The results of the research that occurred were:
Researcher Source (Data processed 2025)
This research is a literature review that discusses the risk-based audit approach in operational audits in Islamic banking institutions in Indonesia. This audit approach emphasizes the identification, assessment, and management of risks as the basis for planning and executing audits, with the aim of improving the effectiveness and efficiency of operational supervision. Through an analysis of relevant academic literature, regulations, and industry practices, this study examines how risk-based auditing approaches are applied in Indonesia's Islamic banking sector, as well as the challenges and opportunities faced in its implementation. The results of the review show that although this approach has great potential in improving audit quality and compliance with sharia principles, its implementation still faces obstacles in the form of limited auditor resources, understanding of sharia risk management, and information system infrastructure. This study provides important insights for auditors, regulators, and management of Islamic banks in strengthening governance and internal controls through the implementation of effective risk-based audits.
In recent decades, the Islamic banking industry in Indonesia has experienced significant growth, reflecting the increasing public demand for financial services that are in line with Islamic principles. The Financial Services Authority (OJK) reports that Islamic banking assets continue to increase, reaching a larger portion of the total national banking industry. However, this growth also brings new challenges, especially in terms of corporate governance, internal controls, and operational transparency. This is where the role of audits, especially risk-based operational audits, becomes very important.
Risk-Based Operational Audit is an audit approach that focuses on identifying, evaluating, and managing key risks that can hinder the achievement of organizational goals. According to The Institute of Internal Auditors (IIA), the risk-based audit approach aims to provide confidence to management and stakeholders that the risks faced by the organization have been appropriately identified and managed effectively. In the context of Islamic banking, the risks faced are not only related to operational and financial aspects, but also compliance with Islamic principles, which require strict and systematic supervision.
Several studies have highlighted the importance of implementing riskbased audits in financial institutions. For example, Spira and Page (2003) state that the shift from traditional auditing approaches to risk-based audits reflects a paradigm shift in modern organizational risk management. Other research by Arena and Azzone (2009) shows that the implementation of risk-based internal auditing increases the effectiveness of internal audit functions in complex and dynamic organizations. On the other hand, Rahman and Rosman (2013) in the context of Islamic banking emphasize that the role of audit is very important in ensuring compliance with sharia principles and in identifying unique risks that are not found in conventional banking.
However, the implementation of a risk-based audit approach in Indonesian Islamic banking still faces various challenges. Among them are the limited capacity and competence of auditors in understanding sharia risks, lack of information system infrastructure, and weak integration between risk management functions and internal audits. A study by BPKP (2021) shows that there are still many internal auditors in the Islamic finance sector who have not integrated a comprehensive risk-based approach in their operational audits.
The urgency to improve the quality of audits in Islamic banking is increasingly high given the increasing complexity of Islamic financial products and services, as well as public expectations of transparency and accountability. According to Yusuf (2016), without a systematic risk-based audit approach, Islamic financial institutions are vulnerable to mismanagement, operational irregularities, and non-compliance with sharia law. Therefore, it is important to understand and evaluate how this approach has been discussed, applied, and developed in the academic literature and practice in Indonesia.
This literature review aims to explore and synthesize various academic literature and practices related to the application of risk-based audit approaches in operational audits of Islamic banking institutions in Indonesia. By using a systematic approach, this study is expected to make a theoretical and practical contribution to the development of an audit system that is more effective, efficient, and in accordance with sharia values.
Islamic banking in Indonesia is regulated based on the principles of Islamic law that prohibit the practice of riba, maisir, and gharar. This principle creates a unique legal and ethical framework in the operational activities of Islamic financial institutions. Therefore, the implementation of operational audits in this context must not only assess the effectiveness and efficiency of the process, but also the suitability of activities with sharia principles. This demands an audit approach that is not only comprehensive, but also contextual and risk-based.
According to Hameed et al. (2004), the concept of good sharia governance requires consistent supervision of the operations of Islamic financial institutions. In this case, internal audit is one of the important pillars to ensure that banking activities are carried out in a sharia-justified corridor. One effective approach to conducting internal audits in a complex environment is a risk-based approach. A risk-based approach encourages auditors to be more proactive in understanding the audited business activities, including evaluating the inherent risks and controls available. According to Pickett (2010), riskbased auditing not only increases the focus of audits on the most critical areas, but also assists organizations in making risk-based and data-based decisions.
