Risk-based audit
1) The essence of risk-based audit (RBA)
Risk-based auditing is an approach in which the planning and execution of audits focus on the areas of highest risk for business and compliance purposes. Key ideas:
- Priority goes to the areas where the combination of probability and impact is highest.
- Assessment of inherent risk (before controls) and residual risk (after controls).
- Continuous revision of the assessment as the risk landscape changes (product, market, regulation, incidents).
2) Terms and framework
Audit universe - a catalog of processes, systems, locations, suppliers and regulatory responsibilities potentially subject to audit.
Heatmap of risks - "Probability × Impact" visualization with gradation by priorities.
Risk Appetite/Tolerance - the company's stated willingness to accept risk within the specified limits.
Control types - preventive/detective/corrective; each assessed for design effectiveness and operating effectiveness.
Three lines of defense - 1st (business and operations), 2nd (risk and compliance), 3rd (internal audit).
3) Building an audit universe
Create a register of audit units with key attributes:
- Processes: payments, KYC/KYB, AML monitoring, incident management, DSAR, retention.
- Systems: transaction core, DWH/data lake, IAM, CI/CD, cloud accounts, DLP/EDRM.
- Jurisdictions and licenses, key vendors and outsourcers.
- KPI/KRI, history of incidents and violations, external findings and sanctions.
- Monetary and reputational exposure, criticality for regulators (GDPR/PCI DSS/AML/SOC 2).
4) Risk assessment methodology
1. Inherent risk (IR): process complexity, data volume, cash flows, external dependencies.
2. Control design (CD): existence of controls, coverage, policy-as-code maturity, automation.
3. Operating effectiveness (OE): stability of execution, MTTD/MTTR metrics, configuration drift.
4. Residual risk (RR): 'RR = f(IR, CD, OE)', normalized to a common scale (e.g. 1-5).
5. Modifier factors: regulatory changes, recent incidents, results of past audits, staff rotation.
Example impact scale: financial damage, regulatory fines, SLA downtime, data loss, reputational consequences.
Example probability scale: event frequency, exposure, complexity of attacks/abuses, historical trends.
5) Prioritization and annual audit plan
Sort the audit units by residual risk and strategic importance.
Assign frequency: annually (high), every 2 years (medium), covered by continuous monitoring or thematic reviews (low).
Include thematic checks (e.g. Data Deletion and Anonymization, Segregation of Duties (SoD), PCI Segmentation).
Plan resources: skills, independence, avoidance of conflicts of interest.
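The scoring in section 4 and the prioritization in section 5 are one pipeline: score IR, CD and OE per audit unit, derive residual risk, sort, and assign a frequency. The following Python script is an added example (not code from the original article) that implements that pipeline end to end. The weights, the "weakest link" rule for combining CD and OE, the 0.8 mitigation cap, the frequency thresholds and the sample audit units are all assumptions for illustration; a real programme calibrates them with business and compliance owners (section 18).

```python
"""Residual-risk scoring and annual-plan prioritisation for audit units.

Added example; not code from the original article. The weights, the 1-5
normalisation, the mitigation cap and the frequency thresholds are assumptions
that a real programme would calibrate with business and compliance owners.
"""
from __future__ import annotations
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5   # every driver is scored on this scale


@dataclass
class AuditUnit:
    name: str
    inherent: dict[str, int]         # IR drivers: 5 = most complex/exposed
    control_design: dict[str, int]   # CD drivers: 5 = well designed, full coverage
    operating: dict[str, int]        # OE drivers: 5 = executes reliably, no drift
    modifiers: dict[str, float] = field(default_factory=dict)  # additive, e.g. recent incident


def _mean(scores: dict[str, int]) -> float:
    if not scores:
        raise ValueError("a score set must not be empty")
    return sum(scores.values()) / len(scores)


def residual_risk(unit: AuditUnit) -> float:
    """RR = f(IR, CD, OE), normalised to the 1-5 scale.

    Assumption: a control mitigates only as far as BOTH its design and its
    operation allow, so mitigation is driven by min(CD, OE). Even perfect
    controls leave 20% of inherent risk (mitigation is capped at 0.8).
    Modifier factors are added after mitigation, then the result is clamped.
    """
    ir = _mean(unit.inherent)
    weakest_link = min(_mean(unit.control_design), _mean(unit.operating))
    mitigation = 0.8 * (weakest_link - SCALE_MIN) / (SCALE_MAX - SCALE_MIN)
    rr = ir * (1.0 - mitigation) + sum(unit.modifiers.values())
    return round(max(SCALE_MIN, min(SCALE_MAX, rr)), 2)


def audit_frequency(rr: float) -> str:
    """Map residual risk to plan frequency (thresholds are assumptions)."""
    if rr >= 3.5:
        return "annual"
    if rr >= 2.5:
        return "biennial"
    return "monitoring/thematic"


def build_plan(units: list[AuditUnit]) -> list[dict]:
    """Sort units by residual risk (highest first) and assign a frequency."""
    rows = []
    for u in units:
        rr = residual_risk(u)
        rows.append({"unit": u.name, "rr": rr, "frequency": audit_frequency(rr)})
    return sorted(rows, key=lambda r: r["rr"], reverse=True)


# Constructed sample audit units (illustrative scores, not real data).
SAMPLE_UNITS = [
    AuditUnit("Payments",
              inherent={"complexity": 5, "data_volume": 5, "cash_flow": 5, "external_deps": 4},
              control_design={"coverage": 4, "policy_as_code": 3, "automation": 4},
              operating={"stability": 4, "mttd_mttr": 3, "drift": 4},
              modifiers={"recent_incident": 1.0, "regulatory_change": 0.5}),
    AuditUnit("IAM",
              inherent={"complexity": 4, "data_volume": 4, "cash_flow": 3, "external_deps": 5},
              control_design={"coverage": 4, "policy_as_code": 4, "automation": 5},
              operating={"stability": 5, "mttd_mttr": 4, "drift": 4},
              modifiers={"staff_rotation": 0.5, "past_audit_findings": 1.0}),
    AuditUnit("DSAR",
              inherent={"complexity": 2, "data_volume": 3, "cash_flow": 1, "external_deps": 2},
              control_design={"coverage": 2, "policy_as_code": 1, "automation": 2},
              operating={"stability": 3, "mttd_mttr": 2, "drift": 3}),
]

if __name__ == "__main__":
    for row in build_plan(SAMPLE_UNITS):
        print(f"{row['unit']:<10} RR={row['rr']:<5} -> {row['frequency']}")
```

Note how the modifiers change the outcome: IAM has strong controls and would otherwise sit in the monitoring tier, but recent findings and staff rotation push it into the biennial tier. Documenting such weights and keeping their change history is what makes the rating transparent (section 18).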
6) RACI and roles
(R - Responsible; A - Accountable; C - Consulted; I - Informed)
7) Approaches to testing controls
Walkthrough: trace an end-to-end transaction or data flow.
Design effectiveness: check that policies/controls exist and are appropriate to the risk.
Operating effectiveness: sample-based check that the control actually executed over the period.
Re-performance: independently reproduce the calculations/alerts using compliance-as-code (CaC) rules.
CAATs/DA (computer-assisted audit techniques/data analytics): SQL/Python scripts, control queries against compliance data marts, comparison of IaC ↔ actual configs.
Continuous auditing: embedding control tests in the event bus (stream/batch).
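Re-performance means the auditor recomputes the control result from raw data rather than trusting the tool's own report. The Python script below is an added example (not code from the original article) of a CAAT re-performance of a Segregation-of-Duties rule: it resolves nested roles to effective entitlements from an IAM export, tests every identity against a conflict matrix, and honours waivers only while they are unexpired. The export format, role model, conflict pairs and waiver register are constructed inputs standing in for what an IGA/IAM system would actually produce.

```python
"""Re-performance of a Segregation-of-Duties (SoD) rule over a full IAM export.

Added example; not code from the original article. The export format, the
conflict matrix and the waiver register are constructed inputs that stand in
for what an IGA tool or IAM system would produce.
"""
from __future__ import annotations
from datetime import date

# Constructed IAM export: role -> entitlements; roles may inherit other roles.
ROLE_ENTITLEMENTS = {
    "payments_operator": {"payment.create"},
    "payments_approver": {"payment.approve"},
    "vendor_admin": {"vendor.create", "vendor.bank_details.edit"},
    "finance_lead": set(),                       # gets everything via nested roles
}
ROLE_PARENTS = {                                 # role -> roles it inherits from
    "finance_lead": {"payments_approver", "vendor_admin"},
}
USER_ROLES = {
    "alice": {"payments_operator"},
    "bob": {"payments_operator", "payments_approver"},   # direct conflict
    "carol": {"payments_operator", "finance_lead"},      # conflict only via nesting
    "dave": {"vendor_admin"},
    "erin": {"payments_operator", "finance_lead"},       # one conflict waived
}
# Pairs of entitlements that must never be held by the same identity.
SOD_CONFLICTS = [
    ("payment.create", "payment.approve"),
    ("vendor.create", "payment.approve"),
]
# Waiver register: (user, rule) -> expiry date. Expired waivers do not exempt.
WAIVERS = {
    ("erin", ("payment.create", "payment.approve")): date(2030, 1, 1),
    ("carol", ("payment.create", "payment.approve")): date(2020, 1, 1),  # expired
}


def effective_entitlements(user: str) -> set[str]:
    """Resolve direct and inherited roles to a flat entitlement set."""
    seen: set[str] = set()
    stack = list(USER_ROLES.get(user, ()))
    ents: set[str] = set()
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        ents |= ROLE_ENTITLEMENTS.get(role, set())
        stack.extend(ROLE_PARENTS.get(role, ()))
    return ents


def sod_violations(as_of: date) -> list[dict]:
    """100% population test: every user against every rule.

    A waiver exempts a (user, rule) pair only if it is still valid on the test
    date; expired waivers are reported as violations so that stale exceptions
    cannot hide a real conflict.
    """
    findings = []
    for user in sorted(USER_ROLES):
        ents = effective_entitlements(user)
        for rule in SOD_CONFLICTS:
            if not (rule[0] in ents and rule[1] in ents):
                continue
            expiry = WAIVERS.get((user, rule))
            status = "waived" if expiry is not None and expiry >= as_of else "violation"
            findings.append({"user": user, "rule": rule, "status": status, "waiver_expiry": expiry})
    return findings


if __name__ == "__main__":
    for f in sod_violations(date(2025, 1, 15)):
        print(f)
```

Two details matter for a re-performance rather than a report review: role nesting (carol and erin never hold `payment.approve` directly, the IGA report may not show it) and waiver scope (erin's waiver covers one rule, not the second conflict she also carries).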
8) Sampling
Statistical: random/stratified; sample size determined by the confidence level and the tolerable error.
Targeted (judgmental): high-value/high-risk items, recent changes, exceptions (waivers).
Anomaly-driven: selected from analytics (outliers), near-miss incidents, "top violators".
Full population (100%): where possible, use automated verification of the entire population (e.g. SoD, TTL, sanctions screening).
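For the statistical case, two things are routinely done by hand and are easy to get wrong: sizing the sample for a stated confidence level and tolerable deviation rate, and drawing a stratified random sample that someone else can reproduce later. The Python script below is an added example (not code from the original article) covering both. The sizing rule is classic attribute sampling (smallest n at which the acceptable number of deviations becomes improbable if the true rate equalled the tolerable rate); that this is the method the team has adopted is an assumption, as is the constructed payment population.

```python
"""Attribute sample sizing and reproducible stratified selection.

Added example; not code from the original article. The payment population is
constructed. The sample-size rule is classic attribute sampling (binomial
acceptance), assumed to be the method the audit team has adopted.
"""
from __future__ import annotations
import math
import random


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_deviations: int = 0) -> int:
    """Smallest n such that, if the true deviation rate were as high as the
    tolerable rate, observing <= expected_deviations deviations in the sample
    would have probability <= (1 - confidence). Reproduces the familiar
    audit tables (e.g. 95% confidence / 5% tolerable / 0 expected -> 59)."""
    alpha = 1.0 - confidence
    n = expected_deviations + 1
    while True:
        p_accept = sum(
            math.comb(n, i) * tolerable_rate ** i * (1 - tolerable_rate) ** (n - i)
            for i in range(expected_deviations + 1)
        )
        if p_accept <= alpha:
            return n
        n += 1


def stratified_sample(population: list[dict], stratum_key: str, n: int, seed: int) -> list[dict]:
    """Proportional stratified random sample.

    The seed is part of the audit evidence: given the same population export
    and seed, anyone can regenerate exactly the same sample later."""
    strata: dict[str, list[dict]] = {}
    for item in population:
        strata.setdefault(item[stratum_key], []).append(item)
    total = len(population)
    raw = {k: n * len(v) / total for k, v in strata.items()}
    alloc = {k: int(x) for k, x in raw.items()}
    # largest-remainder allocation so the per-stratum counts sum exactly to n
    leftover = n - sum(alloc.values())
    for k in sorted(raw, key=lambda k: raw[k] - alloc[k], reverse=True)[:leftover]:
        alloc[k] += 1
    rng = random.Random(seed)
    sample: list[dict] = []
    for k in sorted(strata):            # fixed stratum order keeps the draw deterministic
        sample.extend(rng.sample(strata[k], alloc[k]))
    return sample


# Constructed population: 40 payments across three channels.
CHANNELS = ["card"] * 20 + ["sepa"] * 12 + ["swift"] * 8
POPULATION = [{"id": f"PAY-{i:03d}", "channel": ch, "amount": 100 * (i + 1)}
              for i, ch in enumerate(CHANNELS)]

if __name__ == "__main__":
    n = attribute_sample_size(confidence=0.95, tolerable_rate=0.05)
    print("sample size at 95% / 5% tolerable / 0 expected:", n)
    chosen = stratified_sample(POPULATION, "channel", n=10, seed=20250115)
    print([p["id"] for p in chosen])
```

Record the population export hash, the stratum key, n and the seed in the working papers; that turns "selective check" into something a second auditor can re-perform.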
9) Analytics and evidence sources
Access logs (IAM), change history (Git/CI/CD), infrastructure configs (Terraform/K8s), DLP/EDRM reports.
Compliance data marts, Legal Hold journals, DSAR registry, AML (SAR/STR) reports.
Dashboard snapshots, CSV/PDF exports, recorded hashes and WORM/immutable storage.
Interview notes, checklists, ticketing/escalation artifacts.
10) Audit procedure (SOP)
1. Preliminary assessment: clarify goals, criteria, boundaries, owners.
2. Data request: list of extracts, access rights, configs, sampling period.
3. Fieldwork: walkthrough, control tests, analytics, interviews.
4. Calibration of conclusions: compare against Risk Appetite, regulations and policies.
5. Formulation of findings: fact → criterion → impact → cause → recommendation → owner → due date.
6. Closing meeting: reconciliation of facts, status and remediation plans.
7. Report and follow-up: issue the report, rate findings, set closing dates, re-verify.
11) Findings Classification and Risk Rating
Severity: Critical/High/Medium/Low (link to the impact on security, compliance, finance, operations, reputation).
Likelihood: Frequent/Possible/Rare.
Risk score: matrix or numerical function (for example, 1-25).
Theme tags: IAM, Data Privacy, AML, PCI, DevSecOps, DR/BCP.
12) Metrics and KRI/KPI for risk audit
Coverage: share of the audit universe covered in the year.
On-time Remediation: % of fixes closed on time (by severity).
Repeat Findings: proportion of repeat findings within 12 months.
MTTR Findings: median time to closure.
Control Effectiveness Trend: percentage of Passed/Failed tests by period.
Audit Readiness Time: time to collect evidence.
Risk Reduction Index: change in the aggregate risk score after remediation.
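Most of these metrics can be computed directly from the findings register, and the definitions need to be pinned down (is an open finding past its SLA "late"? what counts as a repeat?). The Python script below is an added example (not code from the original article) that computes Coverage, On-time Remediation by severity, Repeat Findings and MTTR. The findings register, the list of audits performed and the SLA days per severity are constructed assumptions standing in for a real GRC export.

```python
"""KPI/KRI computation over a findings register.

Added example; not code from the original article. The findings register, the
list of audits performed and the SLA targets per severity are constructed
assumptions that stand in for a real GRC export.
"""
from __future__ import annotations
from datetime import date, timedelta
from statistics import median

SLA_DAYS = {"Critical": 30, "High": 60, "Medium": 90, "Low": 180}  # assumed targets
REPEAT_WINDOW = timedelta(days=365)

AUDIT_UNIVERSE = ["Payments", "KYC/KYB", "AML monitoring", "DSAR", "CI/CD", "IAM"]
AUDITS_PERFORMED = ["Payments", "DSAR", "CI/CD"]   # constructed: plan delivered this year

# Constructed findings register; closed=None means still open.
FINDINGS = [
    {"id": "F-1", "unit": "Payments", "theme": "IAM", "severity": "High",
     "opened": date(2024, 2, 1), "closed": date(2024, 3, 20)},
    {"id": "F-2", "unit": "Payments", "theme": "IAM", "severity": "High",
     "opened": date(2024, 11, 5), "closed": None},             # same unit/theme as F-1 -> repeat
    {"id": "F-3", "unit": "DSAR", "theme": "Data Privacy", "severity": "Medium",
     "opened": date(2024, 4, 10), "closed": date(2024, 8, 1)},  # closed after its SLA
    {"id": "F-4", "unit": "CI/CD", "theme": "DevSecOps", "severity": "Critical",
     "opened": date(2024, 6, 1), "closed": date(2024, 6, 20)},
    {"id": "F-5", "unit": "CI/CD", "theme": "DR/BCP", "severity": "Low",
     "opened": date(2024, 7, 1), "closed": None},               # open and past its SLA
]


def coverage(performed: list[str], universe: list[str]) -> float:
    """Share of the audit universe audited in the period."""
    return len(set(performed) & set(universe)) / len(universe)


def on_time_remediation(findings: list[dict], as_of: date) -> dict[str, float]:
    """Per severity: share of findings closed within SLA.

    An open finding whose deadline has already passed counts as late; an open
    finding still within its SLA is not yet decided and is excluded."""
    tally: dict[str, list[bool]] = {}
    for f in findings:
        deadline = f["opened"] + timedelta(days=SLA_DAYS[f["severity"]])
        if f["closed"] is not None:
            tally.setdefault(f["severity"], []).append(f["closed"] <= deadline)
        elif as_of > deadline:
            tally.setdefault(f["severity"], []).append(False)
    return {sev: sum(v) / len(v) for sev, v in tally.items()}


def repeat_rate(findings: list[dict]) -> float:
    """Share of findings that repeat an earlier finding on the same unit and
    theme opened within the repeat window."""
    earlier_by_key: dict[tuple, list[date]] = {}
    repeats = 0
    for f in sorted(findings, key=lambda f: f["opened"]):
        earlier = earlier_by_key.setdefault((f["unit"], f["theme"]), [])
        if any(f["opened"] - d <= REPEAT_WINDOW for d in earlier):
            repeats += 1
        earlier.append(f["opened"])
    return repeats / len(findings)


def mttr_days(findings: list[dict]) -> float:
    """Median days from opening to closure, over closed findings only."""
    durations = [(f["closed"] - f["opened"]).days for f in findings if f["closed"] is not None]
    return float(median(durations))


if __name__ == "__main__":
    today = date(2025, 1, 15)
    print("coverage:", coverage(AUDITS_PERFORMED, AUDIT_UNIVERSE))
    print("on-time by severity:", on_time_remediation(FINDINGS, today))
    print("repeat rate:", repeat_rate(FINDINGS))
    print("MTTR (median days):", mttr_days(FINDINGS))
```

Whatever definitions are chosen, publish them next to the dashboard: an on-time rate that silently ignores overdue open findings looks better than one that counts them, and the two are not comparable.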
13) Dashboards (minimum set)
Risk Heatmap: processes × probability/impact × residual risk.
Findings Pipeline: status (Open/In progress/Overdue/Closed) × owners.
Top Themes: frequent violation categories (IAM/Privacy/PCI/AML/DevSecOps).
Aging & SLA: delinquencies and approaching deadlines.
Repeat Issues: recurrence by team/system.
Control Test Results: pass rate, trends, FPR/TPR for detective rules.
14) Artifact patterns
Audit Scope
Purpose and criteria (standards/policies).
Scope: Systems/Period/Locations/Suppliers
Methods: sampling, analytics, interviews, walkthrough.
Exceptions and limitations (if any).
Finding Card
ID/Subject/Severity/Likelihood/Score.
Description of the fact and criterion of non-conformity.
Risk and impact (business/regulatory/security).
Recommendation and action plan.
Owner and due date.
Evidence (links/hashes/archive).
Audit Report (Structure)
1. Executive Summary.
2. Context and scope.
3. Methodology and data sources.
4. Conclusions and evaluation of controls.
5. Findings and priorities.
6. Remediation plan and follow-up.
15) Link with continuous compliance monitoring (CCM) and compliance-as-code
Use CCM results as input for risk assessment and audit planning.
Policies-as-code let auditors re-execute the tests themselves, increasing reproducibility.
Implement continuous auditing for high-risk areas where telemetry is available.
16) Antipatterns
"Uniform" auditing without risk weighting → loss of focus and resources.
Reports without measurable recommendations and owners.
Opaque risk-rating methodology.
Ignoring vendors and the service supply chain.
No follow-up → problems return.
17) RBA Maturity Model (M0-M4)
M0 Document-based: one-off checks, manual sampling.
M1 Catalog: audit universe and basic heatmap.
M2 Policies and tests: standardized checklists and follow-up tracking.
M3 Integrated: linkage to CCM, SIEM/IGA/DLP data, semi-automated evidence collection.
M4 Continuous: continuous auditing, real-time prioritization, automated re-performance.
18) Practical Advice
Calibrate risk scales together with business and compliance, so that there is a single "currency" of risk.
Maintain transparency: document the method and weights, keep a change history.
Align the audit plan with strategy and Risk Appetite.
Build in training for process owners: position auditing as prevention of future incidents.
Reduce noise with analytics: stratification, exclusion rules, prioritization by damage.
19) Related wiki articles
Continuous Compliance Monitoring (CCM)
Compliance and reporting automation
Legal Hold and Data Freeze
Data Retention and Deletion Schedules
DSAR: user requests for data
PCI DSS/SOC 2 Control and Certification
Business Continuity Plan (BCP) and DRP
Result
Risk-based audit focuses on the most significant threats, measures the effectiveness of controls, and accelerates corrective action. Its strength lies in data and a transparent methodology: prioritization is understood, tests are reproducible, and recommendations are measurable and closed on time.