
Understanding and practicing risk-based internal auditing

Recently, I have shared a number of related posts on risk-based internal auditing (RBIA) that received a lot of attention:

One of the comments was by a CAE, Paul Hicks (thank you), who said that he had been practicing risk-based internal auditing for 15-20 years, ever since it came out. He was referring to a 2003 Position Paper on Risk Based Internal Auditing from what is now the Chartered Institute of Internal Auditors (UK and Ireland). Unfortunately, it is no longer available on the Institute’s website, so I have made my copy available here: https://app.box.com/s/5mjlzotbcqoejup5ffyk9oga5ht8teli.

The Position Paper did not invent risk-based internal auditing. I recall discussing it 30 years ago with practitioner, teacher, and author David McNamee – as discussed in a post of mine for the IIA in 2003: Explaining Modern Risk-Based Auditing.

This old Position Paper has some excellent content that is worth reading, including (with my emphasis):

The objective of RBIA is to provide independent assurance to the board that:

  • The risk management processes which management has put in place within the organisation (covering all risk management processes at corporate, divisional, business unit, business process level, etc.) are operating as intended.
  • These risk management processes are of sound design.
  • The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level acceptable to the board.
  • And a sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat.

RBIA starts with the business objectives and then focuses on those risks that have been identified by management that may hinder their achievement.

The role of internal audit is to assess the extent to which a robust risk management approach is adopted and applied, as planned, by management across the organisation to reduce risks to a level that is acceptable to the board (the risk appetite).

This guidance is supplemented with an excellent and simple flowchart. There are also these points:

  • The key starting point is to determine that appropriate objectives have been set by the organisation and then to determine whether or not the business has an adequate process in place for identifying, assessing and managing the risks that impact on the achievement of these objectives.
  • The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by the risk appetite) or to facilitate and/or agree improvements as necessary.

The only change of significance I would make today would be to change the focus from risks that “may hinder their achievement” to a more inclusive discussion that recognizes that management needs to take risk and seize opportunities through informed and intelligent decision-making. Risks (what might happen, both good and bad) need to be at desired levels, not necessarily lowered.

[A quick example from my books: When I was at Tosco, the Treasurer only invested overnight funds in the safest government securities. My auditor, Laura, pointed out that the company was trading derivatives and the risk we were taking in these two activities was inconsistent. After consulting with the CFO, the Treasurer modified the investment policy to include allowing the purchase of less secure securities.]

I would also add the need to maintain the audit plan at the speed of risk. Listen to this video with a CAE who has implemented continuous audit planning at the speed of risk (or speed of the business, if you prefer).

Let me close with a video by my good friend, Richard Chambers, President and CEO of the IIA. It is the latest in his series, IA Insight and Advice. Audit Reporting at the Speed of Risk.

Richard makes some good points and I added this in my comments to him on Twitter:

Richard, excellent topic and points. We talked about this in our video.

    1. Tell them what they need to know, no more
    2. Tell them when they need to know
    3. Tell them in a way [that is] readily consumed
    4. Most important, tell them in person and discuss
    5. Write later if needed

What do you think?

Should the IIA (Global) update and issue this guidance?

Should it update the Standards to be consistent with modern risk-based internal auditing practices?

By the way, as you will know I have written several books on internal auditing that explain all of this, most notably Auditing that Matters. I will soon be announcing the publication of a book of case studies with an accompanying discussion guide that will help practitioners further enhance internal auditing practices.

  1. June 4, 2020 at 11:07 AM

    Norman, I was quite involved in the development of risk based internal auditing within the IIA (UK and Ireland) in the early 2000’s since I was a member of the Technical Development Group. I helped write the PG ‘An approach to implementing Risk Based Internal Auditing’ published in 2006, which is why some of the appendices are similar to those on my website (www.internalaudit.biz).

    But let's drop the ‘risk based’ part. As has been referred to above, all internal auditing is ‘objective based’. Why? Well, internal audit is all about controls. Controls exist to mitigate risks. Risks threaten the achievement of objectives. So unless IA understands the objectives of the organization, they are never going to understand the controls it requires. That’s why I now think IA should provide an opinion on the achievement of objectives, not on risks or controls.

    However, RIBA (let’s call it that for now) means big changes for many IA departments. As you probably found, copying the audit work done by the last audit, or using questionnaires is out. Audits are very difficult to budget, since the team is operating in areas it may never have audited. Specialists may have to be used. Also, since management are responsible for identifying risks, it is these risks on which the auditing needs to be based – not IA’s list of risks.

    So, in answer to your questions: yes, the guidance and standards should be updated to reflect risk-based internal auditing. But I don’t think we’re only talking about a change of wording; we’re talking about a whole different approach.

    • Norman Marks
      June 4, 2020 at 11:25 AM


      Can you explain your idea further? How do you provide an opinion on the achievement of objectives? Are you providing an opinion on whether the likelihood of achieving objectives, considering past performance and what lies ahead, is at acceptable levels? That would be consistent with my approach to ERM.

      • June 4, 2020 at 11:34 AM

        Yes, I am providing an opinion on whether the objectives of the area audited are likely to be achieved based on management’s correct identification of the risks threatening those objectives, and opportunities benefiting them, and the existence and operation of controls which should bring opportunities and risks to levels acceptable to the board. (To paraphrase a 109 page book)

        • Norman Marks
          June 4, 2020 at 11:35 AM

          That presumes an audit of performance reporting?

