Risk Based Auditing



The Institute of Internal Auditors stated the following in a professional guidance statement:
‘Internal Audit are being asked to provide much greater assurance to Senior Management than ever before. The Institute believes that the only way to provide such objective assurance is by means of risk based auditing’.

Audit functions that are able to focus their efforts on the significant risks in their organisations can concentrate their limited resources on the issues which drive business goals and aspirations. In consequence, audit plans are directed at the issues which really matter (which are often the operational risks).

This course covers the latest developments. The course features a case study on the step by step approach to a risk based operational audit.

Benefits of attending

Why you should attend

  • Audit managers and senior auditors
  • Auditors responsible for developing or implementing a risk based approach
  • Other assurance professionals, such as those in Compliance and QA functions, who want to develop their risk based approach
  • Managers and Directors of business functions – to aid their knowledge of a risk based audit approach.

Course Details

Course Level

  • This is an intermediate level course and delegates should have at least 12 months’ experience in Internal Audit (or other assurance roles) to attend
  • Delegates should have a good educational standard and/or a professional qualification or be in the process of studying for such qualifications
  • No advance preparation is required
  • Delivery method – On-line live (with exercises and case studies to provide practical application of the tools and techniques)

After completing this course you will be able to

  • ENHANCE internal audit’s contribution to the business
  • ENGAGE more positively with senior management
  • DELIVER more focussed audit plans through developing the appreciation of operational risk
  • PLAN assignments effectively to focus on opportunity as well as risk
  • ASSIST management to simplify and streamline operational processes
  • AUDIT business areas which may have not been previously covered
  • PLAN risk based assignments efficiently and effectively
  • MEASURE success more effectively
  • APPLY a simple method to reduce unnecessary controls

CPE credits

Participants will earn 10 CPE credits (7 in the Auditing field of study and 3 in the Management Advisory Services field of study).


Day 1: Embedding a risk based audit process

Embedding a risk based audit process

  • The principles of RBA
  • Worldwide trends
  • Trends (from GRC research and our Internal audit best practice database)
  • The need to focus more audit attention on the operational risks
  • The need to significantly refocus Internal Audit to meet the updated IIA standards:
    • Internal audit credibility and value are enhanced when auditors offer new insights and consider future impact
    • A higher level of assurance (coordinated with the work of the other assurance providers) must be provided
    • Internal Audit needs to add measurable value to the business.
    • IA needs to be regarded as a strategic partner and advisor
    • The function needs to enhance organisational value by providing stakeholders with risk-based, objective and reliable assurance, advice and insight.
    • IA must ensure that appropriate risk responses are selected that align risks with the organisation’s risk appetite
  • How risk based audit has changed the face of auditing
  • New 2020 Code of Conduct
  • Helping the Board to protect the assets, reputation and sustainability of the organisation.
  • Internal audit should have the right to attend and observe all or part of executive committee meetings
  • Exercise 1: Challenges for Internal Audit

Enterprise risk management and the IA role

  • Explanation of ERM and why it is not fully understood
  • The current economic crisis and how ERM can help
  • The role and responsibilities of directors and senior management with respect to ERM
  • ERM roles and responsibilities
  • Categories of risk.
  • Selling the benefits to top management

Strategic Audit Planning

  • Strategic audit planning
  • How to decide which areas to audit and ensure more focus on operational risks
  • The audit universe – new IIA guidance
  • Determining the level of assurance
  • IIA guidance – Production of the audit plan
  • The RBA audit plan preparation
  • Risk Based Internal Audit Plan Example
  • A best practice audit risk planning model will be used (an electronic version will be provided to all delegates)
  • Exercise 3: Developing a strategic audit Plan using the model

Ensuring your role is fully coordinated with the other assurance providers

  • Ensuring your assurance providers’ roles (e.g. Internal Audit, Compliance, Risk Management, Insurance, Security) are coordinated to avoid duplication of effort
  • Why you should incorporate internal audit agreed actions in your risk register
  • Ensure environmental risk is taken seriously (even if you are in a sector such as Financial Services)
  • Ensure that your Business Continuity plan covers all eventualities and ensure it is fully tested
  • Identify new ways to benefit the least able section of the wider community you serve
  • New guidance on coordinating RM & assurance
  • Exercise 4 – Team exercise – the mystery

Day 2: Risk Based Auditing in Practice

Risk Based Auditing in Practice

  • Brainstorming the functional objectives
  • Building a picture of the risks
  • Consider threats and opportunities
  • Building the details of the controls
  • Planning the assignment
  • Determining the types of test and techniques to use
  • Determining the threats to success
  • Exercise 5. Audit topics will be chosen for the purpose by the delegates and the functional objectives and risks brainstormed in groups

