Risk assessment
In the context of a performance audit, risk assessment is the identification and analysis of the key risks to the achievement of objectives concerning economy, efficiency and effectiveness. It forms a basis for determining audit questions and scope.
Performance audit > Planning (Ref: 34.200)
Definition

Risk is the possibility of loss or injury: a threat of something going wrong with the activities or organisation of the entity or persons concerned. In the EU context, risk is defined as an incident or a particular set of circumstances that, should it occur, could adversely affect the organisation, for example through exposure to financial loss, loss of reputation, or failure to deliver a policy or programme economically, efficiently or effectively.

Risks to sound financial management are risks to achieving economy, efficiency and effectiveness.

Risks can be inherent in nature (inherent risk), arising from factors that make sound financial management hard to achieve no matter how well the entity is managed. Control risks, by contrast, arise from weaknesses in internal control and thus reflect how well the entity manages performance. Residual risk is the risk level that remains after existing actions and controls have been taken into account.
Instructions

In planning a performance audit, the audit team should carry out a risk assessment by analysing the relative significance of the risks to sound financial management, mapping the likelihood of occurrence against the likely impact, both quantitative and qualitative. Identifying and assessing risk is not an exact science and depends largely on the sound judgement of the auditor. This judgement should be based on knowledge, analysis and experience. The audit team has to be systematic, comprehensive and rigorous. No important risk should be overlooked; this includes considering how and where fraud might occur and the extent to which such acts might affect the audit result. Risks related to the use of information technology (IT) have to be taken into account, including weaknesses in the IT environment that can make the organisation vulnerable to other threats such as fraud and breaches of data security. The audit team should also consider the impact of Brexit on a given policy or programme.

The risk assessment process consists of four progressive steps:

1. Synthesize the acquired knowledge of the audit area, in particular the logic of the public intervention, key processes and controls;
2. Identify risks as areas of potential weakness in an organisation;
3. Assess the risk level of the identified risks, taking into account the action taken by the auditee to mitigate them (the 'risk response'), in order to identify the risks that are most significant and critical to the achievement of good performance; and
4. Focus on key risks and develop related potential audit questions.

Each step of the risk assessment acts as a filter and leads to the next.
Resources

Template

The decision-making process throughout the risk assessment should be recorded in the risk assessment template, so that reviewers and management can fully understand the process. The template has been built to reflect, step by step, the team's analysis and judgement throughout the risk assessment exercise. Each step of the process has one or more dedicated sheets, leading to the final output: the Potential Audit Questions and Scope (PAQS) table.

Case study

Audit teams can consult a case study illustrating how a risk assessment is carried out in practice. The case is adapted from the planning of the audit on the translation expenditure of the institutions (SR 09/2006).
References

Enterprise Risk Management - Integrated Framework, The Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2004.
Related documents
Standards
ISSAI 100/46
ISSAI 300/37
ISSAI 3000/100
GUID 3920/21,28
Last Modified: 16/09/2021 11:56