| Key Takeaways |
| An internal audit risk assessment is the systematic process of identifying, scoring, and prioritizing auditable entities across the organization to build a risk-based internal audit plan. The 2025 IIA Global Internal Audit Standards (effective January 9, 2025) require the Chief Audit Executive to base the audit plan on a documented risk assessment. |
| The assessment process has five steps: define the audit universe, identify risk factors, score each auditable entity, prioritize and build the audit plan, and obtain board approval. Each step produces a specific deliverable that satisfies IIA Standards and audit committee expectations. |
| Risk scoring should use weighted risk factors across six dimensions: strategic importance, financial materiality, operational complexity, control maturity, regulatory exposure, and change velocity. This multi-factor model replaces arbitrary gut-feel prioritization. |
| The 2025 IIA Standards introduced mandatory Topical Requirements for high-risk areas including cybersecurity, third-party risk, and organizational behavior. Internal audit risk assessments must now determine whether these Topical Requirements apply to planned engagements. |
| Coordination with second-line functions (risk management, compliance) is a 2025 Standards requirement. The CAE must consult with heads of other assurance providers to align risk assessments and minimize coverage gaps or duplication. |
| Only 26% of organizations have strong cross-functional collaboration on risk with a holistic view (KPMG 2025). Internal audit’s risk assessment can bridge this gap by providing an independent, enterprise-wide view of where risk and control weaknesses concentrate. |
| A 90-day roadmap takes the internal audit function from ad hoc audit planning to a fully documented, risk-based audit plan aligned with the 2025 IIA Standards and approved by the audit committee. |
The Institute of Internal Auditors (IIA) published its updated Global Internal Audit Standards (“The Redbook”) effective January 9, 2025.
The standards require the Chief Audit Executive (CAE) to develop a risk-based internal audit plan grounded in a documented risk assessment that considers the organization’s strategies, objectives, and risks.
This is not new in concept, but the 2025 standards sharpen the requirement: the CAE must now consult with second-line functions, consider Topical Requirements for specific high-risk areas (cybersecurity, third-party risk, organizational behavior), and define KPIs for internal audit performance.
The practical challenge remains: how does an internal audit function actually build a risk-based plan from scratch? Only 26% of organizations have strong cross-functional collaboration on risk with a holistic view (KPMG, 2025).
The McKinsey 2025 Global GRC Benchmarking Survey found that 42% of risk function respondents said their GRC system usage needs improvement. Internal audit’s risk assessment is the mechanism that connects these dots: by independently assessing risk across the entire enterprise risk management landscape, internal audit provides the board with a view that neither management nor the second line can deliver alone.
This guide provides the complete internal audit risk assessment framework: five steps from audit universe definition through board approval, a multi-factor risk scoring model, alignment to the 2025 IIA Standards, COSO ERM, and ISO 31000. Each section includes practitioner-ready tables and a 90-day implementation roadmap.
What Is an Internal Audit Risk Assessment?
An internal audit risk assessment is the process by which the internal audit function identifies all auditable entities in the organization (the audit universe), evaluates the risk level of each entity, and uses the results to prioritize the annual internal audit plan.
The assessment answers one question: given limited audit resources, where should internal audit focus to provide the greatest value?
Internal Audit Risk Assessment vs. Enterprise Risk Assessment
| Dimension | Internal Audit Risk Assessment | Enterprise Risk Assessment (ERM) |
| Purpose | Prioritize internal audit engagements based on risk. Build the annual audit plan. | Identify, assess, and manage all risks to the organization’s strategic objectives. |
| Scope | Auditable entities: business units, processes, systems, projects, third parties. | All risk categories: strategic, operational, financial, compliance, cyber, ESG. |
| Owner | Chief Audit Executive (CAE). Third line of defense. | Chief Risk Officer (CRO). Second line of defense. |
| Output | Risk-ranked audit universe. Risk-based internal audit plan. Board-approved engagement schedule. | Enterprise risk register. Risk heat map. Risk appetite compliance report. Board risk pack. |
| Frequency | Annually (with quarterly updates as conditions change). | Continuous monitoring with quarterly reassessment and annual comprehensive review. |
| Standards | IIA Global Internal Audit Standards 2025 (Domain 9: Internal Audit Plan). | ISO 31000. COSO ERM. Industry-specific regulations. |
| Relationship | Internal audit uses the ERM risk assessment as a key input, but conducts its own independent assessment to determine audit priorities. | ERM provides the organizational risk landscape. Internal audit provides independent assurance over ERM effectiveness. |
The key principle: internal audit’s risk assessment is independent from management’s risk assessment.
