5 Risk-Based Internal Auditing Approaches

Does your internal audit team struggle to battle audit fatigue? Are your audit customers disengaged or resentful because audits drag on for months with little relevant output? Choosing the right approach can help internal audit be recognized as a trusted advisor, promote customer engagement, and lead to more productive and insightful outcomes. Here are tips and techniques for five risk-based auditing approaches to alleviate audit fatigue for audit customers and position internal audit as a value-adding service provider for the organization, while building productive, collaborative relationships with stakeholders.

What Is a Risk-Based Approach in Auditing?

A risk-based audit approach starts with a risk universe as the basis for the audit plan. In a risk-based audit approach, the goal of the project is to address management’s highest-priority risks. Many audit departments think they are risk-based, but their audit plans are generally built from an audit universe consisting of departments, functions, or processes. A true risk-based audit approach starts with an assessment of management’s top risks and business objectives. All of the audits on the plan are designed to address those risks and provide insights back to senior management.

Risk-based audit plans rely on establishing the organization’s risk appetite, defining inherent risks facing the organization, and focusing on high-risk business processes. An organization may opt to undergo a formal risk assessment, ideally at least once each year. Many common risk management frameworks require companies to perform regular risk assessments as a best practice. Once risk identification has taken place, evaluations performed for each line item generate mitigation plans for each potential risk exposure, allowing the business to address those risk areas. In applying a risk-based approach to auditing, organizations seek to mitigate key risks and implement risk management processes and controls to protect the business from internal and external risks.

Some examples of risk management frameworks include:

• ISO 31000: Risk management standards
  • ISO’s standards and guidance are recognized internationally, however, ISO 31000 cannot be certified against.
• COSO: Enterprise Risk Management (ERM)
  • COSO’s popular Internal Controls framework has been adopted by many companies seeking to comply with SOX. Their ERM framework has five integrated principles for managing risk.
• NIST: Risk Management Framework (RMF)
  • As the National Institute for Standards and Technology in the U.S., NIST produces guidance and resources for implementing their RMF, which consists of seven core steps.

These frameworks can be leveraged by audit teams and company stakeholders like the audit committee to inform their risk approach.

As opposed to risk-based audit approaches, compliance-based audit approaches are grounded in strict criteria and are designed to evaluate an organization’s adherence to those criteria. Risk-based audit approaches allow for audit activities not directly related to any compliance objectives, while compliance audits are almost always designed to meet regulatory or compliance requirements. This means that compliance audits tend to have a fairly narrow and specific scope for their testing and procedures.

What Are the Benefits of Risk-Based Approaches in Internal Audit?

A risk-based audit approach allows internal auditors to respond to organizational risks more timely and provide insights to management to help solve problems at a regular cadence. Risk-based internal audits — sometimes known as “RBIAs” — get at the issues that are top-of-mind for senior management and leadership, allowing companies to tackle their biggest problems first, and head-on. Using a risk-based audit methodology allows for the identification of previously unrecognized risks, and may even reveal gaps that a traditional approach might have missed. Internal audit plans rooted in risk management practices provide audit resources with flexibility in how to design their audit process and audit activities, rather than prescribing specific requirements and scopes. Risk-based approaches allow audit teams to customize their audit activities to match the processes and controls that they are examining.

Traditionally, internal audit has embraced a controls-based approach that inspects and verifies compliance and financial controls are operating according to an established set of criteria. Increasingly, internal audit departments are turning to risk-based approaches, driven by a more forward-looking perspective aimed at addressing potential risks that could prevent an organization from achieving its objectives. The Institute of Internal Auditors (IIA) has many resources on auditing using a risk-based approach, including guidance on areas like IT governance that go beyond financial statement audits.

When risk-based approaches are paired with a service delivery mindset, it becomes apparent internal audits should not use a one-size-fits-all approach. An effective audit department can create a palette of approaches, making it possible to select the optimal approach on a case-by-case basis.

5 Proven Risk-Based Audit Approaches and Techniques to Enhance the Customer Experience

Here are five proven risk-based audit approaches and techniques to enhance the customer experience of an assurance or advisory engagement, as well as the ideal audit profile characteristics, success factors, and audit skills for each approach.

