
Risk based internal auditing

What is risk based internal auditing?

Let’s go back to basics:

Risk based internal auditing starts with all the risks of the organization and aims to provide assurance that these risks are being reduced down to an acceptable level by internal controls.

What is different about risk based internal auditing?

Internal audits are carried out in many ways and it is therefore difficult to say how risk based internal auditing differs from ‘normal’ internal auditing. However, there are two common types of internal audit:

The problem with these types of audits is that they may not be checking for internal controls which reduce the biggest risks threatening the organization's objectives. So risk based internal auditing starts with all the risks threatening the achievement of the organization's objectives.

There are more details about the differences in Book 1.

How do I carry out a risk based audit?

There are free resources available on this site to help you (click the hyperlink for more details):

If you have any comments to make, please e-mail me.


A target set by an organization.

Internal control

A response to a risk. Responses may be:

Tolerate: take no action.

Termination: end the operation threatened by the risk.

Transfer: move the risk to another organization, for example, insurance.

Treat: introduce processes to reduce risks.


A set of circumstances that hinder the achievement of objectives.

Internal auditing

Internal auditing provides an independent and objective opinion to an organization's management as to whether its risks are being managed to acceptable levels.

Aim of this site

To provide practical ideas as to how to implement risk based internal auditing. It’s based on my 30 years' experience of accounting systems, about half of these being in the internal audit department of a UK company (£5bn turnover), where I was the Head of Audit (Chief Audit Executive).