
Risk Methodology

The Internal Audit relies on a continuous risk assessment to carry out its duties (risk‐based
auditing), starting with the annual planning, semi‐annual plan review, preparing and
updating Internal Audit Programs, determining additional tasks, and others.
In order to adopt a comprehensive risk assessment, the Internal Audit is constantly aware
of the identified risks through:
- New activities and projects, and directions of the Organization (including the Strategic
Plan, SWOT Analysis, and others);
- Emerging trends and risks;
- New regulations and laws related directly or indirectly to the activities of the
Organization;
- Risks identified and other input by the Board of Trustees and the Management;
- The independent Internal Audit’s evaluation of the existing risks and the systems of
controls around them, as well as the emerging risks that were identified in the light of
developments affecting the Organization’s operations;
- Information gained by Internal Audit from previous audits, as well as available data;
- The risk assessment available in the Organization from the “Risk Management”
department;
- Information acquired by communicating with the relevant parties in the Organization.
These risks are evaluated according to their impact and likelihood of occurrence as listed
in the following tables:
Risk Impact Parameters

1. Low

• Financial impact determined based on Materiality Plan table;
• General transaction errors/mistakes that have no material financial impact, do not hamper operations, and do not affect other department's operations;
• Minor non‐compliance with regulations or claims raised not resulting in financial liabilities (fines, penalties…) or court proceedings;
• Limited data exposure or loss that can be contained within the business unit. Restoring data in case of loss needs minor effort and takes few days;
• Isolated occurrence of criticism in media;
• Minor impact on internal staff of the Organization;
• Minor reversible health effects;
• Project milestones revised or missed but not affecting project completion;
• Minor impact on the environment where swift cleanup is possible.

2. Moderate

• Financial impact determined based on Materiality Plan table;
• Negligence in processing transactions resulting in complaints, delay in project progress, financial impact, or business interruption of another department;
• Non‐compliance with the Organization’s policies and procedure, set standards, or guidelines;
• Breach of regulations with possible fines or penalties. Isolated claims raised that might result in financial liabilities or court proceeding;
• Data exposure or loss that can be contained within the Organization. Restoration of data in case of loss needs effort and time for update;
• Adverse public opinion or media criticism;
• Moderate impact on the Organization’s staff or minor impact on the Organization’s related parties;
• Moderate health effects requiring hospitalization, or reversible injury;
• Project milestones missed and project completion changed;
• Moderate environmental impact not affecting the ecosystem but requiring longer‐term cleanup.

3. Significant

• Financial impact determined based on Materiality Plan table;
• A case of internal/external fraud;
• Grave misconduct or negligence in processing transactions that adversely affects financial losses, or interrupts cross‐departmental business operations;
• Absence of policies and procedures;
• Serious breach of regulations. Significant legal concerns (e.g. risk of successful legal challenge with substantial implications for the Organization);
• Data exposure that cannot be contained within the Organization. Restoration of data in case of loss is costly or not possible;
• Adverse public campaign or repeated/permanent criticism by the national/international media;
• Impact on patients and/or General Public;
• Significant or major injury, permanent disability, or fatality to one or more persons;
• Key project deadlines/completion missed;
• Major environmental impact requiring expensive/difficult cleanup or affecting the ecosystem.

Materiality scale
The materiality scale is used to determine whether misstatements, individually or in aggregate, materially misstate the financial statements. Such misstatements could mislead users who rely on the financial information into making incorrect decisions.
When a misstatement occurs in the financial statements, whether identified individually or collectively, it is evaluated using the quantitative factors in the table below.

To determine under which parameter the misstatement falls, we take the financial factor that directly relates to the misstatement. If it relates to multiple factors, we might take the highest value among them, for example the higher of sales revenue or total assets. We then calculate the percentage amount under each parameter and compare the misstatement with that materiality amount.
Materiality Scale

Materiality Score     | 3           | 2            | 1
Financial impact of   | Significant | Moderate     | Low
Sales Revenue         | 1%          | 0.5% and <1% | <0.5%
Total Assets          | 2%          | 1% and <2%   | <1%
Gross Profit          | 2%          | 1% and <2%   | <1%
Shareholders’ Equity  | 5%          | 2% and <5%   | <2%
Net Profit            | 10%         | 5% and <10%  | <5%

Risk Likelihood Scales

Classification  | Likelihood Score | Likelihood in time
Unlikely        | 1                | Risk may materialize in over 1 year
Likely          | 2                | Risk may materialize between 6 months and 1 year
Almost Certain  | 3                | Risk may materialize in less than 6 months

Risk Matrix:

Likelihood 3  | 3        | 6        | 9
Likelihood 2  | 2        | 4        | 6
Likelihood 1  | 1        | 2        | 3
              | Impact 1 | Impact 2 | Impact 3

Risk Rating: Low, Medium, High

Risk Assessment when preparing the Audit programs


In addition to the above‐mentioned risk assessment, risks are evaluated at the level of the Audit
Engagement (department or activity) to identify (or update) the Audit Program. This
identification or update affects the elements of Internal Control that are the subject of review
and examination, as well as the Testing Procedures to follow while auditing these elements and
verifying their existence.