Office Of Internal Audit

Risk Analysis

The Institute of Internal Auditors Standards requires that “The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.”

The Standards also state that “the internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.”

In order to meet these standards, Xavier’s Office of Internal Audits, along with the members of senior management, performed a simple yet formal risk assessment of University operations.

A risk assessment is a process that is very important to the development of effective audit work schedules. Consequently, the end result of this process will be a prioritized audit schedule. The areas with the highest scores will be considered the areas with the highest priority for audit and will be included in the audit activity’s audit plan. This list will be reviewed annually and priorities adjusted as the environment and circumstances dictate.

Attached is a list of the University’s auditable areas. Below are the definitions of four weighted risk factors that were used to assist in rating the auditable areas.

These four risk factors as defined are as follows:

  1. Department and Management Factors (40%)

    These factors include the complexity of the department or unit’s operations; quality of, and reliance on, internal controls; management abilities, turnover; number of employees; possibility of adverse activity; prior history (audit or management knowledge); and, recent changes (in budget, staff, or systems).
  2. Materiality (30%)

    Factors relative to materiality include size of assets, liquidity, and sensitivity; number of transactions; budget amount; financial impact; health and safety issues; impact of adverse activity; impact of inaccurate data; impact of service delays; impact on other departments; information sensitivity/confidentiality; opportunity for improvements or cost savings.
  3. Public and Outside Factors (15%):

    Public and outside factors include contact with outsiders; the impact of adverse publicity; public or political sensitivity; public relations issues; regulatory requirements and compliance; and audits by outside entities.
  4. Management Interest (15%):

    Management interest includes a manager’s own personal interest in a particular area or department for whatever reason. Management interest is usually driven by a manager’s ownership and specific knowledge of an area.

Each factor will be assigned a rating of 1 to 3 where “1” is “essentially no risk;” “2” equals “average risk;” and “3” equals “high risk.” Each area will be scored and ranked according to the results.

An example of the above is as follows:

Xavier University Office of Internal Audit Risk Analysis

| Audit Area | Dept Fact (40%) | Materiality (30%) | O/S Factors (15%) | Mgnt Int (15%) | Risk Value |
|---|---|---|---|---|---|
| Office of the President | 2 | 1 | 2 | 1 | 1.35 |
| Vice President for Academic Affairs | 3 | 2 | 1 | 1 | 2.10 |
| College of Pharmacy | 3 | 3 | 3 | 2 | 2.85 |

Senior Management’s participation in this process was imperative in that it assisted the Office of Internal Audits to concentrate on what they as managers considered important.

Office Of Internal Audit

504-520-5243

wbostick@xula.edu