Audit Manual

Engagement Risk Assessment Guidelines

Audit Services performs a risk assessment in the planning phase of each engagement. Risk is assessed as low, medium or high. Definitions are as follows:

  • Low - There is a minimal probability that the risks identified may adversely affect the activity under examination.
  • Medium - There is a moderate probability that the risks identified may adversely affect the activity under examination.
  • High - It is probable that the risks identified may adversely affect the activity under examination.

The Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing Performance Standard 2201 – Planning Considerations requires “internal auditors to consider the significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level”. Other planning considerations can be obtained from The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing.
Risk assessments should consider the possible effects of risk:

  • An erroneous decision from using incorrect, untimely, incomplete, or otherwise unreliable information.
  • Erroneous record keeping, inappropriate accounting, fraudulent financial reporting, financial loss, and exposure.
  • Failure to adequately safeguard assets.
  • Customer dissatisfaction, negative publicity, and damage to the organization’s reputation.
  • Failure to adhere to organizational policies, plans, and procedures, or not complying with relevant laws and regulations.
  • Acquiring resources uneconomically or using them inefficiently or ineffectively.
  • Failure to accomplish established objectives and goals for operations or programs.

Risk Assessment Process

1. Identify auditable activities - examples include:

  • Policies, procedures and practices
  • General ledger balances
  • Information systems
  • Transaction systems (sales, collection, purchasing)
  • Financial statements
  • Laws and regulations

2. Identify relevant risk factors - examples include:

  • Management interest
  • Adequacy and effectiveness of system of internal control
  • Public visibility
  • Organizational or operational changes
  • Date and results of previous engagements
  • Competence, adequacy, and integrity of personnel
  • Degree of computerized information systems
  • Asset size, liquidity, or transaction volume
  • Complexity or volatility of activities

3. Assess relative significance - discuss the significance of the various factors with the Engagement Manager and the Director of Audits, as appropriate, on an engagement-by-engagement basis.

4. Assess risk as low, medium or high based on the definitions above.

Alternative Risk Assessment Process

For larger, more complex engagements or engagements without a pre-defined objective, it may be more appropriate to perform a risk assessment of the area being reviewed using Enterprise Risk Management, which creates a risk footprint that assists in the identification of key risks. This alternative method should be discussed with the Engagement Manager and the Director of Audits as part of the understanding meeting to ensure an appropriate risk assessment for the engagement is completed.