Risk Assessment Worksheet

8/2/2019 Risk Assessment Worksheet

1/64

Contributed June 27, 2002 by Don Whitehouse

Instructions for completing the risk assessment model.

1. Begin by inputting the information into the Objectives worksheet. The AUDIT column should consistoptional (Type, Unit, Objective and Key Contacts).

2. Each audit listed automatically copies to the remaining worksheets.

3. Go to the Summary worksheet. The Summary worksheet contains a Criteria legend.

4. Input the estimated audit hours needed to complete each audit. See estimated hours column.

5. Next, Point and click on each criteria under the Criteria Legend to input risk assessment data. Eacheach criteria element to help assign rankings. The Summary worksheet is automatically updated.

6. Go to the SORT worksheet. Point and click on the SORT BY RANK button.

7. While in the SORT worksheet, point and click on the available hours link. Input information as requir

8. Input the hours available for each audit by year for a 5-year plan. The net available or needed hoursbeginning at column V.

NOTE: Each time data is updated in step 5, criteria worksheet, all the subsequent steps must be


2/64

of the audit universe. Other columns are

Criteria worksheet contains comments for

d to get total available person-hours.

are automatically calculated. See row 16

repeated.


3/64

AUDIT OBJECTIVES

Data Entry Cells

Audit Type Legend: Unit Legend:

F Financial C1 Company 1

O Operational C2 Company 2

C Compliance C3 Company 3

C4 Company 4

C5 Company 5

C6 Company 6

C7 Company 7

AUDIT UNIT OBJECTIVE

Accounts Payable OF All Effectiveness and efficiency of A/P process. Controls over cash disbursements.

Accounts Receivable OF CII Effectiveness and efficiency of A/R process. Controls over cash receipts

SUMMARY PAGE

TYPE

SORT PAGE


4/64

C7 Company 7

AUDIT UNIT OBJECTIVETYPE


5/64

C7 Company 7

AUDIT UNIT OBJECTIVETYPE


6/64

Key Contacts


7/64

Key Contacts


8/64

Key Contacts


9/64

2002 RISK ASSESSMENT WORKSHEET

INTERNAL AUDITING

FIVE-YEAR AUDIT PLAN RISK ASSESSMENT ANALYSIS

Unit Legend: Criteria Legend:

C1 Company 1 A F

C2 Company 2 B G

C3 Company 3 C H

C4 Company 4 D I

C5 Company 5 E JC6 Company 6

C7 Company 7

Audit Type Legend:

F Financial

O Operational

C Compliance

A B C D E F G H I J RISK EST Last

EVAL MAX AUDIT AUDIT FIVE YEAR A

AUDIT UNIT 45 27 18 18 45 9 27 18 9 27 SCORE SCORE HOURS DATE 2002

OF C1 0 0 0 0 0 0 0 0 0 0 0 243 120

OF C2 0 0 0 0 0 0 0 0 0 0 0 243 120

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

Nature of Operations

Nature of Transactions

Management

Dollar Volume/Materiality

Changes in Procedures/Personnel

Results of Prior Audits/Mgmt Interest

Time Since Last AuditExternal Influences

MAXIMUM SCORE

VARIABLE

SORT PAGE

TYPE

Systems Opportunities to achieve operating benefits

AUDIT OBJECTIVES

Accounts Payable

Accounts Receivable

0

0

0

0

0

0

0

0

0

0

0

Data entry cells


10/64

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 2430 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0

0

0

0

0

0

0

0

0

0

0

00

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0


11/64

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 2430 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0

0

0

0

0

0

0

0

0

0

0

00

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0


12/64

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 2430 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 243

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0


13/64

2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 201


14/64


15/64


16/64


17/64

2024 2025 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 203


18/64


19/64


20/64


21/64

2042 2043


22/64

INTERNAL AUDITING MRU

FIVE-YEAR AUDIT PLAN RISK ASSESSMENT ANALYSIS

Unit Legend: Criteria Legend:

C1 Company 1 A F

C2 Company 2 B G

C3 Company 3 C H

C4 Company 4 D I

C5 Company 5 E JC6 Company 6

C7 Company 7

315

Audit Type Legend: Sum of Assigned Hours 20

F Financial Net 295

O Operational

C Compliance

A B C D E F G H I J RISK EST Last

EVAL MAX AUDIT AUDIT FIVE YEA

AUDIT UNIT 45 27 18 18 45 9 27 18 9 27 SCORE SCORE HOURS DATE 200

Accounts Payable OF C1 0 0 0 0 0 0 0 0 0 0 0 243 120 12

Accounts Receivable OF C2 0 0 0 0 0 0 0 0 0 0 0 243 120 8

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 2430 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 2430 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 2430 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 2430 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

0 0 0 0 0 0 0 0 0 0 0 0 0 0 243

NOTE: A

than

Systems Opportunities to achieve operating benefits

AUDIT OBJECTIVES

TYPE

VARIABLE

SUMMARY PAGE

Available Hours

Nature of Operations Dollar Volume/Materiality

MAXIMUM SCORE

Changes in Procedures/PersonnelNature of Transactions

Time Since Last AuditExternal Influences

Results of Prior Audits/Mgmt InterestManagement


23/64

A. Nature of Operations

NATURE OF OPERATIONS

AUDIT

Significant

Changes

Pressure

Meeting

Objectives

Clearly

Defined

Objectives

Strategic

Value

Inherent

Risk Total Score

Total

Possible

Score

Accounts Payable 0 45

Accounts Receivable 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 450 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 450 0 45

RANK

1 = Low risk to 9 = High risk

SUMMARY PAGE


24/64


0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45


25/64


0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45


26/64


C5Cell:Significant Changes: Measure of exposure relating to past and future changes impacting the unit.Comment:1. No significant changes experienced and minimal change is anticipated within the next year.5. Significant changes have occurred in the past year but are not anticipated within the next year.9. Unit will significantly change within the year.

D5Cell:Pressure Meeting Objectives: Measure of exposure relating to the sacrificing of accuracy for speed in executing transactionsComment:1 Quality is of the highest priority and existing deadlines have limited influence on work.

3 Unit tries to meet certain deadlines but is frequently late if errors exist.7 Unit must meet deadlines but will delay only if there are material problems.

9 Unit must meet certain deadlines and anything late is not acceptable.

E5Cell:Clearly Defined Objectives: Measure of the unit's understanding of its objectives and how they support the company's overall objectivesComment:1 Unit has clearly defined measures of performance which support the Company's overall objectives.5 Unit has some understanding of its objectives and how they support the company's overall objectives.

9 Unit's objectives are not clearly defined and do not support the Company's overall objectives.

F5Cell:Strategic Value: The company places significant value on the success of the division for future growth.Comment:1 The unit is important, but not significant to future operations, unit's future is stable.9 The unit is crucial for future success of company, uncertainty exists in the unit's future.

G5Cell:Inherent Risk: Each activity carries a certain risk comes with performing that activity.Comment:1 Low volatility or fluctuation to the unit's processes, products or external influences. The unit processes or produces a product that is dimarket or convert to personal use.

5. The unit's processes, products or external influences change frequently, however ample time is allowed to react to the changes. The processes or produces a product that is marketable or converted to personal use with limited difficulty.

9 The unit's processes, products or external influences change frequently and with little or no notice. High volatility.The unit processes oproduces a product very marketable and desired.


27/64

B. Nature of Transactions

NATURE OF TRANSACTIONS

AUDIT

Number of

Transactions

Complexity of

Transactions

Accuracy of

Information Total Score

Total

Possible

Score



0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 270 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 270 0 27

RANK


SUMMARY PAGE


28/64


0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27


29/64


0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27


30/64


C5Cell:Number of Transactions: Measure of the exposure due to accuracy being sacrificed because of the number of transactions that must beComment:handled.1 Unit has low volume and time to recheck work.4 Volume is moderate but time is available to correct most problems.

