Risk · Audit · Explained
Every bank, every year, has to answer three simple questions: what should we check, how often, and once we’ve checked it — did it pass?
There’s a quiet, sensible machine behind those answers. This is a tour of that machine — no jargon, no formulas, and one everyday picture to hold onto.
Start here
The one idea everything is built on
Forget audit for a second and think about your own health. How worried should a doctor be about you? It comes down to two things: how much could go wrong, and how well you’re looking after it. A 25-year-old marathon runner and a 60-year-old who skips medication can show the same blood-pressure reading and still need very different attention — because the risk that’s left over, after you account for how well it’s managed, is different.
That’s the whole idea. Audit just applies it to branches, departments and IT systems instead of people.
How much could go wrong × how well it’s guarded = how worried we should be
Auditors call these three things inherent risk, controls, and residual risk. That’s the only vocabulary you need.
A large, cash-heavy branch in a high-crime area simply has more that could go wrong than a tiny rural one — that’s its built-in risk. But if that big branch has excellent checks, locks, reviews and disciplined staff, the risk that’s actually left over shrinks. Weak safeguards, and it grows. The audit team’s entire job is to find where the leftover risk is highest and go there first.
How it actually runs
The annual check-up, in four steps
Each step hands something to the next — that hand-off is the part most people never see.
Sizing up the risk — the “file review”
Once a year, before anyone visits anywhere, the team reviews every branch and department like a doctor reading your file before you arrive. They look at what drives built-in risk — size, volumes, complaints, location, past problems — and at how strong each one’s safeguards have been. Out of that comes a single honest verdict for each place: low, medium, high, or very high concern. Auditors call this Risk-Based Internal Audit, or RBIA.
Building the year’s calendar — the “appointment schedule”
That verdict decides how soon each place is seen. A doctor asks a healthy patient back in two years and a fragile one back in three months — same logic here. Very-high-concern units are scheduled within a few months; low-concern ones might wait a year or two. Stack all those appointments together and you have the year’s plan. Auditors call this the Annual Audit Plan.
The actual visit — the “check-up”
When a unit’s turn comes, auditors go in and run their tests — just as a check-up isn’t one number but many: blood pressure, heart, bloods, each examined on its own. They work through a checklist of safeguards and rate each one, from “not working at all” to “excellent.” Anything that scores badly is written down on the spot as an issue to fix. Auditors call this fieldwork, or audit execution.
The report card — the “result”
All those individual scores roll up into one overall result — a percentage and a star rating, the way a check-up ends with a clear summary rather than a pile of raw numbers. Everyone can see at a glance whether the place is in good shape, needs work, or is in trouble. Auditors call this the audit rating.
The assessment decides where to go. The plan decides when. The visit decides what was found. The rating sums it up. Four steps, one conversation.
The clever part
The result changes the next appointment
Here is the bit that makes the whole thing feel alive rather than a once-a-year ritual. When a unit finishes its audit and gets its report card, that result doesn’t just get filed away. It quietly updates the unit’s record — exactly like a worrying check-up result going into your medical file. So when next year’s schedule is drawn up, this place is now treated as higher concern, and it gets seen sooner. A great result, and it earns a longer gap before the next visit.
The loop that closes itself
A branch that scored poorly this year doesn’t wait its usual turn — the bad result pulls its next audit forward automatically. A branch that scored well buys itself a little breathing room.
Nobody has to remember to do this. The result of step 4 becomes an input back into step 1, and the cycle starts again — a little smarter each time. That’s the difference between a plan that just exists and one that actually learns.
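To make the hand-offs between the four steps and the closing loop concrete, here is a small Python model of the cycle. It is an added example, not anything from the original post or from any bank’s or regulator’s actual method: the 1-to-5 driver scores, the linear “inherent × (1 − control effectiveness)” residual formula, the tier thresholds, the visit intervals and the star scale are all constructed assumptions chosen only to show the mechanics.

```python
"""Toy model of the risk-based internal audit (RBIA) cycle.

Constructed for illustration: every scale, threshold and interval below is an
assumption, not a parameter any bank or regulator actually uses.
"""
from dataclasses import dataclass, field

# Step 1 verdict: residual risk (0..5) up to each upper bound maps to a tier.
TIER_THRESHOLDS = [("low", 1.0), ("medium", 2.0), ("high", 3.0), ("very high", 5.0)]
# Step 2 calendar: months until the next visit for each tier (assumption).
INTERVAL_MONTHS = {"low": 24, "medium": 12, "high": 6, "very high": 3}


@dataclass
class Unit:
    """A branch or department as seen in the yearly 'file review'."""
    name: str
    drivers: dict                 # inherent-risk drivers, each scored 1 (low)..5 (high)
    control_effectiveness: float  # 0.0 = safeguards not working, 1.0 = excellent
    ratings: list = field(default_factory=list)  # past audit ratings, in percent


def inherent_risk(unit: Unit) -> float:
    """Built-in risk: the mean of the driver scores, still on the 1..5 scale."""
    return sum(unit.drivers.values()) / len(unit.drivers)


def residual_risk(unit: Unit) -> float:
    """What is left after the safeguards are accounted for.
    Assumption: good controls scale inherent risk down linearly."""
    return inherent_risk(unit) * (1.0 - unit.control_effectiveness)


def tier(residual: float) -> str:
    """Step 1: one verdict per unit: low, medium, high or very high."""
    for name, upper in TIER_THRESHOLDS:
        if residual <= upper:
            return name
    return "very high"


def build_annual_plan(units) -> list:
    """Step 2: the year's calendar as (months until visit, unit name, tier),
    soonest first, so the highest-concern units are seen first."""
    plan = []
    for unit in units:
        verdict = tier(residual_risk(unit))
        plan.append((INTERVAL_MONTHS[verdict], unit.name, verdict))
    return sorted(plan)


def audit_rating(checklist_scores) -> tuple:
    """Steps 3 and 4: roll the per-control scores from fieldwork
    (0 = not working at all .. 4 = excellent) into one percentage and a
    1..5 star rating (one star per full 20 points, minimum one star)."""
    pct = 100.0 * sum(checklist_scores) / (4 * len(checklist_scores))
    stars = min(5, 1 + int(pct // 20))
    return round(pct, 1), stars


def record_result(unit: Unit, checklist_scores) -> str:
    """The feedback loop: the rating goes into the unit's file and becomes the
    control-effectiveness input for the next yearly review. Returns the new tier."""
    pct, _stars = audit_rating(checklist_scores)
    unit.ratings.append(pct)
    unit.control_effectiveness = pct / 100.0
    return tier(residual_risk(unit))


def sample_units() -> list:
    """Constructed sample branches (fresh objects each call)."""
    return [
        Unit("Main Street", {"size": 5, "volume": 5, "complaints": 4,
                             "location": 5, "past_problems": 3}, 0.9),
        Unit("Midtown", {"size": 3, "volume": 4, "complaints": 3,
                         "location": 3, "past_problems": 4}, 0.4),
        Unit("Rural", {"size": 1, "volume": 1, "complaints": 2,
                       "location": 1, "past_problems": 1}, 0.5),
    ]


if __name__ == "__main__":
    units = sample_units()
    print("Year 1 plan:", build_annual_plan(units))
    # Main Street is large but well guarded, so it starts as low concern...
    main_street = units[0]
    print("Main Street before audit:", tier(residual_risk(main_street)))
    # ...until fieldwork scores its safeguards badly; the result updates its
    # file and pulls the next visit from 24 months down to 3.
    print("Rating:", audit_rating([1, 2, 0, 1, 2, 1]))
    print("Main Street after audit:", record_result(main_street, [1, 2, 0, 1, 2, 1]))
    print("Year 2 plan:", build_annual_plan(units))
```

Run as a script, it prints the year-one calendar, then shows the same large branch dropping from a two-year gap to a three-month one purely because its audit result was written back into its record; nothing else in the model has to be told to reschedule it.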
Translation
The same words, said two ways
In an audit meeting you’ll hear one phrase mean two slightly different things. “Risk” during yearly planning is a big-picture judgement about a whole branch. “Risk” during an actual audit is a close-up judgement about one specific thing being tested. Same idea, different zoom. Here’s the plain-English translation:
| In everyday words | What the audit team calls it |
|---|---|
| How much could go wrong here | Inherent risk |
| How good the safeguards are | Controls / control effectiveness |
| What we’re still worried about | Residual risk |
| Reviewing everyone’s risk once a year | Risk-Based Internal Audit (RBIA) |
| The year’s appointment calendar | Annual Audit Plan |
| The actual visit and testing | Fieldwork / audit execution |
| The overall report card | Audit rating (score & stars) |
| A bad result bringing the next visit forward | Repeat / feedback loop |
One sentence to remember — an audit team works out where the leftover risk is highest, visits those places soonest, scores what it finds, and lets each result reshape next year’s schedule, getting sharper every cycle.
Why it matters
Spending attention where it does the most good
None of this is red tape for its own sake. Money, attention and trained people are limited, and you cannot inspect everything everywhere all the time. This machine is simply how a bank spends that limited attention where it’ll do the most good — the same instinct that sends a doctor’s time to the patients who need it most, rather than to whoever happens to walk in first.
And the most reassuring part is how little of it is invented. The same plain idea — how much could go wrong, set against how well it’s guarded — sits underneath the world’s major audit and risk standards. The words get grander; the picture stays exactly this simple.
Written for anyone who’s ever wondered what an internal audit team actually does all year — no accounting background required. If a step here sparked a question, that’s exactly the kind of thing I dig into on DAXified.
In short
Key takeaways
- Risk-based internal audit (RBIA) targets audit effort where the leftover risk is highest, instead of checking everything on a fixed routine.
- The core idea: how much could go wrong × how well it’s guarded = how worried we should be — the risk that’s left over sets the priority.
- It runs as four connected steps: assess the risk → build the annual plan → run the audit → score the result.
- Each audit result feeds back automatically, adjusting how soon a unit is audited next — a poor result pulls the next visit forward.
- It is the framework the RBI mandates for banks, rooted in global standards from the IIA and COSO.
Common questions
Frequently asked questions
What is risk-based internal audit (RBIA)?
Risk-based internal audit is a method where the audit team decides what to audit and how often based on risk. It focuses first on the areas where the most could go wrong and the safeguards are weakest, rather than auditing everything on a fixed routine. It is the model the RBI requires banks to follow.
How is RBIA different from traditional internal audit?
Traditional internal audit checks everything on a fixed cycle. RBIA prioritises by risk: high-risk branches and processes are audited sooner and more often, while low-risk ones are reviewed less frequently — so limited audit resources go where they matter most.
What is the difference between inherent risk and residual risk?
Inherent risk is how much could go wrong in an area before considering any safeguards. Residual risk is what remains after accounting for how well those safeguards, or controls, are working. Audit priority is driven by the residual risk that is left over.
How does a bank decide how often to audit a branch?
The bank assesses each branch’s risk once a year. The higher the leftover risk, the sooner and more frequently the branch is audited — a very-high-risk unit may be reviewed within a few months, while a low-risk one might be audited once every year or two.
What is an audit rating?
After an audit, the individual control scores are combined into one overall result — usually a percentage and a star rating — that summarises how well-controlled the unit is. A poor rating can automatically bring the unit’s next audit forward.
Why does the RBI require risk-based internal audit?
The RBI’s RBIA framework requires scheduled banks to align audit effort with risk, so that attention concentrates on the riskiest areas. This strengthens governance and improves early detection of control weaknesses across the bank.