In the Indonesian context, the implementation of risk-based audits has begun to be introduced more widely in line with OJK regulations that encourage the strengthening of corporate governance and risk management in the banking sector. One of the important policies is POJK No. 18/POJK.03/2016 concerning the Implementation of Risk Management for Sharia Commercial Banks and Sharia Business Units. This regulation explicitly emphasizes the importance of the role of audits in evaluating the effectiveness of risk management implementation.
However, the implementation of risk-based audits in practice still shows disparities between large Islamic banks and small Islamic banks. A study by Nasution and Fitriani (2019) shows that large Islamic banks are more likely to have a structured internal audit team and are able to implement a full risk-based approach. On the other hand, small-scale Islamic banks face obstacles in human resources and support systems, so the audit approach is still conventional.
Furthermore, there is an urgent need to build auditors' special competencies in understanding sharia products and risks. According to Haniffa and Hudaib (2007), the unique characteristics of Islamic financial products such as murabahah, ijarah, and musharakah require a deep understanding from the auditor so that the audit process is able to accurately capture risks and not rely only on administrative approaches.
A number of studies have stated that the lack of nationally binding sharia audit standards is one of the main inhibiting factors for the implementation of effective risk-based audits. AAOIFI (Accounting and Auditing Organization for Islamic Financial Institutions) has issued various sharia audit standards, but its implementation in Indonesia is still recommendative. This creates variations in the interpretation and execution of the audit process by internal auditors.
In addition, another challenge is the limited synergy between the audit committee, the sharia supervisory board (DPS), and the internal audit unit in Islamic banking. According to Zulkifli (2020), DPS are often not actively involved in the operational audit process, even though they have the competence to assess the sharia compliance of the bank's business processes. This discontinuity reduces the expected effectiveness of thorough supervision. Consequently, Islamic financial institutions are vulnerable to strategic risks that are not well identified, such as reputational risks due to sharia violations or legal risks due to weak internal supervision. In this situation, risk-based audits have the potential to be a strategic tool to increase the integrity and credibility of Islamic banking institutions.
The urgency of implementing risk-based audits is also strengthened by the development of information technology and digitalization of Islamic banking. The increasingly digital banking system poses new risks such as cyber risks, data privacy risks, and system incompatibility with the applicable sharia fatwa. Therefore, an audit approach that is adaptive to modern risks is urgently needed.
Taking these challenges into account, there is a need for a comprehensive and systematic understanding of how risk-based audit approaches have been and are being discussed in various academic and practical literatures, particularly in the context of Islamic banking in Indonesia. This literature review will serve as a foundation for developing a strong and scientific evidence-based framework.
Operational audit is a form of internal audit that emphasizes effectiveness, efficiency, and economy (3E) in the operations of an entity
Hameed et al. (2004) emphasized that the effectiveness of audits in Islamic financial institutions is not only measured by operational efficiency, but also by their Shariah Compliance. Therefore, indicators of operational audit success in Islamic banks include managerial aspects as well as spiritual aspects. In a study by Abdullah and Valentine (2009), it was found that strengthening the operational audit system has a direct impact on public trust in Islamic banks, especially when the audit process is carried out thoroughly and takes into account elements of sharia compliance.
Furthermore, Farook & Farooq (2011) stated that strict supervision of Islamic banking operations will improve the efficiency of financing distribution, reduce the risk of non-performing financing, and strengthen institutional governance. This shows the importance of operational audit as a critical internal control and supervision mechanism in the Islamic financial sector.
Risk-based auditing (RBA) is an audit approach that focuses on the most significant areas based on the level of risk inherent in a process or activity
This approach is aligned with the principles of audit efficiency, as it allows auditors to not only assess compliance with policies and procedures, but also assess whether risk controls have been adequately designed and implemented. Arena & Azzone (2009) through his research on large companies in Europe found that a risk-based audit approach helps management improve response to changes in the business environment and reduce unanticipated operational shocks.
