Scribd Logo
Upload

Welcome to Scribd!

  • Risk Assesment by Program Area

    Uploaded by

    Joanne Perando
    19 views7 pages
    The document provides guidance on conducting a risk assessment for an internal audit. It includes templates for identifying risk factors, defining those factors, categorizing risks, and conducting an annual risk assessment. The templates include scales for scoring impact, probability, and overall risk. Impact and probability are scored on scales of 1-5, with higher numbers indicating greater risk. Risks are also categorized as operational, organizational, financial, compliance, technology, reputation, or customer-related. The annual risk assessment template combines impact and probability scores to calculate a total risk score for various auditable units.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    XLSX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document provides guidance on conducting a risk assessment for an internal audit. It includes templates for identifying risk factors, defining those factors, categorizing risks, and conducting an annual risk assessment. The templates include scales for scoring impact, probability, and overall risk. Impact and probability are scored on scales of 1-5, with higher numbers indicating greater risk. Risks are also categorized as operational, organizational, financial, compliance, technology, reputation, or customer-related. The annual risk assessment template combines impact and probability scores to calculate a total risk score for various auditable units.

    Copyright:

    © All Rights Reserved
    Download as XLSX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as xlsx, pdf, or txt
    19 views7 pages

    Risk Assesment by Program Area

    Uploaded by

    Joanne Perando
    The document provides guidance on conducting a risk assessment for an internal audit. It includes templates for identifying risk factors, defining those factors, categorizing risks, and conducting an annual risk assessment. The templates include scales for scoring impact, probability, and overall risk. Impact and probability are scored on scales of 1-5, with higher numbers indicating greater risk. Risks are also categorized as operational, organizational, financial, compliance, technology, reputation, or customer-related. The annual risk assessment template combines impact and probability scores to calculate a total risk score for various auditable units.

    Copyright:

    © All Rights Reserved
    Download as XLSX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as xlsx, pdf, or txt
    of 7

    State of Oregon Internal Audit

    Risk Assessment Guidance - Tool 1

    Key Feature Uses specific risks, risk factors, and risk categories
    Risk Identification • Risk factors are segregated by impact and likelihood factors.
    Characteristics • Specific risks are identified and categorized (operational, organizational, financial,
    compliance, information technology, reputation, and customer) for each auditable
    unit.These categories can be modified to fit a specific agency.
    Risk • Uses weighted risk factors for risk scoring.
    Measurement/Prioritizati • Each factor is scored on a scale from one to five.(Or can be done Low, Medium,
    on Characteristics High)
    • Risk measurement is a combination of quantitative input (e.g., magnitude/materiality)
    and qualitative judgment (e.g., complexity).
    • Relevant comments providing rationale for risk scores are documented.

    Example 1: Hybrid Model—Templates


    Template 1.1 Annual Risk Assessment for Multiple Audit Topics
    Template 1.2 Risk Factor Definitions
    Template 1.3 Risk CategoryDefinitions
    Template 1.4 Risk Rating Guide

    Risk Assessment Guidance Tool 1 P. 12


    <Agency Name>
    Template 1.1. Annual Risk
    Assessment

    Scores*, low risk = 1– Potential Risks*


    2; moderate risk = 3;
    high risk = 4-5.

    Total Probability Factors


    Total Impact Score
    Entity, division,

    Total Risk Score


    program, business
    process, objective, etc
    Comments on Risk Factors / Information
    Mitigating Factors Operational Risks Organizational Risks Financial Risks Compliance Risks Technology Risks Reputation Risks Customer Risks

    Business units provide erroneous data Business units cannot meet goals Revenue is not collected. Accounts receivable process does not SFMA is unable to process Customers lose trust in Biling is not correct and
    Example: Accounts to Financial Services. because of weaknesses in the billing meet state guidelines. billing information. billing process. customers are misbilled. .
    process.
    Receivable 3 2 2.5

    *Note: Risk categories and scales can be


    modified for agency use; see the 'Risk
    Assessment Guidance' document for further
    information.

