Implementation of a Risk-Based Internal Audit Approach According to International Internal Audit Standards
Authors: Fekir N., Fekir S., Chikhi B.
Journal: Science, Education and Innovations in the Context of Modern Problems @imcra
Issue: 4, vol. 8, 2025.
Free access
Risk-based internal auditing (RBIA) is at the forefront of internal audit practices. Nevertheless, there remains limited consensus on the best method for its implementation. This study aims to analyze how to implement the risk-based internal audit approach in accordance with the requirements of international internal audit standards. The study details all stages of implementing this approach through an organized methodology that contributes to achieving the organization's objectives. The findings indicate that adopting this approach enhances the efficiency of internal auditing by focusing on inherent risks that may affect the achievement of organizational goals. The study also demonstrates that compliance with international standards improves the accuracy of risk auditing and enhances the effectiveness of resource allocation. Finally, the study emphasizes the necessity of integrating internal auditing with risk management strategies to ensure the organization's success in achieving its objectives.
Short address: https://sciup.org/16010576
IDR: 16010576 | DOI: 10.56334/sei/8.4.16
Full text of the article: Implementation of a Risk-Based Internal Audit Approach According to International Internal Audit Standards
In light of the rapid developments in the business environment and the increasing complexities faced by organizations, there has been a need to develop the internal audit function to be more aligned with the requirements of governance, risk management, and internal control. Internal auditing is no longer limited to examining financial processes and reviewing compliance with policies; it has become a strategic tool that contributes to achieving the organization's objectives by providing insights and recommendations based on risk analysis. This transformation has led to the adoption of the risk-based internal audit approach as a modern and effective framework that integrates internal auditing concepts with risk management, enhancing the efficiency and effectiveness of audit activities and increasing their ability to add value to the organization.
The Institute of Internal Auditors (IIA) was established in 1941 in the United States to develop the internal auditing profession. In light of the developments in the international business environment on all fronts, internal auditing is required to keep pace with these developments. Therefore, the IIA reviewed the standards governing the work of internal auditors, making it an activity concerned with adding value to the organization by improving the effectiveness of control systems, risk management processes, and governance.
Problem Statement:
What are the stages of implementing the risk-based internal audit approach in economic institutions according to the requirements of international internal audit standards?
Study Objectives:
1. To understand the concept and methodology of implementing risk-based internal auditing.
2. To analyze the roles of this approach in improving internal audit performance and its contribution to corporate governance.
3. To identify the elements of effective implementation of risk-based internal auditing in economic institutions.
Study Significance:
The importance of this study arises from the increasing need to align internal audit practices with modern risk management concepts, especially in an environment characterized by change and disruption. It also contributes to bridging the knowledge gap on this topic in theoretical literature and provides an analytical framework that institutions can benefit from in enhancing the effectiveness of internal control systems and achieving added value from internal audit activities.
First: Concept of Risk-Based Internal Auditing (RBIA):
The Institute of Internal Auditors defines RBIA as a methodology that links internal auditing to an organization's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.
Risk-based internal auditing connects the planning of internal audit activities with the organization's overall risk management framework. It is the process through which the internal audit function identifies and assesses the impact and likelihood of various risks within the organization and the quality of internal controls that mitigate these risks.
It is also defined as the methodology that provides an independent and objective opinion to management regarding whether its risks are being managed to acceptable levels. The IIA agrees that the primary responsibility for risk management lies with management; however, internal auditors should assist management and the audit committee by examining, evaluating, and reporting on the adequacy and effectiveness of risk management processes.
The concept of risk-based internal auditing focuses on and prioritizes business and operational risks, as well as controlling risks that may occur. If internal auditing maturely engages with risk management, it will provide assurance to management regarding control procedures and risk management, contributing to creating value for the organization.
Third: Roles of Risk-Based Internal Auditing:
International Internal Audit Standard 2120, related to risk management, states that internal auditing must evaluate the effectiveness of risk management processes and contribute to their improvement. This means that determining whether risk management is being effectively conducted is a judgment resulting from internal auditing. The IIA has emphasized that management is responsible for making decisions related to risk responses, including risk acceptance or transfer, while the role of internal auditors is to provide advice, guidance, or validation of management's decisions regarding the risk management process without performing it or making decisions on its behalf.
