Excel Sheet Download 12369 | Tool 2 Risk Assessment By Business Objectives

Partial file snippet.

Sheet 1: Overview

	
	
	
		Risk Assessment by Business Objective —Overview
		

	
	
		Key Feature
		Prioritizes risks using red/yellow/green rating system
	
	
		Risk Identification Characteristics
		• Specific risks are identified for each business objective.
• Risks are determined via various sources, including discussions with management, knowledge of the business, ERM alignment, prior audit projects, etc.
	
	
		Risk Measurement Characteristics
		• Impact and likelihood of specific risks are determined and rated on a high/medium/low scale. 
• Impact and likelihood scales are predefined.
• Rationales are documented to support risk ratings.
	
	
		Risk Prioritization Characteristics
		• Risks are prioritized using a red/yellow/green scale.
• The priority score determines key risks that will be included in audit plan.  
• Red represents high priority and recommended for inclusion in plan.  
• Yellow represents medium priority and considered for inclusion in audit plan.  
• Green represents low risks that are not recommended for inclusion in plan.

	
	
		

		

	
	
		Example 1: Hybrid  Model—Templates
		

	
	
		Template 1.1
		1.1 Evaluation Approach'!A1
	
	
		Template 1.2
		1.2. Risk Factor Definitions'!A1
	
	
		Template 1.3
		1.3 Risk Evaluation Form'!A1
	



Sheet 2: 1.1 Evaluation Approach

	
	
	
		1.1 Evaluation Approach
		

	
	
		

		

	
	
		Risk Assessment
		
The purpose of the risk assessment is to identify high priority topics to include in the audit plan and allocate resources accordingly.  Auditors should perform an initial analysis to identify the business/process objectives to include in the risk assessment process. Preliminary risk considerations for each objective include process complexity, degree of program change, and previous audits and results.

For each business/process objective, risks should be identified and evaluated upon: 
 
• The potential impact on the business objectives;
• The likelihood of that risk materializing; and 
• Alignment with the agency’s Enterprise Risk Management program (if one is in place).

The combined assessment provides a red, yellow, or green status of whether the risk should be included in the audit plan. The rationale for inclusion or exclusion of risks from the audit plan should be documented on the evaluation summary as follows: 
 
• Green status (low priority) – risk not recommended for inclusion in the audit plan, unless a mandatory audit requirement. 

• Yellow status (medium priority) – risk could be considered for inclusion on the plan subject to available resources. 

• Red status (high priority) – risk recommended to be include on plan; if not included for audit coverage other management action should be taken to address. 

Each key risk identified during the risk assessment process should be prioritized and recorded on the Risk Evaluation Form. 

	



Sheet 3: 1.2. Risk Factor Definitions

	
	
	
	
		Template 1.2. Risk Factor Definitions
		

		

		

		

		

		

		

		Impact
		

		

	
	
		Factor
		Definition
		

		

		

		

		

		

		High
		Medium
		Low
		

		

	
	
		Impact Factors (the effect on the organization)
		

		

		

		

		

		

		
 
		
		

		

	
	
		High
		We will not achieve our objective or it will require major damage control
		

		

		

		Likelihood
		High
		
 
		
		HH
		HM
		HL
		

		

	
	
		Medium
		We will have to do extra work or we will be inefficient, but we can still achieve our goal or objective
		

		

		

		Medium
		MH
		MM
		ML
		

		

	
	
		Low
		We will be aware of it but it will have little or no effect upon operations or achievement of the objective
		

		

		

		Low
		LH
		LM
		LL
		

		

	
	
		Probability Factors (the likelihood of the risk occurring)
		

		

		

		

		

		

		

		

		

		

		

	
	
		High
		The risk is certain or almost certain to occur
		

		

		

		

		

		

		Impact
		
	
		Medium
		The risk is likely to occur
		

		

		

		

		

		

		High
		Medium-High
		Medium
		Medium-Low
		Low
	
	
		Low
		It is unlikely that the risk will occur
		

		

