The need to manage risk is an essential part of good corporate governance practice and risk based internal audit is an approach that internal auditors can take to support management in mitigating business risk. The UK Institute of Chartered Internal Auditing defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organization’s overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.
Risk audit means auditing the things that really matter to an organization. According to internal audit expert Phil Griffiths, “the essence of risk-based audit is therefore customer-focused, starting with the objectives of the activity being audited, then moving on to the threats (or risks) to achievement of those goals and then to the procedures and processes to mitigate the risks. Risk-based audit is therefore an evolution rather than a revolution, although the results obtained can be revolutionary in their magnitude.”
RBIA is a proactive approach compared to other internal audit approaches such as compliance audit, which seeks to verify that the organization is compliant with applicable laws and regulations, and systems-based audit (SBA), which follows a small number of transactions from start to finish to test whether a system operates effectively. Unlike the others, RBIA builds on the SBA approach to focus on the areas of highest risk to the business and uses a different starting point: business objectives rather than controls. The recommendations made are also risk-evaluated to ensure maximum benefit and buy-in by management.
By following RBIA, internal audit should be able to conclude that:
- Management has identified, assessed and responded to risks above and below the risk appetite
- The responses to risks are effective but not excessive in managing inherent risks within the risk appetite
- Where residual risks are not in line with the risk appetite, action is being taken to remedy that
- Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively
- Risks, responses and actions are being properly classified and reported.
In sum, RBIA focuses on the key risk areas proportionate to the potential exposure of the company and helps the company to reduce the overall level of risk.