www.sci-p.uz
II SON. 2025
833
AN ANALYTICAL MODEL FOR DEVELOPING INTERNAL AUDIT PROGRAMS
BASED ON A FOUR-DIMENSIONAL RISK INDEX (LEGAL, FINANCIAL,
RESOURCE, AND ORGANIZATIONAL RISKS)
Saitmuratov Saitmurat
Urgench State University named after Abu Rayhan Biruni
ORCID: 0009-0008-2048-319X
Abstract.
This paper proposes a four-dimensional risk index model for designing internal
audit programs in the public sector. The model integrates legal, financial, resource, and
organizational risks to provide a comprehensive framework for risk-based audit planning.
Through simulation involving hypothetical departments, the study demonstrates that aggregate
risk scores can mask the diversity and specificity of underlying risk categories. By decomposing
audit risk into distinct dimensions, the model enhances audit targeting, supports transparent
decision-making, and aligns with international internal audit standards. It also proves
particularly useful in environments with limited data availability. The model’s adaptability and
clarity make it suitable for both manual and automated audit planning processes. While future
enhancements could include dynamic weighting and digital integration, the model as presented
already offers a robust and practical approach to prioritizing internal audit activities and
improving public sector governance outcomes.
Keywords:
internal audit, public sector, risk index, audit planning, legal risk, financial risk,
resource risk, organizational risk, audit program, strategic auditing, risk-based audit,
governance, internal control, audit prioritization, compliance.
ICHKI AUDIT DASTURLARINI TO‘RT O‘LCHOVLI XAVF INDEKSI (HUQUQIY,
MOLIYAVIY,
RESURS VA TASHKILIY XATARLAR) ASOSIDA ISHLAB CHIQISH UCHUN TAHLILIY MODEL
Saitmuratov Saitmurat
Abu Rayhon Beruniy nomidagi
Urganch davlat universiteti
Annotatsiya.
Ushbu maqolada davlat sektorida ichki audit dasturlarini loyihalash uchun
to‘rt o‘lchovli xavf indeksi modeli taklif etiladi. Model huquqiy, moliyaviy, resurs va tashkiliy
xatarlarni integratsiya qilgan holda, xavfga asoslangan audit rejalashtirish uchun kompleks
doirani taqdim etadi. Gipotetik bo‘limlar ishtirokida o‘tkazilgan simulyatsiya orqali tadqiqot
ko‘rsatadiki, umumiy xavf ballari asosiy xavf toifalarining xilma
-xilligi va xususiyatlarini
yashirishi mumkin. Audit xatarlarini alohida o‘lchamlarga ajratish orqali model auditni aniqroq
yo‘nalti
rishni, shaffof qaror qabul qilishni va ichki auditning xalqaro standartlariga mos kelishni
ta’minlaydi. Bundan tashqari, model ma’lumotlar yetarli bo‘lmagan muhitlarda ham foydali
ekanligini isbotlaydi. Modelning moslashuvchanligi va aniqligi uni qo‘lda h
am,
avtomatlashtirilgan audit rejalashtirish jarayonlarida ham qo‘llashga mos qiladi. Kelgusidagi
takomillashtirishlar ichiga dinamik og‘irlik berish va raqamli integratsiya kiritilishi mumkin,
biroq taqdim etilgan model allaqachon ichki audit faoliyatini ustuvorlashtirish va davlat sektori
boshqaruv natijalarini yaxshilash uchun kuchli va amaliy yondashuvni taqdim etadi.
UOʻK:
330.131.7
833-840
www.sci-p.uz
II SON. 2025
834
Kalit so‘zlar:
ichki audit, davlat sektori, xavf indeksi, audit rejalashtirish, huquqiy xavf,
moliyaviy xavf, resurs xavfi, tashkiliy xavf, audit dasturi, strategik audit, xavfga asoslangan audit,
boshqaruv, ichki nazorat, auditni ustuvorlashtirish, muvofiqlik.
АНАЛИТИЧЕСКАЯ МОДЕЛЬ РАЗРАБОТКИ ПРОГРАММ ВНУТРЕННЕГО АУДИТА НА
ОСНОВЕ ЧЕТЫРЕХМЕРНОГО ИНДЕКСА РИСКА (ПРАВОВЫЕ, ФИНАНСОВЫЕ,
РЕСУРСНЫЕ И ОРГАНИЗАЦИОННЫЕ РИСКИ)
Саитмуратов Саитмурат
Ургенчский
государственный
университет
имени Абу Райхана Беруни
Аннотация.
