Source: student.fgcu.edu/lccipric/ActionResearch.pdf

Risk Assessment 1

Running head: ACTION RESEARCH: RISK ASSESSMENT

Action Research: Risk Assessment for Audit Planning

Linda C. Ciprich

Florida Gulf Coast University


Abstract

This report is a description of an action research project on risk assessment for internal audit planning. Risk assessment is a required audit activity that is traditionally a long, tedious process. This project is an effort to automate and streamline that process, creating an innovative tool that can be adapted for use by other internal auditors. Developed to be accessed and submitted through the internet and email, the risk assessment survey described here will be more efficient and effective, resulting in more efficient and effective practice. In combination with information provided through the website, it will educate the users in the types of risk the university is exposed to, as well as internal controls that will help mitigate the risk. The report references the focus and description of the project, audit planning requirements and the role risk assessment plays, types of risk, evaluation of risk, the method of inquiry, and the strengths and weaknesses. In a description of significance, it acknowledges that faster and easier does not always equate to success, and that there is always room for improvement. Contained within the report are appendices with the survey, action research plan, and example of the automated response upon the user’s submittal.


Introduction

The expression risk management is currently a popular term in the business world, although it has been around quite a while. The expression enterprise risk management, also going by the acronym ERM, is more recent and considered an accounting hot topic. With volatile markets and corporate scandals such as Enron and WorldCom making national and international headlines, pressure is increasing on boards and company officials to better manage risk in their organizations. However, before it can be managed, risk must be identified and assessed. That responsibility often falls to the internal auditors, or to other key financial and business services personnel if the organization lacks an internal audit department. This is not a new concept. Sawyer and Dittenhofer, two of the most respected names in the profession, have stated that “internal auditors have engaged in risk assessment from the earliest days of the profession” (1996, pg. 403).

As the chief audit executive of Florida Gulf Coast University, I am required by professional standards¹ to develop and use a risk-based internal audit plan. Specifically, listed under performance standards, 2010.A1:

The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.

My process, as the Inspector General of the university, where I wear both the hat of the director of internal audits and the director of investigations and have no other staff, is to undergo a detailed risk assessment for long-term audit planning once every five years. The assessment is updated annually based on results of internal and external audit reports, additional university units and centers coming online, major system changes, et cetera. The long-term audit plan is adjusted annually as well in developing the short-term audit plan for the following fiscal year, taking into consideration changes made to the risk assessment and requested audits and projects of the university president, board of trustees, and other university managers.

¹ Standards for the Professional Practice of Internal Auditing, promulgated by the Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida.


Traditionally, my risk assessment process has involved using a long, detailed survey instrument that department heads are responsible for taking the time to complete, and which is often not returned to me even after repeated requests. Those that are returned require extensive review and reassessment on my part, as well as ranking. In addition, I perform a series of interviews, although not of all department heads. The entire process can take several months, and in the end I often find that the result holds little value: some of the most significant problems crop up in areas that have qualified as low to moderate risk.

The lack of resources in my department, combined with significant university growth during the past five-year period, has resulted in delaying the risk assessment process this past year. Having the opportunity this semester to develop an action research project using instructional technology has resulted in my being able to develop a shorter, more efficient survey that can be administered electronically (Appendix A), and to incorporate information within the OIG’s website that will help educate faculty and staff on the topic of risk and internal control (http://itech.fgcu.edu/general/audit.htm#_Risk_Assessment_and).

In the following sections, I describe the focus of this project, risk assessment in the audit planning process, the context in which it is held, the methodology used, project details, and results so far.


Focus

Risk Assessment and Audit Planning

Risk assessment is typically undertaken to focus attention on significant audit areas, to allocate scarce audit resources to the most important audit areas, and to help with key audit prioritizing decisions such as audit frequency, intensity, and timing. In addition to assessing the levels of risk described later, the Office of the Inspector General does use other factors in determining the audit plan:

• Executive management interest
• Internal control system
• Prior audit findings
• Time since last audit, if ever
• Special request
• Availability of audit staff

Risk Assessment

Reasons for using risk assessment in audit planning include:

• Identification and analysis of relevant risks to the achievement of an organization's objectives, for the purpose of determining how those risks should be managed.
• Implies an initial determination of operating objectives, then a systematic identification of those things that could prevent each objective from being attained. In other words, it's an analysis of what could go wrong.
• Not all risks are equal. Some are more likely than others to occur, and some will have a greater impact than others if they occur. So, once risks are identified, their probability and significance must be assessed.
• Finally, having identified and assessed risk, management must decide how to deal with it. In some cases, the decision may be to control it; in others, it may be to accept it.

The risk assessment process is an ongoing one. Internal and external threats constantly develop, presenting new hazards to the organization. Change itself is a risk, and management must continually adapt its policies and procedures to manage its changing risks to a comfortable level.


Each operating unit at the university faces its own challenges and must assess how it will manage them to meet its objectives. A good internal control system can mitigate those risks, and the Office of the Inspector General can advise departments on developing good internal controls.

Types of Risk

• STRATEGIC RISK IS RISK THAT AFFECTS AN ORGANIZATION'S ABILITY TO ACHIEVE ITS GOALS. It can be university-wide risk when it involves executive decisions, or it may be a departmental risk. Departments should determine how critical their function is to the university and what impact there would be on the university if they were unable to provide service.
• FINANCIAL RISK IS RISK THAT MAY RESULT IN A LOSS OF ASSETS. While dollar volume exposure is a definite factor, access to large amounts of cash is not the only financial risk to the organization or department. Inventory such as supplies, equipment, and tools is as vulnerable to theft and embezzlement as cash. Accounts receivable, payables, financial aid, and purchasing are vulnerable areas that can involve numerous university departments.
• OPERATIONAL RISK IS RISK THAT AFFECTS AN ONGOING MANAGEMENT PROCESS. Day-to-day operations are affected by changes and breakdowns in communications and information systems, employee turnover, a lack of policies and procedures, and interdependency on other departments, as well as other factors. A good system of internal control will mitigate this type of risk.
• COMPLIANCE RISK IS RISK THAT AFFECTS COMPLIANCE WITH EXTERNALLY IMPOSED LAWS AND REGULATIONS AS WELL AS WITH INTERNALLY IMPOSED POLICIES AND PROCEDURES CONCERNING SAFETY, CONFLICT OF INTEREST, ETC. Every area of the university is affected by compliance risk. Some areas, however, such as financial aid and sponsored research, are subject to external audits from federal and state auditors, thereby reducing the risk. Departments can help reduce their risk by ensuring policies and procedures are implemented to strengthen internal control and by encouraging compliance.
• REPUTATIONAL RISK IS RISK THAT AFFECTS AN ORGANIZATION'S REPUTATION, BRAND, OR BOTH. As a public institution, we are subject to public disclosure that increases our risk in this area. Unfavorable press and notoriety can result from errors and misrepresentations, as well as malfeasance. Note that this risk can result from an organization’s failure to effectively manage any or all of the other types of risk, due to external perception.

Risk and Control Education

The various types of risk described previously have traditionally caused survey instruments to be very long and detailed. I once worked in an agency where the survey was over 25 pages long and the auditors then had to key the data into a program to be tabulated, which was very time consuming for both the auditors and the departments. The purpose of this research project is to develop and continue to refine an innovative risk assessment process that will be efficient yet effective, saving time for both the auditor and the departments. Hopefully, the return response rate will be higher and faster. At the same time, personnel will be gaining knowledge of risk and internal controls that can mitigate the risk.

Jim DeLoach of Arthur Andersen feels that internal auditors should be risk educators and facilitators (Chapman, 2001, pg. 34), similar to my own philosophy: “Internal auditors can help coordinate the development and gathering of information about risk and the organization’s risk management capabilities” (pg. 35). Educating the department personnel in risk and good internal control assists the university and helps a small audit shop cover more ground, or do more, that is, with less. Control self-assessment (CSA) has been around for a few years now, and my project is a way to incorporate it with risk assessment – get your personnel to think about risk and internal controls. Where are you vulnerable? What are you doing about it? How can you reduce risk by increasing internal control?

In another Internal Auditor article, the authors mention that self-assessment can “generate wider audit coverage of an organization at a lower cost than traditional internal audit procedures or widespread CSA sessions” (Adamec et al., 2002, pg. 58). These same authors go on to state that various employees at different levels benefit from the exposure to the framework of a strong internal control system (pg. 63). The objective in this action research project pertains to the diffusion of an innovation through technology – communicating risk assessment through the internet to responsible individuals of the university (Rogers, 1995, pp. 1-37).


Context

Office of the Inspector General

At Florida Gulf Coast University, the Office of the Inspector General (OIG) consists of just one person. The lack of resources, however, does not alleviate the auditing standards’ requirement of risk assessment. Therefore, a project to streamline the process is even more valuable to the small shop than to audit shops with more personnel. Administering the survey in conjunction with the department’s website may also serve to increase awareness in other areas. For example, the website includes information on reporting fraud and a fraud awareness PowerPoint presentation, the audit process that departments being audited will be subject to, and even the annual audit plan that will outline which departments are scheduled to be audited.

Florida Gulf Coast University Departments

During March and April 2002, the state auditors attempted to survey each department of each of the state universities and other state universities. The survey consisted of 12 pages of questions concerning the collection of personal information. As coordinator of external audits, I administered the spreadsheet survey to over 55 departments, centers, and affiliations of FGCU, for the state auditors. The response rate after several requests and 2 months later was approximately 64%. If nothing else, it brought home to me just how much the university had grown from my first risk assessment in 1997, before the doors opened to students. For that risk assessment, I charted the business cycles and departments of the university and came up with 19 audit areas, although some of those areas would mean multiple unit areas. For example, Student Services was listed as one area because we didn’t have the units of Athletics or Housing in the works yet.

I realized that I was going to have to make a survey faster and easier if I wanted to get people to respond; hence the decision to use risk assessment as an instructional technology action research project. A Canadian internal audit director, Basil Orsini, described using a benchmarking tool to profile a range of practices in risk management during 2002, but it still seemed somewhat convoluted when I came across it during the research for this project. His comment, however, that shifting risk-management attitudes and expectations presented auditors with an opportunity to enhance value stuck with me (Orsini, 2002, pg. 66). Evolving my risk assessment into a process that would create learning, as well as generate interaction between university personnel and my office, would be value-added risk assessment.

With a population of almost 50 departments as respondents, I knew I needed management buy-in and that I would have to appeal for support to the president and executive council. Contacting the departments directly would become the second request after the initial responses. Developing a form that could be handled online would reduce time and expense, plus make it easier for the respondents to send it back, either through the website or by email.

Additional Implications

I look upon this project as just the first step in an effort to revamp the website for the Office of the Inspector General and increase the effectiveness and efficiency of the department by increasing the learning of university personnel in areas of risk and internal control. The McNiff text states that “well-conducted action research” may lead to:

• Personal development,
• Better professional practice,
• Institutional improvements, and
• A contribution to the good order of society.

One can only hope when one needs all the help one can get. Actually, I do believe this first step is helping me in both personal and professional development and will benefit university personnel.


Method of Inquiry

Interaction

Donna Mertens describes the interpretive/constructivist approach to research as one in which the research is a product of the values of researchers and not independent of them (1998, pg. 11). She also states that the methodological belief of this paradigm includes qualitative methods such as interviews, observations, and document reviews (pg. 14). This description fits my model of risk assessment – socially constructing knowledge through the interaction of the personnel, the surveys, and myself. Interaction is also used by Fischer to describe teacher research (Burnaford et al., 2001, pg. 43). He describes it as a process of constructing knowledge and meaning through planning, action, reflection, evaluation, and dialogue with colleagues. In this case, it can also be used to describe the actual learning format. Perhaps there is not much interaction between the respondent and myself, but the respondent is interacting with the website and the information incorporated within it.

Approach

My advisor, Dr. Baylen, pointed me in the direction of diffusion of innovation, and I found Everett Rogers’ text applicable to my research in risk assessment, especially in regard to the innovation-decision process. Rogers’ model of the innovation-decision process includes the following stages (1995, pg. 162):

• Knowledge of the innovation or technology
• Persuasion
• Decision to use the innovation or technology
• Implementation
• Confirmation

In my case, I had already realized the need to be more innovative and efficient, and I had some knowledge of the technology…enough knowledge to realize that I could be more efficient in the risk assessment process by using the internet and my website. I didn’t need any persuasion as far as using the technology, since I was well aware that previous risk assessment surveys were tedious and time-consuming for the departments, as well as time-consuming for myself. This class afforded me the opportunity to seek additional information and then make the decision to develop and implement the innovation, an electronic risk assessment survey.


Technically I am still within the implementation stage as I continue to receive feedback from university departments. The fact, though, that I received the first response back within an hour of the first request was, for me, definite confirmation that there would be some benefit to using the new process.

Action Research Plan

A table with the plan can be found in Appendix B. I found I was not realistic in planned dates and not able to devote as much time to the project as I would have liked. Although risk assessment is part of my job, investigations and report deadlines take precedence. Research took longer than I planned – there was not as much available on risk assessment as I had thought there would be, and even less on automated risk assessment.

I was able to focus in on what to include on the survey by reviewing previous risk assessments and those of other internal audit offices, then cutting out the repetitious data, or that data specific to certain areas only. Even though the 3-page printout of it found in Appendix A still may appear lengthy, it is considerably shorter than most risk assessment instruments. Automating the survey once it was developed, though, was harder than I thought it would be. After getting blank return email messages when submitting test data, I eventually had to contact the Instructional Technology department and ask for help with the coding. With their help, the electronic submission process was corrected and I sent an email to the president and direct-reports, asking for their help and buy-in by sending it on to their department heads.

Strengths and Weaknesses

The main strength of this project should be that by streamlining and automating the risk assessment process, university personnel will be more apt to complete and submit the surveys. That would mean less effort on both their part and mine. A second strength is in requiring less time to complete and submit than traditional, detailed risk assessment instruments. Third, automation increases clarity. There is less likelihood of error or misinterpretation from handwriting.

On the other side of the coin, I did sacrifice detail in the streamlining, so the loss of data is a weakness, as is not allowing for open-ended responses.


The Project

Description of Data

The data consists of 16 self-assessment questions that include information concerning risk. They are grouped by type of risk to facilitate evaluation. Question 1 pertains to strategic risk; questions 2 through 7, financial risk; questions 8 through 12, operational risk; 13 through 15, compliance risk; and question 16 is based on risk associated with the institution’s reputation. Each question has the same choices for a response: high, medium, or low risk.

When the respondent submits the form electronically, I receive an email message with the answers. An example of a test submission’s email response from the Instructional Technology department is shown in Appendix C. Between my first request on March 18th and April 18th, I received 13 responses, mostly from Administrative Service units, because the Administrative Service vice-president immediately forwarded my request to all of his directors. With each subsequent request, I am receiving one or two more responses.

Interpretation of Data

At the User Level. Once the risk assessment surveys are completed and submitted, the data must be evaluated in order to assign a level of risk. I wanted the participants to be able to see results rather than simply fill out and submit a form, never to be heard from again. Therefore, I developed a chart the user could refer to in examining their risk levels. For those who choose to do so, the website gives the following directions and chart for participants to do their own evaluation of risk.

Review your responses and determine if your overall risk for questions 2 through 7, questions 8 through 12, and questions 13 through 15 should be low, medium, or high. Use the chart below to check off each risk area. If you find that you have high risk in financial, operational, and compliance areas, your department is generally at high risk overall. If you are only high risk in one of these areas, your risk level is moderately high. If your only high risk areas are strategic or reputational, or if you’ve consistently chosen low or medium risk levels, your self-assessed risk level can be judged moderate.

Copy and paste the questions and responses in an email message to the Inspector General at [email protected]. Results will be used in a university-wide risk assessment during Spring 2003.

Please note: Departments that voluntarily submit their own assessment will automatically be considered as less of an operational and compliance risk when the long-range audit plan is developed for fiscal years 2004 through 2008.
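To make the self-evaluation rule above concrete, here is an added Python example; it is not code from the paper, the OIG website, or the Instructional Technology department. It groups the 16 responses by risk type as laid out in the Description of Data, rolls each group up to one level, and applies the overall rule from the chart directions. Two points are assumptions, because the page leaves them open: how a group's answers collapse to one level (here the most common answer wins, ties going to the more severe level) and how two of the three core areas at high should be treated (here like one). The pasted submission format it parses is constructed, since Appendix C is not reproduced on the page, and the sample answers are made up.

```python
from collections import Counter

# Question groupings stated in the paper's "Description of Data".
AREAS = {
    "strategic": (1,),
    "financial": tuple(range(2, 8)),       # questions 2-7
    "operational": tuple(range(8, 13)),    # questions 8-12
    "compliance": tuple(range(13, 16)),    # questions 13-15
    "reputational": (16,),
}
LEVELS = ("low", "medium", "high")          # ordered least to most severe
CORE_AREAS = ("financial", "operational", "compliance")


def parse_submission(text):
    """Parse pasted lines like '3: High' into {question_number: answer}.
    ASSUMPTION: Appendix C is not on the page, so this line format is constructed.
    Lines that do not fit the format are skipped rather than guessed at."""
    answers = {}
    for line in text.splitlines():
        head, sep, tail = line.partition(":")
        if sep and head.strip().isdigit():
            answers[int(head)] = tail.strip().lower()
    return answers


def validate(answers):
    """Return problems: missing questions or answers other than low/medium/high."""
    problems = []
    for q in range(1, 17):
        if q not in answers:
            problems.append(f"question {q}: missing")
        elif answers[q] not in LEVELS:
            problems.append(f"question {q}: invalid answer {answers[q]!r}")
    return problems


def area_level(answers, area):
    """Collapse one group's answers to a single level.
    ASSUMPTION: the chart leaves this to the respondent's judgement; here the most
    common answer wins and ties resolve toward the more severe level."""
    counts = Counter(answers[q] for q in AREAS[area])
    return max(LEVELS, key=lambda lvl: (counts[lvl], LEVELS.index(lvl)))


def overall_level(levels):
    """Apply the chart's rule: financial, operational and compliance drive it."""
    highs = sum(1 for area in CORE_AREAS if levels[area] == "high")
    if highs == 3:
        return "high"
    if highs in (1, 2):
        # The chart states the one-area case; two areas is an ASSUMPTION here.
        return "moderately high"
    # Only strategic/reputational high, or consistently low/medium answers.
    return "moderate"


def score(answers):
    """Full pipeline; refuses to score an incomplete or malformed submission."""
    problems = validate(answers)
    if problems:
        return {"problems": problems, "areas": None, "overall": None}
    levels = {area: area_level(answers, area) for area in AREAS}
    return {"problems": [], "areas": levels, "overall": overall_level(levels)}


# Constructed sample submission (not real data from the paper).
SAMPLE_TEXT = """\
1: High
2: High
3: Medium
4: High
5: Low
6: High
7: High
8: Low
9: Medium
10: Low
11: Medium
12: Low
13: Medium
14: Low
15: Low
16: High
"""

if __name__ == "__main__":
    # Financial comes out high, the other core areas low: "moderately high" overall.
    print(score(parse_submission(SAMPLE_TEXT)))
```

The validation step matters in practice: the paper notes that every response still has to be reviewed for subjectivity, and a submission with a blank or mistyped answer should be sent back rather than silently scored as low.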

Overall. Each survey response has to be reviewed and reassessed due to subjectivity. After they are all received, I will develop a chart outlining the units and their risk levels, discuss concerns that the Executive Council may have with the president and vice-presidents, then develop the long-term and short-term audit plans for the president’s approval. It is usually necessary to discuss a few of the assessments with the department heads in order to clarify issues that may evolve.


Significance

Today

The most significant thing I learned from this project was that making the risk assessment shorter and electronic did not guarantee personnel would complete and submit it. The first wave of responses was exciting because they were so immediate compared to previous risk assessment requests. If you send out a 25-page document and ask personnel to fill it out and send it back, you will not see the first response for at least a week. I think that’s part of Murphy’s Laws, somewhere between “Logic is a systematic method of coming to the wrong conclusion with confidence” and “A subject interesting to the teacher will bore students,” with the university personnel being the students. Peter Cookson perhaps said it best:

Participation in education and training programs is generally voluntary. Even when it is not, the cooperation and willingness of adults to participate are still dependent upon the individual volition (Cookson, 1998, pg. 485).

That goes for the supervisors as well as the department heads. I need to make a stronger effort in getting support from management. “Supervisors exert considerable influence over staff attending education and training programs” (Caffarella, 2002, pg. 87). Next time, I envision going to the Executive Council and doing a presentation in which I can demonstrate the website and survey and how it is submitted electronically.

Tomorrow

Obviously, I will need to send repeated requests each time I begin another risk assessment, regardless of how easy I make the process. This innovation does enable me to do a complete risk assessment more often, perhaps even annually, rather than once every five years. It will also make it easier for me to go in and update individual surveys at the completion of audits. According to Olivier Lemant, an overall risk assessment for audit planning is engaging in “macro” risk assessment, while being able to perform it at the assignment level is engaging in “micro” risk assessment (pg. 41). His article in the Internal Auditor helps one to visualize the transition from risk assessment to risk management in the auditor’s arena. I must agree with Lemant that the transition would add value to the function of internal audit.

Someday?

This research project has caused me to reflect on additional ways I may be able to improve my practice. Not only does my entire website need updating and revamping, there are other documents I could automate and have university personnel submit electronically. One example is the cash collection statement, in which each employee, including the president, states whether they are involved in collecting any type of cash, checks, or other currency. There are areas where I can expand information so the users are learning as they peruse. I could expand on control self-assessment, fraud, waste, and abuse topics, and give more information on what to do and what it means when an auditor comes calling.

In an article mentioned earlier, the authors describe random surveys of management regarding their perception of internal control in contrast to just doing risk assessment (Adamec et al., 2002). This type of self-assessment can enhance the system of internal control and enhance the internal audit function at the same time. The visibility of the function helps mitigate the risk of fraud, waste, and abuse…and the more proactive internal audit is, the more visible it will become.

In conclusion, it is my hope that I will eventually be able to take both the automated risk assessment process developed here and the upcoming website enhancements to other understaffed, small internal audit shops in a demonstration of the tools they can develop.


References

Adamec, B. A., Rexroad, W. M., Leinicke, L. M., & Ostrosky, J. A. (December, 2002). Internal reflection. Internal Auditor, LIX:VI, 56-63.

Fischer, J. (2001). Action research rationale and planning: developing a framework for teacher inquiry. In Burnaford, Fischer, and Hobson (Eds.), Teachers doing research: the power of action through inquiry (pp. 29-48). Mahwah, NJ: Lawrence Erlbaum Associates, Publishers.

Caffarella, R. (2002). Planning programs for adult learners (2nd ed.). San Francisco, CA: Jossey-Bass.

Chapman, C. (June, 2001). The big picture. Internal Auditor, LVIII:III, 30-37.

Cookson, P. (1998). Program planning in retrospect. In Peter S. Cookson (Ed.), Program planning for the training and continuing education of adults (pp. 481-489). Malabar, FL: Krieger Publishing Co.

Lemant, O. (June, 2001). Risk as a tripod. Internal Auditor, LVIII:III, 39-43.

McNiff, J., Lomax, P., & Whitehead, J. (1996). You and your action research project. New York: Hyde Productions.

Mertens, D. M. (1998). Research methods in education and psychology: integrating diversity with quantitative & qualitative approaches. Thousand Oaks, CA: Sage Publications, Inc.

Nitko, A. (2001). Educational assessment of students (3rd ed.). Columbus, OH: Merrill Prentice-Hall.

O’Reilly, V. M., et al. (1990). Montgomery’s auditing (11th ed.). New York: John Wiley & Sons.

Orsini, B. (August, 2002). Mature risk management. Internal Auditor, LIX:IV, 66-67.

Ratliffe, R. L., et al. (1996). Internal auditing: principles and techniques (2nd ed.). Altamonte Springs, FL: The Institute of Internal Auditors.

Sawyer, L. B., & Dittenhofer, M. A. (1996). Sawyer’s internal auditing: the practice of modern internal auditing (4th ed.). Altamonte Springs, FL: The Institute of Internal Auditors.


Appendices


Appendix A

Risk Assessment Survey

Department:
Name of Contact:
Email Address:

1. A department or unit should determine how critical its function is to the university as a measure of strategic risk. One way of measuring that risk may be to consider the impact on the university if the unit was incapacitated for any reason and for how long.

High -------The university would be affected within days.

Medium----The function of the unit is not critical. The university may not be affected for several weeks.

Low--------The university would not be impacted should this unit not exist.

2. Account or activity balance size has an effect on an agency's risk due to materiality considerations. Account balance size should be measured at the audit area or department's total.

High -------More than $5,000,000.

Medium----Between $1,000,000 and $5,000,000.

Low--------Under $1,000,000.

3. Processing general fund expenditures increases area or department risk due to the budgetary constraints and legislative oversight and concern with the accurate reporting of this data.

High -------Processes more than $1,000,000 in general fund expenditures.

Medium----Processes between $100,000 and $1,000,000 in general fund expenditures.

Low--------Processes none or less than $100,000 in general fund expenditures.

4. Processing federal assistance transactions (Financial Aid, Grants, Contracts, etc.) causes an increase in area or department risk due to the stringent administrative and cost principle guidelines that must be met.

High -------Processes more than $1,000,000 in federal assistance transactions.

Medium----Processes between $100,000 and $1,000,000 in federal assistance transactions.

Low--------Processes none or less than $100,000 in federal assistance transactions.

5. Cash and checks are more susceptible to fraud or theft than other assets. Their presence in an area or department increases risk, especially if the process is part of a major system.

High -------The handling of cash and checks or other attractive negotiable instruments is a major part of your area.

Medium----There is limited opportunity for access to cash and checks or other attractive negotiable items, or potential for access to them.

Low--------Includes no cash or highly liquid instruments.

6. The presence of large inventory balances (not fixed assets and equipment) or specialized inventories such as controlled substances, hazardous wastes, or precious metals increases an area or department's risk.

High -------Inventories valued at more than $100,000 or including specialized items, such as hazardous wastes.

Medium----Inventories between $10,000 and $100,000 that do not include specialized items.

Low--------Inventories under $10,000 that do not include specialized items, or no inventory.

7. State agencies have a history of accountability problems with fixed assets and equipment. The presence of large fixed asset balances or highly desirable small and attractive assets, such as firearms or camera equipment, increases the department’s risk.

High -------Fixed asset balance over $1,000,000 or extensive highly desirable assets.

Medium----Fixed asset balance between $100,000 and $1,000,000 or highly desirable assets.

Low--------Fixed asset balance under $100,000 and no highly desirable assets.

8. Employee turnover increases the risk associated with a particular system of management or accounting controls.

High -------Major turnover in key management or staff.

Medium----Limited turnover in key management or staff.

Low--------No turnover in key management or staff.

9. Generally, an area or department's risk will increase with a higher level of automation within systems. Risk will also tend to increase with major system changes.

High -------Your department is responsible for an automated system with major changes or a new major automated system.

Medium----Your department is responsible for an automated system with minor changes or a subsidiary system that feeds to a major system.

Low--------Your department has no responsibility for major or subsidiary automated systems.

10. The extent of decentralization has an effect on an area or department’s internal accounting controls. Generally, decentralized operations are more difficult to control than centralized.

High -------Operations function at more than 3 locations.

Medium----Operations function at 2 to 3 locations.

Low--------Operations housed at 1 location.

11. An area or department's risk increases by the degree that the system is involved in the creation, handling, or storage of, or affords potential access to, sensitive data (e.g., personnel files, medical records, client files, research records, student records or other activities deemed confidential by law or policy).

High -------Operations include the creation or handling of sensitive data that is an integral part of the system's internal controls.

Medium----Operations include the handling of sensitive data that is not part of the system's internal controls.

Low--------The operation does not include the creation or handling of sensitive data; however, information could be used by outside parties.

12. An area or department's risk increases by the degree that duties are not sufficiently segregated. For example, one person should not be solely responsible for collecting, depositing, and recording cash collections. In areas where personnel are limited, steps to mitigate risk should be taken, such as increasing supervisory oversight.

High -------This department is understaffed to the point that it is not possible to segregate duties sufficiently or increase oversight.

Medium----A limited number of personnel in this department has resulted in a risk that has been mitigated by increasing supervisory control.

Low--------The department has enough personnel to sufficiently separate duties.

13. The existence and applicability of external laws, regulations, contractual or reporting requirements increases the diversity and complexity of system requirements and hence the opportunity for noncompliance.

High -------Subject to 3 or more outside entities.

Medium----Subject to 1 or 2 outside entities.

Low--------Subject to no apparent external laws, regulations, contractual, or reporting requirements of outside entities.

14. External and internal auditing of an area or department's internal controls may decrease an agency's risk associated with management and accounting controls.

High -------Last review by internal or external auditors was completed over 5 years ago.

Medium----Last review by internal or external auditors was conducted within 3 to 5 years ago.

Low--------Reviewed by either internal or external auditor within the last 2 years.

15. Areas or departments with a history of audit findings and/or informal internal control comments (external or internal audit) normally have a higher level of risk for an agency.

High -------Internal control audit finding less than 2 years ago that resulted in either a compliance failure or a significant adjustment to an account balance.

Medium----Informal internal control comment less than 5 years ago or last internal control audit finding less than 5 years ago.

Low--------Last internal control audit finding more than 5 years ago or no internal control audit findings in the last 5 years.

16. Interest shown by outside parties such as legislators, news media, citizen groups, the general public or others (including agency personnel) increases an agency's risk related to a system.

High -------Outside parties have shown a major interest in the area.

Medium----Outside parties have shown a moderate interest in the area.

Low--------Outside parties have shown no or very little interest in the area.


Appendix B

Action Research Plan

I. Getting Started

A. Finding a research focus. Status: Complete. Using departmental website to improve interaction of internal audit function with faculty and staff. (Educating university personnel to recognize risk and internal control concerns.)

B. Background reading. Status: In progress. Main sources are other web pages of internal audit shops, esp. those in college and university settings. Secondary sources are information regarding risk assessment, audit planning, and self control-assessment. Target date: (Continuous)

C. Ethics. Status: Complete. Already covered in policy, procedures, and web site of this office.

D. Resourcing. Status: In progress. Budget not necessary but availability of technology is a big factor in how the risk assessment will be conducted on the website. Target date: Feb 25th

E. Working with others. I will be using email to request university departments complete the online risk assessment. Initial request – March 1st. Second request – March 15th. Target date: (continuous)

II. Doing the project

A. Identification of concern. Status: Complete. How can I improve my interaction with university personnel to increase the effectiveness of risk assessment and efficiency of the internal audit function?

B. Values statement. Status: Complete.

C. Gathering the data. Status: In progress. Focused on specific risk assessment data, specific target group. Target date: March 1st

D. Imagining possible solutions. Status: In progress. Ultimate goal is to use automation through web site rather than send out paper survey that generally results in low response rate. Need to Target date: March 1st

E. Gathering the data (part 2). Status: Incomplete. Target date: March 15th

F. Evaluating the impact and its significance. Status: Incomplete. Prelim report due 3/27. Target date: March 23rd

G. Validating the claim to improvement. Status: Incomplete. Target date: March 23rd

H. Modification of practice. Status: Incomplete. Target date: April 1st

I. Evaluation of project. Including feedback from draft report. Target date: April 17th

J. Writing up. Draft due 4/7. Target date: Due May 1st


Appendix C

Presentation of Data

Email Response to Test Submission of Electronic Form

From: Risk-Form
Sent: Tuesday, March 18, 2003 10:57 AM
To: Ciprich, Linda
Cc: Jaeger, David
Subject: Risk Form Response

Department: IT (TEST)
Name: David Jaeger (TEST)
Email: [email protected] (TEST)
Question 1: high
Question 2: medium
Question 3: low
Question 4: high
Question 5: medium
Question 6: low
Question 7: high
Question 8: medium
Question 9: low
Question 10: high
Question 11: medium
Question 12: low
Question 13: high
Question 14: medium
Question 15: low
Question 16: medium
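The survey in Appendix A and the emailed form response in Appendix C together describe the data an auditor receives: one "Question N: level" line per question, which then has to be turned into a ranking of departments for the audit plan. The following is an added example, not the report's own form handler or any code from the author's office, of how such a mailed response can be parsed and scored. It assumes a weighting the report does not state (high = 3, medium = 2, low = 1, all sixteen questions counted equally) and the line layout of the Appendix C test submission; the two sample bodies are constructed for the example. Because a mailed form arrives as free text, the parser rejects anything outside the expected shape (unknown lines, duplicate or out-of-range question numbers, unknown levels, missing answers) rather than silently scoring it.

```python
"""Parse and score emailed risk-assessment form responses.

Added example; not the report's own code. The weights below are an
assumption, not a scheme the report states.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

NUM_QUESTIONS = 16
LEVEL_SCORE = {"high": 3, "medium": 2, "low": 1}  # assumed weights
MAX_SCORE = NUM_QUESTIONS * max(LEVEL_SCORE.values())

# Constructed sample bodies (not real submissions). The first mirrors the
# Appendix C test response; the second is an all-low control department.
SAMPLE_IT = """\
Department: IT (TEST)
Name: David Jaeger (TEST)
Email: it-test@example.invalid (TEST)
Question 1: high
Question 2: medium
Question 3: low
Question 4: high
Question 5: medium
Question 6: low
Question 7: high
Question 8: medium
Question 9: low
Question 10: high
Question 11: medium
Question 12: low
Question 13: high
Question 14: medium
Question 15: low
Question 16: medium
"""

SAMPLE_ARCHIVES = (
    "Department: Archives (TEST)\nName: A. Example (TEST)\n"
    "Email: archives-test@example.invalid (TEST)\n"
    + "".join(f"Question {n}: low\n" for n in range(1, NUM_QUESTIONS + 1))
)

FIELD_RE = re.compile(r"^(Department|Name|Email):\s*(.*)$", re.IGNORECASE)
QUESTION_RE = re.compile(r"^Question\s+(\d+):\s*([A-Za-z]+)\s*$", re.IGNORECASE)


@dataclass
class Response:
    department: str
    name: str
    email: str
    answers: dict[int, str] = field(default_factory=dict)

    def score(self) -> int:
        """Total risk score under the assumed weights."""
        return sum(LEVEL_SCORE[level] for level in self.answers.values())

    def high_questions(self) -> list[int]:
        """Question numbers answered 'high', for the auditor's follow-up."""
        return sorted(n for n, level in self.answers.items() if level == "high")


def parse_response(body: str) -> Response:
    """Parse one emailed form body; raise ValueError on anything unexpected."""
    fields: dict[str, str] = {}
    answers: dict[int, str] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
            continue
        m = QUESTION_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        number, level = int(m.group(1)), m.group(2).lower()
        if not 1 <= number <= NUM_QUESTIONS:
            raise ValueError(f"question number {number} out of range")
        if level not in LEVEL_SCORE:
            raise ValueError(f"question {number}: unknown level {level!r}")
        if number in answers:
            raise ValueError(f"question {number} answered more than once")
        answers[number] = level
    missing = sorted(set(range(1, NUM_QUESTIONS + 1)) - answers.keys())
    if missing:
        raise ValueError(f"missing answers for questions {missing}")
    for key in ("department", "name", "email"):
        if not fields.get(key):
            raise ValueError(f"missing {key} field")
    return Response(fields["department"], fields["name"], fields["email"], answers)


def rank_departments(bodies: list[str]) -> list[tuple[str, int]]:
    """Parse each body and return (department, score), highest risk first."""
    responses = sorted((parse_response(b) for b in bodies),
                       key=lambda r: r.score(), reverse=True)
    return [(r.department, r.score()) for r in responses]


if __name__ == "__main__":
    for dept, score in rank_departments([SAMPLE_ARCHIVES, SAMPLE_IT]):
        print(f"{dept:<20} {score:>2}/{MAX_SCORE}")
```

The Appendix C test response scores 32 of a possible 48 under these weights, with questions 1, 4, 7, 10 and 13 flagged high. An auditor adapting this would replace the flat weights with whatever emphasis the audit plan gives to, say, cash handling (question 5) or sensitive data (question 11), and would treat the parsed score as a starting point for ranking rather than as the plan itself.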