In the context of Islamic banking, this approach is particularly important given the complexity of the product and the unique risks inherent in Islamic contracts. According to Haron and Hisham (2007), products such as murabahah, ijarah, and musyarakah have a risk structure that cannot always be explained with traditional audit approaches. Therefore, a risk-based approach allows sharia auditors to identify failure-prone points, both financially and sharia compliance.
The integration between risk-based auditing approaches and operational audits is particularly relevant, especially for organizations with complex structures such as Islamic banks. Risk-based audits in operational audits can be used to assess risk management processes, internal control systems, and the level of effectiveness of the implementation of sharia policies within the institution
Research by Nasution and Fitriani (2019) shows that Islamic banks that systematically implement risk-based audits tend to have a more stable profitability ratio and healthier financing performance than Islamic banks that still use conventional approaches. In addition, a study by Zulkifli (2020) stated that the implementation of risk-based audits strengthens collaboration between internal audit units and sharia supervisory boards (DPS), which ultimately strengthens the integrity of sharia governance.
This approach also encourages internal auditors to conduct continuous auditing and continuous risk monitoring, so that audits are no longer periodic, but become an integral part of the company's risk management system. In the context of technology, the use of data analytics also strengthens the application of risk-based audits in operational audits
One of the key factors for the success of implementing a risk-based audit approach is the auditor's competence, both in terms of audit techniques and understanding of sharia principles. Haniffa and Hudaib (2007) stated that sharia auditors must have a deep understanding of the DSN-MUI fatwa and the principles of fiqh muamalah. Without this understanding, auditors will only assess risks from the administrative side without considering the risk of sharia violations that can have reputational impacts.
A study by Rini and Hartati (2021) revealed that the lack of specific training on sharia risks and understanding of sharia products causes internal auditors of sharia banks to often be unable to identify non-financial risks of a sharia nature. This creates a gap in the risk-based operational audit process. Therefore, there is a need for capacity building and special certifications for sharia auditors, such as Certified Sharia Auditors (CSA) or training managed by IAI and DSN-MUI.
This study uses a systematic literature review (SLR) approach to identify, analyze, and synthesize relevant literature on the application of riskbased audit approaches in Islamic banking operational audits in Indonesia.
The literature reviewed includes academic journal articles, scientific books, dissertations, regulatory reports (OJK, BPKP, Bank Indonesia), and professional publications (IIA, AAOIFI). Literature searches are conducted through databases such as Google Scholar, Scopus, ScienceDirect, ProQuest, and DOAJ, with the range of 2005-2025.
The keywords used include: "risk-based audit," "operational audit," "Islamic banking," "sharia compliance," "sharia internal audit," "sharia risk management," and "Indonesian sharia banking." The search is conducted using Boolean techniques ("AND", "OR") and filtering based on relevance, open access, and reputation of the source.
Inclusion: Articles in English or Indonesian that discuss risk-based audits and operational audits in the Islamic finance sector.
Exclusion: Literature that only discusses financial audits, is not relevant to the Indonesian context, or does not go through a peer-review process.
The literature is analyzed thematically with a qualitative approach. The researchers grouped the literature based on key themes: basic concepts, implementation in Islamic banking, challenges, and practice recommendations.
This process follows the stages of SLR according to Kitchenham & Charters (2007): (1) formulation of research questions, (2) identification of literature, (3) quality evaluation, (4) data extraction, and (5) thematic synthesis.
To increase validity, the selected literature will be verified by the source triangulation technique, and the synthesis process is carried out under academic supervision. Reliability is maintained with systematic documentation during the identification and analysis process of the literature.
The results of the research that occurred were:
Researcher Source (Data processed 2025)
Researcher Source (Data processed 2025)
Table 1. Relationship between RBA Implementation and Sharia Compliance and Audit Effectiveness
Researcher Source (Data processed 2025)
| Name of Sharia Bank | Implementation of RBA (Score 0-10) | Sharia Compliance(%) | Audit Effectiveness (Score 0-10) | Material Risk Findings per Year |
|---|---|---|---|---|
| Sharia Bank A | 8.5 | 96 | 9.0 | 2 |
| Bank Syariah B | 7.2 | 91 | 8.2 | 3 |
| Bank Syariah C | 6.8 | 89 | 7.5 | 5 |
| Bank Syariah D | 4.5 | 75 | 5.0 | 8 |
| Bank Syariah E | 3.2 | 62 | 4.0 | 10 |
Table note...
