Internal audit risk assessment is the structured process of identifying, evaluating, and ranking the auditable entities and risks that warrant assurance coverage. It produces the risk-based audit plan required by IIA Global Internal Audit Standard 9.4. Done well, it concentrates audit resources where they matter and gives the audit committee a defensible answer to "why this work, in this order, with this depth?"
This guide walks through the methodology step by step, with examples a CAE or audit director can use this quarter.
The Four-Layer Model
The risk assessment that produces a defensible audit plan operates at four layers. Most audit functions skip one or more and discover the gap during their QAR.
| Layer | Output | Why it matters |
|---|---|---|
| 1. Audit universe | Comprehensive inventory of auditable entities (processes, systems, business units, third parties) | You can't risk-rank what you haven't inventoried |
| 2. Risk identification | List of risks per entity, mapped to ERM where possible | Without this, scoring is generic |
| 3. Risk evaluation | Scoring of each entity / risk across defined factors | The basis for prioritization |
| 4. Audit plan derivation | Sequenced engagements with coverage logic | The deliverable the audit committee actually sees |
Skipping layer 1 leads to "I didn't know we had that vendor exposure." Skipping layer 2 leads to entity-level scoring that misses material risks within entities. Skipping layer 3 produces generic high-medium-low rankings that don't survive challenge. Skipping layer 4 produces a list that doesn't actually plan the year.
Step 1: Build (or Refresh) the Audit Universe
The audit universe is the comprehensive list of everything the audit function could potentially provide assurance on. It typically includes:
- Business units / functions (Finance, HR, IT, Operations, etc.)
- Processes (Order-to-cash, procure-to-pay, payroll, etc.)
- Systems / applications (ERP, HRIS, CRM, key SaaS)
- Third parties (Critical vendors, outsourced functions)
- Compliance programs (SOX, GDPR, AI Act, sector-specific)
- Topical Requirement applicability (Cybersecurity, Third-Party, Organizational Behavior per IIA TRs)
Practical sources to build it:
- Org chart for business units
- Process inventory (or finance process narratives from SOX)
- Application portfolio from IT (or your SOX system inventory)
- Third-party risk register from procurement / vendor management
- Compliance register from legal / compliance
- ERM register as a sanity check
A common mistake is letting the universe drift to ~200 entries because every project, every team, every system became its own entry. A good universe is granular enough to risk-rank meaningfully (typically 40-150 entities depending on company size) but not so granular that it becomes unmanageable.
For a methodology specifically focused on building the universe, see How to Build an Audit Universe.
Step 2: Identify Risks at Entity Level
For each auditable entity, identify the risks that, if they materialized, would cause material harm. The output is a risk register entry per entity, ideally cross-referenced to the ERM risk register where one exists.
Risk identification sources:
- ERM risk register (where one exists)
- Prior audit findings (historical issue patterns)
- External risk signals (industry incidents, regulatory updates, peer-company disclosures)
- Management interviews (process owners often know risks the formal register misses)
- Topical Requirement requirements (mapped to relevant entities)
- Continuous monitoring outputs (where the function operates continuous monitoring)
This is where AI can meaningfully accelerate the work. Drafting an initial risk list from an entity description, industry, and framework context takes hours manually; AI can produce a first-pass list in minutes. The auditor reviews, edits, and approves. As we wrote in our agentic audit testing analysis, the right model is AI as preparer, human as reviewer.
Step 3: Define and Apply Risk Factors
This is the step that most often fails QAR. Audit functions adopt generic risk factors that don't match their organization's risk profile, then score against them inconsistently across entities.
A defensible risk scoring framework has five characteristics:
- Factors tailored to organizational context — not borrowed wholesale
- 5-10 factors total — fewer and you lose nuance; more and you can't apply consistently
- Weighted to sum to 100% — explicit weighting forces prioritization
- Scored on a defined scale (typically 1-5) — with anchor descriptions per score level
- Scoring rationale documented per entity — not just a number, the reason for the number
A representative factor set for mid-market internal audit might look like:
| Factor | Weight | What it measures |
|---|---|---|
| Financial materiality | 20% | Revenue, expense, or asset exposure tied to the entity |
| Regulatory exposure | 15% | Penalty risk, license risk, public reporting requirements |
| Process complexity | 10% | Manual processes, system integration count, exception volume |
| Control environment | 15% | Maturity of preventive controls, prior findings, tone at top |
| Change | 15% | Recent process / system / leadership change |
| Audit history | 10% | Time since last audit + significant prior findings |
| Topical Requirement applicability | 10% | TR coverage required (Cyber / Third-Party / Org Behavior) |
| Fraud susceptibility | 5% | Inherent exposure to fraud given access and flows |
Weights and factors should be reviewed annually with the CAE and discussed with the audit committee. They are not arbitrary; they are an articulation of the function's risk philosophy.
