Risk Assessment Process
The Institute of Internal Auditors’ (IIA) Standards for the Professional Practice of Internal Auditing advises “… matters to be considered in establishing audit work schedule priorities should include … potential loss and risk.” Risk is the probability that an event or action may adversely affect the organization or the activity or process under audit. Components of risk assessment include:
- The quality and stability of the control environment;
- Potential business exposure considering materiality/liquidity of resources;
- The extent of monitoring activities of the operation or auditable area;
- The impact of external regulations;
- The public and potential sensitivity of the activity;
- The dependence of the auditable area on technology;
- The sensitivity/criticality of the information maintained/processed by the technology;
- The relative financial impact of the auditable area;
- The adequacy of staffing, process documentation, and degree of training for employees in the area;
- Results of prior audits and time elapsed since the last audit was performed; and
- Opportunities to achieve efficiencies in operations.
Audit resources are limited, so a comprehensive risk assessment will be performed biennially, with a less comprehensive risk assessment performed in the alternate (even-numbered) fiscal years.
Risk Assessment Principles
In order to provide practical guidance and a consistent framework for development of the risk assessment model used to develop the Audit Plan, we utilized the following principles:
- Consideration was given to unique situations and circumstances (i.e., special audits) which would supersede scheduled audits with higher risk scores;
- Recognition that audit resources of personnel and dollars are limited, which prohibits 100% audit coverage each year. This limiting factor is inherent in the concept of utilizing a risk assessment model to help prioritize audits;
- Consideration of work performed by other auditors. These audits may be mandated by grant provisions, State and Federal Agencies, or special audits;
- Incorporation of perceived or actual knowledge of the system of internal controls in the department or area of operations; and
- Understanding the inherent risks and limitations associated with any method or system of prioritizing audits. The risk factors and scoring process will be periodically evaluated and modified in order to improve audit planning.
We developed the Plan and risk assessment model by identifying an audit population that represented the total population of potential audits. The population considers: (i) organizational units within a department such as a division or a unit; (ii) transaction cycles or items common “horizontally” across a universe, such as payroll, contract compliance issues, personal service contracts, or grants; and (iii) individual financial statement accounts such as fixed assets or cash receipts/cash disbursements.
Our assessment of risk was developed from a risk model based on relative rankings using a matrix of the audit population and University business processes and sub-processes to track audit coverage by year to ensure all are considered in assessing risk for audit planning. UI has not established a formal process for identifying, ranking, and managing risk as discussed in COSO’s Enterprise Risk Management – an Integrated Framework.
We defined risk as the potential for loss to a department due to error, fraud, inefficiency, failure to comply with statutory requirements, or actions which may have a negative effect on the University. Risk is a function of the probability that such consequences will occur, their magnitude, and their imminence.
Risk assessment is undertaken to focus attention on significant audit areas, to allocate scarce audit resources to the most important audit areas, and to help with key audit prioritizing decisions such as audit frequency, intensity and timing. This approach separates risk into risk factors which are assessed individually and then combined into an overall score reflecting a department’s risk potential. This approach has several benefits:
- Documenting the process and basis for decisions.
- Facilitating review and consultation.
- Direct linkage to Internal Audit’s administrative structure and budget.
- New data can be easily incorporated into the analysis.
- Quantitative judgments of risk for balancing the intensity/frequency of audits.
Risk factors were selected based on their relevance to the nature and objectives of the audits and the reporting environment in which the University operates. Risk factor definitions follow.
- Based on the total 2011 budgeted expenditures by department.
- A measure of the assessed risk of exposure to potential loss or embarrassment due to the cash nature of transactions and the ease or difficulty of assets being converted to cash, considering the volume/dollar value of cash transactions compared to the amount of business transacted by check or wire transfer.
- Research or Gift Funding: A measure of the assessed risk of exposure to potential loss or embarrassment for resources which pass through the departments and are not state appropriated funds.
- Number of Staff: A measure of the assessed risk of exposure to loss due to the number of employees, which may impact the financial exposure, compliance with laws and regulations, control of gift and/or research funds, public exposure and complexity of transactions.
- Compliance with Laws and Regulations: A measure of the assessed risk of exposure, loss or regulatory sanction due to the complexity and volume of regulations or penalties for noncompliance. Considerations include: the nature and type of grants, contracts, and pass-through funds; the complexity and volume of regulations or monitoring associated with the funds; and the legal ramifications of noncompliance.
- A measure of the assessed risk of exposure to loss or embarrassment caused by the level of visibility and/or public interest, considering the nature of the operations, physical environment and security of the facilities, data, records and departmental personnel. We also consider the nature and extent of past situations, issues or incidents.
- Tone at the Top: A measure of the experience of management and its effect on limiting potential loss through adherence to regulatory compliance, effective use of resources, budget management and the personnel skills utilized. Factors considered include management’s background, time in service, training, level, type and nature of service, and the potential effects of managerial changes and turnover (i.e., terminations, resignations and retirements).
- Complexity of Transactions: A measure of the assessed risk of exposure to loss due to the nature and process of recording transactions and maintaining account balances. Contract terms and the nature of pass-through activities are also considered.
- Time Expired Since Last Audit: Assessment of how risks are mitigated by the frequency of internal and/or external audits. Factors considered include the timing of the last audit or special audits performed and the extent, nature, materiality and purpose of past audit scopes and findings.