Annual Audit Risk Assessment 2017-2018


Each year the Office of Inspector General is required by statute and professional standards to develop an annual and long-term audit plan based on the findings of a periodic risk assessment. The audit plan contains a listing of planned audits, providing the audit team a road map that guides their activities throughout the fiscal year. Additionally, the audit plan is developed to: allocate our audit resources on a risk basis; ensure any statutorily required audit work is planned; provide flexibility for managing competing audit needs; and minimize potential overlap of audits with other audit organizations such as the Auditor General.

The risk assessment that feeds the audit plan is developed by consulting with department management to identify, rank, and prioritize projects. We do this through face-to-face discussions with functional area managers as well as District management. Once the initial set of interviews is completed, we meet with the department's Assistant Secretaries and the Secretary to review and rank the projects.

The following 26 functional areas have been identified as our audit universe:

1. Construction
2. Design
3. Emergency Management
4. Environmental Management
5. Maintenance
6. Materials
7. Program Management
8. Right of Way
9. Safety
10. Traffic Engineering & Operations
11. Comptroller
12. Equal Opportunity
13. Forms & Procedures
14. Human Resources
15. Maps & Publications
16. Organizational Development
17. Procurement
18. Support Services
19. Work Program & Budget
20. Aviation & Spaceports
21. Rail & Motor Carrier Operations
22. Seaports & Waterways
23. Transit
24. Research Center
25. Transportation Development
26. Transportation Technology

As part of these meetings we ask managers to consider the risks within their area of control, as well as the whole department. Risk is defined as the probability that an event or action may adversely affect the organization and the achievement of organizational objectives. Some examples of risk we discuss are:

Operational risk: The risk of loss resulting from inadequate or failed internal controls, operations, or procedures.

Compliance risk: The risk of not adhering to policies, plans, procedures, laws, regulations, contracts, or other requirements.

Financial risk: The risk that the department will not have adequate cash flow to meet financial obligations.

Legal Liability risk: The risk of loss to the department that is primarily caused by: (1) a claim being made or some other event occurring which results in liability for the department; (2) a failure to adequately protect assets owned by the department; or (3) change in the law.

Reputational risk: The risk arising from what vendors, customers, and employees are saying in public and on social media.

Additionally, to help us better scope and define the magnitude of risk, we also discuss any substantial changes management foresees that would affect department program areas. Examples include changes in information technology, personnel increases or decreases, budget allocation increases or decreases, and responsibility increases or decreases (such as federal mandates or statutory changes). We expect our final product to be completed June 30.