2/.

RISK ASSESSMENT: The process of risk assessment should be taken through the stages:

Identification of auditing objects (clients)

Define Sources of Risk of each category

Risk Identification

Risk Assessment & Evaluation

First, The Auditor should rely on the internal audit plan of the year, the requirements of senior managers in the company to determine which objects will be included in this audit program. Then, the auditor need to understand each specific auditing object and consider the factors likely to increase the risk of enterprises. This task is always considered important though the auditor is member of the Company because the auditor cannot understand deeply all the work in each operation, each department in the company. In the discovery process, the auditor asks questions and finds the most reasonable answers: - The risks that may occur during the operation of company. - What policies that Leaders at all levels of the company apply in the management and operations of the company as well as the attention to the internal audit results (In the past and present)? - In current period, do enterprises prefer to maximize profits? - The mechanism for the calculation of the salaries and bonuses for managers and employees? - Does company participate in activities of the community? - Do Chiefs of the department of accounting, business ... sustain abnormal pressure? - Do the staffs in positions and important parts have relationship of kinship or emotion? - Within 12 months, does company have new products and services?
1

On the basis of the risks that may occur, the internal audit department select key factors and sort by priority order as a basis for evaluation. Because there may be many kinds of risks, the auditor should select the most important risks to parts of company (5-10 types) for consideration. This work is carried out based on the experience of the auditor with auditing objects, combined with reference information from the managers and other sources. For example, when auditing the raising capital activities of banks, the auditor should consider interest rate risk, environmental risk in the country and the world and moral hazard of mobilizing staff. When auditing the process of construction in of construction companies, the auditor need pay more attention to risks failure to comply with regulations in the construction and design, the risk of not aggregate cost accurately and on schedule and the risk of production efficiency. In any case, the internal audit departments build models of risk assessment for each auditing objects in the form:
RISK ASSESSMENT TABLE
Departments (operation)......... Risk Scores for impact Scores for likelihood

Internal auditors score the possibility and severity for each activity departments, each content on the principle that the greater the potential risks are, the higher the score (scale 10/10). In particular, the risk of severity, with the possibility is almost certain (76-100%) has the highest score from 80 to 10 points, the risks rarely happen(less than 5%) have the lowest score from 0 to 2 points. Then, the auditor may make a risks factors summary table of auditing subjects, in which arranging parts (activities) in order of priority based on the total risk score. If there are objects of the same base point, the auditors add other factors to rank.
2

RISK FACTOR SUMMARY TABLE ..... ...... Total scores Department (Operation) 1 2 ...

Risk
No

The risk assessment methods that the internal auditor can use are: - Hi c method: evaluating past activities through valid evidence (documents and secondary information).
-

Forecasting method: assessing potential impacts caused by existing agents and would develop in the future.