Risk-based auditing is a broad topic, one that can be applied to many areas such as finance and information technology (IT). This paper focuses on risk-based auditing from an enterprise IT perspective. It covers the requirements for a risk-based audit and the steps necessary before, during and after an audit. Additionally, it discusses risk mitigation methods and provides analysis for selecting controls and measuring control effectiveness. This paper offers a simple risk-based audit methodology for organizations that want to develop an internal IT audit program, or that are looking for new ways to assess security risks.