UC Santa Cruz Office of Internal Audit and Advisory Services
Internal Audit Process Risk Ranking
Risk Ranking Process and Guidelines

  • Risk assessment starts when a process or unit is evaluated for audit. The auditor generally uses various tools and techniques, which may include flowcharts, questionnaires, and interviews or other inquiries, to identify key processes, process risks, and the controls the unit has implemented to mitigate risk.
  • If a unit has not performed a self-evaluation of its business risks and has not implemented measures appropriate to achieve an acceptable level of risk for its operations, this can be a significant finding.
  • "High-risk" processes or transactions should be subjected to specific controls that address the particular risk, rather than blanket controls or approvals.
  • Risk Factors: The following are 10 risk factors to consider for a major process or computing system. Each factor can be weighted to indicate its relative significance.
  1. Quality of the system of internal control: Adequate separation of duties; quality of established procedures; availability of clearly documented and understood policies and procedures; quality of process design; good audit trails and system-generated audit logs; backup materials available to reproduce results; capable, adequate, and well-trained staff; and quality of internal checks and balances such as computerized edits and useful exception reports.
  2. Dollar value of transactions: The total dollar value of annual transactions and of assets held (endowment funds, inventories, equipment) increases risk.
  3. Process/system complexity: The greater the complexity of the process or computing system, the greater the likelihood of error and the effort required to control the system.
  4. Sensitivity/public perceptions: Is there political or emotional sensitivity around the transaction(s)? What problems have there been in the past? Examples include issues such as employment equity, non-discrimination, environmental pollution, and compliance with donor restrictions.
  5. Level of external requirements: The more laws and regulations imposed by outside entities, and the more complex they are (such as IRS or EH&S regulations), the greater the risk of non-compliance.
  6. Liquidity of operational resources: How easily can resources be converted to cash? The greater the liquidity, the greater the attractiveness to those who would want to use resources improperly.
  7. Degree of delegated authority: Are the staff to whom authority is delegated knowledgeable and trained? What is the degree of oversight by knowledgeable staff? Does the decision maker take accountability and responsibility? Is there adequate staff to implement controls?
  8. Stability and obsolescence: Stability in the process, procedures, operational management, and employees performing the task decreases risk. Additional risks arise as IT systems and processes become obsolete and require workarounds, special programming, and higher maintenance costs. Frequent changes, new regulations, or software threats increase risk.
  9. Timeliness of monitoring and reconciliation activities: Is the frequency of system or process monitoring (of performance or of adherence to policy or procedures) adequate? Is the frequency of supervisory reviews, audits, reconciliations, or other analyses performed on transactions adequate? How quickly are errors detected? How quickly are actions taken to determine the cause of errors and to provide process or system improvements?
  10. Annual transaction volume: The greater the volume of transactions processed, the greater the expected number of errors and the effort required to control the work or data processed.

Risk Assessment Matrix (High-Medium-Low)

The following matrix can be used to help determine the risk ranking of a finding and its associated recommendations. Classification as high, medium, or low usually results from a combination of factors. The problem noted, and/or the failure to implement a recommended solution, could have the following impact:

High:   Potential significant life/safety threat.
Medium: Remote life or safety threat.
Low:    No life or safety threat.

High:   Potential exposure of a large volume of PII or other confidential data.
Medium: Potential exposure of any amount of confidential data.
Low:    No confidential data.

High:   Impact on financial statements is material (PWC SAS-112 financial risk is rated high).
Medium: Reportable financial statement impact (PWC or SAS 112 medium risk ranking).
Low:    No financial statement impact (PWC or SAS 112 low risk ranking).

High:   Potential campus-wide impact:
          1. Major administrative computing system internal control weakness.
          2. Potential for mission-critical process or system failure or breach (e.g., inability to register students or pay employees on time).
Medium: Departmental or unit-only impact.
Low:    Small subsection of people or transactions affected.

High:   Large dollar amounts or highly liquid assets (cash) at risk.
Medium: Medium dollar amount at risk, or assets not liquid or convertible to cash.
Low:    Low dollar amount at risk.

High:   Lack of a major control step. Significant control weakness creates potential for fraud.
Medium: Other compensating controls exist.
Low:    Several other compensating controls exist; this is a minor control feature.

High:   Loss of public trust if the bad effect occurs.
Medium: Some impact on public trust or Regental concern.
Low:    Unlikely to attract public interest.

High:   Potential for widespread violation of law, grant, or contract, or an actual violation has occurred.
Medium: Potential weakness could lead to violation of policy or procedure.
Low:    Recommendation is mainly an improvement in controls.

High:   Significant lack of reporting or monitoring results in a high risk that problems go undetected (no audit trails or audit reports).
Medium: Controls will normally lead to detection of the problem or error.
Low:    Fine-tuning of controls.

High:   Difficult or complex law, policy, or procedure lacking significant guidance or training (e.g., no safety training).
Medium: Some training or guidance; less complex procedure.
Low:    Easily understood; minimal training or guidance needed.

***