In a position paper issued by the IIA, the role of risk-based internal auditing is described in the ERM wheel as follows:
Figure 01: Role of Risk-Based Internal Auditing in the ERM Wheel
Source: The Institute of Internal Auditors, The Role of Internal Auditing in Enterprise-Wide Risk Management, January 2009.
The activities on the left side of the figure represent the main roles of internal auditing, with the necessity to ensure the independence and objectivity of internal auditors. These are assurance roles aimed at providing assurance on the effectiveness of the risk management system in the organization, which are represented as follows:
• Providing assurance regarding the conduct of risk management processes;
• Providing assurance on the accuracy of risk assessments;
• Evaluating risk management processes;
• Auditing key risk management processes;
• Evaluating reporting on key risks.
The center of the figure illustrates the legitimate roles of internal auditing, with safeguards for independence and objectivity. These are advisory roles aimed at improving risk management processes and contributing to increased risk awareness and reporting on the effectiveness of risk management. They are as follows:
• Assisting in the identification and assessment of risks;
• Training management on risk response;
• Coordinating risk management activities;
• Enhancing risk reporting;
• Maintaining and developing the enterprise risk management framework;
• Supporting the formation of the enterprise risk system;
• Developing a risk management strategy after obtaining board approval.
The activities on the right side of the figure represent the unacceptable roles of internal auditing in risk management. These are roles that pose threats to its independence and objectivity, and are the responsibility of management. They include:
• Identifying core risks;
• Implementing risk management processes and having them under its control;
• Providing risk-related managerial assurances;
• Making decisions related to risk response;
• Executing risk response procedures on behalf of management;
• Being accountable for risk management.
Many studies have emphasized the need to develop the traditional role of internal auditing and move more towards achieving the organization's objectives, improving its processes, and adding value. These studies also highlighted the importance of the new risk-based internal auditing approach in enhancing the effectiveness of risk management, control systems, and governance. Additionally, they noted that the role of internal auditing has expanded to include advisory services alongside assurance, evaluation, and inspection services. (Al-Hamaki, 2020)
Internal auditing also evaluates internal control systems, which represent a set of procedures undertaken by the board of directors, management, and other parties to enhance risk management and increase the likelihood of achieving defined goals and objectives. Audit Standard No. 2130 (Control) states that internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency.
Fourth: Stages of Risk-Based Internal Auditing
According to the Institute of Internal Auditors (IIA), risk-based internal auditing passes through three stages, as follows: (Chartered Institute of Internal Auditors, 2023)
Stage One: Assessing Residual Risks
Obtaining an overview of the extent to which the board of directors and management have identified, assessed, managed, and monitored risks through:
1. Understanding the business environment of the organization: To conduct an effective risk assessment and develop management models, the internal auditor must understand the nature of the organization's business, its goals, and various processes. To achieve this, the auditor continuously collects information about business plans, operational processes, industry structure, competitors, etc. (Benli & Celayir, 2014, p. 5)
2. Risk assessment: When applying risk-based internal audit activities, it is necessary to determine the business condition by considering the areas of highest risk to allocate the most appropriate audit resources to those areas. Risk assessment should align with the current risk state. (NG & Chandrawati, 2022, p. 656)
3. Risk-based internal audit strategy: Risk-based internal audit must consider the following elements: (Sayeh, 2015/2016, p. 86)
4. Determining risk maturity level: Risk maturity is the organization's ability to adapt and implement risk management correctly and effectively at all levels, to identify, assess, and report on its risk positions that impact its objectives.
  o Strategy for assurance missions: Planning audit operations to provide assurances that control processes are functioning according to predetermined objectives or standards. In this context, International Internal Audit Standard No. 1220, under due professional care, states that the internal auditor must direct attention to significant risks that may affect objectives, processes, or resources. Even if assurance procedures are performed with due care, that alone does not guarantee identifying all major risks.
