RISK ASSESSMENTS

Listed below are the steps that Fort Bend ISD used to perform their risk assessment.  Also included are links to example documents that help to illustrate how the assessment was performed.  This model is only an example of one way to perform a risk assessment. Other methods are appropriate if they result in a systematic and objective method to evaluate the risk factors in your organization.

1.  Present the idea to the Board / Superintendent for approval (Risk Assessment Power Point).  Because of changes to the IIA Standards, a risk assessment will be performed annually.  A questionnaire will be used for years 2 and 3 of a 3-year cycle, since this process is time-consuming.

2.  Determine your risk variables, both subjective and objective.  Weight each risk variable according to the importance within your organization.  The total of all weights should equal 100%.  (Internal Audit Risk Variables)

3.  Define the audit universe and identify all auditable units within the organization.  Verify with each department head that you have included all relevant areas and have not duplicated areas.  (B&F Example Units)

4.  Determine a consistent method to evaluate each auditable unit and define the level of risk required to achieve a particular risk rank per risk variable (Risk Ranking Summary).

5.  Hold meetings with department heads to gather information on units that will become the basis for your risk determination.  Fort Bend held interviews and used a questionnaire to initiate the conversation, but let it expand to more topics when appropriate.  Keep the risk variables in mind and guide your questions accordingly.

6.  Determine the risk rank (number) for each variable per auditable unit.  Document the results so you have the foundation of your audit opinions and include this information in your workpapers.  If materiality is a risk variable, it can be difficult to assess.  Fort Bend added a workpaper to determine how materiality was assessed (Materiality-Word) (Materiality-Excel).

7.  Calculate the overall risk rank.  Multiply each risk variable weight by the risk number you assigned.  Then add the resulting numbers together to calculate the overall risk. (F&P Example)

8.  Sort the areas by overall risk rank in descending order and you will have completed your risk assessment (Summary Example).

9.  Determine the frequency based on the total risk calculation (Frequency).

10. Plan your audit schedule accordingly (Audit Schedule Example).

The risk assessment should not be considered a static document.  Circumstances can arise at any time that may elevate one area to be audited over another.