Audit & Assurance

Risk-Based Internal Audit (RBIA) in India: Complete Guide

13 min read Expert verified

TL;DR Summary:
Risk-based internal audit directs audit effort to the areas of highest residual risk instead of spreading it evenly across a fixed checklist, using a risk universe, risk register, and prioritized audit plan. This guide covers how RBIA works in practice, including sector-specific risk areas for manufacturers and exporters, and how PKC structures these engagements.

Internal audit has changed a lot over the last decade or so. Not in terms of the underlying principles – good audit work has always been about identifying what can go wrong and checking whether the right safeguards are in place. But the way that work is planned, prioritized, and executed has shifted quite significantly.

The older model – where auditors rotate through a fixed checklist of processes every year, ticking boxes and confirming whether procedures were followed – is still alive in many organizations. But it is increasingly being replaced by something more useful: a risk-based approach that starts with the question ‘what actually matters here?’ and builds the audit plan from that answer.

Risk-based internal audit, or RBIA, is the approach that the Institute of Internal Auditors (IIA) has advocated for years. It is also the direction that ICAI’s Standards on Internal Audit point toward. In the Indian context, where businesses face a particularly complex combination of regulatory requirements, market volatility, and operational challenges, RBIA has become the standard of practice for any firm doing serious internal audit work.

This guide explains how RBIA works, how to build a risk-based audit plan from scratch, and what it looks like in practice for two common business types: manufacturers and exporters. If you are a CFO, Audit Committee member, or business owner trying to understand what a credible risk-based internal audit engagement looks like this is for you.

What Is Risk-Based Internal Audit (RBIA) and How Does It Differ from Traditional Internal Audit?

Traditional internal audit works from a fixed audit programme. The auditors come in, follow a set of steps for each process area, compare what they find against documented policies and procedures, and note where things deviate. It is methodical and structured, which is its strength. But it has a significant weakness: it treats all processes as equally important and does not adjust the depth of scrutiny based on where the real exposure lies.

Risk-based internal audit starts from a different place. Before writing a single audit step, the RBIA approach requires the auditor to first map out the organization’s risk universe – all the things that could go wrong across finance, operations, compliance, IT, and governance. Each of those risks is then assessed for likelihood and impact. The audit plan is built around the areas with the highest combined risk score, with lower-risk areas receiving lighter-touch coverage or being deferred entirely.

The practical difference is significant. Under a traditional approach, a company might audit its petty cash process every year regardless of whether any material risk exists there, while an area like GST reconciliation or inventory valuation – where the actual exposure runs to crores – gets perfunctory coverage. RBIA fixes this misalignment by directing audit resources to where they can do the most good.

Another key difference is that RBIA is dynamic. A traditional audit plan is often set at the start of the year and does not change much. An RBIA plan is reviewed periodically and adjusted as the organization’s risk profile changes – when a new business line is added, when a regulation changes, or when the business enters a new market.

The RBIA Framework: Risk Universe, Risk Register, and Audit Prioritization

The RBIA framework has three foundational components. Understanding each of them is important before you can make sense of how a risk-based audit plan gets built.

Risk Universe

The risk universe is simply the complete map of all possible risk areas for the organization. It is built by looking at the company’s functions – procurement, finance, HR, sales, IT, logistics, compliance, and so on – and identifying within each function the things that could go wrong. A well-constructed risk universe for a mid-size Indian manufacturer might have 60 to 100 distinct risk items spread across eight to twelve functional areas.

The risk universe is not the audit plan. It is the raw material from which the audit plan is built. Think of it as an inventory of risks, not a list of things to audit.

Risk Register

The risk register takes the risk universe and adds two dimensions: an assessment of likelihood (how probable is it that this risk event actually occurs?) and an assessment of impact (if it does occur, how bad would it be?). Each risk gets a combined score, which is typically expressed as a heat map with high, medium, and low risk classifications.

