I would be interested in thoughts on how you apply weights to different risk categories when performing your risk assessments. How do you determine the weights? Does each category of risk have the same weighting in the risk assesssment for each auditable entity/process in the audit universe?

It seems more and more the examiners are pushing weights and calculations on risk assessments and less reliance on auditor's judgement. However, in the end, isn't applying a risk weight to one category vs the other based on auditor judgement? Adding weights and mathematical calculations to arrive at the risk rating implies a level of precision that does not exist in my opinion.

Anyone? Or do you not apply weights?

They do want a hard rule. For instance, how do you rate ACH knowing you have to perform this audit each year.

The risk assessment results will not come into play for audit plan purposes for those audits that are required to be conducted at a specfic interval (for example, ACH, BSA/AML, SAFE Act). Although we still would perform the risk assessment.

Assuming you perform a risk assessment for each auditable entity, do you weight each risk category (examples of categories: business impact, credit risk, market risk [includes IRR and liquidity risk], operational risk, technology risk, legal risk, compliance risk, reputation risk, strategic risk)?

If yes, how did you determine the weights? Are the weights the same for every auditable entity? Any feedback or criticism from examiners?

If weighting is not used, are examiners "ok" with that?

Thanks.

I sit down with the business unit and discuss. I inform them I have final rating over each component. It gets them involved in the process, especially if they have new products or services, I am not aware of.

The risk assessment I use has factors (1-5) and then each factor is multiplies by the weight it carries. I obtained this risk assessment from audit school. if you are interested send me your email address and I can send you what I have.

I bet mine is from the same audit school, the external auditors and OCC have blessed it.