The CAE should consider the ERM risk register, management’s self-assessments, and second-line function outputs as inputs.
But the CAE forms an independent view on where the highest-risk, lowest-assurance areas are. This independent perspective is the core value the three lines model assigns to internal audit.
The Five-Step Internal Audit Risk Assessment Process
The process below aligns with the 2025 IIA Global Internal Audit Standards (Domain 9: Internal Audit Plan), the IIA’s Practice Guide on developing a risk-based internal audit plan, and COSO ERM principles.
| Step | Objective | Key Activities | IIA Standards Alignment | Output |
| 1 | Define the Audit Universe | List all auditable entities: business units, functions, processes, systems, projects, third parties, and geographic locations. Group entities logically. Update annually based on organizational changes. | Domain 9.1: The CAE must identify and assess risks relevant to the organization. | Audit universe register (complete list of auditable entities with descriptions and owners). |
| 2 | Identify Risk Factors | Select the risk factors that will drive scoring. Common factors: strategic importance, financial materiality, operational complexity, control maturity, regulatory exposure, and change velocity. Weight each factor based on organizational priorities. | Domain 9.1: Assessment must consider the organization’s strategies, objectives, and risks. | Risk factor catalogue with definitions, scoring scales, and weights. |
| 3 | Score Each Auditable Entity | Apply the risk factors to every entity in the audit universe. Use a consistent scoring scale (e.g., 1-5 per factor). Calculate weighted composite scores. Rank from highest to lowest risk. | Domain 9.2: The plan must be risk-based and consider input from management, the board, and other assurance providers. | Scored audit universe. Risk heat map. Ranking of entities by composite score. |
| 4 | Build the Risk-Based Audit Plan | Map high-risk entities to planned engagements. Allocate audit resources proportional to risk. Identify entities that will not be audited this cycle and document the rationale. Check coverage against Topical Requirements (cyber, third-party, organizational behavior). | Domain 9.3: The plan must identify the engagements to be performed, their objectives, scope, timing, and resource needs. | Draft internal audit plan with engagement descriptions, resource allocation, and timeline. |
| 5 | Obtain Board Approval | Present the risk assessment methodology, the scored audit universe, and the proposed plan to the audit committee. Obtain formal approval. Document any changes requested by the board. | Domain 9.4: The board must review and approve the internal audit plan and any significant changes. | Board-approved internal audit plan. Audit committee meeting minutes. |
The Multi-Factor Risk Scoring Model
The risk scoring model converts qualitative judgment into a structured, defensible ranking. The six risk factors below cover the dimensions that drive audit risk in most organizations.
Each factor is scored 1-5 per auditable entity and weighted based on organizational priorities. The table provides the scoring scales.
Six-Factor Internal Audit Risk Scoring Model
| Factor (Weight) | Score 1 | Score 2 | Score 3 | Score 4 | Score 5 | Why This Factor Matters |
| Strategic Importance (20%) | Minimal link to strategy | Supports one objective | Directly enables a strategic objective | Critical to multiple objectives | Mission-critical; failure threatens organizational viability | High-strategy areas warrant audit assurance because failures have enterprise-wide consequences. |
| Financial Materiality (20%) | Revenue/cost < $1M | $1M-$10M | $10M-$50M | $50M-$200M | > $200M | Larger financial exposures justify deeper audit coverage to protect against material misstatement or loss. |
| Operational Complexity (15%) | Simple, stable process with few handoffs | Moderate complexity; some manual steps | Complex process with multiple systems and handoffs | Highly complex; cross-functional with external dependencies | Extreme complexity; novel technology, unproven processes | Complexity creates more failure points and control gaps that internal audit should examine. |
| Control Maturity (20%) | Robust, tested controls with zero recent findings | Adequate controls with minor findings | Controls exist but have gaps; moderate findings | Weak controls; significant findings or repeat issues | No controls or recently failed audit; major findings | Weak control environments are the highest audit priority. This factor inverts: lower maturity = higher risk score. |
| Regulatory Exposure (15%) | No regulatory requirements | Low regulatory scrutiny | Moderate regulation with periodic examination | Heavily regulated with active examination cycle | Subject to consent order, enforcement action, or critical regulatory finding | Regulatory penalties and sanctions create direct financial and reputational damage. |
| Change Velocity (10%) | No significant changes in 12+ months | Minor changes (staff, process tweaks) | Moderate changes (new system, reorganization) | Major changes (M&A, new product, technology migration) | Transformational change (business model shift, regulatory overhaul) | Change destabilizes controls. Newly changed processes are more likely to have gaps than stable ones. |
Composite Score = (Strategic x 0.20) + (Financial x 0.20) + (Complexity x 0.15) + (Control Maturity x 0.20) + (Regulatory x 0.15) + (Change x 0.10). Entities scoring 4.0-5.0 are Priority 1 (audit annually).
