In today’s dynamic business environment, medium-sized enterprises face a multitude of internal and external uncertainties that threaten their ability to achieve strategic objectives. Against this backdrop, the internal audit function is increasingly shifting from traditional compliance-oriented reviews toward a risk-based internal auditing (RBIA) approach — one that aligns audit efforts with the organization’s risk profile and its enterprise risk management (ERM) framework [1][2]. By prioritizing areas of highest inherent and residual risk, RBIA enables audit resources to be deployed more strategically, delivering assurance and insight on whether risk mitigation activities are effective, and whether risk‐taking aligns with the entity’s risk appetite [3][4].

Incorporating a risk-based internal audit into an organization’s governance and control ecosystem can strengthen the feedback loop between audit, risk management, and senior leadership, thereby enhancing the overall effectiveness of risk management processes. Internal auditors under RBIA not only verify whether policies and controls are in place, but also assess whether risks are being identified, quantified, responded to, and monitored in a manner that is coherent with strategic objectives and stakeholder expectations [5][6]. In medium enterprises, where resources are often constrained and exposure to volatility may be relatively high, a well‐implemented RBIA framework has the potential to improve resilience, increase management accountability, and promote a culture of continuous risk awareness.

However, empirical research on the actual impact of RBIA on the effectiveness of risk management especially within the context of Indian medium-sized enterprises remains limited. While risk management in MSMEs and SMEs has been recognised as essential for survival and sustainable performance [7], relatively few studies have focused on how the internal audit function, when reoriented through a risk-based lens, contributes to strengthening that risk management capability. This inferential analysis aims to fill that gap by examining medium-sized enterprises in the Delhi-NCR region, investigating whether and how the adoption of risk-based internal auditing influences the effectiveness of risk management practices, and thereby contributes to more robust organizational governance and operational resilience.

2.1 Inferential Statistics:

• Pearson’s Correlation Coefficient: To test the strength and direction of the relationship between RBIA adoption and risk management effectiveness.
• Multiple Linear Regression Analysis: To assess the predictive power of RBIA variables (audit planning, risk prioritization, audit coverage) on various dimensions of risk management (identification, assessment, mitigation).
• ANOVA (Analysis of Variance): To determine whether there are statistically significant differences in RBIA effectiveness across the four industry strata.
• Exploratory Factor Analysis (EFA): To validate the dimensionality and reliability of questionnaire constructs and eliminate multicollinearity or redundancy in item sets. The Kaiser-Meyer-Olkin (KMO) test and Bartlett’s test of sphericity will be applied prior to EFA.

2.2 Hypotheses

In order to investigate the relationship between Risk-Based Internal Auditing (RBIA) and the effectiveness of risk management in medium enterprises, the following research hypotheses have been formulated. These hypotheses are grounded in the theoretical framework of organizational control systems, internal audit maturity models, and enterprise risk management (ERM) effectiveness.

Level of Significance (LOS):

For the purpose of this research, the Level of Significance (α) is set at 0.05 (5%), which is a commonly accepted threshold in social science research. This implies that the probability of rejecting the null hypothesis when it is actually true is limited to 5%.

Hypotheses Framework

Decision Rule

• If p-value < 0.05, reject the null hypothesis and accept the alternative hypothesis, indicating a statistically significant result.
• If p-value ≥ 0.05, fail to reject the null hypothesis, suggesting that the result is not statistically significant.

2.4 Scope of Hypothesis Testing

This hypothesis testing framework will provide empirical validation for:

• The strategic relevance of RBIA in medium enterprises.
• How organizational factors affect audit policy implementation.
• Whether audit maturity leads to actual improvements in risk mitigation and governance structures.

3.1 Inferential Analysis: Hypotheses Testing

Inferential statistical analysis is conducted to test the research hypotheses and determine whether observed relationships between variables are statistically significant. The hypotheses are tested using Pearson’s correlation, multiple linear regression, and one-way ANOVA, depending on the nature of the variables involved.

