AuditNet Sample Risk Assessment
Due to the complexity of operations and limited internal audit resources, a risk assessment is performed annually to measure the financial, compliance and operational risks associated with each department and/or activity. All areas identified for audit coverage are evaluated against nine criteria presented below. A rating scale of 1 to 5, with 5 having the greatest risk, is applied to these criteria.
- Risk of diversion or loss of assets
- Materiality to the financial statements
- Seriousness of deficiencies indicated in previous internal, external, or management audit reports
- Change in management or key personnel positions
- Complexity of the activity or complexity of the transactions processed
- Change in service, technology, or objectives
- Change in regulations or regulatory emphasis
- Any other change or unusual situation
- Need for an audit presence in terms of the time elapsed since
the previous audit
After compiling this information, the audit areas are prioritized into three categories: high risk, moderate risk, and low risk. Our ultimate goal is that all high-risk areas will be audited within 24 months of the previous audit report date, moderate-risk areas will be audited within 36 months of the previous audit date, and low-risk areas will be audited within 48 months of the prior audit report date. This risk assessment will be performed on an annual basis, and it is likely that some category reassignments will occur each year.