Idaho State University

• Academics
• Prospective Students
• Current Students
• Faculty & Staff
• Alumni & Visitors

• IA Home
• About Us
  • Charter
  • Staff
  • Consultative Services
  • Frequently Asked Questions
• Audit Process
  • Types of Audits
  • Steps of an Audit
  • PCard Review Process
• Report Concerns
  • What to Report
  • How to Report
  • Investigation Process
• Policies
  • ISU Policies & Procedures
  • State Board of Education
  • State of Idaho Administrative Rules
  • State of Idaho Division of Human Resources Policies
  • State of Idaho Statutes
  • State of Idaho Board of Examiners
  • State of Idaho Fiscal Policy Manual
  • OMB Circulars
  • NCAA Rules & Bylaws
  • Exempt Student Organizations
• Department Links
  • Affirmative Action
  • Finance & Administration
  • Budget Office
  • General Counsel
  • Human Resources
  • Information Technology
  • Public Safety
  • Purchasing Services
• Staff Resources
  • Bengal Web
  • GMail
  • Student Homepage
  • Google Applications
  • P-Card CCER
  • Faculty/Staff Tools
• Professional Organizations
  • Institute of Internal Auditors (IIA)
  • Association of College and University Auditors (ACUA)
  • American Institute of Certified Public Accountants (AICPA)
  • National Association of College and University Business Officers (NACUBO)
• Documents and Forms

 

 

Stop 8093
Continuing Education Building
1001 N. 7th Ave. Suite 202
Phone: (208) 282-3182
Fax: (208) 282-4682

 

Risk Assessment

The purpose of the risk assessment is to develop an audit plan for performing audit projects in risk areas over a specified time in order to:

• minimize the risk of losses to the University
• prioritize audit projects by the level of risk
• utilize audit staff and time in an effective and efficient manner
• determine the nature, timing, and extent of audit steps and procedures in direct relation to the amount and nature of the risk

The risk assessment consists of three phases:

Identify auditable entities

We review the University structure to identify academic and administrative units.  We evaluate organizational charts and financial information in order to determine how to organize the units into auditable entities.  We also identify processes which apply to all departments such as payroll, meals and entertainment.

Conduct interviews

We interview the director, chair or manager of each auditable entity utilizing a standardized questionnaire. Some interviews cover multiple entities as certain individuals oversee multiple departments or functions. 

Analyze information and develop a risk matrix

After completing each interview, we utilize responses to the questionnaire to rate each entity based on twelve risk factors.  We also analyze financial information and research applicable policies and regulations.  The risk factors include:

1. Dollar volume and number of transactions
2. Quality of internal controls
3. Executive management interest
4. Results of prior audits
5. Changes in personnel, procedures, regulations, or systems
6. Complexity of activity
7. Public and political sensitivity
8. Time since last audit (internal or external)
9. Deviations from budget or plan
10. Compliance with SBOE/Institution policies and procedures, laws, and regulations
11. Audit required by regulatory agencies
12. Inherent risk of misappropriation of assets – cash, equipment, etc.

The risk factors for a given entity are assigned weights from 1 (less significant) to 5 (more significant) based on a standardized rating scale.  The sum of the weights determine the total risk score for each entity.

Audit projects are scheduled based on the highest risk entities. The risk assessment is updated annually as part of the audit planning process.