Entities scoring 3.0-3.9 are Priority 2 (audit every 2 years). Entities scoring 2.0-2.9 are Priority 3 (audit every 3 years or on a rotational basis). Below 2.0, include in the universe but audit only if triggered by a specific event.
Worked Example: Scoring the Audit Universe
A mid-sized financial services company has 25 auditable entities in its universe. The CAE scores each entity using the six-factor model. The table below shows the top 10 entities ranked by composite score.
Top 10 Auditable Entities by Risk Score
| # | Auditable Entity | Strat | Fin | Cmplx | Ctrl | Reg | Chg | Score | Priority |
| 1 | Anti-Money Laundering (AML) Program | 5 | 4 | 4 | 3 | 5 | 4 | 4.15 | P1 – Audit This Year |
| 2 | Cybersecurity Operations Center | 5 | 3 | 5 | 3 | 4 | 4 | 3.95 | P1 – Audit This Year |
| 3 | Lending Origination Process | 4 | 5 | 4 | 3 | 4 | 3 | 3.85 | P1 – Audit This Year |
| 4 | Third-Party Vendor Management | 4 | 3 | 4 | 2 | 4 | 4 | 3.45 | P2 – Audit Next Year |
| 5 | Cloud Infrastructure Migration (Project) | 3 | 3 | 5 | 2 | 3 | 5 | 3.30 | P2 – Audit Next Year |
| 6 | Customer Onboarding (KYC/CDD) | 4 | 3 | 3 | 3 | 5 | 3 | 3.55 | P2 – Audit Next Year |
| 7 | Financial Reporting Close Process | 3 | 5 | 3 | 4 | 3 | 2 | 3.45 | P2 – Audit Next Year |
| 8 | Business Continuity Planning | 4 | 2 | 3 | 2 | 3 | 3 | 2.85 | P3 – Rotational |
| 9 | Employee Expense Management | 2 | 2 | 2 | 3 | 2 | 2 | 2.25 | P3 – Rotational |
| 10 | Facilities Management | 2 | 2 | 2 | 4 | 1 | 1 | 2.15 | P3 – Rotational |
The top three entities (AML, Cybersecurity, Lending) all score above 3.8 and are scheduled for audit this year. Entity #2 (Cybersecurity) also triggers the IIA Cybersecurity Topical Requirement, which means the audit engagement must conform to the mandatory requirements in that Topical Requirement. Entity #4 (Third-Party Vendor Management) triggers the Third-Party Topical Requirement for the following year. This linkage between the risk score and mandatory Topical Requirements is a 2025 Standards innovation that the scoring model must accommodate.
Aligning to the 2025 IIA Global Internal Audit Standards
The 2025 IIA Standards (“The Redbook”) are organized into five domains and 15 principles with 52 standards.