In the Indian audit context, the risk register also captures the current state of controls for each risk area. A high inherent risk that already has strong controls in place becomes a lower residual risk – meaning the net exposure after controls are accounted for is manageable. The audit priority is determined by residual risk, not just inherent risk.

Audit Prioritization

Once risks are scored and ranked, the auditor selects which areas to cover in the annual audit plan based on available time and resources. High residual risk areas get priority and deeper coverage. Medium-risk areas may be scheduled on a rotational basis. Low-risk areas might only be audited every two or three years, or be covered through a lighter analytical review rather than a full fieldwork exercise.

This prioritization is where RBIA delivers its core value – it ensures that the audit hours go where the exposure is highest, rather than being spread thinly and evenly across everything.

Inherent Risk vs Control Risk: What Indian Auditors Assess

These two concepts are central to any RBIA exercise, and they come up constantly in conversations between internal auditors and Audit Committees. It is worth being clear on what each means.

Inherent risk is the level of risk that exists in a process or area before any controls are applied. It is the raw, baseline risk. For example, a company that deals in large volumes of cash has a high inherent risk of misappropriation – that is simply the nature of cash-heavy businesses. Similarly, a business with complex intercompany transactions faces high inherent risk in the area of transfer pricing compliance.

Control risk is the risk that the existing controls will fail to prevent or detect a problem. A company may have a high inherent risk in cash management but have implemented solid controls – dual authorization, daily reconciliation, surprise counts – that bring the residual risk down to an acceptable level. If those controls are weak, poorly designed, or not actually being followed in practice, the control risk is high, and the residual risk remains elevated.

Indian auditors assess both dimensions when building a risk register. The combination of high inherent risk and high control risk creates a red zone – areas that need immediate and thorough audit attention. High inherent risk with strong and effective controls is a yellow zone: audit it, but focus on verifying whether the controls are genuinely working rather than assuming they are.

What makes Indian businesses somewhat unique in this context is the layered regulatory environment. GST compliance, TDS deductions, transfer pricing rules, FEMA obligations for cross-border transactions, labour law compliance – each of these creates specific inherent risk areas that may not exist in the same form in other markets. A well-calibrated risk register for an Indian company will reflect this regulatory landscape explicitly.

RBIA for Manufacturing Companies: Top 5 Risk Areas to Audit First

Manufacturing is one of the most audit-intensive sectors in India, and for good reason. The combination of physical assets, complex supply chains, multi-stage production processes, and regulatory obligations creates a broad and varied risk landscape. Using RBIA principles, here are the five areas that typically rank highest in the risk register for a mid-size Indian manufacturer:

1. Inventory management and valuation

Inventory is often the single largest asset on the balance sheet for a manufacturer, and it is also one of the most vulnerable to misstatement, misappropriation, and waste. Raw material consumption ratios, work-in-progress tracking, finished goods reconciliation, and the accuracy of inventory valuation – all of these are high-inherent-risk areas. Stock count variances, slow-moving inventory write-offs, and pilferage are common findings in this area.

2. Procurement and vendor management

The procurement function in manufacturing is susceptible to a range of issues: vendor rate manipulation, duplicate payments, fictitious vendors, purchase order splitting to avoid approval thresholds, and goods received not invoiced. These are classic fraud risk areas, and the controls around procurement authorisation, vendor master maintenance, and three-way matching need to be examined carefully.

3. Production costing and variance analysis

Accurate product costing is critical for pricing decisions, margin analysis, and profitability reporting. Errors or manipulations in the bill of materials, machine hour rates, labour allocation, or overhead absorption can materially distort cost data. This area is often under-audited because it requires technical understanding of manufacturing processes, but the exposure is significant.

4. GST compliance – input tax credit and output liability

For manufacturers operating across multiple states or with complex input-output tax credit chains, GST compliance is a high-risk area. Incorrect ITC claims, classification errors, e-way bill compliance, and GSTR reconciliation failures are all common. The financial exposure from GST non-compliance – in terms of demand notices, interest, and penalties – can be material.

