Risk assessment

In the context of a performance audit, risk assessment is the identification and analysis of the key risks to the achievement of objectives concerning economy, efficiency and effectiveness. It forms a basis for determining audit questions and scope.
Ref: 34.200

Definition

Risk is the possibility of loss or injury: a threat of something going wrong with the activities or organisation of the entity or persons concerned. In the EU context, we define risk as an incident, or the occurrence of a particular set of circumstances, that could adversely affect the organisation, for example through exposure to financial loss, loss of reputation, or failure to deliver a policy or programme economically, efficiently or effectively. Risks to sound financial management are risks to achieving economy, efficiency and effectiveness. Some risks are inherent in nature (inherent risk): they stem from factors that make sound financial management hard to achieve, no matter how well the entity is managed. By contrast, control risks arise from weaknesses in internal control and thus reflect how well the entity manages performance. Residual risk is the level of risk that remains after existing actions and controls have been taken into account.

Instructions

In planning a performance audit, the audit team should carry out a risk assessment by analysing the relative significance of the risks to sound financial management, mapping the likelihood of occurrence against the likely impact, both quantitative and qualitative. Identifying and assessing risk is not an exact science and depends largely on the sound judgement of the auditor. This judgement should be based on knowledge, analysis and experience. The audit team has to be systematic, comprehensive and rigorous: no important risk should be overlooked, including the consideration of how and where fraud might occur and the extent to which such acts might affect the audit result. Risks related to the use of information technology (IT) must also be taken into account, including weaknesses in the IT environment that can make the organisation vulnerable to other threats such as fraud and breaches of data security. The audit team should also consider the impact of Brexit on a given policy or programme. The risk assessment process consists of four progressive steps:
  1. Synthesize the acquired knowledge of the audit area, in particular the logic of the public intervention, key processes and controls;
  2. Identify risks as areas of potential weakness in an organisation;
  3. Assess the risk level of the identified risks whilst also considering the action taken by the auditee to mitigate such risks ('risk response') and to identify those risks which are the most significant and critical to the achievement of good performance; and
  4. Focus on key risks and develop related potential audit questions.
Each step of the risk assessment acts as a filter and leads to the next.

Resources

Template

The decision-making process throughout the risk assessment should be recorded in the risk assessment template so that reviewers and management can fully understand the process. The template has been built to reflect, step by step, the team's analysis and judgement throughout the risk assessment exercise. Each step of the process has one or more dedicated sheets, leading to the final output, the Potential Audit Questions and Scope (PAQS) table.

[Figure: overview of the risk assessment file]

Case study

Audit teams can consult a case study, illustrating how a risk assessment is carried out in practice. The case is adapted from the planning of the audit on the translation expenditure of the institutions (SR 09/2006).

Last Modified: 16/09/2021 11:56