Risk Assessment Methodology

Internal Audit Department Risk Assessment Methodology

The UNM Internal Audit Department (Internal Audit) works with management to create a risk-conscious climate and a risk-based audit plan that focuses its priorities on those areas where risks and material exposure are greatest. Internal Audit uses a risk assessment methodology to select University colleges, schools, centers, branches, departments, and programs (“Units”) that will be included in the five-year audit plan.

Auditable Units – Auditable units are developed based on the University strategic goals, objectives, financial and key operational systems, organizational structure, significant University processes, and topics of the Association of College & University Auditors (ACUA) surveys. Core audit areas identify those business operations whose key controls are relied on day in and day out for the business of the University to be carried out. In addition to the functional areas, the Units are primarily selected at “Level 3” or “Level 5” organizations on the University of New Mexico Organizational Reporting Structure.

Audit Universe – The audit universe is the compilation of the auditable units. The audit universe serves as the source from which a five-year audit plan and the annual audit schedule can be prepared. The universe will be periodically revised to reflect changes in the overall risk profile.

Internal Audit evaluates the overall risk assessment of each individual Unit based on “Likelihood” and “Impact.” “Likelihood” is the probability that non-compliance, misstatement, or fraud may occur within the Unit considering the Unit’s internal controls in place. “Impact” represents the effect a single occurrence of the risk will have upon the successful achievement of the Unit’s goals and objectives.

Internal Audit identifies various factors that may affect “Likelihood” and/or “Impact” that contribute to a rating system of the overall risk assessments. Selected factors are described below:

Risk Assessment Questionnaire: Internal Audit distributes a risk assessment questionnaire to the head of each of the Units included in our University-wide risk assessment. The questionnaire includes a number of selected risk questions that are self-assessed by each Unit, and several open-ended questions for each Unit to identify any additional risks or concerns that may exist. The questionnaire presents several possible risk areas throughout the Unit, and requests that the recipient rank the risks based on their perceived likelihood of the risk occurring, and the impact of the risk on the Unit.

Complaints: Internal Audit considers the number of complaints received from prior years related to the Unit.

ACUA High Risk Area: Internal Audit reviews the Unit that encompasses components that were identified by ACUA as high risk areas.

Discussions with University Officials: Internal Audit holds discussions with selected University officials to determine if they have any specific risks and/or concerns related to any college, school, branch, center, department, or program that reports to them.

Size and Significance: The size of the Unit based on annual expenses and/or transaction volume, and the significance of its operations.

Upon completion of the University-wide risk assessment, Internal Audit proposes a five-year audit plan to the UNM Board of Regents’ Audit and Compliance Committee for its review and approval. Internal Audit will revisit the five-year audit plan on an annual basis. Any new information brought to the Internal Audit Department’s attention will be considered for future audit plans.