On 9 January 2025, the 2024 IIA Global Internal Audit Standards became effective worldwide — and every internal audit function that had been describing itself as “in conformance with the Standards” had to either prove it or stop saying so.
Twelve months in, the 2026 North American Pulse of Internal Audit tells the uncomfortable story: budgets are falling faster than scope is shrinking, 96% of CAEs plan cybersecurity coverage but fewer than half are confident in the assurance they can give, and the ground has shifted under anyone still running last year’s audit plan with this year’s risks.
A risk-based internal audit is no longer a methodology choice. It is the only defensible operating model left.
The Bottom Line — Key Takeaways
- A risk-based internal audit starts with a defensible risk universe, not a historical audit calendar. Everything on the plan traces back to a named risk and an executive owner.
- The IIA Global Internal Audit Standards, effective 9 January 2025, make a strategic, risk-based internal audit approach mandatory, not optional — 15 principles and 52 standards replaced the old IPPF.
- Anchor control evaluation to COSO’s 2013 Internal Control–Integrated Framework: five components, 17 principles, four risk-assessment principles (6-9). Use it top-down, not bottom-up.
- The assurance gap is real. 96% of audit plans cover cybersecurity in 2026, but only 48% of CAEs say they are highly confident in the assurance they can provide — the gap is where your risk-based internal audit earns its budget.
- Budgets are tightening. The IIA’s 2026 Pulse shows more functions reporting cuts than increases for the first time this cycle. A risk-based internal audit is how you prove every dollar lands on material risk.
- Use the IIA Three Lines Model to separate ownership, oversight, and assurance — then stop doing work the first or second line should be doing.
- In 2026, a credible risk-based internal audit has three must-test topics on the plan: cybersecurity, third-party risk, and AI governance. The IIA’s Topical Requirements make these non-optional.
This is a working practitioner’s guide to a risk-based internal audit that survives a new-standards peer review, a tightening budget, and a board that has learned to ask sharper questions.
It is written for CAEs, audit managers, and audit committee chairs who need to translate the 2024 IIA Global Standards and COSO’s Internal Control–Integrated Framework into a scope, a plan, and a set of reports the organization will actually use.
The sections below replace guesswork with a defensible sequence: build the risk universe, score inherent and residual risk, apply COSO top-down, test the right controls, and close the assurance gap the Pulse data has put in plain view.
Why the Old Internal Audit Playbook Broke — and What Replaced It
The historic audit-calendar model — pick a cycle, rotate through departments, test controls, publish a report — collapses under three pressures the 2025/2026 environment is not going to relax.
First, risk velocity. IBM’s 2025 Cost of a Data Breach report puts the global average cost of a single breach at USD 4.44 million, and Gartner’s 2026 audit hot-spots research flags cybersecurity, data governance, and regulatory compliance as the three risks consuming the largest share of audit hours.
Second, standards pressure. The 2024 IIA Global Standards collapse the old IPPF into a single framework of five domains, 15 principles, and 52 standards — all of which presume a risk-based internal audit spine.
Third, budget reality. The 2026 Pulse shows the share of functions reporting budget cuts rose year over year, while increases fell.
A risk-based internal audit is what lets you cover more risk with fewer hours without lying to the audit committee about it.

What replaced the old playbook is a risk-based internal audit that starts at the enterprise risk universe, maps coverage to board-approved risk appetite, and re-scores itself quarterly as conditions change. It treats the annual plan as a hypothesis, not a contract.
What a Risk-Based Internal Audit Actually Is (and Isn’t)
A risk-based internal audit is an assurance approach in which the entire audit plan, engagement scope, procedures, and reporting priorities are driven by the organization’s most material risks to strategy, operations, reporting, and compliance (the four objective categories COSO’s enterprise risk management framework uses; the 2013 Internal Control–Integrated Framework names three: operations, reporting, and compliance). It is not a style of testing.
It is not a rebranded SOX program. It is not a synonym for “we look at risky areas more often.” Those are symptoms. The defining feature is that nothing on the plan exists unless it traces back to a named risk, a named owner, and a defensible inherent/residual risk score.
This distinction matters because the old debate in the original article — auditors accusing risk functions of being too generic, risk functions accusing auditors of being too granular — dissolves under a proper risk-based internal audit.
Both sides are looking at the same risk universe. The risk function describes the enterprise exposure. Internal audit decomposes that exposure into the processes and controls that deliver (or fail) the expected risk response. The register and the audit plan are two views of the same object.
Risk-Based Internal Audit vs. Traditional Cyclical Audit
| Dimension | Traditional cyclical audit | Risk-based internal audit |
|---|---|---|
| Starting point | Audit universe of departments/processes | Enterprise risk universe tied to strategy |
| Plan cadence | Annual, fixed rotation | Annual baseline, quarterly re-score, dynamic plan |
| Scope driver | Prior-year scope, materiality, rotation | Inherent risk × residual risk × board appetite |
| Reporting | Department-level findings | Risk-level assurance with trajectory and KRI link |
| Standards alignment | Old IPPF, pre-2024 | 2024 IIA Global Standards; COSO 2013; Three Lines Model |
| CAE accountability | Delivered the plan | Delivered assurance over top risks — and said so where they couldn’t |
The Risk-Based Internal Audit Lifecycle — Six Steps That Each Produce an Artifact
A credible risk-based internal audit runs through six sequential steps. Each produces a tangible artifact the audit committee can inspect and the third line can evidence against the 2024 Standards.
Skipping any one of them is how “risk-based” quietly decays back into cyclical auditing with a new name.

Step 1 — Build the Risk Universe (Not Just an Audit Universe)
A risk universe is the comprehensive inventory of the risks that could materially affect your organization’s strategy and objectives, mapped to the processes, systems, third parties, and geographies that expose the firm to them.
Build it with the CRO, not in isolation. Pull from the enterprise risk register, the strategy document, regulatory inventories, external horizon scans (the IIA Risk in Focus report is a good cross-check), and incident data. A risk-based internal audit that starts from a list of departments has already lost the thread.
Step 2 — Score Inherent Risk Against Board-Approved Appetite
Rate each risk on likelihood and impact before controls. Use the same scale the enterprise risk function uses — typically a 1-5 likelihood and a 1-5 impact, with impact calibrated in the units the board already uses (capital, EBITDA, customer SLA, safety events).
Anchor to the board’s risk appetite statement so you are comparing like to like. A risk-based internal audit without a visible appetite line is just a register with colored squares.
Step 3 — Evaluate Control Design With COSO (Top-Down, Not Bottom-Up)
This is where most programs stall. Adopt the top-down COSO approach: begin with the risk and the assertion, identify the control objective, then find the specific controls that meet that objective — general or application, preventive or detective, manual or automated.
Use the COSO 2013 five-component structure: control environment, risk assessment, control activities, information and communication, and monitoring activities. Each component carries principles (17 total).
The four risk assessment principles (6-9) are where most risk-based internal audit design evaluations succeed or fail.

Step 4 — Rate Residual Risk After Control Effectiveness
Inherent risk minus control effectiveness equals residual risk. Test at least design effectiveness for every top-quartile risk; test operating effectiveness where the financial statement, regulatory, or customer impact warrants it.
Do not default the control risk rating to maximum without first evaluating control design and implementation. External audit standards (PCAOB AS 2110, and SAS 145 under US GAAS) require inherent and control risk to be assessed separately and identified controls to be evaluated for design and implementation; a maximum rating reached without that work is unsupported rather than conservative. A risk-based internal audit that gives itself a free pass on control testing is no longer risk-based.
Step 5 — Build the Plan and Allocate Hours to Residual Risk
Allocate audit hours to the highest residual risks first, then cover the must-do regulatory work (SOX, internal controls over financial reporting, topical requirements), then everything else.
The plan is a defensible capital-allocation document, not a wish list. Any engagement that cannot state the specific risk and the appetite threshold it tests does not belong on the plan.
Step 6 — Execute, Report, Monitor, Refresh
Execute engagements, report findings at the risk level (not just the departmental level), monitor management action plans to closure, and refresh inherent and residual risk scores at least quarterly.
The IIA’s 2026 synergy research shows functions that refresh scores more than once a year close more findings on time and report higher audit committee satisfaction.
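The scoring and allocation logic of Steps 2 through 5, as an added worked example that is not part of the original article and not IIA or COSO methodology: a small Python model that rejects any risk without a named owner or an evaluated control design, scores inherent risk as likelihood times impact on the shared 1-5 scales, credits control effectiveness to derive residual risk, puts top-quartile residual risks and appetite breaches on the plan, spreads the non-reserved hours in proportion to residual score, and holds back a 15% reserve for event-driven work. The control-credit percentages, the 1-25 appetite thresholds, and the risk entries are constructed assumptions.

```python
"""Risk-scoring and hour-allocation model for a risk-based audit plan.

Added example; the scales, the control-credit mapping and the allocation rule
are assumptions for illustration, not IIA or COSO methodology.
"""
from dataclasses import dataclass
from math import ceil
from typing import Optional

# Share of inherent exposure a control is credited with removing, keyed by
# (design conclusion, operating-effectiveness conclusion). Assumed values.
CONTROL_CREDIT = {
    ("effective", "effective"): 0.75,
    ("effective", "not_tested"): 0.40,
    ("effective", "ineffective"): 0.20,
    ("ineffective", "not_tested"): 0.00,
    ("ineffective", "ineffective"): 0.00,
}


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str                     # named executive owner; blank is rejected
    likelihood: int                # 1-5, the scale the ERM function uses
    impact: int                    # 1-5, calibrated in board units
    appetite: float                # board threshold on the same 1-25 product scale
    design: Optional[str] = None   # "effective" | "ineffective" | None = not evaluated
    operating: str = "not_tested"  # "effective" | "ineffective" | "not_tested"


def validate(r: Risk) -> None:
    """Reject entries that cannot trace to a named owner or a supported score."""
    if not r.owner.strip():
        raise ValueError(f"{r.name}: no named owner")
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.name}: likelihood and impact must be 1-5")
    if r.design is None:
        # Step 4 caveat: never default control risk; design must be evaluated first
        raise ValueError(f"{r.name}: control design not evaluated")
    if (r.design, r.operating) not in CONTROL_CREDIT:
        raise ValueError(f"{r.name}: unknown control conclusion")


def inherent_score(r: Risk) -> int:
    """Likelihood x impact before any control is considered."""
    return r.likelihood * r.impact


def residual_score(r: Risk) -> float:
    """Inherent exposure reduced by the credit given to the evaluated control."""
    validate(r)
    return round(inherent_score(r) * (1 - CONTROL_CREDIT[(r.design, r.operating)]), 2)


def build_plan(risks, total_hours: int, reserve_share: float = 0.15) -> dict:
    """Plan top-quartile residual risks plus any appetite breach, spread the
    non-reserved hours in proportion to residual score, list the rest as
    monitored, and hold back a reserve for event-driven engagements."""
    scored = sorted(((residual_score(r), r) for r in risks),
                    key=lambda t: t[0], reverse=True)
    top_quartile = {r.name for _, r in scored[:ceil(len(scored) / 4)]}

    def on_plan(score, risk):
        return risk.name in top_quartile or score > risk.appetite

    planned = [(s, r) for s, r in scored if on_plan(s, r)]
    reserve = round(total_hours * reserve_share)
    plannable = total_hours - reserve
    weight = sum(s for s, _ in planned) or 1  # guard: all residuals zero
    return {
        "planned": [
            {"risk": r.name, "owner": r.owner, "residual": s,
             "hours": round(plannable * s / weight),
             "reason": "top quartile" if r.name in top_quartile else "above appetite"}
            for s, r in planned
        ],
        "monitored": [r.name for s, r in scored if not on_plan(s, r)],
        "reserve_hours": reserve,
    }


# Constructed risk universe for the example (not real data).
RISK_UNIVERSE = [
    Risk("Ransomware on core platforms", "CIO", 5, 5, 8, "effective", "not_tested"),
    Risk("Payment processor concentration", "CFO", 3, 5, 8, "effective", "ineffective"),
    Risk("GenAI model in credit decisions", "CRO", 4, 4, 6, "ineffective"),
    Risk("Payroll processing", "CHRO", 2, 3, 6, "effective", "effective"),
    Risk("Office lease renewals", "COO", 2, 2, 6, "effective", "effective"),
    Risk("Travel expense claims", "CFO", 3, 2, 6, "effective"),
    Risk("Data centre physical access", "CISO", 2, 4, 8, "effective", "effective"),
    Risk("Marketing vendor spend", "CMO", 3, 3, 8, "effective"),
]

if __name__ == "__main__":
    plan = build_plan(RISK_UNIVERSE, total_hours=2000)
    for entry in plan["planned"]:
        print(entry)
    print("monitored:", plan["monitored"], "| reserve hours:", plan["reserve_hours"])
    try:  # an unevaluated control is refused, not scored at maximum by default
        residual_score(Risk("Untested area", "COO", 3, 3, 6))
    except ValueError as exc:
        print("rejected:", exc)
```

Run as written, the plan carries three engagements (the GenAI model and ransomware from the top quartile, the payment processor because its residual of 12 breaches an appetite of 8) with 633, 593 and 474 hours, five monitored risks, and a 300-hour reserve. The untested entry is rejected rather than silently scored, which is the Step 4 caveat enforced in code; the proportional rounding can drift by an hour on other inputs and is not meant as a scheduling tool.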
The Three Lines Model — Where a Risk-Based Internal Audit Actually Fits
A risk-based internal audit is the third line. The first line owns the risk and runs the control. The second line sets methodology, frames appetite, challenges first-line judgment, and aggregates for the board.
The third line — internal audit — provides independent assurance on whether the first two are doing what they claim. When any line collapses into another, the assurance breaks.
The original article’s call to “get the team together and make sure everyone knows their part” understated how often that sentence is exactly what is missing.

| Line | Role in the risk-based internal audit system | What goes wrong when it collapses |
|---|---|---|
| First line — Management | Owns risk, designs and operates controls, self-identifies issues | “Internal audit will find it” culture — controls get soft |
| Second line — Risk, compliance, QA | Frames appetite, methodology, aggregation; challenges the first line | Risk function becomes scorekeeper, not challenger |
| Third line — Internal audit | Independent assurance on design and effectiveness of 1st/2nd line | Audit does 2nd-line work; loses independence; board loses assurance |
| Governing body — Audit Committee | Oversees; holds management accountable; approves RBIA plan | Rubber-stamps plans; no challenge; no evidence trail |
Closing the 2026 Assurance Gap — Cyber, AI, Third Party
The biggest gap in a 2026 risk-based internal audit is not scope. It is confidence. IIA Pulse data and Gartner both show audit plans covering the right topics; the gap is that CAEs do not feel confident signing off on the assurance. That gap compounds every month it stays open.

Three specific actions close it. First, adopt the IIA Topical Requirements as plan anchors. The Cybersecurity Topical Requirement is already in force; the third-party risk topical requirement opened for public comment in 2025 and is expected to become a mandatory plan component.
A risk-based internal audit that skips the Topical Requirements will fail its next external quality assessment under the 2024 Standards.
Second, bring AI governance into the plan as a standalone engagement, not a subsection of IT audit. Use NIST’s AI Risk Management Framework and the Generative AI Profile (released July 2024) as the criteria.
EY’s 2026 internal audit AI guidance and PwC’s Responsible AI guidance are useful reference patterns. Test model inventory, provenance, bias testing, and human-in-the-loop controls — not just GenAI acceptable-use policies.
Third, escalate third-party concentration. The DTEX 2026 Insider Risk Report and IBM 2025 breach report both show third-party involvement in breaches near 30%.
A risk-based internal audit should audit concentration, substitutability, and exit time — not just whether the vendor questionnaire was returned.

Traditional Audit vs. Risk-Based Internal Audit — A Side-by-Side
The fastest way to ground a board conversation is to show the two operating models next to each other.
A cyclical audit plan and a risk-based internal audit plan can look superficially similar on a cover page — the difference is in what drives the scope, where the hours land, and what the audit committee hears at the end.
| Dimension | Traditional cyclical audit | Risk-based internal audit |
|---|---|---|
| Plan anchor | Department or process rotation | Enterprise risk universe mapped to strategy |
| Scoping trigger | Calendar cycle (3-5 years) | Inherent risk, appetite breach, or KRI signal |
| Hour allocation | Even spread across audit universe | Concentrated on top-quartile residual risk |
| Control evaluation | Narrative walkthroughs, default control risk | COSO design + operating effectiveness, evidence-of-conformance |
| Refresh cadence | Annual plan; SALY common | Quarterly re-scoring; plan flexes with risk |
| Reporting lens | Activity report — what was audited | Assurance report — what residual risk remains, with trajectory |
| Primary standards | Legacy IPPF language, cycle-based | 2024 IIA Global Standards, COSO 2013, ISO 31000, Topical Requirements |
| Budget defensibility | Hard to justify when cuts come | Every hour tied to a named, quantified risk |
Risk-Based Internal Audit Approaches and Delivery Modes
“Risk-based internal audit” is the operating philosophy. Within it, mature functions pick from a toolkit of audit approaches and delivery modes depending on the risk, the speed required, and the maturity of the control environment.
The 2024 IIA Global Standards do not prescribe one — they prescribe that the choice be deliberate and documented.
Five Risk-Scoping Approaches
Top-down approach. Start from enterprise objectives and board-level risks, decompose into processes and controls, then test. Best for strategic and financial statement risk. This is the default for a risk-based internal audit plan under the IIA Practice Guide.
Bottom-up approach. Start from processes, transactions, and control activities; aggregate exceptions into risk themes. Useful when the risk register is immature and the function needs to build one from observed reality.
Risk Control Self-Assessment (RCSA). Business units self-score likelihood, impact, and control effectiveness; audit validates a sample and challenges outliers.
Scales assurance into areas that the plan cannot reach directly, and feeds the risk universe at low cost.
Continuous auditing. Automated, rules-based testing of full populations — journal entries, access provisioning, third-party payments — with exception workflow.
Shortens detection latency from months to days and materially offsets the budget squeeze the Pulse trendline captured.
Event-driven audits. Triggered by a KRI breach, a regulatory action, a cyber incident, or a material change (acquisition, new product, system migration).
The plan reserves capacity — typically 15-20% of hours — for these engagements rather than trying to pre-schedule everything.
Five Delivery Modes That Match the Risk
Rapid assurance. One-week fieldwork sprints on tightly scoped risks. Ideal when the audit committee needs a point-of-view before the next quarterly meeting, or when a regulator has put a deadline on the table.
Project assurance. Embedded, real-time feedback during a transformation — core banking migration, ERP implementation, AI model deployment.
Controls are tested as they are built, not after go-live when the cost of rework is 10x higher.
Facilitated self-assessment. Audit facilitates a risk-and-control workshop with process owners; the output is owned by management but validated by audit.
Builds control culture in second-line and first-line teams without consuming direct audit hours.
Maturity-model assessments. Frame assurance as a journey — CMMI-style levels against NIST CSF 2.0, NIST AI RMF, or a bespoke model. Gives the audit committee a trajectory, not just a point-in-time rating, and makes the forward plan self-evident.
Data analytics-led engagements. Full-population testing, anomaly detection, and benchmark analysis as the primary evidence source, with targeted walkthroughs to confirm.
The ISACA Journal has documented data-analytics approaches consistently producing 3-5x the finding density of sample-based testing.
Leading risk-based internal audit functions document, for each engagement, which approach and which delivery mode they chose and why.
That single paragraph in the planning memo is what the external quality assessor looks for under the 2024 Standards.
Where Risk-Based Internal Audit Programs Stall — And How to Unstick Them
Seven failure patterns show up in quality assessments and post-mortems. Each has a clean remedy, and each quietly erodes board trust while it goes unaddressed.
| Pitfall | Root cause | Remedy |
|---|---|---|
| Audit universe is a list of departments | Plan built bottom-up from legacy cycle | Replace with a risk universe mapped to strategy and the enterprise risk register |
| Inherent risk scored without board appetite | No quantified appetite statement or it is not shared with audit | Adopt the CRO’s appetite statement in the risk-based internal audit methodology — literally the same numbers |
| Control testing defaults to maximum control risk | Time pressure; legacy habits | Require design evaluation on every top-quartile risk before any control-risk conclusion; an unevaluated maximum rating is unsupported under SAS 145 (US GAAS) and undocumented under the 2024 IIA Standards |
| SALY mindset — “same as last year” plan | Risk re-scoring happens annually or not at all | Quarterly plan refresh against re-scored risks; document what changed and why |
| Cyber and AI buried inside IT audit | Organizational inertia; unclear ownership | Standalone engagements with NIST CSF 2.0 and NIST AI RMF as criteria |
| Third-party audits stop at questionnaire review | Procurement owns vendor data; audit never tests concentration | Test concentration, exit time, and substitutability — and audit the vendor, not just the file |
| Audit committee gets activity reports, not assurance | Reports map to departments, not risks | Rewrite the quarterly pack as risk-level assurance with trajectory arrows and KRI links |
The Best Practices That Separate Leading Risk-Based Internal Audit Functions
Across the programs that clear an external quality assessment under the 2024 IIA Global Standards with minimal findings, three operating practices stand out.
Practice 1 — A Living Risk Universe, Not an Annual Snapshot
The leading risk-based internal audit functions refresh their risk universe at least quarterly and maintain a data feed from enterprise risk, compliance, incident management, and KRI platforms.
When a KRI breaches amber, the plan flexes inside the quarter. When a new regulation drops — DORA, the EU AI Act, SEC climate disclosure — the universe absorbs it in weeks, not at the next annual planning workshop.
Practice 2 — Top-Down COSO Evaluation With Evidence-of-Conformance Mindset
The 2024 Standards require “evidence of conformance” for every principle the function claims. Leading practices bake the evidence trail into the workpapers: every control evaluated, every judgment documented, every deviation from the methodology called out.
Use the top-down COSO method to scope — start with the financial statement or risk objective, move to entity-level controls, then down to significant accounts and transactions.
A risk-based internal audit that cannot produce evidence-of-conformance will struggle under the new Standards.
Practice 3 — Continuous Auditing and Monitoring in the Critical Risks
For the top cyber, financial, and third-party risks, periodic testing is no longer enough. Continuous controls monitoring, analytics-driven sampling, and automated evidence collection shorten the gap between control failure and audit detection from months to days.
The IIA CAE Bulletin (January 2026) highlighted continuous auditing as one of the few capabilities that meaningfully offsets budget and staff cuts. A risk-based internal audit without continuous coverage of at least three top risks is leaving capability on the table.
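Continuous auditing as described under the risk-scoping approaches above and in Practice 3, as an added illustration that is not the article’s own material: Python rules run over a full population of constructed access-provisioning events and journal entries, producing an exception queue with severity, control owner and status, and suppressing exceptions already raised by an earlier run so the daily cycle only surfaces what is new. The record layout, rule names, business-hours window, thresholds and all data are assumptions.

```python
"""Continuous-auditing rules over a full population of access-provisioning
events and manual journal entries, with an exception queue.

Added example; the record layout, rule names, thresholds and data are
assumptions constructed for illustration.
"""
from datetime import datetime

# Constructed reference feeds (not real data).
TERMINATED_USERS = {"u.patel"}                  # from the HR leaver feed
APPROVED_TICKETS = {"CHG-1041", "CHG-1044"}     # from the change-management system

# Constructed full-population extracts for one daily run.
ACCESS_EVENTS = [
    {"id": "A1", "user": "j.smith", "role": "sap_admin", "requested_by": "j.smith",
     "approved_by": "j.smith", "ticket": "CHG-1041", "ts": "2026-02-03T10:15:00"},
    {"id": "A2", "user": "m.ng", "role": "ap_clerk", "requested_by": "m.ng",
     "approved_by": "r.lee", "ticket": "CHG-1044", "ts": "2026-02-03T11:02:00"},
    {"id": "A3", "user": "u.patel", "role": "treasury_ops", "requested_by": "u.patel",
     "approved_by": "r.lee", "ticket": "CHG-1090", "ts": "2026-02-04T09:30:00"},
]
JOURNAL_ENTRIES = [
    {"id": "JE-1", "user": "m.ng", "amount": 3250.17, "manual": True, "ts": "2026-02-03T14:10:00"},
    {"id": "JE-2", "user": "j.smith", "amount": 50000.00, "manual": True, "ts": "2026-02-03T23:48:00"},
    {"id": "JE-3", "user": "batch", "amount": 120000.00, "manual": False, "ts": "2026-02-04T02:00:00"},
    {"id": "JE-4", "user": "m.ng", "amount": 9999.00, "manual": True, "ts": "2026-02-04T16:45:00"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


# Each rule returns (record id, severity) for every hit in the population.
def rule_self_approval(events):
    """Approver is the beneficiary or the requester: segregation-of-duties breach."""
    return [(e["id"], "high") for e in events
            if e["approved_by"] in (e["user"], e["requested_by"])]


def rule_missing_ticket(events, tickets):
    """Access granted without an approved change ticket."""
    return [(e["id"], "high") for e in events if e["ticket"] not in tickets]


def rule_terminated_user(events, terminated):
    """Access granted to a user on the HR leaver feed."""
    return [(e["id"], "critical") for e in events if e["user"] in terminated]


def rule_after_hours_manual(entries, start=7, end=19):
    """Manual journal posted outside the assumed 07:00-19:00 business window."""
    return [(j["id"], "medium") for j in entries
            if j["manual"] and not (start <= datetime.fromisoformat(j["ts"]).hour < end)]


def rule_round_manual_amount(entries, threshold=10_000):
    """Manual journal at or above the threshold with a whole-number amount."""
    return [(j["id"], "medium") for j in entries
            if j["manual"] and j["amount"] >= threshold and j["amount"] == int(j["amount"])]


def run_rules(events, entries, tickets, terminated, seen=None):
    """Run every rule over the full population and return the new exceptions,
    ordered by severity. (rule, record) pairs already in `seen` are skipped so a
    daily run does not re-raise what is already in the workflow."""
    seen = set() if seen is None else seen
    checks = [
        ("access.self_approval", "IAM lead", rule_self_approval(events)),
        ("access.missing_ticket", "IAM lead", rule_missing_ticket(events, tickets)),
        ("access.terminated_user", "IAM lead", rule_terminated_user(events, terminated)),
        ("je.after_hours_manual", "Financial controller", rule_after_hours_manual(entries)),
        ("je.round_manual_amount", "Financial controller", rule_round_manual_amount(entries)),
    ]
    queue = []
    for rule, owner, hits in checks:
        for rec_id, severity in hits:
            if (rule, rec_id) in seen:
                continue
            seen.add((rule, rec_id))
            queue.append({"rule": rule, "record": rec_id, "severity": severity,
                          "owner": owner, "status": "open"})
    queue.sort(key=lambda x: (SEVERITY_RANK[x["severity"]], x["record"]))
    return queue, seen


if __name__ == "__main__":
    queue, seen = run_rules(ACCESS_EVENTS, JOURNAL_ENTRIES, APPROVED_TICKETS, TERMINATED_USERS)
    for item in queue:
        print(item)
    rerun, _ = run_rules(ACCESS_EVENTS, JOURNAL_ENTRIES, APPROVED_TICKETS, TERMINATED_USERS, seen)
    print("new exceptions on rerun:", len(rerun))
```

On the sample data the first run raises five exceptions: a critical grant to a terminated user (A3), two high segregation and ticket failures (A1 and A3), and two medium journal flags on the same after-hours round-amount posting (JE-2); the second run over the same population raises none, which is the dedupe step a real exception workflow needs so owners see each item once. A production version would read the extracts from the source systems and write the queue to the ticketing tool; the rule bodies stay the same.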
The Next Wave — Where Risk-Based Internal Audit Is Heading in 2026-2028
Three shifts will separate leading risk-based internal audit functions from laggards in the next three years.
First, AI-assisted auditing becomes table stakes. Generative AI is already being used to draft workpaper summaries, surface anomalies, and automate evidence collection.
Expect it to compress the hours-per-engagement metric materially by 2027 — and to force a conversation with the audit committee about how AI-generated evidence is validated.
Second, Topical Requirements expand. The IIA has signaled further Topical Requirements beyond cybersecurity and third-party risk, including environmental and social reporting assurance linked to IFRS S2 and the EU Corporate Sustainability Reporting Directive.
A risk-based internal audit that builds capacity now will not have to retrofit under examiner pressure.
Third, independent assurance over the risk function itself becomes the norm. As the second line matures and takes on more automated risk work, internal audit will spend proportionally more of its hours auditing the risk function’s models, data, and judgments.
This is healthy — and it is explicitly contemplated by the 2024 IIA Global Standards’ domain on performance.
Risk-Based Internal Audit Glossary
Terms the 2024 IIA Global Standards, COSO 2013, and ISO 31000 use — translated into language the audit committee can follow in a single reading.
| Term | Working definition |
|---|---|
| Risk universe | The full inventory of risks that could affect strategy, operations, reporting, and compliance — the starting point of a risk-based internal audit plan. |
| Inherent risk | Exposure before any controls are considered. Scored on likelihood × impact against board appetite. |
| Residual risk | Exposure after the control environment is evaluated. What actually lands on the plan. |
| Risk appetite | The level of risk the board is willing to accept in pursuit of objectives, expressed in quantified limits wherever possible. |
| Evidence of conformance | 2024 Standards term — documented proof that each claimed principle is being applied in practice, available for external quality assessment. |
| Topical Requirement | Mandatory IIA guidance on a specific risk domain (cybersecurity, third-party) that must be embedded in every risk-based internal audit plan where the risk is present. |
| Three Lines Model | The IIA’s 2020 governance model separating management ownership of risk (1st line), risk and compliance oversight (2nd line), and independent assurance (3rd line). |
| KRI (Key Risk Indicator) | A forward-looking metric with amber and red thresholds that signals rising exposure before an incident; feeds the risk universe refresh cycle. |
| SALY | “Same as last year” — the anti-pattern of copying the prior-year plan. A failure mode the risk-based approach exists to eliminate. |
| Continuous auditing | Automated, full-population testing with exception workflow, as opposed to periodic sample-based testing. |
Frequently Asked Questions About Risk-Based Internal Audit
What is a risk-based internal audit in simple terms?
A risk-based internal audit is an assurance approach in which the audit plan, scope, and testing are driven by the organization’s most material risks to strategy, operations, reporting, and compliance — rather than by a fixed cycle of departments or processes.
The function starts with the risk universe, scores inherent and residual risk against board-approved appetite, and allocates its limited hours to where the organization is most exposed.
How is a risk-based internal audit different from a traditional audit?
A traditional cyclical audit rotates through departments on a set schedule and tests controls because the calendar says to.
A risk-based internal audit tests controls because a specific, named risk warrants it, and skips areas where residual risk is within appetite.
The difference shows up in the annual plan: traditional plans look like a rotation schedule; risk-based plans look like a capital-allocation document.
Which standards govern a risk-based internal audit in 2026?
The 2024 IIA Global Internal Audit Standards, effective 9 January 2025, are the primary framework — five domains, 15 principles, 52 standards, and a growing set of Topical Requirements on cybersecurity, third-party risk, and (likely) sustainability.
Control evaluation is anchored to COSO’s 2013 Internal Control–Integrated Framework. For public companies, PCAOB standards and SOX still apply.
For financial services, Basel, DORA, and local prudential regulators add layers. A credible risk-based internal audit maps to all of them.
How do you build a risk universe for a risk-based internal audit?
Start with the enterprise risk register from the CRO. Add strategy risks from the strategic plan, regulatory obligations from the compliance inventory, and incident data from the past 18-24 months.
Map each risk to the processes, systems, third parties, and geographies that expose the firm. Validate with business unit leaders, then score inherent risk against the board’s risk appetite. The universe is living — refresh it quarterly.
How do you score risks in a risk-based internal audit?
Use the same scale the enterprise risk function uses — typically 1-5 likelihood and 1-5 impact, with impact expressed in the units the board already uses (capital ratio, EBITDA, customer SLA, safety incidents, compliance fines).
Score inherent risk first, then credit control effectiveness to get residual risk. Do not default control risk to maximum without evaluating control design: SAS 145 (US GAAS) requires separate inherent and control risk assessments with an evaluation of design and implementation, and the 2024 IIA Standards require a documented engagement risk assessment that a default rating cannot support. The top-quartile residual risks drive the plan; the rest are monitored.
Who owns the risk-based internal audit plan — the CAE or the audit committee?
The Chief Audit Executive (CAE) builds and proposes the risk-based internal audit plan; the audit committee approves it; management is consulted but does not own it.
The 2024 IIA Standards are explicit that the CAE reports functionally to the board, which in most organizations means the audit committee, and only administratively to management.
Where that reporting line is weak, independence erodes and the plan gets shaped by the people it is meant to assure — the most common failure pattern in external quality assessments.
How often should a risk-based internal audit plan be refreshed?
Annually as a formal baseline, approved by the audit committee; quarterly as a light-touch re-score against KRIs, incidents, regulatory change, and new strategic initiatives; and on-demand whenever a material event occurs — a breach, a regulatory action, an acquisition, a rating downgrade.
Functions that only refresh annually are running a risk-based internal audit in name only.
What is the biggest mistake organizations make with risk-based internal audit?
Treating it as a methodology label rather than an operating model. The name change is easy.
The hard part is actually scoping from a risk universe, accepting that some departments will not be audited this year because their residual risk does not warrant it, and defending that choice to management teams who expected their annual visit.
A risk-based internal audit that cannot say “we are not auditing that” is still a traditional audit in new packaging.
If your risk-based internal audit function is preparing for its first external quality assessment under the 2024 IIA Global Standards — or rebuilding the plan around the Topical Requirements — the work is less about templates and more about judgment: where to cover, where to trust, where to say “this is not on the plan.”
Our team helps CAEs and audit committees build risk universes, rescore residual risk, wire up continuous auditing, and land a risk-based internal audit that survives a peer review and a recession.
See our risk advisory services or contact the team for a scoping call.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