7 Volume is high and only serious problems are handled immediately.9 Volume is very high. Almost all error research is put off and only material problems are looked into.

D5Cell:

Complexity of Transactions: Measure of the level of complexity involved in transactions related to the unit.Comment:1 Transactions are simple and routine.

4 Transactions are moderately simple and require limited judgement.7 Transactions are fairly complex and may require personal judgement.

9 Transactions are complex and require involved thought processes.

E5Cell:Accuracy of Information: Measure of the exposure that has been mitigated by the accuracy of unit information.Comment:1 Information processed or retained by the unit has an excellent record of complete accuracy.3 Inaccuracy existing in information is not material to the unit.

5 Unit has experienced or is experiencing information accuracy problems, but the effect is only slightly material.7 Accuracy of the information is often suspect.

9 Unit has or is experiencing serious accuracy information problems.


31/64

C. Management

MANAGEMENT

AUDIT

Attention given

by Management

Monitoring

Activities Total Score

Total

Possible

Score



0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 180 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

RANK


SUMMARY PAGE


32/64

C. Management

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18


33/64

C. Management

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18


34/64

C. Management

C5Cell:Attention Given to Area by Senior Management: Measure of the attention given to the unit by senior management which mitigates risk.Comment:1 Senior management is fully aware of the activity of the unit.3 Senior management has periodic appraisal of the activity of the unit.5 Senior management has limited awareness of the activity of the unit.

7 Unit has past, current or potential problems and limited awareness by senior management.9 Serious exposures or actual problems have not been communicated to senior management.

D5Cell:

Monitoring Activities: Measure of the monitoring activities utilized by departmental management to mitigate risk or exposure in the unit.Comment:1 Departmental management is fully aware of all unit activity.

3 Departmental management adequately monitors unit activity.5 Departmental management monitors problem areas of the unit.

7 Departmental management becomes involved only if there are major problems with unit activity.9 There is no communication between staff and departmental management of the unit.


35/64

D. External Environment

EXTERNAL INFLUENCES

AUDIT

Compliance

with

Regulations

Market

Stability Total Score

Total

Possible

Score



0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 180 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

RANK


SUMMARY PAGE


36/64


0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18


37/64


0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18


38/64


C5Cell:Compliance with Regulations: Measure of the exposure due to complexity and volume of regulations or penalties for noncompliance.Comment:1 Few regulations and little risk for noncompliance.4 Either substantial regulations or penalties.7 Substantial volume of transactions with substantial penalty.

9 Heavily regulated with serious ramifications for noncompliance.

D5Cell:Market Stability: Measure of exposure related to the units reliance on customers, vendors, etc.Comment:

1 Market is very stable. Customers and vendors are static.5 Market is relatively stable. Significant customers and vendors are static but smaller customers and vendors are volatile.

9 Market is very volatile. Significant customers and vendors change frequently.


39/64

E. Systems

SYSTEMS

AUDIT

Integrity:

Reliance on

Information

Systems

Relevance:

Ability to

Satisfy

Business

Objectives

Access:

Unauthorized

Access and

Transactions

Availability:

Level of

Support

Complexity:

Relative number

of transactions,

files and devices Total Score

Total

Possible

Score



0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 450 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

SUMMARY PAGE

RANK



40/64

E. Systems

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 450 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 450 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 450 0 45


41/64

E. Systems

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 450 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 45

0 0 450 0 45

0 0 45

0 0 45


42/64

E. Systems

C5Cell:Reliance on Information Systems Applications/Criticality: Measure of exposure related to the disruption of information processingComment:1 System applications are time savers and the task can be performed manually.

3 Manual procedures and reinstallation of unmodified application packages are easily performed if the system application is not availablHistorical data can be ignored for up to one month.5 Costs of temporary remedies if the application were unavailable would be significant if extended over one business week. Access to

historical data must be available within one week.7 Unit has critical weeks or periods in which the application and historical data must be available. Transactions must be processed with

business days in order to be effective.9 Unit has critical applications which must be available real-time. Processing may require constant supervision.