The Risk Based audit step by step

  • A risk based programme case study will be walked through
  • Reviewing the business objectives
    • Are the objectives comprehensive and SMART?
  • Do the risks in the register relate properly to the objectives?
    • Are they specifically linked to the objectives and recorded?
  • Are the inherent risks correctly evaluated?
  • Are any key risks missing?
  • Are the causes of the event identified?
  • Have mitigating actions been recorded for each risk?
    • Is such mitigation detailed enough?
  • Are there any actions in progress to deal with risk?
    • Assess the status of such actions
    • Are there any management decisions pending?
    • Has a target risk been established?
    • Assess confidence level in the potential for such actions to reduce the risk required
    • Is the target risk realistic?
  • Audit testing
    • Test each mitigating control by means of walk through tests
    • Extend testing as required to obtain sufficient evidence
  • Determining an audit risk and control assessment
    • Evaluating and recording such assessments
    • Presenting the evidence to management
    • How to ensure consistency
  • Exercise 6: The RBA in practice – using audits selected by the delegates

Identifying over-managed risks

  • These are likely to be the risks in the green zone of the risk matrix
  • Why unnecessary controls are often not removed
  • Why Internal Audit does not focus on this aspect
  • When did you last suggest reducing controls?
  • Challenge ‘we have always done it this way’
  • Do we have to do it?
  • What are the benefits / penalties associated?
  • Can you reduce effort in some areas to give time and resource for the priorities? Case study
  • Exercise 7 – How to identify over-managed activities

Opportunity Auditing

  • Why risk can be an opportunity in disguise (e.g. Failure to innovate)
  • Why specifically targeting significant areas of business opportunities can deliver major measurable benefits
  • Many business opportunities are overlooked by the business because management are too busy
  • With budgets under even greater scrutiny, demonstrating value for money is more important than ever
  • The need for an opportunity register
  • Opportunity audit topics
    • Travel management
    • Mobile communications
    • Insurance
    • Consultancy
    • Energy management
    • Budgeting
    • Meetings management
    • Decision making
  • Exercise 8 – Opportunity exercise – Moonshot

Developing the consultancy role

  • The IIA standards
  • Why consultancy should be encouraged
  • The difference in approach
  • How to document these assignments
  • Reporting consultancy assignments
  • Audit by workshop
  • Facilitation – do’s and don’ts
  • Exercise 9 – How to convince management that consultancy is the direction for Internal Audit

About Phil Griffiths

Phil Griffiths, FCA


Phil Griffiths is founder and Managing Director of Business Risk Management Ltd.

A Chartered Accountant, he has over 30 years’ experience in risk management, corporate governance, internal audit and fraud prevention as practitioner, professional adviser, facilitator and trainer.

His areas of specialism are:


  • Assisting Senior Management to identify, manage and then exploit the risks within their business via facilitated business risk management programmes
  • Helping Internal Audit functions to implement world class standards.
  • Developing fraud prevention, detection and investigation programmes
  • Training both private and public sector organisations in all the above disciplines.

He has extensive experience of the European, Asian, Middle Eastern, and African markets, having trained professionals from over 1000 organisations in these regions during the past 15 years.

He has extensive experience of managing and auditing major international projects. He also has direct experience of negotiating major contracts (including the largest mobile telecommunications contract in the world at the time).

Phil has developed strategic alliances with professional bodies and world renowned training companies, to deliver training and consultancy services across Europe, Asia, the Middle East and Africa.

He has developed over 300 training courses on all aspects of internal audit, risk management and fraud and delivered them across the globe.

He has led risk management programmes for more than 120 private and public sector clients, tailored specifically to include facilitated workshops, development of risk strategies and assistance with implementation.

He is an accomplished author. His book ‘Risk Based Auditing’ is an international best seller and his new book ‘Enterprise Risk Management – the key to business success’ is receiving much acclaim.

Phil has published research into many aspects of internal audit and risk management best practice, including “Strategic Risk management”, “The Need to Co-ordinate Assurance Providers” and “The Expectations of Chief Executives towards Internal Audit and its future”.

He is recognised as an accomplished and charismatic facilitator, trainer and lecturer and is in continual demand to speak at the most prestigious events on risk management, internal audit and fraud.

Schedule Overview

Course Fee and Timings

The fee for the 2-day course is GBP 500 (US$ 650), which includes comprehensive course materials. The course will consist of three 1.5 hour sessions each day.

