
Up until now, the GAO’s Yellow Book has been mostly tight-lipped about the finer points of conducting a risk assessment on a performance audit. The standards hadn’t meaningfully addressed the topic in decades, long enough for an entire generation of auditors to rise, retire, and develop opinions about paperclip preferences.
But in the 2024 update, the GAO finally speaks up.
Chapter 5 introduces a fresh focus on assessing risk to audit quality and, with it, new tools for evaluating inherent risk: the kind of risk that exists before you’ve done anything to manage it. In Section 5.38, the GAO outlines four risk factors to consider.
And here’s the twist… these four insightful considerations can apply at two levels:
- Audit Subject Risk Assessment: The risk something might go really wrong in the thing you’re auditing.
- Audit Quality Risk Assessment: The risk something might go really wrong in your audit of the thing.
Let’s unpack them with a few real-life examples and just a splash of levity to keep us from falling asleep in our rolling chairs.
1. How the risk would affect achievement of objectives
📌 Audit Subject Risk Assessment
Start with the big question: If this goes south, how bad could it be?
When you audit foster care, the risk isn’t paperwork delays. It’s that a child might be harmed while in state custody. If you’re looking at student financial aid, the risk could be thousands of dollars flowing to students who aren’t real, aren’t eligible, or are really good at faking it. If you give the high school track coach a government-issued credit card, well… you might end up reading about it in the local news, next to the phrase “alcohol purchase at out-of-town tournament.”
The more serious the potential harm, the higher the inherent risk.
🏛 Audit Quality Risk Assessment
At the audit quality level, think about how this risk could derail your ability to meet professional standards. If your team lacks subject matter expertise, or if your review process is more “suggestion box” than “gatekeeper,” the risk is that you issue findings that are inaccurate, unsupported or (worst of all) boring and wrong.
2. How frequently the risk is expected to occur
📌 Audit Subject Risk Assessment
Is this a one-time blip or a repeat offender? If your entity has a five-year pattern of overpaying financial aid, or foster care incidents keep showing up in the headlines, frequency is high. And if every extracurricular department has its own interpretation of “reasonable business expense,” you’ve probably got a systemic issue on your hands.
🏛 Audit Quality Risk Assessment
If documentation issues keep popping up across engagements, or if scoping decisions are consistently rushed because “we just don’t have the time,” frequency is your warning bell. When your internal audit risks show up more often than donuts at the Friday staff meeting, it’s time to pay attention.
3. How quickly the risk would have an effect
📌 Audit Subject Risk Assessment
Some risks hit fast. In foster care, if placement decisions are flawed, harm could occur overnight. For financial aid, a scammer might get paid this week and then vanish before you finish your planning memo. In other words, some risks move faster than your inbox on a Monday morning.
🏛 Audit Quality Risk Assessment
When an internal risk occurs, how fast does it make trouble? If your lead auditor resigns mid-engagement and no one else understands the scope, things could unravel immediately. On the flip side, training gaps or weak supervisory feedback might take longer to erode quality. But by the time it shows up, the damage has already been done.
4. How long the risk’s effects would last
📌 Audit Subject Risk Assessment
Let’s say something does go wrong. How long will it cause problems? A one-time purchase card misuse might be embarrassing, but fixable. But if your audit reveals years of untracked payments or foster care placements without safety checks, the damage could last long after your final report is filed. Some risks linger like that forgotten tuna sandwich in the office fridge.
🏛 Audit Quality Risk Assessment
At the organizational level, quality issues can cast a long shadow. If an audit falls apart or gets flagged in peer review, the damage to credibility, morale, and public trust can take a while to clean up. Some risks fade quickly. Others become the stuff of annual training examples for the next five years.
Final thoughts: Timing isn’t everything, but it’s close
Yellow Book Section 5.38 gives us a helpful framework for thinking through inherent risk, the risk that exists before mitigation, methodology, and the first awkward client meeting.
The four questions to ask at both the audit subject and audit quality levels are:
- How bad could it be?
- How often does it happen?
- How fast would it hit?
- How long would it last?
When you apply these consistently, you build more precise risk ratings, smarter audit scopes, and stronger systems of quality management.




Yellowbook-CPE.com is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: