E.12 Internal Audit Engagement Risk Assessment Template

A. Steps to Conduct an Engagement Risk Assessment

Background

2018 External Validation Report on PRIA’s self-assessment of its internal audit activity: In the 2017–18 fiscal year, PRIA underwent an external validation of its internal audit activity. Recommendation 2 in the external evaluator’s report (1384301) reads as follows:
“To help focus limited internal audit resources on the higher risk areas of the audit entity, the PRIA team should develop a standardized methodology and template for engagement-level risk assessments, and ensure that it applies and documents them consistently in all internal audit engagements.”

IIA Standard 2210.A1: The IIA standard requires that internal auditors conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

PRIA’s Internal Audit Planning: The results of the risk assessment of the relevant activity under review will inform the development of the internal audit plan summary, which provides the client with details on the internal audit objective, scope, timelines, resources, criteria, and sources of criteria.

Steps

1. Obtain background information about the activities to be reviewed in order to determine the impact on the engagement objectives and scope. This includes information on governance, activities, risks, and internal controls.
2. Identify the risks associated with the achievement of the audit client’s objectives and expected results, or the risks related to the activities under review. In doing so, consider:
  1. The reliability of management’s assessment of risk.
  2. Management’s process for monitoring, reporting, and resolving risk and control issues.
  3. Management’s reporting of events that exceed the limits of the Office’s risk appetite, and management’s responses to those reports.
3. Assess the relative significance of each risk in terms of the likelihood that it will occur and the impact should it occur. Meet with the Office’s internal specialists, such as for fraud and wrongdoing, as required.
4. Make a preliminary determination of whether management’s assertions on controls are likely to prevent or mitigate the occurrence of the risks of greatest concern.
5. Plan to focus audit objectives and scope on testing the existence or the adequacy and effectiveness of key controls over areas of greatest risk.
6. Using the Risk Assessment Template, summarize the results of the review of management’s assessment of risks. Provide relevant background information and survey work. The summary is to include the following elements:
  1. significant engagement issues and reasons for pursuing them in more depth
  2. engagement objectives and procedures
  3. methodologies to be used, such as technology-based audit and sampling techniques
  4. potential critical control points, control deficiencies, and/or excess controls
  5. when applicable, reasons for not continuing the engagement or for significantly modifying engagement objectives
7. Document key source documents and working papers in TeamMate.

B. Templates to Conduct an Engagement Risk Assessment

The template is a table with one row per identified risk (Risk 1, Risk 2, and so on) and the following columns:

  1. Risk #
  2. Risk Statement (“There is a risk that . . .”)
  3. Link to Strategic Objective
  4. Risk Rating: Likelihood (H/M/L) and Impact (H/M/L)
  5. Expected Controls (controls that you would expect to see to mitigate this risk)
  6. Key Planning Phase Observations (key information learned through the planning phase, including key controls noted)
  7. Any Fraud/Wrongdoing Considerations?
  8. Residual Risk Level
  9. Include in Audit Program? (Yes/No)
  10. Justification for Including In/Excluding From Audit Program
  11. Source Documents
  12. TeamMate Reference

Summary of Results

  1. Significant engagement issues and reasons for pursuing them in more depth.
  2. Engagement objectives and procedures.
  3. Methodologies to be used, such as technology-based audit and sampling techniques.
  4. Potential critical control points, control deficiencies, and/or excess controls.
  5. When applicable, reasons for not continuing the engagement or for significantly modifying engagement objectives.

C. Assessing Fraud Risk

Introduction

IIA Standard 2210.A2 states, “Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.” Internal auditors should understand the characteristics of fraud, techniques used to commit fraud, and types of frauds associated with audited business units and processes.

Key definitions

[1] The Institute of Internal Auditors, The American Institute of Certified Public Accountants, and Association of Certified Fraud Examiners, Managing the Business Risk of Fraud: A Practical Guide, July 2008.

Steps for Assessing for Fraud Risk

Each step below lists its objective(s) and the method/tools used to achieve it.

Step 1

  Objective: Determine whether the activity under internal audit could be subject to risk of fraud.
  Method/Tools:
  • Review available resources

Step 2

  Objective: Identify fraud risks that are relevant to the process or business area under audit. Initial identification should consider inherent and residual risks.
  Method/Tools:
  • Review documentation
  • Interview management and/or service leaders
  • Document the assessment in TeamMate

Documentation (examples):

  • IIA—2016 Essentials’ Fraud Risk Assessment Matrix (1289784)
  • OAG’s Risk Registers
  • Prior internal audit reports
  • Functional self-assessments

Interviews:

  • Opening Conference—PRIA Manual F.4 (1023174 v.5)
  • OAG-Fraud Screening Templates http://cmsprd.oag-bvg.gc.ca/intranet/financial-audits/tem_lp_e_98.shtm
  • OAG-Fraud Questionnaire Templates (1289755)
  • IPPF. Practice Guide on Internal Auditing and Fraud (2009), Appendix B—Questions to Consider (1289737)

Step 3

  Objective: Determine the internal controls that are in place to mitigate fraud risk.
  Method/Tools:
  • If no controls are in place, advise the CAE
  • If internal controls exist, list the possible internal controls that mitigate fraud risk

Step 4

  Objective: Evaluate whether the identified controls that mitigate fraud risks are properly designed and operate effectively.
  Method/Tools:
  • Audit programs should include testing of internal controls
  • To be done during the examination phase
  • Advise the CAE of findings

Step 5

  Objective: Determine whether residual fraud risks exist due to a lack of internal controls or controls that are not operating effectively. Assess their importance in terms of potential impact (financial, loss, reputational). Communicate findings to the CAE and others as required.
  Method/Tools: Document the following:
  • Identification of residual risks
  • Assessment of importance
  • Communication to the CAE
  • Communication, if required, to Strategic Planning and the Internal Specialist for Fraud and Wrongdoing

D. References

For supporting references, refer to PROXI-#1515857PRIA_-_ _Engagement_Risk_Assessment_Template

Last modified: 2019-04-09