(IIA UK) - Position Statement - Risk Based Internal Auditing

The document discusses risk-based internal auditing (RBIA) and provides guidance on its approach and practice. RBIA focuses internal audit work on the risks that could prevent an organization from achieving its objectives. It involves understanding management's assessment of risks and basing audit efforts on that process. The role of internal audit is to evaluate whether the organization has adequate and effective risk management processes in place and operating as intended to reduce risks to acceptable levels set by the board. The document also outlines different internal audit approaches that may be adopted depending on the maturity of an organization's risk management processes.


Position Statement
The Institute of Internal Auditors – UK and Ireland

Risk Based Internal Auditing


Introduction

The focus of internal audit work has shifted dramatically over the last decade. There has been a move from systems based auditing to process based auditing and the current emphasis is on Risk Based Internal Auditing (RBIA).

RBIA is a much used and much misunderstood term. This paper aims to set out the Institute’s position with regard to RBIA and to offer some high level guidance on how to approach it.

Context

The current definition of internal auditing is that it is:

“An independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes”

RBIA is an approach that can help to meet these requirements. The Standards for the Professional Practice of Internal Auditing and the associated Practice Advisories emphasise adopting a risk-based approach to internal auditing.

This approach is also consistent with the Turnbull guidance Internal Control: Guidance for Directors on the Combined Code, which requires directors to adopt “a risk-based approach to establishing a sound system of internal control and reviewing its effectiveness”, and to embed risk management and internal control into the culture of the organisation.

Internal auditors need to adopt a risk-based approach compatible with that adopted by their organisation. There are many approaches which could be adopted by internal audit depending on the extent to which internal audit is able to rely on the risk management processes across the organisation. This enables the auditor to avoid duplicating processes already carried out by management, and allows him or her to question management’s processes or conclusions.

Internal auditors might say that they have always focused their efforts on the riskier areas of the organisation. However, this approach has historically been directed by internal audit’s own assessment of risk. The key distinction with RBIA is that the focus should be to understand and analyse management’s assessment of risk and to base audit efforts around that process.

What is Risk Based Internal Auditing?

The objective of RBIA is to provide independent assurance to the board that:

• The risk management processes which management has put in place within the organisation (covering all risk management processes at corporate, divisional, business unit, business process level, etc.) are operating as intended.
• These risk management processes are of sound design.
• The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level acceptable to the board.
• And a sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat.

RBIA starts with the business objectives and then focuses on those risks that have been identified by management that may hinder their achievement.

The role of internal audit is to assess the extent to which a robust risk management approach is adopted and applied, as planned, by management across the organisation to reduce risks to a level that is acceptable to the board (the risk appetite).

While internal audit’s main contribution is to provide assurance on management’s treatment of risk (through governance and control processes) it may also advise management on other aspects of their response to risks such as decisions to terminate, transfer or tolerate risks.
The Risk Based Internal Auditing approach is described schematically below (the original diagram is reproduced here as a step-by-step flow):

1. Corporate Objectives
2. Identification of risks to achieving objectives
3. What is the risk appetite of the business?
4. Is the risk management process an adequate and effective process for identifying, assessing, managing & reporting on risk?
   • Yes: Use organisation’s own view of risk as far as possible
   • In between: Facilitate refinement
   • No: Facilitate risk identification with management
5. Determine risk universe
6. Determine scope and priority of assignments
7. Based on risks select areas for review
8. For each area, review adequacy of risk management processes to identify & manage risks
   • Where largely OK: Evaluate processes and determine how management gain assurance that the risk management activities are being carried out as intended
   • Where not OK: Facilitate risk identification and assessment, covering inherent risks, mitigation and residual risks
9. Give assurance where OK and facilitate improvement where not

The practice of Risk Based Internal Auditing

Points of information:

• The scope of risk-based internal auditing includes strategic and business risks.

• The key starting point is to determine that appropriate objectives have been set by the organisation and then to determine whether or not the business has an adequate process in place for identifying, assessing and managing the risks that impact on the achievement of these objectives.

• In a mature risk management environment the focus of internal audit work may be:
  – Auditing the risk management infrastructure, for example, resources, documentation, methods, reporting.
  – Auditing the whole system of internal control for the complete organisation and for individual departments.
  – Carrying out individual audit assignments that are predominantly about specific risks. Where a number of risks are controlled through a common system or process, it may be appropriate to perform a combined audit of that system or process.