  o Audit planning framework: Risk-based internal audit planning is developed by analyzing the organization's risk register. Major risks that may impact organizational objectives and operations are identified. The risk register is a critical tool for identifying weaknesses in the internal system and areas needing improvement.
  o Strategy for advisory missions: In organizations with a low level of risk, the internal audit objective may be to allocate time to improve risk management processes. This type of consulting aims to enhance risk management in the organization. In this regard, International Internal Audit Standard No. 2010 indicates that when accepting an advisory mission, the chief audit executive must consider the potential to improve risk management, add value, and improve the company's operations. Accepted advisory missions must be included in the audit plan.
  o Mixed risk state: When risk management is conducted within a specific department of the organization, with other risks remaining in different departments, internal audit should not conclude that the organization's risk management is effective or that all risks have been effectively managed. Instead, a report should be issued indicating the existence of various risks not fully managed, and a detailed audit strategy should be developed for each department.
According to the concept of risk-based internal auditing (RBIA), the internal auditor prepares a detailed program based on risk analysis. International Internal Audit Standard No. 2210 – A1 states that it is necessary to identify and assess the risks associated with the audited activity. This helps direct resources toward the highest risk areas that require more auditing.
Stage Two: Periodic Audit Planning
During this stage, all areas where management requires objective assurance are identified and prioritized, including risk management processes, key risk management, risk recording, and reporting.
1. Developing a risk-based audit plan: International Internal Audit Standard No. 2010 emphasized the need to prepare a risk-based plan to set priorities aligned with the organization's objectives, considering the organization's risk management framework and the risk appetite determined by senior management at various levels. If the organization lacks a risk management framework, the internal auditor relies on their own risk assessment in consultation with senior management. The plan can be modified as needed to respond to changes in the business, risks, operations, programs, systems, and control measures at the organization level.
2. Requirements for building a risk-based audit plan: The implementation of a risk-based internal audit plan is based on four requirements: (Dahhou, 2018)
o Relying on specialists: Experts should be relied upon when auditing areas outside the auditor’s expertise, utilizing their knowledge of the field and surrounding conditions.
o Following a process approach: By evaluating the group of activities that make up the process under audit to identify strengths and weaknesses and improve the entire process.
o Conducting a self-assessment of internal control risks: Through workshops and meetings involving specialists to identify key risks and propose control solutions to reduce them.
o Using modern auditing techniques: These contribute to increasing accuracy and speed in internal auditing, in addition to raising its quality level.
Steps for Building a Risk-Based Plan:
To ensure the achievement of the second stage of risk-based internal auditing, internal auditing must also carry out the following steps: (Sayeh, 2015/2016, p. 88)
• Determine risk responses and management processes according to the required assurance objective: Internal auditing must review the assurance requirements requested by the audit committee, the risk register, and the list of all responses according to the assurance objective requirements, documenting the associated risk information.
• Classify and prioritize risks: Risks are classified and arranged logically, based on business units, objectives, functions, or systems, with priority given to the most significant risks that require careful auditing.
• Link risks to audit tasks: Internal auditing must link risks to the required audit activities, identifying the business unit responsible for each audit and verifying its response to the associated risks.
• Set a periodic plan for account auditing: The number of days required for each audit should be estimated, and it should be determined which audit operations can be performed with the available resources, with the preparation of a work plan that includes reporting to management and the audit committee.
• Submit reports to management and the audit committee: The periodic audit plan must be submitted for discussion with management and approved by the audit committee, providing details about the risks and the required assurances, and identifying the impact of resource constraints on the work. Here, the internal auditor must enjoy organizational independence within the organizational structure of the institution and report administratively to the highest level in the organizational structure. International Internal Auditing Standard No. 1110 indicates the necessity of providing this type of independence to facilitate the approval of the risk-based internal audit plan. Additionally, International Standard No. 2020 states that the internal auditor must inform management and the board of directors of the impact of limited resources on the work plan.
