Enhancing Internal Audit Activity Through A Risk Based Approach

An organisation that understands its risks understands its opportunities. If it does not know its risks, it does not know which risks it can accept, which risks to take, or how to grow, and sooner or later it will wither away.

When Harold Macmillan (UK Prime Minister 1957-1963) was asked by a journalist what can most easily steer a government off course, he answered ‘Events, dear boy. Events’. Times don’t change; investors and directors don’t like unexpected events, which is why organisations need to determine the risks that might give rise to these events and, in some cases, disclose them.

How is any organisation able to control events and seize opportunities? By understanding the risks it faces, the risks it is prepared to accept, and the action necessary to manage those risks it is not prepared to accept.

What is RBIA?

Risk based internal auditing (RBIA) is one of many opinions provided to the board, and audit committee, on corporate governance.

The Institute of Internal Auditors (IIA) defines RBIA as a methodology that links internal auditing to an organisation's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.

In implementing RBIA, the assurance required by the board from various functions will have to be taken into consideration, and this should be reflected in the internal audit’s charter. It is the internal audit department’s responsibility to fulfil the board’s requirements; and it is the board’s responsibility to fulfil the requirements placed on it by legislation.

Advantages of RBIA

Your organisation has objectives, and risks threaten the achievement of these objectives. Your organisation reacts to these threats by introducing internal controls. The board therefore needs to know that these internal controls are reducing the risks to a level which it has approved.

By following RBIA, internal audit should be able to conclude that:

  • Management has identified, assessed and responded to risks above and below risk appetite.

  • The responses to risks are effective but not excessive in managing inherent risks within risk appetite.

  • Where residual risks are not in line with the risk appetite, action is being taken to remedy that.

  • Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively.

  • Risks, response and actions are being properly classified and reported.

Is Your Organisation Ready?

Every organisation is different, with a different attitude to risk and different structures, processes and language. To implement RBIA, internal auditors need to adapt the approach to the structures, processes and language of their own organisation.

RBIA seeks at every stage to reinforce the responsibilities of management and the board for managing risk.

If the risk management framework is not very strong or does not exist, the organisation is not ready for RBIA. More importantly, it means that the organisation's system of internal control is poor.



Risk based internal auditing (RBIA) is the methodology which provides assurance that risks are being managed to within the organisation’s risk appetite.

RBIA enables internal audit to provide assurance on the risk management processes, both their design and how well they are working, and on the management of those risks classified as ‘key’, including the effectiveness of the controls.


This article has been published at The Jakarta Post, 22 October 2018