		

		

		

		

		
 
		
		
	
		Audit Plan Priority
		

		

		

		Likelihood
		High
		
 
		
		HH
		HMH
		HM
		HML
		HL
	
	
		Red
		Recommended for inclusion in audit plan or management action
		

		

		

		Medium-High
		MHH
		MHMH
		MHM
		MHML
		MHL
	
	
		Yellow
		Consider including in plan
		

		

		

		Medium
		MH
		MMH
		MM
		MML
		ML
	
	
		Green
		Not include in plan
		

		

		

		Medium-Low
		MLH
		MLMH
		MLM
		MLML
		MLL
	
	
		

		

		

		

		Low
		LH
		LMH
		LM
		LML
		LL
	
	
		

		

		

		

		

		

		

		

		

		

		

	
	
		Note: Can also modify with numbered scale 1-5 or 1-10; i.e. 1-2 = Low/Green; 3 = Medium/Yellow; 4-5 = High/Red)

The words contained in this file might help you see if this file matches what you are looking for:

...Sheet overview risk assessment by business objective mdash key feature prioritizes risks using redyellowgreen rating system identification characteristics bull specific are identified for each determined via various sources including discussions with management knowledge of the erm alignment prior audit projects etc measurement impact and likelihood rated on a highmediumlow scale scales predefined rationales documented to support ratings prioritization prioritized priority score determines that will be included in plan red represents high recommended inclusion yellow medium considered green low not example hybrid model templates template evaluation approach factor definitions form purpose is identify topics include allocate resources accordingly auditors should perform an initial analysis businessprocess objectives process preliminary considerations complexity degree program change previous audits resultsfor evaluated upon potential materializing agency rsquo s enterprise if one place ...

Risk Assessment by Business Objective —Overview
Key Feature	Prioritizes risks using red/yellow/green rating system
Risk Identification Characteristics	• Specific risks are identified for each business objective. • Risks are determined via various sources, including discussions with management, knowledge of the business, ERM alignment, prior audit projects, etc.
Risk Measurement Characteristics	• Impact and likelihood of specific risks are determined and rated on a high/medium/low scale. • Impact and likelihood scales are predefined. • Rationales are documented to support risk ratings.
Risk Prioritization Characteristics	• Risks are prioritized using a red/yellow/green scale. • The priority score determines key risks that will be included in audit plan. • Red represents high priority and recommended for inclusion in plan. • Yellow represents medium priority and considered for inclusion in audit plan. • Green represents low risks that are not recommended for inclusion in plan.

Example 1: Hybrid Model—Templates
Template 1.1	1.1 Evaluation Approach'!A1
Template 1.2	1.2. Risk Factor Definitions'!A1
Template 1.3	1.3 Risk Evaluation Form'!A1

Related files

Share

Help

1.1 Evaluation Approach

Risk Assessment	The purpose of the risk assessment is to identify high priority topics to include in the audit plan and allocate resources accordingly. Auditors should perform an initial analysis to identify the business/process objectives to include in the risk assessment process. Preliminary risk considerations for each objective include process complexity, degree of program change, and previous audits and results. For each business/process objective, risks should be identified and evaluated upon: • The potential impact on the business objectives; • The likelihood of that risk materializing; and • Alignment with the agency’s Enterprise Risk Management program (if one is in place). The combined assessment provides a red, yellow, or green status of whether the risk should be included in the audit plan. The rationale for inclusion or exclusion of risks from the audit plan should be documented on the evaluation summary as follows: • Green status (low priority) – risk not recommended for inclusion in the audit plan, unless a mandatory audit requirement. • Yellow status (medium priority) – risk could be considered for inclusion on the plan subject to available resources. • Red status (high priority) – risk recommended to be include on plan; if not included for audit coverage other management action should be taken to address. Each key risk identified during the risk assessment process should be prioritized and recorded on the Risk Evaluation Form.

Related files

Share

Share to social media

Help

Login Area