В данной статье предлагается модель четырехмерного индекса риска
для проектирования программ внутреннего аудита в государственном секторе. Модель
объединяет правовые, финансовые, ресурсные и организационные риски, обеспечивая
комплексную основу для риск
-
ориентированного планирования аудита. С помощью
моделирования с участием гипотетических подразделений исследование показывает,
что агрегированные баллы риска могут скрывать разнообразие и специфику отдельных
категорий рисков. Разделяя аудиторские риски на отдельные измерения, модель
повышает точность целенаправленного аудита, способствует принятию прозрачных
решений и соответствует международным стандартам внутреннего аудита. Модель
также особенно полезна в условиях ограниченной доступности данных. Благодаря
своей
адаптивности и ясности, модель подходит как для ручного, так и для
автоматизированного планирования аудита. В будущем модель может быть дополнена
динамическим взвешиванием и цифровой интеграцией, однако уже в представленном
виде она предлагает надежный и практичный подход к приоритезации внутреннего
аудита и улучшению результатов государственного управления.
Ключевые слова:
внутренний аудит, государственный сектор, индекс риска,
планирование аудита, правовые риски, финансовые риски, ресурсные риски,
организационные риски, программа аудита, стратегический аудит, риск
-
ориентированный аудит, управление, внутренний контроль, приоритезация аудита,
соответствие требованиям.
Introduction.
In the modern governance of the public sector, internal audit has increasingly become an
essential instrument for ensuring transparency, accountability, and risk mitigation.
Traditionally perceived as a compliance-focused function, internal audit today is undergoing a
transformation toward a more risk-based and strategic orientation, particularly under the
influence of international standards and reforms initiated by global organizations such as the
Institute of Internal Auditors (IIA) and the OECD. This shift requires a rethinking of how audit
programs are designed, especially in environments characterized by diverse, complex, and
multidimensional risks.
"Internal audit must be strategically aligned with organizational risks to provide
assurance where it matters most" (Spencer Pickett, 2010). In this context, developing a
systematic and multi-criteria model to prioritize audit objects has become a priority for public
sector institutions. One of the major challenges, however, remains the accurate identification
and categorization of risks that affect audit objects from multiple dimensions.
Literature review.
Recent studies emphasize the necessity of adopting broader analytical models that
consider not only financial irregularities but also governance-related risks, legal compliance,
www.sci-p.uz
II SON. 2025
835
and resource constraints (Rylska Nataliya, 2018; Van Rensburg Jo, 2014). For example, Rylska
(2018) introduces the concept of the
Value-Added Management Partner (VAMP)
paradigm,
under which internal audit becomes a strategic advisor focused on institutional performance
improvement. "Public-sector internal audit is evolving beyond simple control functions to serve
as a partner in policy and strategic development" (Rylska Nataliya, 2018). This view is
reinforced by international comparative studies that advocate for holistic risk assessment
frameworks (Zakiah Mohd Yusof et al., 2019).
While various capability maturity models (such as the IA-CM) have been proposed to
assess the development of audit functions, they do not fully address the challenge of translating
diverse risk indicators into operational audit programs (Van Rensburg Jo, 2014). To fill this gap,
the current research proposes a
four-dimensional risk index
that incorporates legal,
financial, resource, and organizational risks. This index is expected to serve as a comprehensive
framework for prioritizing internal audit activities in line with the strategic needs of public
sector institutions.
"Audit risk models used in public institutions often rely heavily on financial metrics,
ignoring other equally critical dimensions such as legal compliance and organizational
structure" (Alhendi Eyad, 2017). To address this limitation, the proposed model
operationalizes each risk dimension through specific indicators, allowing internal audit units
to quantify and compare risks across various entities and processes.
The literature also highlights that internal audit effectiveness is significantly influenced
by its independence and the institution’s capacity to implement its recommendations (Zakiah
Mohd Yusof et al., 2019). Therefore, any model aimed at improving audit planning should be
not only methodologically sound but also context-sensitive, incorporating governance realities
and data availability constraints.
In summary, this paper builds upon the existing div of knowledge by integrating
theoretical and practical insights into a unified analytical model that aims to elevate internal
audit programming through multi-dimensional risk assessment. The model's originality lies in
its ability to incorporate diverse risk categories in a way that is actionable and adaptable to the
internal audit environments of developing and transition economies.
Methods.
