Annual Audit Risk Assessment

Each year the Office of Inspector General is required by statute and professional standards to develop an annual and long-term audit plan based on the findings of a periodic risk assessment. The audit plan contains a listing of planned audits providing the audit team a road map that guides their activities throughout the fiscal year. Additionally, the audit plan is developed to: allocate our audit resources on a risk basis; ensure any statutorily required audit work is planned; provide flexibility for managing competing audit needs; and minimize potential overlapping of audits with other audit organizations such as the Auditor General.

The risk assessment that feeds the plan is developed by consulting with department management to identify, rank and prioritize projects. We do this through face-to-face discussions with functional area managers as well as District management. Once the initial sets of interviews are completed, we meet with the department’s Assistant Secretaries and the Secretary to review and rank the projects.

Although we consider risks throughout the whole department, we focus on the following 21 key functions, as defined in the department’s business plan: Construction, Design, Turnpike Enterprise/Tolls, Maintenance, Materials, Human Resources, Right of Way, Safety, Information Systems, Traffic Operations, Performance Management, Support Services, Work Program & Budget, Procurement Services, Equal Employment Opportunity, General Counsel, Public Information, Contracts Administration, Comptroller/Financial Services, Intermodal Systems Development, and Disadvantaged Business Enterprise.

As part of these meetings we ask managers to consider the risks within their area of control, as well as the whole department. Risk is defined as the probability that an event or action may adversely affect the organization and the achievement of organizational objectives. Some examples of risk we discuss are:

• Operational risk: The risk of loss resulting from inadequate or failed controls, operations, or procedures.

• Compliance risk: The risk of not adhering to policies, plans, procedures, laws, regulations, contracts, or other requirements.

• Financial risk: The risk that there will not be adequate finances to meet financial obligations.

Additionally, to help us better scope and define the magnitude of risk, we discuss the following criteria:

• Degree of change or stability: To what extent have there been significant changes in the last year to areas such as information technology, office reorganization, staff turnover, or new programs?

• Complexity of operations: How complex are the operations, i.e., simple, many processes, or several complex processes performed by several different areas?

• Performance measures: Are performance measures in place, are they easily achieved, and/or are they meaningful?

• Policies, procedures, practices and other internal controls: To what extent have policies, procedures, practices and/or other controls changed in the last year?

We have begun scheduling and holding this year’s meetings with management and will have a final product ready for the Secretary by June 1. If you have a topic or idea you want to discuss, please contact Amy Furney or me at 410-5800 or by email (, ).
[1] Section 20.055, Florida Statutes

Author: Kris Sullivan, Director of Audit