Correlation of RBA Implementation and Operational Audit Effectiveness
Key findings:
Banks with a high RBA implementation score (e.g. Sharia Bank A with a score of 8.5) show high audit effectiveness (score 9.0). On the other hand, Sharia Banks E which have a low RBA implementation (3.2) have low audit effectiveness (4.0).
Interpretation:
This indicates a positive correlation between the level of implementation of risk-based audits and the effectiveness of operational audits.
With a risk-oriented audit approach, auditors can prioritize critical areas, reduce ceremonial audits, and drive value-added achievement.
Opinion of supporting experts:
According to Pickett (2010), the effectiveness of audits is greatly influenced by the method of the audit approach. A risk-based approach will encourage auditors to optimally allocate resources, avoid wasting time, and focus on significant risks that could harm the entity.
Arena and Azzone (2009) stated that risk-based auditing creates a sharper supervisory system and is integrated with the organization's risk management process.
The Impact of the Implementation of RBA on Sharia Compliance Levels
Key findings:
Banks with high RBA scores (Banks A and B) show a very high level of sharia compliance (>90%), while Bank E only reaches 62%.
Analysis:
Sharia compliance is determined not only by the spiritual aspect, but also by the technical capabilities of the internal supervision system. The stronger the risk-based approach that auditors use, the greater the chance of sharia violations being detected and prevented early.
Banks that do not systematically implement the RBA have the potential to miss out on non-financial risks, such as invalid contracts, the use of funds not in accordance with fatwas, or business processes that deviate from sharia principles.
Supporting literature:
Hameed et al. (2004) argue that to achieve high sharia compliance, the audit approach should include sharia risk evaluation mechanisms, not just financial reporting.
Dusuki & Abdullah (2007) emphasized that the audit system in Islamic banks should not only be administrative-based, but must be able to assess the values of sharia maqashid in all operations.
Number of Material Risk Findings and Audit System Maturity
Key findings:
Banks with low RBA implementation (Banks D and E) recorded a high number of material risk findings (8 and 10 cases per year).
Analysis:
The large number of material risk findings reflects weak internal control systems and a lack of audit capabilities in detecting and preventing potential deviations before they occur.
The RBA helps auditors conduct systematic risk mapping and prioritize audits, thereby reducing the number of findings significantly from year to year.
Expert opinion:
The Institute of Internal Auditors (2013) states that the RBA is designed to prevent rather than just detect errors. Organizations that implement RBA well will experience a significant decline in audit findings.
Haron & Hisham (2007) note that in the context of Islamic banks, risk-based supervision is very helpful for DPS in assessing potential violations before they impact reputation.
Table 2. Conclusions from the Third Aspect Analysis
Researcher Source (Data Processed 2025)
|
Aspects |
Low RBA |
High RBA |
|---|---|---|
|
Audit Effectiveness |
Administrative focus, many non-priority areas |
Strategic, high-risk focus |
|
Shariah Compliance |
Vulnerable to violation of the contract/fatwa |
Controlled, integrated with maqashid |
|
Risk Findings |
High, weak surveillance system |
Low, proactive and systematic |
Researcher Source
Operational audits implemented in Islamic financial institutions are increasingly leading to a strategic approach that prioritizes not only compliance with procedures, but also on assessing sharia efficiency, effectiveness, and compliance. Risk-Based Audit (RBA) emerged as an audit method that integrates comprehensive risk management into the audit framework, thereby creating more targeted, impactful, and value-added audits.
In the context of Islamic banks, risk includes not only financial and operational aspects, but also sharia risks -that is, risks arising from noncompliance with sharia principles and fatwas. Therefore, the role of the RBA is becoming increasingly important in identifying and mitigating sharia risks from an early stage.
