What is Risk Based Internal Auditing?

Risk based internal auditing

What is internal auditing?

Internal auditing is fundamentally about internal controls. What are internal controls? They are processes which aim to prevent harm, sometimes called risks. If you need to cross a road, you look left and right to avoid being hit by a car. Risks exist because we have objectives, in this case, to cross a road. But since we have objectives, we also have opportunities to achieve them. If we see a subway we can seize the opportunity and cross under the road safely.

So turning that all round:

There are two types of process that are relevant to internal auditing:

Internal auditing checks that these processes are working to enable the achievement of objectives.

An internal audit department provides an opinion as to whether an organization is likely to achieve its objectives based on the management of opportunities and risks. In other words, do the decisions being made and the internal controls operating maximize the likelihood that objectives will be achieved?

Internal auditing used to be primarily concerned with financial systems and, possibly, computer controls. The term 'risk based internal auditing' is applied to audits decided on the basis of risks and the books available from this website use this methodology.

What’s the aim of this website?

The aim of this website, and the books and spreadsheets available from it, is to provide practical ideas on implementing internal auditing focused on the achievement of objectives. These ideas are not meant to represent ‘best practice’ but to be thought provoking.

There are four books with associated spreadsheets:

1. Book 1: Risk based internal auditing - an introduction. This introduces risk-based principles and details the implementation of risk based auditing for a small charity providing famine relief, as an example. It includes example working papers.

2. Book 2: Compilation of a risk and audit universe. This book aims to show you how to assemble a Risk and Audit Universe (RAU) for a typical company and extract audit programs from it.

3. Book 3: Three views on implementation. Looks at the implementation of risk based internal auditing from three points of view: the board; Chief Audit Executive (CAE); internal audit staff.

4. Book 4: Audit Manual. This shows the audit working papers from an accounts payable audit and therefore provides a detailed account of how a risk based audit is carried out in practice.

If you are interested in Specifying, Choosing and Implementing Computer Systems, check out my website at www.systemsimplementation.co.uk

Aim of this site

To provide practical ideas as to how to implement risk based internal auditing. It’s based on my 30 years’ experience of accounting systems, about half of these being in the internal audit department of a UK company (£5bn turnover), where I was the Group Head of Internal Audit (Chief Audit Executive).

Internal auditing

Internal auditing provides an independent and rational opinion to an organization as to whether it is likely to achieve its objectives, based on the management of opportunities and risks.

My comments to the IIA on their draft of Global Internal Audit Standards are here