Materiality is assessed by determining how much of a unit’s financial information could be misstated, by error or fraud, without affecting the decisions of reasonable financial information users. Materiality is informed by management’s risk appetite and tolerance, considering quantitative as well as qualitative factors, which may include perceived reputational risk or compliance with regulations.
Risk appetite and tolerance are determined by management’s ability to tolerate deviation from acceptable outcomes relative to their objectives. Read more about Responding to Risk.
The risk assessment identifies and prioritizes risks based on their likelihood and the potential impacts on the university’s progress toward achieving its strategic objectives and priorities. Managers consider risks according to their established risk appetite and tolerance.
You should continually assess risk and complete another risk assessment for your unit as things change.
Changes in the following may require another risk assessment:
For your unit's risk assessment, which is part of your unit's financial internal control plan, the Office of the Controller asks units to assess primarily areas of high financial risk.
Examples of areas with HR risk include, but are not limited to, recruiting and retention, competency and skills, and compensation and benefits.
Before performing your risk assessment, determine your unit’s objectives. Examples include providing accurate financial statements, ensuring accurate and timely account reconciliations, maintaining compliance with university policies, recruiting and retaining competent finance and administrative personnel, and so on. If your unit has identified HR risks that are also high financial risks, then you should include them in your risk assessment.
Suppose you have identified a financial risk that is below the materiality threshold (1% of the unit/organization's subtotal of expenditures as represented in the Division of Budget and Planning’s Operating and Capital Budget Plan), but you have assessed that it would impede your unit's ability to achieve its objectives or would cause the university reputational harm. In that case, you should include it in the risk assessment.
The Financial Operations team has provided some examples of formats you can use to complete the risk assessments. You can use these examples as guidelines or use them for your own department’s risk assessment. Each unit should determine which format works best for its needs and may create an entirely different format based on preferences. See Training and Templates for more information.
An individual risk assessment per sub-unit is not required, but we do ask that you look at your unit broadly and holistically as you complete the risk assessment. If there are any areas of high financial risk in the sub-units, please include them in your unit's risk assessment.