This study employs a qualitative-descriptive methodology grounded in document
analysis and conceptual modeling. The aim is to construct and validate an analytical framework
that enables the development of internal audit programs based on a four-dimensional risk
index encompassing legal, financial, resource, and organizational risk factors. The research
design is primarily exploratory, as it seeks to bridge the existing gap between theoretical audit
risk models and their practical implementation within public sector internal audit units.
The methodological approach begins with an extensive review of international internal
audit standards and practices, particularly the International Professional Practices Framework
(IPPF) issued by the Institute of Internal Auditors (IIA), and the Public Sector Internal Audit
Standards (PSIAS) used in several OECD countries. These documents provide foundational
definitions and principles for risk-based internal auditing, from which the key dimensions of
the proposed model are derived.
A thematic content analysis was then conducted on a range of dissertations, policy papers,
and audit evaluation studies drawn from international and national contexts, including
Armenia, the UK, South Africa, and Malaysia. The content analysis helped identify recurring risk
categories mentioned across different sources, such as legal exposure, financial
mismanagement, operational inefficiency, and organizational capacity challenges. Based on the
frequency and depth of discussion of these risks, four core dimensions were extracted: legal,
financial, resource, and organizational risks.
www.sci-p.uz
II SON. 2025
836
Each risk dimension was operationalized into a set of criteria or indicators. For example,
legal risk was defined to include the presence of unresolved audit findings related to
compliance with regulatory frameworks, while financial risk encompassed budget deviations,
irregular expenditures, and audit-qualified opinions. Resource risk considered shortages in
skilled personnel, outdated systems, and lack of physical infrastructure. Organizational risk
captured aspects such as audit committee inactivity, poor interdepartmental communication,
and weak leadership accountability.
To ensure coherence and relevance, expert validation was sought through informal
consultations with three experienced public sector auditors who reviewed the draft model.
Their feedback led to the refinement of the scoring scales and clarification of some of the
criteria definitions.
The final model was tested using a hypothetical case scenario involving three
departments within a fictional public agency. Risk scores were assigned based on simulated
data reflecting real-world audit issues. The purpose of this application was to demonstrate how
the model can differentiate audit priorities and assist in audit planning. The results of this
simulation were then analyzed to assess the internal consistency and practical utility of the
model.
The methodological strategy involved theoretical grounding, systematic document
analysis, expert input, and model simulation. While empirical field testing remains a future task,
this research provides a replicable framework that internal audit units in the public sector can
adapt and apply to improve the strategic focus of their audit programs.
Results.
1. Simulation outcomes of the four-dimensional risk index model
In order to evaluate the practical applicability of the proposed four-dimensional risk
index model, a simulation was conducted using hypothetical data from three illustrative public
sector departments. The objective was to determine how the model could be used to assess,
differentiate, and prioritize internal audit programs based on a structured assessment of legal,
financial, resource, and organizational risks.
Each department was scored on a 5-point Likert scale across the four defined risk
categories: Legal Risk (LR), Financial Risk (FR), Resource Risk (RR), and Organizational Risk
(OR), where 1 represents a very low level of risk and 5 represents a very high level. The total
composite risk score for each department was calculated by summing the values assigned to
each dimension. This scoring process was informed by criteria derived from literature,
professional internal audit standards, and common risk indicators observed in public sector
audit practices.
Below is a summary of the risk scores for each department:
Department
Legal
Risk
(LR)
Financial
Risk (FR)
Resource
Risk (RR)
Organizational
Risk (OR)
Total
Risk
Score
A (Health Services)
4
5
3
3
15
B (Municipal
Infrastructure)
3
3
5
4
15
C (Education
Management)
2
2
3
5
12
The simulation revealed significant differences in the risk composition of the
departments, even where the total scores were identical. For instance, although Departments
A and B both scored a total of 15, the nature of their risks varied. Department A was most
www.sci-p.uz
II SON. 2025
837
vulnerable to legal and financial risks, reflecting a history of compliance failures, budget
misallocations, and external audit criticisms. Department B, in contrast, was more heavily
exposed to resource constraints
—
such as outdated equipment and insufficient staff
—
and
organizational risks like delays in strategic decision-making and inefficient oversight
structures.
Department C showed comparatively lower legal and financial risk, but a very high
organizational risk due to leadership instability, a non-functional internal audit committee, and
weak accountability mechanisms. Although its total score was lower than the other two, the
elevated organizational risk indicated a strong need for internal control reforms and process
audits, which might otherwise have been overlooked in traditional risk models focused solely
on financial indicators.