5. Fixed assets and capital expenditure

Manufacturers tend to have significant capital expenditure programmes, and the controls around capex authorisation, vendor selection, asset commissioning, and capitalisation timing are frequently weak. Ghost assets, premature or delayed capitalisation, and misclassification between capital and revenue expenditure are recurring findings in this area.

RBIA for Exporters: Forex Exposure, Trade Compliance, and Inventory Risk

Exporters face a distinct risk profile that requires a somewhat specialised approach to internal audit. The primary risk areas that RBIA would prioritise for an Indian exporter include the following:

Foreign exchange exposure and hedging

Export-oriented businesses receive payments in foreign currencies, and the rupee equivalent of those receivables moves with exchange rate fluctuations. The audit focus here is on whether the company has a documented treasury policy for managing forex risk, whether hedges are being taken within approved limits, and whether unrealized forex gains and losses are being correctly accounted for. FEMA compliance – in terms of realization and repatriation timelines and Export Data Processing and Monitoring System (EDPMS) reporting – is a specific regulatory risk that needs to be on the radar.

Trade compliance and export documentation

Customs duty exemptions, advance authorisation licences, Export Promotion Capital Goods (EPCG) scheme obligations, and Directorate General of Foreign Trade (DGFT) compliance are all areas where errors can result in duty demands, licence cancellation, or penal consequences. Internal audit should verify that export benefits being claimed are supported by accurate documentation and that outstanding export obligations are being tracked and fulfilled.

Inventory risk

Exporters often maintain large inventories of finished goods and raw materials, with significant lead times and uncertain demand. RBIA for exporters pays close attention to inventory ageing, export commitment versus inventory availability, and the controls around sample and rejection handling – areas that are easy to exploit and often overlooked.

Receivables management and credit risk

Export receivables carry different risks from domestic ones – credit assessment of overseas buyers is harder, dispute resolution is more complex, and the realization timelines are longer. The audit should review the adequacy of credit checks, the terms of payment for key customers, and whether overdue receivables are being followed up and escalated appropriately.

Building a Risk-Ranked Annual Audit Plan: Step-by-Step

Here is how a well-structured RBIA annual audit plan gets built in practice. This is a simplified version of the process, but it reflects the actual steps that a credible internal audit firm would follow:

• Step 1 – Understand the business: Before mapping risks, the auditor needs to understand the company’s operating model, revenue streams, regulatory obligations, recent changes in the business, and any known issues or concerns from management. This is typically done through discussions with key process owners, a review of prior audit reports, and a walkthrough of major processes.

• Step 2 – Build the risk universe: Identify all functional areas and map out the specific risk items within each. This should cover financial reporting risks, operational risks, compliance risks, IT and data risks, and strategic or external risks.

• Step 3 – Score each risk: Assess inherent risk (likelihood and impact before controls) and evaluate the current state of controls (adequacy of design and operating effectiveness). Derive the residual risk score for each item.

• Step 4 – Rank and classify: Sort risks into high, medium, and low categories. Identify the top 10 to 15 risk areas that will receive full audit coverage in the current year.

• Step 5 – Map audit coverage to risk ranking: Allocate audit days to each area based on risk score and complexity. High-risk areas get more days; medium-risk areas may get rotational coverage; low-risk areas are documented as deferred.

• Step 6 – Present to the Audit Committee: The risk-ranked audit plan should be approved by the Audit Committee or Board before work begins. This is not just a formality – it ensures management is aligned with priorities and that the auditor has the mandate to examine high-risk areas without resistance.

• Step 7 – Execute, report, and track: Fieldwork is conducted against the approved plan. Findings are reported with root cause analysis, risk rating, and specific recommendations. Follow-up is built into the engagement structure to track implementation of prior recommendations.

