The business risk auditing (BRA) approach was developed in the late 1990s and partly incorporated into audit standards in the early 2000s. As such, BRA was a significant innovation in audit methodology. In our interview study, we examine the experiences of 38 non-Big 4 auditors with the theorization and diffusion of BRA. We use the widely recognized framework from Greenwood, Suddaby, and Hinings (2002), which emphasizes the importance of legitimacy within an organizational field, to evaluate the change process toward BRA. First, we observe that the theorization of the new concept of BRA was often of limited success, as many non-Big 4 auditors found it to be too complex and remained unconvinced that BRA was developed in response to problems with previous audit approaches (“moral legitimacy”). The lack of moral legitimacy can provide the underlying basis for resistance toward change. Second, auditors often expressed skeptical views about the benefits of BRA (“pragmatic legitimacy”), resulting in only limited use of nonmandatory BRA tools. Finally, we find that auditors were divided in considering elements of BRA as the natural way of doing audits (“cognitive legitimacy”). In all, our findings help to understand the role of regulatory mechanisms and of non-Big 4 audit firms in institutional processes in auditing.