Risk Assessments:

Listed below are the steps taken at FBISD in performing their risk assessment. Also included are links to example documents, which should help illustrate how they performed their risk assessment. This model is only an example of one way to perform a risk assessment; other methods are appropriate if they result in a systematic, objective way to evaluate the risk factors within your district.

1. Present the idea to the Board/Superintendent for approval (risk assessment PowerPoint). NOTE: Due to a recent change to the IIA Standards, a risk assessment will be performed annually; a questionnaire will be used for years 2 and 3 of a 3-year cycle, since this process is somewhat time-consuming.

2. Determine your risk variables, both subjective and objective, and weight each risk variable according to its importance within your district. The total of all weights should equal 100% (Internal Audit Risk Variables).

3. Define the audit universe (audit universe) and identify all auditable units within the organization. Verify with each department head that you have included all relevant areas and have not duplicated areas, etc. (B&F units).

4. Determine a consistent method to evaluate each auditable unit and define the level of risk required to achieve a particular risk rank per risk variable (risk ranking summary).

5. Hold meetings with department heads to gather information on units which will become the basis for your risk determination. I held interviews and used a questionnaire to initiate the conversation, but let it expand to more topics when appropriate (questionnaire). You should keep the "risk variables" in mind and guide your questions accordingly.

6. Determine the risk rank (number) for each variable per auditable unit. Document the results so you will have the foundation of your audit opinions and include this in your workpapers. If Materiality is one of your risk variables, it can be a difficult area to assess. I added an additional document to my workpapers to illustrate how I assessed the rankings for Materiality (materiality-Word) (materiality-Excel).

7. Calculate the overall risk rank: for each auditable unit, multiply each risk variable's weight by the risk number you've assigned for that variable, then sum the results (risk assessment all areas).

8. Sort the areas by the overall risk rank in descending order and you will have completed your risk assessment (risk assessment all areas).

9. Determine the frequency based on the total risk calculation (frequency).

10. Plan your audit schedule accordingly (sample audit schedule).
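The calculation in steps 2 and 6 through 9, as an added example that is not taken from FBISD's workpapers: it checks that the weights total 100%, computes each unit's weighted overall risk rank, sorts descending, and assigns a frequency. The risk variable names, weights, 1 to 5 rank scale, auditable units and frequency bands are all assumptions constructed for illustration.

```python
# Added illustration; every name, weight, rank and band below is constructed.
WEIGHTS = {  # step 2: percent weight per risk variable, must total 100
    "materiality": 30, "complexity": 20, "prior_findings": 20,
    "staff_turnover": 15, "regulatory_exposure": 15,
}
RANK_RANGE = (1, 5)  # assumed rank scale for step 6
# Assumed bands for step 9: (minimum overall rank, audit frequency)
FREQUENCY_BANDS = [(4.0, "every year"), (3.0, "every 2 years"), (0.0, "every 3 years")]

def _ranks(*values):
    """Pair rank numbers with the risk variables, in WEIGHTS order."""
    return dict(zip(WEIGHTS, values))

UNITS = {  # step 6: constructed rank per variable for each auditable unit
    "Payroll": _ranks(5, 4, 3, 2, 5),
    "Purchasing": _ranks(4, 3, 5, 4, 3),
    "Student Activity Funds": _ranks(5, 5, 4, 3, 4),
    "Fixed Assets": _ranks(2, 2, 1, 3, 2),
}

def validate(weights, units):
    """Reject weight sets that do not total 100% and incomplete or out-of-range ranks."""
    if sum(weights.values()) != 100:
        raise ValueError(f"weights total {sum(weights.values())}%, expected 100%")
    lo, hi = RANK_RANGE
    for unit, ranks in units.items():
        if set(ranks) != set(weights):
            raise ValueError(f"{unit}: ranks do not cover every risk variable")
        bad = [v for v, r in ranks.items() if not lo <= r <= hi]
        if bad:
            raise ValueError(f"{unit}: rank outside {lo}-{hi} for {bad}")

def overall_rank(weights, ranks):
    """Step 7: sum of (weight x rank), with weights expressed in percent."""
    return sum(weights[v] * ranks[v] for v in weights) / 100

def frequency(score):
    """Step 9: first band whose floor the score meets."""
    return next(label for floor, label in FREQUENCY_BANDS if score >= floor)

def assess(weights, units):
    """Steps 7-9: score every unit, sort descending, attach a frequency."""
    validate(weights, units)
    scored = [(name, overall_rank(weights, r)) for name, r in units.items()]
    scored.sort(key=lambda row: (-row[1], row[0]))  # step 8; ties by name
    return [(name, score, frequency(score)) for name, score in scored]

if __name__ == "__main__":
    for name, score, freq in assess(WEIGHTS, UNITS):
        print(f"{name:<24}{score:>5.2f}  {freq}")
```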

The risk assessment should not be considered a static document. Even though it is not recommended that you formally update your risk assessment more frequently than every three years, circumstances will arise throughout the year that may elevate one area to be audited over another.

For questions about this risk assessment process contact:

Geri Lopez


 