How Often Should RBIA Plans Be Reviewed in a Dynamic Indian Market?

This is a question that does not get asked often enough. Many companies set their audit plan at the start of the financial year and treat it as fixed, regardless of what happens during the year. That approach is fine in a stable environment. In the Indian business context, it is often inadequate.

Consider what can change in the course of a single year: GST rates get revised, new e-invoicing thresholds kick in, a new business line gets launched, a key vendor relationship changes, the company starts exporting for the first time, or a new IT system goes live. Each of these changes the risk profile and may require the audit plan to be adjusted.

The IIA’s standards recommend that internal audit activity should use a risk-based approach and that audit plans should be updated to reflect changes in the organisation’s risks. In practice, a quarterly review of the risk register — with the ability to substitute audit areas in response to emerging risks — is a reasonable standard for most Indian businesses.

Triggering events that should automatically prompt a plan review include: material regulatory changes affecting the business, significant transactions (acquisitions, disposals, new contracts), fraud incidents or whistleblower complaints, major IT system changes, and significant changes in the business’s financial performance or structure.

The Audit Committee should expect to be informed of any mid-year changes to the audit plan and the rationale for those changes.

PKC’s Approach to Risk-Based Internal Audit Engagements

PKC Management Consulting is a mid-tier CA firm with its roots in Chennai and a practice that extends across India. The firm’s GRC and internal audit team has built risk-based audit engagements across a wide range of sectors – manufacturing, retail, healthcare, real estate, BFSI, e-commerce, and export-oriented businesses, among others.

PKC’s RBIA methodology is built around a few principles that are worth knowing about:

• Risk universe that is built from scratch for each client: PKC does not apply a generic template. The risk mapping process starts with understanding the specific business, its operating context, and its regulatory obligations – and builds a bespoke risk universe from there.

• Integrated risk and control assessment: The risk register PKC builds captures both inherent risk and the current state of controls, which means the audit plan reflects residual risk, not just theoretical exposure. This sits within PKC’s broader risk advisory services practice, which extends beyond internal audit into ERM design, GRC frameworks, and fraud risk advisory

• Proprietary audit tools for data analysis: PKC uses its own tools to automate data extraction and exception identification, which means the audit team spends more time on analysis and judgment rather than manual data work. This is particularly relevant for manufacturing and trading companies where transaction volumes are high.

• Audit Committee alignment from the start: PKC structures its engagement to report directly to the Audit Committee where applicable, and presents the risk-ranked audit plan for approval before fieldwork begins. This preserves the independence of the function and ensures the audit has the necessary mandate.

• Sector-specific benchmarks: Because PKC has worked extensively in specific sectors, the firm brings comparative benchmarks to each engagement – which means findings are contextualized against what is typical for the industry rather than assessed in isolation.

• Follow-up built into the engagement: Recommendations from one audit cycle are tracked in the next cycle. PKC does not treat each year’s engagement as independent – the firm maintains a running tracker of open findings and their implementation status.

If you are looking for a risk advisory firm in Chennai or across India that can build a credible, risk-ranked internal audit programme for your business, PKC is worth speaking with. The team at pkcindia.com can walk you through the methodology and give you a sense of what a well-structured RBIA engagement looks like for your specific sector and size.

Final Thoughts

Risk-based internal audit is not a complicated concept, but it does require discipline to implement well. The fundamental idea — direct your audit resources to where the risk is highest – sounds obvious when you say it out loud. But in practice, moving away from the comfort of a fixed annual checklist takes deliberate effort and, often, a push from an experienced external firm that has done it before.

For Indian businesses navigating a dense regulatory environment, dynamic market conditions, and growing stakeholder expectations around governance, RBIA is not just best practice – it is the most sensible way to get real value from the internal audit function.

The companies that do this well share a few common traits: they build their risk register before they write their audit plan, they review that plan when things change, they ensure findings land with people who can act on them, and they track whether the changes actually happen. Everything else follows from those four habits.

