Assess risk level
Risks should be prioritised according to their level, which is obtained by assessing the likelihood of the event occurring and the impact of that event. Then, the residual level should be determined by considering the management response to the risk.
Performance audit
Planning
Ref: 34.230
Instructions
Assessing the risk level
The audit team should only assess those risks identified as key.
The audit team should not aim for unrealistic levels of accuracy. The accuracy of the risk analysis will depend on the quality of the information available. Evidence should be used when it is available. Nevertheless, the auditor also has to rely on common sense and sound professional judgement, based on the knowledge acquired and on experience. It is sufficient to determine the level (high, medium or low) of the key parameters:
Risk formulation = likelihood of occurrence x impact of the event
When deciding on the likelihood of occurrence, the fundamental difficulties in risk assessment are that statistical information is not available and rare failures are hard to estimate. When estimating the likelihood of an event, the audit team will inevitably work on assumptions. These assumptions should be reasonable and should be documented.
To determine the impact (level of seriousness), the audit team should investigate how vulnerable the organisation is to the threats posed, and determine what the likely consequences of the risks would be for the organisation and/or the achievement of relevant objectives, should the risk materialise. The analysis of the consequences of risk should not be restricted to the direct effects only but should extend as far as possible.
The time spent on quantifying risks should relate to the significance they are likely to play in formulating the audit objectives.
The overall evaluation is the result of the combination of both elements using the risk matrix:
Risk response
For those risks assessed as Medium and High, the audit team should examine the management response in place. This examination allows assessing how well an entity is managing major risks rather than simply focusing on areas of suspected weakness. Risk response and control activities are the actions, policies and/or procedures that help to ensure that management directives are carried out, and that necessary actions are taken to address and reduce the risks to the achievement of the organisation's objectives. Several strategies can be adopted to deal with risk.
Risk can be avoided, reduced, tolerated, mitigated, eliminated or transferred.
Not all risks can or should be avoided; reducing all risk to 'zero' is usually not cost-effective for the organisation. To identify the actions, controls and/or procedures that have been taken to counter the main risks identified, the auditor can start by taking the List of Expected Key Controls set up in Step 1 of the risk assessment and comparing these to the controls that management asserts to be in existence. It is also necessary to ascertain what controls are actually in operation, and establish the extent of their limitations. Controls can also be performed externally by, e.g., national certifying bodies or internally by the Internal Audit Service or a specific unit, e.g. a reconciliation unit. Examples of controls may include:
Internal control systems as a whole and more specifically,
Financial controls
Segregation of duties, access controls, delegation of authorities
Policies and procedures for monitoring and supervision
Audit and evaluations
Reporting on performance and results
Guidelines, procedures, manuals, standard forms etc.
Training / information campaigns
Assessing residual risk
The final assessment of the risk level, or residual risk level, takes into account the management response in place to adjust, i.e., increase or decrease the initial risk level, if appropriate. Reducing the risk level is a critical decision that should be taken after careful consideration, based on the experience and sound judgement of the auditor.
Involving the auditee
At this stage it is advisable to discuss and confirm the programme logic model, the flowchart and the risk analysis with the auditee.
Resources
Risk assessment template
The audit team records the assessment of the risk level on Sheet 'St3- Risk Analysis' of the template. The second and last columns are manually copied to the next sheet 'St4- PAQS table'.
Last Modified: 13/09/2021 16:13