Assess risk level

Risks should be prioritised according to their level, which is obtained by assessing the likelihood of the event occurring and the impact of that event. Then, the residual level should be determined by considering the management response to the risk.
Performance audit
Planning
Ref: 34.230

Instructions

Assessing the risk level

The audit team should only assess those risks identified as key. The audit team should not aim for unrealistic levels of accuracy. The accuracy of the risk analysis will depend on the quality of the information available. Evidence should be used when it is available. Nevertheless, the auditor has also to rely on common sense and sound professional judgement, based on the knowledge acquired and on experience. It is sufficient to determine the level (high, medium, low) of the key parameters:

Risk formulation: risk = likelihood of occurrence x impact of the event
  • When deciding on the likelihood of occurrence, the fundamental difficulties in risk assessment are that statistical information is not available and rare failures are hard to estimate. When estimating the likelihood of an event, the audit team will inevitably work on assumptions. These assumptions should be reasonable and should be documented.
  • To determine the impact (level of seriousness), the audit team should investigate how vulnerable the organisation is to the threats posed, and determine what the likely consequences of the risks on the organisation and/or the achievement of relevant objectives would be, should the risk materialise. The analysis of the consequences of risk should not be restricted to the direct effects only but should extend as far as possible.
The time spent on quantifying risks should relate to the significance they are likely to play in formulating the audit objectives. The overall evaluation is the result of the combination of both elements using the risk matrix:

Risk matrix (likelihood x impact)

Risk response

For those risks assessed as Medium and High, the audit team should examine the management response in place. This examination allows assessing how well an entity is managing major risks rather than simply focusing on areas of suspected weakness. Risk response and control activities are the actions, policies and/or procedures that help to ensure that management directives are carried out, and that necessary actions are taken to address and reduce the risks to the achievement of the organisation's objectives.

Several strategies can be adopted to deal with risk. Risk can be avoided, reduced, tolerated, mitigated, eliminated or transferred. Not all risks can or should be avoided; reducing all risk to 'zero' is usually not cost-effective for the organisation.

To identify the actions, controls and/or procedures that have been taken to counter the main risks identified, the auditor can start by taking the List of Expected Key Controls set up in Step 1 of the risk assessment and comparing these to the controls that management asserts to be in existence. It is also necessary to ascertain what controls are actually in operation, and establish the extent of their limitations. Controls can also be performed externally by, e.g., national certifying bodies or internally by the Internal Audit Service or a specific unit, e.g. a reconciliation unit. Examples of controls may include:
  • Internal control systems as a whole and more specifically,
  • Financial controls
  • Segregation of duties, access controls, delegation of authorities
  • Policies and procedures for monitoring and supervision
  • Audit and evaluations
  • Reporting on performance and results
  • Guidelines, procedures, manuals, standard forms etc.
  • Training / information campaigns

Assessing residual risk

The final assessment of the risk level, or residual risk level, takes into account the management response in place to adjust, i.e., increase or decrease the initial risk level, if appropriate. Reducing the risk level is a critical decision that should be taken after careful consideration, based on the experience and sound judgement of the auditor.

Involving the auditee

At this stage it is advisable to discuss and confirm the programme logic model, the flowchart and the risk analysis, with the auditee.

Resources

The audit team records the assessment of the risk level on Sheet 'St3- Risk Analysis' of the template. The second and last columns are manually copied to the next sheet 'St4- PAQS table'.

Last Modified: 13/09/2021 16:13