Risk Methodology

Risk Intelligence Organization

AMASRIRole image


The internal audit risk assessment is an annual and on-going predictive risk based exercise established to identify concerns and potential risk areas to be considered for inclusion in the annual audit plan and as a source of campus risk intelligence gathering.  It is relied upon by senior campus leadership as an independent perspective on potential areas of campus risk.  Refer to AMAS Risk Assessment Process below.

The approach as prescribed by the UC Internal Audit Program begins with the UC audit risk universe consisting of over 180 campus entities and processes.  Each audit risk universe topic is risk ranked and scored using UC audit risk factors. Input into the process included consideration of themes and concerns generated from more than 43 interviews conducted with campus leaders. 

High risk topics were integrated with campus risk intelligence and compliance program efforts, the campus risk register, and the risk intelligence priority list maintained by the Campus Ethics and Compliance Officer (CECO).  This year’s list of top rated topics is included in Appendix A and used to generate the FY2017 internal audit plan.

The FY 2017 internal audit plan was shared with the campus Risk Intelligence Oversight Committee for review and concurrence, and forwarded to the Chancellor for final approval.  

AMAS Risk Assessment Process

AMAS Risk Assessment Factors and Scoring

Audit Project Risk Assessment

A preliminary survey is conducted which usually begins with a meeting with the principal/senior officer of the activity to discuss potential scope and concerns; interviewing management and staff, and gathering background information; identifying key strategic, operational, and compliance objectives; reviewing formal guidance; gaining an understanding of organizational governance, risk management processes, and regulatory compliance; reviewing budgetary information, flowcharting key departmental processes, and identifying and testing key departmental processes and controls. The preliminary survey may indicate that additional field work is necessary to focus on areas where controls could be improved. The result of the survey is the generation of a risk matrix leading to the development of an audit program.