The OIG considers the following based on a risk analysis consistent with the standards prescribed by the Institute of Internal Auditors (IIA). The OIG considered the following criteria to determine the level of risk:
- Financial Exposure
- Regulatory / Safety / Security / Compliance
- Audit History
- Image / Reputation
- Maturity of Process / Management
- Information Technology / Cybersecurity
- Equity Impact
- Mission Critical Operations