3.1.1  Hypothesis H₁

H₀ (Null Hypothesis): There is no significant relationship between Risk-Based Internal Audit (RBIA) adoption and the effectiveness of risk management.

Statistical Test: Pearson’s Correlation Coefficient

Variables Used:

• Independent variable: RBIA Composite Score
• Dependent variable: Risk Management Effectiveness Score

Interpretation:
Since the p-value (0.000) < 0.05 and the correlation coefficient is moderately strong (r = 0.61), the null hypothesis is rejected. This indicates a statistically significant positive relationship between RBIA adoption and the effectiveness of risk management.

3.1.2 Hypothesis H₂

H₀ (Null Hypothesis): Organizational characteristics (sector, turnover, firm age) do not significantly influence the adoption of RBIA.

Statistical Test: One-way ANOVA (for categorical variables) and Multiple Regression (for continuous predictors)

ANOVA – RBIA Adoption Across Sectors:

Multiple Regression – RBIA vs. Organizational Characteristics:

Interpretation:
With significant ANOVA (p = 0.003) and regression coefficients (p < 0.05), the null hypothesis is rejected. Organizational characteristics, particularly turnover and sector, significantly influence the level of RBIA adoption among medium enterprises in the region.

3.1.3 Hypothesis H₃

H₀ (Null Hypothesis): The maturity level of internal audit functions does not correlate with the effectiveness of risk management.

Statistical Test: Pearson’s Correlation and Simple Linear Regression

Correlation Results:

Regression Summary:

Interpretation:
The positive correlation (r = 0.68) and highly significant regression (p = 0.000) confirm a strong association between audit maturity and risk management effectiveness. The null hypothesis is therefore rejected. As internal audit functions mature, the effectiveness of risk management processes improves substantially.

Summary of Hypotheses Testing

3.2 Relationship between Risk-Based Internal Audit (RBIA) and Risk Management Effectiveness

This section analyzes the statistical relationship between the adoption level of Risk-Based Internal Audit (RBIA) practices and the perceived effectiveness of risk management systems within medium-sized enterprises in the Delhi-NCR region. The objective is to determine whether higher adoption of RBIA leads to improvements in the quality, responsiveness, and overall robustness of risk management frameworks.

3.2.1. Variables Description

• Independent Variable: RBIA Adoption Index (Derived from aggregated scores on audit planning, risk assessment integration, reporting alignment, and audit committee involvement)
• Dependent Variable: Risk Management Effectiveness Score (Measured through parameters like early risk identification, mitigation success rate, compliance level, and stakeholder confidence)

3.2.2. Pearson’s Correlation Analysis

The Pearson’s correlation coefficient of 0.612 suggests a moderately strong positive relationship between RBIA adoption and risk management effectiveness. The p-value of 0.000 (< 0.05) indicates that this relationship is statistically significant at the 95% confidence level.

3.2.3. Regression Analysis

To further evaluate how much variance in risk management effectiveness can be explained by RBIA, a simple linear regression was performed.

Model Summary

ANOVA Table

Coefficients Table

3.3. Interpretation of Results

The regression analysis confirms that RBIA adoption significantly predicts risk management effectiveness (p < 0.001), and explains approximately 37.5% of the variance (R² = 0.375). The positive coefficient (β = 0.754) implies that for every one-unit increase in the RBIA index score, the risk management effectiveness score increases by 0.754 units, holding other factors constant.

This finding strongly supports the hypothesis that RBIA enhances an organization’s ability to proactively identify, evaluate, and mitigate risks, thereby improving operational stability and compliance posture.

3.4 Sector-wise or Industry-wise Comparative Analysis

This section presents a comparative analysis of the adoption of Risk-Based Internal Auditing (RBIA) and the effectiveness of risk management practices across major industry sectors within the medium-sized enterprise (MSE) segment in the Delhi-NCR region. The analysis provides insights into how industry-specific dynamics influence internal audit maturity and risk management performance.

