
RISK ASSESSMENT GUIDE IN PUBLIC INTERNAL AUDITING

 

I. INTRODUCTION

This guide has been prepared by the Internal Audit Coordination Board pursuant to Article 36 of the By-Law on Working Procedures and Principles of Internal Auditors.

When administrations prepare their risk-based internal audit plans and programs, risk assessment is performed in accordance with this Guide.

Risk is a case or an event that may prevent the administration from achieving its founding goals and strategic objectives as well as from performing its duties, or that may cause unexpected damage.

While carrying out their activities, public administrations are exposed to several risks and uncertainties. Administrations can manage these risks by accepting, avoiding, transferring or controlling them within the scope of risk management. Internal control processes to be established are the most effective solutions in reducing negative effects of risks and uncertainties.

Risk-based audit is an audit approach in which the risk factors pertaining to the administration's fields of activity are defined, risk levels are measured, the efficiency and adequacy of the controls applied to these risks are assessed, and the highest-risk areas are given priority in auditing. The aim of risk-based audit is to ensure the efficient use of audit resources and, by concentrating audit work on risky areas, to maximise the contribution made to the management in increasing the efficiency of management, control and risk management processes.

The management is responsible for developing and implementing the strategies required for definition and control of risks.

All activities of the administrations are subjected to a comprehensive risk analysis by internal audit units within the framework of the risks defined by the management. If the management has not established a risk management process for defining and controlling risks, or if the existing process was deemed inefficient in former audits, risk identification studies may be performed by internal audit units.

The risks that may affect the services provided by public administrations are analysed, and on the basis of the evaluated results each predetermined risk is assigned a weighted value and rated by its level of riskiness and significance. Taking these evaluation results into account, the internal audit plan and programs are prepared starting with the areas and subjects with the highest risk.

 

II. RISK ASSESSMENT

The risk assessment to be performed by the internal audit unit is composed of the following four stages:

- Identification of audit universe

- Determination of auditable areas

- Determination of structural risk levels

- Prioritization of auditable areas

In risk assessment studies, discussion platforms should be established to ensure high participation, each auditable area should be considered separately, and the criteria used in measuring risks should be followed. Risk assessment results should be constantly reviewed and updated for new risks and uncertainties that arise over time.

1. Identification of audit universe and determination of auditable areas

Studies relevant to the identification of the audit universe and the determination of auditable areas are carried out in accordance with the manual for preparing the public internal audit plan and program.

2. Determination of the structural risk levels

Given that risk is defined as the likelihood that an event or an activity will have a negative effect on the administration, structural risk may be defined as the risk arising from the existing structure of the public administration or the nature of the activity when existing controls and measures are excluded. Determining the structural risk levels of an administration consists of identifying the structural risk criteria (components) and measuring them.

2.1  Identification of structural risk criteria

Auditable areas are assessed within the framework of the determined risk criteria. The model used in determining risk criteria should be as simple as possible and should include the definitions of the determined risk criteria. It is of great importance that the head of the public administration and the chief audit executive understand the criteria used in determining risky areas and agree on them.

A sample risk criteria model that may be used in determining structural risk levels is provided below. Administrations should establish their own risk criteria model which best fits their activity fields. However, the administration should be careful not to have an excessive number of structural risk criteria in the model it establishes.

Some examples of risk criteria:

- Budgetary magnitude

The amount of resources allocated to the public organization through the budget increases the possibility that losses and damage occur.

- Transaction volume and number of personnel

An insufficient number of personnel relative to a high transaction volume may increase the probability of error and put the administration at risk.

- Complexity of activities

Complexity of the administration's activities may complicate the application of controls and thus increase the possibility of errors.

- Intensity of legislation

When many legal regulations apply to the activity field of the public administration, the legislation becomes more difficult to understand, and this may increase the risk of failing to perform the activities in compliance with the legal regulations.

- Structural, operational and technical changes

Since new units and activities, restructuring projects, significant changes in organization and human resources are at high risk, they should be given priority to be included in audit scope.

- Structure of information technologies system

Because a wide variety of information technologies and a large database may make the safeguarding of assets difficult and cause the loss of significant information, this is a component that may increase riskiness.

2.2  Measurement of structural risk level

After the structural risk criteria pertaining to auditable areas are defined, structural risk levels are determined by assessing the position of auditable areas against these risk criteria. This assessment is performed according to the following two methods:

a. Cumulative method

Each risk criterion is assigned a weighted value by taking into account its impact and significance on the activities of the administration. Likewise, a value from 1 to 5 which indicates the risk level is assigned to each risk criterion. 1 is used for the lowest risk level, 5 for the highest risk level. Then the value assigned to each risk criterion is multiplied by the weighted value of that criterion, and a risk point is obtained for each criterion. Lastly, the risk points of all criteria are summed and the structural risk level of the auditable area is determined. An example pertaining to the implementation of the cumulative method is provided in Annex: 1.

b. Relative method

Each risk criterion is assigned an impact value from 1 to 5 by taking into account the impact and significance, on the activities of the administration, of the risk that may occur with regard to that criterion. 1 is used for the lowest impact level and 5 for the highest impact level. Likewise, a likelihood value from 1 to 5 is assigned by taking into account the likelihood of occurrence of the risks related to the risk criterion. 1 is used for the lowest likelihood level and 5 for the highest likelihood level. Then the assigned likelihood value is multiplied by the impact value, and a risk point is obtained for each criterion. Lastly, the risk points of all criteria are summed and the structural risk level of the auditable area is determined. An example pertaining to the implementation of the relative method is provided in Annex: 2.
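
The two scoring methods described above, as an added example in Python (not part of the Guide): it validates the 1 to 5 scale and the weighted values, computes the structural risk level by either method and ranks the areas. The weights and the criterion points for areas A, B, C and E are those printed in Annex 1; the function names and the (likelihood, impact) pairs for areas P and Q are constructed for illustration.

```python
from decimal import Decimal

# Weighted values from Annex 1/A (40/30/15/15 %), in criterion order:
# budget, transaction volume/personnel, complexity, changes.
WEIGHTS = [Decimal("0.40"), Decimal("0.30"), Decimal("0.15"), Decimal("0.15")]

def _check_levels(values):
    """Reject anything that is not an integer on the 1-5 scale."""
    for v in values:
        if not isinstance(v, int) or not 1 <= v <= 5:
            raise ValueError(f"level {v!r} is outside the 1-5 scale")

def cumulative_score(levels, weights=WEIGHTS):
    """Cumulative method: sum of (risk level x weighted value) per criterion."""
    if len(levels) != len(weights):
        raise ValueError("one level per criterion is required")
    if sum(weights) != 1:
        raise ValueError("weighted values must add up to 100 %")
    _check_levels(levels)
    return sum(Decimal(l) * w for l, w in zip(levels, weights))

def relative_score(pairs):
    """Relative method: sum of (likelihood x impact) per criterion."""
    for likelihood, impact in pairs:
        _check_levels((likelihood, impact))
    return sum(l * i for l, i in pairs)

def rank(scores):
    """Order auditable areas from highest to lowest structural risk."""
    return sorted(scores, key=lambda area: (-scores[area], area))

# Criterion points for areas A, B, C and E as printed in Annex 1/B.
ANNEX_1B = {"A": [5, 4, 5, 2], "B": [4, 5, 4, 3],
            "C": [4, 3, 3, 2], "E": [2, 1, 2, 5]}

# Constructed (likelihood, impact) pairs for two hypothetical areas.
SAMPLE_RELATIVE = {"P": [(4, 5), (2, 3), (3, 3), (1, 2)],
                   "Q": [(2, 2), (5, 4), (1, 1), (3, 2)]}

if __name__ == "__main__":
    cum = {a: cumulative_score(l) for a, l in ANNEX_1B.items()}
    rel = {a: relative_score(p) for a, p in SAMPLE_RELATIVE.items()}
    for area in rank(cum):
        print("cumulative", area, cum[area])
    for area in rank(rel):
        print("relative", area, rel[area])
```
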

 

3. Prioritization of auditable areas

The last stage of risk assessment is the prioritization of auditable areas by comparing the risks pertaining to each auditable area.

Each auditable area is rated by taking the above-mentioned risk criteria as a basis. According to the results of the rating, auditable areas are expressed on a scale as simple as possible.

A sample rating scale is as follows:

1: High risk areas

2: Medium risk areas

3: Low risk areas


 

ANNEX: 1/A

 (X) ADMINISTRATION “CUMULATIVE RISK ASSESSMENT” PRACTICAL EXAMPLE

1) Definition of Audit Universe and Determination of Auditable Areas

Regarding (X) administration; audit universe is defined as all the activities of the administration and areas A-J have been determined as auditable areas.

2) Determination of structural risk levels

2.1) Identification of structural risk criteria

Four risk criteria with an effect on the activities of the administration have been identified. These are budgetary magnitude; transaction volume and the number of personnel; complexity of the activities; and structural, functional and technical changes.

2.2) Measurement of structural risk level

Through the assessment of auditable areas against the risk criteria, the following structural risk levels have been determined.

 

IDENTIFICATION OF RISK CRITERIA AND ASSESSMENT SCALE FOR ADMINISTRATION (A)

| RISK CRITERIA | LEVEL | COEFFICIENT | WEIGHT (%) |
|---|---|---|---|
| Budgetary Magnitudes (Million YTL) | More than 100 | 5 | 40 |
| | 60-100 | 4 | |
| | 20-60 | 3 | |
| | 5-20 | 2 | |
| | Less than 5 | 1 | |
| Transaction Volume and Number of Personnel | Transaction Volume is High, The Number of Personnel is Quite Insufficient | 5 | 30 |
| | | 4 | |
| | | 3 | |
| | | 2 | |
| | Transaction Volume and The Number of Personnel is Balanced | 1 | |
| Complexity of Activities | Very Complex Activities | 5 | 15 |
| | | 4 | |
| | | 3 | |
| | | 2 | |
| | Not Complex Activities | 1 | |
| Structural, Functional and Technical Changes | Very Frequent Changes | 5 | 15 |
| | | 4 | |
| | | 3 | |
| | | 2 | |
| | Rare Changes | 1 | |


 

ANNEX: 1/B

MEASUREMENT OF STRUCTURAL RISK LEVELS OF ADMINISTRATION (X) AUDITABLE AREAS

Criteria: (1) Budgetary Magnitude; (2) Transaction Volume and The Number of Personnel; (3) Complexity of the Activities; (4) Structural, Functional and Technical Changes.

| Auditable Areas | (1) Criterion Points | (1) Weighted Value | (1) Risk Points | (2) Criterion Points | (2) Weighted Value | (2) Risk Points | (3) Criterion Points | (3) Weighted Value | (3) Risk Points | (4) Criterion Points | (4) Weighted Value | (4) Risk Points | Audit Priority Risk Points |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| A | 5 | 0.40 | 2.00 | 4 | 0.30 | 1.20 | 5 | 0.15 | 0.75 | 2 | 0.15 | 0.30 | 4.25 |
| B | 4 | 0.40 | 1.60 | 5 | 0.30 | 1.50 | 4 | 0.15 | 0.60 | 3 | 0.15 | 0.45 | 4.15 |
| C | 4 | 0.40 | 1.60 | 3 | 0.30 | 0.90 | 3 | 0.15 | 0.45 | 2 | 0.15 | 0.30 | 3.25 |
| D | 3 | 0.40 | 1.20 | 4 | 0.30 | 1.20 | 4 | 0.15 | 0.45 | 1 | 0.15 | 0.15 | 3.00 |
| E | 2 | 0.40 | 0.80 | 1 | 0.30 | 0.30 | 2 | 0.15 | 0.30 | 5 | 0.15 | 0.75 | 2.15 |
| F | 2 | 0.40 | 0.80 | 2 | 0.30 | 0.60 | 3 | 0.15 | 0.45 | 1 | 0.15 | 0.15 | 2.00 |
| G | 3 | 0.40 | 1.20 | 2 | 0.30 | 0.60 | 2 | 0.15 | 0.30 | 4 | 0.15 | 0.60 | 2.70 |
| H | 1 | 0.40 | 0.40 | 3 | 0.30 | 0.90 | 1 | 0.15 | 0.15 | 2 | 0.15 | 0.30 | 1.75 |
| İ | 3 | 0.40 | 1.20 | 2 | 0.30 | 0.60 | 4 | 0.15 | 0.60 | 4 | 0.15 | 0.60 | 3.00 |