March 30, 2026 28 min read

5 risk-based internal auditing approaches

Vice Vicente

Key Takeaway: Risk-based internal auditing (RBIA) directs assurance and advisory effort toward the organization's top risks instead of cycling through departments on a fixed rotation. Under IIA Global Internal Audit Standard 9.4, effective January 9, 2025, the audit plan must be built from a documented, annually refreshed risk assessment. Five approaches — rapid assurance, project assurance, facilitated self-assessment, maturity models, and data analytics — let CAEs tailor the engagement to each risk.

IIA Global Standards Standard 9.4 now mandates a documented annual risk assessment as the basis for the audit plan, and Standard 9.5 requires CAEs to coordinate with second-line and external assurance providers to surface coverage gaps. Choosing the right approach for each engagement is how internal audit translates that risk assessment into work that lands with stakeholders.

What is a risk-based approach in auditing?

Risk-based auditing ensures the internal audit function focuses its assurance and advisory effort on the organization's top risks. A risk-based audit approach starts with a risk universe as the basis for the audit plan. The goal of each project is to address management's highest-priority risks. Many audit departments think they are risk-based, but their audit plans are generally built from an audit universe consisting of departments, functions, or processes. A true risk-based audit approach starts with an assessment of management's top risks and business objectives, and every audit on the plan is designed to address those risks and provide insights back to senior management.

Risk-based audit plans rely on establishing the organization's risk appetite, defining inherent risks facing the organization, and focusing on high-risk business processes. An organization may opt to undergo a formal risk assessment at least once each year — a cadence now reinforced by IIA Standard 9.4, which requires the risk assessment to be documented and refreshed annually. Once risk identification has taken place, evaluations performed for each line item generate mitigation plans for each potential risk exposure, allowing the business to address those risk areas.

A comprehensive RBIA risk assessment should cover strategic, operational, financial reporting, compliance, fraud, IT and cyber, governance, and increasingly ESG and AI risks. Mapping each category to business objectives ensures audit coverage aligns with the risks that could actually prevent the organization from achieving its strategy.

The four types of audit risk

When scoping an engagement, internal auditors evaluate four related risk concepts:

  1. Inherent risk — the susceptibility of an assertion or process to misstatement or failure before considering controls.
  2. Control risk — the risk that internal controls fail to prevent or detect a misstatement or issue.
  3. Detection risk — the risk that audit procedures will not catch a material misstatement.
  4. Sampling risk — the chance that a sample's conclusions differ from results that would be obtained from testing the full population.

Common risk management frameworks

Audit teams and audit committees use established frameworks to inform the risk approach. Some examples of risk management frameworks include:

  • ISO 31000: risk management standards. ISO's standards and guidance are recognized internationally; however, ISO 31000 cannot be certified against.
  • COSO: Enterprise Risk Management (ERM). COSO's popular internal controls framework has been adopted by many companies seeking to comply with SOX. Their ERM framework has five integrated principles for managing risk.
  • NIST: Risk Management Framework (RMF). As the National Institute of Standards and Technology in the U.S., NIST produces guidance and resources for implementing the RMF, which consists of seven core steps.
  • COBIT: IT risk management framework. Control Objectives for Information and Related Technologies (COBIT) is a framework for the governance and management of enterprise IT. Internal auditors use COBIT to assess IT risks and prioritize high-impact areas like cybersecurity controls, identity and access management, and data integrity.

Risk-based vs. compliance-based auditing

The two approaches differ in starting point, scope, and flexibility:

| Attribute | Risk-based audit | Compliance-based audit |
| --- | --- | --- |
| Starting point | Management's top risks and business objectives | A defined set of regulatory or framework criteria |
| Scope | Flexible; includes activities not tied to a compliance objective | Narrow and prescriptive, tied to the criteria |
| Primary goal | Insight on high-priority risks and residual exposure | Evidence of adherence to a standard |
| Testing design | Tailored to the process being examined | Largely fixed by the criteria |

Risk-based audit approaches allow audit teams to customize their audit activities to match the processes and controls they are examining, while compliance audits tend to have a fairly narrow and specific scope.

What are the benefits of risk-based approaches in internal audit?

A risk-based audit approach allows internal auditors to respond to organizational risks in a more timely manner and to provide insights to management that help solve problems at a regular cadence. Risk-based internal audits — sometimes known as "RBIAs" — get at the issues that are top-of-mind for senior management and leadership, allowing companies to tackle their biggest problems first, and head-on. Using a risk-based audit methodology allows for the identification of previously unrecognized risks, and may even reveal gaps that a traditional approach might have missed. PCAOB inspection data released in March 2025 reported the aggregate deficiency rate fell to 39% in 2024 from 46% in 2023, with risk-based execution cited as a contributing factor.

Flexibility for audit teams. Internal audit plans rooted in risk management practices give audit resources flexibility in how to design their audit process and audit activities, rather than prescribing specific requirements and scopes. Risk-based approaches allow audit teams to customize their audit activities to match the processes and controls they are examining.

Defensible audit frequency. A risk-based approach also helps audit leaders quantify how often each process should be audited, allocating annual or continuous reviews to high-risk areas like revenue recognition, third-party access, and cybersecurity, and a lighter three-to-five year cadence to stable, low-risk areas. This matters more in 2026: 19% of internal audit leaders reported lower 2025 budgets than the prior year in the IIA's March 2026 North American Pulse of Internal Audit Survey.

Strategic decision-making support. By aligning the audit plan to enterprise objectives and the risk appetite, risk-based auditing surfaces forward-looking insight on areas like M&A integration, digital transformation, cyber resilience, and ESG readiness — positioning internal audit as a strategic advisor rather than a backward-looking compliance check. IIA 2026 research finds roughly 32% of internal audit leaders now have at least some second-line involvement, most commonly in enterprise risk management.

Traditionally, internal audit has embraced a controls-based approach that inspects and verifies that compliance and financial controls are operating according to an established set of criteria. Increasingly, internal audit departments are turning to risk-based approaches, driven by a more forward-looking perspective aimed at addressing potential risks that could prevent an organization from achieving its objectives. The Institute of Internal Auditors (IIA) has many resources on auditing using a risk-based approach, including guidance on areas like IT governance that go beyond financial statement audits.

When risk-based approaches are paired with a service delivery mindset, it becomes apparent internal audits should not use a one-size-fits-all approach. An effective audit department can create a palette of approaches, making it possible to select the optimal approach on a case-by-case basis.

5 proven risk-based audit approaches and techniques to enhance the customer experience

Here are five proven risk-based audit approaches and techniques to enhance the customer experience of an assurance or advisory engagement, as well as the ideal audit profile characteristics, success factors, and audit skills for each approach.

One more word of advice for organizing an audit: planning goes further than you'd think. Collaborating with the necessary stakeholders and communicating audit plans clearly can make the difference between a smooth audit and a bumpy one.

1. Rapid assurance: pledging just one week of fieldwork

Specifically intended to reduce audit fatigue in processes where documentation is strong, Rapid Assurance involves performing all steps of a standard assurance engagement in a shortened time frame with a commitment to only one week of fieldwork. You could even think of these engagements as "mini audits." Rapid Assurance can typically be divided into three phases covering three to five weeks:

Auditor planning and research (one to two weeks). Auditor planning and research involves reviewing prior audit work papers and public documentation, preparing the work program, sending the request list, obtaining view access to document repositories, and performing testing.

On-site fieldwork (one week). During on-site fieldwork, the auditor interviews customers, performs testing, obtains follow-up requests, conducts "End of Day" status meetings, and communicates draft findings to customers in a "soft" exit meeting.

Finalize testing and report writing (one to two weeks). Final testing and report writing encompasses the completion of testing, finalizing work papers and the audit report, and documenting agreed actions, owners, and target dates in the report.

Approach profile: Rapid Assurance works best with relatively stable processes, people, and technology such as client onboarding, call center operations, or a third-party on-site review. Processes with strong documentation and records management practices make great candidates for Rapid Assurance, as do processes that have been previously audited with low-to-moderate residual risk.

Success factors: Plan ahead by giving early notification and getting a time commitment from the audit client. The audit engagement should have a well-defined and limited scope. Crucially, Rapid Assurance requires the auditor to maintain a singular focus and give full attention to only one audit at a time. The key to a successful Rapid Assurance is to recognize that complexity is neither created nor destroyed — it is simply transferred. The auditor shoulders more of the effort prior to and after the fieldwork so that the client can experience relatively light interaction during a swift week of engagement. Auditors must also receive their requested evidence and interviews in a timely manner; otherwise, the project can drag on.

Audit skills: Given the shortened time frame, the auditor should have strong project management competencies and a deep knowledge of the process to be audited.

2. Project assurance: real-time feedback and real-time assurance

During Project Assurance, the auditor evaluates the governance, risk management, and control capabilities of the project team to identify and manage project-related risks in real time. They also take on a facilitator role by promoting risk and control dialogue throughout a project.

Success factors: Auditors need to engage early in the project to provide support from initiation and design through building and configuration, testing and training, and finally implementation and monitoring. In each phase, internal audit partners with the program manager and product sponsor to provide real-time feedback. The auditor should clearly identify scope components based on relevant frameworks such as the Project Management Body of Knowledge (PMBOK). For a process or initiative impacting a large portion of the company, it is vital that there be a collaboration with all the stakeholder groups involved to ensure successful adoption. Periodic status meetings to align expectations are another key to this type of engagement.

Audit skills: An auditor with prior project or program implementation experience would be a good choice to perform a Project Assurance approach, as would a subject matter expert or guest auditor from an advisory services firm who can help identify pitfalls.

3. Facilitated self-assessment: helping management solve problems

This workshop-style approach enables a department to examine and commit to improving governance, risk management, and/or internal controls for a process or function. In this type of approach, the audit professionals serve as facilitators of the conversation and try to encourage participation in the workshop. After all, when someone is involved in identifying a problem, they are more likely to be energized to fix it.

Approach profile: At its core, "facilitation" means to make an action or process easier, and this approach works well to assist leaders with expanded responsibilities to address their challenges — particularly the tension between tactical execution and achieving a larger strategy. The session can be designed to help departments understand and identify their objectives, the risks associated with achieving those objectives, and the controls needed to address those risks. The workshop can enable the customer to become an internal auditor and assess their own processes. Facilitated Self-Assessment may also equip management to move toward a stronger risk and control culture by practicing real-life application of risk and control principles, and improving risk analysis and response capabilities.

Success factors: The visible engagement of a senior leader is crucial to empowering team members to be honest and transparent in identifying challenges. Rigorous work session design and planning enables the session to proceed smoothly, as does using referenced guidance from a credible framework. It is important to set the expectation that this approach may require testing to be performed on select key controls, and may need to be iterative.

Audit skills: To lead a workshop session, an auditor should have strong small-group facilitation skills and the ability to adjust an approach on the fly. An outward mindset and the ability to influence strong risk management and control behaviors will go a long way toward helping a department identify and commit to improving their response to the specific challenges encountered. Being able to explain why and how risks and controls interact in basic terms can help as well.

4. Maturity models: framing assurance as a journey

Using standard maturity models such as the Capability Maturity Model Integration (CMMI) or creating customized models, a Maturity Models approach enables auditors and audit customers to assess the current effectiveness of a process while also identifying the capabilities needed to improve the process to meet objectives.

Approach profile: This approach works particularly well with combative or defensive customers who have had difficulty accepting a finding. By framing their process within the construct of a Maturity Model, internal audit is able to give the customer credit for what they are doing well in the context of a journey that includes areas for future improvement. A Maturity Model approach is also ideal for corporate processes and areas impacted by M&A or organizational restructuring, for evolving their people, processes, and technology. Organizations with mature controls may also benefit from this approach, as they can discover additional ways to supplement and augment their existing programs.

Process Maturity Model Template

Success factors: Breaking processes down into components enables the auditor to acknowledge strong controls while also identifying issues to be remedied. The Maturity Models approach can be useful in an independent advisory capacity or as an assurance engagement yielding actionable findings. The approach is particularly successful when it creates a more interactive experience of dialogue: the auditor allows the customer to weigh in on where they think they fit in a Maturity Model, and then requests evidence or facilitates a discussion to validate their perspective.

Audit skills: The auditor must be comfortable explaining standard maturity models such as CMMI or their own methodology for creating a custom maturity model. The auditor must also be able to support their conclusions with evidence and confidence.

5. Data analytics: better insight through data

Audit can incorporate data analytical techniques into engagements to provide richer insights, enhanced risk monitoring, and process efficiencies. The shift toward GenAI is accelerating this approach: per Deloitte's 2025 CAE research, nearly 40% of CAEs plan GenAI investments to improve efficiency across risk assessment, planning, and reporting, and PwC's 2025 Global Compliance Survey reports 46% of respondents already using or piloting AI for data and predictive analytics.

Approach profile: Data analytics can be considered on every engagement and in all phases of an audit. It can be executed as a singular approach or coupled with any of the other four approaches. Auditors may need to get creative when assessing more qualitative data, but data analytics can be valuable in areas ranging from travel and entertainment to service desk incidents to enterprise program management.

Success factors: Auditors must have the conviction that even the most basic data and inputs can generate insight when addressing full populations, and the ability to connect risk to data. Testing and audit activities can be very quick, but only if rigorous planning has been first mapped out. Auditors must be prepared to investigate unanticipated results without jumping to conclusions. GenAI adoption should be paired with a documented AI governance framework that addresses model bias, explainability, and data privacy — particularly under the EU AI Act's risk-based regime.

Audit skills: The ability to collaborate with database administrators and reporting groups will make a data analytics approach go more smoothly. Ideally, the auditor will be an analytical, technical, and logical thinker with the ability to write scripts. However, you should not let a lack of technical knowledge prevent you from using data analytics.

Ready to implement a risk-based auditing approach?

With a service delivery mindset and your own collection of risk-based approaches to choose from, your audit department will be in a strong position to select the best approach to create a trusted relationship with your customer as well as a beneficial engagement outcome. By thoughtfully tailoring the audit approach to each particular situation, internal audits can reduce audit fatigue, meet customers where they are, provide real-time assurance, and create a positive impact on their organization.

Optro can help you implement a risk-based audit approach. You can find out more by checking out Optro's Audit Management Playbook.

Frequently asked questions

What is a risk-based approach in auditing?

Risk-based auditing ensures the internal audit function focuses its assurance and advisory effort on the organization's top risks rather than rotating through a fixed audit universe. The plan begins with management's strategy, objectives, and prioritized risks, and every engagement is designed to address one or more of those risks.

What are the key steps to implement a risk-based internal audit methodology?

RBIA follows four core steps: (1) identify and document the organization's risk universe in alignment with strategy and objectives, (2) assess and prioritize risks against the board-approved risk appetite, (3) build the annual audit plan to address the highest-priority risks rather than auditing by rotation, and (4) report insights and residual risk exposures back to senior management and the audit committee. Under IIA Standard 9.4, effective January 9, 2025, the underlying risk assessment must be documented and refreshed at least annually.

What are the four types of risk in audit?

There are three primary types of audit risk — inherent risk, control risk, and detection risk — plus a related fourth concept, sampling risk. Inherent risk is the susceptibility of an assertion to misstatement before considering controls; control risk is the risk that internal controls fail to prevent or detect a misstatement; detection risk is the risk that audit procedures will not catch a material misstatement; and sampling risk reflects the chance that a sample's conclusions differ from results that would be obtained from testing the full population.

How is risk-based auditing different from traditional or compliance-based auditing?

Traditional auditing rotates through an audit universe of departments, functions, or processes on a fixed cycle. Risk-based auditing dynamically allocates resources to the areas with the greatest risk exposure to organizational objectives. Compliance-based audits go further in the opposite direction — they apply fixed regulatory or framework criteria with narrow, prescriptive scopes. The IIA's 2024 Standards now effectively require risk-based planning under Standard 9.4.

How do you determine audit frequency under a risk-based approach?

Under a risk-based approach, frequency is driven by each process's residual risk rating. High-risk areas like revenue recognition, third-party access, and cybersecurity may be audited annually or continuously, while stable, low-risk areas can shift to a three-to-five year cadence or rapid assurance reviews. Practitioners typically weight inherent risk score, control maturity, change velocity (M&A, system implementations), regulatory exposure, and prior audit findings to set the cadence.

How can internal audit use GenAI and data analytics to enhance risk-based auditing?

GenAI and analytics extend risk-based auditing by enabling full-population testing, continuous risk monitoring, and predictive risk scoring rather than point-in-time sampling. Per Deloitte's 2025 internal audit research, nearly 40% of CAEs plan GenAI investments across risk assessment, planning, and reporting, and PwC's 2025 Global Compliance Survey reports 46% of respondents already using or piloting AI for data and predictive analytics and 36% for fraud detection. Pair adoption with a documented AI governance framework addressing bias, explainability, and data privacy under the EU AI Act.

How should internal audit coordinate with second-line risk and compliance functions to avoid duplicated assurance?

IIA Global Internal Audit Standard 9.5, effective January 9, 2025, requires the CAE to coordinate with internal and external assurance providers to minimize duplication and surface coverage gaps. Practitioners typically operationalize this through a combined assurance map — a shared risk register where internal audit, ERM, compliance, SOX, and external auditors align on which line is testing which control. IIA research released in March 2026 indicates roughly 32% of internal audit leaders now have at least some second-line involvement, most commonly in enterprise risk management.
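As an added example, not code from the article or from Optro, the following Python prioritizer turns the frequency factors listed above (inherent risk, control maturity, change velocity, regulatory exposure, prior findings) into a residual risk score and a cadence, and then checks the combined assurance map for high-priority risks nobody is testing and for duplicated assurance. The factor weights, cadence bands and sample risk universe are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Factor weights are an assumption for illustration, not IIA guidance.
# Every factor is scored 1 (low) to 5 (high); control weakness is the
# inverse of control maturity so that each factor pushes risk the same way.
WEIGHTS = {
    "inherent_risk": 0.35,
    "control_weakness": 0.25,
    "change_velocity": 0.15,
    "regulatory_exposure": 0.15,
    "prior_findings": 0.10,
}

# Cadence bands are assumptions. The top two bands correspond to the
# annual/continuous tier for high-risk areas; the bottom two to the
# rapid assurance or three-to-five year tier for stable, low-risk areas.
BANDS = [(4.0, "continuous"), (3.0, "annual"),
         (2.0, "rapid assurance"), (0.0, "3-5 year rotation")]


@dataclass
class RiskItem:
    name: str
    scores: dict[str, int]
    # Other assurance providers (second line, SOX, external audit) already
    # testing this area, taken from the combined assurance map.
    assurance_by: list[str] = field(default_factory=list)


def residual_score(item: RiskItem) -> float:
    """Weighted residual risk on the same 1-5 scale as the inputs."""
    missing = set(WEIGHTS) - set(item.scores)
    if missing:
        raise ValueError(f"{item.name}: unscored factors {sorted(missing)}")
    for factor, value in item.scores.items():
        if factor not in WEIGHTS or not 1 <= value <= 5:
            raise ValueError(f"{item.name}: bad score {factor}={value}")
    return round(sum(WEIGHTS[f] * item.scores[f] for f in WEIGHTS), 2)


def cadence(score: float) -> str:
    """Map a residual score to an audit frequency band."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return BANDS[-1][1]


def build_plan(universe: list[RiskItem]) -> list[tuple[str, float, str]]:
    """Rank the risk universe by residual score and assign a cadence."""
    ranked = sorted(universe, key=residual_score, reverse=True)
    return [(i.name, residual_score(i), cadence(residual_score(i))) for i in ranked]


def coverage_gaps(universe: list[RiskItem]) -> list[str]:
    """High-priority risks that no other assurance provider is testing."""
    return [i.name for i in universe
            if cadence(residual_score(i)) in ("continuous", "annual")
            and not i.assurance_by]


def duplicated_assurance(universe: list[RiskItem]) -> list[str]:
    """Risks where more than one provider tests the same area."""
    return [i.name for i in universe if len(i.assurance_by) > 1]


# Constructed sample risk universe; scores and providers are made up.
UNIVERSE = [
    RiskItem("Third-party access", dict(inherent_risk=5, control_weakness=4, change_velocity=4, regulatory_exposure=3, prior_findings=4), ["vendor risk (2nd line)"]),
    RiskItem("Revenue recognition", dict(inherent_risk=4, control_weakness=2, change_velocity=3, regulatory_exposure=5, prior_findings=2), ["SOX", "external audit"]),
    RiskItem("Identity and access management", dict(inherent_risk=5, control_weakness=3, change_velocity=5, regulatory_exposure=4, prior_findings=3)),
    RiskItem("Payroll", dict(inherent_risk=3, control_weakness=2, change_velocity=1, regulatory_exposure=3, prior_findings=1), ["SOX"]),
    RiskItem("Facilities maintenance", dict(inherent_risk=2, control_weakness=1, change_velocity=1, regulatory_exposure=1, prior_findings=1)),
]

if __name__ == "__main__":
    for name, score, when in build_plan(UNIVERSE):
        print(f"{score:4.2f}  {when:18}  {name}")
    print("coverage gaps:", coverage_gaps(UNIVERSE))
    print("duplicated assurance:", duplicated_assurance(UNIVERSE))
```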

About the authors

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.
