Those business functions or processes with residual risk above a certain level are considered candidates for potential internal audit projects. The first question, however, is what expertise or resources are needed to best address the residual risk. Can management address the risk directly without an intervening internal audit project? In some cases, risks identified during the assessment process can be directly addressed by management. In other cases, the legal department, the compliance department, or the external auditors may be the most appropriate resource. Those functions or processes most appropriately addressed by the IAD are entered into the internal audit plan. That plan is reviewed with senior and business unit management and must be approved by the audit committee.