What is Risk-Based Internal Auditing?

Risk-based internal auditing involves the targeting of internal audits at those areas of a business that have the most risk associated with them. This approach provides clarity to auditing priorities when the internal audit manager is receiving requests to conduct audits in many parts of a business.

Risk scheduling calls for a ranking system that is consistently employed, where the top audit projects are those where the target area could potentially place the business in grave financial danger. Other project requests with lower perceived risks are scheduled after these key projects. This approach results in an audit schedule that can be easily defended. If a senior manager wants to alter this schedule, he or she can be informed that doing so may place the company in jeopardy, which may gain their cooperation.

An audit schedule that is based on risk should be approved in writing by the audit committee. Doing so shifts responsibility for any schedule adjustments from the audit manager to the committee, which should be sufficiently senior to ward off any attempts to make alterations.