One more word of advice for organizing an audit: planning goes further than you’d think. Collaborating with the necessary stakeholders and communicating audit plans clearly can make the difference between a smooth audit and a bumpy one.

1. Rapid Assurance: Pledging Just One Week of Fieldwork

Specifically intended to reduce audit fatigue in processes where documentation is strong, Rapid Assurance involves performing all steps of a standard assurance engagement in a shortened time frame with a commitment to only one week of fieldwork. You could even think of these engagements as “mini audits.” Rapid Assurance can typically be divided into three phases covering 3–5 weeks:

Auditor Planning and Research (1-2 Weeks)

Auditor planning and research involves reviewing prior audit work papers and public documentation, preparing the work program, sending the request list, obtaining view access to document repositories, and performing testing.

On-Site Fieldwork (1 Week)

During on-site fieldwork, the auditor interviews customers, performs testing, obtains follow-up requests, conducts “End of Day” status meetings, and communicates draft findings to customers in a “soft” exit meeting.

Finalize Testing and Report Writing (1–2 Weeks)

Final testing and report writing encompasses the completion of testing, finalizing work papers and the audit report, and documenting agreed actions, owners, and target dates in the report.

Approach Profile: Rapid Assurance works best with relatively stable processes, people, and technology such as client onboarding, call center operations, or a third-party on-site review. Processes with strong documentation and records management practices make great candidates for Rapid Assurance, as do processes that have been previously audited with low-to-moderate residual risk.

Success Factors: It is important to plan ahead by giving early notification and getting a time commitment from the audit client. The audit engagement should have a well-defined and limited scope. Crucially, Rapid Assurance requires the auditor to maintain a singular focus and give full attention to only one audit at a time. The key to a successful Rapid Assurance is to recognize that complexity is neither created nor destroyed—it is simply transferred. The auditor shoulders more of the effort prior to and after the fieldwork so that the client can experience relatively light interaction during a swift week of engagement. Auditors must also receive their requested evidence and interviews in a timely manner, otherwise, the project can drag on.

Audit Skills: Given the shortened time frame, the auditor should have strong project management competencies and a deep knowledge of the process to be audited.

2. Project Assurance: Real-Time Feedback and Real-Time Assurance

During Project Assurance, the auditor evaluates the governance, risk management, and control capabilities of the project team to identify and manage project-related risks in real-time. They also take on a facilitator role by promoting risk and control dialogue throughout a project.

Approach Profile: This approach is ideal for a large-scale tool, process, or program implementation with an established end date, such as a data center move, new card production site, or new work management tool. ​​​

Success Factors: Auditors need to engage early in the project to provide support from initiation and design through building and configuration, testing and training, and finally implementation and monitoring. In each phase, internal audit partners with the program manager and product sponsor to provide real-time feedback. The auditor should clearly identify scope components based on relevant frameworks such as the Project Management Body of Knowledge (PMBOK). For a process or initiative impacting a large portion of the company, it is vital that there be a collaboration with all the stakeholder groups involved to ensure successful adoption. Periodic status meetings to align expectations are another key to this type of engagement.

Audit Skills: An auditor with prior project or program implementation experience would be a good choice to perform a Project Assurance approach, as would a subject matter expert or guest auditor from an advisory services firm who can help identify pitfalls.

3. Facilitated Self-Assessment: Helping Management Solve Problems

This workshop-style approach enables a department to examine and commit to improving governance, risk management, and/or internal controls for a process or function. In this type of approach, the audit professionals serve as facilitators of the conversation and try to encourage participation in the workshop. After all, when someone is involved in identifying a problem, they are more likely to be energized to fix it.

Approach Profile:  At its core, “facilitation” means to make an action or process easier, and this approach works well to assist leaders with expanded responsibilities to alleviate their challenges—particularly the tension between tactical execution and achieving a larger strategy. The session can be designed to help departments understand and identify their objectives, the risks associated with achieving those objectives, and the controls needed to address those risks. The workshop can enable the customer to become an internal auditor and assess their own processes. Facilitated Self-Assessment may also equip management to move toward a stronger risk and control culture by practicing real-life application of risk and control principles, and improving risk analysis and response capabilities.