3.4.1. Sectoral Classification

The sample was stratified into the following four primary sectors:

Sectoral Classification

3.4.2. Descriptive Analysis by Sector

The following table summarizes the mean scores for RBIA adoption and Risk Management Effectiveness across sectors:

Descriptive Analysis by Sector

These results suggest that Healthcare & Pharma enterprises lead in both RBIA adoption and perceived risk management effectiveness, while Logistics & Infrastructure exhibit relatively lower levels in both metrics.

Graph 5.10: Sectoral Mean Scores

The comparative analysis of sector-wise mean scores for RBIA adoption and risk management practices reveals significant differences in the maturity of governance and risk frameworks across industries.

3.5. ANOVA Results: Sectoral Differences

To assess whether the observed differences in RBIA adoption and risk management effectiveness across sectors are statistically significant, One-Way ANOVA tests were conducted.

ANOVA – RBIA Adoption Scores Across Sectors

ANOVA – Risk Management Scores across Sectors

The p-values (< 0.01) for both tests indicate that sector-wise differences in RBIA adoption and risk management effectiveness are statistically significant.

Interpretation and Implications

The comparative analysis reveals that industry sector plays a crucial role in determining the extent to which RBIA is adopted and how effective risk management systems are perceived to be. The relatively higher scores in the Healthcare & Pharma and Services sectors may be attributed to:

• Regulatory scrutiny and compliance standards (especially in pharma and finance)
• Greater awareness and adoption of governance frameworks
• More structured internal audit teams

4. Summary of Findings

This section presents a consolidated summary of the key empirical findings derived from the data analysis and their implications in the context of medium enterprises (MEs) in the Delhi-NCR region. The findings are organized around the central research objectives and tested hypotheses to provide a clear narrative linking RBIA practices with risk management effectiveness.

1. Prevalence and Nature of RBIA Adoption

• A significant proportion of medium enterprises in the sample reported the presence of internal audit functions, though the maturity and structure of these functions varied widely.
• RBIA-specific practices, such as periodic risk assessment, audit planning aligned with risk priorities, and involvement of top management, were more common in service-oriented sectors (e.g., finance, IT, healthcare) than in traditional manufacturing or logistics enterprises.
• The level of RBIA adoption was positively associated with enterprise size (within the medium category), management awareness, and audit budgeting.

2. Impact of RBIA on Risk Management Effectiveness

• Statistical analysis (Pearson’s correlation and regression) confirmed a strong positive relationship between the adoption of RBIA and the perceived effectiveness of risk management practices.
• Enterprises with robust RBIA frameworks demonstrated:
  • Improved ability to anticipate and mitigate financial and operational risks.
  • Higher confidence in compliance and regulatory readiness.
  • More proactive identification of supply chain and cyber risks.
• This finding supports the theoretical assumption that RBIA contributes to a more resilient and forward-looking risk governance culture.

3. Influence of Organizational Characteristics

• Hypothesis testing revealed that organizational characteristics such as sector type, leadership orientation, audit resource allocation, and process formalization significantly influence RBIA adoption.
• Sectors with higher regulatory exposure or client scrutiny (e.g., healthcare, financial services) showed deeper integration of RBIA.
• Conversely, sectors with informal documentation practices or capital limitations (e.g., logistics, construction) showed lower RBIA maturity.

4. Internal Audit Maturity and Risk Performance

Enterprises with formalized internal audit departments (having structured charters, qualified staff, audit committees, and risk mapping) scored significantly higher on risk performance indicators such as:

• Timeliness of risk mitigation actions.
• Frequency of internal audit reporting.
• Integration of audit findings into business decisions.

5. Sectoral Variations

Comparative analysis highlighted sector-specific trends:

• Healthcare and Financial Services: High RBIA maturity, robust compliance structures.
• Manufacturing: Moderate adoption; varied by sub-sector (e.g., auto components vs. textiles).
• Logistics and Infrastructure: Lower RBIA integration; audit often reactive and compliance-driven.
• Sectoral divergence was attributed to regulatory environment, availability of skilled auditors, and perceived ROI of internal auditing.

