Questions about Risk Based Internal Audit

I have a couple of exciting things to share with you.

First, I am close to finishing my new book on Risk Based Internal Audit, and anticipate it will be ready for purchase in the next couple of months. Stay tuned for the announcement when it is ready.

Learn more about how you can become a Certified Risk Based Internal Auditor™ through cRisk Academy and really show people you understand risk based internal audit.

Second, I participated in a webinar on “The Evolving Role of Internal Audit” with MetricStream this week and discussed Risk Based Internal Audit (RBIA). After the webinar I received several questions that I thought others may also be interested in having answered. The questions and answers are included at the bottom of this post.

Please feel free to ask questions in the discussion box below and I will get them answered over the next few weeks.

You can access the slides and audio of this webinar through the Store.

Third, I have a few more Certified Risk Based Audit courses I am teaching the remainder of this year through Leoron Professional Development Institute. You can get more information about these courses, and get registered, at The next sessions are being held:

  • 14-18 September 2014, Riyadh, KSA
  • 19-23 October 2014, Muscat, Oman
  • 14-18 December 2014, Dubai, UAE

This course is a five-day course on Risk Based Internal Audit, and participants in the training who pass the exam at the end of the course also receive the Certified Risk Based Auditor certification designation. A great opportunity to get trained and walk away with another certification for your professional CV.

Best of luck with your risk based internal auditing endeavors. Please let me know if there is anything I can do to help.



Q. What do you think about a different department, who focuses more on assessing risk like an ERM (enterprise risk management) department, determining the audit plan for IA?

A. The Chief Audit Executive (CAE) and internal audit activity is the one responsible for determining the audit plan. Consideration should be made as to what other groups like ERM have assessed as the high risks to the organization. The annual audit plan must be based on a risk assessment, undertaken at least annually, but does not need to be performed by the internal audit activity. If the internal audit activity has tested the ERM process, and is comfortable with the assessment of risk done by the ERM group, the ERM risk assessment should be a major input into the audit planning process.

Q. Isn’t there a danger of Internal Audit not being recognized when we give advice rather than pointing out the problems that exist?

A. One of the main roles of internal audit is to identify when the conditions do not match the criteria upon which we are to audit. This is usually considered “pointing out the problems” but still needs to be done. We should, however, also praise parts of the business where we see them reducing risks to an acceptable level and when we identify, as part of our audits, that the business has a good internal control environment and has reduced risks to an acceptable level. When we do risk-based audits we are still pointing out problems when they exist; the difference is we are showing how those problems may lead to the organization not meeting its objectives – a much more powerful statement to managers.

Q. Can you highlight on the definition of “integrated audits” and the trends on it?

A. Integrated audits means combining one or more types of audit into one audit project (financial, controls, IT, compliance, operations). There is a growing trend towards integrated audits for several reasons. First, IT is such a huge part of business now that it is difficult to separate the audit scope from the IT component. Also, it is usually more efficient to perform an integrated audit, especially when it requires travel to a particular location. For example, it is cheaper to do several types of audits in one audit project at a remote location instead of traveling back for each type of audit.

Q. From a CMMi perspective, i.e., to gauge what maturity level or extent IA function is embedded in an organization, can a similar CMMi model be applied to IA to ensure effective evolution of Governance, Risk and Compliance (GRC)?

A. I am not familiar with a particular maturity model for an internal audit activity. There is some information in the CBOK study by the IIA showing what we should be doing in the future (the 10 items I shared), but not all internal audit activities need to be a best-in-class organization. This will mainly depend on the expectations of its stakeholders (management and the board). An organization could develop a maturity model upon which to assess its internal audit activity. In regards to GRC, the risk based audit approach I mentioned relating to performance, risk and compliance of an organization is consistent with the OCEG GRC Capability Model, which is the only international source for a GRC framework (more info at The risk based audit approach I discussed is in line with auditing a GRC capability within an organization.

Q. Is there a split for how much time we should spend auditing what’s in the light vs. in the dark…any benchmark or info available?

A. We should be spending all of our time auditing in the dark if that is where the highest risks to our organization exist. Risk based auditing focuses on those areas that have the greatest impact on our organization not meeting its key objectives. Sometimes those areas are ones we are familiar with, but I would say often they are the “in the dark” items where we may need more specialized help to perform the audit. I am not aware of a specific benchmark, but my guess is 75% of internal audit activities spend a lot of their annual budgeted time auditing areas they are comfortable with, or have audited regularly in the past. As auditors, we often do not like to get out of our comfort zone.

Q. We use a business objectives-driven risk and control evaluation and feel pretty good about our tool; we need help with a tool to evaluate economies and efficiencies in processes.

A. Feel free to reach out to me separately at: [email protected] so I can get more clarification about what exactly you are looking for and if I can help provide you with something.

Q. How do you ensure all units are covered over a 2-3 year period when a risk based approach to auditing is adopted?

A. Risk based auditing is not concerned with having coverage every 2-3 years of particular locations or parts of the organization. There are some aspects and locations of an organization that are either so low risk or so immaterial that they may never require an audit. Others may warrant an audit every year because of their risk profile. I do not advocate thinking in a coverage or rotation mindset unless the organization has mandates from regulators to visit locations regularly (e.g. bank regulations that usually require an audit of each branch every three years).

Q. You talked extensively about the need for a paradigm shift from the conventional mode of audit to the risk based auditing model, and from your description of the risk based audit process, it is very similar to the risk control self-assessment (usually done by the operational risk unit, at least in my bank). Are these two one and the same, or are there any differences between them?

A. The difference between risk based audit and the risk control self-assessment process is two-fold. First, control self-assessments are usually performed by management (often with validation by auditors, but not all the time) and not an independent, objective assurance function. As you mentioned, in your bank this is performed by the operational risk unit (as part of their management and monitoring of the process), not by internal audit.

The other difference is the level at which the areas are selected for review. Risk control self-assessments start by listing all of the controls in the organization and then risk rank these for testing. A risk based audit plan starts by considering the key objectives of the organization, the strategies the organization is using to meet those objectives, and identifies risks related to those objectives and strategies. Those risks are then ranked to determine the highest to the organization and then the internal audit activity selects audit projects to ensure the necessary actions and controls have been put in place by management to ensure those risks are reduced to an acceptable level. At the end of the day, the auditor is still testing controls, but only those key controls related to key organizational objectives.