This phase of the study demonstrated that the model could successfully highlight hidden
or underestimated risks by decomposing the overall audit risk into discrete, analyzable
categories. It also illustrated the importance of looking beyond aggregate scores when
determining audit priorities, as two departments with the same overall score might require
completely different audit approaches.
The simulation further suggests that such a model allows internal auditors to move from
reactive auditing
—
often based on past issues
—
to proactive auditing based on structured risk
prediction. This supports the strategic planning of audit resources, fosters better dialogue with
auditees, and enhances the transparency of audit program development.
2. Practical utility and thematic insights
The practical application of the four-dimensional risk index model demonstrated its
versatility and strategic value in public sector internal audit planning. By decomposing audit
risk into legal, financial, resource, and organizational categories, the model provided a
comprehensive view of institutional vulnerabilities that are often not captured by traditional
financial audits alone. Through its structure, the model facilitated prioritization, visual
comparison, and deeper understanding of the root causes of risks, enabling audit teams to craft
more targeted and effective audit strategies.
One of the most important findings was the model’s
ability to identify
risk concentration
patterns
within departments. Instead of evaluating institutions through a one-dimensional
lens (e.g., financial risk only), the model revealed which departments faced multidimensional
exposure and which ones had imbalanced risk profiles. For example, a department might be
financially sound but still warrant high audit attention due to severe organizational deficiencies
such as the absence of monitoring mechanisms, low managerial accountability, or a
dysfunctional audit committee.
The following table illustrates a thematic breakdown of how risk categories revealed
different audit needs across the simulated departments:
Risk Category
Key Indicators Used
Common Findings Across
Departments
Suggested Audit Focus
Areas
Legal Risk (LR)
Unresolved audit
issues, legal violations
Regulatory non-
compliance in
procurement (Dept. A)
Compliance audits,
review of legal contracts
Financial Risk
(FR)
Budget deviations,
misstatements
Cost overruns and weak
budget controls (Dept. A)
Financial audits, budget
control system
evaluations
Resource Risk
(RR)
Staff shortages, system
obsolescence
Outdated infrastructure
and undertrained staff
(Dept. B)
Operational audits, HR
and IT capacity
assessments
Organizational
Risk (OR)
Inactive audit
committees, weak
leadership
Poor oversight structures
and leadership gaps (Dept.
C)
Governance audits,
organizational
restructuring
www.sci-p.uz
II SON. 2025
838
These thematic insights show how the model aids in crafting
customized audit
interventions
based on the dominant risk typology. It moves the audit function beyond routine
compliance checks and enables it to address structural issues that have a long-term impact on
institutional effectiveness. For instance, in Department C, the high organizational risk score
suggested the need for governance improvement rather than a traditional financial audit,
despite relatively low financial risk indicators.
Furthermore, the model promoted
data-informed decision-making
in audit planning.
Internal auditors, when faced with multiple auditees and limited resources, often rely on past
experiences or external mandates to determine audit focus. The risk index introduced a more
transparent and justifiable basis for selection by providing quantifiable and comparable risk
scores.
The model also helped expose what could be termed as
"hidden risk zones"
—
departments that might appear stable in financial terms but are structurally weak. This insight
is particularly valuable for audit committees and senior management, as it allows them to
allocate oversight attention and resources to areas that could pose strategic risks in the future.
In conclusion, the practical utility of the model lies in its ability to combine simplicity and
depth. It is adaptable to different levels of organizational data maturity and can be used both
manually and digitally. Thematically, it pushes the boundaries of audit thinking by promoting a
shift from reactive to proactive, and from compliance-centered to risk-centered auditing. This
aligns closely with modern internal audit trends and international best practices in public
sector governance.
Discussion.
The application of the four-dimensional risk index model provides a compelling
advancement in the strategic orientation of internal audit functions within the public sector.
Through its structured yet flexible design, the model enhances the ability of audit units to shift
from conventional, finance-centric auditing to a more holistic, multidimensional evaluation of
risk. This transformation is consistent with the international trajectory of internal audit
reforms, which emphasize risk-based planning, proactive assurance, and organizational value
creation.
One of the central insights revealed through the discussion of the results is the importance
of
risk differentiation
, not just in intensity but also in category. The model’s decomposition of
risk into legal, financial, resource, and organizational dimensions allowed for nuanced
prioritization that would be unachievable through aggregate scoring alone. For example,
Department A and Department B received the same total score (15), but their audit needs
varied fundamentally due to the differing sources of risk
—
legal-financial in A versus resource-
organizational in B. This highlights a key contribution of the model: enabling
risk-type-specific
audit planning
, which supports more effective resource allocation and targeted audit
interventions.
