Posts Tagged ‘risk based internal auditing


Risk-Based Integrated Auditing and the journey so far….

It has been almost one year since my country office started transitioning to ‘risk-based integrated auditing’ (RBIA) approach from the ‘traditional internal auditing’ approach focusing on finance. Similar to any other change process, this journey of transition was not a smooth or comfortable one for our function. (In a sense, it was a humpty-dumpty ride). However, out of this transition to RBIA approach, I have learnt some good lessons both personally and functionally (which I feel worth sharing with my readers):

On the individual front —

  • I have understood the importance of flexibility and creativity for producing the best value adding audit reports. (Structured approach alone does not suffice.)
  • As an internal auditor, most often, it is good to be direct with audit clients rather than being diplomatic. Being direct have helped me gain credibility in the eyes of my clients.
  • Being part of the internal audit profession, I have now learnt to experiment and take reasonable risks within professional boundaries (rather than always being over-defensive and extra-cautious).
  • I have learnt the art of collaboration and negotiation better now. Now, I can empathize with the challenges faced by my audit clients. This has led me to hold more constructive conversations with my stakeholders.

As the internal audit function, some of our important learnings —

  • The success of the RBIA approach is primarily dependent on identifying the correct risks to review from the start.
  • It is important to ensure that both the senior management and the respective departments/ functions share the same view of risk. As a third line of defense, we ensured that they both are on same page when it comes to risk.
  • One of our initial tasks was to review our country office’s risk register and see if it is complete and accurate. Subsequently we also learnt to rank the risk by considering which of those risks would have the most serious impact. By doing so, internal audit’s prioritized areas of focus matched those posing greatest risk to the organization.
  • As skeptics, normally internal audit functions are good at pointing out what might go wrong. But under RBIA approach, (while proposing the corrective action to clients) we also learnt to imagine thinking what needs to go right so as to ensure management focus are aligned to achieve successful outcomes.
  • Our internal audit function has started emphasizing top-down risk-based planning consistent with the country office’s objectives. For this, we took into consideration the input of senior management and the Board.
  • We understood that it is important to induce the senior management to leverage on first and second line of defense when internal audit started moving towards RBIA approach.
  • We learnt that when internal audit aligns its focus with organization’s top high risks, the organizations will be deriving the maximum value.
  • Under the RBIA approach, our internal audit function has become intentional in learning about the business of our organization.
  • RBIA approach is assisting our function to understand the issue by seeing the larger picture in a holistic way rather than having a skewed perspective. As a result, our team is now able to have a more pragmatic view of materiality while stratifying the audit observation.
  • RBIA approach have underscored the importance of findings from internal audits to be commercial, strategic, cost-effective and making business sense.


Question: From your experience and expertise, do you think risk based integrated auditing is a better approach? Please share them by leaving a comment to this post. I welcome your thoughts.



July 2018
« May    



Online Accounting Degree blog feature