Kevin W. Harper CPA & Associates

How to respond to auditors asking for Risk Assessment documentation?

7/19/2021

When auditors ask to see your Risk Assessment documents, and you don’t have any ready to give them, don’t panic. Oftentimes, auditors ask for documentation of things that senior management are already doing (or at least should be doing in a well-managed government).
The post below describes an easy way to perform a risk assessment that meets auditors’ requests, and it provides an example you can tailor to your organization.

What do auditors mainly want to see?

Auditors want to know that your government has identified the major risks that could keep it from being successful.
Although risks can be assessed at any level, auditors are most concerned about events that could have huge negative financial impacts. This is because a huge financial impact might require using a lot of a government’s reserves or might reduce revenues by, say, 30%.
Keep in mind that it is unlikely that a 10% reduction in revenues would be considered “huge” in this context, even if the dollar amount is large. So, auditors are generally not concerned about risks at the level of financial internal controls when asking about a risk assessment (those risks are covered in their internal control analyses). Instead, they are usually just looking for evidence that the largest risks a government faces have been identified and that management has considered whether controls in place are adequate to minimize those risks.

Internal controls are procedures put in place by an organization to manage its risks. Management should be comfortable that the resulting exposure (uncontrolled risk) is acceptable.

This relationship is denoted as:
Exposure = Risk - Control

What about bigger risks?

It is common for the management team of a government to know the major risks it faces, and to be appropriately managing those risks. However, it is also common that this “risk assessment” is not well documented. Auditors want to see documented evidence that this risk assessment occurred, and they typically request it in a format that they can review for reasonableness and completeness.

As an example of a risk assessment, a client of ours recently identified the following significant risks:

  • Negative Outcome in Pending Lawsuit
  • Workplace Violence 
  • Natural Disaster 
  • Labor Strike 
  • Loss of Critical IT Functionality
  • Financial Fraud 
  • Legislative Changes 
  • Non-compliance with Laws
For each of these identified risks, the senior management team discussed the likelihood that the risk will occur and the consequences to the government if it did. They discussed the ways the government is currently managing these risks (i.e., the controls already in place). They also came to a conclusion about whether each risk is being managed adequately. For any risk they deemed not managed adequately, they agreed on a work plan to improve their management of it. The work plan included a list of tasks to be done, by whom, and the dates. This risk assessment was conducted over the course of two senior management meetings, with an average of 15 minutes spent discussing each risk.

See below an example of the documentation that was provided to auditors for one of these risks:
[Image: risk assessment documentation example – workplace violence]
Providing auditors with a risk assessment does not have to be an overwhelming task. And it is time well spent for senior management (and the audit committee) to discuss large risks and how they are managed.

If you have more questions about Risk Assessment documentation, feel free to reach out to Kevin directly:

Kevin Harper, CPA
kharper@kevinharpercpa.com
(510) 593-503

    The Government Finance and Accounting Blog

    Your source for government finance insights, resources, and tools.

    Meet the Author


    Kevin W. Harper is a certified public accountant in California. He has decades of audit and consulting experience, entirely in service to local governments. He is committed to helping government entities improve their internal operations and controls.
