Risk Discussion Questionnaire

During the planning phase of an assurance audit, IACS may use the Risk Discussion Questionnaire (RDQ) to help focus the audit on more specific areas.

Please note: Audit clients do not need to complete these questions in advance but may desire to become familiar with it by reviewing the questions involved. IACS staff will work with you to complete the questionnaire.

Sample Questions

General Information

  • Department or Process
  • Contact Person
  • Contact Phone
  • Date Completed

  1. What is the purpose/mission/objective of this unit or process?
  2. How many employees work in the department? What is your organizational structure?
  3. Do you have job descriptions for each employee? What are each employee's key responsibilities?
  4. What documented policies and procedures are available?
  5. What is the worst thing that could happen to this unit or process?
  6. What is the worst thing that has already happened to this unit or process?
  7. What are the critical interfaces (other work groups or processes) that give you the most concern (and why)?
  8. Please describe the areas of your department's operations you feel are the most vulnerable to risk and any related internal control currently in place to offset those risks.

I. Systems, Data, Information Security

  1. Please indicate if this area has implemented any new or extensive information systems within the past 12 months. If yes, was the software developed or purchased? What was the cost of implementation (hardware and software)?
  2. What is the nature of the data processed by this unit or process? Is it private, confidential, proprietary, classified, financial, operational, sensitive, or public?
  3. To what extent are policies, procedures, standards, and guidelines developed, implemented and enforced so that information system risk is minimized for this unit or process?
  4. Are any information systems considered critical to the mission of this unit or process, or to the University as a whole?

II. Operations, Management Controls, and Accountability

  1. If the department has been audited within the last 5 years by either an external group or IACS, please indicate when and by whom. (State auditors, federal auditors, other).
  2. Does the department have a written and tested disaster recovery plan? If yes, was the plan specifically developed for your department?
    • University Disaster Recovery Plan
    • Departmental Disaster Recovery Plan
    • None
    If departmental plan, please describe what specific areas of operation (e.g. network interruption, disruption of routine business operations due to an emergency situation) the recovery plan addresses.
  3. What procedures have been developed to monitor and evaluate employee performance in the areas of accountability and contribution toward attainment of management goals and objectives?
  4. How much have procedures or processes changed in the last 12 months?
    • No changes
    • Some significant changes
    • Major changes have occurred to one or more procedures or processes, or a significant new system has been developed and implemented.
    Please specify details.
  5. To what extent have reorganization, management turnover, employee turnover, or other departmental changes (e.g. budget size, size of operations) affected the environment of the area (experience, continuity, control, and accountability) in the last 12 months?
    • No changes
    • Moderate Impact
    • Significant Impact
    Please describe all relevant changes that have occurred in the department in the last 12 months.
  6. Segregation of duties is an internal control where responsibilities are assigned so that no one individual controls all aspects of a process or transaction. Please choose the answer that best fits the department at this time:
    • No individual has full control over all aspects of a process or transaction.
    • Some individuals have full control over some transactions; however, there are some mitigating controls to reduce risk, such as a subsequent review of the transactions by another person.
    • Some individuals have full control over some transactions; there are no mitigating controls in place.

III. Financial Management

  1. Please list all current fiscal year index codes, purpose, and associated fund balances available to or processed through the department.
    Include all of the following funds:
    • E&G
    • Designated
    • Restricted gift
    • Auxiliary
    • Restricted grant or sponsored program
    • Plant funds
  2. Has management developed written rules, guidelines, policies, and/or procedures for all transactions and critical financial activities?
    • Yes
    • Somewhat
    • No
  3. How often are actual income and expenditures monitored against the budget and are significant variances identified and reported to management?
    • Monthly
    • Annually
    • Not at all
  4. How many cash collection points exist in your department?
    • None
    • 1-4
    • 5-10
    • 11-20
    • More than 20
    Please list the location of each cash collection point.

IV. Legal and Regulatory Compliance

  1. Due to the mission of this unit or process, what is the level of inherent risk of fines, penalties, or lawsuits that may result from noncompliance with various federal or state regulations or agencies (e.g. EPA, OSHA, Title IV, Title IX, NCAA, and ORC)?
    • Not Applicable
    • Minimal
    • Moderate
    • Significant
    Please specify what regulations are applicable to this department or process.
  2. Describe current measures taken to ensure compliance with any applicable regulatory body.
  3. If the unit has grant or sponsored research funding, how is compliance with OMB Uniform Guidance ensured? What types of oversight are in place to monitor sponsored research activity?
  4. How many employees or students have filed grievances or legal actions against the unit's employees within the past year? What was the basis of the complaint(s) and the outcome?

V. Public and Political Sensitivity

  1. What is the level of inherent risk of adverse public relations or publicity due to the nature of the department's basic operations (e.g., research on human or animal subjects, hazardous waste disposal, research involving controlled substances, significant impact on students, access to confidential information)?
    • Minimal
    • Moderate
    • High
  2. What controls currently exist to ensure that each faculty or staff member has a working knowledge of the conflict of interest policies of the University? Have any conflict of interest situations been brought to management's attention in the last year?
  3. How often, if ever, have negative stories concerning this unit, resulting from a complaint or disagreement from faculty, staff, or students, been publicized (or threatened with publication) in the local media?
    Please describe any previous occurrences of adverse public relations or publicity.

VI. Other Questions

  1. Do you know of anyone who is breaking the rules?
  2. Has anyone in the organization asked you to do something that you thought was illegal or unethical?
  3. What would you do if someone asked you to do something that you thought was wrong?