Success Factors: The visible engagement of a senior leader is crucial to empowering team members to be honest and transparent in identifying challenges. Rigorous work session design and planning enables the session to proceed smoothly, as does using referenced guidance from a credible framework. It is important to set the expectation that this approach may require testing to be performed on select key controls, and may need to be iterative.

Audit Skills: To lead a workshop session, an auditor should have strong small-group facilitation skills and the ability to adjust an approach on the fly. An outward mindset and the ability to influence strong risk management and control behaviors will go a long way toward helping a department identify and commit to improving their response to the specific challenges encountered. Being able to explain why and how risks and controls interact in basic terms can help as well.

4. Maturity Models: Framing Assurance as a Journey

Using standard maturity models such as the Capability Maturity Model Integration (CMMI) or creating customized models, a Maturity Models approach enables auditors and audit customers to assess the current effectiveness of a process while also identifying the capabilities needed to improve the process to meet objectives.

Approach Profile: This approach works particularly well with combative or defensive customers who have had difficulty accepting a finding(s). By framing their process within the construct of a Maturity Model, internal audit is able to give the customer credit for what they are doing well in the context of a journey that includes areas for future improvement. A Maturity Model approach is also ideal for corporate processes and areas impacted by M&A or organizational restructuring, for evolving their people, processes, and technology. Organizations with mature controls may also benefit from this approach, as they can discover additional ways to supplement and augment their existing programs.

Success Factors: Breaking processes down into components enables the auditor to acknowledge strong controls while also identifying issues to be remedied. The Maturity Models approach can be useful in an independent advisory capacity or as an assurance engagement yielding actionable findings. The approach is particularly successful when it creates a more interactive experience of dialogue: the auditor allows the customer to weigh in on where they think they fit in a Maturity Model, and then requests evidence or facilitates a discussion to validate their perspective.

Audit Skills: The auditor must be comfortable explaining standard maturity models such as CMMI or their own methodology for creating a custom maturity model. The auditor must also be able to support their conclusions with evidence and confidence.

5. Data Analytics: Better Insight Through Data

Audit can incorporate data analytical techniques into engagements to provide richer insights, enhanced risk monitoring, and process efficiencies.

Approach Profile: Data analytics can be considered on every engagement and in all phases of an audit. It can be executed as a singular approach or coupled with any of the other four approaches. Auditors may need to get creative when assessing more qualitative data, but data analytics can be valuable in areas ranging from travel and entertainment to service desk incidents to enterprise program management.

Success Factors: Auditors must have the conviction that even the most basic data and inputs can generate insight when addressing full populations, and the ability to connect risk to data. Testing and audit activities can be very quick, but only if rigorous planning has been first mapped out. Auditors must be prepared to investigate unanticipated results without jumping to conclusions.

Audit Skills: The ability to collaborate with database administrators and reporting groups will make a data analytics approach go more smoothly. Ideally, the auditor will be an analytical, technical, and logical thinker with the ability to write scripts. However, you should not let a lack of technical knowledge prevent you from utilizing data analytics.

Ready to Implement a Risk-Based Auditing Approach? 

With a service delivery mindset and your own collection of risk-based approaches to choose from, your audit department will be in a strong position to select the best approach to create a trusted relationship with your customer as well as a beneficial engagement outcome. By thoughtfully tailoring the audit approach to each particular situation, internal audits can reduce audit fatigue, meet customers where they are, provide real-time assurance, and create a positive impact on their organization.

AuditBoard can help you implement a risk-based audit approach. You can find out more by checking out AuditBoard’s Audit Management Playbook.

Frequently Asked Questions About Risk-Based Audit

What Is a risk-based approach in auditing?

A risk-based approach in auditing starts with management’s objectives and identified risks rather than a specific audit plan or template.

What are the benefits of risk-based approaches in internal audit?

Taking a risk-based approach to internal audit helps build strong relationships with stakeholders, allows for flexible approaches to auditing, and ultimately leads to better, more insightful audit reports.

What is the difference between a compliance-based and risk-based audit?

A risk-based audit seeks to address risks identified by management while a compliance-based audit seeks to evaluate an organization’s adherence to a set of compliance criteria.