ABSTRACT

Risk-based auditing has become a key characteristic of modern internal auditing. A control's usefulness depends on its ability to mitigate a risk adequately, so that the resulting potential impact and/or likelihood lies within the acceptable risk appetite. Risk-based auditing consists of understanding three components: prioritizing the objectives, reviewing the objectives in relation to risks, and ranking the mitigating controls so only the key ones are tested. Traditional auditing often consisted of controls-based auditing, and auditors whose focus was disproportionately centered on compliance reviews should be aware of the risk of testing controls by rote. A risk-based audit approach makes it possible for internal auditors to prioritize activities in the internal audit universe, which consists of the entire range of auditable activities that are relevant to the organization and on which the internal audit function must provide assurance. Risks should be tested in descending order: higher risks, and their related controls, first.