Risk Assessment:

1. Risk Assessment: For an Audit Engagement

2. Learning Objectives • Describe the general phases of a risk assessment on an audit engagement. • Perform an exercise to use risk assessment on our case study.

3. Risk • IIA glossary’s definition of risk: “The uncertainty of an event occurring that could have an impact on the achievement of objectives.”

4. IIA Standards • 2201 Engagement Planning Considerations: “…internal auditors should consider…the significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.”

5. Risk Assessment Steps • Collect background information • Identify objectives/assets/auditable activities • Identify the risks • Consider likelihood and/or significance of risks

6. Measuring Risk • Likelihood • Consequences

7. Risk Assessment Scoring Methods • Quantitative (e.g., score on a scale from 1-Perfect to 3-Average to 5-Poor). • Qualitative (e.g., High, Medium, Low)

8. Risk Assessment Steps (continued) • Rank the risks • Identify any controls over the risks • Determine whether the controls address the risks • Develop your audit plan focused on biggest risks • Option: Discuss the risk assessment with the client • Make any needed adjustments to your audit plan

9. Risk Assessment Example • City of San Jose risk matrix web site risk library: http://www.ci.san-jose.ca.us/auditor/risk3.html