
Http: //Www.Mbaclubindia.Com/Forum/Risk-Assessment-Methodology-3639.Asp#.Upuskdlbg8W


Submitted By ankitsehgal
Risk Assessment Methodology

Introduction

The Internal Audit and Oversight Division (IAOD) has developed a Risk Assessment Methodology which is based on Institute of Internal Auditors (IIA) advisory and guidance as well as generally accepted good practice adopted for such exercises. The main purpose of the Risk Assessment Methodology is to enhance objectivity and transparency and to provide a sound basis for the preparation of the Audit Needs Assessment (ANA) and the Annual Audit Work Plan. The main definitions of risk and risk assessment are given below to enable a better understanding of the Risk Assessment process undertaken by IAOD.

Risk Assessment Definitions

Risk

It is an uncertain future event which could adversely affect the achievement of an organization’s objectives.

Risk Likelihood

It is the probability that a risk can occur. The factors that should be taken into account in the determination of likelihood are: the source of the threat, the capability of the source, the nature of the vulnerability, and the existence and effectiveness of current controls. Likelihood can be described as high, medium or low.

· High: An event is expected to occur in most circumstances
· Medium: An event will probably occur in many circumstances
· Low: An event may occur at some time

Risk Impact

It is the potential effect that a risk could have on the organization if it arises. It is worth mentioning that not all threats will have the same impact, as each system in the organization has a different value. The magnitude of impact can also be categorized as high, medium or low.

· High: Serious impact on operation, reputation, or funding status
· Medium: Significant impact on operations, reputation, or funding status
· Low: Less significant impact on operations, reputation, or funding status

The combination of likelihood and impact gives us the value for
