Materiality and Risk Assessment

Materiality is assessed by determining how much of a unit’s financial information could be misstated, by error or fraud, without affecting the decisions of reasonable financial information users. Materiality is informed by management’s risk appetite and tolerance, considering quantitative as well as qualitative factors, which may include perceived reputational risk or compliance with regulations.

Risk appetite and tolerance are determined by management’s ability to tolerate deviation from acceptable outcomes relative to its objectives. Read more about Responding to Risk.

The risk assessment identifies and prioritizes risks based on their likelihood and the potential impacts on the university’s progress toward achieving its strategic objectives and priorities. Managers consider risks according to their established risk appetite and tolerance. 

Assessing Risk is an Iterative Process

You should continually assess risk and complete another risk assessment for your unit as things change.

Changes in the following may require another risk assessment:

  • External environment: Have there been changes to the external regulatory, economic, or physical environment? For example, has government regulation impacted your unit's risk? Has an event like the COVID-19 pandemic impacted your unit's risk?
  • Internal environment: Have there been changes to your unit's business operations? For example, have there been new technologies or systems or new business lines introduced?
  • Leadership: Have there been changes in management that changed attitudes or philosophies on the internal control system? For example, has the leadership changed at the board of trustees, senior leadership, or unit level, and has that change impacted your system of internal controls?

Frequently Asked Questions

When doing a risk assessment, do I need to assess all risks (HR, safety, compliance, for example)?

For the risk assessment that forms part of your unit's financial internal control plan, the Office of the Controller asks units to assess primarily areas of high financial risk.

When assessing my unit’s areas of high financial risk, if there are intersections with HR risk, how do I determine what to include in my unit’s risk assessment?

Examples of areas with HR risk include, but are not limited to, recruiting and retention, competency and skills, and compensation and benefits.

Before performing your risk assessment, determine your unit’s objectives. Examples include providing accurate financial statements, ensuring accurate and timely account reconciliations, maintaining compliance with university policies, recruiting and retaining competent finance and administrative personnel, and so on. If your unit has identified HR risks that are also high financial risks, then you should include them in your risk assessment.

Should we include a risk that is below the materiality threshold in our risk assessment?

Suppose you have identified a financial risk that is below the materiality threshold (1% of the unit/organization's subtotal of expenditures as represented in the Division of Budget and Planning’s Operating and Capital Budget Plan), but you have assessed that it would impede your unit's ability to achieve its objectives or would cause the university reputational harm. In that case, you should include it in the risk assessment.

What format is required when completing the risk assessment?

The Financial Operations team has provided some examples of formats you can use to complete the risk assessments. You can use these examples as guidelines or use them for your own department’s risk assessment. Each unit should determine which format works best for its needs and may create an entirely different format based on preferences. See Training and Templates for more information.

If a unit has several sub-units, is an individual risk assessment required for each sub-unit?

An individual risk assessment per sub-unit is not required, but we do ask that you look at your unit broadly and holistically as you complete the risk assessment. If there are any areas of high financial risk in the sub-units, please include them in your unit's risk assessment.