The risk assessment process primarily maps to Domain 9 (Internal Audit Plan), but alignment points exist across multiple domains. The table below maps the assessment activities to specific standards.
| Assessment Activity | 2025 IIA Standard | What the Standard Requires | How to Demonstrate Conformance |
| Define the audit universe | Standard 9.1: Assessing Risks | The CAE must identify and assess risks relevant to the organization, considering strategies, objectives, and risks. | Document the audit universe with clear criteria for inclusion/exclusion. Link entities to organizational objectives. |
| Consult with second-line functions | Standard 9.2: Planning Engagements | The CAE must consider input from management, the board, and other assurance providers when planning. | Document meetings with CRO, compliance officer, and other second-line heads. Record their input and how the input influenced the plan. |
| Score and prioritize entities | Standard 9.1: Assessing Risks | The risk assessment must be documented and used as the basis for the audit plan. | Maintain the scored audit universe register. Archive the scoring methodology and factor weights. |
| Check Topical Requirement applicability | Standard 13.2: Engagement Risk Assessment | Internal auditors must determine whether Topical Requirements apply to planned engagements. | Document the assessment of Topical Requirement applicability for each engagement. Retain rationale for exclusions. |
| Build the audit plan | Standard 9.3: Developing the Internal Audit Plan | The plan must identify engagements, their objectives, scope, timing, and resource needs. | Produce a formal audit plan document with all required elements. Include resource allocation and timeline. |
| Obtain board approval | Standard 9.4: Communicating and Obtaining Approval | The board must review and approve the plan and any significant changes during the year. | Present the plan to the audit committee. Record approval in meeting minutes. Communicate any mid-year changes. |
| Define audit KPIs | Standard 11.1: Performance Measurement | The CAE must define KPIs for internal audit performance. | Establish KPIs such as plan completion rate, stakeholder satisfaction, time to issue reports, and findings closure rate. |
The 2025 Standards also require the CAE to establish a quality assurance and improvement program (QAIP).
The risk assessment methodology should be part of the QAIP, subject to periodic internal assessment and at least one external quality assessment every five years. Internal audit risk assessment provides additional guidance on integrating the assessment with the broader audit methodology.
Coordinating with ERM and Second-Line Functions
The 2025 IIA Standards explicitly require the CAE to consult with second-line functions. This coordination serves three purposes: avoiding duplication of assurance effort, identifying coverage gaps, and leveraging existing risk data to enrich the audit risk assessment.
The three lines model provides the governance structure. The table below maps the coordination touchpoints.
| Second-Line Function | What They Provide to Internal Audit | What Internal Audit Provides to Them | Coordination Mechanism |
| Enterprise Risk Management (CRO) | Enterprise risk register. Risk appetite statement. Top 10 enterprise risks. Emerging risk scan. | Independent assurance over ERM effectiveness. Identification of risks not captured in the ERM register. | Annual meeting to share risk assessments. Quarterly alignment check on top risks. |
| Compliance / Regulatory | Compliance risk assessment. Regulatory examination findings. Compliance monitoring results. | Assurance over compliance program effectiveness. Testing of regulatory controls. Root cause analysis of compliance failures. | Semi-annual meeting to align compliance and audit priorities. Shared findings register. |
| Information Security (CISO) | Vulnerability scan results. Cyber incident data. Security maturity assessments. Threat intelligence. | Independent assurance over cybersecurity controls. Testing of incident response procedures. Assessment against NIST CSF or ISO 27001. | Quarterly meeting to review cyber risk landscape. Shared access to vulnerability data. |
| Quality / Operations | Process performance data. Quality metrics. Operational KPIs. Internal control testing results. | Assurance over control effectiveness. Process improvement recommendations. Root cause analysis of operational failures. | Integrated assurance mapping exercise to identify coverage gaps. |
The IIA’s Practice Guide on developing a risk-based internal audit plan recommends building an assurance map: a matrix showing all auditable entities against the assurance activities performed by each line of defense.
Gaps in the map (entities with no assurance coverage) become high-priority candidates for the audit plan. Overlaps (entities covered by both second and third line) become candidates for coordination to reduce effort without losing assurance quality.
Assessing Internal Control Effectiveness
Internal control assessment is a core skill within the audit risk assessment process. The COSO Internal Control framework (2013) provides the five-component model: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
Internal audit evaluates both the design effectiveness (are the right controls in place?) and operating effectiveness (are the controls working as intended?) of these components. The table below provides the assessment criteria.