    Source: The Internal Auditor's Guide to Risk Assessment by Rick Wright (The IIARF, 2013). Used by permission. Risk Assessment Guidance Tool 1 p. 13 Page 2 of 7
    Risk Assessment Guidance Tool 1

    Template 1.2. Risk Factor Definitions


    Factor
    Impact Factors (the effect on the organization)
    Impact of a risk is the effect a single occurrence of that risk will have upon the achievement of agency’s goals
    and objectives. There are three values:
    High (4,5) – The effect will cause the institution not to achieve its goals and objectives: “show stopper”
    Medium (3) – The effect will cause the institution to operate inefficiently and/or expend unplanned resources to
    meet goals and objectives
    Low (1, 2) – There will be no measurable effect upon the achievement of institutional goals and objectives

    Methodology to determine the Impact Value:


    * Identify consequences to the organization if a risk were to become a reality

    * Value the effect on the organization for each consequence (high, medium, or low)

    * Assign Impact value of an identified risk based upon the value of its highest potential consequence

    Probability Factors (the likelihood of the risk occurring)

    Probability of a risk is the likelihood the risk will become reality. There are three values:
    High (4, 5) – The risk will become a reality frequently
    Medium (3) – The risk will become a reality infrequently
    Low (1, 2) – The risk will rarely become a reality

    Scale*: 0 = not applicable; 1-2 = low risk; 3 = moderate risk; 4-5 = high risk
    *Or the scale can be modified to 1-10: 1-3 Low; 4-6 Medium; 7-10 High

    Tool 1 p. 14
    Source: The Internal Auditor's Guide to Risk Assessment by Rick Wright (The IIARF, 2013). Used by permission.
    Risk Assessment Guidance Tool 1

    Tool 1 p. 14
    Source: The Internal Auditor's Guide to Risk Assessment by Rick Wright (The IIARF, 2013). Used by permission.
    Template 1.3. Risk Category Definitions
    Risk Category Definition
    Operational risk is the possibility of an even or condition occurring that will influence the ability of an
    organization to achieve its objectives through the transformation of inputs into outputs.

    Operational Risk Operational risk arises from the potential that inadequate information systems, operational problems,
    breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses. Operational
    - the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, strategies or
    external events.

    Organizational risks include risk associated with organizational strategy and governance. Strategic risk is the
    possibility of an event or condition occurring that will enhance or threaten an organization's achievement of
    stated missions and objectives. Strategic risk is generally managed within an organization's governance
    framework and is closely linked to the environments in which an organization operates.
    Organizational Risk
    Organizational risks also include risks associated with the coordination between departments and/or internal
    and external stakeholders. Organizational communication and change management risks as well employee
    moral concerns are organizational risks.

    Financial risk is any risk that is related to financing the operations of an organization. Specifically, financial
    Financial Risk
    risk is generally concerned with an organization's cash flow and related transactions.

    Compliance risk is the possibility of an event or condition occurring that influences an organization's ability to
    achieve organizational objectives by conforming with value-adding internal policies, guidelines, and
    commitments; or external requirements of governing bodies. External requirements include the risk of
    noncompliance with federal, state and local laws, regulations, regulatory interpretations and guidance.

    Compliance Risk Part of compliance risks are regulatory risks. Regulatory risk are risks that many state agencies have as
    regulatory bodies such as investigation practices and implementation of a regulatory framework. As well as
    risks associated with being regulated by another body.

    Legal risk arises from potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or
    otherwise negatively affect the operations or condition of an organization.

    Information Technology the risk of loss due to inadequate security, confidentiality, integrity, capability
    Information Technology Risk or availability of systems affecting an organization’s operations, assets, customers,
    shareholders or employees.
    Reputation risk is a byproduct of all of the above risk categories. Reputation is the potential that negative
    publicity regarding an organization's business practices, whether true or not, will cause a decline in the
    Reputation Risk customer base, costly litigation, revenue reductions, or result in loss of citizen faith.

