The Institute of Internal Auditors (IIA) defines risk-based internal auditing as a method that links internal auditing to a company’s overall risk management framework. A risk-based internal audit (RBIA) focuses on a company’s response to the risks it faces in achieving its goals and objectives. 

A company’s board of directors has the overall responsibility and accountability for risk management, internal control, and corporate governance within the organization. An RBIA allows the internal auditors to assure the board of directors that the organization’s risk management processes are managing risks effectively in relation to its risk appetite. 

An RBIA is different from other types of audits because it’s based on business goals and the risks associated with those goals. That means the internal auditors not only manage the internal control activities, but they also help an organization develop its risk management processes by defining its risk landscape.

The benefits of a risk-based internal audit:

  • Developing a consistent and comprehensive approach to risk management makes it easier for an organization to adapt to changing conditions;
  • Provides a better understanding of the risks and enables the organization to better manage the risks;
  • Enables the internal auditors to correctly identify risks and allows management to put the correct internal controls in place to ensure the best performance;
  • Makes it easier for the business to understand its risks and the actual effects of those risks.

What internal auditors should do when conducting risk-based internal audits

Understand the business, its objectives, and risks: 

A risk-based internal audit requires that internal auditors understand the company’s strategies, goals, and objectives. The internal auditors must have deep knowledge of the business, including its strengths, weaknesses, and challenges, so they can focus their audits on the most critical risk areas.

Get management involved

When the internal auditor’s design a risk-based auditing and monitoring program, they should work closely with senior management to align business strategy and risks. This enables management to assist the internal auditors to conduct an accurate risk assessment of various business areas. It also helps the internal auditors to understand the company’s risk tolerance and thresholds.

Determine management’s risk tolerance and appetite

Risk appetite is the amount of risk exposure that a company is willing to accept. Stakeholders must set risk thresholds so they can identify when and where they need to implement internal controls. 

Internal auditors have to identify and understand the risk management policies that are in place, along with the risk appetite at the individual and organizational process levels. The internal auditors then need to determine the risk tolerance of the management and board, to establish a starting point for independent risk assessments. 

Assess risk impact and likelihood

After the internal auditors have identified the key risks, they need to assess those risks to determine the likelihood that they will occur, the impact on the organization should they occur, and management’s ability to mitigate the risks.