Answer: I am sorry, but internal audit and risk management are completely different things in ISO 27001. Risk management is performed to identify and treat risks. The internal audit is performed (after the risk management) to check compliance with ISO 27001.
Anyway, if one year you identify a risk and define a treatment for it, you don't need to include this risk in the next year's assessment, because by then the treatment will be closed and it won't be a risk for your business.
And remember that no matter what the results of the risk assessment are, internal audit is mandatory - at least once a year.