Risk-Based Internal Audit Training

In This Training You Will Learn:

  • What risk-based internal auditing is and what it's not.
  • The Risk-Based Internal Audit Framework – only available in this training.
  • Risk management basics.
  • How to transform your internal audit activity to a truly risk-based function.
  • How to develop a risk-based internal audit plan.

More detailed information about the book this training is based on is included below.


About This Course

Risk based internal auditing is about identifying the key objectives of an organization and selecting the top risks threatening the attainment of those objectives.

This course enables participants to effectively identify the top objectives and risks in their organizations to provide input on developing a risk based internal audit plan. We discuss risk management basics, including how to identify, assess, evaluate, mitigate and monitor risks, to aid in understanding the risk management principles necessary to perform risk based audits. The differences between traditional internal auditing and auditing using a risk-based approach are also discussed.

Through lectures and practical group interaction, discussions, and exercises, participants will develop the skills necessary to effectively plan and perform risk based internal auditing at their organization.

This course can be taught in a 3, 4, or 5 day format.  Participants can also qualify for the Certified Risk Based Auditor (CRBA) certification from the International Academy of Business and Financial Management (IABFM), with the certification option.

  • Learn the components of the Risk-Based Internal Audit Framework and how to implement it at your internal audit activity
  • Understand the history of internal audit and why risk based internal auditing is the future of auditing
  • Understand the basics of risk management
  • How to sell the concept of risk based internal audit to your management and board of directors
  • Know how to develop a risk-based audit universe and audit plan
  • Learn how to identify audit engagements that address the highest risks to your organization

Five-Day Outline

Day One

  • The “Big Picture” of business
  • Understanding performance, risk and compliance in relation to internal audits
  • Definition of internal auditing
  • Types of internal audits
  • Internal audit professional standards
  • The evolving role of internal audit
  • The future of internal audit
  • Audit universe approaches
  • The use of frameworks
  • The Risk-Based Internal Audit Framework

Day Two

  • Understanding external and internal context
  • Understanding and assessing culture
  • Understanding stakeholders
  • Understanding objectives and strategies
  • The nature of risk
  • Identifying opportunities, threats and requirements
  • Identification methods
  • Inherent and residual risk
  • Risk analysis criteria and decision-making guidelines
  • Risk appetite
  • Risk tolerance
  • Risk capacity
  • Assessing reward, risk and compliance
  • How to measure risk
  • Responding to risks: (Terminate, Tolerate, Treat, or Transfer)
  • Internal controls

Day Three

  • Risk standards: (ISO 31000, COSO Enterprise Risk Management, OCEG GRC Capability Framework)
  • Risk language issues and risk models
  • The role of internal audit in risk facilitation
  • Relationship between risk and internal audit
  • Acceptable and unacceptable involvements of internal auditing in the risk management process
  • Fraud
  • Identifying and assessing fraud risks
  • Elements in an effective fraud detection program
  • Developing the audit universe
  • Audit plan development
  • Integrating the risk based audit plan into the overall risk agenda

Day Four

  • Planning a risk-based internal audit
  • Performing a risk-based internal audit
  • Assessing residual risk for the audit project
  • Report writing
  • Reporting results to management and the audit committee
  • Audit committee matrix
  • Monitoring management action plans
  • Coordinating efforts with other assurance providers
  • Use of specialists

Day Five

  • Review
  • CRBA Exam
  • Conclusion

  1. Learn risk management principles and the difference between the various risk management frameworks
  2. Identify the highest risks to your organization meeting its objectives
  3. Gain an understanding of the Risk-Based Internal Audit Framework and how to apply it at your organization
  4. Develop a truly risk-based internal audit plan, not just risk rank an audit universe based on something other than organizational objectives
  5. Understand how to apply a risk-based approach at the audit engagement level

Jason Mefford is a sought-after adviser and speaker on ethics, corporate governance, GRC, compliance and internal audit topics. He is currently the President of Mefford Associates, a professional training, coaching and boutique advisory firm.

Jason has spent years teaching business professionals all over the world, and is consistently rated as one of the leading experts and most effective trainers in the world.  He is also the author of a book on Risk-Based Internal Auditing and was a contributing author on the OCEG GRC Capability Model v3.0.

Jason has been the chief audit executive at two different multi-billion-dollar manufacturing companies.  His role also included being in charge of information security and being the Chief Ethics and Compliance Officer and Chief Risk Officer.  Prior to that he was a manager at both Arthur Andersen and KPMG, performing internal and external audits and advisory services for clients in various industries.  He was also a national instructor at both firms.

Jason has experience training organizations all over the world in governance, risk management, compliance, internal controls and internal audit topics.  He has years of experience with manufacturing, food, agribusiness, financial services, retail, healthcare, government, technology, oil & gas, real estate and construction companies.

Jason is a Certified Internal Auditor (CIA), Certified Public Accountant (CPA), Governance, Risk Management and Compliance Professional (GRCP), GRC Auditor (GRCA), Certified Risk Based Auditor (CRBA), Certificate in Risk Management Assurance (CRMA), Certified Government Auditing Professional (CGAP) and Certified Internal Controls Auditor (CICA).

He is a member of the Institute of Internal Auditors (IIA) and has been an active IIA volunteer serving at the local and international level. He is currently an OCEG Fellow with the Open Compliance and Ethics Group (OCEG), a nonprofit think tank that uniquely helps organizations drive Principled Performance® by enhancing corporate culture and integrating governance, risk management, and compliance processes. He is also the Managing Director of GRC Certify, the certification body for OCEG.

