Internal Audit

Risk-Based Auditing: How to Focus on What Matters Most

Risk-based auditing is the modern internal audit methodology that allocates audit resources based on risk — ensuring that the highest-risk areas receive the most audit attention, and that the audit plan directly reflects the organization's risk landscape. This page covers the methodology, risk concepts, and practical tools for building a risk-based audit plan.

"A risk-based audit plan that avoids the organization's most significant risks is not a risk-based plan — it is a risk-avoidance plan."

Risk-based auditing (RBA) is the IIA-endorsed approach in which the internal audit function's work is driven by a systematic assessment of the organization's risks. Rather than auditing every area on a rotational schedule regardless of risk level, RBA allocates audit resources proportionate to risk — providing greater assurance coverage where failure would be most damaging and less coverage where risks are low or well-controlled.

Core Risk Concepts

Concept | Definition | Audit Relevance
--- | --- | ---
Inherent Risk | The level of risk before any controls are applied | Determines the natural risk exposure of an activity or process
Control Risk | The risk that existing controls fail to prevent or detect a material error or fraud | Assessed by evaluating control design and operating effectiveness
Residual Risk | The remaining risk after controls have been applied: Inherent Risk – Control Effectiveness | The actual risk faced by the organization; what the board relies on management to manage
Risk Appetite | The level of risk the organization is willing to accept in pursuit of its objectives | Determines which residual risks are acceptable and which require additional controls or audit attention
Risk Tolerance | The acceptable variation around a risk appetite — the operational range | Used to assess whether actual risk levels fall within acceptable boundaries

Building the Risk-Based Audit Universe

The audit universe is the complete catalogue of all auditable entities — every process, system, business unit, subsidiary, project, and activity within the scope of internal audit. Building the audit universe is the prerequisite to risk-ranking and audit planning.

  1. Identify all auditable entities: Revenue processes, expenditure processes, HR and payroll, IT systems, treasury, compliance functions, operations, contracts, projects
  2. Gather risk information: Prior audit findings, management risk assessments, regulatory reports, industry benchmarks, internal loss events
  3. Score each entity on risk dimensions: Financial impact, regulatory risk, reputational risk, operational risk, fraud risk, change risk
  4. Calculate a composite risk score for each auditable entity
  5. Rank the universe from highest to lowest risk
  6. Allocate audit resources proportionate to risk ranking

Risk Assessment Dimensions — A Practical Scoring Model

Dimension | High (3) | Medium (2) | Low (1)
--- | --- | --- | ---
Financial Exposure | >₦100M | ₦10M–₦100M | <₦10M
Regulatory Risk | CBN/SEC regulated; enforcement history | Some regulatory oversight | No direct regulation
Change Level | Major system or process change in period | Moderate changes | Stable, unchanged
Prior Audit Findings | Significant unresolved findings | Minor findings resolved | Clean history
Fraud Risk | High cash/asset handling, known red flags | Some exposure | Minimal exposure
Control Maturity | Weak or untested controls | Adequate but not tested | Strong, independently verified
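As an added worked example (not code from the original page), the following Python applies the six-dimension scoring model above to a constructed audit universe, computes each entity's composite score, ranks the universe, and splits an audit-hour budget proportionate to score (steps 4 to 6 of the procedure). The equal-weight sum, the optional `weights` dictionary, the entity names and the naira amounts are assumptions made for illustration; it also rejects a score outside the 1 to 3 bands, which is the most common data-entry error in a scoring sheet.

```python
from dataclasses import dataclass

HIGH, MEDIUM, LOW = 3, 2, 1   # scoring bands from the model above
DIMENSIONS = ("financial_exposure", "regulatory_risk", "change_level",
              "prior_findings", "fraud_risk", "control_maturity")

def score_financial_exposure(amount_naira: float) -> int:
    """Band a naira exposure with the table's thresholds (>₦100M high, ₦10M–₦100M medium)."""
    if amount_naira > 100_000_000:
        return HIGH
    if amount_naira >= 10_000_000:
        return MEDIUM
    return LOW

@dataclass
class AuditableEntity:
    name: str
    exposure_naira: float    # banded automatically via score_financial_exposure
    regulatory_risk: int     # 3 = CBN/SEC regulated with enforcement history, 1 = no direct regulation
    change_level: int        # 3 = major change in period, 1 = stable
    prior_findings: int      # 3 = significant unresolved findings, 1 = clean history
    fraud_risk: int          # 3 = high cash/asset handling, 1 = minimal exposure
    control_maturity: int    # 3 = weak/untested controls, 1 = strong, independently verified

    def dimension_scores(self) -> dict:
        scores = {"financial_exposure": score_financial_exposure(self.exposure_naira)}
        for dim in DIMENSIONS[1:]:
            value = getattr(self, dim)
            if value not in (LOW, MEDIUM, HIGH):   # catch scoring-sheet entry errors early
                raise ValueError(f"{self.name}: {dim} must be 1, 2 or 3, got {value}")
            scores[dim] = value
        return scores

    def composite_score(self, weights=None) -> int:
        """Step 4: weighted sum of the six dimensions (equal weights unless given)."""
        weights = weights or {}
        return sum(v * weights.get(k, 1) for k, v in self.dimension_scores().items())

def rank_universe(entities, weights=None):
    """Step 5: highest composite score first; ties broken by name so the plan is stable."""
    return sorted(entities, key=lambda e: (-e.composite_score(weights), e.name))

def allocate_hours(entities, total_hours, weights=None):
    """Step 6: split the audit-hour budget proportionate to composite score."""
    total = sum(e.composite_score(weights) for e in entities)
    return {e.name: round(total_hours * e.composite_score(weights) / total) for e in entities}

# Constructed sample universe (illustrative values, not from any real organization)
SAMPLE_UNIVERSE = [
    AuditableEntity("Treasury", 250_000_000, 3, 2, 3, 3, 3),    # composite 17
    AuditableEntity("Payroll", 40_000_000, 2, 3, 2, 2, 2),      # composite 13
    AuditableEntity("Facilities", 5_000_000, 1, 1, 1, 1, 2),    # composite 7
]
```

Calling `rank_universe(SAMPLE_UNIVERSE)` orders Treasury, Payroll, Facilities, and `allocate_hours(SAMPLE_UNIVERSE, 370)` gives 170, 130 and 70 hours respectively; because `round` is applied per entity, the allocations can differ from the budget by a few hours when the scores do not divide evenly.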

Continuous Risk Assessment

The audit plan is not static. Risk-based auditing requires continuous monitoring of the risk environment and willingness to adjust the plan when significant new risks emerge. Events that should trigger audit plan reconsideration include:

  • Major organizational restructuring or leadership changes
  • Significant system implementations or migrations
  • Regulatory changes or new enforcement actions in the sector
  • Whistleblower allegations or unexplained financial anomalies
  • Significant economic events affecting the operating environment

Key Takeaway

Risk-based auditing is the difference between an audit function that covers the organization and one that protects it. By allocating resources systematically based on risk, internal audit can provide the board and audit committee with meaningful assurance that the organization's most significant exposures are being monitored, tested, and reported on — not just the areas that are easiest or most comfortable to audit.
