Risk Assessment Methodology in Performance Auditing By Muhammad Akram Khan Former Deputy Auditor General of Pakistan makram1000@gmail.com
Introduction Performance auditors need to carry out risk assessment at two stages: (a) while preparing annual plan for deciding the audit assignments; (b) while preparing audit plan for an assignment for deciding audit issues to be focused. The present methodology is generic and applies to both stages. In broad terms, “risk” can be defined as anything that prevents an entity from meeting its goals and objectives. An answer to the key question, “what can go wrong?” usually identifies risk in an entity, function or process. The risks are of three types: Inherent risk: It refers to the risk in the first place. It is determined by asking the question: Assuming there are no internal controls in place, what can go wrong? Control risk: It refers to the risk that the internal control may not be working or are inadequate and do not prevent the inherent risk take place. It is also known as residual risk. Ultimate risk: It refers to the probability and impact of the risk, should it take place. It means: Assuming the internal controls are what they are, what is the probability that the identified risk will occur and if it does occur what impact will it have on the operations and objectives of the organization?
Categories of Risk An organization can face numerous types of risks. For sake of simplicity, the auditors can classify the risks in following categories. Classifying the risks in these categories helps in organizing thoughts relating to possible risks. It is more likely that the auditors will be able to enumerate all possible risk if they think through these categories. Strategy risk: Strategy risk encompasses those risks which can occur through lack of strategic thinking that manifests in strategic planning; adverse or improperly implemented decisions; lack of responsiveness to changes in the external environment; and exposure to economic or other considerations. Governance risk: Governance risk arises through inappropriate use of authority in decisionmaking. Examples of governance risk are probability of corruption and misuse of authority; failure to establish appropriate processes and structures for informing, directing, managing and monitoring