OFFICE OF INTERNAL AUDIT
 
 
Header
 
RISK ANALYSIS
seporator

The Institute of Internal Auditors Standards requires that “The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.”

The Standards also state that “the internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.”

In order to meet these standards, Xavier’s Office of Internal Audits, along with the members of senior management, performed a simple yet formal risk assessment of University operations.

A risk assessment is a process that is very important to the development of effective audit work schedules.  Consequently, the end result of this process will be a prioritized audit schedule. The areas with the highest scores will be considered the areas with the highest priority for audit and will be included in the audit activity’s audit plan. This list will be reviewed annually and priorities adjusted as the environment and circumstances dictate.

Attached is a list of the University’s auditable areas.  Below are the definitions of four weighted risk factors that were used to assist in rating the auditable areas.

These four risk factors as defined are as follows:

  1. Department and Management Factors (40%)

    These factors include the complexity of the department or unit’s operations; quality of, and reliance on, internal controls; management abilities, turnover; number of employees; possibility of adverse activity; prior history (audit or management knowledge); and, recent changes (in budget, staff, or systems).

  2. Materiality (30%)

    Factors relative to materiality include size of assets, liquidity, and sensitivity; number of transactions; budget amount; financial impact; health and safety issues; impact of adverse activity; impact of inaccurate data; impact of service delays; impact on other departments; information sensitivity/confidentiality; opportunity for improvements or cost savings.

  3. Public and Outside Factors (15%):

    Public and outside factors include contact with outsiders; the impact of adverse publicity; public or political sensitivity; public relations issues; regulatory requirements and compliance; and audits by outside entities.

  4. Management Interest (15%):

    Management interest includes a manager’s own personal interest in a particular area or department for whatever reason.  Management interest is usually driven by a manager’s ownership and specific knowledge of an area.

Each factor will be assigned a rating of 1 to 3 where “1” is “essentially no risk;” “2” equals “average risk;” and “3” equals “high risk.”  Each area will be scored and ranked according to the results.

An example of the above is as follows:

Xavier University Office of Internal Audit Risk Analysis

 

Dept Fact

Materiality

O/S Factors

Mgnt Int

Risk

Audit Area

40%

30%

15%

15%

Value

 

 

 

 

 

 

Office of the President

2

1

2

1

1.35

Vice President for Academic Affairs

3

2

1

1

2.10

College of Pharmacy

3

3

3

2

2.85

Senior Management’s participation in this process was imperative in that it assisted the Office of Internal Audits to concentrate on what they as managers considered important.

 
Campus Map        Directory         Contact Us         EMERGENCY PREPAREDNESS    © Xavier University of Louisiana. All rights reserved.
(504) 486-7411
EST 1925