Hi Eric,
I have used a risk-based assessment for our internal audit schedule. As we have a national system (across Australia) involving five business units, I have asked each Department Manager in all businesses to assess each procedure based on risk to the business.
A rating of "1" is considered a high risk, "2" is considered a medium risk, and "3" a low one. These are then scheduled to be audited six-monthly, annually and biennially respectively.
This was a good and easy approach which has worked well for us and also impressed our third-party auditors. It is an easy approach to compiling an audit schedule based on risk.
Recently (last week) I re-issued our schedule and changed it somewhat. I have made the schedule more of a "real-time" schedule rather than an excessive planned approach, and also cut back dramatically on the base schedule.
Now we have our category "1's" which are audited by an internal Corporate Team annually. Category "2's" are scheduled once every two years, and category "3's" are considered optional based on need as they are not considered a risk to the day-to-day operation of the business.
The intent is that the trends identified in the Corrective/Preventive Action system are added to the audit schedule on a progressive basis. So this then reflects the current "real-time risks" of the business rather than trying to plan risks over two years based on gut-feel.
Of course, should the business wish to audit areas at a higher rate than the base schedule, then that is up to each respective business.
This approach seems to be good on paper so far, and time will tell how effective it is. I am banking on it being a winner though.
Hope this insight helps.