Best Practices in Risk-Based Internal Auditing

by Sheryl Vacca

Executive Summary

  • Agree on a common framework for the risk-based auditing and monitoring program.

  • Assess risks across the enterprise and then prioritize them by looking at the likelihood of occurrence and impact for the organization.

  • Develop a risk-based auditing and monitoring plan from the identified risk priorities.

  • Execute a corrective action plan developed by management to mitigate risks and/or resolve risks.

  • Assess the auditing and monitoring process for effectiveness.

Getting Started

In designing risk-based auditing and monitoring activities, it is important that the internal auditor works closely with the organization’s senior leadership and the board, or committee of the board, to gain a clear understanding of auditing and monitoring expectations and how these activities can be leveraged together to help minimize and mitigate risks for the organization. These discussions should also include leadership from the legal, compliance, and risk management functions, if they are not already a part of the senior leadership team.

This process should include performing periodic audits to determine compliance with respect to applicable regulatory and legal requirements, and to provide assurance that management controls are in place for the detection and/or prevention of noncompliant behavior. Additionally, risk-based auditing and monitoring should include mechanisms to determine that management has implemented corrective action through an ongoing performance management process to address any noncompliance.

Once the common framework for the risk-based auditing and monitoring program has been established, four key tasks must be performed:

  1. Assessment and prioritization of risks, conducted enterprise-wide;

  2. Development of a risk-based auditing and monitoring plan;

  3. Execution of a corrective action plan developed by management to mitigate risks and/or resolve risks;

  4. Periodic assessment of the overall process for effectiveness.

Risk Assessment

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) helped to define “risk” as any event that can keep an organization from achieving its objectives.1 According to the COSO model, risk is viewed in four major areas:

  • operational (processes and procedures);

  • financial (data rolling up to internal/external statements);

  • regulatory (federal, state, local, organizational policy);

  • reputation (institutional).

There are several ways in which risk assessments in these areas can be conducted. These include the use of:

  • focus groups to assist in the identification of risks;

  • interviews of key leadership and the board;

  • surveys;

  • reviews of previous audit findings and of external audits conducted in the organization, together with identification of what is occurring within the industry and the local market.

Once risks have been identified, a prioritization process is needed to establish the likelihood of each risk occurring, the ability of management to mitigate it (i.e., are controls in place for the risk, regardless of its likelihood of occurring?), and the impact of the risk on the organization. Risk prioritization is an ongoing process and should include periodic reviews during the year to ensure that previous prioritization methods, when applied in real time, are still applicable to the risk.

It is important that senior leadership participate in, and agree with, the determination of the high-risk priorities for the audit and monitoring plan. This will ensure management buy-in and focus on risk priorities. Also, with managers involved at the development stage of the plan, they will be educated as to the type of activities being planned and the resources needed to conduct these activities. Hence, during the plan year, if there are changes, management will understand the need for additional resources or a change in focus in the plan as the business environment and priorities may change.

Developing the Plan

The Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing, Standard 2120, says: “The internal audit activity must evaluate the effectiveness and contribute to the improvement of the risk management processes.”2

This is done through the development and execution of the risk-based auditing and monitoring plan.

Risk assessments and prioritization are important elements in the development of your risk-based auditing and monitoring plan. Considerations related to the plan should also include:

  • Review of other business areas in the organization that may already be conducting an audit or monitoring activity in this area:

    • If so, could you leverage this resource for assistance in completing the stated activity, or utilize their activity and integrate the results into the overall plan?

  • Resources available to implement the plan:

    • Do you have the appropriate resources for the subject matter as needed within your department? (If not, is there subject matter expertise somewhere else in the organization?)

    • If subject matter requires outsourcing, budget considerations and overall risk priorities may need to be re-evaluated.

  • Hours needed to complete the plan

  • Projected timeframes

  • Defined auditing or monitoring activities and determination as to whether they are outcomes or process oriented

  • Flexibility incorporated into the plan to address changes in risk priorities and possibly unplanned compliance risks/crises which may need an immediate audit or monitoring to occur.

IIA Standard 2120.A1 identifies the focus of the risk assessment process: “The internal audit activity must evaluate risk exposures related to the organization’s governance, operations, and information systems regarding the:

  • Reliability and integrity of financial and operational information;

  • Effectiveness and efficiency of operations;

  • Safeguarding of assets;

  • Compliance with laws, regulations, and contracts.”

The process of risk assessment continues through the execution of the plan where the engagement objectives would reflect the results of the risk assessment. Risk-based auditing and monitoring is ongoing and dynamic with the needs of the organization.