    Reputation risk also includes loss of public faith in an agency to meet its objectives.
    Risk of loss of customers or negative impact to customers because of business process or decisions.
    Customer risk could include the risk products
    Customer Risk
    or services will not meet customer quality standards or expectations. Customer risks can also be
    misinformation that costs customer's time or money.

    **See also Guidance document p. 5 for further categories and p. 10 for definitions.

    Source: The Internal Auditor's Guide to Risk Assessment by Rick Wright (The IIARF, 2013). Used by permission. Tool 1 p. 15
    Risk Assessment Guidance Tool 1

    Template 1.4. Risk Rating Guide


    Scale: high = 4–5; moderate = 3; 5 4 3 2 1
    low = 1–2
    • Introduction of new service/business line or
    Strategic Risk products present a high level of risk.
    • Significant/material misstatement or inaccuracies on
    the internal and external reporting requiring
    Reporting Risk reissuance of reports to external regulators.

    •The process/business has been significantly modified •The process/business has been somewhat modified •Some processes have recently been modified or •A process has been modified or changed within the •Processes have not been modified or changed within
    or changed within the past year. or changed within the past year. changed within the past year. past year. the past year.
    •The business has added several new •The business frequently adds new products/services. •The business periodically adds new •The business rarely adds new products/services. •New products/services have not been added within
    products/services in the past year. •Some of the business is conducted outside the bank’s products/services. •The business predominantly conducts business inside the past year.
    •Business is conducted outside the bank’s geographic geographic footprint or is somewhat decentralized. •The business is primarily conducted inside the bank’s the bank’s geographic footprint. •The business conducts business inside the bank’s
    footprint or is decentralized. •The process/business is susceptible to error or fraud. geographic footprint. •The process/business has a fairly low level of geographic footprint.
    •The process/business is highly susceptible to error or •The business either sends or receives funds. •The process/business has a relatively moderate level susceptibility to error or fraud. •The process/business has a relatively low level of
    fraud. •There has been staffing turnover within the past of susceptibility to error or fraud. •The business rarely sends or receives funds. susceptibility to error or fraud.
    •The business sends or receives a large amount of year, or senior management has recently changed. •The business sends or receives a moderate amount •There is a low to moderate amount of staffing •The business does not send and/or receive funds.
    funds. •The area processes between 50,000 and 100,000 of funds. turnover. •There is a low amount of staffing turnover.
    •There is a significant amount of staffing turnover, or transactions a day. •There is a moderate amount of staffing turnover. •The area processes between 10,000 and 25,000 •The area processes less than 10,000 transactions a
    Operational senior management has recently changed. •The business processes are manual. •The area processes between 25,000 and 50,000 transactions a day. day.
    •The area processes more than 100,000 transactions a transactions a day. •The process is mostly automated. •The process is automated.
    day. •The business processes are somewhat automated.
    •The business processes are highly manual.

    •There are a significant number of •There are a fairly high number of •There are a relatively moderate number of •There are a relatively low number of •There are no new regulatory/accounting
    regulatory/accounting requirements, or the regulatory/accounting requirements, or the regulatory/accounting requirements, or the regulatory/accounting requirements, or the requirements.
    requirements are highly technical. requirements are technical. requirements are somewhat technical. requirements are not technically complex. •There have been no changes to existing laws,
    •There have been significant changes to existing laws, •There have been changes to existing laws, •There have been some changes to existing laws, •There have been few or no changes to existing laws, regulations, accounting pronouncements, or
    regulations, accounting pronouncements, or regulations, accounting pronouncements, or regulations, accounting pronouncements, or regulations, accounting pronouncements, or regulatory guidelines.
    Legal/Regulatory/Compliance regulatory guidelines. regulatory guidelines. regulatory guidelines. regulatory guidelines. •The area is rarely reviewed by the regulators.
    •The area is reviewed by the regulators several times •The area is reviewed by the regulators regularly. •The area is reviewed by the regulators periodically. •The area is reviewed by the regulators occasionally.
    a year.

