
The simplest way to think about risk-based audit conceptually is to audit the things that really matter to your organisation.

PHIL GRIFFITHS

The essence of risk-based audit is that it is customer-focused, starting with the objectives of the activity being audited, then moving on to the threats (or risks) to achievement of those goals and then to the procedures and processes to mitigate the risks.

A risk is any event or circumstance that could affect the achievement of business objectives.

Compliance
This is where Internal Audit began. It is still a valid approach but is rather limited in its focus, as it tends to concentrate efforts on whether or not the procedures and policies are being adhered to.

System Based Auditing (SBA)


This is the approach adopted by more modern Internal Audit functions. Essentially, SBA entails reviewing an activity across the organisation and looking for areas where there are inconsistencies or where interfaces are incomplete.

Risk-based audit
Risk-based audit builds on the SBA approach, focusing on the areas of highest risk to the business, and uses a different starting point: business objectives rather than controls.

The next step in the RBA approach is to perform a Risk Assessment (RA).

Its purpose is to identify and focus our audit on the areas that are of greatest risk to the companies we audit. The Risk Assessment is designed to assist in understanding, identifying and evaluating the key business risks that have an impact on the entity's ability to achieve its business objectives.

Updating our understanding of the company's business.
Identifying key processes and associated business risks.
Evaluating the risks associated with each major process identified.
Validating coverage of risk categories and processes with Management.
Mapping the processes to the objectives and strategies of the company.
Preparation of the audit work program.

There are two elements of risk:

The consequence (also called the impact).
The likelihood (also called probability).

We use a risk rating of High (H), Medium (M) and Low (L). A colour scheme is used to indicate the risk rating.

HIGH (H)

MEDIUM (M)

LOW (L)

Risks are prioritized based on their severity, since some risks are more significant than others.

In summary, risk-based auditing aids in widening the audit coverage, tackling some of the non-traditional areas, and focusing on helping management achieve its objectives. It requires a demonstration of greater knowledge of the business and, more importantly, allows a much broader level of assurance to be given to the Board.