• In less mature risk management environments, where individual audit assignments predominantly focus on complete systems, processes or business units, internal audit needs to review business objectives and risk management processes within each of these auditable entities.

• Where risk management processes are adequate and embedded, internal audit aims to rely, where possible, on the organisation’s own view of the risks in order to determine the audit work that it needs to carry out.

• Where the risk management processes cannot be relied on, internal audit needs to undertake its own risk assessment (in conjunction with management) to determine the precise level of the work required and then focus on how management assures itself that the risk management activities are operating as intended.

• The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by the risk appetite) or to facilitate and/or agree improvements as necessary.

Risk management continuum

It is important to understand that not all organisations are at the same stage of risk management implementation. The following table sets out a range of stages of risk management maturity and the internal audit approach that might be adopted at each stage:

Risk Maturity | Key Characteristics | Internal Audit Approach
--- | --- | ---
Risk Naive | No formal approach developed for risk management | Promote risk management and rely on audit risk assessment
Risk Aware | Scattered silo based approach to risk management | Promote enterprise-wide approach to risk management and rely on audit risk assessment
Risk Defined | Strategy and policies in place and communicated. Risk appetite defined | Facilitate risk management/liaise with risk management and use management assessment of risk where appropriate
Risk Managed | Enterprise wide approach to risk management developed and communicated | Audit risk management processes and use management assessment of risk as appropriate
Risk Enabled | Risk management and internal control fully embedded into the operations | Audit risk management processes and use management assessment of risks as appropriate

Each organisation must determine how it wishes to implement risk management. This will help determine its appetite for risk and the level of its risk maturity. For example, not all organisations will wish to become completely “risk enabled” as they may need to weigh up the costs against their views on the potential benefits. It is for the board of directors and senior management team to determine how far along the continuum they wish to travel.

In addition to risk management maturity within an organisation, the extent to which internal audit needs to undertake its own risk assessment also depends upon the degree and speed of strategic and organisational change.

When undertaking an audit of a project, the risk management processes covering projects in general and also those specific to the individual project need to be covered.

Conclusion

RBIA does not preclude the use of systems-based and/or process-based auditing as circumstances dictate. It is, however, an approach that focuses on the issues that matter to the organisation and on providing assurance on the risk management framework adopted by the organisation. RBIA will enable internal audit to link directly with the risk management framework thereby leveraging synergies.
Glossary of terms

Risk: the chance of something happening or not happening that will have an influence upon the achievement of business objectives.

Risk identification: the process of determining what can happen, why and how.

Risk analysis: the systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences. Measured in terms of impact and likelihood.

Risk appetite: the level of risk that the board or management is prepared to live with. This is likely to be different for each of the risks that have been identified.

Risk evaluation: the process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

Risk assessment: the overall process of risk analysis and risk evaluation.

Risk management: an iterative process consisting of steps, which when taken in sequence, enable continual improvement in decision-making. It is the logical and systematic method of identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organisations to minimise losses and maximise opportunities. (Australian/New Zealand Standard on Risk Management AS/NZS 4360)

Management of risk: the means by which an organisation elects to manage individual risks. These may be by treatment (i.e. to reduce impact or likelihood), termination, transfer, or the organisation may decide to tolerate the risks.

Risk management activities: the methods by which an organisation chooses to manage its risks as outlined above. This replaces the traditional approach that focused purely on internal controls.

Inherent (gross) risk: the status of the risk (measured through impact and likelihood) without taking account of any risk management activities that the organisation may already have in place.

Residual (net) risk: the status of the risk (measured through impact and likelihood) after taking account of any risk management activities that the organisation may have in place.

About Position Statements

The Institute of Internal Auditors – UK and Ireland (IIA) is the primary body representing, promoting and developing the professional practice of internal auditing in the UK and Ireland. Position statements are part of a range of technical and professional guidance prepared by the Institute for its members. They are designed to clarify the Institute’s official policy position on important and potentially complex matters confronting internal auditors.

Disclaimer

This technical guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The Institute of Internal Auditors – UK and Ireland recommends that you always seek independent expert advice relating directly to any specific situation. The Institute accepts no responsibility for anyone placing sole reliance on this technical guidance.

www.iia.org.uk
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
Telephone 020 7498 0101 Fax 020 7978 2492
Email [email protected] www.iia.org.uk
© The Institute of Internal Auditors – UK and Ireland Ltd, August 2003