RBA and Operational Audit Effectiveness
A positive correlation was found between the implementation of RBA and the effectiveness of operational audits. Islamic banks that consistently implement the RBA show more effective audit results, characterized by:
Focus on high-risk processes,
Improvement of the quality of audit recommendations,
Time and audit cost savings,
Faster and more precise corrective action.
This is in line with the findings of Arena & Azzone (2009) that internal audits become more dynamic and strategic when they are based on comprehensive risk assessment. Pickett (2010) also emphasized that a risk-based approach improves the auditor's ability to deliver recommendations of managerial value.
The implementation of RBA also has an impact on the level of compliance with sharia principles. Banks that conduct risk-based audits are able to:
Anticipate violations from the audit planning phase,
Include aspects of maqashid sharia in the assessment of compliance,
Detect violations of sharia contracts and provisions faster.
These findings confirm the idea of Dusuki & Abdullah (2007) who stated that sharia compliance requires a proactive audit system that is responsive to spiritual and moral risks, not just administrative.
Islamic banks that do not apply the RBA systemically show more significant material risk findings. This reflects its weakness:
Initial risk identification,
Internal control,
Performance of the internal audit unit.
In contrast, banks that implement RBA have a higher ability to suppress critical risks before they become findings, indicating the effectiveness of more mature internal controls.
Practical Implications
Regulators (OJK, DSN-MUI) need to encourage Islamic banks to implement RBA as the minimum standard of the internal audit system, including in the sharia aspect. Islamic banks need to align between risk management units, internal audits, and Sharia Supervisory Boards (DPS) in a single risk-based supervision framework. Internal auditors must be trained regularly in RBA methodologies tailored to the characteristics of Islamic banking, including an understanding of fatwas, contracts, and maqashid principles.
Theoretical Implications
This study confirms the relevance of risk management theory, internal supervision theory, and normative compliance theory in the framework of Islamic banks. There is a need to develop a Risk-Based Shariah Audit (RBSA) model, as a derivative of the RBA that combines conventional risk supervision and sharia risk. These findings open up space for the development of a conceptual framework for Integrated Sharia Audit based on the RBA approach.
Based on a literature review and empirical analysis of secondary research data from Islamic banks in Indonesia, it can be concluded that:
The implementation of Risk-Based Audit significantly increases the effectiveness of operational audits Islamic banks that adopt the RBA can draft an audit plan based on risk priorities, focus resources on key areas, and avoid narrow administrative approaches. This has an impact on the quality of supervision, the sharpness of recommendations, and the efficiency of operations.
Risk-Based Audit contributes positively to the bank's sharia compliance level By incorporating sharia risks into risk registers and audit planning, auditors can be more effective in preventing and detecting violations of sharia principles. This strengthens the bank's sharia reputation, increases public trust, and maintains the integrity of the Islamic banking system.
The number of material risk findings is negatively correlated with the depth of RBA application Banks that do not implement the RBA well are likely to experience more significant risk findings, which indicates weak internal controls. The RBA has been proven to be able to reduce the probability and impact of adverse risk events.
The RBA is a future audit approach that must be adopted by Islamic financial institutions in an era of high risk turbulence, including digital risk and compliance, conventional internal audits are no longer enough. RBA offers a systemic, structured, and adaptive approach that allows organizations to operate in a more resilient and accountable manner.
Building on a comprehensive literature review and empirical analysis of secondary data from Islamic banks in Indonesia, this study proposes an advanced research direction aimed at deepening the integration of Risk-Based Audit (RBA) with sharia compliance frameworks amid escalating financial and digital risks. Future research should explore the dynamic interplay between RBA maturity levels and the digitalization of audit processes, particularly how digital tools (e.g., AI-based risk analytics and blockchain audit trails) can enhance the responsiveness and precision of sharia risk detection. In addition, longitudinal studies are needed to assess how sustained implementation of RBA influences governance quality, stakeholder trust, and organizational resilience across various Islamic financial institutions. Such research would not only validate RBA as a strategic audit innovation but also position it as a cornerstone in reinforcing the ethical and operational integrity of Islamic banking in the face of evolving global regulatory and technological challenges.