I think that the approach you take depends on the staff size you have. I think many of us here have already pointed out that we are understaffed and I would daresay that Internal Audit is an "understaffed" profession in general. That being said, I personally try to take somewhat of a more risk-based approach. The reason is simply that you only have a certain number of hours, especially if you are a one-person shop, so you want those hours to be spent as wisely as possible. I think the risk-based approach allows you to do that.
I think that the risk-based approach is probably more common nowadays, but I honestly haven't been at this that long. I think that actually performing the risk assessment gives you documentation (so you can show the examiners how wonderful you are), but it also helps you to get thinking about your particular institution and its quirks.