SUPPORT FOR THE RISK ASSESSMENT

The mandate is for Auditors to require "non-subjective" Risk Assessments. Even if your auditor has suggested that your previous Risk Assessments were adequate, they may well not be viewed as adequate in the future. Risk Assessments based purely on High-Medium-Low ratings with little or no supporting evidence will almost certainly now be questioned.

You may think that subjectivity can never be completely removed from a Risk Assessment. Business knowledge, judgment and intellect will always be required in the Risk Assessment process. However, if that business knowledge, judgment and intellect is limited to one person, the result will most definitely be viewed as "subjective". As we indicated in previous articles, auditors do not necessarily view "justified belief" as "subjective".

Building organizational justification and removing subjectivity improves the overall quality of the Risk Assessment. Any time you can provide actual data to support the likelihood of an error or the magnitude of its impact, that data most certainly should be considered. However, such information may not be readily attainable and may be unreasonably expensive to obtain and measure. Therefore, for those portions of the Risk Assessment where business knowledge, judgment and intellect cannot (and should not) be removed, the logic and support behind the answers and the overall Risk Score MUST be supplied.

This justified belief is obtained by reaching out across the organization and asking the department heads and staff responsible for particular risks and controls to answer questions about them. These questions are usually developed over time; alternatively, an organization can purchase a set of questions from a number of vendors, or even obtain a list of questions from the auditors themselves.

Note that Risk Assessments are part of an ongoing Enterprise Risk Management process. That being said, the questions should never be considered complete and should be reviewed periodically to make sure they are still valid for the current business environment. When developing these questions, consider how you will translate the answers into the overall risk score. You can make this translation easier or harder depending on how you word the questions and whether you keep the answers consistent (for example, a "Yes" answer always signifies that a risk is mitigated or a control is effective, never the reverse). You should also build a cross reference between each question and the individual risk, control or regulation it is meant to address.

These questions can be asked in a one-on-one meeting or sent to individuals to answer remotely. For purposes of this paper, questions asked in a one-on-one meeting will be considered a "questionnaire", and questions asked remotely will be considered a "survey". The questions can be exactly the same between a survey and a questionnaire; the biggest differences between the two are delivery and audit trail. Questionnaires also make it easier for you to probe for clarification.

Questionnaires are usually assembled in a spreadsheet and asked during one or more meetings. To build an audit trail for the questionnaire, you can attach the answers to the meeting minutes, or you can print the answers and have the participant sign the printed questionnaire.

Surveys are often distributed via a software tool that provides statistics and all the audit trail necessary. However, in a small to medium sized organization, spreadsheets and email are still the common method of assembling and distributing surveys. This allows spreadsheet functions such as counting, sorting, etc. to help with statistical reporting and final analysis. Emails may also prove an adequate audit trail for the auditors.

However, the use of email and spreadsheets is extremely time consuming, and it can be very difficult to build an acceptable audit trail from them. Auditors have difficulty with Excel because it provides no audit trail of who changed an answer and when. Emails are often lost when a system-wide mailbox aging or size policy deletes them. So carefully consider the use of an automated tool for constructing and delivering surveys and questionnaires as support for your risk assessment. A software tool may be well worth it in the long run: it reduces the overall manual effort of distributing, collecting and analyzing the information, and it builds a rock solid audit trail to support your assessment.
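The following is an added illustration, not code from the Visage tool or from this newsletter. It shows the two practical points above in working form: a cross reference from each question to the control and regulation it supports, a consistent "Yes means mitigated" translation of answers into a weighted risk score (unanswered questions are scored as unmitigated rather than silently ignored), and a hash-chained, append-only answer log so that any later change to a recorded answer is detectable, which is precisely the change-control gap a bare spreadsheet leaves. The question ids, control names, regulation labels, weights and answers are all constructed for the example; a real institution's list would be considerably longer.

```python
"""Questionnaire scorer with a tamper-evident audit trail (constructed example)."""
import hashlib
import json
from datetime import datetime, timezone

# Cross reference: question id -> (control or risk it supports, regulation).
# Constructed for illustration; not a real institution's question set.
QUESTIONS = {
    "Q1": ("Periodic access reviews of the core banking system", "GLBA 501(b)"),
    "Q2": ("Due diligence performed on third-party service providers", "FFIEC Outsourcing"),
    "Q3": ("Patch management for Internet-facing servers", "FFIEC Information Security"),
    "Q4": ("Backup restoration tested within the last 12 months", "FFIEC BCP"),
}
# Weight: how much an unmitigated control contributes to the overall risk score.
WEIGHTS = {"Q1": 3, "Q2": 2, "Q3": 3, "Q4": 2}

YES = {"yes", "y", "true", "1"}
NO = {"no", "n", "false", "0"}

def normalize(answer):
    """Map free-form text to True (control effective), False (gap), or None (unknown)."""
    a = answer.strip().lower()
    if a in YES:
        return True
    if a in NO:
        return False
    return None

class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, respondent, qid, raw_answer, when=None):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "respondent": respondent,
            "question": qid,
            "answer": raw_answer,
            "prev": prev,
        }
        # Canonical JSON so the hash does not depend on dict ordering.
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if every entry's hash and back-link are intact."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

def score(log):
    """Return (risk_score, max_score, per-question detail).

    The most recent answer to a question wins. A question answered "No" or not
    answered at all counts its full weight toward the risk score.
    """
    latest = {}
    for e in log.entries:
        latest[e["question"]] = e["answer"]
    status_name = {True: "effective", False: "gap", None: "unanswered"}
    detail, total = {}, 0
    for qid, (control, regulation) in QUESTIONS.items():
        ans = normalize(latest.get(qid, ""))
        if ans is not True:
            total += WEIGHTS[qid]
        detail[qid] = {"control": control, "regulation": regulation,
                       "status": status_name[ans]}
    return total, sum(WEIGHTS.values()), detail

if __name__ == "__main__":
    log = AuditLog()
    log.append("IT Manager", "Q1", "Yes")
    log.append("IT Manager", "Q3", "No")
    log.append("Operations", "Q4", "yes")
    risk, maximum, detail = score(log)
    print(f"risk score {risk}/{maximum}, log intact: {log.verify()}")
    for qid, d in detail.items():
        print(qid, d["status"], "-", d["control"], f"[{d['regulation']}]")
```

Because each entry's hash covers the previous entry's hash, editing or deleting an earlier answer breaks every later link, so verify() fails; the log file itself can still be kept in a spreadsheet or mailbox, but its integrity no longer depends on them.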


Our Value 

    • Utilizing our proprietary SingleVue™  and OpsAudit™ methodologies, we tailor comprehensive, cost-effective and flexible solutions to our clients.
    • Our solutions enhance your current business processes, rather than adding unnecessary overhead, thus creating measurable long-term value.
    • We involve your executive team, including your internal and external advisors, to guarantee solutions are absolutely consistent with your requirements.
    • We allow you to concentrate on managing your business.

            For More information, visit our home page:  www.visagesolutions.com

"The Visage Risk assessment tool and methodology allowed us to respond to the risk assessment requirements of the FFIEC in a timely and cost effective manner."
   Robert Kernodle, SVP and Risk Officer, Cornerstone Bank

"Although there is always a degree of subjectivity in any risk assessment, the Visage Risk Assessment tool and methodology is one of the best I've seen in removing subjectivity and providing the underlying support for the scoring system."
   Patrick Camblin, Senior Partner, Camblin CPA, PLLC

If you would no longer like to receive periodic updates from Visage Solutions, please follow the unsubscription instructions at the bottom of the email.
Copyright © 2007 Visage Solutions, LLC.