Control Effectiveness Assessment Criteria
| Component | Design Effectiveness Question | Operating Effectiveness Question | Common Finding | Impact on Audit Risk Score |
| Control Environment | Does tone from the top support ethical behavior and control consciousness? | Are ethical standards consistently enforced? Do employees perceive accountability? | Leadership overrides controls. Ethical tone inconsistent across business units. | Weak control environment raises the Control Maturity factor score to 4-5 (highest risk). |
| Risk Assessment | Has management identified risks to objectives and assessed their likelihood and impact? | Are risk assessments updated when conditions change? Do they drive resource allocation? | Risk assessments are stale. No link between identified risks and control investments. | Absent or outdated risk assessment raises complexity and control maturity scores. |
| Control Activities | Are preventive and detective controls designed to address identified risks? | Are controls performed consistently? Do exceptions get investigated and resolved? | Segregation of duties violations. Reconciliations performed but not reviewed. Automated controls not validated after system changes. | Control gaps directly increase the Control Maturity factor (inverse scoring: worse controls = higher risk). |
| Information and Communication | Is relevant information captured and communicated to support control functioning? | Do reports reach the right people on time? Are communication channels effective? | Management reports delayed. Data quality issues. No escalation protocol for control deviations. | Communication failures reduce the effectiveness of all other controls, amplifying residual risk. |
| Monitoring Activities | Are ongoing evaluations and separate evaluations designed to assess control performance? | Do monitoring results lead to corrective action? Are deficiencies tracked to closure? | Monitoring exists but findings are not acted upon. Repeat findings from prior audits. | Weak monitoring means control degradation goes undetected, increasing the frequency of material findings. |
The control assessment results feed directly back into Step 3 of the audit risk assessment process (scoring the audit universe).
An entity with strong controls across all five COSO components receives a low Control Maturity score (1-2), reducing its overall risk ranking and potentially deferring the next audit. An entity with significant control findings receives a high score (4-5), pushing the entity to the top of the audit plan.
This feedback loop ensures the audit plan responds dynamically to actual control conditions, not just perceived risk.
Implementation Roadmap
| Phase | Actions | Deliverables | Success Metrics |
| Days 1-30: Foundation | Define the audit universe (list all auditable entities). Select and weight the six risk factors. Design the scoring methodology and composite score formula. Meet with the CRO, CISO, and compliance officer to gather second-line risk data. Review the 2025 IIA Standards for Domain 9 requirements. | Audit universe register (complete). Risk factor catalogue with definitions, scales, and weights. Scoring methodology document. Second-line consultation meeting notes. | Audit universe covers 100% of organizational functions. Scoring methodology approved by the CAE. Second-line consultations documented. |
| Days 31-60: Score and Plan | Score every entity in the audit universe using the six-factor model. Rank entities by composite score. Map Priority 1 entities to planned engagements. Check Topical Requirement applicability. Allocate resources and set the annual timeline. Build the draft audit plan. | Scored audit universe with composite rankings. Risk heat map. Draft internal audit plan with engagement descriptions, scope, timing, and resource allocation. Topical Requirement applicability assessment. | All entities scored. Top 10 entities aligned to planned engagements. Topical Requirement review completed. Draft plan reviewed by CAE. |
| Days 61-90: Approve and Launch | Present the risk assessment methodology and proposed audit plan to the audit committee. Incorporate board feedback. Obtain formal approval. Define internal audit KPIs (plan completion rate, time to report, stakeholder satisfaction). Launch first engagement. | Board-approved internal audit plan. Audit committee presentation and meeting minutes. KPI definitions and baseline measurements. First engagement kicked off. | Audit plan approved by the board. KPIs defined and baselined. First Priority 1 engagement commenced within 90 days of plan approval. |
Common Pitfalls and How to Avoid Them
| Pitfall | Root Cause | Remedy |
| Audit plan based on rotation rather than risk | The function audits every entity on a 3-year cycle regardless of risk level, giving equal attention to low-risk facilities management and high-risk AML compliance. | Score the audit universe using the multi-factor model. Allocate audit days proportional to risk. Low-risk entities rotate on 3-5 year cycles; high-risk entities are audited annually. |
