Chapter 3. Risk Assessments

Transcription

1 Chapter 3 Risk Assessments A. Background With the adoption of the 2006 audit plan, the Audit Committee endorsed basing the annual audit plan upon the relative risk of the various operations of the County subject to audit. The audit staff prepared the first risk assessments using a group discussion, brainstorming format. The staff relied on its own knowledge and experience of County operations in making the preliminary determinations of risk. These preliminary risk assessments have been reviewed with department management and County Administration. The preliminary risk assessments were broad and somewhat generic and reached a level of detail that was not conducive to effective, efficient audits. Accordingly staff undertook a research and development effort to enhance the utility and effectiveness of the risk assessments. B. Types of Risk Assessments Two types of risk assessments are conducted in the Office. The first is done for the development of the annual audit plan and is discussed in Chapter 4 - Preparation of the Annual Audit Work Plan, and is somewhat general in nature at the department, division and program level. The second is done for the development of the specific audit engagement audit program, and is discussed in detail in Chapter 5 Planning the Audit Engagement and is more detailed at the program level. C. Definition of Risk At its most basic, risk is the potential for things to happen which we do not want to happen, or for something to not happen which we do want to happen. Generally, a risk will be evaluated in relation to selected business objectives and methods. For our purposes, we have limited risk descriptively to being high, moderate or low. These labels are subjective and judgmental. Risk may also be considered from two other perspectives. The first is inherent risk meaning that there is a certain amount of risk associated with opening for business each day. The only way to affect inherent risk is to change the nature of the business. The second type of risk is residual risk which is that amount of risk remaining after management has implemented controls to mitigate significant risks inherent in the business. Chapter 3 - Page 1 of 6

2 D. Basis of Risk Assessments A risk assessment matrix has been developed drawing on the concepts in the Treadway Commission s report Internal Control An Integrated Framework. A sample of the matrix is included at the end of this chapter. The matrix focuses on four categories of risks: Operational; Reporting; Compliance; and Other. Within each category there is a focus on management s objectives, methods used to achieve those objectives, risks associated with the chosen methods and controls implemented by management to mitigate those risks. Areas in which management may establish various objectives are listed below. The list is not intended to be all inclusive or prescriptive, only illustrative. Operational Objectives: Service delivery Quality Efficiency Business continuity Technology development/utilization Equipment utility Adequate facilities Fraud, theft or misuse Security of assets Environmental Availability of materials Availability of staff Reporting Objectives Accuracy Timeliness Distributed to the right people Technology needed to support requirements Data security Sensitivity of information Interruption of data gathering or reporting Regulatory Compliance Objectives Awareness of new laws and regulations Grants and contracts requirements New governance issues Other Objectives Reputation Customers/stakeholders Media Communication/coordination Chapter 3 - Page 2 of 6

3 Investments Capital availability Economic changes Demographics Revenue concentration Intergovernmental coordination The risk analysis will be very dependent on the objectives chosen by management and the methods adopted by management to implement those objectives. Management s objectives may not be clearly established, they may be inherent or assumed in various programs, and they may not be reduced to writing. However, to be effective objectives should be specific, measurable, attainable, reasonable, and time constrained. Without these elements program evaluations may be difficult to conduct. The purpose of engagement planning is to identify relevant operational objectives, the methods used to achieve those objectives, and risks relevant to those objectives. Chapter 3 - Page 3 of 6

4 Department Name Audit Name WP # Risk Assessment Reviewed by Approved by Review date Approved date Program Objectives Operational: Program Objectives Reporting: Chapter 3 - Page 4 of 6

5 Program Objectives Compliance: Program Objectives Other: Chapter 3 - Page 5 of 6

6 PROPOSED AUDIT OBJECTIVE We are conducting this audit to answer the following objective: Chapter 3 - Page 6 of 6