Risk Assessment:
For an Audit Engagement
Learning Objectives
• Describe the general phases of a risk assessment on an audit engagement.
• Perform an exercise to use risk assessment on our case study.
Risk
• IIA glossary’s definition of risk: “The uncertainty of an event occurring that could have an impact on the achievement of objectives.”
IIA Standards
• 2201 Engagement Planning Considerations: “…internal auditors should consider…the significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.”
Risk Assessment Steps
1. Collect background information
2. Identify objectives/assets/auditable activities
3. Identify the risks
4. Consider likelihood and/or significance of risks
Measuring Risk
• Likelihood
• Consequences
Risk Assessment Scoring Methods
• Quantitative (e.g., score on a scale from 1-Perfect to 3-Average to 5-Poor)
• Qualitative (e.g., High, Medium, Low)
Risk Assessment Steps (continued)
5. Rank the risks
6. Identify any controls over the risks
7. Determine whether the controls address the risks
8. Develop your audit plan focused on biggest risks
9. Option: Discuss the risk assessment with the client
10. Make any needed adjustments to your audit plan
Risk Assessment Example
• City of San Jose risk matrix web site risk library: http://www.ci.sanjose.ca.us/auditor/risk3.html