Stage Three: Periodic Execution of Auditing
Implementation of individual risk-based tasks to provide assurances regarding part of the risk management framework, including the mitigation of individual risks or risk groups. To ensure the achievement of the third stage of risk-based internal auditing, internal auditing must carry out the following steps: (Sayeh, 2015/2016, p. 93)
1. Create an audit mission plan:
International Internal Audit Standard No. 2200 states that the internal auditor should plan the audit mission, and this planning must include identifying objectives, scope, and specialized resources for the mission. The following matters must be considered: (Dahhou, 2018, p. 135)
• The objectives of the activity being audited, how its performance is monitored, and the means used;
• Identify high risks, objectives, resources, and operations related to the activity, focusing on the means used to keep the effects of these risks at an acceptable level;
• Evaluate the adequacy and effectiveness of risk management and control in this activity compared to a relevant framework or model;
• Discover opportunities to introduce significant improvements in the risk management and control process;
• The mission’s objectives, the institution's risks, and its ability to bear and respond to them, with evaluation in accordance with the institution's objectives.
2. Evaluate the effectiveness of risk management processes:
Internal Audit Standard No. 2120 emphasizes the importance of internal auditing evaluating the effectiveness of risk management and contributing to its improvement. Determining the effectiveness of risk management is a matter of judgment or opinion based on the internal auditor’s evaluation, confirming:
• The alignment of the organization's objectives with its mission and contribution to achieving it;
• Identification and assessment of high risks;
• Selection and implementation of appropriate strategies for managing risks in line with the organization’s risk appetite;
• Collecting and timely communicating relevant information to enable employees and management to perform their tasks effectively.
3. Evaluate the residual risk of the audited unit:
By taking more detailed procedures than in the first stage. The criteria used at this stage should be consistent with those used in the previous stage and in other situations. This task may include auditing risks identified by management that may require adding or relying on experts, and the mission objectives should reflect the results of this assessment.
In this context, International Internal Audit Standard No. 1210 states that the internal auditor must have sufficient knowledge to evaluate fraud risks and how the organization manages them; however, the auditor is not expected to have the same level of expertise as the person primarily responsible for detecting and investigating fraud.
4. Conclude the mission-level for perceived risk:
The internal audit function must provide assurance on whether the organization's initial risk assessment is effective or not, by comparing the expected risk with the actual risk.
5. Confirm the audit mission scope:
The scope of the audit mission should be comprehensive and sufficient to achieve the mission objectives.
6. Discuss and monitor control measures:
This represents the first stage of audit testing, aimed at analyzing the controls used to ensure the effectiveness of the risk management framework, with recommendations directed at enhancing the effectiveness of internal controls.
7. Verify evidence and guidance topics:
This activity includes providing additional evidence regarding the response to key risks and evaluating the effectiveness of control measures to support conclusions about them.
8. Document audit work results:
In risk-based internal auditing, information related to risks is documented, and recommendations are drafted in cooperation with risk management and internal auditing, where each conclusion and observation is linked to the existing risks.
9. Evaluate management’s estimate of residual risks:
This includes drawing conclusions and making recommendations regarding the areas specified in the risk register, the management's estimate of residual risks, and how management generally identified residual risks.
In this context, International Internal Audit Standard No. 2600 states that when the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, he must discuss the matter with management, and if unresolved, the board must be informed.
10. Conclusions on responses and risk management processes covered by the mission:
This includes all procedures and their effectiveness, and these conclusions are linked to the risks that were managed through the responses.
11. Report preparation:
International Internal Audit Standard No. 2060 states that the chief audit executive must periodically report to senior management and the board on the responsibilities, powers, objectives, and performance of internal auditing according to his work plan. The report must include the significant risks facing the organization, and risk-based internal audit reports must possess the qualitative attributes mentioned in International Standard No. 2420, namely: objectivity, accuracy, clarity, completeness, constructive impact, brevity, and timeliness. Also, according to International Standard No. 2440, the internal auditor must communicate the results of the audit mission to concerned parties who can ensure that these results receive adequate attention.
12. Monitor and follow up on reports:
By following up on the implementation of the recommendations mentioned in the reports. This follow-up may lead to increased reliance on internal audit and risk management activities. These activities are coordinated between the internal audit unit and the risk management unit, with the aim of effectively controlling risks and managing them in a way that reduces the organization's exposure to losses. International Internal Audit Standard No. 2500 emphasizes the need for the chief audit executive to prepare, implement, and update a system for following up on the results reported to management.