D5Cell:Ability to Satisfy Business Objectives: Measure of exposure related to the r isk of an information system application not meeting the needComment:management.

1 Application is satisfying all or most functional requirements with adequate response periods.3 Application does not meet all business objectives or has some time response issues. Minor technical or functional changes are requir

planned.5 Technical and functional modifications are scheduled to make the application meet the majority of the unit's business objectives within

required time frames.7 Business objectives are changing such that the application will need significant modifications, which are not yet planned.

9 Application is scheduled for replacement or is currently in the process of being replaced.

E5Cell:Unauthorized Access: Risk to the company resulting from disclosure of sensitive information.Comment:1 Systems contain generally available information, manipulation of data would have no impact.

5 Systems contain confidential information; however, disclosure or manipulation of such information would only have a minimal impact ooperations. Controls are strong.

9 System contains highly confidential information; disclosure or manipulation would have a significant impact on operations.

F5Cell:Level of Support: Measure of exposure related to systems not being adequately supported.Comment:1 Technical support (in-house or vendor) is proactive to platform and functional issues with the application and provides timely, cost-effeupgrades. They solicit user requests for changes and initiate technical change requests when appropriate with user knowledge, approv

testing.3 Technical support (in-house or vendor) has minimal requests for changes and completes work adequately and timely with user approv

tests of changes.5 Technical support (in-house or vendor) is responsive to business needs and objectives and provides timely, cost-effective modification

Some changes are not communicated to and tested by users.9 Technical support (in-house or vendor) delays completion of support requests due to limited staff or knowledge. Some changes havedue to lack of user involvement and approval resulting in failures.

G5Cell:Complexity: Measures the relative number of users, interfaces, input items, physical files, logical files, simultaneous interactive queries, Comment:


43/64

E. Systems

xones supported, devices, and transaction volume. Also, measures the complexity of individual transactions, core programming languag

network.1 Relative low complexity

5 Average complexity9 Applicable systems are highly complex and require experienced personnel to maintain.


44/64

F. Dollar Volume/Materiality

DOLLAR VOLUME/MATERIALITY

AUDIT Materiality Total Score

Total

Possible

Score



0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 90 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

RANK


SUMMARY PAGE


45/64


0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9


46/64


0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9


47/64


C5Cell:Measure of the volume and/or materiality of the unit.Comment:1. Less than $100,0003. Less than $500,0005. Less than $1,000,000

7. Less than $10,000,0009. Greater than $50,000,000


48/64

G. Changes in Procedures/Personnel

CHANGES IN PROCEDURES/PERSONNEL

AUDIT

Training /

Experience

Adequacy of

Staffing

Levels

Segregation of

Duties Total Score

Total

Possible

Score



0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 270 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

SUMMARY PAGE

RANK



49/64


0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27


50/64


0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27


51/64


C5Cell:Training/Experience: Measure of the level of training and related experience given to the employees of the unit.Comment:1 Staff is well-experienced and well-trained with all unit policies and procedures.4 Staff experience is adequate and training is provided.7 Staff has a mix of experience and training is only provided if problems arise.

9 Staff is inexperienced and little or no training is provided.

D5Cell:Adequacy of Staffing Levels: Considers the number of transactions and the number of employees; measure of the adequacy of the staffComment:

level of the unit as it relates to the achievement of the unit's objectives.1 Staffing levels are appropriate to support the volume of transactions.

5 Open positions are causing difficulty in supporting the volume of transactions9 Staffing levels are not adequate to support the volume of transactions.

E5Cell:Segregation of Duties: Measure of how exposure has been mitigated by separating duties within critical operations.Comment:1 Segregation of duties provides good error detection and requires collusion to defraud.

4 Responsibilities for certain functions are divided, however, individuals have full control over some transactions.7 Individuals have full control over certain transactions but their work is subject to periodic review.

