Best Practices for Conducting a Risk-Based Internal Audit

Introduction

Over the last few years, cybercrime has grown both in volume and in the variety of methods cybercriminals use. As a result, organizations have recognized the need to manage risk and have adopted it as a crucial part of good governance practice.

A Risk-Based Internal Audit (RBIA) focuses on the organization’s response to the risks it faces in achieving its goals and objectives. An RBIA differs from other types of audits in that it is based on the business goals and their associated risks. With this approach, internal auditors take on additional responsibilities: they not only manage the control activities, but also make an important contribution to the development of the risk management processes by defining the organization’s universe of risk.

This article focuses on RBIA and describes a method that uses risk assessment as the focal point for selecting the high-risk fields. This saves time and cost in the audit, because controls with only a minor impact on business risk are placed in a different “bag.”

Benefits of Conducting an RBIA

Writing in the European Journal of Accounting, Auditing and Finance Research, Dr. Vahit Ferhan Benli and Duygu Celayir summed up the idea of a risk-based internal audit: “RBIA is an audit approach on the basis of determining the risk profiles of the businesses, shaping the audit progress according to the risk profile of the business and allocating the audit resources according to this profile to improve the efficiency of the audit.”

The RBIA is an approach that makes the internal audit review more efficient and more focused on the business needs and, consequently, on the service under analysis. In this sense, management will benefit from greater input into the “shape” of the audit review, ensuring that key concerns and significant risks are considered within (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pedro Tavares. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/3mOgtb1ndn0/