          • June 4, 2020 at 12:06 PM

            Yes. That could also be part of an audit covering the decision making process, since information (including performance reporting) is an important part of that.
            Incidentally, can we replace ERM with EOA (Enterprise Objective Achievement)?

            • Norman Marks
              June 4, 2020 at 12:09 PM

              How about EM – effective management?

              You can’t assess the likelihood of achieving objectives if you haven’t audited how you know where you are now.

  2. June 4, 2020 at 2:45 PM

    Hello Norman, thanks for some helpful historical perspective on the evolution of internal auditing and the link to the video series. Here are some thoughts I’m wrestling with regarding IA evolution.

    The objective-risk-control (ORC) linkage or paradigm explained by COSO in 1994 is fundamental to what IA does. Management sets objectives and hopefully does a good job identifying risks and mitigation steps, then IA figures out how we can contribute to achieving those objectives, while helping protect the company from bad things happening.

    While audits of financial reporting, legal compliance, and IT may be against specified criteria in industry frameworks, the operational/strategic audits require a bit more creativity, as the ORC structure may not be apparent.

    For those, the state of the art for a long time in operational audits was to improve the processes most aligned with important objectives, typically immature processes that management wasn’t happy about.

    However, a recent evolution in this process-based approach is that with better technology and metrics, we may be able to micro-target within processes on specific issues or risk areas. For example, if we have reporting of process defects available, we can drill down on those without blind sampling. This borrows a bit from Six Sigma thinking. Management may report the defects, but doesn’t have the time or resources to dig into the root cause, so they call IA.

    So as we try to focus our efforts, a modern auditor may ask: What are the processes that align with the metrics you want to achieve? What are the defects in those processes? If they don’t have visibility to defects, that’s an important finding. Once they do, IA can help dig into them.

    • Norman Marks
      June 4, 2020 at 4:13 PM

      David, thank you for the comment.

      I have had no problem performing operational auditing the same way. What could go wrong, and what do I need to go right, in my processes to achieve my objectives? That helps me focus on those aspects of the processes that are important. It enables me to include the adequacy of the human side of processes: enough people who are competent to perform the work.

      With respect, my idea of the modern auditor is one who uses all appropriate tools to provide the opinion explained in the Position Paper (with my modification).

  3. June 6, 2020 at 4:11 AM

    Norman, I’ve just dug out my comments on the proposed changes to the standards in 2016. I don’t think they have changed:
    ‘I believe the Standards need revising because the emphasis and environment of internal audit work has changed. In particular, it has now been clearly established in the regulations of most countries that the Board of Directors is responsible for identifying, assessing and managing risks. This moves internal audit’s work away from its own risk assessment (2010 interpretation as amended and 2010.A1) to an assessment of the organisation’s own risk management framework and whether this is suitable as a basis for risk-based planning. Standard 2120 is close to this approach but does not require the evaluation of risk management before planning or a report to the board if the risk management framework is not suitable for planning. Standard 2110.A3 covers this subject at engagement level.
    The changes to internal audit’s approach driven by external changes have resulted in Standards which need reordering and rewording. Continually ‘tinkering’ by making minor amendments has not produced Standards suitable for the current environment in which the internal audit activity operates.’
    The current standards are not helped by the absence of a clear ‘audit trail’ from the mission statement to the core principles to the standards (including the definition of internal audit). The core principles seemed to come out of nowhere and there has been no attempt to rewrite the standards with reference to these principles.

    • Norman Marks
      June 6, 2020 at 5:58 AM

      Well said.

      Your last point is one I made when we concluded the task force writing the Core Principles. The Standards and related guidance (PA/PG) need to explain what is needed to achieve the Principles.

  4. Sadaqat Ali khan
    June 16, 2020 at 12:31 AM

    This is a right identification of internal auditor on risk management.

  5. AntiRBIA
    July 17, 2020 at 1:58 AM

    I think it is good to provide heretical perspective here to develop this.

    After a near 20-year track record of dismal failure, isn’t it time for RBIA to be junked and new paradigms to be developed?

    Most of what passes for RBIA is nothing more than a massive rebranding of previous audit approaches. It is little more than a practitioner con trick.

    Most corporate risk appetite statements are farcically generic, and so many Heads of Audit trod like sheep to base their ‘risk based plans’ on risk registers they know are nonsense, but which enable them to sleep well at night, as the IIA can claim another pyrrhic victory for a methodology that has failed and so-called Audit Committees can tick that ‘We’ve got a risk based approach’ box, knowing it’s a massive smoke and mirrors exercise.

    More epicyclic than Ptolemaic astronomy, so-called developments in RBIA, via practice notes, standards (!!!!) and guidance, ensure the internet is clogged up with pleas for developing risk approaches. These pleas often have a quixotic character, promising nirvana but in reality recommending obvious false dawns, or worse, reverse alchemy!!

    It’s way past the time for this internal audit charade to end. Dump RBIA: invent a new paradigm.

    • July 17, 2020 at 4:22 AM

      Could you suggest what the new paradigm might look like?

    • Norman Marks
      July 17, 2020 at 6:51 AM

      How about practicing enterprise risk-based auditing the way it should be performed, consistent with the IIA UK guidance and what I have written?

      You say it has failed but I fail to see it practiced!
