Applying Risk Assessment to Government
by Chris Goeman, CPA, CGFM, Audit Manager
Posted on March 28, 2018
The implementation of a risk assessment process is a critical component of an organization’s system of internal control. It allows managers and those charged with governance to take a proactive approach to understanding risks which could prevent the accomplishment of entity objectives. The risk assessment process aims to develop appropriate responses to risks based on available resources, severity of risks, and other considerations.
The risk assessment process outlined in the Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States (the Green Book), breaks the risk assessment down into four principles:
- Define Objectives and Risk Tolerances
- Identify, Analyze, and Respond to Risks
- Assess Fraud Risk
- Identify, Analyze, and Respond to Change
To illustrate the process in this article, we will walk through a risk assessment in relation to the following compliance objective: “The Section 8 Housing Assistance Payments Program eligibility determinations are conducted and documented in accordance with the terms and conditions of the grant, federal statutes, and regulations outlined in the Compliance Supplement.”
Define Objectives and Risk Tolerances:
Before risks can be assessed, organizations must establish measurable, observable, relevant and time-bound objectives. The objective above meets these criteria and can be used as the basis for the risk assessment. The next step is determining the government’s tolerance for not meeting the eligibility requirement. It’s likely that management’s risk tolerance is low, considering eligibility is a central requirement of the program and any deviations from the prescribed determinations would have a direct and material effect on the program. The established risk tolerance will affect the rest of the process, including the appropriate response to the risk.
Identify, Analyze, and Respond to Risks:
The organization will then examine risks at the entity level and the transactional level. The risk factors could be driven by external or internal forces. An example of an internal entity-level risk relevant to our example could be that the Housing Department has experienced extreme turnover and lacks experienced personnel responsible for making eligibility determinations. An external entity-level risk could be that the Federal Government has recently changed the eligibility process, making it more complex. A transactional-level risk could be that the calculation of annual income is performed in error, or that eligibility determinations are based on outdated income limits.
After risks are identified, a risk analysis is performed to determine the likelihood of the risk occurring and the magnitude of the risk. This process should involve employees who are conducting the eligibility determinations, managers, and the audit committee or other governing body charged with oversight. In our example, the likelihood of clerical errors in applying the eligibility requirements is assessed as low due to the use of an automated system designed specifically for making Section 8 eligibility decisions. The magnitude of an error is assessed as high due to the potential for providing ineligible families with vouchers resulting in direct and material noncompliance.
The next step is determining how the organization will respond to the risks identified. The risks can be accepted (do nothing), avoided (eliminate the Section 8 program at the City), reduced (implement controls), or shared (outsource eligibility determinations). The organization’s response is dictated by the risk tolerance identified in the first step as well as a cost-benefit analysis. It should be noted that the cost of a response, which could be in the form of additional controls, should not outweigh the benefit the organization receives in mitigating the risk. In our example, the organization has decided to reduce the risk of clerical errors in processing eligibility determinations by implementing a periodic management review of determinations, which is considered a detective control. After controls are applied to the risks, there still remains a residual risk, which should be equal to or lower than the organization’s risk tolerance.
Assess Fraud Risk:
The risk assessment process should also consider risks relating to fraud, including fraudulent reporting, misappropriation of assets, and corruption. Fraud is more likely to occur where there is opportunity (e.g., lack of internal control), pressure (e.g., employees with financial hardships), or attitudes and rationalizations (e.g., unethical employees or a poor tone at the top). In our example, there is a risk of corruption in which employees improperly process eligibility determinations for financial gain. The fraud risk would then be analyzed and an appropriate response developed to address it. The organization in this case is responding by implementing a periodic management review of determinations and by advertising the whistleblower hotline in the Housing offices and on its website.
Identify, Analyze, and Respond to Change:
The final step in the risk assessment is evaluating and forecasting changes that could impact the achievement of your organization’s objectives. This process should involve all stakeholders and should be performed periodically to prepare for change in the organization’s environment. Changes can be in the form of technological changes (e.g., a new financial reporting system), regulatory changes (e.g., additional compliance requirements), program changes (e.g., an increase in program participation and funding), or personnel changes (e.g., turnover of key positions). In our example, management has been notified that the supervisor over federal programs plans to retire at the end of the fiscal year. Management responds to this change by putting in place a succession plan to identify a staff person capable of handling the supervisor’s responsibilities, and by establishing a training plan to ensure a smooth transition. This forward-thinking approach enables the organization to continue meeting its objectives despite significant changes to the operating environment.
Why Your Organization Should Prioritize Risk Assessment:
- It helps ensure your organization accomplishes its goals and objectives.
- It’s a critical component of a sound system of internal control.
- Part 6 of the Federal Compliance Supplement identifies this method of risk assessment as a best practice.
- It demonstrates to your board/council and constituents that the organization is proactive in identifying and responding to operational, compliance and reporting risks as well as fraud risks.
- A formally documented risk assessment process will allow your organization’s auditors to obtain a greater confidence level in your system of internal control.
- It could potentially save your organization time and resources through avoidance of audit findings, questioned costs, development of corrective action plans, and increased oversight from regulators and grantors.