E.12 Internal Audit Engagement Risk Assessment Template
A. Steps to Conduct an Engagement Risk Assessment
Background
2018 External Validation Report on PRIA’s self-assessment of its internal audit activity | In the 2017–18 fiscal year, PRIA underwent an external validation of its internal audit activity. Recommendation 2 in the external evaluator’s report (1384301) reads as follows: “To help focus limited internal audit resources on the higher risk areas of the audit entity, the PRIA team should develop a standardized methodology and template for engagement-level risk assessments, and ensure that it applies and documents them consistently in all internal audit engagements.” |
IIA Standard 2210.A1 | The IIA standard requires that internal auditors conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. |
PRIA’s Internal Audit Planning | The results of the risk assessment of the relevant activity under review will inform the development of the internal audit plan summary, which provides the client with details on the internal audit objective, scope, timelines, resources, criteria, and sources of criteria. |
Steps
1 | Obtain background information about the activities to be reviewed in order to determine the impact on the engagement objectives and scope. This includes information on governance, activities, risks, and internal controls. |
2 | Identify the risks associated with the achievement of the audit client’s objectives and expected results, or the risks related to the activities under review. |
3 | Assess the relative significance of each risk in terms of the likelihood that it will occur and the impact should it occur. Meet with the Office’s internal specialists (for example, on fraud and wrongdoing) as required. |
4 | Make a preliminary determination of whether management’s assertions on controls are likely to prevent or mitigate the occurrence of the risks of greatest concern. |
5 | Plan to focus the audit objectives and scope on testing the existence, adequacy, and effectiveness of key controls over the areas of greatest risk. |
6 | Using the Risk Assessment Template, summarize the results of the review of management’s assessment of risks. Provide relevant background information and survey work. The summary is to include the elements listed under Summary of Results below. |
7 | Document key source documents and working papers in TeamMate. |
B. Templates to Conduct an Engagement Risk Assessment
Risk # | Risk Statement | Link to Strategic Objective | Risk Rating: Likelihood (H/M/L) | Risk Rating: Impact (H/M/L) | Expected Controls | Key Planning Phase Observations | Any Fraud/Wrongdoing Considerations? | Residual Risk Level | Include in Audit Program? (Yes/No) | Justification for Including In/Excluding From Audit Program | Source Documents | TeamMate Reference |
---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | There is a risk that . . . | | | | (Controls that you would expect to see to mitigate this risk.) | (Key information learned through the planning phase. Includes key controls noted.) | | | | | | |
2 | There is a risk that . . . | | | | | | | | | | | |
Summary of Results
- Significant engagement issues and reasons for pursuing them in more depth.
- Engagement objectives and procedures.
- Methodologies to be used, such as technology-based audit and sampling techniques.
- Potential critical control points, control deficiencies, and/or excess controls.
- When applicable, reasons for not continuing the engagement or for significantly modifying engagement objectives.
C. Assessing Fraud Risk
Introduction
IIA Standard 2210.A2 states, “Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.” Internal auditors should understand the characteristics of fraud, techniques used to commit fraud, and types of frauds associated with audited business units and processes.
Key definitions
- Fraud—any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving gain. [1]
- Inherent risk—the risk an activity poses if no controls or other mitigating factors are in place.
- Residual risk—the risk that remains after controls are taken into account.
[1] The Institute of Internal Auditors, The American Institute of Certified Public Accountants, and Association of Certified Fraud Examiners, Managing the Business Risk of Fraud: A Practical Guide, July 2008.
Steps for Assessing Fraud Risk
Step | Objective(s) | Method/Tools |
---|---|---|
1 | | |
2 | Initial identification should consider inherent and residual risks. | Documentation (examples): Interviews: |
3 | | |
4 | | |
5 | | Document the following: |
D. References
For supporting references, refer to PROXI-#1515857PRIA_-_ _Engagement_Risk_Assessment_Template
- Last modified: 2019-04-09