
State of Oregon Internal Audit

Risk Assessment Guidance - Tool 1

Key Feature: Uses specific risks, risk factors, and risk categories.

Risk Identification Characteristics:
• Risk factors are segregated by impact and likelihood factors.
• Specific risks are identified and categorized (operational, organizational, financial, compliance, information technology, reputation, and customer) for each auditable unit. These categories can be modified to fit a specific agency.

Risk Measurement/Prioritization Characteristics:
• Uses weighted risk factors for risk scoring.
• Each factor is scored on a scale from one to five (or can be done Low, Medium, High).
• Risk measurement is a combination of quantitative input (e.g., magnitude/materiality) and qualitative judgment (e.g., complexity).
• Relevant comments providing rationale for risk scores are documented.

Example 1: Hybrid Model—Templates


Template 1.1 Annual Risk Assessment for Multiple Audit Topics
Template 1.2 Risk Factor Definitions
Template 1.3 Risk Category Definitions
Template 1.4 Risk Rating Guide

Risk Assessment Guidance Tool 1 P. 12


<Agency Name>
Template 1.1. Annual Risk Assessment

Scores*: low risk = 1–2; moderate risk = 3; high risk = 4–5.

Columns:
• Entity, division, program, business process, objective, etc.
• Potential Risks*, by category: Operational Risks, Organizational Risks, Financial Risks, Compliance Risks, Technology Risks, Reputation Risks, Customer Risks
• Comments on Risk Factors / Information Mitigating Factors
• Total Probability Factors
• Total Impact Score
• Total Risk Score

Example row: Accounts Receivable
• Operational Risks: Business units provide erroneous data to Financial Services.
• Organizational Risks: Business units cannot meet goals because of weaknesses in the billing process.
• Financial Risks: Revenue is not collected.
• Compliance Risks: Accounts receivable process does not meet state guidelines.
• Technology Risks: SFMA is unable to process billing information.
• Reputation Risks: Customers lose trust in billing process.
• Customer Risks: Billing is not correct and customers are misbilled.
• Total Probability Factors: 3
• Total Impact Score: 2
• Total Risk Score: 2.5

*Note: Risk categories and scales can be modified for agency use; see the 'Risk Assessment Guidance' document for further information.

Source: The Internal Auditor's Guide to Risk Assessment by Rick Wright (The IIARF, 2013). Used by permission. Risk Assessment Guidance Tool 1 p. 13

Template 1.2. Risk Factor Definitions

Impact Factors (the effect on the organization)
Impact of a risk is the effect a single occurrence of that risk will have upon the achievement of agency’s goals
and objectives. There are three values:
High (4,5) – The effect will cause the institution not to achieve its goals and objectives: “show stopper”
Medium (3) – The effect will cause the institution to operate inefficiently and/or expend unplanned resources to
meet goals and objectives
Low (1, 2) – There will be no measurable effect upon the achievement of institutional goals and objectives

Methodology to determine the Impact Value:
* Identify consequences to the organization if a risk were to become a reality
* Value the effect on the organization for each consequence (high, medium, or low)
* Assign Impact value of an identified risk based upon the value of its highest potential consequence

Probability Factors (the likelihood of the risk occurring)

Probability of a risk is the likelihood the risk will become reality. There are three values:
High (4, 5) – The risk will become a reality frequently
Medium (3) – The risk will become a reality infrequently
Low (1, 2) – The risk will rarely become a reality

Scale*: 0 = not applicable; 1-2 = low risk; 3 = moderate risk; 4-5 = high risk
*Or the scale can be modified to 1-10: 1-3 Low; 4-6 Medium; 7-10 High
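The scoring that Templates 1.1 and 1.2 describe (per-category scores on the 0–5 scale, impact set by the highest potential consequence, totals banded as low/moderate/high and placed on the impact-by-probability grid), as an added example that is not part of the Oregon guidance or Rick Wright's book. The aggregation rules for the three totals and the per-category sample values are assumptions, chosen so the output matches the Accounts Receivable row's totals of 3, 2 and 2.5.

```python
"""Risk scoring for one auditable unit, modelled on Templates 1.1 and 1.2.

Added example, not the State of Oregon's or Rick Wright's code. Assumptions
(the templates leave them open): total impact = highest category impact
(Template 1.2's "highest potential consequence" rule); total probability =
mean of the applicable category probabilities; total risk = mean of the two."""
from dataclasses import dataclass

CATEGORIES = ("operational", "organizational", "financial", "compliance",
              "technology", "reputation", "customer")

@dataclass(frozen=True)
class RiskScore:
    probability: int  # 0 = not applicable, 1-5 per Template 1.2
    impact: int

def band(score: float) -> str:
    """Tool 1 scale: 1-2 low, 3 moderate, 4-5 high; fractional totals are
    rounded half up before banding (assumption)."""
    rounded = int(score + 0.5)
    return {1: "low", 2: "low", 3: "moderate", 4: "high", 5: "high"}[rounded]

def assess_unit(scores: dict[str, RiskScore]) -> dict:
    """Return the template's three totals, the risk band and the heat-map cell."""
    for name, s in scores.items():
        if name not in CATEGORIES or not (0 <= s.probability <= 5
                                          and 0 <= s.impact <= 5):
            raise ValueError(f"bad category or score outside 0-5: {name}={s}")
    applicable = [s for s in scores.values() if s.probability and s.impact]
    if not applicable:
        raise ValueError("no applicable risk category scored")
    probability = sum(s.probability for s in applicable) / len(applicable)
    impact = max(s.impact for s in applicable)
    total = (probability + impact) / 2
    return {"total_probability": probability, "total_impact": impact,
            "total_risk": total, "band": band(total),
            # (probability, impact) cell on the 5x5 grid at the end of Tool 1
            "heat_map_cell": (int(probability + 0.5), impact)}

# Constructed per-category scores for the "Accounts Receivable" example row;
# the template gives only the totals, so these values are made up to match.
ACCOUNTS_RECEIVABLE = {
    "operational": RiskScore(3, 2), "organizational": RiskScore(3, 2),
    "financial": RiskScore(4, 2), "compliance": RiskScore(2, 1),
    "technology": RiskScore(3, 2), "reputation": RiskScore(2, 1),
    "customer": RiskScore(4, 2),
}

if __name__ == "__main__":
    print(assess_unit(ACCOUNTS_RECEIVABLE))
```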

Template 1.3. Risk Category Definitions

Risk Category / Definition

Operational Risk
Operational risk is the possibility of an event or condition occurring that will influence the ability of an organization to achieve its objectives through the transformation of inputs into outputs. Operational risk arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses. Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, strategies or external events.

Organizational Risk
Organizational risks include risks associated with organizational strategy and governance. Strategic risk is the possibility of an event or condition occurring that will enhance or threaten an organization's achievement of stated missions and objectives. Strategic risk is generally managed within an organization's governance framework and is closely linked to the environments in which an organization operates. Organizational risks also include risks associated with the coordination between departments and/or internal and external stakeholders. Organizational communication and change management risks, as well as employee morale concerns, are organizational risks.

Financial Risk
Financial risk is any risk that is related to financing the operations of an organization. Specifically, financial risk is generally concerned with an organization's cash flow and related transactions.

Compliance Risk
Compliance risk is the possibility of an event or condition occurring that influences an organization's ability to achieve organizational objectives by conforming with value-adding internal policies, guidelines, and commitments, or external requirements of governing bodies. External requirements include the risk of noncompliance with federal, state and local laws, regulations, regulatory interpretations and guidance. Part of compliance risk is regulatory risk: the risks that many state agencies have as regulatory bodies, such as investigation practices and implementation of a regulatory framework, as well as risks associated with being regulated by another body. Legal risk arises from the potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect the operations or condition of an organization.

Information Technology Risk
Information technology risk is the risk of loss due to inadequate security, confidentiality, integrity, capability or availability of systems affecting an organization's operations, assets, customers, shareholders or employees.

Reputation Risk
Reputation risk is a byproduct of all of the above risk categories. Reputation risk is the potential that negative publicity regarding an organization's business practices, whether true or not, will cause a decline in the customer base, costly litigation, revenue reductions, or result in loss of citizen faith. Reputation risk also includes loss of public faith in an agency to meet its objectives.

Customer Risk
Customer risk is the risk of loss of customers or negative impact to customers because of business processes or decisions. Customer risk could include the risk that products or services will not meet customer quality standards or expectations. Customer risks can also be misinformation that costs customers' time or money.

**See also Guidance document p. 5 for further categories and p. 10 for definitions.


Template 1.4. Risk Rating Guide


Scale: high = 4–5; moderate = 3; low = 1–2. Each risk area below lists the rating criteria for scores 5, 4, 3, 2 and 1.

Strategic Risk
• Introduction of new service/business line or products present a high level of risk.

Reporting Risk
• Significant/material misstatement or inaccuracies on the internal and external reporting requiring reissuance of reports to external regulators.

Operational
Score 5 (high):
• The process/business has been significantly modified or changed within the past year.
• The business has added several new products/services in the past year.
• Business is conducted outside the bank's geographic footprint or is decentralized.
• The process/business is highly susceptible to error or fraud.
• The business sends or receives a large amount of funds.
• There is a significant amount of staffing turnover, or senior management has recently changed.
• The area processes more than 100,000 transactions a day.
• The business processes are highly manual.
Score 4 (high):
• The process/business has been somewhat modified or changed within the past year.
• The business frequently adds new products/services.
• Some of the business is conducted outside the bank's geographic footprint or is somewhat decentralized.
• The process/business is susceptible to error or fraud.
• The business either sends or receives funds.
• There has been staffing turnover within the past year, or senior management has recently changed.
• The area processes between 50,000 and 100,000 transactions a day.
• The business processes are manual.
Score 3 (moderate):
• Some processes have recently been modified or changed within the past year.
• The business periodically adds new products/services.
• The business is primarily conducted inside the bank's geographic footprint.
• The process/business has a relatively moderate level of susceptibility to error or fraud.
• The business sends or receives a moderate amount of funds.
• There is a moderate amount of staffing turnover.
• The area processes between 25,000 and 50,000 transactions a day.
• The business processes are somewhat automated.
Score 2 (low):
• A process has been modified or changed within the past year.
• The business rarely adds new products/services.
• The business predominantly conducts business inside the bank's geographic footprint.
• The process/business has a fairly low level of susceptibility to error or fraud.
• The business rarely sends or receives funds.
• There is a low to moderate amount of staffing turnover.
• The area processes between 10,000 and 25,000 transactions a day.
• The process is mostly automated.
Score 1 (low):
• Processes have not been modified or changed within the past year.
• New products/services have not been added within the past year.
• The business conducts business inside the bank's geographic footprint.
• The process/business has a relatively low level of susceptibility to error or fraud.
• The business does not send and/or receive funds.
• There is a low amount of staffing turnover.
• The area processes less than 10,000 transactions a day.
• The process is automated.

Legal/Regulatory/Compliance
Score 5 (high):
• There are a significant number of regulatory/accounting requirements, or the requirements are highly technical.
• There have been significant changes to existing laws, regulations, accounting pronouncements, or regulatory guidelines.
• The area is reviewed by the regulators several times a year.
Score 4 (high):
• There are a fairly high number of regulatory/accounting requirements, or the requirements are technical.
• There have been changes to existing laws, regulations, accounting pronouncements, or regulatory guidelines.
• The area is reviewed by the regulators regularly.
Score 3 (moderate):
• There are a relatively moderate number of regulatory/accounting requirements, or the requirements are somewhat technical.
• There have been some changes to existing laws, regulations, accounting pronouncements, or regulatory guidelines.
• The area is reviewed by the regulators periodically.
Score 2 (low):
• There are a relatively low number of regulatory/accounting requirements, or the requirements are not technically complex.
• There have been few or no changes to existing laws, regulations, accounting pronouncements, or regulatory guidelines.
• The area is reviewed by the regulators occasionally.
Score 1 (low):
• There are no new regulatory/accounting requirements.
• There have been no changes to existing laws, regulations, accounting pronouncements, or regulatory guidelines.
• The area is rarely reviewed by the regulators.

Technology
Score 5 (high):
• The process/business relies heavily on complex and/or new technology.
• Significant changes have been made to existing technology within the past year.
• The recovery time objective (RTO) on the key technology is high (less than 24 hours).
• The key technology was created and is maintained by a vendor.
• The key technology runs on platforms and infrastructure controlled by the segment.
Score 4 (high):
• The process/business relies on complex and/or new technology.
• Changes have been made to existing technology within the past year.
• The recovery time objective (RTO) on the key technology is high (less than 24 hours).
• The key technology was created and/or is maintained by a vendor.
• The key technology runs on platforms and infrastructure controlled by the segment.
Score 3 (moderate):
• The process/business relies moderately on complex and/or new technology.
• Some changes have been made to existing technology within the past year.
• The recovery time objective (RTO) on the key technology is moderate (24-72 hours).
• The key technology was created by a vendor and is maintained by the bank.
• The key technology runs on platforms and infrastructure controlled by the IT team.
Score 2 (low):
• The process/business does not rely on new technology.
• Significant changes have not been made to existing technology within the past year.
• The recovery time objective (RTO) on the key technology is low (72 hours +).
• The key technology was created and/or is maintained by the bank.
• The key technology runs on platforms and infrastructure controlled by the IT team.
Score 1 (low):
• The process/business does not rely heavily on complex and/or new technology.
• Changes have not been made to existing technology within the past year.
• The recovery time objective (RTO) on the key technology is low (72 hours +).
• The key technology was created and is maintained by the bank.
• The key technology runs on enterprise scalable platforms and infrastructure.

Public Perception and Reputation Risk
Score 5 (high):
• The business or its products present a high level of reputational risk.
• Business revenues may be cyclical, possibly resulting in significant impact to corporate profitability.
• The program impacts more than 20,000 citizens.
Score 4 (high):
• The business or its products present a moderate to high level of reputational risk.
• Business revenues are somewhat cyclical, possibly resulting in significant impact to corporate profitability.
• The business process impacts between 10,000 and 20,000 citizens.
Score 3 (moderate):
• The business or its products present a moderate level of reputational risk.
• Business revenues are somewhat cyclical, which may moderately impact corporate profitability.
• The business process impacts between 5,000 and 10,000 citizens.
Score 2 (low):
• The business or its products present a fairly low level of reputational risk.
• Business revenues are not cyclical and have a fairly low impact on corporate profitability.
• The business process impacts between 1,000 and 5,000 citizens.
Score 1 (low):
• The business or its products present a very low level of reputational risk.
• Business revenues are not cyclical and have very little impact on corporate profitability.
• The business process impacts less than 1,000 citizens.

Control Risk
Score 5 (high):
• The last audit rating was inadequate and/or findings remain open.
• Last exam rating contained numerous matters requiring immediate attention (MRIAs) or matters requiring attention (MRAs).
• Last credit review rating was inadequate.
• Management's assessment of the control environment is inadequate.
• There are significant open findings in the electronic record management system (ERMS).
Score 4 (high):
• The last audit rating was needs improvement or adequate, and findings remain open.
• The last exam rating contained MRAs that are still open.
• The last credit review rating was less than satisfactory.
• Management's assessment of the control environment area is needs improvement.
• There are several open findings in ERMS.
Score 3 (moderate):
• The last audit rating was adequate or needs improvement, and findings remain open.
• The last exam rating contained MRAs that are closed.
• The last credit review rating was satisfactory, and findings remain open.
• Management's assessment of the control environment area is adequate.
• There are open findings in ERMS.
Score 2 (low):
• The last audit rating was adequate and no findings remain open.
• The last exam rating contained no MRAs, and no recommendations are still open.
• The last credit review rating was satisfactory, and no findings remain open.
• Management's assessment of the control environment area is adequate.
• There are some low findings open in ERMS.
Score 1 (low):
• The last audit rating was strong, and no findings are open.
• The last exam rating was strong or satisfactory, and no findings are open.
• The last credit review rating was strong.
• Management's assessment of the control environment area is strong.
• There are no open findings in ERMS.

Risk heat map (impact by probability):
IMPACT (vertical axis): High - 5; Med-High - 4; Medium - 3; Med-Low - 2; Low - 1
PROBABILITY (horizontal axis): Low - 1; Med-Low - 2; Medium - 3; Med-High - 4; High - 5
