Defining and Assessing Risks Detected during the Audit
Risks can be identified during audit execution.
Example: in an audit of hardware purchases, a risk concerning requirement suitability may be identified, such as a poor technological choice.
*We differentiate risks discovered during the audit from those previously defined in the audit scope and in the different activities. See Specifying the Audit Scope.
Risks discovered during audit execution should be connected to the activity finding, or to the recommendation.
Displaying the list of risks 
In the Risks page of audit properties, you can view risks related to:
the audit
the audit objects
Assessing Risks 
To assess the objects (in their context):
1. Open the properties of the audit.
2. Select the risks Assessment page.
3. Select the risk(s) you want to assess.
4. Select the value(s) characterizing the risk(s).
   Impact: impact of the risk when it occurs
   Likelihood: probability that the risk will appear
   Control Level
   *Control level characterizes the efficiency level of control elements deployed (controls) to assess the risk.
5. Click Validate Multiple Assessment Table.
*Assessment validation enables you to view results in the risk map. Validation can take a while, so the wizard offers to execute this process later if needed.
The following values are calculated:
inherent risk
*The inherent (or gross) risk indicates the risk to which the organization is exposed in the absence of measures taken to modify the occurrence likelihood or impact of this risk. This is the result of multiplying the impact value and the likelihood value before taking into account risk prevention or reduction measures.
residual risk
*The residual (or net) risk indicates the risk to which the organization remains exposed after management has processed the risk. This is the difference between the Inherent Risk and the Control Level.
Generating the risk heatmap 
A report enables you to view the map of risks associated with an audit, depending on their assessment criteria (Impact, Likelihood, etc.).
To view the risk map associated with an audit:
*In the properties of the audit, select the Reporting page then Internal Audit > Audit Risks Heatmaps.
The audit risk map appears.
*The number of risks displayed depends on the number of contexts.
*Risks must have first been assessed for you to get results in this risk map.