[section separator="true"]
[section-item 9]
[row]
[column 12]
[toc-this]
Instructions
List all possible risks
Ideas can be developed by studying the programme logic model, the Flowchart and the List of Expected Key Controls built in Step 1 in the risk assessment, consulting [link title="examples" link="%23Resources" /] from other audits and answering the following questions:
- What can go wrong? What can be the risk?
- What assets are at risk (property, resources, information, reputation, legality)? From what sources (internal or external)? At which level: internal, external, legal, strategic, operational, organisational or administrative?
- With whom does the risk lie?
- What factors are / can be constraining performance (economy, efficiency, effectiveness)?
- What could be the cause (including weaknesses in controls)?
- What is the probability of it going wrong?
- What could be the consequences or the impact of it going wrong?
- How could this risk be managed? What is the auditee's strategy to minimise or control the risk?
Initial ideas may also be developed during a brainstorming session. The session could be conducted by an independent colleague, acting as a facilitator, with a limited number of participants. It is often helpful to conduct the session with financial audit colleagues (preferably auditors who have covered the area) or other experts. In addition, the audit team needs to become familiar with the risk management of the auditee.
Group by categories
A first “raw” list of all possible risks must be closely examined, sorted and fine-tuned. Several distinctions can be made: i) between the inherent risks and the control risks; ii) between the high-level risks and the more operational or detailed risks; iii) between the significant risks and the other risks. Risks can be grouped by affinity, i.e. by category, by subject or by theme. Risks can also be sorted by different categories: objective, type, impacted area, root cause, process, activity, etc., or by any other criterion selected by the auditor that is relevant for the audit.
Describe risks
Relevant selected risks should then be described in a consistent manner in order to be included in the “List of identified risks”. The description of a risk should ideally follow this equation:
[label stroke="true"]Risk formulation = cause + problem + impact[/label]
Therefore, it should include the following information:
- what are the main reasons for the problem?
- what is the problem?
- what are the most important potential consequences?
[toggles]
[toggle title="Example%20-%20Risk%20Description"]
From the [link title="case%20study" link="%2Faware%2FPA%2FPages%2FPlanning%2FRisk-assessment.aspx%23Case-study" /] on the audit of the translation expenditure of the institutions
Objective: “Translating the minutes of the European Parliament's session debates in the 'most recent' official languages in time to be published in the Official Journal”
| “Failure to translate in time” (problem). “Lack of translators” (problem). | Example of a bad risk formulation because it does not include any indication of the cause or the impact of the problem. |
| “Lack of translators for the “most recent” official languages (problem) can lead to delays in publishing the CRE in the OJ (impact)”. | Acceptable because it gives an indication of the potential consequence. However, even when the information is not available, the auditor should try to give possible reasons for the problem. |
| “Due to insufficient recruitment (cause) translators for the “most recent” official languages are not available (problem), which leads to a risk of significant delay in the publication of the CRE in the OJ (impact)”. | Good because both the cause and the consequence of the problem are clearly stated. |
[/toggle]
[/toggles]
Select risks
The audit team should prioritise the risks to be able to single out and focus on the key risks, i.e. risks which are critical. In most cases, there are no clear-cut answers to whether the risk is critical or not. A risk should be considered critical if it can:
- result in wasting significant amounts of money in the area under study.
- result in major infringement of laws and regulations.
- result in material financial loss.
- put the safety of people or the environment at stake.
- cause serious damage to the EU's stakeholders and institutions.
- in any way seriously affect the EU's image and reputation.
- prevent objectives from being achieved according to the principles of economy, efficiency and effectiveness.
Adapted from Risk Management in the Commission, European Commission, DG Budget, October 2010
Resources
[icons-list icon-size="2" separator="line" icon-vertical-alignment="middle" vertical-alignment="middle"]
[icon-list-item title="Risk%20assessment%20template" description="The%20audit%20team%20records%20this%20analysis%20on%20Sheet%20'St2-List%20identified%20risks'%20of%20the%20template.%20For%20the%20risks%20which%20the%20audit%20team%20considers%20as%20key%20and%20decides%20to%20analyse%20them%20further%20(answer%20Yes%20in%203rd%20column)%2C%20the%20first%202%20columns%20are%20manually%20copied%20to%20the%20next%20sheet%20'St3-%20Risk%20Analysis'.%20The%20team%20will%20explain%20in%20the%20%E2%80%98Comments%E2%80%99%20column%20in%20%E2%80%98ST2-List%20identified%20risks%E2%80%99%20the%20decision%20of%20not%20giving%20the%20risk%20further%20consideration." link="%2Faware%2FDocuments%2FRisk-assessment-template.xlsx" icon="file-excel-o" /]
[icon-list-item title="Case%20study" description="illustrates%20how%20this%20step%20is%20done%20in%20practice." link="%2Faware%2FDocuments%2FRisk-assessment-translation-example.xlsx" icon="file-excel-o" /]
[icon-list-item title="Collection%20of%20examples%20of%20risks" description="from%20the%20ECA%20and%20the%20Commission%20documents." link="%2Faware%2FDocuments%2FRisks-examples.docx" icon="file-word-o" /]
[icon-list-item title="Landscape%20review%20of%20the%20risks%20to%20the%20financial%20management%20of%20the%20EU%20budget" description="The%20team%20can%20consult%20Annex%20I%20as%20a%20source%20of%20ideas%20about%20possible%20risks%20to%20performance." link="https%3A%2F%2Fwww.eca.europa.eu%2FLists%2FECADocuments%2FLR14_02%2FQJ0614039ENN.pdf%23page%3D38" icon="external-link" linking="new-window" /]
[/icons-list]
[/toc-this]
[/column]
[/row]
[/section-item]
[section-item 3]
[row]
[column 12]
[toc fixed="true" selectors="h2%2Ch3" class="basic-toc" /]
[/column]
[/row]
[/section-item]
[/section]