Below is one example of steps that can be used to perform a risk assessment. Also included are links to example documents that help to illustrate how the assessment was performed. Other methods are appropriate if they result in a systematic and objective method to evaluate the risk factors in your organization.
1. Present the idea to the Board / Superintendent for approval. Based on the IIA Standards, a risk assessment will be performed annually. Because this process is time consuming, a questionnaire will be used for years 2 and 3 of a 3-year cycle.
2. Determine your risk variables, both subjective and objective. Weight each risk variable according to the importance within your organization. The total of all weights should equal 100%.
3. Define the audit universe and identify all auditable units within the organization. Verify with each department head that you have included all relevant areas and have not duplicated areas.
4. Determine a consistent method to evaluate each auditable unit and define the level of risk required to achieve a particular risk rank per risk variable.
5. Hold meetings with department heads to gather information on units that will become the basis for your risk determination. A questionnaire can be used in interviews to initiate the conversation, but let it expand to more topics when appropriate. Keep the risk variables in mind and guide your questions accordingly.
6. Determine the risk rank (number) for each variable per auditable unit. Document the results so you have the foundation of your audit opinions and include this information in your workpapers. If materiality is a risk variable, it can be difficult to assess. You may want to add a workpaper to determine how materiality was assessed.
7. Calculate the overall risk rank. Multiply each risk variable's weight by the risk number you assigned to it, then add the products together to get the overall risk.
8. Sort the areas by overall risk rank in descending order and you will have completed your risk assessment.
9. Determine the frequency based on the total risk calculation.
10. Plan your audit schedule accordingly.
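The scoring in steps 2, 7, 8 and 9 is simple enough to put in a small script, which also catches the two mistakes that are easiest to make by hand: weights that do not total 100%, and a unit missing a rank for one of the variables. The following is an added example, not part of the original page; the risk variables, their weights, the 1-to-5 ranking scale, the three auditable units, their ranks and the frequency cut-offs are all constructed sample values that an organization would replace with its own.

```python
"""Weighted risk ranking for an audit universe (added example, sample data)."""

# Step 2: risk variables and their weights; the weights must total 100%.
# Constructed sample values.
WEIGHTS = {
    "materiality": 30,
    "control_environment": 25,
    "complexity": 20,
    "time_since_last_audit": 15,
    "change_in_personnel": 10,
}

# Step 4: every variable is ranked on the same scale, 1 (low) to 5 (high).
MIN_RANK, MAX_RANK = 1, 5

# Step 9: assumed cut-offs mapping the overall score (1.0 to 5.0) to a frequency.
FREQUENCY_CUTOFFS = [
    (4.0, "annual"),
    (3.0, "every 2 years"),
    (0.0, "every 3 years"),
]

# Step 6: ranks gathered per auditable unit (constructed sample data).
UNITS = {
    "payroll": {"materiality": 5, "control_environment": 3, "complexity": 4,
                "time_since_last_audit": 2, "change_in_personnel": 1},
    "student_activity_funds": {"materiality": 3, "control_environment": 5,
                               "complexity": 4, "time_since_last_audit": 5,
                               "change_in_personnel": 5},
    "facilities_maintenance": {"materiality": 2, "control_environment": 2,
                               "complexity": 2, "time_since_last_audit": 3,
                               "change_in_personnel": 1},
}


def validate_weights(weights):
    """Step 2 check: the weights of all risk variables must add up to 100%."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights total {total}%, expected 100%")
    return total


def overall_risk(weights, ranks):
    """Step 7: sum of weight x rank over every variable, divided by 100 so the
    result stays on the same 1-to-5 scale as the individual ranks."""
    missing = set(weights) - set(ranks)
    if missing:
        raise ValueError(f"no rank recorded for: {sorted(missing)}")
    for name, rank in ranks.items():
        if not MIN_RANK <= rank <= MAX_RANK:
            raise ValueError(f"{name}: rank {rank} outside {MIN_RANK}-{MAX_RANK}")
    return sum(weights[name] * ranks[name] for name in weights) / 100


def audit_frequency(score):
    """Step 9: first cut-off the score meets, scanning from highest to lowest."""
    for cutoff, label in FREQUENCY_CUTOFFS:
        if score >= cutoff:
            return label
    return FREQUENCY_CUTOFFS[-1][1]


def rank_units(units, weights=WEIGHTS):
    """Steps 7-9: score each unit, sort by overall risk descending, assign a
    frequency. Returns a list of dicts in audit-priority order."""
    validate_weights(weights)
    results = []
    for name, ranks in units.items():
        score = overall_risk(weights, ranks)
        results.append({"unit": name, "score": score,
                        "frequency": audit_frequency(score)})
    # Step 8: highest risk first; ties broken by unit name for a stable order.
    results.sort(key=lambda r: (-r["score"], r["unit"]))
    return results


if __name__ == "__main__":
    for row in rank_units(UNITS):
        print(f"{row['unit']:<24} {row['score']:.2f}  {row['frequency']}")
```

The division by 100 keeps the overall score on the same scale as the individual ranks, which makes the frequency cut-offs easy to reason about; if you prefer the raw weighted total (100 to 500 on this scale), drop the division and scale the cut-offs to match.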
The risk assessment should not be considered a static document. Circumstances can arise at any time that may elevate one area to be audited over another.