Risk-Based Audit for Financial Companies Explained: A Practical Guide for Philippine Financial Institutions
- Yasser Aureada

- 12 hours ago
- 10 min read

Executive Summary
Financial companies face many kinds of risk. These may include credit risk, liquidity risk, operational risk, fraud risk, cybersecurity risk, anti-money laundering risk, consumer protection risk, data privacy risk, tax risk, and regulatory compliance risk.
A risk-based audit helps financial companies focus audit time, resources, and attention on the areas that matter most.
Instead of auditing every process with the same level of intensity, a risk-based audit identifies which areas have the highest exposure and prioritizes them. For example, a financing company may focus more on loan approval, collections, borrower documentation, interest computation, and anti-money laundering controls.
A money service business may focus more on customer due diligence, transaction monitoring, suspicious transaction reporting, and system controls.
In the Philippines, financial companies may be supervised or regulated by the Bangko Sentral ng Pilipinas, Securities and Exchange Commission, Anti-Money Laundering Council, Bureau of Internal Revenue, National Privacy Commission, Insurance Commission, or other regulators depending on the type of institution. For BSP-supervised financial institutions, the BSP recognizes internal audit as an independent function that helps improve internal control, risk management, and governance systems.
This guide explains risk-based audit for financial companies in clear language, with practical examples for financing companies, lending companies, pawnshops, money service businesses, fintech platforms, payment service providers, and other regulated financial institutions.
What Is a Risk-Based Audit?
A risk-based audit is an audit approach that focuses on the areas with the highest risk to the business.
In a traditional checklist-style audit, the auditor may review the same items every year with the same level of attention. In a risk-based audit, the auditor first asks: What can seriously go wrong in this institution, and where should audit work be focused?
For financial companies, this approach is practical because not all risks are equal.
A minor administrative delay may be less urgent than weak loan documentation, suspicious transaction monitoring failures, inaccurate interest computation, unauthorized system access, unfair collection practices, or missing regulatory reports.
A risk-based audit helps the company use audit resources wisely. It does not mean ignoring low-risk areas. It means giving more attention to areas where the possible damage is greater.
Why Risk-Based Audit Matters for Financial Companies
Financial companies operate in a trust-based environment. Customers, investors, regulators, creditors, and business partners expect them to maintain reliable records, effective controls, and compliant operations.
A risk-based audit helps financial companies identify weaknesses before they become serious problems.
For example, if a lending company has weak borrower verification, it may approve loans to fake borrowers. If a financing company has poor collection controls, it may face customer complaints or regulatory action. If a remittance business has weak AML monitoring, it may be exposed to money laundering risk. If a payment platform has poor cybersecurity controls, customer data and transaction integrity may be compromised.
For BSP-supervised financial institutions, the BSP’s Supervisory Assessment Framework, or SAFr, is described as a risk-based supervisory framework intended to support robust, dynamic, and forward-looking assessments of BSP-supervised financial institutions.
This regulatory direction reinforces the importance of risk-based thinking within financial institutions themselves.
For financial companies, risk-based audit is not just an internal exercise. It supports governance, compliance, operational resilience, and public trust.
Step-by-Step Guide: How Risk-Based Audit Works
Step 1: Understand the financial company’s business model
A risk-based audit begins with understanding how the company earns money, serves customers, processes transactions, and complies with regulators.
A financing company may earn from interest, penalties, service fees, and financing charges. A lending company may focus on loan origination, credit approval, collections, and borrower management. A pawnshop may handle collateral, appraisals, vault controls, cash, redemption, and auctions. A money service business may process remittances, fund transfers, foreign exchange, and customer identification.
The auditor must understand the business before identifying the risks. A generic audit checklist is not enough.
Step 2: Identify the major risk areas
After understanding the business, the next step is identifying what can go wrong.
For financial companies, major risk areas usually include credit risk, operational risk, compliance risk, AML risk, fraud risk, cybersecurity risk, data privacy risk, liquidity risk, tax risk, and reputational risk.
The risk areas depend on the institution.
For example, a lending company may face high credit and collection risk.
A money service business may face high AML and transaction monitoring risk.
A fintech platform may face high cybersecurity and data privacy risk.
A financing company may face risk in loan documentation, interest computation, collateral, and regulatory disclosures.
This step helps the auditor focus on the real exposure of the institution.
Step 3: Assess the likelihood and impact of each risk
Not every risk has the same probability or consequence.
A risk-based audit evaluates both likelihood and impact. Likelihood asks how probable the risk is. Impact asks how serious the consequence would be if it happens.
For example, a small clerical error in a low-volume report may have limited impact. But failure to monitor suspicious transactions may have serious regulatory consequences.
Weak access controls over systems and data may expose confidential customer information. Incorrect interest computation may lead to customer complaints, refund exposure, and regulator attention.
The higher the likelihood and impact, the higher the audit priority.
Step 4: Review existing controls
Once risks are identified, the auditor reviews the controls designed to manage those risks.
Controls may include board approvals, segregation of duties, maker-checker review, access controls, automated system limits, transaction monitoring, customer due diligence, credit scoring, reconciliation, exception reports, approval limits, policies, checklists, and documented procedures.
A control exists to reduce risk. But having a policy is not enough. The auditor must check whether the control is actually working.
For example, a company may have a loan approval policy, but branch personnel may still approve loans without complete documents. A company may have an AML manual, but suspicious transaction escalation may not be consistently followed.
Step 5: Prioritize the audit plan
The audit plan should focus more on high-risk areas.
If loan approvals, AML monitoring, and collections are high-risk, they should be reviewed more frequently and deeply. Lower-risk areas may still be reviewed but with less intensive testing.
A risk-based audit plan usually considers the following factors:
Inherent risk of the process.
Volume and value of transactions.
Prior audit findings.
Regulatory importance.
Customer impact.
Management changes or system changes.
History of errors, complaints, or exceptions.
This approach helps the company avoid wasting audit effort on low-impact areas while missing major risk exposure.
Step 6: Perform audit testing
Audit testing checks whether controls are operating effectively.
For a lending company, testing may include reviewing loan files, borrower IDs, credit approvals, amortization schedules, collections, penalty computation, and complaints.
For a money service business, testing may include customer due diligence, transaction monitoring alerts, sanctions screening, suspicious transaction escalation, and recordkeeping.
For a fintech company, testing may include user access, system logs, cybersecurity controls, data privacy safeguards, transaction reconciliation, vendor controls, and incident response.
The goal is to determine whether the company’s controls are working in real transactions, not only on paper.
Step 7: Report findings clearly
A risk-based audit report should be clear, practical, and useful.
It should explain the finding, risk, root cause, impact, recommendation, responsible person, and target completion date.
For example, instead of simply saying “loan files are incomplete,” a stronger audit finding explains that missing borrower income documents may increase credit risk, weaken collection position, and create regulatory concerns.
Good audit reports do not merely identify errors. They help management understand why the finding matters and how to fix it.
Step 8: Monitor corrective actions
An audit is only useful if findings are addressed.
Financial companies should track corrective actions. Management should assign responsibility, set deadlines, and report progress to the audit committee, board, or senior management.
Unresolved findings should be escalated, especially if they involve high-risk areas such as AML, cybersecurity, regulatory reporting, customer complaints, or financial misstatement.
A finding repeated year after year may indicate weak accountability, poor management response, or ineffective governance.
Key Areas Usually Covered in a Risk-Based Audit
Credit and loan approval
For lending and financing companies, credit approval is often a high-risk area. Audit may review borrower verification, credit scoring, approval authority, supporting documents, collateral, loan releases, and exception handling.
Weak credit controls can lead to high defaults, fraud, unsupported loans, and collection problems.
Collections and customer treatment
Collection practices should be firm but lawful.
A risk-based audit may review collection scripts, contact procedures, third-party collectors, complaint logs, restructuring approvals, payment posting, and compliance with fair collection rules.
This is important because abusive collection practices can create customer complaints, regulatory investigations, and reputational damage.
AML and customer due diligence
Many financial companies are covered persons under anti-money laundering rules.
A risk-based audit may review customer identification, beneficial ownership checks, risk profiling, transaction monitoring, suspicious transaction escalation, covered transaction reporting, sanctions screening, and AML training.
AML failures may create serious regulatory consequences.
Cybersecurity and system access
Financial companies increasingly rely on digital systems.
Audit may review user access rights and periodic access reviews, authentication and password controls, administrator privileges, system and audit logs, incident response, data backup and recovery, security monitoring, vendor and third-party access, and change management.
Cybersecurity risk is especially important for fintech platforms, online lending platforms, payment service providers, and businesses handling customer data.
Regulatory reporting
Financial companies often submit reports to regulators such as BSP, SEC, AMLC, BIR, and other agencies.
Audit may review whether reports are complete, accurate, timely, and supported by records.
Late or inaccurate reports may result in penalties, regulatory findings, or reputational concerns.
Tax and accounting controls
Audit may review tax filings, withholding taxes, VAT or percentage tax, documentary stamp tax, books of accounts, revenue recognition, penalty income, service fees, and reconciliations.
For financial companies, tax compliance must be aligned with contracts, accounting records, financial statements, and regulatory reports.
Risks and Penalties
A weak risk-based audit system can expose financial companies to serious consequences.
The company may fail to detect fraud, poor loan quality, unauthorized transactions, weak AML controls, customer complaints, inaccurate financial records, privacy breaches, and regulatory reporting errors.
Regulators may impose penalties, require corrective action, suspend authority, revoke licenses, or issue compliance findings depending on the violation and the regulator involved.
The company may also suffer business consequences. These include loss of banking relationships, investor concerns, higher default rates, customer distrust, lawsuits, tax assessments, and reputational damage.
For directors and officers, weak audit and control systems may also raise governance concerns. Financial companies must show that risks are identified, monitored, and addressed.
Risk-based audit helps create evidence that the institution is actively managing risk.
Practical Examples
Example 1: Lending company with rising defaults
A lending company notices that default rates are increasing in one branch.
A risk-based audit reviews loan files from that branch and discovers that income documents were often missing, borrower verification was weak, and approval exceptions were not properly documented.
The audit recommends stricter loan file review, branch-level approval limits, exception reporting, and retraining.
This helps address the root cause before losses increase further.
Example 2: Financing company with customer complaints
A financing company receives complaints about penalty charges and collection calls.
A risk-based audit reviews loan contracts, penalty computation, collection scripts, call logs, complaint records, and third-party collection agency practices.
The audit finds that some collectors used inconsistent explanations and that penalty computations were not clearly disclosed.
The company revises its disclosures, improves training, and strengthens collector monitoring.
Example 3: Money service business with AML gaps
A money service business processes high volumes of remittance transactions.
A risk-based audit focuses on customer due diligence and transaction monitoring. It finds that some alerts were closed without sufficient explanation and that staff were not consistently escalating suspicious patterns.
The audit recommends stronger documentation, escalation procedures, and AML refresher training.
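The kind of audit test described in Example 3 can be automated over an export of alert dispositions. The script below is an added example, not code from the original post or from any monitoring product: it runs three checks over a constructed alert log (closures with a boilerplate or very short rationale, closures too fast to reflect any real review, and customers with repeated alerts in a 30-day window none of which was escalated). The field names, thresholds and sample records are assumptions chosen for illustration.

```python
"""Audit test over a constructed transaction-monitoring alert log.
Flags: closed alerts with no substantive rationale, alerts closed too
quickly to have been reviewed, and customers whose repeated alerts were
never escalated. Added example; all records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Rationales that say nothing about why the alert was cleared (assumed list).
BOILERPLATE = {"", "ok", "no issue", "cleared", "n/a"}

# Constructed alert export. "closed" is None for alerts still open or escalated.
ALERTS = [
    {"id": "A1", "customer": "C001", "rule": "structuring",
     "opened": "2024-03-01T09:00", "closed": "2024-03-01T09:01",
     "analyst": "ana", "disposition": "closed", "rationale": "ok"},
    {"id": "A2", "customer": "C001", "rule": "structuring",
     "opened": "2024-03-08T10:00", "closed": "2024-03-08T10:30",
     "analyst": "ana", "disposition": "closed",
     "rationale": "Customer is a sari-sari store owner; cash deposits match declared daily sales"},
    {"id": "A3", "customer": "C001", "rule": "structuring",
     "opened": "2024-03-15T11:00", "closed": "2024-03-15T11:25",
     "analyst": "ben", "disposition": "closed",
     "rationale": "Same as A2, recurring business cash flow confirmed"},
    {"id": "A4", "customer": "C002", "rule": "large_transfer",
     "opened": "2024-03-02T14:00", "closed": "2024-03-02T14:20",
     "analyst": "ben", "disposition": "closed",
     "rationale": "Customer explained transfer was for tuition; receipt from the school obtained"},
    {"id": "A5", "customer": "C003", "rule": "structuring",
     "opened": "2024-03-03T08:00", "closed": None,
     "analyst": "ana", "disposition": "escalated",
     "rationale": "Multiple remittances just under reporting threshold to unrelated beneficiaries"},
    {"id": "A6", "customer": "C002", "rule": "large_transfer",
     "opened": "2024-04-20T09:00", "closed": "2024-04-20T09:45",
     "analyst": "ana", "disposition": "closed", "rationale": "cleared"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def review_alert_dispositions(alerts, min_rationale_words=5, min_review_minutes=10,
                              repeat_threshold=3, window_days=30):
    """Return a list of (subject, finding) tuples for the auditor to sample."""
    findings = []
    by_customer = defaultdict(list)

    for alert in alerts:
        by_customer[alert["customer"]].append(alert)
        if alert["disposition"] != "closed":
            continue  # escalated or open alerts are not closure findings
        rationale = alert["rationale"].strip().lower()
        if rationale in BOILERPLATE or len(rationale.split()) < min_rationale_words:
            findings.append((alert["id"], "weak_rationale"))
        elapsed = parse_ts(alert["closed"]) - parse_ts(alert["opened"])
        if elapsed < timedelta(minutes=min_review_minutes):
            findings.append((alert["id"], "closed_too_fast"))

    # Repeated alerts on one customer inside the window, none escalated,
    # is the "pattern not escalated" condition from the audit finding.
    for customer, items in by_customer.items():
        items.sort(key=lambda a: parse_ts(a["opened"]))
        for i, first in enumerate(items):
            window = [a for a in items[i:]
                      if parse_ts(a["opened"]) - parse_ts(first["opened"]) <= timedelta(days=window_days)]
            if len(window) >= repeat_threshold and not any(a["disposition"] == "escalated" for a in window):
                findings.append((customer, "pattern_not_escalated"))
                break
    return findings


if __name__ == "__main__":
    for subject, finding in review_alert_dispositions(ALERTS):
        print(f"{subject}: {finding}")
```

Each flagged item is a sampling lead, not a conclusion: the auditor still pulls the underlying transactions and the analyst's working papers before writing the finding. The thresholds (five words, ten minutes, three alerts in thirty days) are starting points to be tuned to the institution's alert volume.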
Example 4: Fintech platform with access control issues
A fintech company allows several employees to access customer data and transaction records.
A risk-based audit reviews system permissions and finds that former employees still had active accounts, while some users had access beyond their roles.
The company updates access controls, removes inactive users, and implements periodic access reviews.
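The periodic access review named in Example 4, and the user-access and administrator-privilege items listed under "Cybersecurity and system access" above, reduce to one reconciliation: the system's account export against the HR roster and a role-to-entitlement matrix. The script below is an added example, not the company's or any product's code. It flags accounts with no active employee behind them (orphans, including the separated employee and an unknown service account), entitlements beyond the user's role, and administrator accounts that have gone unused past a dormancy threshold. The roster, role matrix, account export and the 90-day threshold are constructed assumptions.

```python
"""Periodic user-access review: reconcile an application's account export
against the HR roster and a role-to-entitlement matrix. Added example;
every record below is constructed for illustration."""
from datetime import date

# Constructed HR roster: employee id -> (employment status, job role).
HR_ROSTER = {
    "E100": ("active", "loan_officer"),
    "E101": ("active", "collections"),
    "E102": ("separated", "loan_officer"),  # left the company; account should be gone
    "E103": ("active", "compliance"),
    "E104": ("active", "it_admin"),
}

# Constructed role matrix: the entitlements each job role legitimately needs.
ROLE_MATRIX = {
    "loan_officer": {"loan.view", "loan.create"},
    "collections": {"loan.view", "payment.post"},
    "compliance": {"loan.view", "aml.alerts", "customer.pii"},
    "it_admin": {"system.admin"},
}

# Constructed account export as pulled from the application by the auditor.
ACCOUNTS = [
    {"user": "E100", "entitlements": {"loan.view", "loan.create"}, "last_login": date(2024, 5, 20)},
    {"user": "E101", "entitlements": {"loan.view", "payment.post", "loan.approve"}, "last_login": date(2024, 5, 21)},
    {"user": "E102", "entitlements": {"loan.view", "loan.create"}, "last_login": date(2024, 2, 1)},
    {"user": "E103", "entitlements": {"loan.view", "aml.alerts", "customer.pii"}, "last_login": date(2024, 5, 19)},
    {"user": "E104", "entitlements": {"system.admin", "customer.pii"}, "last_login": date(2023, 11, 3)},
    {"user": "svc_reports", "entitlements": {"loan.view"}, "last_login": date(2024, 5, 21)},  # no HR record
]

REVIEW_DATE = date(2024, 5, 22)  # assumed date the review is run


def review_access(accounts, roster, role_matrix, as_of, dormant_days=90):
    """Return a list of (user, finding_type, detail) tuples."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        hr = roster.get(user)
        if hr is None:
            findings.append((user, "orphan", "no HR record (service or unknown account)"))
            continue
        status, role = hr
        if status != "active":
            findings.append((user, "orphan", f"employee status is '{status}' but account is enabled"))
            continue
        # Anything granted beyond what the role needs is a least-privilege exception.
        excess = acct["entitlements"] - role_matrix.get(role, set())
        if excess:
            findings.append((user, "excess", f"entitlements beyond role '{role}': {sorted(excess)}"))
        idle = (as_of - acct["last_login"]).days
        if "system.admin" in acct["entitlements"] and idle > dormant_days:
            findings.append((user, "dormant_admin", f"admin account unused for {idle} days"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_access(ACCOUNTS, HR_ROSTER, ROLE_MATRIX, REVIEW_DATE):
        print(f"{user:12} {kind:14} {detail}")
```

Each run is itself audit evidence: keep the input exports, the script output and the sign-off from the access owner together, so the next review (and the regulator) can see not just that the review happened but what it compared and what was removed as a result.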
Example 5: Financial company with repeated reportorial delays
A regulated financial company frequently files reports late.
A risk-based audit reviews the reporting workflow and finds unclear responsibility, poor data reconciliation, and no compliance calendar.
The company assigns report owners, creates a filing tracker, and implements management review before submission.
Common Mistakes Financial Companies Should Avoid
Mistake 1: Treating audit as a checklist
A checklist is useful, but it should not replace risk analysis. Audit should focus on the areas that create the greatest exposure.
Mistake 2: Auditing all areas equally
High-risk areas need more attention. Low-risk areas may be reviewed less frequently or with lighter testing.
Mistake 3: Ignoring prior findings
Repeated findings show that corrective actions are not working. These should be escalated.
Mistake 4: Weak documentation
If audit work, findings, and management responses are not documented, the company may struggle to prove that risks were properly reviewed.
Mistake 5: No follow-up
An audit report is not the end of the process. Corrective action must be tracked until completion.
FAQ Section
What is a risk-based audit?
A risk-based audit is an audit approach that focuses more attention on areas with higher risk. It helps financial companies prioritize audit work based on likelihood, impact, and business importance.
How is risk-based audit different from traditional audit?
Traditional audit may follow the same checklist every period. Risk-based audit adjusts the audit focus based on the institution’s actual risks, prior findings, regulatory concerns, and operational changes.
Why is risk-based audit important for financial companies?
Financial companies handle money, credit, customer data, transactions, and regulatory obligations. Risk-based audit helps identify weaknesses before they lead to losses, penalties, complaints, or reputational harm.
What areas should a financial company audit first?
High-risk areas usually include loan approval, collections, AML compliance, cybersecurity, customer data, regulatory reporting, cash handling, tax compliance, and accounting controls.
Is risk-based audit required by regulators?
Regulatory expectations vary depending on the type of institution. For BSP-supervised financial institutions, BSP materials recognize risk-based supervision and internal audit as part of governance, internal control, and risk management systems.
Who should perform a risk-based audit?
It may be performed by an internal audit team or an outsourced audit provider, depending on the size, complexity, and regulatory requirements of the financial company. The audit function should remain independent from the activities being reviewed.
How often should risk-based audits be performed?
High-risk areas should be reviewed more frequently. The frequency depends on transaction volume, regulatory exposure, prior findings, changes in operations, customer complaints, and management judgment.
What should an audit report include?
An audit report should include the finding, risk, root cause, impact, recommendation, responsible person, target completion date, and follow-up status.
Call-to-Action
A risk-based audit helps financial companies focus on the areas that matter most. It supports stronger governance, better internal controls, earlier detection of problems, and more effective regulatory compliance.
For financial companies, audit should not be treated as a routine checklist. It should be connected to the institution’s actual risks, business model, customer impact, and regulatory obligations.
Aureada CPA Law Firm assists financing companies, lending companies, pawnshops, money service businesses, fintech platforms, payment service providers, directors, investors, and compliance teams in internal control review, risk-based audit planning, regulatory compliance, AML coordination, BIR tax compliance, data privacy, corporate governance, and audit readiness.
If your financial company needs help reviewing audit risks, compliance gaps, internal controls, or reportorial obligations, early legal and accounting guidance can help prevent costly regulatory issues and strengthen long-term operations.