He has been recognized by Yale University as a rising star in corporate governance, and was a finalist for the Corporate Secretary Magazine rising star in corporate governance award.


The IABFM™ is a professional association governed by an advisory Board of standards and a membership code of ethics and standards of practice. The IABFM™ operates as a ‘society’ or non-profit association, with the members of the local or regional chapter making up the ‘owners’ of the society.

Our Internationally Accredited and Certified programs focus on providing professionals, industry experts and highly qualified individuals with the most updated and practical skills and competencies through continuous training in their respective areas of expertise.

Through our extensive expertise in Financial Management, Risk, HR, Operations, Business and Strategy, IABFM ensures that our management certificates impact the career of professionals and help companies to improve their operations and increase their overall profitability.

Why choose IABFM Certification?

The IABFM Certifications demonstrate your high-level achievement of standards in skills, professional knowledge and best practice in your corporate role:

  • Help you earn credibility and respect in your company.
  • Open more opportunities for advancement.
  • Increase your salary. Certified professionals earn up to 18% more than their non-certified peers.
  • Demonstrate your commitment to your profession.
  • Advance your skills and knowledge.
  • Represent your personal achievement.
  • Build confidence in your own knowledge of the profession.


Why Risk-Based Internal Auditing?

Historically the internal audit profession has focused mainly on accounting and financial controls for areas to audit.  This makes perfect sense.  Most internal auditors have an accounting or finance background.  Many of them have worked as external financial statement auditors or in accounting departments of organizations.  The significant majority have accounting degrees.  Many internal audit activities also report to the Chief Financial Officer.

This focus on internal controls is also completely in line with what we have been taught about what is wrong with organizations over the last 30 plus years.  Internal auditors have been seen as the group to help make sure organizations stay out of trouble, so it would make sense that they focus on areas where organizations have been in trouble.

In the late 1970s and 1980s, in the wake of foreign corruption scandals and the savings and loan debacle, people started asking questions.  So many questions that the United States Congress established the Treadway Commission to answer why all of these businesses were failing and why these corruption issues were occurring.  The conclusion was – internal controls were lacking.  The 1992 COSO Internal Control Framework was introduced as the answer to our problems.

Fast forward to ethical issues which led to financial failures in the early 2000s.  Major business failures – including the largest bankruptcies in history – again plagued the world.  Those same questions were asked again and the answer again was – we need better internal controls, this time around financial reporting.  The Sarbanes-Oxley Act of 2003 was introduced as the answer to our problems.

Fast forward again to 2008 with the global financial meltdown and recession.  The answer this time was a failure in risk management – the lack of formality and internal controls around risk management.  The increased interest in the last few years in improving risk management processes and the controls around risk management is now seen as the answer.

Focusing only on internal controls will not stop organizations from failing.  It hasn’t so far and it won’t in the future.  The reason is: lack of internal controls is not what causes organizations to fail.  Organizations fail because they don’t meet their objectives.  They do this by either not making it through or around their obstacles, or finding themselves on the outside of the mandatory and voluntary boundaries.

We continue to repeat history because we are not learning from the past.  We are continuing to try to solve a problem with the same solution that doesn’t work.  Businesses fail because they fail to meet their objectives, not because they don’t have internal controls.  The sooner we accept this reality and start auditing organizational objectives, the sooner we can help our organizations avoid failure.

Risk based internal auditing is concerned with helping make sure management has actions and controls in place to meet organizational objectives while they are addressing uncertainty and staying within their boundaries.  This focus will increase the relevance and value of internal auditing and help our organizations meet their objectives.

About This Book

Internal auditors are told they need to develop a risk-based audit plan, but many internal audit activities simply risk rank their audit universe and believe that is risk-based auditing. Another common mistake is to identify risks to audit without ever determining if they are relevant to the organization’s objectives.

Risk-based internal auditing is really about aligning the annual audit plan, and corresponding audit projects and efforts, with the objectives of the organization. This book takes a unique approach to risk-based auditing by incorporating risk management and internal audit concepts to create a new Risk-Based Internal Audit Framework, while still being consistent with internal auditing standards.

The risk-based internal auditing framework shows how internal audit activities can consider the key objectives of their organizations, the strategies utilized to meet those objectives, and what major threats, and corresponding risks, cause uncertainty about whether the organization can meet those objectives. This is the basis of risk-based internal auditing.

The risk-based internal auditing framework includes eight related components: Understand, Identify, Assess, Plan, Perform, Report, Information & Communication, and Monitor. The main focus of this book is to explain how to approach the Understand, Identify and Assess components of the framework in an innovative way, improving the overall value internal audit can provide to its organization, instead of testing the same internal controls over and over again.

The principles outlined in this book are applicable to all internal audit activities, regardless of geographic location, industry, or type of organization. They can be used in the private or public sector, for profit or non-profit, large or small organizations. The concepts in this book can be used to improve the audit quality in any organization and ensure the internal audit activity is adding value by focusing on helping the organization meet its objectives, not just adding and testing internal controls. It helps the internal audit activity provide much better assurance on what the governance group and management are really concerned about – meeting the organization’s objectives.

This book provides answers and practical how-to information to help internal audit activities take that next step in the evolution of the internal audit profession. It is a must read for any internal auditor.