Frequently Asked Questions (FAQs)

Is risk-based internal audit mandatory under SEBI or Companies Act?

RBIA as a specific methodology is not expressly mandated by name under either the Companies Act, 2013 or SEBI regulations. However, the Companies Act requires certain classes of companies to appoint an internal auditor under Section 138, and the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 require listed companies to have a functioning internal audit system and an Audit Committee that reviews the scope and findings of internal audit. (See our guide on when internal audit is mandatory in India for the specific turnover and borrowing thresholds that trigger this requirement.) The ICAI’s Standards on Internal Audit, particularly SIA 1 (Planning an Internal Audit), are aligned with a risk-based approach and are the professional framework that practising internal auditors are expected to follow. In effect, while the term ‘RBIA’ is not written into statute, a structured, risk-focused approach to internal audit is what any credible engagement is expected to follow – and regulators and Audit Committees increasingly expect to see evidence of risk-based planning when reviewing internal audit programmes.

How Do You Build a Risk Register for an Internal Audit in India?

Building a risk register for internal audit involves four broad steps. First, identify the complete risk universe for the organization by mapping all functional areas – finance, procurement, HR, IT, compliance, operations – and the specific risk items within each. Second, assess each risk item for inherent risk: how likely is it to occur, and how significant would the impact be if it did? Third, evaluate the current state of controls for each risk item – are the controls well-designed, and are they actually being followed in practice? Fourth, derive a residual risk score by combining the inherent risk assessment with the control effectiveness assessment. The resulting risk register should be presented to management and the Audit Committee, and the annual audit plan should be built around the areas with the highest residual risk scores. In the Indian regulatory context, the risk register should explicitly capture GST compliance, TDS, FEMA (where applicable), and labour law obligations as distinct risk categories, given the specific exposure these areas carry.

What Is the Difference Between RBIA and Traditional Compliance-Based Internal Audit?

The core difference is in how the audit plan is constructed and where audit effort is directed. A traditional compliance-based audit follows a fixed programme that rotates through process areas on a predetermined schedule, checking whether documented procedures have been followed. It is thorough within its scope but does not distinguish between high-risk and low-risk areas – a process with ₹10 crore in annual exposure might get the same audit attention as one with ₹10 lakh in exposure. RBIA starts by mapping and scoring risks, and allocates audit effort in proportion to residual risk. High-risk areas get deeper coverage; low-risk areas are covered lightly or deferred. RBIA plans are also more dynamic – they are updated as the organization’s risk profile changes, rather than being set once and left unchanged. A compliance-based audit will tell you whether procedures were followed. A risk-based audit will tell you whether the things that really matter are under control.

How Many Auditors Does an RBIA Engagement Require for a ₹200 Crore Manufacturer?

There is no fixed formula, because the staffing requirement depends on the number of locations, the complexity of the manufacturing process, the breadth of the risk universe, and the number of audit areas in the annual plan. That said, for a single-location manufacturer with a turnover of around ₹200 crore, a reasonably comprehensive RBIA engagement might involve a team of two to three auditors from the external firm – typically one senior auditor and one or two field auditors – working over three to five weeks per quarter, or a concentrated engagement of six to eight weeks annually. Engagements spread across multiple plants or product lines would require proportionally more coverage. The more relevant question is not how many auditors, but how many person-days are allocated to high-risk areas relative to the total engagement size. A well-structured RBIA engagement will be able to show you exactly how audit days map to risk priorities.

How PKC can help you

Your dream business is just a click away. Book a FREE 30-minute consultation.

Call us: +91 91761 00095

Got a question after reading?

Drop your details and one of our consultants will call you back — usually within a business day.

Want to talk? Get a call back today
+91 91761 00095

Fill out your details

Once submitted, a calendar will open to book your 30-minute meeting slot.

or call us: +91 91761 00095

Index