Risk Assessment 1
Running head: ACTION RESEARCH: RISK ASSESSMENT
Action Research: Risk Assessment for Audit Planning
Linda C. Ciprich
Florida Gulf Coast University
Abstract
This report is a description of an action research project on risk assessment for internal audit planning.
Risk assessment is a required audit activity that is traditionally a long, tedious process. This project is an
effort to automate and streamline that process, creating an innovative tool that can be adapted for use by
other internal auditors. Developed to be accessed and submitted through the internet and email, the risk
assessment survey described here will be more efficient and effective, resulting in more efficient and
effective practice. In combination with information provided through the website, it will educate the users
in the types of risk the university is exposed to, as well as internal controls that will help mitigate the risk.
The report references the focus and description of the project, audit planning requirements and the role
risk assessment plays, types of risk, evaluation of risk, the method of inquiry, and the strengths and
weaknesses. In a description of significance, it acknowledges that faster and easier does not always
equate to success, and that there is always room for improvement. Contained within the report are
appendices with the survey, action research plan, and example of the automated response upon the
user’s submittal.
Risk Assessment 3
Introduction
The expression risk management is currently a popular term in the business world, although it has
been around quite a while. The expression enterprise risk management, also going by the acronym
ERM, is more recent and considered an accounting hot topic. With volatile markets and corporate
scandals such as Enron and WorldCom making national and international headlines, pressure is
increasing on boards and company officials to better manage risk in their organizations. However, before
it can be managed, risk must be identified and assessed. That responsibility often falls to the internal
auditors, or to other key financial and business services personnel if the organization lacks an internal audit
department. This is not a new concept. Sawyer and Dittenhofer, two of the most respected names in the
profession, have stated that “internal auditors have engaged in risk assessment from the earliest days of the
profession” (1996, pg. 403).
As the chief audit executive of Florida Gulf Coast University, I am required by professional standards1
to develop and use a risk-based internal audit plan. Specifically, listed under performance standards,
2010.A1:
The internal audit activity’s plan of engagements should be based on a risk assessment,
undertaken at least annually. The input of senior management and the board should be
considered in this process.
As the Inspector General of the university, I wear both the hat of the director of internal audits and that
of the director of investigations, and I have no other staff. My process is to undertake a detailed risk
assessment for long-term audit planning once every five years. The assessment is updated annually
based on the results of internal and external audit reports, additional university units and centers coming
online, major system changes, et cetera. The long-term audit plan is adjusted annually as well when
developing the short-term audit plan for the following fiscal year, taking into consideration changes made
to the risk assessment and the audits and projects requested by the university president, board of trustees,
and other university managers.
1 Standards for the Professional Practice of Internal Auditing, promulgated by the Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida.
Traditionally, my risk assessment process has involved a long, detailed survey instrument that
department heads are responsible for taking the time to complete and which is often not returned to me
even after repeated requests. Those that are returned require extensive review, reassessment, and ranking
on my part. In addition, I perform a series of interviews, although not with all department heads. The
entire process can take several months, and in the end I often find that the result holds little value: some
of the most significant problems crop up in areas that have qualified as low to moderate risk.
The lack of resources in my department, combined with significant university growth during the past
five-year period, has resulted in delaying the risk assessment process this past year. Having the
opportunity this semester to develop an action research project using instructional technology has
enabled me to develop a shorter, more efficient survey that can be administered
electronically (Appendix A) and to incorporate information within the OIG’s website that will help educate
faculty and staff on the topic of risk and internal control (http://itech.fgcu.edu/general/audit.htm#_Risk_Assessment_and).
In the following sections, I describe the focus of this project, risk assessment in the audit planning
process, the context in which it is held, the methodology used, project details, and results so far.
Focus
Risk Assessment and Audit Planning
Risk assessment is typically undertaken to focus attention on significant audit areas, to allocate
scarce audit resources to the most important audit areas, and to help with key audit prioritizing decisions
such as audit frequency, intensity, and timing. In addition to assessing the levels of risk described later,
the Office of the Inspector General does use other factors in determining the audit plan:
• Executive management interest
• Internal control system
• Prior audit findings
• Time since last audit, if ever
• Special request
• Availability of audit staff
Risk Assessment
Reasons for using risk assessment in audit planning include:
• Identification and analysis of relevant risks to the achievement of an organization's objectives, for
the purpose of determining how those risks should be managed.
• Implies an initial determination of operating objectives, then a systematic identification of those
things that could prevent each objective from being attained. In other words, it's an analysis of
what could go wrong.
• Not all risks are equal. Some are more likely than others to occur, and some will have a greater
impact than others if they occur. So, once risks are identified, their probability and significance
must be assessed.
• Finally, having identified and assessed risk, management must decide how to deal with it. In
some cases, the decision may be to control it; in others, it may be to accept it.
The risk assessment process is an ongoing one. Internal and external threats constantly develop,
presenting new hazards to the organization. Change itself is a risk, and management must continually
adapt its policies and procedures to manage its changing risks to a comfortable level.
Each operating unit at the university faces its own challenges and must assess how it will manage
them to meet its objectives. A good internal control system can mitigate those risks, and the Office of the
Inspector General can advise departments on developing good internal controls.
Types of Risk
• STRATEGIC RISK IS RISK THAT AFFECTS AN ORGANIZATION'S ABILITY TO ACHIEVE
ITS GOALS. It can be university-wide risk when it involves executive decisions, or it may be a
departmental risk. Departments should determine how critical their function is to the university
and what impact there would be on the university if they were unable to provide service.
• FINANCIAL RISK IS RISK THAT MAY RESULT IN A LOSS OF ASSETS. While dollar volume
exposure is a definite factor, access to large amounts of cash is not the only financial risk to the
organization or department. Inventory such as supplies, equipment, and tools are as vulnerable
to theft and embezzlement as cash. Account receivables, payables, financial aid, and
purchasing are vulnerable areas that can involve numerous university departments.
• OPERATIONAL RISK IS RISK THAT AFFECTS AN ONGOING MANAGEMENT PROCESS.
Day to day operations are affected by changes and breakdowns in communications and
information systems, employee turnover, a lack of policies and procedures, and interdependency
on other departments, as well as other factors. A good system of internal control will mitigate
this type of risk.
• COMPLIANCE RISK IS RISK THAT AFFECTS COMPLIANCE WITH EXTERNALLY IMPOSED
LAWS AND REGULATIONS AS WELL AS WITH INTERNALLY IMPOSED POLICIES AND
PROCEDURES CONCERNING SAFETY, CONFLICT OF INTEREST, ETC. Every area of the
university is affected by compliance risk. Some areas, however, such as financial aid and
sponsored research, are subject to external audits from federal and state auditors, thereby
reducing the risk. Departments can help reduce their risk by ensuring policies and procedures
are implemented to strengthen internal control and encouraging compliance.
• REPUTATIONAL RISK IS RISK THAT AFFECTS AN ORGANIZATION'S REPUTATION,
BRAND, OR BOTH. As a public institution, we are subject to public disclosure that increases our
risk in this area. Unfavorable press and notoriety can result from errors and misrepresentations,
as well as malfeasance. Note that this risk can result from an organization’s failure to effectively
manage any or all of the other types of risk, due to external perception.
Risk and Control Education
Covering the various types of risk described above has traditionally made survey instruments very
long and detailed. I once worked in an agency where the survey was over 25 pages long, and the auditors
then had to key the data into a program to be tabulated. That was very time consuming for both the auditors and
the departments. The purpose of this research project is to develop and continue to refine an innovative
risk assessment process that will be efficient yet effective, saving time for both the auditor and the
departments. Hopefully, the response rate will be higher and the responses faster. At the same time, personnel
will be gaining knowledge of risk and of the internal controls that can mitigate it.
Jim DeLoach of Arthur Andersen feels that internal auditors should be risk educators and facilitators
(Chapman, 2001, pg. 34), similar to my own philosophy: “Internal auditors can help coordinate the
development and gathering of information about risk and the organization’s risk management capabilities”
(pg. 35). Educating department personnel in risk and good internal control assists the university and
helps a small audit shop cover more ground, that is, do more with less. Control self-assessment
(CSA) has been around for a few years now, and my project is a way to incorporate it with risk
assessment – get your personnel to think about risk and internal controls. Where are you vulnerable?
What are you doing about it? How can you reduce risk by increasing internal control?
In another Internal Auditor article, the authors mention that self-assessment can “generate wider audit
coverage of an organization at a lower cost than traditional internal audit procedures or widespread CSA
sessions” (Adamec et al, 2002, pg. 58). These same authors go on to state that various employees at
different levels benefit from the exposure to the framework of a strong internal control system (pg. 63).
The objective in this action research project pertains to the diffusion of an innovation through technology
– communicating risk assessment through the internet to responsible individuals of the university
(Rogers, 1995, pp. 1-37).
Context
Office of the Inspector General
At Florida Gulf Coast University, the Office of the Inspector General (OIG) consists of just one person.
The lack of resources, however, does not alleviate the auditing standards’ requirement of risk
assessment. Therefore, a project to streamline the process is even more valuable to a small shop than
to audit shops with more personnel. Administering the survey in conjunction with the department’s website
may also serve to increase awareness in other areas. For example, the website includes information on
reporting fraud and a fraud awareness PowerPoint presentation, the audit process that departments being
audited will be subject to, and even the annual audit plan that outlines which departments are
scheduled to be audited.
Florida Gulf Coast University Departments
During March and April 2002, the state auditors attempted to survey each department of each of the
state universities. The survey consisted of 12 pages of questions concerning
the collection of personal information. As coordinator of external audits, I administered the spreadsheet
survey to over 55 departments, centers, and affiliations of FGCU for the state auditors. The response
rate, after several requests and two months, was approximately 64%. If nothing else, it brought home to
me just how much the university had grown since my first risk assessment in 1997, before the doors
opened to students. For that risk assessment, I charted the business cycles and departments of the
university and came up with 19 audit areas, although some of those areas would mean multiple unit
areas. For example, Student Services was listed as one area because we didn’t have the units of
Athletics or Housing in the works yet.
I realized that I was going to have to make a survey faster and easier if I wanted to get people to
respond; hence the decision to use risk assessment as an instructional technology action research
project. A Canadian internal audit director, Basil Orsini, described using a benchmarking tool to profile a
range of practices in risk management during 2002, but it still seemed somewhat convoluted when I came
across it during the research for this project. His comment, however, that shifting risk-management
attitudes and expectations presented auditors with an opportunity to enhance value stuck with me (Orsini,
2002, pg. 66). Evolving my risk assessment into a process that would create learning, as well as
generate interaction between university personnel and my office, would be value-added risk assessment.
With a population of almost 50 departments as respondents, I knew I needed management buy-in
and that I would have to appeal for support to the president and executive council. Contacting the
departments directly would become the second request, after the initial responses. Developing a form
that could be handled online would reduce time and expense and make it easier for the respondents to
send it back, either through the website or by email.
Additional Implications
I look upon this project as just the first step in an effort to revamp the website for the Office of the
Inspector General and increase the effectiveness and efficiency of the department by increasing the
learning of university personnel in areas of risk and internal control. The McNiff text states that “well-
conducted action research” may lead to:
• Personal development,
• Better professional practice,
• Institutional improvements, and
• A contribution to the good order of society.
One can only hope when one needs all the help one can get. Actually, I do believe this first step is
helping me in both personal and professional development and will benefit university personnel.
Method of Inquiry
Interaction
Donna Mertens describes the interpretive/constructivist approach to research as one in which the
research is a product of the values of researchers and not independent of them (1998, pg. 11). She also
states that the methodological belief of this paradigm includes qualitative methods such as interviews,
observations, and document reviews (pg. 14). This description fits my model of risk assessment –
socially constructing knowledge through the interaction of the personnel, the surveys, and myself.
Interaction is also used by Fischer to describe teacher research (Burnaford et al., 2001, pg. 43). He
describes it as a process of constructing knowledge and meaning through planning, action, reflection,
evaluation, and dialogue with colleagues. In this case, it can also be used to describe the actual learning
format. Perhaps there is not much interaction between the respondent and myself, but the respondent is
interacting with the website and the information incorporated within it.
Approach
My advisor, Dr. Baylen, pointed me in the direction of diffusion of innovation, and I found Everett
Rogers’ text applicable to my research in risk assessment, especially in regard to the innovation-decision
process. Rogers’ model of the innovation-decision process includes the following stages (1995, pg. 162):
• Knowledge of the innovation or technology
• Persuasion
• Decision to use the innovation or technology
• Implementation
• Confirmation
In my case, I had already realized the need to be more innovative and efficient, and I had some
knowledge of the technology…enough knowledge to realize that I could be more efficient in the risk
assessment process by using the internet and my website. I didn’t need any persuasion as far as using
the technology since I was well aware that previous risk assessment surveys were tedious and time-
consuming for the departments, as well as time-consuming for myself. This class afforded me the
opportunity to seek additional information and then make the decision to develop and implement the
innovation, an electronic risk assessment survey.
Technically I am still within the implementation stage as I continue to receive feedback from university
departments. The fact, though, that I received the first response back within an hour of the first request
was, for me, definite confirmation that there would be some benefit to using the new process.
Action Research Plan
A table with the plan can be found in Appendix B. I found I was not realistic in planned dates and not
able to devote as much time to the project as I would have liked. Although risk assessment is part of my
job, investigations and report deadlines take precedence. Research took longer than I planned – there
was not as much available on risk assessment as I had thought there would be, and even less on
automated risk assessment.
I was able to focus on what to include in the survey by reviewing previous risk assessments and
those of other internal audit offices, then cutting out the repetitious data, or data specific to certain
areas only. Even though the 3-page printout of it found in Appendix A may still appear lengthy, it is
considerably shorter than most risk assessment instruments. Automating the survey once it was
developed, though, was harder than I thought it would be. After getting blank return email messages
when submitting test data, I eventually had to contact the Instructional Technology department and ask
for help with the coding. With their help, the electronic submission process was corrected, and I sent an
email to the president and direct reports, asking for their help and buy-in by sending it on to their
department heads.
Strengths and Weaknesses
The main strength of this project should be that by streamlining and automating the risk assessment
process, university personnel will be more apt to complete and submit the surveys. That would mean less
effort on both their part and mine. A second strength is in requiring less time to complete and submit than
traditional, detailed risk assessment instruments. Third, automation increases clarity. There is less
likelihood of error or misinterpretation from handwriting.
On the other side of the coin, I did sacrifice detail in the streamlining so the loss of data is a
weakness, as is not allowing for open-ended responses.
The Project
Description of Data
The data consists of 16 self-assessment questions that include information concerning risk. They are
grouped by type of risk to facilitate evaluation. Question 1 pertains to strategic risk, questions 2 through 7,
financial risk, questions 8 through 12, operational risk, 13 through 15, compliance risk, and question 16 is
based on risk associated with the institution’s reputation. Each question has the same choices for a
response: high, medium, or low risk.
When the respondent submits the form electronically, I receive an email message with the answers.
An example of a test submission’s email response from the Instructional Technology department is shown
in Appendix C. Between my first request on March 18th and April 18th, I received 13 responses, mostly from
Administrative Service units, because the Administrative Service vice-president immediately forwarded my
request to all of his directors. With each subsequent request, I am receiving one or two more responses.
Interpretation of Data
At the User Level. Once the risk assessment surveys are completed and submitted, the data must be
evaluated in order to assign a level of risk. I wanted the participants to be able to see results rather than
simply fill out and submit a form, never to be heard from again. Therefore, I developed a chart the user
could refer to in examining their risk levels. For those who choose to do so, the website gives the
following directions and chart for participants to do their own evaluation of risk.
Review your responses and determine if your overall risk for questions 2 through 7,
questions 8 through 12, and questions 13 through 15 should be low, medium, or high.
Use the chart below to check off each risk area. If you find that you have high risk in
financial, operational, and compliance areas, your department is generally at high risk
overall. If you are only high risk in one of these areas, your risk level is moderately high.
If your only high risk areas are strategic or reputational, or if you’ve consistently chosen
low or medium risk levels, your self-assessed risk level can be judged moderate.
Copy and paste the questions and responses in an email message to the Inspector
General at [email protected] . Results will be used in a university-wide risk assessment
during Spring 2003.
Please note: Departments that voluntarily submit their own assessment will
automatically be considered as less of an operational and compliance risk when the
long-range audit plan is developed for fiscal years 2004 through 2008.
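The self-evaluation rule in the directions above can be written down as a small scoring routine, which also makes its gaps visible. The following Python is an added worked example, not code from this paper or from the OIG website; it uses the question groupings given under Description of Data (strategic 1, financial 2 through 7, operational 8 through 12, compliance 13 through 15, reputational 16) and the overall-risk rule quoted from the website. Two points the directions leave to the respondent's judgement are filled in as labelled assumptions: how a group of answers rolls up to one level (the most frequent answer, with ties resolved toward the higher level), and what happens when exactly two of the three core areas come out high (scored moderately high, the same as one). The sample submission is constructed, not a real department's data.

```python
"""Scoring routine for the OIG self-assessment directions (added example).

Question groupings follow the paper's "Description of Data": strategic (1),
financial (2-7), operational (8-12), compliance (13-15), reputational (16).
Each answer is "high", "medium" or "low".

Assumptions not stated on the page:
  * an area's level is the most frequent answer in its group, with ties
    resolved toward the higher level;
  * high risk in exactly two of the three core areas is scored
    "moderately high", the same as high in one.
"""
from collections import Counter

LEVELS = ("low", "medium", "high")  # ordered from least to most risk

GROUPS = {
    "strategic":    range(1, 2),
    "financial":    range(2, 8),
    "operational":  range(8, 13),
    "compliance":   range(13, 16),
    "reputational": range(16, 17),
}
CORE_AREAS = ("financial", "operational", "compliance")


def validate(answers):
    """Reject incomplete or malformed submissions before scoring."""
    missing = [q for q in range(1, 17) if q not in answers]
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    bad = {q: v for q, v in answers.items() if v not in LEVELS}
    if bad:
        raise ValueError(f"responses must be one of {LEVELS}: {bad}")


def area_level(answers, questions):
    """Roll one group's answers up to a single level.

    Assumption: the most frequent answer wins; a tie goes to the higher
    level so that uncertainty never lowers the score.
    """
    counts = Counter(answers[q] for q in questions)
    return max(LEVELS, key=lambda lvl: (counts[lvl], LEVELS.index(lvl)))


def assess(answers):
    """Apply the website's overall-risk rule to a full 16-answer submission."""
    validate(answers)
    areas = {name: area_level(answers, qs) for name, qs in GROUPS.items()}
    high_core = [a for a in CORE_AREAS if areas[a] == "high"]
    if len(high_core) == len(CORE_AREAS):
        overall = "high"             # high in financial, operational and compliance
    elif high_core:
        overall = "moderately high"  # one (or, by assumption, two) core area high
    else:
        overall = "moderate"         # only strategic/reputational high, or none
    return {"areas": areas, "high_core_areas": high_core, "overall": overall}


def checklist(result):
    """Render the check-off chart from the directions as text lines."""
    lines = []
    for area, level in result["areas"].items():
        boxes = "  ".join(f"[{'x' if level == lvl else ' '}] {lvl}" for lvl in LEVELS)
        lines.append(f"{area:<13}{boxes}")
    lines.append(f"overall: {result['overall']}")
    return lines


# Constructed sample submission (not a real department's data).
SAMPLE_SUBMISSION = {
    1: "medium",
    2: "high", 3: "high", 4: "medium", 5: "high", 6: "low", 7: "high",
    8: "high", 9: "high", 10: "medium", 11: "high", 12: "low",
    13: "low", 14: "low", 15: "medium",
    16: "high",
}

if __name__ == "__main__":
    print("\n".join(checklist(assess(SAMPLE_SUBMISSION))))
```

Running the file prints the check-off chart for the constructed sample, which scores financial and operational high and compliance low, so it lands on "moderately high" under the two-of-three assumption. The validation step rejects a submission with fewer than 16 answers or a value outside high/medium/low, which is worth having in front of any email-based intake since, as noted below, every response still gets reviewed for subjectivity afterwards.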
Overall. Each survey response has to be reviewed and reassessed due to subjectivity. After they are
all received, I will develop a chart outlining the units and their risk levels, discuss concerns that the
Executive Council may have with the president and vice-presidents, then develop the long-term and
short-term audit plans for the president’s approval. It is usually necessary to discuss a few of the
assessments with the department heads in order to clarify issues that may evolve.
Significance
Today
The most significant thing I learned from this project was that making the risk assessment shorter and
electronic did not guarantee personnel would complete and submit it. The first wave of responses was
exciting because they were so immediate compared to previous risk assessment requests. If you send
out a 25-page document and ask personnel to fill it out and send it back, you will not see the first
response for at least a week. I think that’s part of Murphy’s Laws, somewhere between “Logic is a
systematic method of coming to the wrong conclusion with confidence” and “A subject interesting to the
teacher will bore students,” with the university personnel being the students. Peter Cookson perhaps said
it best:
Participation in education and training programs is generally voluntary. Even when it is
not, the cooperation and willingness of adults to participate are still dependent upon the
individual volition (Cookson, 1998, pg. 485).
That goes for the supervisors as well as the department heads. I need to make a stronger effort in
getting support from management. “Supervisors exert considerable influence over staff attending
education and training programs” (Caffarella, 2002, pg. 87). Next time, I envision going to the
Executive Council and doing a presentation in which I can demonstrate the website and survey and how it is
submitted electronically.
Tomorrow
Obviously, I will need to send repeated requests each time I begin another risk assessment,
regardless of how easy I make the process. This innovation does enable me to do a complete risk
assessment more often, perhaps even annually, rather than once every five years. It will also make it
easier for me to go in and update individual surveys at the completion of audits. According to Olivier
Lemant, an overall risk assessment for audit planning is engaging in “macro” risk assessment, while
being able to perform it at the assignment level is engaging in “micro” risk assessment (pg. 41). His
article in the Internal Auditor helps one to visualize the transition from risk assessment to risk
management in the auditor’s arena. I must agree with Lemant that the transition would add value to the
function of internal audit.
Someday?
This research project has caused me to reflect on additional ways I may be able to improve my
practice. Not only does my entire website need updating and revamping, there are other documents I
could automate and have university personnel submit electronically, such as cash collection statements,
where each employee, including the president, states whether they are involved in collecting any type of cash,
checks, or other currency. There are areas where I can expand information so the users are learning as
they peruse. I could expand on control self-assessment, fraud, waste, and abuse topics, and give more
information on what to do and what it means when an auditor comes calling.
In an article mentioned earlier, the authors describe random surveys of management regarding their
perception of internal control in contrast to just doing risk assessment (Adamec et al, 2002). This type of
self-assessment can enhance the system of internal control and enhance the internal audit function at the
same time. The visibility of the function helps mitigate the risk of fraud, waste, and abuse…and the more
proactive internal audit is, the more visible it will become.
In conclusion, it is my hope that I will eventually be able to take both the automated risk assessment
process developed here, and the upcoming website enhancements to other understaffed, small internal
audit shops in a demonstration of the tools they can develop.
References
Adamec, B. A., Rexroad, W. M., Leinicke, L. M., & Ostrosky, J. A. (2002, December). Internal reflection.
Internal Auditor, LIX:VI, 56-63.
Caffarella, R. (2002). Planning programs for adult learners (2nd ed.). San Francisco, CA: Jossey-Bass.
Chapman, C. (2001, June). The big picture. Internal Auditor, LVIII:III, 30-37.
Cookson, P. (1998). Program planning in retrospect. In Peter S. Cookson (Ed.), Program planning for the
training and continuing education of adults (pp. 481-489). Malabar, FL: Krieger Publishing Co.
Fischer, J. (2001). Action research rationale and planning: developing a framework for teacher inquiry. In
Burnaford, Fischer, & Hobson (Eds.), Teachers doing research: the power of action through
inquiry (pp. 29-48). Mahwah, NJ: Lawrence Erlbaum Associates, Publishers.
Lemant, O. (2001, June). Risk as a tripod. Internal Auditor, LVIII:III, 39-43.
McNiff, J., Lomax, P., & Whitehead, J. (1996). You and your action research project. New York: Hyde
Productions.
Mertens, D. M. (1998). Research methods in education and psychology: integrating diversity with
quantitative & qualitative approaches. Thousand Oaks, CA: Sage Publications, Inc.
Nitko, A. (2001). Educational assessment of students (3rd ed.). Columbus, OH: Merrill Prentice-Hall.
O’Reilly, V. M., et al. (1990). Montgomery’s auditing (11th ed.). New York: John Wiley & Sons.
Orsini, B. (2002, August). Mature risk management. Internal Auditor, LIX:IV, 66-67.
Ratliffe, R. L., et al. (1996). Internal auditing: principles and techniques (2nd ed.). Altamonte Springs, FL:
The Institute of Internal Auditors.
Sawyer, L. B., & Dittenhofer, M. A. (1996). Sawyer’s internal auditing: the practice of modern internal
auditing (4th ed.). Altamonte Springs, FL: The Institute of Internal Auditors.
Appendices
Appendix A
Risk Assessment Survey
Department:
Name of Contact:
Email Address:

1. A department or unit should determine how critical its function is to the university as a measure of strategic risk. One way of measuring that risk may be to consider the impact on the university if the unit was incapacitated for any reason and for how long.
High -------The university would be affected within days.
Medium----The function of the unit is not critical. The university may not be affected for several weeks.
Low--------The university would not be impacted should this unit not exist.

2. Account or activity balance size has an effect on an agency's risk due to materiality considerations. Account balance size should be measured at the audit area or department's total.
High -------More than $5,000,000.
Medium----Between $1,000,000 and $5,000,000.
Low--------Under $1,000,000.

3. Processing general fund expenditures increases area or department risk due to the budgetary constraints and legislative oversight and concern with the accurate reporting of this data.
High -------Processes more than $1,000,000 in general fund expenditures.
Medium----Processes between $100,000 and $1,000,000 in general fund expenditures.
Low--------Processes none or less than $100,000 in general fund expenditures.

4. Processing federal assistance transactions (Financial Aid, Grants, Contracts, etc.) causes an increase in area or department risk due to the stringent administrative and cost principle guidelines that must be met.
High -------Processes more than $1,000,000 in federal assistance transactions.
Medium----Processes between $100,000 and $1,000,000 in federal assistance transactions.
Low--------Processes none or less than $100,000 in federal assistance transactions.

5. Cash and checks are more susceptible to fraud or theft than other assets. Their presence in an area or department increases risk, especially if the process is part of a major system.
High -------The handling of cash and checks or other attractive negotiable instruments is a major part of your area.
Medium----There is limited opportunity for access to cash and checks or other attractive negotiable items, or potential for access to them.
Low--------Includes no cash or highly liquid instruments.

6. The presence of large inventory balances (not fixed assets and equipment) or specialized inventories such as controlled substances, hazardous wastes, or precious metals increases an area or department risk.
High -------Inventories valued at more than $100,000 or including specialized items, such as hazardous wastes.
Medium----Inventories between $10,000 and $100,000 that do not include specialized items.
Low--------Inventories under $10,000 that do not include specialized items, or no inventory.

7. State agencies have a history of accountability problems with fixed assets and equipment. The presence of large fixed asset balances or highly desirable small and attractive assets, such as firearms or camera equipment, increases the department’s risk.
High -------Fixed asset balance over $1,000,000 or extensive highly desirable assets.
Medium----Fixed asset balance between $100,000 and $1,000,000 or highly desirable assets.
Low--------Fixed asset balance under $100,000 and no highly desirable assets.

8. Employee turnover increases the risk associated with a particular system of management or accounting controls.
High -------Major turnover in key management or staff.
Medium----Limited turnover in key management or staff.
Low--------No turnover in key management or staff.

9. Generally, an area or department's risk will increase with a higher level of automation within systems. Risk will also tend to increase with major system changes.
High -------Your department is responsible for an automated system with major changes or a new major automated system.
Medium----Your department is responsible for an automated system with minor changes or a subsidiary system that feeds to a major system.
Low--------Your department has no responsibility for major or subsidiary automated systems.

10. The extent of decentralization has an effect on an area or department’s internal accounting controls. Generally, decentralized operations are more difficult to control than centralized.
High -------Operations function at more than 3 locations.
Medium----Operations function at 2 to 3 locations.
Low--------Operations housed at 1 location.

11. An area or department's risk increases by the degree that the system is involved in the creation, handling, or storage of, or affords potential access to, sensitive data (e.g., personnel files, medical records, client files, research records, student records, or other activities deemed confidential by law or policy).
High -------Operations include the creation or handling of sensitive data that is an integral part of the system's internal controls.
Medium----Operations include the handling of sensitive data that is not part of the system's internal controls.
Low--------The operation does not include the creation or handling of sensitive data; however, information could be used by outside parties.

12. An area or department's risk increases by the degree that duties are not sufficiently segregated. For example, one person should not be solely responsible for collecting, depositing, and recording cash collections. In areas where personnel are limited, steps to mitigate risk should be taken, such as increasing supervisory oversight.
High -------This department is understaffed to the point that it is not possible to segregate duties sufficiently or increase oversight.
Medium----A limited number of personnel in this department have resulted in a risk that has been mitigated by increasing supervisory control.
Low--------The department has enough personnel to sufficiently separate duties. 13. The existence and applicability of external laws, regulations, contractual or reporting requirements increases the diversity and complexity of system requirements and hence, the opportunity for noncompliance.
High -------Subject to 3 or more outside entities.
Medium----Subject to 1 or 2 outside entities.
Low--------Subject to no apparent external laws, regulations, contractual, or reporting requirements, of outside entities. 14. External and internal auditing of an area or department's internal controls may decrease an agency's risk associated with management and accounting controls.
High -------Last review by internal or external auditors was completed over 5 years ago.
Medium----Last review by internal or external auditors was conducted within 3 to 5 years ago.
Low--------Reviewed by either internal or external auditor within the last 2 years. 15. Areas or departments with a history of audit findings and/ or informal internal control comments (external or internal audit) normally have a higher level of risk for an agency.
High -------Internal control audit finding less than 2 years ago that resulted in either a compliance failure or a significant adjustment to an account balance.
Medium----Informal internal control comment less than 5 years ago or last internal control audit finding less than 5 years ago.
Low--------Last internal control audit finding more than 5 years ago or no internal control audit findings in the last 5 years. 16. Interest shown by outside parties such as legislators, news media, citizen groups, the general public or others (including agency personnel) increases an agency's risk related to a system.
High -------Outside parties have shown a major interest in the area.
Medium----Outside parties have shown a moderate interest in the area.
Low--------Outside parties have shown no or very little interest in the area. Submit Reset
Appendix B
Action Research Plan

I. Getting Started

A. Finding a research focus
Status: Complete. Using departmental website to improve interaction of internal audit function with faculty and staff. (Educating university personnel to recognize risk and internal control concerns.)

B. Background reading
Status: In progress. Main sources are other web pages of internal audit shops, esp. those in college and university settings. Secondary sources are information regarding risk assessment, audit planning, and control self-assessment.
Target date: (Continuous)

C. Ethics
Status: Complete. Already covered in policy, procedures, and web site of this office.

D. Resourcing
Status: In progress. Budget not necessary but availability of technology is a big factor in how the risk assessment will be conducted on the website.
Target date: Feb 25th

E. Working with others
Status: I will be using email to request university departments complete the online risk assessment. Initial request: March 1st. Second request: March 15th.
Target date: (continuous)

II. Doing the project

A. Identification of concern
Status: Complete. How can I improve my interaction with university personnel to increase the effectiveness of risk assessment and efficiency of the internal audit function?

B. Values statement
Status: Complete.

C. Gathering the data
Status: In progress. Focused on specific risk assessment data, specific target group.
Target date: March 1st

D. Imagining possible solutions
Status: In progress. Ultimate goal is to use automation through web site rather than send out paper survey that generally results in low response rate. Need to
Target date: March 1st

E. Gathering the data (part 2)
Status: Incomplete.
Target date: March 15th

F. Evaluating the impact and its significance
Status: Incomplete. Prelim report due 3/27.
Target date: March 23rd

G. Validating the claim to improvement
Status: Incomplete.
Target date: March 23rd

H. Modification of practice
Status: Incomplete.
Target date: April 1st

I. Evaluation of project
Status: Including feedback from draft report.
Target date: April 17th

J. Writing up
Status: Draft due 4/7.
Target date: Due May 1st
Appendix C
Presentation of Data

Email Response to Test Submission of Electronic Form

From: Risk-Form
Sent: Tuesday, March 18, 2003 10:57 AM
To: Ciprich, Linda
Cc: Jaeger, David
Subject: Risk Form Response

Department: IT (TEST)
Name: David Jaeger (TEST)
Email: [email protected] (TEST)
Question 1: high
Question 2: medium
Question 3: low
Question 4: high
Question 5: medium
Question 6: low
Question 7: high
Question 8: medium
Question 9: low
Question 10: high
Question 11: medium
Question 12: low
Question 13: high
Question 14: medium
Question 15: low
Question 16: medium
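The automated message above is what the web form e-mails back for each submission. Before those messages can be aggregated across departments, each one has to be read back into a record and checked, since the form's output is free text and a submission can arrive with a blank, mistyped or repeated answer. The parser below is an added example written for this page, not code from the report or its website: the field names and the 16-question layout come from the message above, while the function names, the validation rules, the count-based tally and ordering (the report does not say how answers are weighted), and the two sample messages (constructed, with made-up departments, names and addresses) are assumptions made for illustration.

```python
"""Parse and validate the automated "Risk Form Response" e-mail.

Added example for this page, not code from the report or its website. Field
names and the 16-question layout follow the Appendix C message; everything
else (function names, validation rules, tally, sample messages) is assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

QUESTION_COUNT = 16                        # questions 1-16 of the Appendix A survey
VALID_RATINGS = ("high", "medium", "low")  # the only answers the form offers

# Constructed sample in the layout of the Appendix C message (department,
# name and address are made up for this example).
SAMPLE_RESPONSE = """From: Risk-Form
Sent: Tuesday, March 18, 2003 10:57 AM
Subject: Risk Form Response
Department: Library (TEST)
Name: Pat Example (TEST)
Email: pat.example@example.edu (TEST)
Question 1: high Question 2: medium Question 3: low Question 4: high
Question 5: medium Question 6: low Question 7: high Question 8: medium
Question 9: low Question 10: high Question 11: medium Question 12: low
Question 13: high Question 14: medium Question 15: low Question 16: medium
"""

# Constructed malformed sample: bad address, blank answer, typo, duplicate,
# and most questions missing.
BAD_RESPONSE = """Department: Athletics (TEST)
Name: Sam Example (TEST)
Email: sam.example (TEST)
Question 1: high Question 2: medium Question 3: Question 4: hgh
Question 5: low Question 5: high
"""

# Header fields the form writes into the body. Lazy match up to the next
# field label or end of line, so one-line and multi-line bodies both work.
_FIELD_RE = re.compile(
    r"\b(Department|Name|Email):\s*(.*?)\s*(?=(?:Department|Name|Email|Question\s+\d+)\s*:|$)",
    re.MULTILINE,
)
# "Question 7: high" pairs. The negative lookahead keeps a blank answer from
# swallowing the next "Question" label as its value.
_QUESTION_RE = re.compile(r"Question\s+(\d+)\s*:\s*(?!Question\b)([A-Za-z]+)?")


@dataclass
class RiskResponse:
    department: str
    name: str
    email: str
    ratings: dict[int, str]
    problems: list[str] = field(default_factory=list)

    @property
    def is_valid(self) -> bool:
        return not self.problems

    def tally(self) -> dict[str, int]:
        """Count how many questions were answered high, medium and low."""
        counts = {r: 0 for r in VALID_RATINGS}
        for rating in self.ratings.values():
            counts[rating] += 1
        return counts


def parse_response(text: str) -> RiskResponse:
    """Turn one response message into a RiskResponse, recording every defect."""
    fields = dict(_FIELD_RE.findall(text))
    problems: list[str] = []
    for label in ("Department", "Name", "Email"):
        if not fields.get(label):
            problems.append(f"missing {label}")
    email = fields.get("Email", "")
    # The form appends markers such as "(TEST)"; validate only the first token.
    if email and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email.split()[0]):
        problems.append(f"malformed Email: {email!r}")

    ratings: dict[int, str] = {}
    for num_s, value in _QUESTION_RE.findall(text):
        num = int(num_s)
        if not 1 <= num <= QUESTION_COUNT:
            problems.append(f"unexpected question number {num}")
            continue
        if num in ratings:
            problems.append(f"duplicate answer for question {num}")
            continue
        rating = value.lower()
        if rating not in VALID_RATINGS:
            problems.append(f"question {num}: invalid rating {value!r}")
            continue
        ratings[num] = rating
    missing = [n for n in range(1, QUESTION_COUNT + 1) if n not in ratings]
    if missing:
        problems.append(f"unanswered questions: {missing}")
    return RiskResponse(fields.get("Department", ""), fields.get("Name", ""),
                        email, ratings, problems)


def rank_departments(responses: list[RiskResponse]) -> list[RiskResponse]:
    """Order valid responses by number of high, then medium, ratings.
    Assumed rule: the report does not state how the answers are weighted."""
    valid = [r for r in responses if r.is_valid]
    return sorted(valid, key=lambda r: (r.tally()["high"], r.tally()["medium"]),
                  reverse=True)


if __name__ == "__main__":
    for text in (SAMPLE_RESPONSE, BAD_RESPONSE):
        r = parse_response(text)
        print(r.department, "valid" if r.is_valid else "INVALID", r.tally(), r.problems)
```

Run as a script it prints one line per sample; the constructed good message parses to 5 high, 6 medium and 5 low, and the malformed one is rejected with a list of every defect rather than silently scored, which is the behaviour an auditor wants before a department's answers feed the audit plan.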