Friday, July 20, 2012

Assessing the Risks

The risk assessment process provides a structured means of evaluating information and applying professional judgment as to the most important areas for audit examination.
A detailed risk assessment is undertaken during the planning phase of the engagement to confirm that the lines of enquiry and the initial objectives have indeed focused on the most important risks associated with the program or activity being audited.
The objective statements for the audit, as outlined in the Risk-based Audit Plan, may need to be amended if the more detailed risk assessment reveals additional risks or assigns higher or lower risk scores to those risks already identified.
The steps involved in performing a detailed risk assessment are:
  • Identify the risks associated with the achievement of the auditee's objectives and expected results
  • Assess the relative significance of the risks in terms of the likelihood of each risk occurring and the impact should it occur
  • Determine on a preliminary basis whether management's assertions on controls are likely to prevent or mitigate the occurrence of the risks of greatest concern; and
  • Plan to focus audit objectives and scope on testing the existence or adequacy and effectiveness of key controls over areas of greatest risk.
Appendix G provides a Template for Documenting Engagement Risk Assessment.

Sources of Information

Some of the key documents and information that the audit manager can use to gain a good understanding include:
  • Acts and related legislation or regulations
  • Policy, procedures and standards manuals and directives
  • Results of previous audits or evaluations by the AES or by the Office of the Auditor General
  • Organization charts
  • Job descriptions and delegation instruments
  • Listings of key personnel
  • Process and system maps or flowcharts
  • Operational and financial data and reports
  • Planning and performance reports (i.e. the INAC Performance Report, the INAC Report on Plans and Priorities)
  • Management meeting reports or minutes
  • Management control frameworks, e.g. results-based management and accountability frameworks (RMAFs), risk-based audit frameworks (RBAFs)
  • Risk assessments
  • Management studies or reports
In addition to reviewing documentation and analyzing financial and non-financial performance information, the audit manager may also want to consider visiting sites and observing operations, interviewing management, field staff, central agency representatives or subject matter experts, and reviewing any available internal controls documentation.

Understanding the Audit Entity

The audit manager needs to develop a sound understanding of the program, activity, organization or initiative being audited, including its management practices, business processes, policies and procedures, and external and internal environments. The audit manager needs to be focused on all important aspects of risk management, control, and governance processes for the program, activity, organization or initiative being audited.

Planning Scenario

The planning phase normally consists of three distinct, but often overlapping, activities, i.e. gaining an understanding of the nature of the program, activity, organization or initiative being audited, determining and assessing risks, and determining the most appropriate audit objectives, scope and criteria to be employed.

Holding an Opening Meeting

During an opening meeting, the audit manager should clarify with the auditee the known details of the program, activity or organization to be audited, e.g. mandate, resources, structure, and should explain the auditee's responsibilities in the process. The audit manager can request copies of documents deemed to be important to acquiring a good understanding of the auditee's activities.
If the auditee has any suggestions for the audit objectives or scope, or has raised any concerns that the audit might address, these can be discussed at this time.

Notifying the Auditee


Before any work formally commences on an audit, AES informs the auditee in writing, normally via a bilingual e-mail message, with terms of reference attached. The auditee is normally the most senior manager directly responsible or accountable for the program, activity, organization or initiative. In some cases, there may be a shared accountability or an intersection of line and functional authority, e.g. national programs delivered at the regional level. In these cases, more than one auditee will be identified and informed of the audit. The individuals identified in regions as the Audit and Evaluation Coordinators should be copied on the communication.
The initial communication with the auditee is normally drafted by the audit manager and issued by the Director, Audit and Assurance Services. In the event of highly sensitive audit engagements, the CAEE may be called upon to issue the announcement. The communication specifies information known at the outset of the engagement, such as the initial objectives and scope, any specific considerations or concerns, and the names of the auditors assigned to the audit. The communication could request the scheduling of an opening meeting and the identification of a primary contact to facilitate the coordination of the audit work if an Audit and Evaluation Coordinator has not been identified to do so.
Shortly after the formal communication has been issued, the audit manager or Director should follow up by telephone, if necessary, to ensure that the auditee has received the notification and taken the appropriate steps to schedule the opening meeting or otherwise facilitate the audit commencement. The audit manager can also address any questions that the auditee may have concerning the audit.

Planning

During the planning portion of the audit, the auditor notifies the client of the audit, discusses the scope and objectives of the examination in a formal meeting with organization management, gathers information on important processes, evaluates existing controls, and plans the remaining audit steps.

Audit Process

Although every audit project is unique, the audit process is similar for most engagements and normally consists of four stages: Planning (sometimes called Survey or Preliminary Review), Fieldwork, Audit Report, and Follow-up Review. Client involvement is critical at each stage of the audit process. As in any special project, an audit results in a certain amount of time being diverted from your department's usual routine. One of the key objectives is to minimize this time and avoid disrupting ongoing activities.