Frequently Asked Questions (FAQ)

Twenty frequently asked questions and answers on risk-based internal auditing and auditor independence in the public sector:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Risk-based internal auditing is a methodology by which the internal audit activity focuses its efforts on providing assurance and advisory services related to the organization's top risks.

The history of Risk-Based Internal Audit (RBIA) represents a global paradigm shift from a reactive, transaction-based "checker" mentality to a proactive, strategic partnership aligned with Enterprise Risk Management (ERM). Risk-based approaches were formalized in the 1990s when the Committee of Sponsoring Organizations of the Treadway Commission (COSO) introduced the Internal Control–Integrated Framework (1992), which emphasized risk assessment as a key component of internal control. RBIA has since become standard across sectors through the introduction of ERM frameworks such as COSO ERM (Enterprise Risk Management—Integrating with Strategy and Performance), ISO 31000, the NIST Risk Management Framework (RMF), the RIMS Risk Maturity Model, and COBIT (Control Objectives for Information and Related Technologies).

In Bangladesh's public sector, internal audit functions existed in a few ministries, departments and agencies (MDAs), but they were mainly compliance-based. The evolution toward RBIA gained momentum following the Public Moneys and Budget Management Act, 2009, which moved the government away from traditional compliance-based oversight toward modern, systemic evaluations. Under the current Strengthening Public Financial Management (SPFMS) programme reforms, Bangladesh is actively institutionalizing RBIA across high-spending ministries to replace "post-mortem" audits with value-added assessments that identify and mitigate risks before they affect service delivery or public funds.

Internal Audit Standards are maintained through a combination of professional regulation and organizational governance. The Institute of Internal Auditors (IIA) sets and periodically updates the Global Internal Audit Standards; organizations adopt them through an approved Internal Audit Charter; and compliance is enforced through risk-based audit planning, Audit Committee oversight, and a mandatory Quality Assurance and Improvement Program (QAIP) that includes internal reviews and independent external assessments. Together these ensure that internal audit remains independent, competent, risk-focused, and aligned with good governance.

- It ensures resources are allocated efficiently, and audits are aligned with the organization's objectives and potential risks.

- Better resource allocation, improved risk management, and enhanced decision-making are some of the benefits.

- Traditional audits often follow a fixed schedule, while risk-based audits prioritize areas with higher risk.

The relationship between Internal Audit (IA) and External Audit (EA) is maintained through structured coordination, mutual reliance, and clear professional boundaries. Both functions share risk assessments and audit plans, exchange relevant working papers and findings, and hold regular coordination meetings to avoid duplication and gaps, while the external auditor evaluates and, where appropriate, relies on the work of internal audit under international auditing standards (e.g., ISA 610, Using the Work of Internal Auditors). The Audit Committee provides oversight to ensure independence, cooperation, and effective coverage of organizational risks.

An Internal Audit body in the public sector should be established as soon as a ministry, department, or public entity begins managing public funds, delivering services, or implementing projects. It should be created through a formal government decision or regulation that approves an Internal Audit Charter; defines its independence, authority, and reporting line to the Audit Committee or Secretary; and provides qualified staff and a budget. This allows the Internal Audit function to operate using a risk-based approach and to provide assurance on governance, risk management, internal controls, and the proper use of public resources from the very start of operations.

The role of an internal auditor in the public sector is to provide independent and objective assurance and advisory services that help government ministries, departments, and agencies achieve their objectives. This involves evaluating the effectiveness of governance, risk management, internal controls, and the use of public funds; ensuring compliance with laws and regulations; promoting economy, efficiency, and effectiveness (value for money); supporting transparency and accountability; and helping management identify and manage risks, prevent fraud, and improve public service delivery.

- Internal auditor independence means that auditors must be free from bias and conflicts of interest so that they can perform their duties objectively. It ensures the integrity and credibility of audit findings and reports.

- Auditors should avoid financial and personal interests that could compromise their objectivity. They also report directly to the Principal Accounting Officer (PAO) of the line ministry.

- Risk-based internal audit helps auditors prioritize the areas where independence matters most, keeping their focus on high-risk areas.

A Risk Register is a structured document that lists and records all significant risks that could affect an organization's ability to achieve its objectives, including their causes, impacts, likelihood, risk ratings, existing controls, and responsible owners. It is prepared through a systematic risk assessment process in which management and key stakeholders identify risks, analyze their likelihood and impact, evaluate existing controls, and prioritize them. It is then used by management and internal audit to support risk-based decision-making, internal control improvement, and preparation of the Risk-Based Internal Audit Plan.

- Policies and procedures are in place to identify, disclose, and mitigate conflicts of interest among auditors.

- Quality control mechanisms, peer reviews, and adherence to professional standards help maintain audit quality.

- Some organizations outsource internal audit work, but safeguards must be in place to maintain independence.

- Regular reporting and open communication with stakeholders help maintain transparency.

- Audit committees oversee the internal audit function and monitor auditor independence.

- Risk-based internal audit supports good governance by promoting transparency, accountability, and effective risk management.

These questions and answers provide an overview of risk-based internal audit and auditor independence in the public sector.