Why risk based approach?

A risk-based audit approach is the latest best practice in the evolution of internal auditing, aimed at
maximizing the impact of audit by focusing on the major strategic, regulatory, financial and operational
risks that confront an organization. This approach targets high risk areas and helps the auditors achieve
maximum value for the company from their efforts. It involves challenging existing structures and
processes to identify areas for improvement and propose value-adding changes to the organizations.

How does this approach differ from the other approaches?

The other approaches to internal auditing are the shotgun, compliance-based and control-based approaches. These are the old, traditional ways of auditing: usually long and time-consuming, using an extremely high number of samples (if not 100 percent), based on the gut feel or intuition of the auditor, and often leading to adverse and counterproductive relationships with the auditees (or audit customers).

Shotgun approach

The shotgun approach is full-blast auditing based on the individual auditor's experience and judgment
(usually gut feel or intuition) or triggered by tips from whistle-blowers or concerned employees, with the
intent of seeking or uncovering mistakes, errors and irregularities, and identifying and reporting malicious,
negligent, or incompetent people. A number of times this approach works in catching culprits or
violators and is viewed as appropriate under a not-so-ideal, dark or ominous control environment.
However, some critics complain that the shotgun approach leans or borders on trivial or small items and
veers away from the more important business concerns of serving the customers well, creating and
preserving value and improving operational efficiency and effectiveness. Typically, this type of audit is
time-intensive and requires the involvement of many audit resources. Invariably, the auditor's relationship with
the auditee is strained and may not promote transparency on the part of the auditee.

Compliance-based approach

The compliance-based approach involves a rigorous check of current practices against established
policies and procedures as well as against existing laws and regulations. This is not bad per se and is in fact
quite useful to the company in many instances. Its drawback is that it may ignore the possibility that the non-compliant behavior of the auditees is actually a welcome innovation and an appropriate response to new
business requirements or a new paradigm. Thus, an audit exception may be raised and the auditee bitterly
and unjustifiably criticized when, on the contrary, the auditee should really be commended for a job well
done.

If the auditor does not put himself in the shoes of the auditee and does not go deeper to see the
auditee's perspective, this audit approach may be counterproductive, and may even discourage creativity and
initiatives for improvement. It does not make sense to apply this approach if the existing policies and
procedures are outdated and not in line with the organization's needs.

Control-based approach

The control-based approach is similar to the compliance-based approach, except that the auditor also uses best
practices in internal control (e.g. a checklist or an inventory of generally accepted controls drawn from various
control frameworks or from peers in the same industry or profession) that the company has not yet adopted,
in addition to its current control policies and procedures.

While better than the two previously mentioned approaches, one drawback of the control-based focus is
that it tends to overemphasize control activities while overlooking the practical factors and cost-benefit considerations associated with implementing the required controls. The result is often
disagreement with auditee management on the necessity of performing the additional controls.

Risk-based approach

The risk-based audit methodology is the preferred, modern approach required by the ISPPIA (the
Standards). With this approach, the auditor must first understand the company's mission/vision,
strategies, objectives, targets, key result areas and goals (corporate ends), and then identify and analyze
the risks (risk assessment) that may hinder or prevent the achievement of those corporate ends. The
auditor then determines whether controls are in place (test of design) and whether such controls are
working effectively as designed (test of operating effectiveness) to address the risks assessed as
high or as having a significant impact on the business objectives (both operational and control objectives).

As companies continue to enhance their processes, for example through the implementation of enterprise risk
management frameworks, future internal audit functions will need to work closely with the risk
management functions to provide an additional layer of monitoring and to proactively address risks before
they materialize.

This approach requires performing periodic risk assessments (at least annually) of the auditable units and
crafting an audit strategy that prioritizes and schedules audit engagements in accordance with the risk
profiles. This means that the higher the risk, the more frequent the audit, and conversely, the
lower the risk, the less frequent the audit, or none at all (in the extreme case, given scarce audit resources)!
Please take note that the risk profiles of companies are inherently dynamic and change with time, and that
newly emerging risks may require the auditor to revisit and revise the audit strategy.

Conclusion

The risk-based approach allows the auditor to come up with a risk-based audit plan that is aligned with the
business strategies and responsive to management's requirements and expectations. The auditor can
now focus its limited resources on the major risk areas of the company. That is, doing more with less and
delivering assurance with fewer resources.

More importantly, rather than feast or pound on the mistakes of individuals, the RBA is
process-based and intended to evaluate control design (Test of Design) and identify gaps or control
weaknesses using various control frameworks or best practices in internal control. Afterwards, in
consultation with the auditees, with the end in view of obtaining their buy-in, the auditor considers
alternative solutions to address the significant risks noted and, if necessary, issues value-adding suggestions
to further improve the process.

It is important to note that the compliance-based approach is not totally eliminated or forgotten when we
apply RBA. When appropriate and sound control policies and procedures have been put in place by
management, performing a test of compliance (Test of Operating Effectiveness) is integral to RBA. It is
prudent, though, to always reassess the risks and revisit the appropriateness and soundness of the
policies and procedures at every audit, especially if the intervening period is at least a year and there have
been recent changes in technology, organization and systems.