Risk-based Internal Audit:
An internal methodology that focuses primarily on the risks inherent in a company's system is called Risk-Based Internal Audit (RBIA). It is a risk-management framework that provides the necessary assurance that the management and the Board of Directors are managing the key risks as per the defined risk appetite level. Before that, however, one needs to know what internal audit is and that there are two types of internal audit: checklist-based and risk-based.
Key Considerations in Risk-based Internal Audit:
There are several points that must be considered as key basics while carrying out a risk-based internal audit. These key considerations are:
- Getting a proper understanding of the business, its objectives and the risks involved- The scope of a risk-based audit is broad and requires the internal auditor to have a proper understanding of the goals, aims, objectives and strategies of the organization. Auditors must have thorough knowledge of the business, including its strengths and weaknesses, the risks involved and the challenges it faces. This helps the auditors plan the audit around the critical risk areas. It is the duty of the auditors to dig deeper and find all the risk factors related to the compliance, information technology, technical and legal departments.
- Getting the management involved in the risk-based internal audit- While designing a risk-based monitoring and auditing program, the internal auditors work closely with the management team and the senior leadership of the company. This is done to align the mission of the audit with the issues, risks and strategies of the management. The management can help the auditors through regular communication, dialogue and assistance in conducting a true and fair risk-based internal audit and assessment in every business area. Since management is the owner of the risks involved in the company, it should agree on the high-risk priorities in the audit and must collaborate with the auditing team. This can be of great help in achieving transparency and audit services that are designed optimally for the organization's key risk areas.
- Determining the risk tolerance and the risk appetite of the management- Acceptable risk, or risk appetite, is the term used for the amount of risk exposure that a business will willingly take and accept. It is the duty of the stakeholders to set the risk threshold for identifying the controls to implement and when and where they must be implemented. This whole procedure is very important for the management and the company in order to distinguish the risks that are easy to handle and can be taken by the company from the risks that require necessary protection for carrying the business functions forward. When the auditors understand the management's tolerance towards the key risks, they can easily report any control gap that breaches the tolerance threshold and treat it as a critical issue.
- Assessing the impact and likelihood of risk- Once the risks are identified, the auditor needs to assess them to determine their impact on the company and their likelihood, and also to gauge the management's ability to mitigate and control these risks. The result of assessing the effectiveness of the processes and determining whether the management is appropriately addressing the most significant risks can be useful in planning the whole risk-based internal audit activity.