    •The process/business relies heavily on complex •The process/business relies on complex and/or new •The process/business relies moderately on complex •The process/business does not rely on new •The process/business does not rely heavily on
    and/or new technology. technology. and/or new technology. technology. complex and/or new technology.
    •Significant changes have been made to existing •Changes have been made to existing technology •Some changes have been made to existing •Significant changes have not been made to existing •Changes have not been made to existing technology
    technology within the past year. within the past year. technology within the past year. technology within the past year. within the past year.
    •The recovery time objective (RTO) on the key •The recovery time objective (RTO) on the key •The recovery time objective (RTO) on the key •The recovery time objective (RTO) on the key •The recovery time objective (RTO) on the key
    technology is high (less than 24 hours). technology is high (less than 24 hours). technology is moderate (24-72 hours). technology is low (72 hours +). technology is low (72 hours +).
    •The key technology was created and is maintained by •The key technology was created and/or is maintained •The key technology was created by a vendor and is •The key technology was created and/or is maintained •The key technology was created and is maintained by
    Technology a vendor. by a vendor. maintained by the bank. by the bank. the bank.
    •The key technology runs on platforms and •The key technology runs on platforms and •The key technology runs on platforms and •The key technology runs on platforms and •The key technology runs on enterprise scalable
    infrastructure controlled by the segment. infrastructure controlled by the segment. infrastructure controlled by the IT team. infrastructure controlled by the IT team. platforms and infrastructure.

    •The business or its products present a high level of •The business or its products present a moderate to •The business or its products present a moderate level •The business or its products present a fairly low level •The business or its products present a very low level
    reputational risk. high level of reputational risk. of reputational risk. of reputational risk. of reputational risk.
    •Business revenues may be cyclical, possibly resulting •Business revenues are somewhat cyclical, possibly •Business revenues are somewhat cyclical, which may •Business revenues are not cyclical and have a fairly •Business revenues are not cyclical and have very little
    in significant impact to corporate profitability. resulting in significant impact to corporate moderately impact corporate profitability. low impact on corporate profitability. impact on corporate profitability.
    •The program impacts more than 20,000 citizens. profitability. •The business process impacts between 5,000 and •The business process impacts between 1,000 and •The business process impacts less than 1,000 citizens.
    Public Perception and Reputation •The business process impacts between 10,000 and 10,000 citizens. 5,000 citizens.
    Risk 20,000 citizens.

    •The last audit rating was inadequate and/or findings •The last audit rating was needs improvement or •The last audit rating was adequate or needs •The last audit rating was adequate and no findings •The last audit rating was strong, and no findings are
    remain open. adequate, and findings remain open. improvement, and findings remain open. remain open. open.
    •Last exam rating contained numerous matters •The last exam rating contained MRAs that are still •The last exam rating contained MRAs that are closed. •The last exam rating contained no MRAs, and no •The last exam rating was strong or satisfactory, and
    requiring immediate attention (MRIAs) or matters open. •The last credit review rating was satisfactory, and recommendations are still open. no findings are open.
    requiring attention (MRAs). •The last credit review rating was less than findings remain open. •The last credit review rating was satisfactory, and no •The last credit review rating was strong.
    •Last credit review rating was inadequate. satisfactory. •Management’s assessment of the control findings remain open. •Management’s assessment of the control
    •Management’s assessment of the control •Management’s assessment of the control environment area is adequate. •Management's assessment of the control environment area is strong.
    Control Risk environment is inadequate. environment area is needs improvement. •There are open findings in ERMS. environment area is adequate. •There are no open findings in ERMS.
    •There are significant open findings in the electronic •There are several open findings in ERMS. •There are some low findings open in ERMS.
    record management system( ERMS).

    Tool 1 p. 16
    IMPACT
    High - 5
    Med-High - 4
    Medium - 3
    Med-Low - 2
    Low - 1
    PROBABILITY Low - 1 Med-Low - 2 Medium - 3 Med-High - 4 High - 5

    You might also like