From the radar diagram, it becomes immediately clear that each department exhibits a
different "risk shape." This visual representation supports more intuitive decision-making
during audit planning meetings or board presentations and strengthens the auditor's argument
for department-specific audit strategies.
Another important discussion point is the role of
organizational risk
, which emerged as
a silent but powerful dimension across all departments. While financial and legal risks are more
visible and quantifiable, organizational risks
—
such as lack of accountability, weak leadership,
or poor audit committee engagement
—
often remain underestimated. Yet, these issues
frequently undermine audit recommendations and limit the effectiveness of internal control
systems. Therefore, elevating the recognition of organizational risk within the audit planning
process is not only timely but essential for public sector resilience.
www.sci-p.uz
II SON. 2025
839
Figure 1. Risk Radar Diagram of Three Departments
Moreover, the model’s compatibility with
limited data environments
is particularly
beneficial for developing and transition economies. Unlike data-intensive audit maturity
models, this risk index allows for semi-quantitative assessment, expert judgment, or even
qualitative scoring where needed. This feature enhances its scalability and adaptability to
various institutional contexts.
Nevertheless, the model is not without its limitations. The current version assumes equal
weight for all four dimensions, which may not reflect the strategic priorities of every audit
entity. For instance, a finance ministry may wish to assign greater weight to financial risk, while
an education department might prioritize resource or organizational risk. Future iterations of
the model could incorporate
customizable weighting matrices
, enabling institutions to adjust
the model to fit their unique mandate and risk appetite.
To summarize, the proposed risk index model:
•
Encourages balanced, multidimensional audit planning.
•
Enhances visibility of less tangible but critical risk areas like organizational capacity.
•
Supports data-informed, transparent, and justifiable audit selection.
•
Offers a scalable solution for institutions with varying levels of audit sophistication.
In the broader context of public sector governance, this model represents a meaningful
step toward
integrated risk management
, linking internal audit more closely with strategic
planning and institutional performance. By embedding such a model into standard audit
program development, audit units can better fulfill their evolving role as agents of
accountability, foresight, and organizational improvement.
www.sci-p.uz
II SON. 2025
840
Conclusion.
The development and application of a four-dimensional risk index model for internal
audit program design marks a significant step forward in strengthening the effectiveness,
relevance, and strategic orientation of public sector auditing. This study has demonstrated that
assessing audit objects through legal, financial, resource, and organizational dimensions allows
internal auditors to move beyond traditional compliance-based methods toward more
proactive and risk-informed planning. The simulation revealed that departments with identical
total risk scores could possess vastly different risk profiles, necessitating tailored audit
approaches. This insight underscores the importance of disaggregating risks and
understanding their root causes in shaping audit strategies.
One of the model's key strengths lies in its adaptability. Whether used in resource-rich
institutions or in environments with limited data availability, the model can accommodate
different levels of audit maturity. Additionally, its ability to reveal “hidden” organizational
risks
—
often overlooked in conventional risk assessments
—
enhances the overall depth of audit
planning and supports institutional improvement from within.
By combining simplicity with analytical rigor, the model supports transparency in audit
selection, encourages accountability, and aligns closely with international internal audit
standards. It also lays the foundation for integrating audit efforts with broader governance and
performance goals. However, future refinements, such as introducing variable weightings or
automating the risk scoring process, could further enhance its utility.
In conclusion, the four-dimensional risk index model offers a valuable and replicable
framework for improving audit program development. Its application has the potential to
transform internal audit units into more strategic actors in public sector governance and
reform.
References:
Alhendi E.A. (2017) The Impact of Foreignness on the Compliance with the International
Standards for the Professional Practice of Internal Auditing.
–
University of Hull,
–
296 p.
Rylska N.S. (2018) Internal Audit as a Strategic Partner in Public Administration // Public
Policy and Administration.
–
Vol. 17(4).
–
P. 509
–
519.
Van Rensburg J. (2014) Internal Audit Capability: A Public Sector Case Study.
–
University of
Pretoria,
–
158 p.
Yusof Z.M., Simon J., Muda R. (2019) Internal Audit Effectiveness in the Malaysian Public
Sector: Framework and Determinants // Asian Journal of Accounting and Governance.
–
Vol. 12.
–
P. 63
–
79.
