Risk-based internal auditing focuses efforts where risks to objectives are greatest, moving from cyclical rotation to dynamic prioritization. Audit planning considers inherent risk, control effectiveness, risk velocity, and time since last audit. A retail bank might prioritize anti-money-laundering audits over facilities management based on regulatory risk and potential impact. The approach requires current risk assessments, stakeholder consultation, and flexible audit plans adapting to emerging risks. Continuous auditing technologies enable real-time monitoring of high-risk areas. IIA standards mandate risk-based approaches, requiring chief audit executives to consider organizational risk appetite and appetite when planning. Effectiveness depends on audit independence, competency, and access to robust risk information.