6. Challenges to RBIA Implementation

The study identified several structural and behavioral challenges faced by MEs in implementing RBIA, including:

• Lack of trained internal audit professionals with RBIA capabilities.
• Budgetary constraints limiting audit tool deployment and automation.
• Resistance to change, particularly in family-run or informally managed enterprises.
• Limited awareness of the strategic benefits of RBIA beyond regulatory compliance.
• These constraints point to a need for policy-level intervention and ecosystem support to improve audit capability across the MSME sector.

The present study provides empirical evidence on the pivotal role of risk-based internal auditing (RBIA) in enhancing the effectiveness of risk management within medium-sized enterprises (MEs) in the Delhi-NCR region. The findings confirm that RBIA adoption is significantly and positively associated with improved risk governance outcomes, including proactive identification of financial, operational, and compliance risks. Hypotheses testing further revealed that organizational characteristics such as sectoral orientation, leadership style, and resource allocation exert substantial influence on the extent of RBIA adoption, thereby shaping overall risk maturity.

Enterprises with structured and formalized internal audit departments demonstrated superior performance in risk mitigation, timeliness of response, and integration of audit insights into strategic decision-making. Conversely, organizations with ad hoc or compliance-driven audit mechanisms faced persistent vulnerabilities, particularly in rapidly evolving risk environments such as supply chain disruptions and cybersecurity threats.

Despite the benefits, challenges including limited auditor expertise, financial constraints, and cultural resistance continue to hinder the broader adoption of RBIA in the medium enterprise sector. These barriers underline the need for policy interventions, capacity-building programs, and greater awareness campaigns to strengthen audit maturity in the MSME ecosystem. Ultimately, the study underscores RBIA as a strategic enabler of organizational resilience and long-term sustainability, moving beyond its traditional role as a compliance safeguard to become an integral component of enterprise-wide risk management.

[1] Global Practice Guide: Developing a Risk-based Internal Audit Plan, Institute of Internal Auditors theiia.org
[2] Why and How to Perform a Risk-Based Internal Audit (RBIA), ISOtracker isoTracker
[3] Key considerations: Risk based internal audits, MetricStream metricstream.com
[4] Understanding the Role of Risk Management and Internal Audit, V-Comply blog VComply
[5] “The impact of enterprise risk management on the internal audit function”, ResearchGate literature ResearchGate
[6] Fundamentals of Risk-based Auditing, The IIA theiia.org
[7] “Enterprise risk management essential for survival and sustainable development of MSMEs”, Reena Agrawal ResearchGate

[8] Institute of Internal Auditors, A Global View: Internal Audit Survey 2022 — Internal Audit Maturity Levels and Trends, IIA Foundation Report. theiia.org

[9] Faisal Alqurashi & Hussain Alnoor, “Factors Affecting the Implementation of Risk-Based Internal Auditing,” MDPI Journal, 2024. MDPI

[10] Reena Agrawal, “‘Enterprise Risk Management’ Essential for Survival and Sustainable Development of Micro, Small and Medium Enterprises,” Faculty of Business Economics and Entrepreneurship International Review, 2016. ResearchGate

[11] Norman Marks, “Understanding and Practicing Risk-Based Internal Auditing,” blog and practical guidance, 2020. normanmarks.wordpress.com

[12] Włodzimierz Wawak, Risk Based Internal Audit – An Empirical Model for Implementation, Studies in Managerial and Financial Accounting, 2012. press.wz.uw.edu.pl

[13] S. Agrawal & A. K. Mishra, Risk Management in Micro, Small and Medium Enterprises (MSMEs): A Review, International Journal of Innovative Research in Management and Finance, 2021. ijirmf.com

[14] RMA-India blog, “How MSMEs Can Set Up Enterprise Risk Management Framework to Identify, Assess, Manage Business Uncertainties”, RMA-India, 2022.