In any risk-based audit, there should be a random component to ensure that the criteria used to identify the most risky cases are valid. There is therefore always a random component, so as to confirm risk management.
On November 26th, 2009. See this statement in context.