I'll try to give that a start.
At CIDA we have a strong mix of processing tools in our risk management tool box. We assess risks at the program level, the country level, the recipient level, the individual assessment level. We have a risk framework that helps us determine the level of administration a recipient would be bound to provide—depending on the situation in the country, the amount of the contribution, whether it's a grant, whether there is local capacity, whether there are known quantities, and depending on their financial capacity.
That would drive whether and how we do a recipient audit—for example, whether we do that at the desktop by seeking information from the recipient on details of their payments and the cost they've incurred, or whether we actually go and do an audit of the individual project.
We can't audit everyone around the world, but in terms of our audit plans, they are risk-based audit plans that are renewed every year.