| Risk assessment done by the CAE alone without second-line input | The CAE builds the plan independently, missing risks identified by compliance, risk management, or information security. | Schedule formal consultation meetings with CRO, CISO, and compliance heads annually. Document their input and show how the input influenced the plan. |
| Audit universe is stale and does not reflect organizational changes | The universe was defined three years ago. New business lines, systems, and third-party relationships are absent. | Refresh the audit universe annually at minimum. Add entities triggered by M&A, new products, system implementations, or regulatory changes. |
| Scoring model is not documented or defensible | Scoring relies on the CAE’s judgment without a documented methodology. Audit committee members cannot understand why certain areas were prioritized. | Document the scoring model with factor definitions, scales, and weights. Present the methodology alongside the plan. Archive for quality assessment evidence. |
| Topical Requirements ignored in planning | The internal audit function does not assess whether new IIA Topical Requirements (cybersecurity, third-party, organizational behavior) apply to planned engagements. | Add a Topical Requirement applicability check to Step 4 of the process. Document the assessment for each engagement and retain the rationale. |
| No mid-year adjustment mechanism | The plan is approved in January and followed rigidly through December, even when significant risks emerge mid-year. | Build a quarterly plan update process. Reserve 10-15% of audit capacity for unplanned engagements. Present mid-year plan changes to the audit committee. |
Looking Ahead: Internal Audit Risk Assessment Trends 2025-2027
The 2025 IIA Standards represent the profession’s most significant evolution in a decade. Topical Requirements for cybersecurity, third-party risk, and organizational behavior are now mandatory when the risk assessment leads to these areas being audited.
Additional Topical Requirements for privacy, sustainability/ESG, and IT governance are expected in 2026-2027, expanding the scope of what internal audit must cover and how the risk assessment must evaluate these domains.
AI is entering the audit risk assessment process. Data analytics tools can now score the audit universe continuously rather than annually, incorporating real-time KRI feeds, incident data, and financial trends.
Organizations deploying AI-driven risk scoring identify emerging audit priorities weeks earlier than manual assessment cycles. AI risk assessment frameworks will also become audit subjects themselves, requiring internal audit to assess the governance, bias controls, and data integrity of AI models used across the organization.
Integrated assurance is becoming the expected operating model. Rather than internal audit, risk management, and compliance each conducting separate assessments, leading organizations build assurance maps that show all coverage across all three lines.
The 2025 IIA Standards support this through the coordination requirement, and the trend will accelerate as boards demand consolidated assurance views rather than fragmented reports from each function.
GRC frameworks and enterprise risk management programs that integrate internal audit’s risk assessment with second-line monitoring create a unified risk intelligence capability that no single function can achieve alone.
The internal audit functions that will deliver the most value are those that treat the risk assessment as a continuous, data-driven process rather than an annual compliance exercise.
When the scored audit universe updates quarterly, when KRI feeds trigger mid-year plan adjustments, and when second-line coordination eliminates coverage gaps, the risk-based audit plan becomes a true strategic asset that the board relies on to understand where the organization is most vulnerable and what is being done about the vulnerabilities.
Ready to build a risk-based internal audit plan? Visit riskpublishing.com to access internal audit risk assessment guides, RCSA resources, and risk register templates. Need a tailored audit planning workshop? Contact our consulting team to design a risk-based audit methodology aligned to the 2025 IIA Standards.
References
1. IIA Global Internal Audit Standards 2025 (The Redbook) — Institute of Internal Auditors
2. IIA Topical Requirements — Institute of Internal Auditors
3. IIA Practice Guide: Developing a Risk-Based Internal Audit Plan — Institute of Internal Auditors
4. 2025 IIA Standards: Key Changes and Considerations — Cherry Bekaert
5. Implementing the IIA’s Global Internal Audit Standards — PwC
6. IIA Standards Update: Value for Executive Management and Boards — Plante Moran
7. Navigating the New IIA Internal Audit Standards — Ideagen
8. COSO Enterprise Risk Management Framework — Committee of Sponsoring Organizations
9. ISO 31000:2018 Risk Management Guidelines — International Organization for Standardization
10. The State of Enterprise Risk Management, 2025 — Forrester Research
11. 2025 KPMG Risk and Resilience Survey — KPMG International
12. 2025 Global GRC Benchmarking Survey — McKinsey & Company
13. IIA Three Lines Model — Institute of Internal Auditors
14. Cybersecurity and Internal Auditing: Risk-Based Approach to IIA Standards — AuditBoard
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.