IT Audit and Risk Assessment

Over the last few years, the need to manage risks has become recognized as an essential part of good corporate governance practice. This has put organizations under increasing pressure to identify all the business risks they face and to explain how they manage them.

In fact, the activities involved in managing risks have been recognized as playing a central and essential role in maintaining a sound system of internal control.

While the responsibility for identifying and managing risks belongs to management, one of the key roles of internal audit is to provide assurance that those risks have been properly managed.

We believe that a professional internal audit activity can best achieve its mission as a cornerstone of governance by positioning its work in the context of the organization's own risk management framework.

What is risk based auditing?

Our definition

The IIA defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organization's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.

Is the organization ready?

Every organization is different, with a different attitude to risk, different structure, different processes and different language. Experienced internal auditors need to adapt these ideas to the structures, processes and language of their organization in order to implement RBIA.


By following RBIA internal audit should be able to conclude that:

  1. Management has identified, assessed and responded to risks above and below the risk appetite
  2. The responses to risks are effective but not excessive in managing inherent risks within the risk appetite
  3. Where residual risks are not in line with the risk appetite, action is being taken to remedy that
  4. Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively

Implementation of RBIA

The implementation and ongoing operation of RBIA have three stages, and we have produced detailed guidance on each of them:

Stage 1: Assessing risk maturity
Obtaining an overview of the extent to which the board and management determine, assess, manage and monitor risks. This provides an indication of the reliability of the risk register for audit planning purposes.

Stage 2: Periodic audit planning
Identifying the assurance and consulting assignments for a specific period, usually annual, by identifying and prioritising all those areas on which the board requires objective assurance, including the risk management processes, the management of key risks, and the recording and reporting of risks.

Stage 3: Individual audit assignments
Carrying out individual risk based assignments to provide assurance on part of the risk management framework, including on the mitigation of individual or groups of risks.