Tax Law Services Ottawa Section
July 2011

Appendix B – Risk assessment guidelines for audit recommendations

Examples of criteria used for assessing the risk level of audit recommendations are outlined below:

Assessment Criteria
High
  • Controls are not in place or are inadequate.
  • Compliance with legislation and regulations is inadequate.
  • Important issues are identified that impact the achievement of program/operational objectives.
Medium
  • Controls are in place but are not being sufficiently complied with.
  • Compliance with central agency/departmental policies and established procedures is inadequate.
  • Issues are identified that impact the efficiency and effectiveness of operations
Low
  • Controls are in place but the level of compliance varies.
  • Compliance with central agency/departmental policies and established procedures varies.
  • Opportunities are identified that could enhance operations.

It should be noted that, in applying the above criteria to a recommendation, Internal Audit Branch takes into consideration the nature, scope, and significance of the audit finding(s), the impact of the recommendation on the organization, and the auditors’ professional judgment.