Risk-based internal auditing – is your organisation ready?

According to the results of external quality assessments by the Chartered IIA, some audit leaders do not position the work of internal audit within the context of an organisation’s risk framework. There may be good reason for this, but it can also be due to lack of awareness.

The phrase ‘risk-based internal auditing’ (RBIA) has become commonplace since its introduction in 2005 and applies to all sectors. It is often taken for granted that everyone understands what it is.

In this article, we explore the question so you can answer it for yourself. We will get back to basics, taking a look at what it really means, when to use it and what to do if your organisation is not quite ready for it.

Short for time? Skip ahead to ten reasons to embrace RBIA.


RBIA defined

The Institute defines RBIA as a methodology that links internal auditing to an organisation's overall risk management framework.

It is not as simple as auditing the top risks on the organisation's risk register!

RBIA provides assurance that risks are being managed within a defined risk appetite.

Using this approach, internal audit can report on the effectiveness and efficiency of the processes, policies and governance in place to manage risks to the level considered acceptable by the board.

The key to RBIA is risk management: specifically the maturity of the organisation’s approach to it.

RBIA goes beyond the traditional approach of auditing objectives, processes and controls; it audits risk. By establishing the risks to achieving objectives, it enables internal audit to align directly with the purpose of the organisation.

An RBIA methodology has three important stages. Firstly, it assesses the organisation's risk maturity and the reliability of risk information produced by management. Secondly, at a strategic level it determines the…