Risk-based Internal Audit: Improving Control and Managing Risk in Parallel

Internal Audit is an important part that can support the sustainability of the company. It is often found that there is a disconnect between the controls carried out in the internal audit process and the risks that the company actually has. This is one of the things that encourages companies to carry out internal audit processes with a risk-based approach.

What is a Risk-Based Internal Audit?

Quoting from the Institute of Internal Auditors, Internal Audit is an independent and objective consulting and inspection activity designed to add value and improve the quality of organizational activities. This process helps an organization achieve its goals by using a systematic approach in evaluating and improving the effectiveness of its risk management, control and governance processes. Simply put, internal audit is responsible for monitoring the effectiveness of the internal control processes that have been determined by management.

Risk  -Based Internal Audit (RBIA)is one of the approaches in the internal audit process that mainly focuses on risks owned by the company (which have previously been identified by management) and then adjusts its controls according to the level of urgency of the existing risks. Risk-Based Internal Audit allows the internal audit party to provide assurance to management that the risk management process has been effective. The implementation of this risk-based internal audit can of course vary from one organization to another, depending on the risk management framework of each organization.

Benefits of Risk-Based Internal Auditing

There are several advantages to using a risk-based internal audit compared to using a traditional approach, namely:

1. Implementation of a more adaptive audit
2. Using a consistent approach to risk management allows the company to be more adaptive to changing conditions. Adjustment of the audit implementation schedule with risk management also allows for quick changes in audit strategy when there are changes in business objectives in the organization.
3.  
4. Implementation of audit as a risk management tool A
5. risk-based internal audit approach allows internal audit parties to identify risks correctly and allows management to define appropriate internal controls and determine the effectiveness of these controls.
6.  
7. The implementation of audits is more efficient and on target.
8. A risk-based internal audit approach that refers to the prioritization of risks faced by the organization allows for a more effective and efficient allocation of resources because it prioritizes risk areas with high priority.

Risk-Based Internal Audit Implementation Process

In general, there are 3 stages in the process of implementing a risk-based internal audit, which are as follows:

1. Conduct an assessment of  Risk Maturity
2. In the early stages, it is important to know the extent to which management determines, assesses, manages and monitors risk. This is necessary to get an overview of the indication of the reliability of the risk register ( risk register ) for the purpose of planning the implementation of the audit. This stage will produce an overall audit strategy which will be communicated to management and the Audit Committee.
3.  
4. Periodic audit planning At this stage, identification of assurance and consulting activities
5. is carried out for a specific period, for example an annual period by identifying and prioritizing all coverage areas that require objective assurance. At this stage, a review and identification of the risk management process and key risks, as well as recording and reporting of risks are also carried out. This stage will produce output in the form of an audit plan.
6.  
7. Implementation of  Individual Audit
8. The final stage is carrying out risk-based audit procedures to provide assurance as a part of the risk management framework, including individual or group risk mitigation. The end result of this stage is the audit results which are usually written in the form of an audit report.

Ultimately, a risk-based audit places the Risk Universe as the center point of developing an audit strategy to address management risk according to its priority level. Throughout the audit cycle, risks will be handled appropriately and reported accurately to provide  insight to  top level management so they can make more informed decisions as the next control step.

With increasing pressure on organizations to identify and manage their business risks, having an effective control mechanism is certainly the surest step to anticipate unwanted impacts and take advantage of all opportunities to drive continuous improvement. At Altha, we use a risk perspective in assessing, evaluating and establishing every strategic control measure for our clients. Through IT Audit, Business Advisory and  Corporate Training services  , we help companies determine and take proactive actions to improve internal controls and manage risk more effectively.