9 Individuals have full authority and responsibility for transactions with no or ineffective monitoring controls. I.e. there is no segregation oduties.


52/64

H. Results of Prior Audits/

Management Interest

PRIOR AUDIT RESULTS/MGT INTEREST

AUDIT

Audit

Findings Follow-up Total Score

Total

Possible

Score



0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 180 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

RANK


SUMMARY PAGE


53/64


Management Interest

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18


54/64


Management Interest

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18

0 0 18


55/64


Management Interest

C5Cell:Measure of the results of prior audits (based on report classification) and any know weaknesses of the unit.Comment:1. No audit findings.3. Low risk audit findings only.5. No audit findings above medium risk.

7. No audit findings above high risk.9. A high risk audit finding was discovered.

D5Cell:

Measures the committment of management to address audit issues.Comment:1. No audit findings or all findings were corrected within target completion date.

3. Action taken to address findings is reasonable although some target dates may have been missed.5. Little action was taken to address findings, however intermediate fixes reduce the level of risk.

7. Procedures were developed to address findings, but were not enforced.9. No action was taken to address the findings. Circumstances have not changed and the findings still exist.


56/64

I. Time Since Last Audit

TIME SINCE LAST AUDIT

AUDIT

Time since

Last Audit Total Score

Total

Possible

Score



0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 90 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

RANK


SUMMARY PAGE


57/64


0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9


58/64


0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9

0 0 9


59/64


C5Cell:Measure of the time period (in years) since the last audit was performed on the unit.Comment:1 Less than one year since last audit.3 One to two years since last audit.5 Two to three years since last audit.

7 Three to four years since last audit.9 Greater than four years since last audit or never audited.


60/64

J. Opportunities For Improvement

OPPORTUNITIES FOR IMPROVEMENT

AUDIT

Opportunity

Identification

Risk

Assessment

Management

Interest /

Request Total Score

Total

Possible

Score



0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 270 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

RANK


SUMMARY PAGE


61/64


0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27


62/64


0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27

0 0 27


63/64


C5Cell:Opportunity Identifiction: The unit keeps abreast of current practices and benchmarks against other units.Comment:1. The unit has a formal documented process for identifying opportunities, has strong measures, utilizes a problem solving model and bucorrective action into its operating plan.5. The unit has some processes for identifying opportunities, and may have some measures, may use a problem solving model and doe

always follow-up on taking corrective action.9. The unit does not look for improvement opportunities, has no or ineffective measures, and is satisfied with status quo.

D5Cell:

Risk Assessment: A risk assessment process is used to develop an annual operating plan.Comment:1. The unit has a documented formal risk assessment process in place that allows recognition and assessment of changes to its risk pro

The process allows the unit to make informed decisions about accepting, transfering, avoiding or reducing the risk to an acceptable leveunit is proactive.

4. The unit uses a formal risk assessment occasionally or when new risks are identified.7. The unit inconsistently uses an informal and incomplete risk assessment process and is reactive to changes to its risk profile.

9. The unit does not have a risk assessment process and is reactive using ad hoc problem solving. "Fights fires"

E5Cell:Management Interest/Request: Measures the level of interest expressed by Management to have Internal Audit review or audit the activComment:1 No management interest.3 Interest by management expressed through casual conversation.

5 Interest by direct management expressed as a concern.7 Interest by multiple managers or a senior manager.9 Request or interest by a stratum 4 or above manager.


64/64

Available productive hours

Total 1 2 3 4Regular hours 2080 2080 800Vacation 80 120Holidays 80 80

Sick 40 40Training 80 80TravelAdministrative 104 250Audit Follow-up 50 50Misc 50 50Special Audit Projects 200 200Management Request 100 150Net Hours Available 1296 1060 800 0

Combined Net Hours Available 3156

Sort Page

Risk Assessment Worksheet

Documents

Transcript of Risk Assessment Worksheet