Annual Audit Risk Assessment 2018-2019

The Office of Inspector General is required by statute and professional standards to develop an annual and long-term audit plan based on the findings of a periodic risk assessment. The audit plan contains a listing of planned audits that should be conducted throughout the fiscal year. Additionally, the audit plan is developed to: allocate our audit resources on a risk-basis; ensure any statutorily required audit work is planned; provide flexibility for managing competing audit needs, and minimize potential overlapping of audits with other audit organizations such as the Auditor General.

The risk assessment that feeds the audit plan is developed by consulting with department management to identify, rank and prioritize projects. We do this through face-to-face discussions with functional area managers as well as District management. Once the initial sets of interviews are completed, we meet with the department’s Assistant Secretaries and the Secretary to review and rank the projects.

The following 28 functional areas have been identified as our audit universe.

1. Construction 15. Procurement
2. Design 16. Comptroller
3. Emergency Management 17. Work Program & Budget
4. Maintenance 18. Aviation & Spaceports
5. Materials 19. Freight & Multimodal Services
6. Program Management 20. Seaports & Waterways
7. Right of Way 21. Transit
8. Traffic Engineering & Operations 22. Policy Planning
9. Safety 23. Systems Implementation
10. Environmental Management 24. Forecasting & Trends
11. Equal Opportunity 25. Civil Integrated Management
12. Human Resources 26. Information (Cyber) Security Management
13. Organizational Development 27. Information Technology
14. Support Services 28. Process & Quality Improvement

As part of these meetings, we ask managers to consider the risks within their area of control, as well as the whole department. Risk is defined as the probability that an event or action may adversely affect the organization and the achievement of organizational objectives. Some examples of risk we discuss are:

Operational risk: The risk of loss resulting from inadequate or failed internal controls, operations, or procedures.

Compliance risk: The risk of not adhering to policies, plans, procedures, laws, regulations, contracts, or other requirements.

Financial risk: The risk that the department will not have adequate cash flow to meet financial obligations.

Legal Liability risk: The risk of loss to the department that is primarily caused by (1) a claim being made or some other event occurring which results in liability for the department; (2) a failure to adequately protect assets owned by the department; or (3) change in the law.

Reputational risk: The risk arising from what vendors, customers, and employees are saying in public and on social media.

To help us scope and define the magnitude of risk better, we also discuss any substantial changes management foresees that would affect department program areas. For example, responsibility increases/decreases (such as federal mandates or statutory changes), budget allocation increases/decreases, information technology, or personnel increases/decreases.

Our final product was completed and distributed in July 2018.

To view the 2018-2019 Annual Audit Risk Assessment, click here.


by DeGreta Corbin | QAOS Manager