E.9 Engagement-Level Risk Assessment Process

  1. The IIA Standard 2210.A1 requires internal auditors to conduct a preliminary assessment of the risks relevant to the activity under review. The engagement objectives must reflect the results of this assessment.

  2. A detailed risk assessment is undertaken during the planning phase of the engagement to confirm that the lines of inquiry and the initial objectives have indeed focused on the most important risks associated with the plan or activity being audited.

  3. The risk assessment template must be used to document the risk assessment of the activity under review. The template can be found in PROxI #1441267.

  4. The objective statements for the audit, as outlined in the risk-based annual internal audit plan, may need to be amended in the specific engagement’s audit plan if the more detailed risk assessment reveals additional risks or assigns higher or lower risk scores to those risks already identified.

  5. The steps involved in performing a detailed risk assessment follow:

    1. Obtain background information about the activities to be reviewed to determine the impact on the engagement objectives and scope. This includes information on governance, activities, risks, and internal controls.

    2. Identify the risks associated with the achievement of the audit client’s objectives and expected results, or the risks related to the activity under review, taking into account:

      1. the reliability of management’s assessment of risk;

      2. management’s process for monitoring, reporting, and resolving risk and control issues; and

      3. management’s reporting of events that exceed the limits of the Office’s risk appetite and management’s responses to those reports.

    3. Assess the relative significance of the risks in terms of the likelihood of each risk occurring and the impact should it occur.

    4. Determine on a preliminary basis whether management’s assertions on controls are likely to prevent or mitigate the occurrence of the risks of greatest concern.

    5. Plan to focus audit objectives and scope on testing the existence or adequacy and effectiveness of key controls over areas of greatest risk.

    6. Summarize the results of the review of management’s assessment of risks, including relevant background information and survey work. The summary must include the following elements:

      1. significant engagement issues and reasons for pursuing them in more depth;

      2. engagement objectives and procedures;

      3. methodologies to be used, such as technology-based audit and sampling techniques;

      4. potential critical control points, control deficiencies, or excess controls; and

      5. when applicable, reasons for not continuing the engagement or for significantly modifying engagement objectives.

  6. The results of the risk assessment inform the development of the internal audit plan summary.

  7. The lead auditor may complete the risk assessment alone or with the participation of audit client representatives. In either case, the lead auditor will want to ensure that the client is in general agreement with the completed product since the lead auditor employs it in developing the audit plan.

  8. The lead auditor must be sensitive to situations where management has undertaken a risk assessment and made decisions with which the lead auditor may not be comfortable. Since management can choose to accept, transfer, eliminate, reduce, or mitigate risks, the lead auditor may encounter situations in which the client does not view a given risk with the same degree of concern the lead auditor might. For example, if the client has chosen to accept the risks associated with not developing and implementing action(s) on the basis of recommendations or not implementing an action plan, the lead auditor may need to express, and be prepared to defend, an opinion that the course of action taken is inappropriate.

  9. In other situations, the lead auditor may need to proceed with testing to demonstrate that a chosen course of action to address a risk may be insufficient or unnecessary.

  10. In the event that a serious disagreement arises with the audit client, the lead auditor may need to seek assistance from the Chief Audit Executive, who will consult with the Audit Committee or Auditor General in pursuing discussions with the client and the client’s more senior management.

Last modified: 2019-03-05