Regional Contracting
August 2011

APPENDIX C – RISK ASSESSMENT GUIDELINES FOR AUDIT RECOMMENDATIONS

Examples of criteria used for assessing the risk level of audit recommendations are outlined below:

Assessment	Criteria
High	Controls are not in place or are inadequate. Compliance with legislation and regulations is inadequate. Important issues are identified that impact the achievement of program/operational objectives.
Medium	Controls are in place but are not being sufficiently complied with. Compliance with central agency/departmental policies and established procedures is inadequate. Issues are identified that impact the efficiency and effectiveness of operations
Low	Controls are in place but the level of compliance varies. Compliance with central agency/departmental policies and established procedures varies. Opportunities are identified that could enhance operations.

It should be noted that, in applying the above criteria to a recommendation, Internal Audit Branch takes into consideration the nature, scope, and significance of the audit finding(s), the impact of the recommendation on the organization, and the auditors’ professional judgment.