Impact and Likelihood Scales

IIA Audit Tool

Category: Professional
Purpose: How To
Engagement process: Risk Assessment > Gather Information > Engagement Planning > Execution > Reporting

IIA Standard 2210.A1 states, in part, that “Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review.” 1

[Figure: Fraud Risk Matrix for Accounts Payable]

An effective way to perform and document an engagement-level risk assessment is to create a risk matrix listing the relevant risks and then expand the matrix to include measures of significance. The format of the matrix may vary but typically includes a row for each risk and a column for each risk measure, such as impact and likelihood. Impact and likelihood are assessed as being low, medium, or high.

An example of a risk matrix concerning frauds that may occur within an organization’s accounts payable process is shown to the right and is used as an example throughout this paper.

Assessing impact can be complicated because it involves both quantitative and qualitative factors. Internal auditors should account for not only the financial, operational, and regulatory impact of potential risks, but also the nonfinancial impacts, such as damage to the organization’s reputation or relationships with customers or vendors. For example, a risk with an immaterial, direct financial impact to an organization could still greatly affect its reputation and therefore be categorized as high impact.

Factors to consider when assessing likelihood include past allegations or occurrences, prevalence of similar incidents
in the industry, and the complexity and number of people involved in a process.

Risk ratings from the matrix can then be represented on a basic graph, such as a heat map as shown below. By
plotting each risk’s impact along one axis and its likelihood along the other axis, internal auditors can depict the risk’s
overall significance, or priority. Typically, the combined significance of impact and likelihood is indicated using a color
system: red denotes the highest priorities, orange denotes risks that are significant enough to warrant consideration,
and yellow denotes risks that are not significant.

1. Internal auditors may wish to review Standard 2210 – Engagement Objectives in its entirety.

[Figure: Sample Heat Map]

This heat map depicts the impact and likelihood from the accounts payable example above. Heat maps should be included in an engagement’s workpapers because they support internal audit’s decisions on risk significance.

One limitation of heat maps is that impact and likelihood appear to be equally important. While such equivalence may be true at times, impact usually takes priority over likelihood. For example, in most cases, a risk rated high impact and low likelihood (H, L) should be prioritized over a risk rated low impact and high likelihood (L, H).

An additional limitation of heat maps is that only two measures can be considered at a time (in this case, impact and likelihood). It may be desirable or necessary to also consider such measures as velocity, vulnerability, volatility, interdependency, and/or correlation when determining the significance of risk.

Based on the completed heat map, internal auditors can easily visualize significant risks that should be included in an engagement for further testing. The table below shows the fraud risk matrix adjusted to reflect only the prioritized fraud risks from the accounts payable engagement example.
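As an added, runnable illustration of the matrix, heat map, and prioritization described above (example code, not part of the IIA tool), the script below rates constructed accounts payable fraud risks. The cell-to-color rule and the sample risks are assumptions, chosen so that (H, L) and (L, H) land in the same orange cell yet rank differently once impact is given precedence over likelihood.

```python
"""Engagement-level risk matrix and heat map, with impact taking
precedence over likelihood when ranking risks of equal color."""
from dataclasses import dataclass

RANK = {"L": 1, "M": 2, "H": 3}  # low / medium / high ratings


@dataclass(frozen=True)
class Risk:
    name: str
    impact: str       # "L", "M" or "H"
    likelihood: str   # "L", "M" or "H"


def heat_color(impact: str, likelihood: str) -> str:
    """Map an (impact, likelihood) cell to a heat-map color.
    Assumed cell rule (not from the IIA tool): rank sum 5-6 is red,
    4 is orange, 2-3 is yellow."""
    combined = RANK[impact] + RANK[likelihood]
    if combined >= 5:
        return "red"
    if combined == 4:
        return "orange"
    return "yellow"


COLOR_ORDER = {"red": 0, "orange": 1, "yellow": 2}


def prioritize(risks):
    """Order risks by heat-map color, then impact, then likelihood.
    Within one color, impact breaks the tie, so (H, L) ranks above (L, H)."""
    return sorted(
        risks,
        key=lambda r: (COLOR_ORDER[heat_color(r.impact, r.likelihood)],
                       -RANK[r.impact], -RANK[r.likelihood], r.name),
    )


def significant(risks):
    """Risks to carry into the engagement (red or orange cells);
    yellow-cell risks would go to the fraud risk inventory / watch list."""
    return [r for r in prioritize(risks)
            if heat_color(r.impact, r.likelihood) != "yellow"]


# Constructed sample matrix; not the figure from the IIA paper.
SAMPLE = [
    Risk("Fictitious vendor set up and paid", "H", "L"),
    Risk("Duplicate payment of the same invoice", "L", "H"),
    Risk("Payment diverted by altered vendor bank details", "H", "M"),
    Risk("Minor expense coded to wrong GL account", "L", "L"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f"{heat_color(r.impact, r.likelihood):6} ({r.impact}, {r.likelihood}) {r.name}")
```

Running the script lists the red (H, M) risk first, then the two orange risks with (H, L) ahead of (L, H), and the yellow risk last; `significant(SAMPLE)` drops that yellow risk.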

In the example shown below, internal auditors can provide management with the identified fraud risks to be
considered for inclusion in the organizationwide risk assessment. Fraud risks that are not selected for further
evaluation during this engagement may be transferred to internal audit’s fraud risk inventory, or watch list, to be
considered for future engagements. In this example, if information discovered during the fraud risk assessment
indicates a potentially fraudulent act, internal auditors should follow established protocols for internally reporting and
investigating the allegations.

Typically, internal auditors would report the concern and preliminary evidence to the CAE, who would decide whether
the issue should be escalated to senior management and/or the board.

[Table: Significant Fraud Risks from Heat Map]

ABOUT THE IIA
The Institute of Internal Auditors (IIA) is the internal audit profession’s most widely recognized advocate, educator, and provider of standards,
guidance, and certifications. Established in 1941, The IIA today serves more than 200,000 members from more than 170 countries and territories.
The association’s global headquarters is in Lake Mary, Fla. For more information, visit www.theiia.org.

COPYRIGHT
Copyright © 2021 The Institute of Internal Auditors, Inc. All rights reserved. For permission to reproduce, please contact copyright@theiia.org.

March 2021
