Evaluating Risk Assessment in Performance Audits

Performance audits are indispensable tools for government auditors, aimed at assessing the efficiency, effectiveness, and economy of operations. Following our look at the control environment last week, we now turn our attention to another vital component of internal control—risk assessment. This post is the second in a series of five, each delving into one of the components of internal control as specified in the Green Book.

Risk Assessment

Understanding Risk Assessment

Some staff struggle with this particular component, as it is not something that comes naturally to most auditors. It is about making sure that the organization directs its resources toward what matters. The organization does not need controls over processes that pose no concern. Remember, controls exist to mitigate or reduce risks.

The Four Principles of Risk Assessment

Principle #6: Define objectives clearly to enable the identification of risks and define risk tolerance

  • Management defines objectives in specific and measurable terms to enable the design of internal control for related risks. Specific terms are fully and clearly set forth so they can be easily understood. Measurable terms allow for the assessment of performance toward achieving objectives. Objectives are initially set as part of the objective-setting process and then refined as they are incorporated into the internal control system when management uses them to establish the control environment. Measurable objectives are also stated in a quantitative or qualitative form that permits reasonably consistent measurement. Legislators, regulators, and standard-setting bodies set external requirements by establishing the laws, regulations, and standards with which the entity is required to comply.

  • Management defines risk tolerances for its defined objectives in specific and measurable terms. As in defining objectives, management considers the risk tolerances in the context of the entity’s applicable laws, regulations, and standards as well as the entity’s standards of conduct, oversight structure, organizational structure, and expectations of competence. If risk tolerances for defined objectives are not consistent with these requirements and expectations, management revises the risk tolerances to achieve consistency.

Principle #7: Identify, analyze, and respond to risks related to achieving the defined objectives

  • Management identifies risks throughout the entity to provide a basis for analyzing risks. Risk assessment is the identification and analysis of risks related to achieving the defined objectives to form a basis for designing risk responses. Internal risk factors may include the complex nature of an entity’s programs, its organizational structure, or the use of new technology in operational processes. External risk factors may include new or amended laws, regulations, or professional standards; economic instability; or potential natural disasters. Management considers these factors at both the entity and transaction levels to comprehensively identify risks that affect defined objectives. Risk identification methods may include qualitative and quantitative ranking activities, forecasting and strategic planning, and consideration of deficiencies identified through audits and other assessments.

  • Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Significance refers to the effect on achieving a defined objective.

  • Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective.

Principle #8: Consider the potential for fraud when identifying, analyzing, and responding to risks

  • Management considers the types of fraud that can occur within the entity to provide a basis for identifying fraud risks. Types of fraud are as follows:

    • Fraudulent financial reporting - Intentional misstatements or omissions of amounts or disclosures in financial statements to deceive financial statement users. This could include intentional alteration of accounting records, misrepresentation of transactions, or intentional misapplication of accounting principles.

    • Misappropriation of assets - Theft of an entity’s assets. This could include theft of property, embezzlement of receipts, or fraudulent payments.

    • Corruption - Bribery and other illegal acts.

  • Management considers fraud risk factors. Fraud risk factors do not necessarily indicate that fraud exists but are often present when fraud occurs. Fraud risk factors include the following:

    • Incentive/pressure - Management or other personnel have an incentive or are under pressure, which provides a motive to commit fraud.

    • Opportunity - Circumstances exist, such as the absence of controls, ineffective controls, or the ability of management to override controls, that provide an opportunity to commit fraud.

    • Attitude/rationalization - Individuals involved are able to rationalize committing fraud. Some individuals possess an attitude, character, or ethical values that allow them to knowingly and intentionally commit a dishonest act.

  • Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.

Principle #9: Identify, analyze, and respond to significant changes that could impact the internal control system

  • As part of risk assessment or a similar process, management identifies changes that could significantly impact the entity’s internal control system. Identifying, analyzing, and responding to change is similar to, if not part of, the entity’s regular risk assessment process.

    • Changes in internal conditions include changes to the entity’s programs or activities, oversight structure, organizational structure, personnel, and technology.

    • Changes in external conditions include changes in the governmental, economic, technological, legal, regulatory, and physical environments. Identified significant changes are communicated across the entity through established reporting lines to appropriate personnel.

  • As part of risk assessment or a similar process, management analyzes and responds to identified changes and related risks in order to maintain an effective internal control system. Changes in conditions affecting the entity and its environment often require changes to the entity’s internal control system, as existing controls may not be effective for meeting objectives or addressing risks under changed conditions. Management analyzes the effect of identified changes on the internal controls.

Evaluating the Risk Assessment during Performance Audits

To evaluate how thoroughly the risk assessment principles have been put into practice, auditors need access to a variety of specific documents from management. These include strategic plans and risk tolerance policies, which outline the organization’s long-term goals and the levels of risk it is prepared to accept. Auditors should also review risk registers and risk assessment reports that provide a comprehensive list and detailed analysis of identified risks, including their sources, potential impacts, and probabilities. Additionally, documents related to fraud risk, such as fraud risk analysis reports and anti-fraud policies, are crucial for understanding how the organization identifies and mitigates fraud risks.

Moreover, auditors should obtain records of control activities and action plans that detail the steps management has taken to mitigate significant risks. Finally, internal communication records and monitoring reports demonstrate how risk-related information is disseminated and monitored within the organization.

Conclusion

By carefully obtaining and analyzing critical documentation—from strategic planning and risk management policies to detailed risk registers and fraud prevention measures—auditors are equipped to thoroughly assess the effectiveness of risk assessment practices. This comprehensive approach ensures that entities are proactive in identifying and mitigating risks, thus enhancing their resilience and adaptability in a dynamic operational landscape. Stay tuned for the next installment in our series, where we will explore the integration of control activities, further deepening our understanding of effective internal control practices as outlined in the Green Book.

For those interested in deepening their understanding and expertise in this critical area, I invite you to join my upcoming online class, Assessing Controls in Performance Audits. This course will provide detailed guidance on practical techniques for evaluating control environments, enhancing your skills to conduct more effective performance audits.
