Risk based internal auditing


What is risk based internal auditing?

Let’s go back to basics:

Risk based internal auditing starts with all the risks of the organisation and aims to provide assurance that these risks are being reduced down to an acceptable level by internal controls.

What is different about risk based internal auditing?

Internal audits are carried out in many ways and it is therefore difficult to say how risk based internal auditing differs from ‘normal’ internal auditing. However, there are two common types of internal audit:

The problem with these types of audits is that they may not be checking for internal controls which reduce the biggest risks threatening the organisation’s objectives. So risk based internal auditing starts with all the risks threatening the achievement of the organisation’s objectives.

There are more details about the differences in Book 1.

How do I carry out a risk based audit?

There are free resources available on this site to help you (click the hyperlink for more details):

If you have any comments to make, please e-mail me.


A target set by an organisation.

Internal control

A response to a risk. Responses may be:

Tolerate: take no action.

Termination: end the operation threatened by the risk.

Transfer: move the risk to another organisation, for example, insurance.

Treat: introduce processes to reduce risks.


A set of circumstances that hinder the achievement of objectives.

Internal auditing

Internal auditing provides an independent and objective opinion to an organisation’s management as to whether its risks are being managed to acceptable levels.