13. Summarize audit results for the audit committee:
By meeting the requirements of the regulations in force in the institution and complying with the requirements of the audit charter, and providing an opinion on the effectiveness of risk management to ensure the achievement of the organization’s objectives within reasonable limits.
14. Repeat the risk-based internal audit cycle:
As the final step of risk-based internal auditing, the audit cycle is repeated. The risk-based internal auditing (RBIA) methodology is cyclical, and the time interval between the review of internal audit risk assessments and audit planning depends on the nature of the organization and changes in circumstances.
All these stages were summarized by the Institute of Internal Auditors (IIA) in the following diagram:
Figure No. 04: Stages of Risk-Based Internal Auditing (RBIA)
Source: Chartered Institute of Internal Auditors, Risk-based internal auditing, 01 February 2023, p. 3.
Fifth: Requirements for Activating Risk-Based Internal Auditing
To implement the risk-based internal auditing approach, a set of requirements must be met within the organization, among internal auditors, and in the procedures and methods of auditing. Among these requirements are the following: (Al-Batoush, 2015)
• Preparing a work plan based on risk assessment, identifying risk factors expected to face the economic institution, including the policies and practices followed, information systems, and various operational processes;
• Applying the code of ethics to support the professional practice of internal auditing;
• Providing sound communication systems between the internal auditor, the board of directors, and executive management.
In addition to:
• The availability of a strong risk management framework, as an institution that lacks a strong risk management system and has a weak internal control system is not ready to implement the risk-based internal auditing approach.
• The necessity of sufficient independence for internal auditing so it can perform its role according to the risk-based internal audit approach, at an organizational level that ensures coverage and follow-up of its activities without interference from executive management, and provides direct communication with the board of directors or the audit committee.
• Expanding auditors' knowledge to include all risks facing the institution; therefore, specialized knowledge is very important, and in case it is not available within the institution, specialists from outside can be relied upon.
Also, senior management must ensure that: (Sayeh, 2015/2016, p. 81)
• The risks that hinder the achievement of objectives have been identified and evaluated by management, and an effective internal control system has been developed to control their negative effects at a level below the risk appetite, with reporting in case this cannot be achieved;
• Inherent risks have been recorded and evaluated in a way that allows ranking them according to their significance;
• The responsibilities of the entities accountable for ensuring the effectiveness of the risk management framework and methodology have been determined, including the responsibilities of management, external audit, internal audit, and any other department with oversight functions.
Conclusion
Following the development that the internal audit function has undergone, the need emerged for a modern definition of internal auditing capable of reflecting its new roles. Risk-based internal auditing has emerged as an approach that links internal audit concepts with risk management. It aims to provide assurance to the organization's management that risk is being managed effectively by examining, assessing, and reporting on the adequacy and effectiveness of risk management processes and offering recommendations and guidance concerning the identification, assessment, and application of risk management methodologies and controls to confront risks.
Accordingly, the risk-based internal audit approach focuses on and prioritizes the risks facing the organization. If internal auditing handles risk management maturely by following a set of stages and relying on specific requirements and methods that must be available in every institution, this will provide assurance regarding the effectiveness of control procedures and risk management processes, contributing to facilitating governance, adding value to the institution, and assisting in drawing up its policies and strategies in a way that allows it to achieve its objectives.
Based on the stages of risk-based internal auditing, it can be concluded that this approach operates according to an organized methodology that contributes to achieving the organization's objectives through:
First, through risk assessment, the matters that may expose the organization to threats and potential opportunities are identified and evaluated, allowing the identification of weaknesses and strengths in the organization's internal system.
Second, when the audit plan is developed based on this assessment, it becomes possible to direct resources and efforts effectively toward areas that need special attention, thereby reducing the risks of failure or corruption in the organization.
Finally, through the implementation of risk-based auditing, the primary goal of the internal audit process is more effectively achieved, as it focuses on the most important aspects that have the greatest impact on the organization’s performance and the achievement of its objectives.