items can be structured in multiple levels but there was a lack of analysis of risks under the main criteria in their study. Menekse and Camgoz-Akdag (2022) proposed spherical fuzzy elimination and choice expressing reality (ELECTRE) model to support internal audit planning. The introduced method was applied to evaluate risk levels of four schools of a university and the riskiest unit should be selected for an audit. Nevertheless, risk assessment was performed in terms of the five elements of COSO internal control framework without identifying specific risk items. The method was also subject to the rank-reversal problem, which could result in obtaining incorrect results.
On the other hand, some studies address the resource allocation problem in addition to the prioritization of auditable areas. To minimize the total risk of an organization, Serfontein and Krüger (2016) combined loss function, AHP and method of Lagrange multipliers to aid in allocating audit resources to five internal audit projects of a gold mining company. In their study, AHP was used to determine overall risk scores of auditable areas rather than as a weight estimation tool. Similarly, to support the internal audit planning of Ministry of Energy and Mineral Resources of Indonesia, Purwanto et al. (2017) also used AHP to calculate risk scores of 27 auditable units. Total working days of each auditable unit were calculated by multiplying the number of auditors with the number of working days, which were defined based on the AHP results and the audit type, respectively. An implicit assumption was made that manpower needed was in proportion to the risk level, whereas it is highly likely that auditing a high-risk area is easy and thus requires fewer headcounts, making it an invalid assumption in many situations. Wang et al. (2021) proposed fuzzy AHP and MCGP for selecting audit activities out of 28 candidate audit activities, and allocating staff time synchronously to achieve goal risk level. As the risk assessment in their study was performed at organization level, it appeared that there was no connection between the current risk level and the risk reduction in terms of each auditable unit. Moreover, a marginal effect was ignored between the risk reduction value and the allocated audit time.

Risk universe
A prerequisite of risk assessment is to identify possible risks. Nevertheless, prior studies mostly evaluated the risk of auditable units based on risk factors without risk identification. A risk factor (e.g., organizational size, degree of change, or operations complexity) is a characteristic, condition, or variable that increases the possibility of the risk. Identifying risk is necessary to ensure an accurate evaluation result.
The risk universe is a list of potential risks the company faces or might face. Although risk areas vary among organizations and industries, there are four main risks for a business (Deloitte, 2013): (1) strategic risk: business decisions or events that prevent an organization from achieving its objectives; (2) financial risk: risk associated with potential financial loss to the organization; (3) operational risk: the failure of processes, systems or events that disrupts daily business operations; and (4) compliance risk: potential exposure resulting from the violation of laws, regulations, and other standards. Each of these main risk categories can be decomposed into several secondary risks.
Manufacturing plays a critical role in both advanced economies and emerging market and developing economies (EMDEs) and generates more economic activities than other sectors (Bryson et al., 2015). Based on the literature of risk management, and the real-world risk universe shared by 7 international manufacturing companies, a generic risk universe of manufacturing industry is created and displayed as Table 1. It can be used as a starting point by any organizations for developing a unique risk universe that fits them.

A multi-stage audit planning framework
To assist the IAF in making scientific and transparent decisions in the annual planning process, a multi-stage audit planning framework is proposed as Fig. 1.
As illustrated, the integrated risk-based internal audit planning is a comprehensive process that evaluates the risk levels of candidate audit areas based on the identified risk types, and then selects the areas to be audited, and determines optimal resource allocation to achieve multiple value-added goals. In the preliminary stage, possible risks in the organization are identified, and all the auditable units are listed. In the second stage, based on DMs' judgements on the relative importance of various risks and risk rating of auditable units by risk type, the risk weights and overall risk level of each auditable unit can be computed using the AHP method and FCE method, respectively. To measure the contribution of audit activities to mitigating existing risks of auditable units, a risk reduction value is estimated. The audit can be conducted at different degrees of work scope, which requires different audit hours. The more audit effort is devoted, the more risk is reduced. However, the time spent on auditing the entity should have a decreasing marginal effect on risk reduction. In the third stage, multiple objectives are defined for the audit area selection problem. Also, available audit resources (e.g., time, funds, and auditor capability) are reviewed. According to the pre-defined objectives and constraints, the audit activities to be conducted in the year and corresponding audit resources are determined using WMCGP model. In the following sections, each stage of the proposed framework is described in detail.

Stage 1: preliminary
To prepare a feasible audit plan, an initial effort should be made to identify organizational risks and potential areas that can be audited. The purpose of such preparation work is to define the evaluation/selection criteria and objects. Risks are potential threats that affect the achievement of organizational objectives (Jovanović et al., 2020). To identify all the key risks, a risk universe can be created by obtaining inputs through meetings, surveys, interviews and workshops with business leaders, and internal auditors' independent research. The audit universe, a list of all the auditable units, simplifies the risk evaluation of the whole organization. The auditable units can be subsidiaries of the organization, business processes, organizational functions, or a mix of them. Gartner (2018)'s survey on 88 companies indicated that most organizations defined audit universes based on business units (73%) and processes (72%), followed by risk type (42%), geographic area (31%) and others (7%). The survey also revealed that about half of audit universes (47%) consist of 50 to 250 entities, while 30% organizations have more than 250 auditable units, and the rest 23% have fewer than 50 units. Griffiths (2020) introduced detailed steps to establish the risk universe and audit universe from scratch in practice. A noteworthy tip is that both universes should be updated periodically to reflect the changes of internal and external environments.

Stage 2: risk assessment
This paper adopts a specific-risk approach for risk assessment, which connects risk types and auditable units using a matrix with each auditable unit in a row and each risk in a column (Heldifanny & Tobing, 2019). When rating the risk level, evaluators are more likely to use qualitative terms (e.g., low, medium, and high) than quantitative ranges or point estimates (Stoel et al., 2017). Table 2 shows the risk scale revised from Joshi and Singh (2017).
To prioritize various risk types according to the importance to organizational performance, an AHP questionnaire is designed to collect the data. In the meantime, a FCE questionnaire is developed to collect DMs' risk rating data. The obtained data can be processed by commercial software or spreadsheet. Based on the calculated risk level, the risk reduction value is obtained via subjectively assessed formulas. The used methods are introduced as follows.

Analytical hierarchy process
The first step in using AHP is to define the criteria (e.g., risk items for risk assessment problem). The key feature of AHP technique is the pairwise comparison for scoring each criterion and sub-criterion. In the pairwise comparison, any two factors are compared with each other. The comparison is usually scored according to Saaty (1980)'s nine-point scale.
Risk scale (table fragment)
Risk may be acceptable within a short period, but action is needed to reduce risk
Low: Risk is acceptable and the event does not constitute a concern. There are opportunities for further improvement, and risk mitigation should be implemented in future
Very low: Risk is slight and negligible
To ensure the reliability of subjective judgments made by DMs, consistency check should be conducted. If the consistency ratio is below 0.1, the judgement matrix is satisfactory. Otherwise, initial values of judgement matrix elements should be revised to improve the consistency. To generate the weighting vector $W = \{w_1, w_2, \cdots, w_I\}$, the most widely used method is the characteristic root method, and $\sum_{i=1}^{I} w_i = 1$.
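The group AHP step described above, as an added example that is not code from the paper: individual judgement matrices are pooled with the element-wise geometric mean, weights come from the principal eigenvector (power iteration), and the consistency ratio is checked against the 0.1 threshold. The three judges' matrices and the intransitive matrix are constructed sample data; the function names are hypothetical, and the random index values are Saaty's commonly tabulated ones.

```python
import math

# Saaty's random consistency index (RI) by matrix order n.
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}
CR_THRESHOLD = 0.1  # acceptance threshold stated in the text
CRITERIA = ["strategic", "financial", "operational", "compliance"]


def reciprocal_matrix(n, upper):
    """Build an n x n reciprocal matrix from upper-triangle judgements {(i, j): a_ij}, i < j."""
    m = [[1.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            a = float(upper[(i, j)])  # KeyError if a pairwise comparison is missing
            if a <= 0:
                raise ValueError("judgements must be positive")
            m[i][j], m[j][i] = a, 1.0 / a
    return m


def aggregate_geometric(matrices):
    """Element-wise geometric mean of the judges' matrices (all judges weighted equally)."""
    n, k = len(matrices[0]), len(matrices)
    if any(len(m) != n for m in matrices):
        raise ValueError("all judgement matrices must have the same order")
    return [[math.prod(m[i][j] for m in matrices) ** (1.0 / k) for j in range(n)]
            for i in range(n)]


def principal_eigen(matrix, iterations=500):
    """Power iteration; returns (weights normalised to sum to 1, lambda_max)."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lam


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1)."""
    n = len(matrix)
    if n < 3:
        return 0.0  # 1x1 and 2x2 reciprocal matrices are always consistent
    _, lam = principal_eigen(matrix)
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def group_weights(matrices):
    """Aggregate the judges, then return (weights, CR, accepted?)."""
    agg = aggregate_geometric(matrices)
    weights, _ = principal_eigen(agg)
    cr = consistency_ratio(agg)
    return weights, cr, cr < CR_THRESHOLD


# Constructed judgements of three evaluators over the four main risks (order as in CRITERIA).
JUDGES = [
    reciprocal_matrix(4, {(0, 1): 2, (0, 2): 1 / 2, (0, 3): 2, (1, 2): 1 / 2, (1, 3): 2, (2, 3): 3}),
    reciprocal_matrix(4, {(0, 1): 1, (0, 2): 1 / 2, (0, 3): 2, (1, 2): 1 / 2, (1, 3): 1, (2, 3): 2}),
    reciprocal_matrix(4, {(0, 1): 1, (0, 2): 1, (0, 3): 2, (1, 2): 1 / 2, (1, 3): 2, (2, 3): 2}),
]
# Constructed intransitive judgement (A >> B, B >> C, yet C >> A): must fail the check.
INTRANSITIVE = reciprocal_matrix(3, {(0, 1): 9, (0, 2): 1 / 9, (1, 2): 9})

if __name__ == "__main__":
    weights, cr, accepted = group_weights(JUDGES)
    for name, w in zip(CRITERIA, weights):
        print(f"{name:12s} {w:.4f}")
    print(f"CR = {cr:.4f}, accepted = {accepted}")
    print(f"intransitive CR = {consistency_ratio(INTRANSITIVE):.2f}")
```

A matrix that fails the check is sent back for revised judgements rather than silently averaged into the group result.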

Fuzzy comprehensive evaluation
The procedure of the FCE method can be described by the following steps (Hsiao & Ko, 2013).
Step 2: Setup of the fuzzy evaluation matrix. A $U$-$V$ fuzzy relationship matrix $R$ can be generated for each alternative/evaluation object (e.g., auditable unit) as follows.
The process is also called fuzzy transformation. The membership function denotes the fuzziness of the evaluation factor by assigning each evaluation factor a grade of membership ranging from 0 to 1. In the context of group evaluation, $r_{ij}$ ($i = 1, 2, \cdots, I$; $j = 1, 2, \cdots, J$) is the membership degree which represents the percentage of evaluators who rated $j$th grade for $i$th factor. In other words, $r_{ij} = x_{ij}/C$ in which $x_{ij}$ means the number of evaluators who rate evaluation object as $v_j$ in regard to criterion $u_i$, and $C$ is the total number of evaluators. Additionally, $\sum_{j=1}^{J} r_{ij} = 1$.
Step 3: Conduct fuzzy comprehensive evaluation of the alternative. By applying the fuzzy composite operation between the weighting vector W from AHP and the fuzzy relationship matrix R, the comprehensive evaluation result of the alternative is obtained via Eq. (1).
where • denotes the composition operator. This study uses weighted average principle and d j To make it more straightforward for decision making, the fuzzy output is then converted into a crisp number through defuzzification process (Chen et al., 2015).

Risk reduction value
Prior research exploring the relation between devoted audit time and the risk reduction effect is quite limited, and it is a difficult task to measure the exact relation due to complex scenarios and lots of uncertainty in practice (Hamid, 2012).
As risk cannot be fully eliminated, there is a maximum amount of risk reduction by conducting audit activities. Inspired by Miltz et al. (1991), audit work scope and corresponding risk reduction percentage ($RP_n$) are classified into the following four categories.
• Small scope review. Internal auditors perform interview, walkthrough, and high-level review of the auditable unit. Detailed investigation or testing is not conducted. In this scenario, the risk reduction is judgmentally set as 40% of the maximum risk reduction amount.
• Moderate scope review. Audit testing can cover all the key processes and risk reduction is set as 60% of the maximum risk reduction amount.
• Large scope review. Internal auditors perform deep testing on majority of the applicable processes. The risk reduction equals to 80% of the maximum risk reduction amount.
• Full scope review. Auditors conduct a complete and extensive review of the auditable units to achieve maximum risk reduction amount. Assume that 90% of existing risk can be mitigated at the most by conducting a full audit.
In addition, there is a decreasing marginal risk reduction to additional audit scope/effort. In other words, for each auditable unit, the broader the audit scope is, the more the risk reduction can be achieved. However, risk reduction per unit of time decreases. Audit time at different work degrees of an auditable unit can be obtained from internal auditors based on their professional judgements (e.g., complexity and nature of each audit) and/or historical data (e.g., timesheet which records actual audit time spent on comparable audits).
In the below, Eq. (2) expresses the above estimation and Eq. (3) examines the diminishing marginal returns of audit time.
where $RR_{mn}$ indicates risk reduction value of $m$th auditable unit at $n$th audit scope; $RP_n$ means risk reduction percentage under $n$th work scope, thereby $RP_1$, $RP_2$, $RP_3$, and $RP_4$ equal to 40%, 60%, 80%, and 100%, respectively; $Z_m$ denotes pre-audit risk score of $m$th auditable unit as per FCE results; $T_{mn}$ means audit hours spent on $m$th auditable unit at $n$th audit scope. $T_{mn}$ (or $T_{m(n+1)}$) indicates additional time to conduct audit in $m$th auditable unit at one level higher than $n$ (or $n + 1$); $RR_{mn}$ (or $RR_{m(n+1)}$) indicates additional risk reduction achieved by expanding audit scope at one level higher than $n$ (or $n + 1$) when working on $m$th auditable unit.

Stage 3: audit area selection
As discussed earlier, a value-added audit plan is not only risk-focused but also integrated, proactive and future-focused, such as incorporating organizational strategy and business needs. Meanwhile, scarce audit resources are constraints for the IAF to achieve desired goals.
The selection of auditable units and determination of the audit scope can be solved simultaneously. When no audit scope is assigned to the candidate audit areas, the audit activities will not be included in the annual audit plan. The proposed WMCGP method is used to determine the audit activities with corresponding audit scope. A summary of WMCGP model is presented as Eq. (4) to Eq. (10) (Ho, 2019).
s.t. , $k = 1, 2, \ldots, K$, (for the case of the more the better) (6)
$y_k - e_k^+ + e_k^- = g_{k,\min}$, $k = 1, 2, \ldots, K$, (for the case of the less the better)
$g_{k,\min} \le y_k \le g_{k,\max}$, $k = 1, 2, \ldots, K$,
$x \in F$, ($F$ is a feasible set, $x$ is unrestricted in sign)
where Eq. (4) is the objective function to minimize the aggregate deviation from all goals. Equation (5) to Eq. (8) determine the range of aspirational levels and drive the target value to get closer to the upper (lower) bound. $w_k$ represents the weight of $k$th goal, and $\sum_{k=1}^{K} w_k = 1$; $\alpha_k$ and $\beta_k$ respectively denote the penalty weights attached to deviations $d_k^+$ and $d_k^-$, which are overachievement and underachievement of $k$th goal. $e_k^+$ and $e_k^-$ are positive and negative deviations between aspiration value of $k$th goal ($y_k$) and lower/upper bound of corresponding aspiration value ($g_{k,\min}$ or $g_{k,\max}$). $f_k(x)$ is the objective function of $k$th goal. $y_k$ is a continuous variable with a range of interval values.
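A small instance of the selection step, added here as an example that is not the paper's model or code: each auditable unit gets a scope from 0 (not audited) to 4 (full), the hour budget is a hard constraint, and the plan with the lowest weighted goal deviation is found by enumeration instead of a solver. The units, hours, tags, budget and goal bounds are constructed; the objective (goal weight times penalised over/under-achievement plus the distance of the aspiration level from its upper bound, normalised by that bound) is an assumed reading of the description above and covers only "more the better" goals.

```python
from itertools import product

MAX_MITIGATION = 0.90                        # a full audit mitigates at most 90% of the risk
SCOPE_SHARE = (0.0, 0.40, 0.60, 0.80, 1.00)  # index 0 = not audited, then RP_1..RP_4

# Constructed audit universe: name -> (pre-audit risk score Z, hours for scopes 1..4, tags).
UNITS = {
    "AU-A": (4.2, (300, 450, 700, 1100), {"erm"}),
    "AU-B": (3.8, (320, 480, 760, 1200), set()),
    "AU-C": (3.1, (200, 320, 500, 800), {"erm"}),
    "AU-D": (2.6, (150, 240, 400, 640), {"advisory"}),
    "AU-E": (3.5, (250, 400, 620, 1000), {"erm", "advisory"}),
    "AU-F": (2.0, (120, 200, 320, 520), set()),
}
BUDGET_HOURS = 2400  # constructed

# Constructed goals: name -> (w_k, g_min, g_max, alpha_k = penalty above, beta_k = penalty below).
GOALS = {
    "risk": (0.5, 6.0, 9.0, 0.0, 5.0),            # total risk reduction
    "erm": (0.3, 1200.0, 1200.0, 0.0, 5.0),       # hours on ERM-linked units
    "advisory": (0.2, 240.0, 720.0, 3.0, 2.0),    # advisory hours, capped from above
}


def achieved(plan):
    """f_k(x) for a plan {unit: scope 0..4}: total hours, risk reduction, tagged hours."""
    out = {"hours": 0.0, "risk": 0.0, "erm": 0.0, "advisory": 0.0}
    for name, scope in plan.items():
        if scope == 0:
            continue
        z, hours, tags = UNITS[name]
        h = hours[scope - 1]
        out["hours"] += h
        out["risk"] += SCOPE_SHARE[scope] * MAX_MITIGATION * z
        for tag in tags:
            out[tag] += h
    return out


def goal_cost(f, g_min, g_max, alpha, beta):
    """Lowest normalised deviation for one goal over aspiration levels y in [g_min, g_max].

    The cost is piecewise linear in y, so only the bounds and f clipped to them matter.
    """
    def cost(y):
        over, under = max(0.0, f - y), max(0.0, y - f)    # d+ and d-
        return alpha * over + beta * under + (g_max - y)   # e- = g_max - y, e+ = 0
    candidates = {g_min, g_max, min(max(f, g_min), g_max)}
    return min(cost(y) for y in candidates) / g_max


def objective(plan):
    """Weighted sum of the per-goal deviations (assumed objective form)."""
    f = achieved(plan)
    return sum(w * goal_cost(f[k], lo, hi, a, b) for k, (w, lo, hi, a, b) in GOALS.items())


def best_plan():
    """Enumerate every scope assignment within the hour budget and keep the best one."""
    names = sorted(UNITS)
    best, best_score = None, float("inf")
    for scopes in product(range(5), repeat=len(names)):
        plan = dict(zip(names, scopes))
        if achieved(plan)["hours"] > BUDGET_HOURS:
            continue
        score = objective(plan)
        if score < best_score - 1e-12:
            best, best_score = plan, score
    return best, best_score


if __name__ == "__main__":
    plan, score = best_plan()
    print({u: s for u, s in plan.items() if s}, round(score, 4), achieved(plan))
```

Enumeration is only workable for a handful of units (5 to the power of the unit count); an audit universe of the size in the case study needs a mixed-integer solver.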

A real life case
A real-life case is presented to illustrate how the proposed multi-stage framework can be applied to develop an integrated risk-based audit plan. The case study is conducted at an automobile parts manufacturing company. With its global headquarter located in China, the company has 19 plants, 8 sales offices, 8 technical support centers, 5 research and development centers, and 4 logistics centers across the world. Currently there are 10 members in the IAF, who are all based at corporate headquarter. In addition, according to the secondment agreement with a multinational consulting firm, the in-house internal audit team could hire external consultants in various locations to carry out some audit activities if necessary (e.g., international travel restriction due to the pandemic, or insufficient specialized skills and capabilities in certain fields). Internal audit co-sourcing model allows the IAF to operate in a more flexible and cost-effective way.
In this study, we discussed the internal audit planning problem by interviewing chief audit executive (CAE) and senior audit manager. The current annual planning process mainly relies on intuitive decision and manual work as elaborated below. (1) The audit team collects potential audit areas for the following year via various inputs, such as continuous audits conducted every year, interview with business management, audit topics proposed by internal auditors, and follow-up audits of previous findings due to the severity. (2) Based on professional judgement, senior audit manager performs risk assessment by simply rating each potential audit area as "low", "medium" or "high". To determine whether the topic should be included in the annual audit plan, senior audit manager judgmentally classifies the potential audit activities as "yes", "maybe", or "no" considering the risk category and other factors, such as audit areas requested by management frequently. (3) Senior audit manager estimates hours including co-source hours needed to audit each selected area (i.e., topics marked as "yes"). When available hours are less than the total hours of the proposed activities, some audit topics need to be excluded. Otherwise, potential audit topics categorized as "maybe" will be judgmentally added to the audit plan until available hours are used up.

Implementation of the proposed framework
Based on the 45 auditable units identified as potential audit topics for the year 2022, the implementation of the proposed framework is described below.

Risk assessment on auditable units
Under the specific-risk approach, risk items in Table 1 are used as the evaluation criteria of auditable units. Five experts from the IAF, including three (senior) audit managers and two senior auditors, made comparison judgments on these risk items. Questionnaires were sent out for each respondent to give their own opinion for each judgment, and when the questionnaires were sent back the judgments were combined using the geometric mean and then entered as a single judgment into a model in Super Decisions V3.2 (Mu & Pereyra-Rojas, 2018), a simple easy-to-use AHP software developed by the team of the creator of the AHP method. In the group decision using geometric mean method, it is assumed that all group members have equal importance as they are all qualified professionals. As a result, the weights of risk items are obtained as Table 3. It can be concluded that operational risk ($U_3$) is rated as the most important main risk to the organization. In terms of the secondary risks, the top five risk items are accounting and reporting ($u_{21}$), sales and marketing ($u_{31}$), governance ($u_{11}$), regulatory ($u_{42}$), and manufacturing ($u_{36}$). Meanwhile, FCE method is adopted to calculate risk score. Five experts rated risk level of each auditable unit by risk item. An example of risk rating of the first auditable unit ($AU_1$) is given in Table 4. As shown, three DMs voted "high" for both governance risk ($u_{11}$) and purchasing and supply chain risk ($u_{32}$), while the other two DMs believed that these two risks were "significant".
By normalizing the data in Table 4, the fuzzy relationship matrix can be obtained. Combining the weighting vector from Table 3, the FCE result is presented as Eq. (11).
To interpret the results, in terms of the overall risk level of the assessed auditable unit, the probability to be "very low", "low", "medium", "high", and "significant" is 0.0097, 0.0951, 0.2532, 0.3649 and 0.2772, respectively. To get the final evaluation result, linguistic terms of the risk level can be converted into crisp values using five-point Likert scale (Loh et al., 2017). Therefore, let risk grade set $V = \{\text{very low, low, medium, high, significant}\} = \{1, 2, 3, 4, 5\}$. By applying the weighted average algorithm, which is the frequently used method to conduct the defuzzification of the evaluation results due to its simplicity and high efficiency (Jia et al., 2022), the fuzzy comprehensive evaluation results are converted into a crisp number 3.805. That is, the overall risk of $AU_1$ falls between medium and high.
The pre-audit risk score of all auditable units ($AU_m$) can be obtained by repeating the above calculation. And then the risk reduction value can be estimated by applying Eqs. (2) and (3). An overview of the auditable units is given in Table 5, including the calculated pre-audit risk level and risk reduction value. The top five auditable units ranked by overall risk level are $AU_{23}$, $AU_9$, $AU_{27}$, $AU_{35}$, and $AU_{19}$.
Other information (e.g., working hours and nature of the audit) needed for making decision are provided by the senior audit manager. For instance, performing a small-scope audit at $AU_1$ could take 320 h and reduce existing risk by 1.3698. Similarly, conducting a moderate (large or full) audit requires 480 (760 or 1200) hours and can reduce the risk by 2.0574 (2.7396 or 3.425). Working hours of audit managers who are responsible for supervising the audit are excluded from the estimated audit time. This audit is not an advisory service and is assigned to in-house audit team only (i.e., external consultant accounts for 0% of the total work time). Management used to request audit team to conduct this audit. However, this audit topic is not related to enterprise risk management (ERM), does not belong to the industry hot spot, is not corporate strategic focus, nor within the potential scope of audit committee (AC)'s interest. On the other hand, considering the restriction of international travel due to COVID-19 pandemic, external consultants can provide local audit support of overseas entities such as $AU_9$, which could account for 30% of total work time. In other words, the in-house audit team would concurrently complete the rest 70% of audit tasks remotely using technology. IT audit (e.g., $AU_{27}$) will be fully (100%) completed by consultants due to lack of proficient IT auditors in the company.
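The FCE and risk-reduction calculations above, traced end to end as an added example (not code from the paper): evaluator votes become a membership matrix, are composed with the weights, defuzzified to a crisp score, and turned into a risk-reduction ladder whose marginal return per hour is checked. The vote counts are constructed and use only the four main-risk weights of Case I rather than the full two-level risk universe; the weighted-average operator d_j = sum_i w_i r_ij and the reading of Eq. (2) as RP_n x 90% x Z_m are assumptions consistent with the figures quoted for AU 1.

```python
GRADES = (1, 2, 3, 4, 5)                 # very low, low, medium, high, significant
SCOPE_SHARE = (0.40, 0.60, 0.80, 1.00)   # RP_n: small, moderate, large, full scope
MAX_MITIGATION = 0.90                    # a full audit mitigates at most 90% of the risk

CASE_I_WEIGHTS = (0.2716, 0.2256, 0.3509, 0.1519)        # strategic, financial, operational, compliance
AU1_VECTOR = (0.0097, 0.0951, 0.2532, 0.3649, 0.2772)    # FCE result quoted for AU 1
AU1_HOURS = (320, 480, 760, 1200)                        # audit hours quoted for AU 1

# Constructed votes of five evaluators: rows = risk factors, columns = grades.
SAMPLE_VOTES = [
    [0, 0, 0, 3, 2],   # strategic
    [0, 1, 2, 2, 0],   # financial
    [0, 0, 1, 3, 1],   # operational
    [1, 2, 2, 0, 0],   # compliance
]


def membership_matrix(votes):
    """r_ij = x_ij / C, where votes[i][j] counts evaluators grading factor i as grade j."""
    totals = {sum(row) for row in votes}
    if len(totals) != 1 or 0 in totals:
        raise ValueError("every factor needs the same, non-zero number of ratings")
    c = totals.pop()
    return [[x / c for x in row] for row in votes]


def compose(weights, r):
    """Weighted-average operator (assumed form): d_j = sum_i w_i * r_ij."""
    if len(weights) != len(r) or abs(sum(weights) - 1.0) > 1e-6:
        raise ValueError("need one weight per factor, summing to 1")
    return [sum(w * row[j] for w, row in zip(weights, r)) for j in range(len(GRADES))]


def defuzzify(b):
    """Weighted average of the grade values: the crisp pre-audit risk score."""
    return sum(g * d for g, d in zip(GRADES, b))


def risk_reduction_ladder(z):
    """Risk reduction at each scope, read as RP_n * 90% * Z (assumed reading of Eq. (2))."""
    return [p * MAX_MITIGATION * z for p in SCOPE_SHARE]


def marginal_rates(ladder, hours):
    """Risk reduction gained per additional audit hour at each successive scope."""
    rates, prev_r, prev_h = [], 0.0, 0
    for r, h in zip(ladder, hours):
        if h <= prev_h:
            raise ValueError("audit hours must increase with scope")
        rates.append((r - prev_r) / (h - prev_h))
        prev_r, prev_h = r, h
    return rates


def marginal_returns_non_increasing(ladder, hours, tol=1e-12):
    """True when no wider scope yields more risk reduction per extra hour than the one before."""
    rates = marginal_rates(ladder, hours)
    return all(later <= earlier + tol for earlier, later in zip(rates, rates[1:]))


if __name__ == "__main__":
    b = compose(CASE_I_WEIGHTS, membership_matrix(SAMPLE_VOTES))
    print("constructed unit:", [round(d, 4) for d in b], round(defuzzify(b), 4))
    z = round(defuzzify(AU1_VECTOR), 3)
    ladder = risk_reduction_ladder(z)
    # The text prints 2.0574 for the moderate scope; this formula evaluates to 2.0547.
    print("AU 1:", z, [round(v, 4) for v in ladder])
    print("marginal rates:", [round(v, 6) for v in marginal_rates(ladder, AU1_HOURS)])
```

The marginal-rate check is worth running on every row of the hours estimates, since an estimate that makes a wider scope cheaper per unit of risk than a narrower one contradicts the diminishing-returns assumption the selection model relies on.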

Audit area selection
The available audit resources considered during the annual audit planning include: (1) A total of 9,600 working hours of 6 internal auditors who execute the audit plan.
(2) The approved 2022 annual budget for hiring external consultants is RMB 2 million (~USD 312,500). With this fund, the IAF can hire external resources up to 1,950 h based on consultant's hourly rate. Therefore, 11,550 h are available for carrying out the audit plan.
According to the characteristics of the integrated risk-based audit plan and the practice of the studied IAF, the goals of the case company are expressed as follows: (1) reduce risk level as much as possible; (2) the more audit areas linked with ERM the better; (3) accommodate as many management requests as possible; (4) cover as many industry audit hot spots as possible; (5) cover the company's strategy as much as possible; (6) consider the potential interest of the audit committee/board, the more the better; and (7) spend as much time as possible on advisory service. Table 6 provides a summary of goal weights, aspirations, and penalty weights for below/above each goal given by the senior manager. The importance of each goal can also be generated by an MCDA method such as AHP. Each goal is explained as follows based on the above dataset.
(G1) Existing risks should be reduced by at least 38, the more the better. Risk reduction is the core of integrated risk-based audit planning. To keep the result from falling below the lower bound and to push it as high as possible, the senior audit manager assigns a penalty weight of 5 for falling below the goal.
(G2) Audit time spent on areas related to ERM must be over 5775 h (or 50% of total available time, which is also the upper bound), the more the better. Addressing ERM is an essential way for the IAF to target the pulse of the company, so a penalty weight of 5 is assigned to this goal.
(G3) Audit time spent on areas proposed by management must be over 5775 h (or 50% of total available time), the more the better. Management concerns are a key indicator of business needs and should be considered in the annual audit planning process. Hence, a penalty weight of 3 is assigned for falling below the goal.
(G4) Audit time spent on hot audit topics in the industry must be over 600 h (or about 5% of total available time), the more the better. Covering hot spots helps to keep an eye on industry trends. Hence, a penalty weight of 2 is assigned for falling below the goal.
(G5) Audit time spent on areas related to the company's strategy must be over 2310 h (or 20% of total available time), the more the better. A penalty weight of 3 is assigned for falling below the goal.
(G6) At least 3465 h (or 30% of total available time) are spent on areas that would be of interest to the audit committee, the more the better. The audit committee's opinion is an important input, and thus a penalty weight of 3 is assigned for falling below this goal.
(G7) At least 1155 h (or 10% of total available time) are spent on advisory service, the more the better. The senior audit manager assigns a penalty weight of 2 for falling below the advisory service goal. However, as assurance service is still the main task of the IAF, 3465 h (or 30% of total available time) are set as the upper bound. Also, to avoid too many hours being spent on advisory service, a penalty weight of 3 is assigned for exceeding the goal.
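The goal structure above can be exercised on a small scale. The following is an added example, not the paper's WMCGP formulation or data: it scores plans with one-sided, bound-normalised penalties built from the targets and penalty weights stated above, and searches all subsets exhaustively. The candidate units A to H, their tags, the normalisation, and equal goal weights (Table 6 is not reproduced here) are assumptions.

```python
from itertools import combinations

CAPACITY_H = 11550  # total available hours implied by the text (5775 h = 50%)

# goal: (tag, target, penalty below, upper bound, penalty above); values from the text
GOALS = {
    "G1": ("RISK", 38, 5, None, 0),
    "G2": ("ERM", 5775, 5, None, 0),
    "G3": ("MGMT", 5775, 3, None, 0),
    "G4": ("HOT", 600, 2, None, 0),
    "G5": ("STRAT", 2310, 3, None, 0),
    "G6": ("AC", 3465, 3, None, 0),
    "G7": ("ADV", 1155, 2, 3465, 3),
}

# Constructed candidates (not the case company's data): name, hours, risk reduction, tags
UNITS = [
    ("A", 2400, 10, {"ERM", "MGMT", "AC"}),
    ("B", 2000, 9, {"ERM", "STRAT", "AC"}),
    ("C", 1800, 8, {"ERM", "MGMT"}),
    ("D", 1600, 7, {"MGMT", "HOT"}),
    ("E", 2000, 6, {"ADV", "STRAT"}),
    ("F", 1200, 5, {"ERM", "AC"}),
    ("G", 1540, 4, {"ADV", "MGMT"}),
    ("H", 900, 3, {"HOT", "STRAT"}),
]

def achieved(plan):
    """Achieved level per goal: risk reduction for G1, tagged hours otherwise."""
    return {g: sum(u[2] if tag == "RISK" else u[1] * (tag in u[3]) for u in plan)
            for g, (tag, *_rest) in GOALS.items()}

def penalty(plan):
    """Sum of penalty-weighted unwanted deviations, each normalised by its bound."""
    got, total = achieved(plan), 0.0
    for g, (_tag, low, w_below, high, w_above) in GOALS.items():
        total += w_below * max(0, low - got[g]) / low
        if high is not None:
            total += w_above * max(0, got[g] - high) / high
    return total

def best_plan(units=UNITS, capacity=CAPACITY_H):
    """Exhaustive search over subsets that fit the hour budget (fine for 8 units)."""
    feasible = (p for r in range(len(units) + 1) for p in combinations(units, r)
                if sum(u[1] for u in p) <= capacity)
    return min(feasible, key=penalty)

if __name__ == "__main__":
    plan = best_plan()
    print([u[0] for u in plan], round(penalty(plan), 4), achieved(plan))
```

With these constructed units, a plan that includes both advisory engagements E and G overshoots the 3465 h advisory cap by 75 h and is penalised for it, so the search prefers a plan with only one of them.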
Formulation of the audit planning problem is expressed as follows.  Fig. 3 depicts the realized goals. All the goals can be achieved as follows according to the optimal solution.
(G1) A total risk reduction of 41.5 is achieved, which is 9.14% higher than the desired risk reduction value.
(G2) It would take 9520 h to complete 13 audit engagements relevant to ERM, which is 65% higher than the expectation.
(G3) It would take 10,080 h to perform 13 engagements related to management requests, which is 75% higher than the expectation.
(G4) There are 4320 h spent on 4 audit engagements covering industry hot spots. The achieved result is six times higher than the expectation.
(G5) There are 7360 h spent on 9 audit engagements covering the company's strategy. The achieved result is more than three times the desired hours.
(G6) There are 10,820 h spent on 13 engagements addressing the interest of the audit committee, which is twice higher than the expectation.
(G7) There are 3540 h spent on 4 advisory engagements, which is slightly (75 h) above the upper bound and is three times the pre-defined requirement.

Sensitivity analysis
To check the robustness of the solution, two sensitivity analyses are presented regarding changes in DMs' weights on the risk items and goals. First, when assessing the overall risk of auditable units using the FCE method, the illustrative case, namely Case I, is based on one set of weights W = (0.2716, 0.2256, 0.3509, 0.1519) from the AHP method. Specifically, DMs view operational risk as the most important risk to the organization, followed by strategic risk, financial risk, and compliance risk. To make strategic risk the most critical one, let Case II exchange the weight of strategic risk for that of operational risk in the original weight vector, thereby W = (0.3509, 0.2256, 0.2716, 0.1519). Figure 4 depicts the comparison of final evaluation results by top 10 risky auditable units.
As can be seen, AU 23 has the highest risk score in both Case I and Case II but not in other cases. Therefore, this auditable unit is not sensitive to strategic risk but is sensitive to financial and compliance risks. Also, AU 19 ranks fifth in the illustrative case, but ranks either first or second in other cases. Therefore, it is sensitive to other risks. Besides, AU 23, AU 9, AU 27, AU 35, AU 19, AU 1, and AU 43 are the top 7 risky auditable units in all cases, while the specific rankings vary among the cases. In general, these auditable units are viewed as high-risk areas and the impact of weight changes on the ranking is not obvious. On the other hand, AU 40 becomes a top 10 risky area only in Case I, and AU 2 is not ranked as a top 10 risky area only in Case IV. To summarize, DMs' judgements on the importance of risks could impact the risk evaluation results to a certain extent. However, the difference in the risk score of each auditable unit is not significant among the cases, ranging from 0.062 to 0.4321, or from 2 to 14%.
Second, as given in Table 7, this study sets different weights of goals in determining the multi-objective selection of auditable units. The illustrated case study, Scenario I, emphasizes risks. The other three assumed scenarios emphasize other objectives. With all constraints unchanged, the solutions are presented in Fig. 5.
Scenario I considers risk reduction (G1) and linkage with ERM (G2) as key goals while balancing other goals. As a result, 15 audits are selected. Scenario II cares more about stakeholders. Under this strategy, management request (G3) and AC's interest (G6) are given higher weights. Finally, 16 audits are selected. In Scenario III, the nature of the audit is

Management feedback on the framework
The proposed framework for developing an integrated risk-based audit plan enhances the value that audit work brings to the organization. Because the case study used management judgement and data that were not considered in the manually performed planning process, a direct comparison between the proposed solution and the real-life audit plan was not feasible. However, the designed process is reasonable and the results are satisfactory to audit leaders. The new framework not only selects more critical audits, but also determines the effort level to reduce low-value work.
According to the senior audit manager, "Unlike the look back approach we are using now, the proposal adopts a proactive approach. This is the mindset we need to implement to show how people can make decision. The proposed framework makes much more sense in the data driven audit planning, and we will need it when it becomes hard for us to reduce potential audits and pick more meaningful projects at one point. Although we are not yet data driven audit team because the current management team of the company is not at this appetite, this could change next day". In addition, as per the CAE, "The framework is a good way to track and explain the selection decision. You also bring up a good point to start resource plan upfront selection. How we operate now is that we work backward to manage the numbers at the last minute. However, it is not necessary to use this new approach at this moment because we do not have a large population of auditable unit to make the selection now. Our candidate topics are mainly from management input meetings. We pretty much know what we are going to select as we kind of understand which areas would executives like us to check. With that said, I'm not denying the benefits of the approach and the promising results. This is the way to future. This will be useful as we grow up and become more complex considering the ongoing and future mergers and acquisitions. I'm also thinking of applying the approach to individual audit engagement, we can figure out where else we can apply this approach best".

Conclusion and future work
Internal audit planning is a methodical process of selection and resource allocation. This paper presents a novel decision support model for the annual planning problem based on OR methods. The proposed multi-stage framework synthesizes DMs' judgements on risk rating and considers various goals and constraints in selecting audit engagements and allocating resources.
Starting from the preparation of the audit and risk universe, the proposed framework uses a combined AHP and FCE method for assessing the existing risk of each auditable unit. This method aggregates DMs' opinions about organizational risks. Then the risk reduction value is estimated based on the obtained risk level and possible audit scopes. Finally, the WMCGP model is adopted to select candidate audits and allocate resources to the audit engagements concurrently, aiming to achieve multiple objectives. The proposed integrated risk-based audit planning enables the IAF to consider value-added factors in addition to risk management. A real-life case of a manufacturing company is presented to elaborate how the proposed framework can be applied. However, the proposed framework can be applied to any organization.
This study has some theoretical implications for auditing in general and risk-based audit planning in particular. It extends existing internal auditing research, which is an important but under-researched area. The new risk model of the manufacturing industry and the exploration of the relationship between risk mitigation and audit time also contribute to the body of knowledge on risk management. Moreover, this interdisciplinary study offers new insights into the audit planning process. Compared with previous studies, which use ranking methods for audit project selection and only focus on a single goal of risk mitigation, the proposed framework enables simultaneous consideration of resource allocation and project selection for achieving multiple objectives. In addition to the theoretical implications, the findings of this study support the IAF in developing a value-added annual plan according to the departmental strategy. With the proposed framework, internal audit planning can be conducted in a justified, scientific, and transparent way, which enhances the reliability of internal audit activities. This study also provides a reference for audit software developers to improve the design of the audit planning module. In fact, the implications of this paper are not limited to the annual audit planning problem; the proposed model would be of great practical value for many decision-making problems, especially for selection, allocation, and evaluation in various scenarios.
In terms of the study's limitations, an issue that may arise is the increasing amount of effort for audit planning work. When the size of the audit universe is small, managers can easily make decisions based on their experience. Moreover, a decision analyst might be needed to implement the proposed framework. However, with repeated use of the model, the effort level can be reduced. Also, for an organization to embrace integrated risk-based audit planning, the risk management system should be sufficiently mature. Future studies could apply the proposed framework to various organizations in different countries and engage more practitioners in the data collection. In AHP-group decision making, other aggregation methods, such as the Bayesian approach and the Delphi technique, can be employed to achieve a consensus in future research. In determining the membership degree using the FCE method, other membership functions, such as triangular or trapezoidal functions and even nonlinear functions, can be used. More studies on risk reduction value would also be beneficial to auditing research.