Risk assessment includes input from management and staff in identifying risks. The Director of Internal Audit will meet with the President to discuss the proposed audit plan prior to submission to the IHL for approval. The IHL Chief Audit Executive (CAE) provides the approved audit plan to the University President. During the course of the year, the Director of Internal Audit may make changes to the plan, in consultation with the University President and the IHL Chief Audit Executive, to address changes in identified risks or management’s requests; such changes are documented in status reports submitted to the CAE. Factors considered within the risk assessment include:
Quality and stability of the control environment: includes the evaluation of the adequacy of the existing control structure, expertise of management, historical problems, adherence to budget, complexity of operations and economic impact. Questions to consider include:
- Have administrative personnel changes occurred within the department?
- Have major program modifications occurred?
- Have departmental procedural problems been noted by the departmental chair/director?
- How long since the last audit?
- Are monthly reconciliations performed on all departmental revenues and expenditures (compare documents to ERP “Banner” postings)?
Business Exposure: larger potential losses are normally associated with larger sized activities, as indicated by revenues and expenditures. Other things being equal, large dollar amounts either flowing through a system or committed to an activity or project will increase audit interest. The dollar amount and relative liquidity of assets safeguarded will impact this factor. Other objective information to be considered for each auditable area includes the dollar amount of cash receipts, receivables, inventory and property safeguarded. Questions to consider include:
- How many programs/areas are encompassed within the department?
- What is the amount of the total department budget?
- What is the amount of the total department revenue?
- How many full-time employees (FTE) for all programs/areas?
Public & Political Sensitivity: a public relations exposure exists whenever an event occurs which would erode public confidence in the University. The following conditions influence this factor: probability of adverse publicity, reduced support, tarnished reputation or depletion of goodwill, erosion of the legitimacy of ASU’s mission or miscommunication of traditional values. Questions to consider include:
- How sensitive is the department to bad media publicity?
- How much effect could politics have on meeting departmental goals?
Compliance Requirements: risk associated with non-compliance relates to the inability to meet business objectives, which can result in monetary loss due to improper business practices, levy of fines or litigation, loss of funding sources and disallowed costs from funding agencies. Questions to consider include:
- Is the department governed by external regulations other than state law?
- Does the department have external audits?
Information technology and management reporting: reliable information is needed at all levels of an organization to run the business and move toward achievement of the entity’s objectives in all categories. Reliable internal measures, including information technology, are essential for generating information used. Questions to consider include:
- Are computer systems other than the ERP operated within the department?
- Does the department have any external reporting requirements?
- Have procedures been established to back up data files, including the identification of all critical data files and programs on workstations and servers?
Management concerns regarding meeting departmental goals, fraud, departmental confidentiality, current operating procedures, etc. are also taken into consideration.