A worked example
Take a mid-size company's "Vendor Management" process as the entity:
- Financial materiality: 4/5 (significant spend through vendor ecosystem)
- Regulatory exposure: 4/5 (Third-Party TR effective September 2026)
- Process complexity: 3/5 (moderate — multiple onboarding workflows)
- Control environment: 3/5 (control matrix exists but not formally tested)
- Change: 5/5 (new vendor management platform implemented last year)
- Audit history: 5/5 (not audited in past three years)
- Topical Requirement applicability: 5/5 (Third-Party TR directly applicable)
- Fraud susceptibility: 3/5 (moderate — segregation issues possible)
Weighted score: (4×0.20) + (4×0.15) + (3×0.10) + (3×0.15) + (5×0.15) + (5×0.10) + (5×0.10) + (3×0.05) = 3.95 out of 5.
This is a high-risk entity that almost certainly belongs in the year's audit plan. The scoring rationale is documented and defensible.
Step 4: Derive the Audit Plan
The risk assessment is not the audit plan. The plan derives from the assessment by:
- Sorting entities by composite risk score
- Applying coverage logic — high-risk = audit this year; medium-risk = audit in 2-year cycle; low-risk = audit in 3-year cycle (or risk-acceptance with documented rationale)
- Applying resource constraint — total estimated hours can't exceed the function's capacity, so the cut line is where capacity ends
- Adding mandatory engagements — SOX, regulatory-required audits, follow-up audits regardless of risk score
- Adding management-requested advisory — non-assurance work the function takes on
- Documenting deferrals — entities that didn't make the cut and the rationale
The output is the audit plan presented to the audit committee. It should answer three questions the committee will inevitably ask:
- "Why are these entities in the plan and others not?"
- "How does this align to the most significant enterprise risks?"
- "What changed from last year and why?"
The risk assessment methodology, the entity scoring, and the coverage-logic explanation should make those answers straightforward.
Where 2026 Changes the Game
Three forces are reshaping internal audit risk assessment in 2026:
IIA Topical Requirements
Cybersecurity (effective February 2026), Third-Party (September), and Organizational Behavior (December) impose explicit risk-assessment expectations. Every applicable entity needs explicit TR consideration in scoring, and the function must document non-applicability where exclusions are intentional. See our Topical Requirements deep dive for the full implementation framework.
AI in risk assessment
AI now accelerates the most labor-intensive parts of risk assessment: external risk signal scanning, draft risk identification, and rationale drafting. Audit committees will increasingly ask how AI was used. The right response is documented AI involvement, human review, and explicit acknowledgment in methodology documentation. AI must not make the final risk ranking call; that remains a CAE judgment.
Continuous risk assessment
Annual-only risk assessment is increasingly insufficient. The audit functions producing the strongest QAR outcomes in 2026 operate a continuous-update model: formal annual assessment plus quarterly lighter-weight updates driven by significant change events. The platform supporting this should make refresh cheap, not painful.
A Common Failure Mode: The Risk Assessment That Wasn't
The most common QAR finding on risk assessment is not "the methodology is wrong." It's "the methodology was applied inconsistently" or "the documented rationale doesn't match the scoring."
This happens when:
- The risk register is in a spreadsheet that's been version-thrashed
- Scoring rationale lives in someone's head but not in the file
- Updates throughout the year were verbal, not documented
- The "audit plan" presented to the committee doesn't trace back to the risk assessment
The fix is operational, not methodological: the risk register, scoring, and plan derivation need to live in a system that enforces traceability, version-controls changes, and makes the audit-plan-to-risk-assessment linkage explicit.
A Practical Quarterly Cadence
For a function with steady-state operation:
- Q1: Full annual risk assessment refresh and audit plan approval
- Q2: Light-touch update — check for significant change events; update TR applicability
- Q3: Mid-year reassessment — major risk changes? Plan adjustments?
- Q4: Pre-annual prep — start gathering data for next year's full refresh
A mature function with this rhythm rarely needs to do a "big risk assessment" because the asset is always current.
How Audvera Supports This
Audvera's risk register is canonical at the tenant level, with engagement-level scoring sidecars that preserve audit-trail history. Each engagement's risk assessment links back to the canonical risk register, with full version history per change. AI-suggested risks and risk-control linkages preserve preparer/reviewer signoff so the audit trail shows who ran the assistant and who reviewed it.
If you want to see what risk assessment looks like in Audvera, start with a free risk assessment — describe your audit scope and Audvera will draft an initial risk identification you can review and tailor.