
Introduction

Risk Based Internal Auditing - Three views on implementation
Last updated 15 January 2006
Copyright D M Griffiths

The spreadsheets in the Excel workbook support the book 'Risk Based Internal Auditing - Three views on implementation'
which can be downloaded from:
www.internalaudit.biz
For reasons of time, none of the spreadsheets show all the data

The spreadsheets are:

RAU basics: Brief introduction to the process maps and risk registers
Appendix A  Scoring risks: Advice on the scoring of risks
Appendix B  Risk Register: An example risk register in the order of the processes in appendix B. In this risk map
Appendix C  Assessing risk maturity: Matrix giving the requirements for the five categories of risk maturity and suggested audit tests
Appendix D  Process map: An example process map for a company manufacturing and retailing
Appendix E  Audit Universe: List of all audits an organisation considers it requires to provide assurance on risk management. It is not essential, but assists those organisations wishing to ensure audits have particular characteristics, such as length of audit. It can only be considered complete when all risks have been assigned to audits, since some audits may be missing from the plan.
Appendix F  Risk and audit universe: The complete list of scored risks and the audits that will check their management.
Appendix G  Column key: Details of the columns in the RAU
Appendix H  Audit plan: The audit plan derived from the RAU
Appendix I  Process map - purchases: An example process map for the processes used to procure any item for the organisation
Appendix J  Expense purchases database: The audit database used for the audit of expense purchases
Appendix K  Conclusions: Guidance for providing assurance on an individual audit

Figure 1  Risk reduction diagram: What is risk based internal auditing?
Figure 2  Risk significance: Grid showing the significance of risks
Figure 3  Stages of RBIA: Stages involved in RBIA
Figure 4  Stage 2 Audit planning: Processes involved in stage 2
Figure 5  Frequency of work: Frequency of consultancy and audit work
Figure 6  Stage 3 Individual audits: Process involved in the individual audit
Figure 7  Audit trail: Links in the audit trail involved in RBIA
Risk register and audit plan 7/16/2014 8:16 PM
Risks register and audit Universe (RAU) basics
Purpose
The purpose of this spreadsheet is to demonstrate how a list of risks can be used to
generate an audit plan. The IIA standard 2010.A1 states, "The internal audit activity's plan of
engagements should be based on a risk assessment, undertaken at least annually. The input
of senior management and the board should be considered in this process."
The starting point: lists of risks from many people in the organisation at various levels.
The end point: a list of all the audits (the "audit universe") necessary to check that all risks are
mitigated by internal controls. These audits are to be scored in order to indicate their priority.
To understand the way this risk register is used, you need to visit www.internalaudit.biz
This is not a "Best Practice" guide but an example, which you must change to fit your
organisation
The process map
In order to produce an audit plan from a list of risks, the first task is to group the risks. I believe
this is best done by linking them to the processes which any organisation has to fulfill its
Do not confuse this approach with 'Process based' or 'Systems based' auditing. Processes in
risk based auditing are used only for convenience. Risks drive the audit plan and individual
audits. If you have a risk with no process, go and set up a new process!
Processes are the means to achieve the organisation's objectives. They do not necessarily
represent actual departments and could be outsourced. It is important to concentrate on the
theoretical processes required, since the actual processes may have weaknesses or
omissions.
Processes are arranged in a hierarchy (like an organisation chart), with each process being
split into more detail. The first level of processes is known as level 1 and these are split into
more detailed processes at level 2. It's usually possible to plan audits at this level. Processes
are split further in the audit and the more detailed risks and controls are linked to these. The
advantage of this approach is that it avoids having a huge database.
Each level has "Define objectives" at the start and "Support" at the end. There is a need to
define the objectives of any set of processes - even if it is only to set targets. "Support" refers to
the support directly required by the processes at that level. The example will give you more of
an idea.
The processes in this spreadsheet are for a company which manufactures goods and sells
them through its own shops, to resellers (wholesalers) or direct to the public.
The risk register
The process maps are used to set up the risk register, where risks are linked to processes.
Each box on the process map has a row. This enables risks to be attached to processes at
each level, and for each level to have a risk score. This is useful in summarising the risk
scores for levels 1 & 2. (This format is slightly different to that used in www.internalaudit.biz)
David M Griffiths RAU basics 3 of 264
Several risks may be linked to one process or several processes to one risk. If you have a
process with no risks, you may need to ask management if risks do exist in this area. If you
have risks but no process - you need to add a process. Do NOT drop risks because they don't
fit neatly into your map!
The risk register will be constantly updated with new risks, as they occur to me, or as my
researches reveal. It can never be complete. The important point for your risk register is that it
gives you a complete "audit universe". It is these audits which need to identify all the key risks
in order to assess the controls which mitigate them.
The last columns in the register show details of the last audit of that risk and the next audit
planned. This enables the register to be used as an audit planning tool. By sorting and filtering
the database an annual audit plan can be produced. A calculation at the end of the "next audit
budget" column will show if sufficient resources are available.
The register has one line of titles, so that it can be used as a database (sorted, filtered, reports
produced)
I intend to produce example audit databases (audit programmes) for many of the audits in the
risk register. See www.internalaudit.biz for more details
Some audit work may be duplicated. For example, "Transaction processing - purchasing goods
for resale" may have some audit work which appears in the support processes for "Purchase of
goods for resale". This is not necessarily bad, as it may cover important areas in slightly
different ways.
You may have many risks against one process at level 2. If this is the case, split the process to
give processes at level 3. See 9.6 - Process Transactions.
Certain major areas of risk, such as health & safety, the environment and quality control only
have one entry each. The level of detail will depend on the responsibilities of the internal audit
department. It is assumed that these areas are covered by other specialists and the audit
would be concerned with the proper operation and reporting of these functions
The following notes are tips when considering risks:
When wording risks, try not to make them just the failure to deliver a process. For example if
the process is, "Pay invoices", the risk is not, "Fail to pay invoices". However, one risk would be
"Invoices not selected for payment"
More importantly, risks should not be the absence of a control. For example, the risk "Invoices
are not authorised" presupposes a control. The risk is "Invoices may be paid for goods or
services not required"; the control is "All invoices are authorised by a senior manager".
Language
I have used UK English for the risk register. Variations from US English include:
Supplier = Vendor
Purchase = Procure
Cheque = Check
I have used the term "accounts payable" for purchase ledger, since this is now common in the
UK.
All sheets copyright David M Griffiths
Not to be copied or distributed without acknowledging the author, or in conjunction with a
commercial product
Appendix A
Advice on scoring risks (inherent and residual)
1 to 5 scale

If the consequence when the risk occurs is: | OR the likelihood of the risk occurring is: | Then the measure is defined to be:
A catastrophic impact on the organisation, threatening its existence (cash at risk > 1,000,000) | Almost certain | Catastrophic (5)
To prevent the organisation achieving all, or a major part, of its objectives for a long time (cash at risk < 1,000,000 > 100,000) | Probable | Major (4)
To stop the organisation achieving its objectives for a limited period (cash at risk < 100,000 > 30,000) | Possible | Moderate (3)
To stop the organisation achieving its objectives for a limited period (cash at risk < 30,000 > 5,000) | Unlikely | Minor (2)
To cause minor inconvenience, not affecting the achievement of objectives (cash at risk < 5,000) | Rare | Insignificant (1)

Values are examples ONLY and must be defined by the board of the organisation concerned

Figure 2  Risk significance grid: Likelihood of risk (rows) against Consequence of risk (columns).
Each cell holds likelihood x consequence and is classified Acceptable, Supplementary Issue, Issue or Unacceptable.

Likelihood of risk      Consequence of risk
                        Insignificant (1)  Minor (2)  Moderate (3)  Major (4)  Catastrophic (5)
Almost certain (5)              5             10          15           20            25
Probable (4)                    4              8          12           16            20
Possible (3)                    3              6           9           12            15
Unlikely (2)                    2              4           6            8            10
Rare (1)                        1              2           3            4             5

Classification of the scores as shown in the grid: 1 to 4 Acceptable; 6 and 8 Supplementary Issue; 9, 10 and 12 Issue; 15, 16, 20 and 25 Unacceptable. Of the two cells scoring 5, one is classified Issue and the other Supplementary Issue.
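As an added example (not the workbook's own code), the following Python scores a small constructed register on the grid above and derives the prioritised audit plan with the budget check that the RAU basics describe; the band thresholds, the residual scores, the days per audit and the last register row are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Grid axes from Appendix A (1 to 5 scale).
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Probable", 5: "Almost certain"}

# Assumed budget (days) per audit for each significance band; the page's audit
# plan carries a "next audit budget" column but gives no figures.
DAYS_PER_AUDIT = {"Unacceptable": 15, "Issue": 10, "Supplementary Issue": 5, "Acceptable": 0}


def risk_score(consequence: int, likelihood: int) -> int:
    """Cell value of the significance grid: consequence x likelihood, each 1-5."""
    if consequence not in CONSEQUENCE or likelihood not in LIKELIHOOD:
        raise ValueError("consequence and likelihood must each be an integer 1 to 5")
    return consequence * likelihood


def classify(score: int) -> str:
    """Map a grid score to one of the four bands shown in the grid.

    Thresholds are read off the extracted grid (1-4 Acceptable, 6-8 Supplementary
    Issue, 9-12 Issue, 15-25 Unacceptable). The two cells scoring 5 are split
    between Issue and Supplementary Issue on the page, so treating 5 as
    Supplementary Issue here is an assumption the board would have to confirm.
    """
    if score <= 4:
        return "Acceptable"
    if score <= 8:
        return "Supplementary Issue"
    if score <= 12:
        return "Issue"
    return "Unacceptable"


@dataclass
class Risk:
    ref: str                   # level-2 process reference, e.g. "1.1"
    process: str               # level-2 process name
    key_risk: str              # worded as the page advises: an event, not a missing control
    owner: str
    consequence: int           # inherent consequence, 1-5
    likelihood: int            # inherent likelihood, 1-5
    residual_consequence: int  # after existing controls (assumed values)
    residual_likelihood: int

    def inherent(self) -> int:
        return risk_score(self.consequence, self.likelihood)

    def residual(self) -> int:
        return risk_score(self.residual_consequence, self.residual_likelihood)


# Constructed register: the first rows copy risks and scores from Appendix B
# (Cons 5, Like 5, owner Managing Director); the residual scores and the last
# row are invented for the example.
REGISTER = [
    Risk("1.1", "Decide strategy", "The strategy does not anticipate customer demands",
         "Managing Director", 5, 5, 4, 2),
    Risk("1.1", "Decide strategy", "The strategy is too risk-averse",
         "Managing Director", 5, 5, 3, 2),
    Risk("1.2", "Communicate strategy",
         "Staff do not understand the objectives in relation to their own jobs",
         "Managing Director", 5, 5, 3, 3),
    Risk("1.3", "Deliver strategy",
         "Major projects intended to deliver the strategy are late and/or over budget",
         "Managing Director", 5, 5, 4, 4),
    Risk("1.5", "Support strategy", "Board papers are circulated late (constructed risk)",
         "Company Secretary", 2, 2, 1, 1),
]


def audit_plan(register, available_days):
    """Group risks into one audit per level-2 process, rank the audits by their
    highest inherent risk, and check the budget as the RAU basics describe.

    Returns (plan, days_required, within_budget). An audit whose top risk is
    Acceptable gets no days (assumption: it is not scheduled this year).
    """
    by_process = defaultdict(list)
    for risk in register:
        by_process[risk.ref].append(risk)
    plan = []
    for ref, risks in by_process.items():
        top_inherent = max(r.inherent() for r in risks)
        band = classify(top_inherent)
        plan.append({
            "ref": ref,
            "process": risks[0].process,
            "inherent": top_inherent,
            "residual": max(r.residual() for r in risks),
            "band": band,
            "risks": len(risks),
            "budget_days": DAYS_PER_AUDIT[band],
        })
    plan.sort(key=lambda audit: (-audit["inherent"], audit["ref"]))
    days_required = sum(audit["budget_days"] for audit in plan)
    return plan, days_required, days_required <= available_days


if __name__ == "__main__":
    plan, days, ok = audit_plan(REGISTER, available_days=40)
    for audit in plan:
        print(f"{audit['ref']:<5} {audit['process']:<22} inherent {audit['inherent']:>2} "
              f"residual {audit['residual']:>2} {audit['band']:<20} {audit['budget_days']:>2} days")
    print(f"days required {days}, available 40, sufficient: {ok}")
```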
Appendix B
Risks register
L1 Level 1 process L2 Level 2 process L3 Level 3 process
1 Define
organisation's
objectives
1 Decide strategy
1 Define
organisation's
objectives
1 Decide strategy
1 Define
organisation's
objectives
1 Decide strategy
1 Define
organisation's
objectives
2 Communicate strategy
1 Define
organisation's
objectives
3 Deliver strategy
1 Define
organisation's
objectives
3 Deliver strategy
1 Define
organisation's
objectives
3 Deliver strategy
1 Define
organisation's
objectives
4 Maintain strategy
1 Define
organisation's
objectives
4 Maintain strategy
1 Define
organisation's
objectives
5 Support strategy
2 Research new
business
opportunities
1 Define objectives
2 Research new
business
opportunities
2 Research products
David M Griffiths B Risk Register
2 Research new
business
opportunities
3 Research markets
2 Research new
business
opportunities
4 Research customers
2 Research new
business
opportunities
5 Research locations
2 Research new
business
opportunities
6 Support research
3 Obtain, and fit
out, premises
1 Define objectives
3 Obtain, and fit
out, premises
2 Obtain offices
3 Obtain, and fit
out, premises
3 Obtain factories
3 Obtain, and fit
out, premises
4 Obtain warehousing
3 Obtain, and fit
out, premises
5 Obtain retail premises
3 Obtain, and fit
out, premises
6 Maintain premises
3 Obtain, and fit
out, premises
7 Support obtaining premises
4 Purchase ggods
and services
1 Define objectives
4 Purchase ggods
and services
2 Purchase raw materials
4 Purchase ggods
and services
2 Purchase raw materials
4 Purchase ggods
and services
3 Purchase assets
4 Purchase ggods
and services
4 Purchase finished goods
4 Purchase ggods
and services
5 Purchase expense goods and
services
4 Purchase ggods
and services
5 Purchase expense goods and
services
David M Griffiths B Risk Register
4 Purchase ggods
and services
6 Support purchasing
5 Manufacture 1 Define objectives
5 Manufacture 2 Design products
5 Manufacture 3 Specify manufacturing
5 Manufacture 4 Plan manufacturing
5 Manufacture 5 Manufacture
5 Manufacture 5 Manufacture
5 Manufacture 6 Support manufacturing
6 Advertise and
promote
1 Define objectives for
promotion
6 Advertise and
promote
2 Promote in-store
6 Advertise and
promote
3 Promote to customers
6 Advertise and
promote
4 Advertise in papers
6 Advertise and
promote
5 Advertise on TV
6 Advertise and
promote
6 Support promotions
7 Store and
distribute goods
1 Define objectives for
supplying goods
7 Store and
distribute goods
2 Store goods
7 Store and
distribute goods
3 Distribute goods
7 Store and
distribute goods
4 Support supply
8 Sell goods 1 Define objectives for selling
goods
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
David M Griffiths B Risk Register
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 3 Sell to resellers
8 Sell goods 3 Sell to resellers
8 Sell goods 3 Sell to resellers
8 Sell goods 4 Sell direct
8 Sell goods 4 Sell direct
8 Sell goods 4 Sell direct
8 Sell goods 4 Sell direct
8 Sell goods 4 Sell direct
8 Sell goods 5 Support selling
9 Support the
organisation in
achieving its
objectives
1 Define objectives for
supporting the organisation
9 Support the
organisation in
achieving its
objectives
2 Prepare management
accounts
9 Support the
organisation in
achieving its
objectives
3 Prepare financial accounts
David M Griffiths B Risk Register
9 Support the
organisation in
achieving its
objectives
3 Prepare financial accounts
9 Support the
organisation in
achieving its
objectives
4 Provide staff
9 Support the
organisation in
achieving its
objectives
4 Provide staff
9 Support the
organisation in
achieving its
objectives
4 Provide staff
9 Support the
organisation in
achieving its
objectives
4 Provide staff
9 Support the
organisation in
achieving its
objectives
5 Provide systems
9 Support the
organisation in
achieving its
objectives
5 Provide systems
9 Support the
organisation in
achieving its
objectives
5 Provide systems
9 Support the
organisation in
achieving its
objectives
5 Provide systems
9 Support the
organisation in
achieving its
objectives
5 Provide systems
9 Support the
organisation in
achieving its
objectives
6 Process transactions 1 Process transactions -
purchases
9 Support the
organisation in
achieving its
objectives
6 Process transactions 2 Process transactions -
retail sales
9 Support the
organisation in
achieving its
objectives
6 Process transactions 3 Process transactions -
wholesale sales
9 Support the
organisation in
achieving its
objectives
6 Process transactions 4 Process transactions -
direct sales
David M Griffiths B Risk Register
9 Support the
organisation in
achieving its
objectives
6 Process transactions 5 Process transactions -
manufacturing stock
9 Support the
organisation in
achieving its
objectives
6 Process transactions 6 Process transactions -
wholesale stock
9 Support the
organisation in
achieving its
objectives
6 Process transactions 7 Process transactions -
store stock
9 Support the
organisation in
achieving its
objectives
6 Process transactions 8 Process transactions -
payroll
9 Support the
organisation in
achieving its
objectives
6 Process transactions 9 Process transactions -
personal expenses
9 Support the
organisation in
achieving its
objectives
6 Process transactions 10 Process transactions -
fixed assets
9 Support the
organisation in
achieving its
objectives
6 Process transactions 11 Process transactions -
cash and bank
9 Support the
organisation in
achieving its
objectives
7 Provide legal services
9 Support the
organisation in
achieving its
objectives
8 Provide tax services
9 Support the
organisation in
achieving its
objectives
9 Ensure quality
9 Support the
organisation in
achieving its
objectives
10 Ensure health & safety
9 Support the
organisation in
achieving its
objectives
11 Manage the environment
David M Griffiths B Risk Register
9 Support the
organisation in
achieving its
objectives
12 Ensure security
9 Support the
organisation in
achieving its
objectives
12 Ensure security
9 Support the
organisation in
achieving its
objectives
13 Communicate
9 Support the
organisation in
achieving its
objectives
14 Manage risks
9 Support the
organisation in
achieving its
objectives
15 Manage the assets
9 Support the
organisation in
achieving its
objectives
15 Manage the assets
9 Support the
organisation in
achieving its
objectives
16 Support the support functions
David M Griffiths B Risk Register
Reference
Business unit Process Process Description
1.1 The board Decide strategy The most senior management group (the
"board") decide on the objectives of the
organisation
1.1 The board Decide strategy The most senior management group (the
"board") decide on the objectives of the
organisation
1.1 The board Decide strategy The most senior management group (the
"board") decide on the objectives of the
organisation
1.2 The board Communicate
strategy
The objectives are communicated to all
staff in a comprehensible form
1.3 The board Deliver strategy An action plan is devised, at high level,
which will deliver the objectives
1.3 The board Deliver strategy An action plan is devised, at high level,
which will deliver the objectives
1.3 The board Deliver strategy An action plan is devised, at high level,
which will deliver the objectives
1.4 The board Maintain strategy The strategy is regularly updated to take
account of changing business conditions
1.4 The board Maintain strategy The strategy is regularly updated to take
account of changing business conditions
1.5 The board Support strategy Resources are made available to carry
out the above processes
2.1 Research and
development
Define
objectives
The objectives of the research processes
are defined
2.2 Research and
development
Research
products
Research the products, to be
manufactured or purchased, which will
achieve the organisation's objectives
David M Griffiths B Risk Register
2.3 Marketing Research
markets
Research the market segments which will
achieve the organisation's objectives
2.4 Marketing Research
customers
Research the customer profile which will
achieve the organisation's objectives
2.5 Property Research
locations
Research the locations, in-country and
abroad, which will achieve the
organisation's objectives
2.6 Administration Support
research
Resources are made available to carry
out the above processes
3.1 Property Define
objectives
The objectives of the processes for
obtaining premises are defined
3.2 Property Obtain offices Decide on the best locations for offices to
house the support staff
3.3 Property Obtain factories Decide on the best locations for factories
to manufacture products
3.4 Property Obtain
warehousing
Decide on the best location for premises
to store goods
3.5 Property Obtain retail
premises
Decide on the best location for shops
3.6 Facilities management Maintain
premises
Premises are maintained to ensure safety,
effectiveness and efficiency at all times
3.7 Administration Support
obtaining
premises
Resources are made available to carry
out the above processes
4.1 Purchasing Define
objectives
The objectives of the processes for
purchasing are defined
4.2 Purchasing Purchase raw
materials
Purchase items to manufacture goods
4.2 Purchasing Purchase raw
materials
Purchase items to manufacture goods
4.3 Purchasing Purchase assets Purchase fixed assets
4.4 Purchasing Purchase
finished goods
Purchase goods for resale
4.5 Purchasing Purchase
expense goods
and services
Purchase goods and services for the
organisation
4.5 Purchasing Purchase
expense goods
and services
Purchase utilities for the organisation
David M Griffiths B Risk Register
4.6 Administration Support
purchasing
Resources are made available to carry
out the above processes
5.1 Factory Define
objectives
The objectives of the processes for
manufacturing are defined
5.2 Factory Design products Products to be manufactured are
designed
5.3 Factory Specify
manufacturing
Specify how the products are to be
manufactured
5.4 Factory Plan
manufacturing
Plan the manufacturing schedule
5.5 Factory Manufacture Make the goods
5.5 Factory Manufacture Make the goods
5.6 Administration Support
manufacturing
Resources are made available to carry
out the above processes
6.1 Advertising Define
objectives for
promotion
The objectives of the processes for
promoting sales are defined
6.2 Advertising Promote in-store Promote goods in the retail stores through
various offers
6.3 Advertising Promote to
customers
Promote goods to resellers using offers
6.4 Advertising Advertise in
papers
Advertise goods in newspapers and
magazines
6.5 Advertising Advertise on TV Advertise on television
6.6 Administration Support
promotions
Resources are made available to carry
out the above processes
7.1 Logistics Define
objectives for
supplying goods
The objectives of the processes for
supplying goods are defined
7.2 Logistics Store goods Store goods in warehouses at stages of
the supply chain
7.3 Logistics Distribute goods Distribute goods between factories,
warehouses, stores and customers
7.4 Administration Support supply Resources are made available to carry
out the above processes
8.1 Merchandising Define
objectives for
selling goods
The objectives of the processes for selling
are defined
8.2 Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
8.2 Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
David M Griffiths B Risk Register
8.2 Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
8.2 Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
8.2 Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
8.2 Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
8.2 Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
8.2 Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
8.3 Marketing Sell to resellers Sell goods to customers who will resell
them
8.3 Marketing Sell to resellers Sell goods to customers who will resell
them
8.3 Marketing Sell to resellers Sell goods to customers who will resell
them
8.4 Internet sales Sell direct Sell direct to the public. For example,
through the internet
8.4 Internet sales Sell direct Sell direct to the public. For example,
through the internet
8.4 Internet sales Sell direct Sell direct to the public. For example,
through the internet
8.4 Internet sales Sell direct Sell direct to the public. For example,
through the internet
8.4 Internet sales Sell direct Sell direct to the public. For example,
through the internet
8.5 Administration Support selling Resources are made available to carry
out the above processes
9.1 Administration Define
objectives for
supporting the
organisation
The objectives of the processes for
supporting the organisation are defined
9.2 Management accounts Prepare
management
accounts
Collect the data from processed
transactions into accounts for
management to make decisions
9.3 Financial accounts Prepare financial
accounts
Collect the data from processed
transactions into accounts for statutory or
tax purposes
David M Griffiths B Risk Register
9.3 Financial accounts Prepare financial
accounts
Collect the data from processed
transactions into accounts for statutory or
tax purposes
9.4 Human resources Provide staff Recruit staff and manage staff policies
9.4 Human resources Provide staff Recruit staff and manage staff policies
9.4 Human resources Provide staff Recruit staff and manage staff policies
9.4 Human resources Provide staff Recruit staff and manage staff policies
9.5 Information systems Provide systems Provide systems, including computer
systems to support the organisations
operations
9.5 Information systems Provide systems Provide systems, including computer
systems to support the organisations
operations
9.5 Information systems Provide systems Provide systems, including computer
systems to support the organisations
operations
9.5 Information systems Provide systems Provide systems, including computer
systems to support the organisations
operations
9.5 Information systems Provide systems Provide systems, including computer
systems to support the organisations
operations
9.6.1 Purchase accounting
services
Process
transactions -
purchases
Receive invoices, obtain approval for
payment, pay for goods and services
9.6.2 Retail accounting
services
Process
transactions -
retail sales
Receive cash and cash equivalents at the
till, bank them and check all money is
received
9.6.3 Sales accounting
services
Process
transactions -
wholesale sales
Carry out credit checks before goods are
despatched, issue invoices and receive
payment for goods
9.6.4 Sales accounting
services
Process
transactions -
direct sales
Process the credit card payments before
authorising despatch of the goods
David M Griffiths B Risk Register
9.6.5 Factory Process
transactions -
manufacturing
stock
Receive goods against the order, update
stock records, issue the goods to
manufacture, manage stock levels,
minimise stock losses, account for stock
9.6.6 Logistics Process
David M Griffiths B Risk Register

| Ref | Business unit | Process | Description |
|---|---|---|---|
| (cont.) | | Process transactions - wholesale stock | Receive goods from the factory, or supplier, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock |
| 9.6.7 | Stock accounting services | Process transactions - store stock | Receive goods from the warehouse, update store stock records, sell the goods to customers, manage stock levels, minimise stock losses, account for stock |
| 9.6.8 | Payroll accounting services | Process transactions - payroll | Receive details of employees, their salary and working hours. Calculate pay based on these, less deductions. Pay over deductions |
| 9.6.9 | Expense accounting services | Process transactions - personal expenses | Personal expenses (for travelling) are claimed, authorised and paid |
| 9.6.10 | Fixed asset accounting services | Process transactions - fixed assets | Receive invoice details. Decide on whether to capitalise costs. Add assets to register. Attach depreciation data and calculate. |
| 9.6.11 | Cashiers accounting services | Process transactions - cash and bank | Receive cash transaction data for purchases, sales, payroll, personal expenses and other transactions. Reconcile these to transactions passing through the bank account. Follow up differences |
| 9.7 | Company Secretary | Provide legal services | Advise all areas of the company concerning action to be taken on legislation |
| 9.8 | Taxation | Provide tax services | Advise all areas of the company concerning action to be taken on tax legislation |
| 9.9 | Quality Control | Ensure quality | Ensure all goods sold meet the quality standards set by legislation and the organisation |
| 9.10 | Health and safety | Ensure health & safety | Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers |
| 9.11 | Health and safety | Manage the environment | Ensure the operations of the organisation obey all environmental laws and good practice |
| 9.12 | Security | Ensure security | The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation |
| 9.12 | Security | Ensure security | (as above) |
| 9.13 | Public relations | Communicate | Inform internal and external stakeholders of the organisation's policies and intentions |
| 9.14 | Risk manager | Manage risks | Identify, evaluate and manage risks down to the level considered acceptable by the organisation |
| 9.15 | Treasury | Manage the assets | Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives |
| 9.15 | Treasury | Manage the assets | (as above) |
| 9.16 | Administration | Support the support functions | Resources are made available to carry out the above processes |
Key risks, inherent and residual scores, responses and controls, in the order of the processes above. Scores: Cons x Like = Score; Control score = inherent score less residual score. Rows the register has not yet scored show 0 in the spreadsheet and are left blank here.

| Key risk to process | Risk source | Process owner | Inherent risk: Cons / Like / Score | Response | Control (examples) | Monitoring (examples) | Potential issue | Residual risk: Cons / Like / Score | Control score |
|---|---|---|---|---|---|---|---|---|---|
| The strategy does not anticipate customer demands | | Managing Director | 5 / 5 / 25 | | The board receives a quarterly report from outside consultants which forecasts likely trends in customer demand for the next year | The role of the non-executive directors is defined to ensure they challenge board strategy to ensure it is robust | | 5 / 1 / 5 | 20 |
| The strategy is too risk-averse | | Managing Director | 5 / 5 / 25 | | The quarterly meeting with consultants considers all possible strategy options, which are analysed objectively to ensure all are properly considered | The role of the non-executive directors is defined to ensure they challenge board strategy to ensure it is robust | | 5 / 1 / 5 | 20 |
| The objectives within the strategy are not clearly defined, financially justified or documented | | Managing Director | 5 / 5 / 25 | | The strategy is written and published on the intranet. All elements are financially justified and subject to risk modelling | The role of the non-executive directors is defined to ensure they challenge board strategy to ensure it is robust | | 5 / 1 / 5 | 20 |
| Staff do not understand the objectives in relation to their own jobs | | Managing Director | 5 / 5 / 25 | | The Company Secretary is charged with ensuring all non-sensitive information relating to company objectives and strategy is published on the intranet | A staff council exists to feed back concerns on communication to the board | | 4 / 1 / 4 | 21 |
| The action plan does not cover all objectives and does not consist of SMART targets addressed to senior management | | Managing Director | 5 / 5 / 25 | | | | | 5 / 2 / 10 | 15 |
| The organisation has not got the resources to deliver the strategy | | Managing Director | 5 / 5 / 25 | | | | | 5 / 2 / 10 | 15 |
| Major projects intended to deliver the strategy are late and/or over budget | | Managing Director | 5 / 5 / 25 | | | | | 5 / 2 / 10 | 15 |
| All staff, including the Board, fail to maintain high ethical standards, which undermines the controls necessary to achieve the organisation's objectives, including that of ensuring compliance with laws and standards | | Managing Director | 5 / 5 / 25 | | | | | 5 / 2 / 10 | 15 |
| Internal and external influences are not monitored to assess their impact on the strategy | | Managing Director | 5 / 5 / 25 | | | | | 5 / 2 / 10 | 15 |
| The resources required are not understood or are not sufficient to deliver the strategy | | | 5 / 5 / 25 | | | | | 5 / 2 / 10 | 15 |
| The objectives will not deliver the organisation's objectives effectively and efficiently | | | | | | | | | |
| The research does not identify the most effective products for achieving the objectives | | | | | | | | | |
| The research does not identify the most effective market segments for achieving the objectives | | | | | | | | | |
| The research does not identify the most effective customer segments for achieving the objectives | | | | | | | | | |
| The research does not identify the most effective locations for achieving the objectives | | | | | | | | | |
| The resources required are not understood or are not sufficient to deliver the strategy | | | | | | | | | |
| The objectives will not deliver the organisation's objectives effectively and efficiently | | | | | | | | | |
| The locations are not cost-effective, have insufficient staff in the vicinity and have poor communications | | | | | | | | | |
| The environment is not suitable for a factory, insufficient trained labour is available, property costs are too high | | | | | | | | | |
| The buildings are not suitable for storing products, costs are too high and labour is not available | | | | | | | | | |
| The locations are not cost-effective, have insufficient staff in the vicinity and are not near our target customers | | | | | | | | | |
| Poor maintenance results in injury to staff or customers | | | | | | | | | |
| The resources required are not understood or are not sufficient to deliver the strategy | | | | | | | | | |
| The objectives will not deliver the organisation's objectives effectively and efficiently | | | | | | | | | |
| The purchased items are unsuitable, too expensive or delivered late | | | | | | | | | |
| A major supplier of a vital raw material, not obtainable elsewhere, is not able to deliver | | | | | | | | | |
| Assets are not required, not suitable or too expensive | | | | | | | | | |
| Goods are not suitable, too expensive or delivered late | | | | | | | | | |
| Goods or services are not suitable, too expensive or delivered late | | | | | | | | | |
| Minimum prices for utilities are not negotiated | | | | | | | | | |
| The resources required are not understood or are not sufficient to deliver the strategy | | | | | | | | | |
| The objectives will not deliver the organisation's objectives effectively and efficiently | | | | | | | | | |
| There is no market for the product. The product is too expensive to produce | | | | | | | | | |
| The method of manufacturing specified is inefficient | | | | | | | | | |
| The schedule produces the wrong goods at the wrong time | | | | | | | | | |
| The goods are made inefficiently | | | | | | | | | |
| New environmental legislation makes the manufacturing process uneconomic | | | | | | | | | |
| The resources required are not understood or are not sufficient to deliver the strategy | | | | | | | | | |
| The objectives will not deliver the organisation's objectives effectively and efficiently | | | | | | | | | |
| Promotions do not make a profit | | | | | | | | | |
| Promotions do not make a profit | | | | | | | | | |
| Promotions do not make a profit | | | | | | | | | |
| Promotions do not make a profit | | | | | | | | | |
| The resources required are not understood or are not sufficient to deliver the strategy | | | | | | | | | |
| The objectives will not deliver the organisation's objectives effectively and efficiently | | | | | | | | | |
| Goods are damaged, or lost | | | | | | | | | |
| A strike of fuel suppliers brings transport in the UK to a stop | | | | | | | | | |
| The resources required are not understood or are not sufficient to deliver the strategy | | | | | | | | | |
| The objectives will not deliver the organisation's objectives effectively and efficiently | Board risk workshop | Merchandise Director | 5 / 5 / 25 | treat | Overall targets for sales and profits are set by the board in the annual budget. As part of the budget package the Merchandise Director outlines the action to be taken to achieve the targets. See also strategy controls | Monthly reports of sales and profits are presented to the Board, with an explanation of variances | | 5 / 1 / 5 | 20 |
| Fail to stock goods which the customers want to buy | Board risk workshop | Merchandise Director | 5 / 5 / 25 | treat | Regular visits by Merchandising Director and staff to markets which anticipate ours, e.g. the US. Attendance at trade shows. Focus groups | Quarterly presentation to Board by Merchandising Director on market trends | | 5 / 1 / 5 | 20 |
| Fail to anticipate the competitors' initiatives to take a bigger market share | Board risk workshop | Merchandise Director | 5 / 5 / 25 | treat | All competitors' advertising campaigns are monitored, with a weekly report to the Merchandising Director. | None | No checks to ensure reports are issued and acted upon | 5 / 3 / 15 | 10 |
| Prices are not competitive | Board risk workshop | Merchandise Director | 5 / 5 / 25 | treat | Competitors' prices are monitored every week, with reports going to appropriate Heads of Merchandise Departments | None | No checks to ensure reports are issued and acted upon | 5 / 2 / 10 | 15 |
| Store layout confuses customers | Board risk workshop | Merchandise Director | 4 / 4 / 16 | treat | None | None | No customer groups to report on their opinions of store layouts | 4 / 4 / 16 | 0 |
| Prices are incorrect | Board risk workshop | Merchandise Director | 4 / 5 / 20 | treat | Retail prices are input by an assistant buyer and checked by a supervisor. Prices are downloaded onto the EPOS system overnight | A gross profit exception report is generated for any changes to GP >5%. This should pick up any incorrect input of retail prices. The report is signed off by a buyer. | | 4 / 1 / 4 | 16 |
| No stock for customers to buy | Board risk workshop | Merchandise Director | 5 / 5 / 25 | treat | Each store has automatic replenishment, based on sales and PI counts in store | Computer report to buyer reports zero stocks in stores | | 5 / 1 / 5 | 20 |
| Higher minimum wage legislation makes some stores unprofitable | Board risk workshop | Merchandise Director | 5 / 5 / 25 | treat | Monthly profitability report of each store, checked by stores accountant | None | Stores accountant is not required to report exceptions to senior management | 5 / 4 / 20 | 5 |
| Poor service/quality of goods leading to customer complaints | Board risk workshop | Merchandise Director | 5 / 5 / 25 | treat | All customer complaints logged on a database. Monthly report to the Merchandise Managers, with comments on action being taken | Copy of report sent to Merchandising Director and summaries are put on the intranet | | 5 / 1 / 5 | 20 |
| A major customer goes bankrupt | Board risk workshop | Marketing Director | 4 / 4 / 16 | transfer with insurance | Credit control procedures prevent orders being sent to customers who pay late. Overseas debts are insured. | Head of Accounting Services examines Aged Trial Balance each month and follows up overdue debts | | 4 / 1 / 4 | 12 |
| No stock for customers to buy | Board risk workshop | Marketing Director | 5 / 5 / 25 | treat | Computer report produced which estimates stock holding and orders necessary to ensure 3 weeks stock holding. Report checked by Senior Buyer | Head of Production also receives report and ensures orders have been received where necessary. | | 5 / 1 / 5 | 20 |
| Poor service/quality of goods leading to customer complaints | Board risk workshop | Marketing Director | 5 / 5 / 25 | treat | All customer complaints logged on a database. Monthly report to the Merchandise Managers, with comments on action being taken | Copy of report sent to Marketing Director and summaries are put on the intranet | | 5 / 1 / 5 | 20 |
| Poor service/quality of goods leading to customer complaints | Board risk workshop | Merchandise Director | 4 / 5 / 20 | treat | All customer complaints logged on a database. Monthly report to the Merchandise Managers, with comments on action being taken | Copy of report sent to Merchandising Director and summaries are put on the intranet | | 5 / 1 / 5 | 15 |
| Fraudulent credit cards used | Finance Director interview | Merchandise Director | 4 / 5 / 20 | treat | Credit card details checked to external database of fraudulent cards | Report of fraudulent transactions sent to Head of Security. | | 4 / 1 / 4 | 16 |
| No stock for customers to buy | Logistics Director interview | Merchandise Director | 4 / 5 / 20 | treat | Computer report produced which estimates stock holding and orders necessary to ensure 3 weeks stock holding. Report checked by Senior Buyer | Computer report to buyer reports zero stocks in warehouse | | 4 / 1 / 4 | 16 |
| Internet sites unavailable | Board risk workshop | Merchandise Director | 4 / 5 / 20 | tolerate | An external internet provider is used who has back-up computers available in the event of hardware and comms failure | Service agreement with provider commits to 99% availability or compensation | | 4 / 1 / 4 | 16 |
| Goods are lost | Board risk workshop | Merchandise Director | 4 / 5 / 20 | tolerate | Reputable carrier used. Value of goods is relatively low and missing goods are replaced without question | Report of lost goods sent to Head of Security. | | 4 / 1 / 4 | 16 |
| The resources required are not understood or are not sufficient to deliver the strategy | Board risk workshop | Merchandise Director | 5 / 5 / 25 | treat | Various reports (out of stock, late deliveries) will indicate if insufficient staff are available | Failure to achieve targets may indicate shortage of staff | There is no succession plan, or any attempt to anticipate staff required in the future | 5 / 3 / 15 | 10 |
| The objectives will not deliver the organisation's objectives effectively and efficiently | | | | | | | | | |
| Management accounts do not provide timely information on which to make decisions | | | | | | | | | |
| Financial accounts are issued which do not comply with UK law | | | | | | | | | |
| The organisation is not prepared for the International Accounting Standards (IAS) | | | | | | | | | |
| High-calibre staff are not recruited and retained | | | | | | | | | |
| Properly qualified staff are not available to take vacancies | | | | | | | | | |
| Staff are not properly trained | | | | | | | | | |
| Staff successfully claim unfair dismissal | | | | | | | | | |
| A virus brings down all computer systems for a week | | | | | | | | | |
| Data is lost | | | | | | | | | |
| Data or programs are corrupted | | | | | | | | | |
| Major hardware failure | | | | | | | | | |
| Major network failure | | | | | | | | | |
| Payment is made where the organisation has not received the goods or services at the price and quality ordered | | | | | | | | | |
| Cash taken at the till is not banked | | | | | | | | | |
| Goods are sold to customers who cannot pay for them | | | | | | | | | |
| Fail to pass transaction details to the credit card company | | | | | | | | | |
| Stock is incorrectly valued | | | | | | | | | |
| Stock is incorrectly valued | | | | | | | | | |
| Stock is incorrectly valued | | | | | | | | | |
| Receive incorrect data from stores on hours worked and new employees | | | | | | | | | |
| Expenses were not incurred | | | | | | | | | |
| Revenue expenditure capitalised, or capital expenditure put to revenue | | | | | | | | | |
| Differences not cleared | | | | | | | | | |
| The impact of legislation is not anticipated, which results in considerable costs | | | | | | | | | |
| Schemes to minimise tax are not used | | | | | | | | | |
| Poor quality goods harm the organisation's reputation | | | | | | | | | |
| A failure in H & S occurs which results in bad publicity and law suits | | | | | | | | | |
| An environmental disaster occurs at one of the organisation's premises | | | | | | | | | |
| Confidential information is stolen | | | | | | | | | |
| Offices are destroyed by fire | | | | | | | | | |
| The London Stock Exchange is given information which cannot be substantiated | | | | | | | | | |
| The external and internal risks threatening the objectives, and related processes, of the organisation are not understood or mitigated | | | | | | | | | |
| Financial contracts are set up which open the company to significant losses | | | | | | | | | |
| Working capital is not optimised | | | | | | | | | |
| The resources required are not understood or are not sufficient to deliver the strategy | | | | | | | | | |
Appendix C
Assessing the organisation's risk maturity
(A more detailed matrix is included in the IIA Guidance Note An Approach to Implementing Risk Based Internal Auditing)

| | Risk naive | Risk aware | Risk defined | Risk managed | Risk enabled |
|---|---|---|---|---|---|
| Key characteristics (see IIA statement Risk Based Internal Auditing) | No formal approach developed for risk management | Scattered silo based approach to risk management | Strategy and policies in place and communicated. Risk appetite defined | Enterprise approach to risk management developed and communicated | Risk management and internal controls fully embedded into the operations |
| Internal Audit approach | Promote risk management and rely on audit risk assessment | Promote enterprise-wide approach to risk management and rely on audit risk assessment | Facilitate risk management/liaise with risk management and use management assessment of risk where appropriate | Audit risk management processes and use management assessment of risk as appropriate | Audit risk management processes and use management assessment of risk as appropriate |

Process questions and audit tests. In the matrix each question is marked No, In part or Yes against each maturity level. Core IA roles are in brackets - see IIA statement The Role of Internal Audit in Enterprise-wide Risk Management.

| Process | Audit test |
|---|---|
| Are the organisation's objectives defined? | Check the organisation's objectives are determined by the board and have been communicated to all staff. Check other objectives and targets are consistent with the organisation's objectives. (1) |
| Have management been trained to understand what risks are, and their responsibility for them? | Interview managers to confirm their understanding of risk and the extent to which they manage it. (1) |
| Has a scoring system for assessing risks been defined? | Check the scoring system has been approved, communicated and is used. (2) |
| Have processes been defined to determine risks, and have these been followed? | Examine the processes to ensure they are sufficient to ensure identification of all risks. Check they are in use, by examining the output from any workshops. (1) |
| Have all risks been collected into one list? Have risks been allocated to specific job titles? | Examine the Risk Universe. Ensure it is complete, regularly reviewed, assessed and used to manage risks. Risks are allocated to managers. (1) |
| Have all risks been assessed in accordance with the defined scoring system? | Check the scoring applied to a selection of risks is consistent with the policy. Look for consistency (that is, similar risks have similar scores). (2) |
| Have responses to the risks (e.g. controls) been selected and implemented? | Examine the risk register to ensure proper controls should be in place. (3) |
| Have management set up controls to monitor the proper operation of key controls? | For significant risks, examine the control(s) treating it and ensure management would know if the control failed. (5) |
| Are risks regularly reviewed by the organisation? | Check for evidence that a thorough review process is regularly carried out. (1) |
| Has the risk appetite of the organisation been defined in terms of the scoring system? | Check the document on which the controlling body has approved the risk appetite. Ensure it is consistent with the scoring system and has been communicated. (1) |
| Have management reported risks to directors where responses are not managing the risks to a level acceptable to the board? | For risks above the risk appetite, check that the board has been formally informed of their existence. (4) |
| Are all significant new projects routinely assessed for risk? | Examine project proposals for an analysis of the risks which might threaten them. (1) |
| Is responsibility for the determination, assessment, and management of risks included in job descriptions? | Examine job descriptions. Check the instructions for setting up job descriptions. (1) |
| Do managers provide assurance on the effectiveness of their risk management? | Examine the assurance provided. For key risks, check that controls and the management system of monitoring are operating. (4) |
| Are managers assessed on their risk management performance? | Examine a sample of appraisals for evidence that risk management was properly assessed for performance. (1) |
Appendix D
Process map for an organisation (levels 1 and 2)

The map is centred on the organisation's objectives. Each level 1 process is listed with its level 2 processes.

Define objectives: Decide strategy; Maintain strategy; Deliver strategy; Communicate strategy; Support strategy
Research: Define objectives; Research markets; Research products; Research locations; Research customers; Support research
Obtain premises: Define objectives; Obtain factories; Obtain offices; Obtain retail premises; Obtain warehousing; Support obtaining premises
Purchase: Define objectives; Purchase assets; Purchase raw materials; Purchase expense goods; Purchase finished goods; Support purchasing
Manufacture: Define objectives; Design products; Specify manufacturing; Plan manufacturing; Manufacture; Support manufacturing
Promote: Define objectives; Promote to customers; Promote in-store; Advertise on TV; Advertise in papers; Support promotions
Supply: Define objectives; Store goods; Distribute goods; Support distribution
Sell: Define objectives; Sell to resellers; Sell in stores; Sell direct; Support sales
Support: Define objectives; Prepare financial accounts; Prepare management accounts; Provide systems; Provide staff; Process transactions; Provide legal services; Provide tax services; Ensure quality; Ensure health & safety; Manage the environment; Ensure security; Communicate; Manage risks; Manage assets; Support the support services
E Audit Universe
List of all audits, in business unit order
Business
unit
Process Process Description
Last audit
number
Administration Support manufacturing Resources are made available to carry
out the above processes
Administration Support promotions Resources are made available to carry
out the above processes
Administration Support supply Resources are made available to carry
out the above processes
Administration Support selling Resources are made available to carry
out the above processes
Administration Define objectives for supporting
the organisation
The objectives of the processes for
supporting the organisation are defined
Administration Support the support functions Resources are made available to carry
out the above processes
Administration Support research Resources are made available to carry
out the above processes
Administration Support obtaining premises Resources are made available to carry
out the above processes
Administration Support purchasing Resources are made available to carry
out the above processes
Advertising Define objectives for promotion The objectives of the processes for
promoting sales are defined
Advertising Promote in-store Promote goods in the retail stores through
various offers
Advertising Promote to customers Promote goods to resellers using offers
Advertising Advertise on TV Advertise on television
Advertising Advertise in papers Advertise goods in newspapers and
magazines
Cashiers
accounting
services
Process transactions - cash
and bank
Receive cash transaction data for
purchases, sales, payroll, personal
expenses and other transactions.
Reconcile these to transactions passing
through the bank account. Follow-up
differences
Company
Secretary
Provide legal services Advise all areas of the company
concerning action to be taken on
legislation
Expense
accounting
services
Process transactions - personal
expenses
Personal expenses (for travelling) are
claimed, authorised and paid
Facilities
management
Maintain premises Premises are maintained to ensure
safety, effectiveness and efficiency at all
times
Factory Plan manufacturing Plan the manufacturing schedule
Factory Manufacture Make the goods
Factory Manufacture Make the goods
Last audit details
David M Griffiths E Audit Universe
Factory Process transactions -
manufacturing stock
Receive goods against the order, update
stock records, issue the goods to
manufacture, manage stock levels,
minimise stock losses, account for stock
Factory Define objectives The objectives of the processes for
manufacturing are defined
Factory Design products Products to be manufactured are
designed
Factory Specify manufacturing Specify how the products are to be
manufactured
Financial
accounts
Prepare financial accounts Collect the data from processed
transactions into accounts for statutory or
tax purposes
Financial
accounts
Prepare financial accounts Collect the data from processed
transactions into accounts for statutory or
tax purposes
Fixed asset
accounting
services
Process transactions - fixed
assets
Receive invoice details. Decide on
whether to capitalise costs. Add assets to
register. Attach depreciation data and
calculate.
Health and
safety
Ensure health & safety Ensure the organisation complies with
legislation and good practice to ensure
the safety of staff and customers
Health and
safety
Manage the environment Ensure the operations of the organisation
obey all environmental laws and good
practice
Human
resources
Provide staff Recruit staff and manage staff policies
Human
resources
Provide staff Recruit staff and manage staff policies
Human
resources
Provide staff Recruit staff and manage staff policies
Human
resources
Provide staff Recruit staff and manage staff policies
Information
systems
Provide systems Provide systems, including computer
systems to support the organisations
operations
Information
systems
Provide systems Provide systems, including computer
systems to support the organisations
operations
Information
systems
Provide systems Provide systems, including computer
systems to support the organisations
operations
Information
systems
Provide systems Provide systems, including computer
systems to support the organisations
operations
Information
systems
Provide systems Provide systems, including computer
systems to support the organisations
operations
Internet sales Sell direct Sell direct to the public. For example,
through the internet
Internet sales Sell direct Sell direct to the public. For example,
through the internet
130
Internet sales Sell direct Sell direct to the public. For example,
through the internet
If the audit budget shows only days for the audits due next year, then this calculation will show if
David M Griffiths E Audit Universe
Internet sales Sell direct Sell direct to the public. For example,
through the internet
Internet sales Sell direct Sell direct to the public. For example,
through the internet
Logistics Define objectives for supplying
goods
The objectives of the processes for
supplying goods are defined
Logistics Store goods Store goods in warehouses at stages of
the supply chain
Logistics Distribute goods Distribute goods between factories,
warehouses, stores and customers
Logistics Process transactions -
wholesale stock
Receive goods from the factory, or
supplier,, update stock records, issue the
goods to manufacture, manage stock
levels, minimise stock losses, account for
stock
Management
accounts
Prepare management accounts Collect the data from processed
transactions into accounts for
management to make decisions
Marketing Sell to resellers Sell goods to customers who will resell
them
Marketing Sell to resellers Sell goods to customers who will resell
them
Marketing Sell to resellers Sell goods to customers who will resell
them
Marketing Research markets Research the market segments which will
achieve the organisation's objectives
Marketing Research customers Research the customer profile which will
achieve the organisation's objectives
Merchandising Define objectives for selling
goods
The objectives of the processes for selling
are defined
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
143
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Payroll
accounting
services
Process transactions - payroll Receive details of employees, their salary
and working hours. Calculate pay based
on these, less deductions. Pay over
deductions
Property Research locations Research the locations, in-country and
abroad, which will achieve the
organisation's objectives
David M Griffiths E Audit Universe
Property Define objectives The objectives of the processes for
obtaining premises are defined
210
Property Obtain offices Decide on the best locations for offices to
house the support staff
Property Obtain factories Decide on the best locations for factories
to manufacture products
Property Obtain warehousing Decide on the best location for premises
to store goods
Property Obtain retail premises Decide on the best location for shops
Public relations Communicate Inform internal and external stakeholders
of the organisation's policies and
intentions
Purchase
accounting
services
Process transactions -
purchases
Receive invoices, obtain approval for
payment, pay for goods and services
Purchasing Define objectives The objectives of the processes for
purchasing are defined
Purchasing Purchase raw materials Purchase items to manufacture goods
Purchasing Purchase raw materials Purchase items to manufacture goods
Purchasing Purchase assets Purchase fixed assets
Purchasing Purchase finished goods Purchase goods for resale
Purchasing Purchase expense goods and
services
Purchase goods and services for the
organisation
Purchasing Purchase expense goods and
services
Purchase utilities for the organisation
Quality Control Ensure quality Ensure all goods sold meet the quality
standards set by legislation and the
organisation
Research and
development
Define objectives The objectives of the research processes
are defined
Research and
development
Research products Research the products, to be
manufactured or purchased, which will
achieve the organisation's objectives
Retail
accounting
services
Process transactions - retail
sales
Receive cash and cash equivalents at the
till, bank them and check all money is
received
Risk manager Manage risks Identify, evaluate and manage risks down
to the level considered acceptable by the
organisation
Sales
accounting
services
Process transactions -
wholesale sales
Carry out credit checks before goods are
despatched, issue invoices and receive
payment for goods
Sales
accounting
services
Process transactions - direct
sales
Process the credit card payments before
authorising despatch of the goods
Security Ensure security The physical security of tangible and
intangible assets, and staff and
customers, is maintained at all times to
ensure the continued operation of the
organisation
David M Griffiths E Audit Universe
Security Ensure security The physical security of tangible and
intangible assets, and staff and
customers, is maintained at all times to
ensure the continued operation of the
organisation
Stock
accounting
services
Process transactions - store
stock
Receive goods from the warehouse,
update store stock records, sell the goods
to customers, manage stock levels,
minimise stock losses, account for stock
Taxation Provide tax services Advise all areas of the company
concerning action to be taken on tax
legislation
The board Decide strategy The most senior management group (the
"board") decide on the objectives of the
organisation
The board Deliver strategy An action plan is devised, at high level,
which will deliver the objectives
The board Deliver strategy An action plan is devised, at high level,
which will deliver the objectives
The board Deliver strategy An action plan is devised, at high level,
which will deliver the objectives
The board Maintain strategy The strategy is regularly updated to take
account of changing business conditions
203
The board Maintain strategy The strategy is regularly updated to take
account of changing business conditions
The board Support strategy Resources are made available to carry
out the above processes
Treasury Manage the assets Ensure that assets of the organisation,
particularly cash, are maintained at
Treasury Manage the assets Ensure that assets of the organisation,
particularly cash, are maintained at
If the audit budget shows only days for the
David M Griffiths E Audit Universe
Last audit name Last audit
Budget
Last audit
actual
Last
timing
Last
auditor
Last final
report
Target
Final
report
achieved
Manufacturing resource
planning
Promotions resource
planning
Supply resource planning
Selling resource planning
Support strategy
Support resource planning
Research resource planning
Location resource planning
Purchase resource planning
Selling strategy
Retail promotions
Wholesale promotions
TV advertising
Newspaper advertising
Bank and cash
Provision of legal services
Personal expenses
Maintenance of premises
Scheduling manufacture
Production accounting
Environmental audit
Last audit details
Manufacturing stock
Manufacturing strategy
Product design
Manufacturing specification
Financial accounting
Project - IAS
Fixed assets
Health and safety
Environmental
Recruitment
Succession planning
Staff training
Staff policies
Virus checking
Back-up procedures
Access controls
IS contingency plans - hardware
IS contingency plans - communications
Stock control
Internet sales | 15 | 14 | Mar-05 | Heath | 5-Apr-05 | 5-Apr-05
Internet sales
If the audit budget shows only days for the audits due next year, then this calculation will show if
Internet sales See above
Complaints procedures
Supply strategy
Warehouse operations
Distribution
Wholesale stock
Management accounting
Stock control
Accounts receivable
Complaints procedures
Market research
Market research
Selling strategy
Market anticipation
Market anticipation
Store planning
Price file maintenance
Stock control | 20 | 22 | Sep-06 | Smith | 1-Oct-04 | 3-Oct-04
Store accounts
Pricing policy
Complaints procedures
Payroll
Geographic research
Location strategy | 50 | 45 | 2004 | Murphy | 10/28/2004 | 10/28/2004
Locating offices
Locating factories
Locating warehouses
Locating shops
Communications
Accounts Payable
Purchasing strategy
Purchasing for manufacture
Purchasing for manufacture
Purchase of assets
Purchase of goods for resale
Purchase of expense goods and services
Purchase of expense goods and services
Quality control
Research strategy
Product research
Retail cash takings
Risk management
Accounts receivable See above
Internet sales See above
Site security
Contingency planning
Retail stock
Provision of tax services
Organisation's strategy
Delivery of strategy
Delivery of strategy
(Projects are individually audited)
Ethical guidelines | 20 | 23 | 2003 | Smith | 6/23/2003 | 6/28/2003
Monitoring of external influences
(Carried out within the above audits)
Treasury
Working capital
Last result | Audit plan date | Next audit number | Next audit name | Next audit budget | Next timing
Manufacturing resource planning
Promotions resource planning
Supply resource planning
Selling resource planning
Support strategy
Support resource planning
Research resource planning
Location resource planning
Purchase resource planning
Selling strategy
Retail promotions
Wholesale promotions
TV advertising
Newspaper advertising
Bank and cash
Provision of legal services
Personal expenses
Maintenance of premises
Scheduling manufacture
Production accounting
Environmental audit
Last audit details Next audit details
Manufacturing stock
Manufacturing strategy
Product design
Manufacturing specification
Financial accounting
Project - IAS
Fixed assets
Health and safety
Environmental
Recruitment
Succession planning
Staff training
Staff policies
Virus checking
Back-up procedures
Access controls
IS contingency plans - hardware
IS contingency plans - communications
Stock control
Issues | 2006 | 201 | Internet sales | 14 | Oct-06
Internet sales
Internet sales
207 Complaints procedures (see above)
Supply strategy
Warehouse operations
Distribution
Wholesale stock
Management accounting
Stock control | 20 | Oct-06
Accounts receivable | 10 | Aug-06
207 | Complaints procedures (see above)
Market research
Market research
200 | Selling strategy | 10 | Jan-06
201 | Market anticipation | 20 | Jan-06
201 | Market anticipation (see above)
203 | Store planning | 15 | Mar-06
204 | Price file maintenance | 20 | Apr-06
Acceptable | 2006 | 205 | Stock control | 22 | Sep-06
206 | Store accounts | 10 | Jun-06
202 | Pricing policy | 20 | Feb-06
207 | Complaints procedures | 30 | Jul-06
Payroll
Geographic research
Unacceptable | 253 | Location strategy | Jones
Locating offices
Locating factories
Locating warehouses
Locating shops
Communications
Accounts Payable
Purchasing strategy
Purchasing for manufacture
Purchasing for manufacture
Purchase of assets
Purchase of goods for resale
Purchase of expense goods and services
Purchase of expense goods and services
Quality control
Research strategy
Product research
Retail cash takings
Risk management
Accounts receivable
Internet sales
Site security
Contingency planning
Retail stock
Provision of tax services
Organisation's strategy
Delivery of strategy
Delivery of strategy
(Projects are individually audited)
Acceptable | 2006 | 250 | Ethical guidelines | Q1 2005
Monitoring of external influences
(Carried out within the above audits)
Treasury
Working capital
Next auditor | Status | Next final report target | Next final report achieved | 2006 opinion on risk
Next audit details
Heath | To start | TBA
Smith | To start | TBA
Khan | To start | TBA
Smith | To start | 18-Jan-06
Khan | To start | 18-Feb-06
Smith | To start | 24-Mar-06
Heath | To start | TBA
Khan | To start | TBA
Smith | To start | TBA
Heath | To start | 27-Feb-06
Heath | To start | TBA
To start | 8/20/2005
Patel | To start
Appendix F
Risk and Audit Universe
L1 | Level 1 process | L2 | Level 2 process | L3 | Level 3 process
1 | Define organisation's objectives | 1 | Decide strategy
1 | Define organisation's objectives | 1 | Decide strategy
1 | Define organisation's objectives | 1 | Decide strategy
1 | Define organisation's objectives | 2 | Communicate strategy
1 | Define organisation's objectives | 3 | Deliver strategy
1 | Define organisation's objectives | 3 | Deliver strategy
1 | Define organisation's objectives | 3 | Deliver strategy
1 | Define organisation's objectives | 4 | Maintain strategy
1 | Define organisation's objectives | 4 | Maintain strategy
1 | Define organisation's objectives | 5 | Support strategy
2 | Research new business opportunities | 1 | Define objectives
2 | Research new business opportunities | 2 | Research products
2 | Research new business opportunities | 3 | Research markets
David M Griffiths F Risk and audit universe
2 | Research new business opportunities | 4 | Research customers
2 | Research new business opportunities | 5 | Research locations
2 | Research new business opportunities | 6 | Support research
3 | Obtain, and fit out, premises | 1 | Define objectives
3 | Obtain, and fit out, premises | 2 | Obtain offices
3 | Obtain, and fit out, premises | 3 | Obtain factories
3 | Obtain, and fit out, premises | 4 | Obtain warehousing
3 | Obtain, and fit out, premises | 5 | Obtain retail premises
3 | Obtain, and fit out, premises | 6 | Maintain premises
3 | Obtain, and fit out, premises | 7 | Support obtaining premises
4 | Purchase goods and services | 1 | Define objectives
4 | Purchase goods and services | 2 | Purchase raw materials
4 | Purchase goods and services | 2 | Purchase raw materials
4 | Purchase goods and services | 3 | Purchase assets
4 | Purchase goods and services | 4 | Purchase finished goods
4 | Purchase goods and services | 5 | Purchase expense goods and services
4 | Purchase goods and services | 5 | Purchase expense goods and services
4 | Purchase goods and services | 6 | Support purchasing
5 | Manufacture | 1 | Define objectives
5 | Manufacture | 2 | Design products
5 | Manufacture | 3 | Specify manufacturing
5 | Manufacture | 4 | Plan manufacturing
5 | Manufacture | 5 | Manufacture
5 | Manufacture | 5 | Manufacture
5 | Manufacture | 6 | Support manufacturing
6 | Advertise and promote | 1 | Define objectives for promotion
6 | Advertise and promote | 2 | Promote in-store
6 | Advertise and promote | 3 | Promote to customers
6 | Advertise and promote | 4 | Advertise in papers
6 | Advertise and promote | 5 | Advertise on TV
6 | Advertise and promote | 6 | Support promotions
7 | Store and distribute goods | 1 | Define objectives for supplying goods
7 | Store and distribute goods | 2 | Store goods
7 | Store and distribute goods | 3 | Distribute goods
7 | Store and distribute goods | 4 | Support supply
8 | Sell goods | 1 | Define objectives for selling goods
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 3 | Sell to resellers
8 | Sell goods | 3 | Sell to resellers
8 | Sell goods | 3 | Sell to resellers
8 | Sell goods | 4 | Sell direct
8 | Sell goods | 4 | Sell direct
8 | Sell goods | 4 | Sell direct
8 | Sell goods | 4 | Sell direct
8 | Sell goods | 4 | Sell direct
8 | Sell goods | 5 | Support selling
9 | Support the organisation in achieving its objectives | 1 | Define objectives for supporting the organisation
9 | Support the organisation in achieving its objectives | 2 | Prepare management accounts
9 | Support the organisation in achieving its objectives | 3 | Prepare financial accounts
9 | Support the organisation in achieving its objectives | 3 | Prepare financial accounts
9 | Support the organisation in achieving its objectives | 4 | Provide staff
9 | Support the organisation in achieving its objectives | 4 | Provide staff
9 | Support the organisation in achieving its objectives | 4 | Provide staff
9 | Support the organisation in achieving its objectives | 4 | Provide staff
9 | Support the organisation in achieving its objectives | 5 | Provide systems
9 | Support the organisation in achieving its objectives | 5 | Provide systems
9 | Support the organisation in achieving its objectives | 5 | Provide systems
9 | Support the organisation in achieving its objectives | 5 | Provide systems
9 | Support the organisation in achieving its objectives | 5 | Provide systems
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 1 | Process transactions - purchases
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 2 | Process transactions - retail sales
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 3 | Process transactions - wholesale sales
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 4 | Process transactions - direct sales
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 5 | Process transactions - manufacturing stock
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 6 | Process transactions - wholesale stock
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 7 | Process transactions - store stock
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 8 | Process transactions - payroll
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 9 | Process transactions - personal expenses
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 10 | Process transactions - fixed assets
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 11 | Process transactions - cash and bank
9 | Support the organisation in achieving its objectives | 7 | Provide legal services
9 | Support the organisation in achieving its objectives | 8 | Provide tax services
9 | Support the organisation in achieving its objectives | 9 | Ensure quality
9 | Support the organisation in achieving its objectives | 10 | Ensure health & safety
9 | Support the organisation in achieving its objectives | 11 | Manage the environment
9 | Support the organisation in achieving its objectives | 12 | Ensure security
9 | Support the organisation in achieving its objectives | 12 | Ensure security
9 | Support the organisation in achieving its objectives | 13 | Communicate
9 | Support the organisation in achieving its objectives | 14 | Manage risks
9 | Support the organisation in achieving its objectives | 15 | Manage the assets
9 | Support the organisation in achieving its objectives | 15 | Manage the assets
9 | Support the organisation in achieving its objectives | 16 | Support the support functions
Reference | Business unit | Process
1.1 | The board | Decide strategy
1.1 | The board | Decide strategy
1.1 | The board | Decide strategy
1.2 | The board | Communicate strategy
1.3 | The board | Deliver strategy
1.3 | The board | Deliver strategy
1.3 | The board | Deliver strategy
1.4 | The board | Maintain strategy
1.4 | The board | Maintain strategy
1.5 | The board | Support strategy
2.1 | Research and development | Define objectives
2.2 | Research and development | Research products
2.3 | Marketing | Research markets
2.4 | Marketing | Research customers
2.5 | Property | Research locations
2.6 | Administration | Support research
3.1 | Property | Define objectives
3.2 | Property | Obtain offices
3.3 | Property | Obtain factories
3.4 | Property | Obtain warehousing
3.5 | Property | Obtain retail premises
3.6 | Facilities management | Maintain premises
3.7 | Administration | Support obtaining premises
4.1 | Purchasing | Define objectives
4.2 | Purchasing | Purchase raw materials
4.2 | Purchasing | Purchase raw materials
4.3 | Purchasing | Purchase assets
4.4 | Purchasing | Purchase finished goods
4.5 | Purchasing | Purchase expense goods and services
4.5 | Purchasing | Purchase expense goods and services
4.6 | Administration | Support purchasing
5.1 | Factory | Define objectives
5.2 | Factory | Design products
5.3 | Factory | Specify manufacturing
5.4 | Factory | Plan manufacturing
5.5 | Factory | Manufacture
5.5 | Factory | Manufacture
5.6 | Administration | Support manufacturing
6.1 | Advertising | Define objectives for promotion
6.2 | Advertising | Promote in-store
6.3 | Advertising | Promote to customers
6.4 | Advertising | Advertise in papers
6.5 | Advertising | Advertise on TV
6.6 | Administration | Support promotions
7.1 | Logistics | Define objectives for supplying goods
7.2 | Logistics | Store goods
7.3 | Logistics | Distribute goods
7.4 | Administration | Support supply
8.1 | Merchandising | Define objectives for selling goods
8.2 | Merchandising | Sell in stores
8.2 | Merchandising | Sell in stores
8.2 | Merchandising | Sell in stores
8.2 | Merchandising | Sell in stores
8.2 | Merchandising | Sell in stores
8.2 | Merchandising | Sell in stores
8.2 | Merchandising | Sell in stores
8.2 | Merchandising | Sell in stores
8.3 | Marketing | Sell to resellers
8.3 | Marketing | Sell to resellers
8.3 | Marketing | Sell to resellers
8.4 | Internet sales | Sell direct
8.4 | Internet sales | Sell direct
8.4 | Internet sales | Sell direct
8.4 | Internet sales | Sell direct
8.4 | Internet sales | Sell direct
8.5 | Administration | Support selling
9.1 | Administration | Define objectives for supporting the organisation
9.2 | Management accounts | Prepare management accounts
9.3 | Financial accounts | Prepare financial accounts
9.3 | Financial accounts | Prepare financial accounts
9.4 | Human resources | Provide staff
9.4 | Human resources | Provide staff
9.4 | Human resources | Provide staff
9.4 | Human resources | Provide staff
9.5 | Information systems | Provide systems
9.5 | Information systems | Provide systems
9.5 | Information systems | Provide systems
9.5 | Information systems | Provide systems
9.5 | Information systems | Provide systems
9.6.1 | Purchase accounting services | Process transactions - purchases
9.6.2 | Retail accounting services | Process transactions - retail sales
9.6.3 | Sales accounting services | Process transactions - wholesale sales
9.6.4 | Sales accounting services | Process transactions - direct sales
9.6.5 | Factory | Process transactions - manufacturing stock
9.6.6 | Logistics | Process transactions - wholesale stock
9.6.7 | Stock accounting services | Process transactions - store stock
9.6.8 | Payroll accounting services | Process transactions - payroll
9.6.9 | Expense accounting services | Process transactions - personal expenses
9.6.10 | Fixed asset accounting services | Process transactions - fixed assets
9.6.11 | Cashiers accounting services | Process transactions - cash and bank
9.7 | Company Secretary | Provide legal services
9.8 | Taxation | Provide tax services
9.9 | Quality Control | Ensure quality
9.10 | Health and safety | Ensure health & safety
9.11 | Health and safety | Manage the environment
9.12 | Security | Ensure security
9.12 | Security | Ensure security
9.13 | Public relations | Communicate
9.14 | Risk manager | Manage risks
9.15 | Treasury | Manage the assets
9.15 | Treasury | Manage the assets
9.16 | Administration | Support the support functions
Process description | Key risk to process
The most senior management group (the "board") decide on the objectives of the organisation | The strategy does not anticipate customer demands
The most senior management group (the "board") decide on the objectives of the organisation | The strategy is too risk-averse
The most senior management group (the "board") decide on the objectives of the organisation | The objectives within the strategy are not clearly defined, financially justified or documented
The objectives are communicated to all staff in a comprehensible form | Staff do not understand the objectives in relation to their own jobs
An action plan is devised, at high level, which will deliver the objectives | The action plan does not cover all objectives and does not consist of SMART targets addressed to senior management
An action plan is devised, at high level, which will deliver the objectives | The organisation has not got the resources to deliver the strategy
An action plan is devised, at high level, which will deliver the objectives | Major projects intended to deliver the strategy are late and/or over budget
The strategy is regularly updated to take account of changing business conditions | All staff, including the Board, fail to maintain high ethical standards, which undermines the controls necessary to achieve the organisation's objectives, including that of ensuring compliance with laws and standards
The strategy is regularly updated to take account of changing business conditions | Internal and external influences are not monitored to assess their impact on the strategy
Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy
The objectives of the research processes are defined | The objectives will not deliver the organisation's objectives effectively and efficiently
Research the products, to be manufactured or purchased, which will achieve the organisation's objectives | The research does not identify the most effective products for achieving the objectives
Research the market segments which will achieve the organisation's objectives | The research does not identify the most effective market segments for achieving the objectives
Research the customer profile which will achieve the organisation's objectives | The research does not identify the most effective customer segments for achieving the objectives
Research the locations, in-country and abroad, which will achieve the organisation's objectives | The research does not identify the most effective locations for achieving the objectives
Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy
The objectives of the processes for obtaining premises are defined | The objectives will not deliver the organisation's objectives effectively and efficiently
Decide on the best locations for offices to house the support staff | The locations are not cost-effective, have insufficient staff in the vicinity and have poor communications
Decide on the best locations for factories to manufacture products | The environment is not suitable for a factory, insufficient trained labour is available, property costs are too high
Decide on the best location for premises to store goods | The buildings are not suitable for storing products, costs are too high and labour is not available
Decide on the best location for shops | The locations are not cost-effective, have insufficient staff in the vicinity and are not near our target customers
Premises are maintained to ensure safety, effectiveness and efficiency at all times | Poor maintenance results in injury to staff or customers
Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy
The objectives of the processes for purchasing are defined | The objectives will not deliver the organisation's objectives effectively and efficiently
Purchase items to manufacture goods | The purchased items are unsuitable, too expensive or delivered late
Purchase items to manufacture goods | A major supplier of a vital raw material, not obtainable elsewhere, is not able to deliver
Purchase fixed assets | Assets are not required, not suitable or too expensive
Purchase goods for resale | Goods are not suitable, too expensive or delivered late
Purchase goods and services for the organisation | Goods or services are not suitable, too expensive or delivered late
Purchase utilities for the organisation | Minimum prices for utilities are not negotiated
Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy
The objectives of the processes for manufacturing are defined | The objectives will not deliver the organisation's objectives effectively and efficiently
Products to be manufactured are designed | There is no market for the product. The product is too expensive to produce
Specify how the products are to be manufactured | The method of manufacturing specified is inefficient
Plan the manufacturing schedule | The schedule produces the wrong goods at the wrong time
Make the goods | The goods are made inefficiently
Make the goods | New environmental legislation makes the manufacturing process uneconomic
Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy
The objectives of the processes for promoting sales are defined | The objectives will not deliver the organisation's objectives effectively and efficiently
Promote goods in the retail stores through various offers | Promotions do not make a profit
Promote goods to resellers using offers | Promotions do not make a profit
Advertise goods in newspapers and magazines | Promotions do not make a profit
Advertise on television | Promotions do not make a profit
Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy
The objectives of the processes for supplying goods are defined | The objectives will not deliver the organisation's objectives effectively and efficiently
Store goods in warehouses at stages of the supply chain | Goods are damaged, or lost
Distribute goods between factories, warehouses, stores and customers | A strike of fuel suppliers brings transport in the UK to a stop
Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy
The objectives of the processes for selling are defined | The objectives will not deliver the organisation's objectives effectively and efficiently
Sell goods in stores operated by the organisation, or franchised | Fail to stock goods which the customers want to buy
Sell goods in stores operated by the organisation, or franchised | Fail to anticipate the competitors' initiatives to take a bigger market share
Sell goods in stores operated by the organisation, or franchised | Prices are not competitive
Sell goods in stores operated by the organisation, or franchised | Store layout confuses customers
Sell goods in stores operated by the organisation, or franchised | Prices are incorrect
Sell goods in stores operated by the organisation, or franchised | No stock for customers to buy
Sell goods in stores operated by the organisation, or franchised | Higher minimum wage legislation makes some stores unprofitable
Sell goods in stores operated by the organisation, or franchised | Poor service/quality of goods leading to customer complaints
Sell goods to customers who will resell them | A major customer goes bankrupt
Sell goods to customers who will resell them | No stock for customers to buy
Sell goods to customers who will resell them | Poor service/quality of goods leading to customer complaints
Sell direct to the public. For example, through the internet | Poor service/quality of goods leading to customer complaints
Sell direct to the public. For example, through the internet | Fraudulent credit cards used
Sell direct to the public. For example, through the internet | No stock for customers to buy
Sell direct to the public. For example, through the internet | Internet sites unavailable
Sell direct to the public. For example, through the internet | Goods are lost
Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy
The objectives of the processes for supporting the organisation are defined | The objectives will not deliver the organisation's objectives effectively and efficiently
Collect the data from processed transactions into accounts for management to make decisions | Management accounts do not provide timely information on which to make decisions
Collect the data from processed transactions into accounts for statutory or tax purposes | Financial accounts are issued which do not comply with UK law
Collect the data from processed transactions into accounts for statutory or tax purposes | The organisation is not prepared for the International Accounting Standards (IAS)
Recruit staff and manage staff policies | High-calibre staff are not recruited and retained
Recruit staff and manage staff policies | Properly qualified staff are not available to take vacancies
Recruit staff and manage staff policies | Staff are not properly trained
Recruit staff and manage staff policies | Staff successfully claim unfair dismissal
Provide systems, including computer systems, to support the organisation's operations | A virus brings down all computer systems for a week
Provide systems, including computer systems, to support the organisation's operations | Data is lost
Provide systems, including computer systems, to support the organisation's operations | Data or programs are corrupted
Provide systems, including computer systems, to support the organisation's operations | Major hardware failure
Provide systems, including computer systems, to support the organisation's operations | Major network failure
Receive invoices, obtain approval for payment, pay for goods and services | Payment is made where the organisation has not received the goods or services at the price and quality ordered
Receive cash and cash equivalents at the till, bank them and check all money is received | Cash taken at the till is not banked
Carry out credit checks before goods are despatched, issue invoices and receive payment for goods | Goods are sold to customers who cannot pay for them
Process the credit card payments before authorising despatch of the goods | Fail to pass transaction details to the credit card company
Receive goods against the order, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock | Stock is incorrectly valued
Receive goods from the factory, or supplier, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock | Stock is incorrectly valued
Receive goods from the warehouse, update store stock records, sell the goods to customers, manage stock levels, minimise stock losses, account for stock | Stock is incorrectly valued
Receive details of employees, their salary and working hours. Calculate pay based on these, less deductions. Pay over deductions | Receive incorrect data from stores on hours worked and new employees
Personal expenses (for travelling) are claimed, authorised and paid | Expenses were not incurred
Receive invoice details. Decide on whether to capitalise costs. Add assets to register. Attach depreciation data and calculate. | Revenue expenditure capitalised, or capital expenditure put to revenue
Receive cash transaction data for purchases, sales, payroll, personal expenses and other transactions. Reconcile these to transactions passing through the bank account. Follow up differences | Differences not cleared
Advise all areas of the company concerning action to be taken on legislation | The impact of legislation is not anticipated, which results in considerable costs
Advise all areas of the company concerning action to be taken on tax legislation | Schemes to minimise tax are not used
Ensure all goods sold meet the quality standards set by legislation and the organisation | Poor quality goods harm the organisation's reputation
Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers | A failure in H & S occurs which results in bad publicity and law suits
Ensure the operations of the organisation obey all environmental laws and good practice | An environmental disaster occurs at one of the organisation's premises
The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation | Confidential information is stolen
The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation | Offices are destroyed by fire
Inform internal and external stakeholders of the organisation's policies and intentions | The London Stock Exchange is given information which cannot be substantiated
Identify, evaluate and manage risks down to the level considered acceptable by the organisation | The external and internal risks threatening the objectives, and related processes, of the organisation are not understood or mitigated
Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives | Financial contracts are set up which open the company to significant losses
Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives | Working capital is not optimised
Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy
Risk source | Process owner | Cons | Like | Score | Response
Managing Director | 5 | 5 | 25
Managing Director | 5 | 5 | 25
Managing Director | 5 | 5 | 25
Managing Director | 5 | 5 | 25
Managing Director | 5 | 5 | 25
Managing Director | 5 | 5 | 25
Managing Director | 5 | 5 | 25
Managing Director | 5 | 5 | 25
Managing Director | 5 | 5 | 25
5 | 5 | 25
Inherent risks
Board risk workshop | Merchandise Director | 5 | 5 | 25 | treat
Board risk workshop | Merchandise Director | 5 | 5 | 25 | treat
Board risk workshop | Merchandise Director | 5 | 5 | 25 | treat
Board risk workshop | Merchandise Director | 5 | 5 | 25 | treat
Board risk workshop | Merchandise Director | 4 | 4 | 16 | treat
Board risk workshop | Merchandise Director | 4 | 5 | 20 | treat
Board risk workshop | Merchandise Director | 5 | 5 | 25 | treat
Board risk workshop | Merchandise Director | 5 | 5 | 25 | treat
Board risk workshop | Merchandise Director | 5 | 5 | 25 | treat
Board risk workshop | Marketing Director | 4 | 4 | 16 | transfer with insurance
Board risk workshop | Marketing Director | 5 | 5 | 25 | treat
Board risk workshop | Marketing Director | 5 | 5 | 25 | treat
Board risk workshop | Merchandise Director | 4 | 5 | 20 | treat
Finance Director interview | Merchandise Director | 4 | 5 | 20 | treat
Logistics Director interview | Merchandise Director | 4 | 5 | 20 | treat
Board risk workshop | Merchandise Director | 4 | 5 | 20 | tolerate
Board risk workshop | Merchandise Director | 4 | 5 | 20 | tolerate
Board risk workshop | Merchandise Director | 5 | 5 | 25 | treat
Control (examples) Monitoring (examples)
Control: The board receives a quarterly report from outside consultants which forecasts likely trends in customer demand for the next year.
Monitoring: The role of the non-executive directors is defined to ensure they challenge board strategy and that it is robust.

Control: The quarterly meeting with the consultants considers all possible strategy options, which are analysed objectively to ensure all are properly considered.
Monitoring: The role of the non-executive directors is defined to ensure they challenge board strategy and that it is robust.

Control: The strategy is written and published on the intranet. All elements are financially justified and subject to risk modelling.
Monitoring: The role of the non-executive directors is defined to ensure they challenge board strategy and that it is robust.

Control: The Company Secretary is charged with ensuring all non-sensitive information relating to company objectives and strategy is published on the intranet.
Monitoring: A staff council exists to feed back concerns on communication to the board.

1. Control: Overall targets for sales and profits are set by the board in the annual budget. As part of the budget package the Merchandise Director outlines the action to be taken to achieve the targets. See also strategy controls.
   Monitoring: Monthly reports of sales and profits are presented to the Board, with an explanation of variances.
2. Control: Regular visits by the Merchandising Director and staff to markets which anticipate ours, e.g. the US. Attendance at trade shows. Focus groups.
   Monitoring: Quarterly presentation to the Board by the Merchandising Director on market trends.
3. Control: All competitors' advertising campaigns are monitored, with a weekly report to the Merchandising Director.
   Monitoring: None
4. Control: Competitors' prices are monitored every week, with reports going to the appropriate Heads of Merchandise Departments.
   Monitoring: None
5. Control: None
   Monitoring: None
6. Control: Retail prices are input by an assistant buyer and checked by a supervisor. Prices are downloaded onto the EPOS system overnight.
   Monitoring: A gross profit exception report is generated for any change to GP of more than 5%. This should pick up any incorrect input of retail prices. The report is signed off by a buyer.
7. Control: Each store has automatic replenishment, based on sales and PI counts in store.
   Monitoring: Computer report to the buyer reports zero stocks in stores.
8. Control: Monthly profitability report for each store, checked by the stores accountant.
   Monitoring: None
9. Control: All customer complaints are logged on a database. Monthly report to the Merchandise Managers, with comments on the action being taken.
   Monitoring: Copy of the report sent to the Merchandising Director, and summaries are put on the intranet.
10. Control: Credit control procedures prevent orders being sent to customers who pay late. Overseas debts are insured.
    Monitoring: The Head of Accounting Services examines the Aged Trial Balance each month and follows up overdue debts.
11. Control: Computer report produced which estimates stock holding and the orders necessary to ensure 3 weeks' stock holding. Report checked by the Senior Buyer.
    Monitoring: The Head of Production also receives the report and ensures orders have been received where necessary.
12. Control: All customer complaints are logged on a database. Monthly report to the Merchandise Managers, with comments on the action being taken.
    Monitoring: Copy of the report sent to the Marketing Director, and summaries are put on the intranet.
13. Control: All customer complaints are logged on a database. Monthly report to the Merchandise Managers, with comments on the action being taken.
    Monitoring: Copy of the report sent to the Merchandising Director, and summaries are put on the intranet.
14. Control: Credit card details are checked against an external database of fraudulent cards.
    Monitoring: Report of fraudulent transactions sent to the Head of Security.
15. Control: Computer report produced which estimates stock holding and the orders necessary to ensure 3 weeks' stock holding. Report checked by the Senior Buyer.
    Monitoring: Computer report to the buyer reports zero stocks in the warehouse.
16. Control: An external internet provider is used who has back-up computers available in the event of hardware and communications failure.
    Monitoring: Service agreement with the provider commits to 99% availability or compensation.
17. Control: Reputable carrier used. The value of the goods is relatively low and missing goods are replaced without question.
    Monitoring: Report of lost goods sent to the Head of Security.
18. Control: Various reports (out of stock, late deliveries) will indicate if insufficient staff are available.
    Monitoring: Failure to achieve targets may indicate a shortage of staff.
Potential issue | Cons | Like | Score | Control score | Audit action
5 1 5 20
5 1 5 20
5 1 5 20
4 1 4 21
5 2 10 15
5 2 10 15
5 2 10 15
5 2 10 15
5 2 10 15
5 2 10 15
Residual risks
1. - | 5 | 1 | 5 | 20 | audit
2. - | 5 | 1 | 5 | 20 | audit
3. No checks to ensure reports are issued and acted upon | 5 | 3 | 15 | 10 | consultancy
4. No checks to ensure reports are issued and acted upon | 5 | 2 | 10 | 15 | consultancy
5. No customer groups to report on their opinions of store layouts | 4 | 4 | 16 | 0 | consultancy
6. - | 4 | 1 | 4 | 16 | audit
7. - | 5 | 1 | 5 | 20 | audit
8. Stores accountant is not required to report exceptions to senior management | 5 | 4 | 20 | 5 | consultancy
9. - | 5 | 1 | 5 | 20 | audit
10. - | 4 | 1 | 4 | 12 | audit insurance cover
11. - | 5 | 1 | 5 | 20 | audit
12. - | 5 | 1 | 5 | 20 | audit
13. - | 5 | 1 | 5 | 15 | audit
14. - | 4 | 1 | 4 | 16 | audit
15. - | 4 | 1 | 4 | 16 | audit
16. - | 4 | 1 | 4 | 16 | check contingency plans
17. - | 4 | 1 | 4 | 16 | audit
18. There is no succession plan, or any attempt to anticipate the staff required in the future | 5 | 3 | 15 | 10 | consultancy
If the audit budget shows only days for the audits due next year, then this calculation will show if the resources available are sufficient to complete all of the audits.

Audit group | Audit name | Last audit: number; budget/actual days; timing; auditor; final report target / achieved; result | Next audit: plan date; number; budget days; timing
A | Organisation's strategy | - | -
A | Organisation's strategy | - | -
A | Organisation's strategy | - | -
A | Organisation's strategy | - | -
B | Delivery of strategy | - | -
B | Delivery of strategy | - | -
C | (Projects are individually audited) | - | -
D | Ethical guidelines | 203; 20/23; 2003; Smith; 6/23/2003 / 6/28/2003; acceptable | 2006; 250; -; Q1 2005
E | Monitoring of external influences (carried out within the above audits) | - | -
F | Research strategy | - | -
G | Product research | - | -
G | Market research | - | -
H | Market research | - | -
I | Geographic research | - | -
J | Research resource planning | - | -
K | Location strategy | 210; 50/45; 2004; Murphy; 10/28/2004 / 10/28/2004; unacceptable | -; 253; Jones
L | Locating offices | - | -
M | Locating factories | - | -
N | Locating warehouses | - | -
O | Locating shops | - | -
CE | Maintenance of premises | - | -
P | Location resource planning | - | -
Q | Purchasing strategy | - | -
R | Purchasing for manufacture | - | -
R | Purchasing for manufacture | - | -
S | Purchase of assets | - | -
T | Purchase of goods for resale | - | -
U | Purchase of expense goods and services | - | -
U | Purchase of expense goods and services | - | -
V | Purchase resource planning | - | -
X | Manufacturing strategy | - | -
Y | Product design | - | -
Z | Manufacturing specification | - | -
AA | Scheduling manufacture | - | -
AB | Production accounting | - | -
AC | Environmental audit | - | -
AD | Manufacturing resource planning | - | -
AE | Selling strategy | - | -
AF | Retail promotions | - | -
AG | Wholesale promotions | - | -
BD | Newspaper advertising | - | -
AH | TV advertising | - | -
AI | Promotions resource planning | - | -
AJ | Supply strategy | - | -
AK | Warehouse operations | - | -
AL | Distribution | - | -
AM | Supply resource planning | - | -
AN | Selling strategy | - | -; 200; 10; Jan-06
AO | Market anticipation | - | -; 201; 20; Jan-06
AO | Market anticipation | - | 201 (see above)
CE | Pricing policy | - | -; 202; 20; Feb-06
AP | Store planning | - | -; 203; 15; Mar-06
AQ | Price file maintenance | - | -; 204; 20; Apr-06
AR | Stock control | 143; 20/22; Sep-06; Smith; 1-Oct-04 / 3-Oct-04; acceptable | 2006; 205; 22; Sep-06
AS | Store accounts | - | -; 206; 10; Jun-06
CF | Complaints procedures | - | -; 207; 30; Jul-06
AT | Accounts receivable | - | -; -; 10; Aug-06
AR | Stock control | - | -; -; 20; Oct-06
CF | Complaints procedures | - | 207 (see above)
CF | Complaints procedures | - | 207 (see above)
AU | Internet sales | 130; 15/14; Mar-05; Heath; 5-Apr-05 / 5-Apr-05; issues | 2006; 201; 14; Oct-06
AR | Stock control | - | -
AU | Internet sales | - | -
AU | Internet sales | see above | -
AV | Selling resource planning | - | -
AW | Support strategy | - | -
AX | Management accounting | - | -
AY | Financial accounting | - | -
Project audit | Project - IAS | - | -
AZ | Recruitment | - | -
BA | Succession planning | - | -
BB | Staff training | - | -
BC | Staff policies | - | -
BE | Virus checking | - | -
BF | Back-up procedures | - | -
BG | Access controls | - | -
BH | IS contingency plans - hardware | - | -
BI | IS contingency plans - communications | - | -
BJ | Accounts Payable | - | -
BK | Retail cash takings | - | -
AT | Accounts receivable | see above | -
AU | Internet sales | see above | -
BL | Manufacturing stock | - | -
BM | Wholesale stock | - | -
BN | Retail stock | - | -
BO | Payroll | - | -
BP | Personal expenses | - | -
BQ | Fixed assets | - | -
BR | Bank and cash | - | -
BS | Provision of legal services | - | -
BT | Provision of tax services | - | -
BU | Quality control | - | -
BV | Health and safety | - | -
BW | Environmental | - | -
BX | Site security | - | -
BY | Contingency planning | - | -
BZ | Communications | - | -
CA | Risk management | - | -
CB | Treasury | - | -
CC | Working capital | - | -
CD | Support resource planning | - | -
TOTAL of next audit budgets (days): 191
Available auditors: 3
Weekdays (auditors x 52 x 5): 780
Holidays: 75
Training: 15
Projects: 100
Secondments: 100
Total available for the above audits: 490
Surplus/deficit: 299
Next audit details (continued): Next auditor | Status | Next final report target | Next final report achieved | 2006 opinion on risk
Patel | To start | - | - | -
- | To start | 8/20/2005 | - | -
Smith | To start | 18-Jan-06 | - | -
Khan | To start | 18-Feb-06 | - | -
Heath | To start | 27-Feb-06 | - | -
Smith | To start | 24-Mar-06 | - | -
Heath | To start | TBA | - | -
Khan | To start | TBA | - | -
Smith | To start | TBA | - | -
Heath | To start | TBA | - | -
Khan | To start | TBA | - | -
Smith | To start | TBA | - | -
Heath | To start | TBA | - | -
Appendix G
Risk and Audit Universe - details of columns
L1: Level 1 risk number. Corresponds to the Risk database
Level 1 process: Name of the process
L2: Level 2 risk number. Corresponds to the Risk database
Level 2 process: Name of the process
L3: Level 3 risk number
Level 3 process: Name of the process
Reference: Unique reference number for the process
Process: Title of the process
Process Description: A brief description of what the process does. Any more details should be filed in the audit file
Risk: The threat to the process. There may be several risks to one process, or one risk may threaten several processes
Risk source: Who identified the risk (management, risk workshop, auditor, meeting)
Process owner: Job title of the person responsible for ensuring the risk is controlled, and therefore for the monitoring controls
IRC: Inherent risk consequence score
IRL: Inherent risk likelihood score
IRS: Inherent risk scores multiplied (Inherent Risk Significance score)
Response: Tolerate, Terminate, Transfer, Treat
Control: Direct response to the risk
Monitoring control: Management's response to ensure the control is operating properly
Potential issue: Identifies a possible issue where the controls do not seem sufficient. Occurs if the residual score is greater than 8
RRC: Residual risk consequence score
RRL: Residual risk likelihood score
RRS: Residual risk scores multiplied (Residual Risk Significance score)
Audit action: Audit; no audit (risk below risk appetite); assurance available from last audit; consultancy (residual risk above risk appetite); not covered due to lack of resources; etc.
Audit Group: Letter(s) given in order to group several risks into one audit (if necessary). They will not necessarily be in order, as new risks, with associated audits, will be added and some may be removed
Control score: Inherent Risk Significance minus Residual Risk Significance score

Last audit columns:
Last audit number: Unique number given to each audit. This is the number of the last audit to cover this risk
Audit name: Name given to the audit
Last audit Budget: Approximate number of auditor-days the audit should take. This aids resource planning
Last audit actual: Number of days the last audit actually required
Last timing: Month/year of the last audit
Last auditor: Names of the principal auditors
Last final report Target: Target date for producing the report (from the scope)
Final report achieved: Date on which the final report was actually issued
Last result: Conclusion of the last audit (acceptable/issues/unacceptable)

Current/Next audit columns:
Audit plan date: The date of the audit plan which includes the next audit (for example 2006/7)
Next audit number: Unique number given to each audit. This is the number of the next audit to cover this risk, if it has been allocated
Next audit name: Audit name. Will usually be the same as for the last audit, but could be different if this risk has been included in another audit
Next audit Budget: Approximate number of auditor-days the audit should take, based on the last audit's actual time. This aids resource planning
Next timing: Expected quarter/year of the next audit, if it can be allocated
Next auditor: Name(s) of the auditors, if allocated
Status: Status of the audit (planning/fieldwork/reporting) while it is in progress
Next final report target: Target date for producing the report (from the scope)
Next final report Achieved: Actual date the final report was issued
2006 opinion on risk: The opinion as to whether the risk was being properly managed

When the final report from the "next audit" has been issued, its details are moved into the "last audit" columns.
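The column key above describes the RAU's computed columns in words: significance is consequence times likelihood on a 1 to 5 scale, the control score is inherent minus residual significance, a potential issue is flagged when the residual score exceeds 8, the audit action follows from where the scores sit against the risk appetite, and the foot of the audit plan turns auditor headcount into days available. The Python below is an added example written for this page, not code from the workbook or the book it supports. The names (RiskRow, audit_action, available_days and so on) and the sample rows are mine; the scores in the sample rows are copied from the Merchandising rows earlier in this appendix. Treating 8 as the risk appetite boundary follows the "residual score > 8" rule in the key but is an assumption, as is applying that boundary to the inherent score for the "no audit" case, which the key does not spell out.

```python
# Added example: a small model of the RAU scoring and audit-action rules.
# Not code from the workbook or the book; names and sample rows are mine.
from dataclasses import dataclass

# The column key flags a "potential issue" when the residual score exceeds 8,
# so 8 is taken here as the risk appetite boundary on the 5 x 5 grid (assumption).
RISK_APPETITE = 8
RESPONSES = ("tolerate", "terminate", "transfer", "treat")  # the four Ts


@dataclass
class RiskRow:
    risk: str
    owner: str
    irc: int        # inherent consequence, 1-5
    irl: int        # inherent likelihood, 1-5
    response: str   # one of RESPONSES
    rrc: int        # residual consequence, 1-5
    rrl: int        # residual likelihood, 1-5


def significance(consequence: int, likelihood: int) -> int:
    """IRS / RRS column: consequence multiplied by likelihood."""
    for value in (consequence, likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"{value} is outside the 1-5 scale")
    return consequence * likelihood


def inherent_score(row: RiskRow) -> int:
    return significance(row.irc, row.irl)


def residual_score(row: RiskRow) -> int:
    rrs = significance(row.rrc, row.rrl)
    # Controls can only reduce a risk; a residual above the inherent score is
    # a keying error in the register, so refuse it rather than score it.
    if rrs > inherent_score(row):
        raise ValueError(f"residual {rrs} exceeds inherent for {row.risk!r}")
    return rrs


def control_score(row: RiskRow) -> int:
    """Control score column: inherent minus residual significance."""
    return inherent_score(row) - residual_score(row)


def potential_issue(row: RiskRow) -> bool:
    """Potential issue column: controls look insufficient when residual > 8."""
    return residual_score(row) > RISK_APPETITE


def audit_action(row: RiskRow) -> str:
    """Audit action column, following the column key: no audit when the risk
    is within appetite, consultancy when the residual risk is above appetite,
    otherwise audit the controls. Testing the inherent score for the
    "no audit" case is an assumption of this example."""
    if row.response not in RESPONSES:
        raise ValueError(f"unknown response {row.response!r}")
    if inherent_score(row) <= RISK_APPETITE:
        return "no audit"
    if potential_issue(row):
        return "consultancy"
    return "audit"


def available_days(auditors: int, holidays: int, training: int,
                   projects: int, secondments: int) -> int:
    """Auditor-days left for planned audits: auditors * 52 * 5 less the
    non-audit time, as in the resource calculation at the foot of the plan."""
    return auditors * 52 * 5 - holidays - training - projects - secondments


def plan_surplus(next_audit_budgets, days: int) -> int:
    """Surplus/deficit: positive means the year's plan fits the resource."""
    return days - sum(next_audit_budgets)


# Constructed rows: scores copied from the page's Merchandising examples,
# risk wording is mine. The last row is a constructed within-appetite case.
SAMPLE_ROWS = [
    RiskRow("Retail prices entered incorrectly", "Merchandise Director", 5, 5, "treat", 5, 1),
    RiskRow("Competitor advertising not acted on", "Merchandise Director", 5, 5, "treat", 5, 3),
    RiskRow("Store layouts not what customers want", "Merchandise Director", 4, 4, "treat", 4, 4),
    RiskRow("Overseas customers do not pay", "Marketing Director", 4, 4, "transfer", 4, 1),
    RiskRow("Minor stationery overspend", "Finance Director", 2, 3, "tolerate", 2, 3),
]


def summarise(rows):
    """One dict per register row with the computed RAU columns."""
    return [
        {"risk": r.risk, "IRS": inherent_score(r), "RRS": residual_score(r),
         "control score": control_score(r), "issue": potential_issue(r),
         "action": audit_action(r)}
        for r in rows
    ]


if __name__ == "__main__":
    for line in summarise(SAMPLE_ROWS):
        print(line)
    days = available_days(3, 75, 15, 100, 100)
    budgets = [10, 20, 20, 15, 20, 22, 10, 30, 10, 20, 14]  # the plan's 191 days
    print("available", days, "surplus", plan_surplus(budgets, days))
```

Running the file prints one line per sample row and then the 490 days available against the 191-day plan. The residual-above-inherent check is the one a reviewer of a register most often needs: a control cannot make a risk bigger, so such a row is a keying error, not a score, and is better rejected at entry than carried into the audit plan.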
Appendix H
Audit plan (sorted by next audit number)
L1 | Level 1 process | L2 | Level 2 process | L3 | Level 3 process
8 | Sell goods | 2 | Sell in stores | - | -
8 | Sell goods | 4 | Sell direct | - | -
8 | Sell goods | 2 | Sell in stores | - | -
8 | Sell goods | 4 | Sell direct | - | -
1 | Define organisation's objectives | 4 | Maintain strategy | - | -
3 | Obtain, and fit out, premises | 1 | Define objectives | - | -
8 | Sell goods | 1 | Define objectives for selling goods | - | -
8 | Sell goods | 2 | Sell in stores | - | -
8 | Sell goods | 2 | Sell in stores | - | -
8 | Sell goods | 2 | Sell in stores | - | -
8 | Sell goods | 2 | Sell in stores | - | -
8 | Sell goods | 2 | Sell in stores | - | -
8 | Sell goods | 2 | Sell in stores | - | -
8 | Sell goods | 3 | Sell to resellers | - | -
1 | Define organisation's objectives | 1 | Decide strategy | - | -
1 | Define organisation's objectives | 1 | Decide strategy | - | -
1 | Define organisation's objectives | 1 | Decide strategy | - | -
1 | Define organisation's objectives | 2 | Communicate strategy | - | -
1 | Define organisation's objectives | 3 | Deliver strategy | - | -
1 | Define organisation's objectives | 3 | Deliver strategy | - | -
1 | Define organisation's objectives | 3 | Deliver strategy | - | -
1 | Define organisation's objectives | 4 | Maintain strategy | - | -
1 | Define organisation's objectives | 5 | Support strategy | - | -
2 | Research new business opportunities | 1 | Define objectives | - | -
2 | Research new business opportunities | 2 | Research products | - | -
2 | Research new business opportunities | 3 | Research markets | - | -
2 | Research new business opportunities | 4 | Research customers | - | -
2 | Research new business opportunities | 5 | Research locations | - | -
2 | Research new business opportunities | 6 | Support research | - | -
3 | Obtain, and fit out, premises | 2 | Obtain offices | - | -
3 | Obtain, and fit out, premises | 3 | Obtain factories | - | -
3 | Obtain, and fit out, premises | 4 | Obtain warehousing | - | -
3 | Obtain, and fit out, premises | 5 | Obtain retail premises | - | -
3 | Obtain, and fit out, premises | 6 | Maintain premises | - | -
3 | Obtain, and fit out, premises | 7 | Support obtaining premises | - | -
4 | Purchase goods and services | 1 | Define objectives | - | -
4 | Purchase goods and services | 2 | Purchase raw materials | - | -
4 | Purchase goods and services | 2 | Purchase raw materials | - | -
4 | Purchase goods and services | 3 | Purchase assets | - | -
4 | Purchase goods and services | 4 | Purchase finished goods | - | -
4 | Purchase goods and services | 5 | Purchase expense goods and services | - | -
4 | Purchase goods and services | 5 | Purchase expense goods and services | - | -
4 | Purchase goods and services | 6 | Support purchasing | - | -
5 | Manufacture | 1 | Define objectives | - | -
5 | Manufacture | 2 | Design products | - | -
5 | Manufacture | 3 | Specify manufacturing | - | -
5 | Manufacture | 4 | Plan manufacturing | - | -
5 | Manufacture | 5 | Manufacture | - | -
5 | Manufacture | 5 | Manufacture | - | -
5 | Manufacture | 6 | Support manufacturing | - | -
6 | Advertise and promote | 1 | Define objectives for promotion | - | -
6 | Advertise and promote | 2 | Promote in-store | - | -
6 | Advertise and promote | 3 | Promote to customers | - | -
6 | Advertise and promote | 4 | Advertise in papers | - | -
6 | Advertise and promote | 5 | Advertise on TV | - | -
6 | Advertise and promote | 6 | Support promotions | - | -
7 | Store and distribute goods | 1 | Define objectives for supplying goods | - | -
7 | Store and distribute goods | 2 | Store goods | - | -
7 | Store and distribute goods | 3 | Distribute goods | - | -
7 | Store and distribute goods | 4 | Support supply | - | -
8 | Sell goods | 3 | Sell to resellers | - | -
8 | Sell goods | 3 | Sell to resellers | - | -
8 | Sell goods | 4 | Sell direct | - | -
8 | Sell goods | 4 | Sell direct | - | -
8 | Sell goods | 4 | Sell direct | - | -
8 | Sell goods | 5 | Support selling | - | -
9 | Support the organisation in achieving its objectives | 1 | Define objectives for supporting the organisation | - | -
9 | Support the organisation in achieving its objectives | 2 | Prepare management accounts | - | -
9 | Support the organisation in achieving its objectives | 3 | Prepare financial accounts | - | -
9 | Support the organisation in achieving its objectives | 3 | Prepare financial accounts | - | -
9 | Support the organisation in achieving its objectives | 4 | Provide staff | - | -
9 | Support the organisation in achieving its objectives | 4 | Provide staff | - | -
9 | Support the organisation in achieving its objectives | 4 | Provide staff | - | -
9 | Support the organisation in achieving its objectives | 4 | Provide staff | - | -
9 | Support the organisation in achieving its objectives | 5 | Provide systems | - | -
9 | Support the organisation in achieving its objectives | 5 | Provide systems | - | -
9 | Support the organisation in achieving its objectives | 5 | Provide systems | - | -
9 | Support the organisation in achieving its objectives | 5 | Provide systems | - | -
9 | Support the organisation in achieving its objectives | 5 | Provide systems | - | -
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 1 | Process transactions - purchases
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 2 | Process transactions - retail sales
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 3 | Process transactions - wholesale sales
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 4 | Process transactions - direct sales
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 5 | Process transactions - manufacturing stock
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 6 | Process transactions - wholesale stock
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 7 | Process transactions - store stock
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 8 | Process transactions - payroll
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 9 | Process transactions - personal expenses
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 10 | Process transactions - fixed assets
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 11 | Process transactions - cash and bank
9 | Support the organisation in achieving its objectives | 7 | Provide legal services | - | -
9 | Support the organisation in achieving its objectives | 8 | Provide tax services | - | -
9 | Support the organisation in achieving its objectives | 9 | Ensure quality | - | -
9 | Support the organisation in achieving its objectives | 10 | Ensure health & safety | - | -
9 | Support the organisation in achieving its objectives | 11 | Manage the environment | - | -
9 | Support the organisation in achieving its objectives | 12 | Ensure security | - | -
9 | Support the organisation in achieving its objectives | 12 | Ensure security | - | -
9 | Support the organisation in achieving its objectives | 13 | Communicate | - | -
9 | Support the organisation in achieving its objectives | 14 | Manage risks | - | -
9 | Support the organisation in achieving its objectives | 15 | Manage the assets | - | -
9 | Support the organisation in achieving its objectives | 15 | Manage the assets | - | -
9 | Support the organisation in achieving its objectives | 16 | Support the support functions | - | -
Reference | Business unit | Process | Process description
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.4 | Internet sales | Sell direct | Sell direct to the public, for example through the internet
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.4 | Internet sales | Sell direct | Sell direct to the public, for example through the internet
1.4 | The board | Maintain strategy | The strategy is regularly updated to take account of changing business conditions
3.1 | Property | Define objectives | The objectives of the processes for obtaining premises are defined
8.1 | Merchandising | Define objectives for selling goods | The objectives of the processes for selling are defined
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.3 | Marketing | Sell to resellers | Sell goods to customers who will resell them
1.1 | The board | Decide strategy | The most senior management group (the "board") decides on the objectives of the organisation
1.1 | The board | Decide strategy | The most senior management group (the "board") decides on the objectives of the organisation
1.1 | The board | Decide strategy | The most senior management group (the "board") decides on the objectives of the organisation
1.2 | The board | Communicate strategy | The objectives are communicated to all staff in a comprehensible form
1.3 | The board | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives
1.3 | The board | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives
1.3 | The board | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives
1.4 | The board | Maintain strategy | The strategy is regularly updated to take account of changing business conditions
1.5 | The board | Support strategy | Resources are made available to carry out the above processes
2.1 | Research and development | Define objectives | The objectives of the research processes are defined
2.2 | Research and development | Research products | Research the products, to be manufactured or purchased, which will achieve the organisation's objectives
2.3 | Marketing | Research markets | Research the market segments which will achieve the organisation's objectives
2.4 | Marketing | Research customers | Research the customer profile which will achieve the organisation's objectives
2.5 | Property | Research locations | Research the locations, in-country and abroad, which will achieve the organisation's objectives
2.6 | Administration | Support research | Resources are made available to carry out the above processes
3.2 | Property | Obtain offices | Decide on the best locations for offices to house the support staff
3.3 | Property | Obtain factories | Decide on the best locations for factories to manufacture products
3.4 | Property | Obtain warehousing | Decide on the best location for premises to store goods
3.5 | Property | Obtain retail premises | Decide on the best location for shops
3.6 | Facilities management | Maintain premises | Premises are maintained to ensure safety, effectiveness and efficiency at all times
3.7 | Administration | Support obtaining premises | Resources are made available to carry out the above processes
4.1 | Purchasing | Define objectives | The objectives of the processes for purchasing are defined
4.2 | Purchasing | Purchase raw materials | Purchase items to manufacture goods
4.2 | Purchasing | Purchase raw materials | Purchase items to manufacture goods
4.3 | Purchasing | Purchase assets | Purchase fixed assets
4.4 | Purchasing | Purchase finished goods | Purchase goods for resale
4.5 | Purchasing | Purchase expense goods and services | Purchase goods and services for the organisation
4.5 | Purchasing | Purchase expense goods and services | Purchase utilities for the organisation
4.6 | Administration | Support purchasing | Resources are made available to carry out the above processes
5.1 | Factory | Define objectives | The objectives of the processes for manufacturing are defined
5.2 | Factory | Design products | Products to be manufactured are designed
5.3 | Factory | Specify manufacturing | Specify how the products are to be manufactured
5.4 | Factory | Plan manufacturing | Plan the manufacturing schedule
5.5 | Factory | Manufacture | Make the goods
5.5 | Factory | Manufacture | Make the goods
5.6 | Administration | Support manufacturing | Resources are made available to carry out the above processes
6.1 | Advertising | Define objectives for promotion | The objectives of the processes for promoting sales are defined
6.2 | Advertising | Promote in-store | Promote goods in the retail stores through various offers
6.3 | Advertising | Promote to customers | Promote goods to resellers using offers
6.4 | Advertising | Advertise in papers | Advertise goods in newspapers and magazines
6.5 | Advertising | Advertise on TV | Advertise on television
6.6 | Administration | Support promotions | Resources are made available to carry out the above processes
7.1 | Logistics | Define objectives for supplying goods | The objectives of the processes for supplying goods are defined
7.2 | Logistics | Store goods | Store goods in warehouses at stages of the supply chain
7.3 | Logistics | Distribute goods | Distribute goods between factories, warehouses, stores and customers
7.4 | Administration | Support supply | Resources are made available to carry out the above processes
8.3 | Marketing | Sell to resellers | Sell goods to customers who will resell them
8.3 | Marketing | Sell to resellers | Sell goods to customers who will resell them
8.4 | Internet sales | Sell direct | Sell direct to the public, for example through the internet
8.4 | Internet sales | Sell direct | Sell direct to the public, for example through the internet
8.4 | Internet sales | Sell direct | Sell direct to the public, for example through the internet
8.5 | Administration | Support selling | Resources are made available to carry out the above processes
9.1 | Administration | Define objectives for supporting the organisation | The objectives of the processes for supporting the organisation are defined
9.2 | Management accounts | Prepare management accounts | Collect the data from processed transactions into accounts for management to make decisions
9.3 | Financial accounts | Prepare financial accounts | Collect the data from processed transactions into accounts for statutory or tax purposes
9.3 | Financial accounts | Prepare financial accounts | Collect the data from processed transactions into accounts for statutory or tax purposes
9.4 | Human resources | Provide staff | Recruit staff and manage staff policies
9.4 | Human resources | Provide staff | Recruit staff and manage staff policies
9.4 | Human resources | Provide staff | Recruit staff and manage staff policies
9.4 | Human resources | Provide staff | Recruit staff and manage staff policies
9.5 | Information systems | Provide systems | Provide systems, including computer systems, to support the organisation's operations
9.5 | Information systems | Provide systems | Provide systems, including computer systems, to support the organisation's operations
9.5 | Information systems | Provide systems | Provide systems, including computer systems, to support the organisation's operations
9.5 | Information systems | Provide systems | Provide systems, including computer systems, to support the organisation's operations
9.5 | Information systems | Provide systems | Provide systems, including computer systems, to support the organisation's operations
9.6.1 | Purchase accounting services | Process transactions - purchases | Receive invoices, obtain approval for payment, pay for goods and services
9.6.2 | Retail accounting services | Process transactions - retail sales | Receive cash and cash equivalents at the till, bank them and check all money is received
9.6.3 | Sales accounting services | Process transactions - wholesale sales | Carry out credit checks before goods are despatched, issue invoices and receive payment for goods
9.6.4 | Sales accounting services | Process transactions - direct sales | Process the credit card payments before authorising despatch of the goods
9.6.5 | Factory | Process transactions - manufacturing stock | Receive goods against the order, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock
9.6.6 | Logistics | Process transactions - wholesale stock | Receive goods from the factory, or supplier, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock
9.6.7 | Stock accounting services | Process transactions - store stock | Receive goods from the warehouse, update store stock records, sell the goods to customers, manage stock levels, minimise stock losses, account for stock
9.6.8 | Payroll accounting services | Process transactions - payroll | Receive details of employees, their salary and working hours. Calculate pay based on these, less deductions. Pay over deductions
9.6.9 | Expense accounting services | Process transactions - personal expenses | Personal expenses (for travelling) are claimed, authorised and paid
9.6.10 | Fixed asset accounting services | Process transactions - fixed assets | Receive invoice details. Decide on
whether to capitalise costs. Add
assets to register. Attach
depreciation data and calculate.
9.6.11 Cashiers
accounting
services
Process
transactions -
cash and bank
Receive cash transaction data for
purchases, sales, payroll, personal
expenses and other transactions.
Reconcile these to transactions
9.7 Company
Secretary
Provide legal
services
Advise all areas of the company
concerning action to be taken on
legislation
9.8 Taxation Provide tax
services
Advise all areas of the company
concerning action to be taken on tax
legislation
9.9 Quality Control Ensure quality Ensure all goods sold meet the
quality standards set by legislation
and the organisation
9.10 Health and
safety
Ensure health &
safety
Ensure the organisation complies
with legislation and good practice to
ensure the safety of staff and
customers
9.11 Health and
safety
Manage the
environment
Ensure the operations of the
organisation obey all environmental
laws and good practice
9.12 Security Ensure security The physical security of tangible
and intangible assets, and staff and
customers, is maintained at all
times to ensure the continued
operation of the organisation
9.12 Security Ensure security The physical security of tangible
and intangible assets, and staff and
customers, is maintained at all
times to ensure the continued
operation of the organisation
9.13 Public relations Communicate Inform internal and external
stakeholders of the organisation's
policies and intentions
9.14 Risk manager Manage risks Identify, evaluate and manage risks
down to the level considered
acceptable by the organisation
9.15 Treasury Manage the
assets
Ensure that assets of the
organisation, particularly cash, are
maintained at optimum levels to
achieve the objectives
David M Griffiths H Audit plan
9.15 Treasury Manage the
assets
Ensure that assets of the
organisation, particularly cash, are
maintained at optimum levels to
achieve the objectives
9.16 Administration Support the
support functions
Resources are made available to
carry out the above processes
David M Griffiths H Audit plan
David M Griffiths H Audit plan
Key risk to process Risk Source
Process
owner
Cons Like
Fail to stock goods which the
customers want to buy
Board risk workshop Merchandise
Director
5 5
Fraudulent credit cards used Finance Director interview Merchandise
Director
4 5
Fail to anticipate the
competitions' initiatives to take a
bigger market share
Board risk workshop Merchandise
Director
5 5
Poor service/quality of goods
leading to customer complaints
Board risk workshop Merchandise
Director
4 5
All staff, including the Board, fail
to maintain high ethical
standards, which undermine the
controls necessary to achieve the
organisation's objectives,
including that of ensuring
compliance with laws and
standards
Managing
Director
5 5
The objectives will not deliver the
organisation's objectives
effectively and efficiently
The objectives will not deliver the
organisation's objectives
effectively and efficiently
Board risk workshop Merchandise
Director
5 5
Prices are not competitive Board risk workshop Merchandise
Director
5 5
Store layout confuses customers Board risk workshop Merchandise
Director
4 4
Prices are incorrect Board risk workshop Merchandise
Director
4 5
No stock for customers to buy Board risk workshop Merchandise
Director
5 5
Higher minimum wage legislation
makes some stores unprofitable
Board risk workshop Merchandise
Director
5 5
Poor service/quality of goods
leading to customer complaints
Board risk workshop Merchandise
Director
5 5
Poor service/quality of goods
leading to customer complaints
Board risk workshop Marketing
Director
5 5
The strategy does not anticipate
customer demands
Managing
Director
5 5
Inherent risks
David M Griffiths H Audit plan
The strategy is too risk-averse Managing
Director
5 5
The objectives within the strategy
are not clearly defined, financially
justified or documented
Managing
Director
5 5
Staff do not understand the
objectives in relation to their own
jobs
Managing
Director
5 5
The action plan does not cover
all objectives and does not
consist of SMART targets
addressed to senior management
Managing
Director
5 5
The organisation has not got the
resources to deliver the strategy
Managing
Director
5 5
Major projects intended to deliver
the strategy are late and/or over
budget
Managing
Director
5 5
Internal and external influences
are not monitored to assess their
impact on the strategy
Managing
Director
5 5
The resources required are not
understood or are not sufficient
to deliver the strategy
5 5
The objectives will not deliver the
organisation's objectives
effectively and efficiently
The research does not identify
the most effective products for
achieving the objectives
The research does not identify
the most effective market
segments for achieving the
objectives
The research does not identify
the most effective customer
segments for achieving the
objectives
The research does not identify
the most effective locations for
achieving the objectives
The resources required are not
understood or are not sufficient
to deliver the strategy
The locations are not cost-
effective, have insufficient staff in
the vicinity and has poor
communications
David M Griffiths H Audit plan
The environment is not suitable
for a factory, insufficient trained
labour is available, property costs
are too high
The buildings are not suitable for
storing products, costs are too
high and labour is not available
The locations are not cost-
effective, have insufficient staff in
the vicinity and are not near our
target customers
Poor maintenance results in
injury to staff or customers
The resources required are not
understood are not sufficient to
deliver the strategy
The objectives will not deliver the
organisation's objectives
effectively and efficiently
The purchased items are
unsuitable, too expensive or
delivered late
A major supplier of a vital raw
material, not obtainable
elsewhere, is not able to deliver
Assets are not required, not
suitable or too expensive
Goods are not suitable, too
expensive or delivered late
Goods or services are not
suitable, too expensive or
delivered late
Minimum prices for utilities are
not negotiated
The resources required are not
understood or are not sufficient
to deliver the strategy
The objectives will not deliver the
organisation's objectives
effectively and efficiently
There is no market for the
product. The product is too
expensive to produce
The method of manufacturing
specified is inefficient
The schedule produces the
wrong goods at the wrong time
David M Griffiths H Audit plan
The goods are made inefficiently
New environmental legislation
makes manufacturing process
uneconomic
The resources required are not
understood or are not sufficient
The objectives will not deliver the
organisation's objectives
effectively and efficiently
Promotions do not make a profit
Promotions do not make a profit
Promotions do not make a profit
Promotions do not make a profit
The resources required are not
understood or are not sufficient
to deliver the strategy
The objectives will not deliver the
organisation's objectives
effectively and efficiently
Goods are damaged, or lost
A strike of fuel suppliers brings
transport in the UK to a stop
The resources required are not
understood or are not sufficient
to deliver the strategy
A major customer goes bankrupt Board risk workshop Marketing
Director
4 4
No stock for customers to buy Board risk workshop Marketing
Director
5 5
No stock for customers to buy Logistics Director
interview
Merchandise
Director
4 5
Internet sites unavailable Board risk workshop Merchandise
Director
4 5
Goods are lost Board risk workshop Merchandise
Director
4 5
The resources required are not
understood or are not sufficient
to deliver the strategy
Board risk workshop Merchandise
Director
5 5
The objectives will not deliver the
organisation's objectives
effectively and efficiently
Management accounts do not
provide timely information on
which to make decisions
Financial accounts are issued
which do not comply with UK law
David M Griffiths H Audit plan
The organisation is not prepared
for the International Accounting
Standards (IAS)
High-calibre staff are not
recruited and retained
Properly qualified staff are not
available to take vacancies
Staff are not properly trained
Staff successfully claim unfair
dismissal
A virus brings down all computer
systems for a week
Data is lost
Data or programs are corrupted
Major hardware failure
Major network failure
Payment is made where the
organisation has not received the
goods or services at the price
Cash taken at the till is not
banked
Goods are sold to customers who
cannot pay for them
Fail to pass transaction details to
the credit card company
Stock is incorrectly valued
Stock is incorrectly valued
Stock is incorrectly valued
David M Griffiths H Audit plan
Receive incorrect data from
stores on hours worked and new
employees
Expenses were not incurred
Revenue expenditure capitalised,
or capital expenditure put to
revenue
Differences not cleared
The impact of legislation is not
anticipated which results in
considerable costs
Schemes to minimise tax are not
used
Poor quality goods harms the
organisation's reputation
A failure in H & S occurs which
results in bad publicity and law
suits
An environmental disaster occurs
at one of the organisation's
premises
Confidential information is stolen
Offices are destroyed by fire
The London Stock Exchange is
given information which cannot
be substantiated
The external and internal risks
threatening the objectives, and
related processes, of the
organisation are not understood
Financial contracts are set up
which open the company to
significant losses
David M Griffiths H Audit plan
Working capital is not optimised
The resources required are not
understood or are not sufficient
to deliver the strategy
David M Griffiths H Audit plan
David M Griffiths H Audit plan
Score Response Cons Like Score Control
score
Audit
action
Audit
Group
25 treat 5 1 5 20 audit AO
20 treat 4 1 4 16 audit AU
25 treat 5 3 15 10 consultancy AO
20 treat 5 1 5 15 audit CF
25 5 2 10 15 D
0 0 0 K
25 treat 5 1 5 20 audit AN
25 treat 5 2 10 15 consultancy CE
16 treat 4 4 16 0 consultancy AP
20 treat 4 1 4 16 audit AQ
25 treat 5 1 5 20 audit AR
25 treat 5 4 20 5 consultancy AS
25 treat 5 1 5 20 audit CF
25 treat 5 1 5 20 audit CF
25 5 1 5 20 A
Inherent risks Residual risks
David M Griffiths H Audit plan
25 5 1 5 20 A
25 5 1 5 20 A
25 4 1 4 21 A
25 5 2 10 15 B
25 5 2 10 15 B
25 5 2 10 15 C
25 5 2 10 15 E
25 5 2 10 15
0 0 0 F
0 0 0 G
0 0 0 G
0 0 0 H
0 0 0 I
0 0 0 J
0 0 0 L
David M Griffiths H Audit plan
0 0 0 M
0 0 0 N
0 0 0 O
0 0 0 CE
0 0 0 P
0 0 0 Q
0 0 0 R
0 0 0 R
0 0 0 S
0 0 0 T
0 0 0 U
0 0 0 U
0 0 0 V
0 0 0 X
0 0 0 Y
0 0 0 Z
0 0 0 AA
David M Griffiths H Audit plan
0 0 0 AB
0 0 0 AC
0 0 0 AD
0 0 0 AE
0 0 0 AF
0 0 0 AG
0 0 0 BD
0 0 0 AH
0 0 0 AI
0 0 0 AJ
0 0 0 AK
0 0 0 AL
0 0 0 AM
16 transfer with
insurance
4 1 4 12 audit
insurance
cover
AT
25 treat 5 1 5 20 audit AR
20 treat 4 1 4 16 audit AR
20 tolerate 4 1 4 16 check
contingenc
y plans
AU
20 tolerate 4 1 4 16 audit AU
25 treat 5 3 15 10 consultancy AV
0 0 0 AW
0 0 0 AX
0 0 0 AY
David M Griffiths H Audit plan
0 0 0 Project
audit
0 0 0 AZ
0 0 0 BA
0 0 0 BB
0 0 0 BC
0 0 0 BE
0 0 0 BF
0 0 0 BG
0 0 0 BH
0 0 0 BI
0 0 0 BJ
0 0 0 BK
0 0 0 AT
0 0 0 AU
0 0 0 BL
0 0 0 BM
0 0 0 BN
David M Griffiths H Audit plan
0 0 0 BO
0 0 BP
0 0 0 BQ
0 0 0 BR
0 0 0 BS
0 0 0 BT
0 0 0 BU
0 0 0 BV
0 0 0 BW
0 0 0 BX
0 0 0 BY
0 0 0 BZ
0 0 0 CA
0 0 0 CB
David M Griffiths H Audit plan
0 0 0 CC
0 0 0 CD
If the audit budget shows days for
the audits due next year, then this
calculation will show if the
resources available are sufficient to
complete all of the audits.
If the audit budget shows only days for the audits due next year, then this calculation will show if the
resources available are sufficient to complete all of the audits.
David M Griffiths H Audit plan
David M Griffiths H Audit plan
Last audit
number
Last audit
name
Last audit
Budget
Last audit actual Last
timing
Last
auditor
Last final
report
Target
Market
anticipation
130 Internet sales 15 14 Mar-05 Heath 5-Apr-05
Market
anticipation
Complaints
procedures
203 Ethical
guidelines
20 23 2003 Smith 6/23/2003
210 Location
strategy
50 45 2004 Murphy 10/28/2004
Selling
strategy
Pricing policy
Store planning
Price file
maintenance
143 Stock control 20 22 Sep-06 Smith 1-Oct-04
Store
accounts
Complaints
procedures
Complaints
procedures
Organisation's
strategy
Last audit details
David M Griffiths H Audit plan
Organisation's
strategy
Organisation's
strategy
Organisation's
strategy
Delivery of
strategy
Delivery of
strategy
(Projects are
individually
audited)
Monitoring of
external
influences
(Carried out
within the
above audits)
Research
strategy
Product
research
Market
research
Market
research
Geographic
research
Research
resource
planning
Locating
offices
David M Griffiths H Audit plan
Locating
factories
Locating
warehouses
Locating
shops
Maintenance
of premises
Location
resource
planning
Purchasing
strategy
Purchasing for
manufacture
Purchasing for
manufacture
Purchase of
assets
Purchase of
goods for
resale
Purchase of
expense
goods and
services
Purchase of
expense
goods and
services
Purchase
resource
planning
Manufacturing
strategy
Product
design
Manufacturing
specification
Scheduling
manufacture
David M Griffiths H Audit plan
Production
accounting
Environmental
audit
Manufacturing
resource
Selling
strategy
Retail
promotions
Wholesale
promotions
Newspaper
advertising
TV advertising
Promotions
resource
planning
Supply
strategy
Warehouse
operations
Distribution
Supply
resource
planning
Accounts
receivable
Stock control
Stock control
Internet sales
Internet sales See above
Selling
resource
planning
Support
strategy
Management
accounting
Financial
accounting
David M Griffiths H Audit plan
Project - IAS
Recruitment
Succession
planning
Staff training
Staff policies
Virus checking
Back-up
procedures
Access
controls
IS contingency
plans -
hardware
IS contingency
plans -
communicatio
Accounts
Payable
Retail cash
takings
Accounts
receivable
See above
Internet sales See above
Manufacturing
stock
Wholesale
stock
Retail stock
David M Griffiths H Audit plan
Payroll
Personal
expenses
Fixed assets
Bank and cash
Provision of
legal services
Provision of
tax services
Quality control
Health and
safety
Environmental
Site security
Contingency
planning
Communicatio
ns
Risk
management
Treasury
David M Griffiths H Audit plan
Working
capital
Support
resource
planning
TOTAL 40,968
Available auditors
Weekdays
(auditors*52*5)
0
Holidays
If the audit budget shows days for
the audits due next year, then this
calculation will show if the
resources available are sufficient to
complete all of the audits.
If the audit budget shows only days for the audits due next year, then this calculation will show if the
resources available are sufficient to complete all of the audits.
David M Griffiths H Audit plan
Training
Projects
Secondments
Total available for
above audits
0
Surplus/deficit (40,968)
David M Griffiths H Audit plan
Final
report
achieved
Last result Audit plan
date
Next audit
number
Next audit name Next audit
budget
Next
timing
Next
auditor
201 Market
anticipation
20 Jan-06 Khan
5-Apr-05 Issues 2006 201 Internet sales 14 Oct-06 Heath
201 Market
anticipation
(see above)
207 Complaints
procedures
(see above)
6/28/2003 acceptable 2006 250 Ethical guidelines Q1 2005 Patel
10/28/2004 unacceptable 253 Location strategy
Jones
200 Selling strategy 10 Jan-06 Smith
202 Pricing policy 20 Feb-06 Heath
203 Store planning 15 Mar-06 Smith
204 Price file
maintenance
20 Apr-06 Heath
3-Oct-04 Acceptable 2006 205 Stock control 22 Sep-06 Khan
206 Store accounts 10 Jun-06 Smith
207 Complaints
procedures
30 Jul-06 Heath
207 Complaints
procedures
(see above)
Organisation's
strategy
Last audit details Next audit details
David M Griffiths H Audit plan
Organisation's
strategy
Organisation's
strategy
Organisation's
strategy
Delivery of
strategy
Delivery of
strategy
(Projects are
individually
audited)
Monitoring of
external
influences
(Carried out
within the above
audits)
Research
strategy
Product research
Market research
Market research
Geographic
research
Research
resource
planning
Locating offices
David M Griffiths H Audit plan
Locating factories
Locating
warehouses
Locating shops
Maintenance of
premises
Location
resource
planning
Purchasing
strategy
Purchasing for
manufacture
Purchasing for
manufacture
Purchase of
assets
Purchase of
goods for resale
Purchase of
expense goods
and services
Purchase of
expense goods
and services
Purchase
resource
planning
Manufacturing
strategy
Product design
Manufacturing
specification
Scheduling
manufacture
David M Griffiths H Audit plan
Production
accounting
Environmental
audit
Manufacturing
resource
Selling strategy
Retail promotions
Wholesale
promotions
Newspaper
advertising
TV advertising
Promotions
resource
planning
Supply strategy
Warehouse
operations
Distribution
Supply resource
planning
Accounts
receivable
10 Aug-06 Khan
Stock control 20 Oct-06 Smith
Stock control
Internet sales
Internet sales
Selling resource
planning
Support strategy
Management
accounting
Financial
accounting
David M Griffiths H Audit plan
Project - IAS
Recruitment
Succession
planning
Staff training
Staff policies
Virus checking
Back-up
procedures
Access controls
IS contingency
plans - hardware
IS contingency
plans -
communications
Accounts
Payable
Retail cash
takings
Accounts
receivable
Internet sales
Manufacturing
stock
Wholesale stock
Retail stock
David M Griffiths H Audit plan
Payroll
Personal
expenses
Fixed assets
Bank and cash
Provision of legal
services
Provision of tax
services
Quality control
Health and safety
Environmental
Site security
Contingency
planning
Communications
Risk
management
Treasury
David M Griffiths H Audit plan
Working capital
Support resource
planning
TOTAL 191
Available
auditors
3
Weekdays
(auditors*52*5)
780
Holidays 75
Training 15
Projects 100
Secondments 100
Total available
for above audits
490
Surplus/deficit 299
If the audit budget shows only days for the audits due next year, then this calculation will show if the
David M Griffiths H Audit plan
David M Griffiths H Audit plan
Status Next final
report
Target
Next final
report
Achieved
2006
opinion on
risk
To start 18-Feb-06
To start TBA
To start
To start 8/20/2005
To start 18-Jan-06
To start 27-Feb-06
To start 24-Mar-06
To start TBA
To start TBA
To start TBA
To start TBA
Next audit details
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
To start TBA
To start TBA
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
David M Griffiths H Audit plan
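The arithmetic behind the table above (score = consequence x likelihood, control score = inherent less residual) and the capacity calculation are simple enough to check mechanically, and the page's own completeness rule (every risk must be assigned to an audit) is the check most worth automating. The following is an added example, not part of the workbook or the book: the row layout, the risk-appetite threshold used to split "audit" from "consultancy", and the unassigned sample row are assumptions; the other sample rows and the capacity figures are copied from the table.

```python
"""Consistency and capacity checks for a risk and audit universe (RAU) laid out
like Appendix H.  Added example; not part of the workbook.  The row layout, the
risk-appetite threshold and the last sample row are assumptions for illustration;
the other sample figures are taken from the rows and totals shown above."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RiskRow:
    risk: str
    inh_cons: int                 # inherent consequence, scored 1-5
    inh_like: int                 # inherent likelihood, scored 1-5
    response: Optional[str]       # treat / tolerate / transfer, or None if not yet decided
    res_cons: int                 # residual consequence after controls
    res_like: int                 # residual likelihood after controls
    audit_group: Optional[str]    # audit that will check the controls; None = unassigned

    @property
    def inherent(self) -> int:
        return self.inh_cons * self.inh_like

    @property
    def residual(self) -> int:
        return self.res_cons * self.res_like

    @property
    def control_score(self) -> int:
        # The sheet's "Control score" column: how much the controls reduce the score.
        return self.inherent - self.residual


RISK_APPETITE = 9   # assumption: a residual score above this is not yet acceptable


def audit_action(row: RiskRow) -> str:
    """Assumed rule that reproduces the sheet's "treat" rows: a residual score within
    appetite gets assurance work ("audit" the controls); one above appetite gets
    "consultancy" to help management reduce it further."""
    return "audit" if row.residual <= RISK_APPETITE else "consultancy"


def check_row(row: RiskRow) -> list:
    """Return the problems an auditor would want flagged before relying on the plan."""
    issues = []
    for name in ("inh_cons", "inh_like", "res_cons", "res_like"):
        if not 1 <= getattr(row, name) <= 5:
            issues.append(f"{name} outside the 1-5 scale")
    if row.residual > row.inherent:
        issues.append("residual score exceeds inherent score: controls cannot add risk")
    if row.response is None:
        issues.append("no risk response recorded")
    if row.audit_group is None:
        issues.append("risk not assigned to any audit (universe incomplete)")
    return issues


def audit_days_available(auditors: int, holidays: int, training: int,
                         projects: int, secondments: int) -> int:
    """The sheet's capacity calculation: weekdays = auditors * 52 * 5, less the
    days not available for audits."""
    return auditors * 52 * 5 - holidays - training - projects - secondments


def plan_surplus(next_audit_budgets, available_days: int) -> int:
    """Surplus (positive) or deficit (negative) of days against next year's plan."""
    return available_days - sum(next_audit_budgets)


# Sample rows: the first three are taken from the table above; the last is a
# constructed row with no audit assigned.
SAMPLE_ROWS = [
    RiskRow("Fail to stock goods which the customers want to buy", 5, 5, "treat", 5, 1, "AO"),
    RiskRow("Store layout confuses customers", 4, 4, "treat", 4, 4, "AP"),
    RiskRow("The strategy does not anticipate customer demands", 5, 5, None, 5, 1, "A"),
    RiskRow("Constructed: unassigned risk", 3, 2, "treat", 3, 1, None),
]
# Next-audit budgets (days) for the audits scheduled in the table above.
NEXT_AUDIT_BUDGETS = [20, 14, 10, 20, 15, 20, 22, 10, 30, 10, 20]


def plan_report(rows=SAMPLE_ROWS, budgets=NEXT_AUDIT_BUDGETS) -> dict:
    """Actions, flagged rows and capacity for one planning run."""
    available = audit_days_available(auditors=3, holidays=75, training=15,
                                     projects=100, secondments=100)
    return {
        "actions": {r.risk: audit_action(r) for r in rows},
        "issues": {r.risk: check_row(r) for r in rows if check_row(r)},
        "available_days": available,
        "surplus": plan_surplus(budgets, available),
    }


if __name__ == "__main__":
    for key, value in plan_report().items():
        print(key, value)
```

Run as a script it reproduces the sheet's 490 available days and 299-day surplus, flags the strategy row for having no response recorded and the constructed row for having no audit, and classifies the "Store layout" row (residual 16) as consultancy, as the sheet does.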
Appendix I
Process map - purchases: level 2 and 3 processes (labels recovered from the diagram; the level 3 lists follow the numbering used in Appendix J)

Level 2 (Purchase): Define objectives; Purchase raw materials; Purchase assets; Purchase finished goods; Purchase expense goods; Support

Level 3 under Define objectives: Decide strategy; Maintain strategy; Deliver strategy; Communicate strategy

Level 3 under each purchase process: Set up items; Set up vendors; Requisition goods and services; Place order; Receive goods; Return goods; Process transactions

Level 3 under Support: Define objectives; Support strategy; Support purchase raw materials; Support purchase assets; Support purchase finished goods; Support purchase expense goods; Prepare financial accounts; Prepare management accounts; Provide systems; Provide staff; Provide legal services; Provide tax services; Ensure quality; Ensure health & safety; Manage the environment; Ensure security; Communicate
Appendix J
Audit database
Ref Process Process Description Risk to process IRC IRL IRS Example control Example monitoring Tests Ref RRC RRL RRS Cont
score
Issue Action By whom Conclusion
Controls
Conclusion
Action
Conclusion
Monitoring
Report
ref
Follow-up
Risks
Follow-up
Controls
Follow-up
Action
Follow-up
Monitoring
4.5 Purchase expense
goods
Purchase goods and services for the organisation (Summary level)
4.5.1 Define objectives Define the strategy for expense purchases,
communicate and deliver it
(Summary level)
4.5.1.1 Define the strategy for
expense purchasing
Set down targets for the year(s) ahead, for example,
meeting the budget, improving staff efficiency, handling
more orders
The strategy does not maximise efficiency and
effectiveness and is not consistent with the organisation's
strategy
The strategy for purchasing expense goods and services is
updated each year, prior to setting targets and budgets for
the areas concerned. These targets and budgets are
approved by management finance.
Directors check the strategy for
departments under their control. The
overall budget is approved by the board
Examine the latest strategy document
4.5.1.1 Define the strategy for
expense purchasing
Set down targets for the year(s) ahead, for example,
meeting the budget, improving staff efficiency, handling
more orders
The strategy has not been updated The strategy for purchasing expense goods and services is
updated each year, prior to setting targets and budgets for
the areas concerned
Directors check the strategy for
departments under their control
Examine the latest strategy document. Check that the
budget forms part of the organisation's overall budget.
Examine variances for the current year and ensure
adequate explanations have been made for excessive 4.5.1.2 Communicate the strategy Inform the staff about the targets Staff are unaware of the strategy Staff are briefed by their managers The strategy is available on notice boards
and the intranet
Ask staff to confirm they have been briefed. Determine the
date of the briefing and attendees
4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver the
strategy
No action plan exists to deliver the strategy An action plan to deliver the strategy is part of the budgeting
process
Directors check the action plan for
departments under their control
Examine the action plan Check for progress to implement it.
4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver the
strategy
The strategy is not built into individuals' targets Individuals are given their targets based on those of the
department
Directors, or senior managers, check the
staff targets for departments under their
control
Examine staff targets for a selection of staff
4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver the
strategy
Any member of staff can authorise the purchase of any
goods or services
Rights to place requisitions and orders are in a written
policy
The policy is checked every year to
ensure it is correct
Examine the policy. Check it is up-to-date, appropriate staff
have a copy and know how to use it. As part of other tests,
ensure adherence to the policy
4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver the
strategy
Any member of staff can requisition any goods or services Rights to authorise requisitions and orders are in a written
policy
The policy is checked every year to
ensure it is correct
Examine the policy. Check it is up-to-date, appropriate staff
have a copy and know how to use it. As part of other tests,
ensure adherence to the policy
4.5.2 Set up Suppliers Set up new Suppliers on the computer system, or modify
existing details. Includes addresses and payment terms
Supplier details are not correctly input/modified Details of all changes to the Supplier master file are printed
on a report which is checked to supporting documentation
by staff who are not involved in changing Supplier details
Details of Suppliers and the amount
spent with them are printed out every six
months for authorisation by the
Purchasing Director
Check individual reports over the last six months for
evidence of checking. Observe the process in action.
4.5.2 Set up Suppliers Set up new Suppliers on the computer system, or modify
existing details. Includes addresses and payment terms
False Suppliers are set up and paid Details of all changes to the Supplier master file are printed
on a report which is checked to supporting documentation
by staff who are not involved in changing Supplier details
Details of Suppliers and the amount
spent with them are printed out every six
months for authorisation by the
Purchasing Director
Check individual reports over the last six months for
evidence of checking. Observe the process in action.
4.5.2 Set up Suppliers Set up new Suppliers on the computer system, or modify
existing details. Includes addresses and payment terms
No settlement discount, or other discounts, are negotiated Details of all changes to the Supplier master file are printed
on a report which is checked to supporting documentation
by staff who are not involved in changing Supplier details
Details of Suppliers and the amount
spent with them are printed out every six
months for authorisation by the
Purchasing Director
Check individual reports over the last six months for
evidence of checking. Observe the process in action.
4.5.4 Departments requisition
goods/services
Raise a request (may be on the computer system, but
could be an e-mail or manual form) for goods or services
to be ordered
Expense goods/services requested are not needed or are
not for the benefit of the company
Requisitions are authorised by an appropriate manager Budgets are maintained for all expenses
with monthly monitoring against actual
Observe the procedure for electronically authorising
requisitions. If possible, have the computer controls checked
by a competent auditor.
4.5.4 Departments requisition
goods/services
Raise a request (may be on the computer system, but
could be an e-mail or manual form) for goods or services
to be ordered
Details on the requisition are incorrect Requisitions are authorised by an appropriate manager Budgets are maintained for all expenses
with monthly monitoring against actual
Observe the procedure for electronically authorising
requisitions. If possible, have the computer controls checked
by a competent auditor.
4.5.5 Purchasing order raised for
goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new Supplier
The order is incorrect, that is does not agree to the
approved requisition
Confirmation is required on the order screen before the
order is sent or printed
The requisitioner will query any difference Observe the process and try submitting without confirmation
4.5.5 Purchasing order raised for
goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new Supplier
The price on the order does not give the organisation
maximum value
The order is placed by trained purchasing staff using prices
on the computer, or negotiated with the supplier.
Budgets are maintained for all expenses
with monthly monitoring against actual
Examine a report which shows the access rights of each
person in purchasing and payables. Confirm that proper
division of duties exists.
4.5.5 Purchasing order raised for
goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new Supplier
Orders are placed with suppliers who do not provide best
value (quality/price/delivery)
Orders can only be placed with suppliers previously set up
on the computer
Half-yearly report listing suppliers and
spend which is approved by the
Purchasing Director
Examine the input of orders. Try and set up a new supplier
from the order screen
4.5.5 Purchasing order raised for
goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new Supplier
Orders are placed late Computer report showing requisitions not turned into orders
within 2 days is checked by the supervisor
Requistioners will complain if orders are
received late
Examine this report for items older than 2 days
4.5.5 Purchasing order raised for
goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new Supplier
Orders have incorrect account codes input The requisitioner supplies the codes. The computer checks
these exist but cannot check if they are correct.
Budget holders check their expenses
each month for incorrect items
Examine accounts journals and other documentation used
to correct coding errors to judge how frequent they are
4.5.5 Purchasing order raised for
goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new Supplier
Orders are placed for goods not required, without
approved requisitions
All orders have to be placed through the computer. Orders
can only be raised by purchasing staff. Orders without
requisitions must be approved by a senior manager
Budget holders check their expenses
each month for incorrect items
Check access to order screens is limited to approved
purchasing staff. Check orders raised without approved
requisitions are approved
4.5.6 Goods/services received.
Quantity received input
Receive the goods and services ordered. Goods may be
received at a central location, and their receipt keyed into
the computer. Some type of confirmation should be
required for the receipt of services
Goods/services vital to the organisation's operation
become unavailable or too expensive
If possible, have two, or more, sources of supply. Hold
sufficient stocks of vital spares. Have contingency plans for
failure of vital supplies
Check for the existence of recent, tested contingency plans
4.5.6 Goods/services received.
Quantity received input
Receive the goods and services ordered. Goods may be
received at a central location, and their receipt keyed into
the computer. Some type of confirmation should be
required for the receipt of services
Quantities, or service, is not what was ordered Computer report showing where quantities received differ
from the order
Requisitioners should complain if the
goods/services differ from the order
Examine this report and check on the action taken. Note
items which may be old and uncorrected
4.5.6 Goods/services received.
Quantity received input
Receive the goods and services ordered. Goods may be
received at a central location, and their receipt keyed into
the computer. Some type of confirmation should be
required for the receipt of services
Quantities incorrectly input The computer warns if the quantity received is different
from that ordered
Requisitioners should complain if the
goods/services differ from the order
Observe the process and try submitting a different quantity
4.5.6 Goods/services received.
Quantity received input
Receive the goods and services ordered. Goods may be
received at a central location, and their receipt keyed into
the computer. Some type of confirmation should be
required for the receipt of services
Stock records (for example engineers' spares) not
updated
Automatic update with exception reports where this has not
occurred
Periodic physical checks to stock
records
Check a sample of items received through to the stock
system
4.5.6 Goods/services received.
Quantity received input
Receive the goods and services ordered. Goods may be
received at a central location, and their receipt keyed into
the computer. Some type of confirmation should be
required for the receipt of services
Receipt details input when no goods or services have
been received
Division of duties between requisitioners, purchasing staff
and receivers
Budget holders check their expenses
each month for incorrect items
Examine a report which shows the access rights of each
person in purchasing and payables. Confirm that proper
division of duties exists.
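The division-of-duties test above (examine a report of access rights and confirm proper division exists) can be automated once the access report is available in machine-readable form. The Python below is an added example, not code from the book or from any named purchasing system: it encodes the conflict rules this register states (requisitioners, purchasing staff and receivers are separate; payments are generated only by staff with no order, invoice or supplier master data input; an order clerk should not be able to set up a supplier) and runs them over a constructed access report. The right names and the sample users are assumptions.

```python
"""Division-of-duties check over an access-rights report.

Added example, not the book's own tool. The access report is modelled as a
mapping from user to the set of rights they hold in the purchasing and
payables system; the right names and the sample users are assumptions.
"""

# Right names are assumptions; map them to whatever the real report uses.
REQUISITION = "requisition_input"
ORDER = "order_input"
RECEIPT = "receipt_input"
INVOICE = "invoice_input"
SUPPLIER_MASTER = "supplier_master_input"
PAYMENT = "payment_generation"

# Pairs of rights one person must not hold together, taken from the controls
# in this register: requisitioning, ordering and receiving are divided;
# payments are generated only by staff with no order, invoice or supplier
# master data input; an order clerk must not be able to set up a supplier.
CONFLICTS = [
    (REQUISITION, ORDER),
    (REQUISITION, RECEIPT),
    (ORDER, RECEIPT),
    (ORDER, SUPPLIER_MASTER),
    (PAYMENT, ORDER),
    (PAYMENT, INVOICE),
    (PAYMENT, SUPPLIER_MASTER),
]

# Constructed access report (sample data, not real staff).
ACCESS_REPORT = {
    "alice": {REQUISITION},
    "bob": {ORDER},
    "carol": {RECEIPT},
    "dave": {INVOICE},
    "erin": {PAYMENT},
    "frank": {ORDER, RECEIPT},            # could order and "receive" goods never delivered
    "grace": {PAYMENT, SUPPLIER_MASTER},  # could set up a supplier and pay it
    "heidi": {ORDER, SUPPLIER_MASTER},    # the "new supplier from the order screen" case
}


def sod_violations(access_report):
    """Return (user, right_a, right_b) for every conflicting pair a user holds."""
    found = []
    for user, rights in sorted(access_report.items()):
        for a, b in CONFLICTS:
            if a in rights and b in rights:
                found.append((user, a, b))
    return found


def payment_staff_are_clean(access_report):
    """True when nobody who can generate payments also holds an input right."""
    input_rights = {ORDER, INVOICE, SUPPLIER_MASTER}
    return all(
        not (rights & input_rights)
        for rights in access_report.values()
        if PAYMENT in rights
    )


if __name__ == "__main__":
    for user, a, b in sod_violations(ACCESS_REPORT):
        print(f"{user}: holds both {a} and {b}")
    print("payment staff clean:", payment_staff_are_clean(ACCESS_REPORT))
```

The output is the list an auditor would take back to management: each line names one person and one incompatible pair, so a finding can be matched to a specific access change rather than a general complaint about segregation.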
4.5.6 Goods/services received.
Date of receipt input
Receive the goods and services ordered. Goods may be
received at a central location, and their receipt keyed into
the computer. Some type of confirmation should be
required for the receipt of services
Quality is not up to standard Responsibility of the person receiving the goods/services to
complain of poor quality to the ordering department
No formal monitoring Ask a sample of staff their opinions on the quality of goods
received
4.5.6 Goods/services received.
Date of receipt input
Receive the goods and services ordered. Goods may be
received at a central location, and their receipt keyed into
the computer. Some type of confirmation should be
required for the receipt of services
Goods are lost All goods are received at one, secure, location, which
inputs their receipt against the order
Requisitioner will complain if goods are
not received
Visit the receiving area. Check security and observe the
receipt of goods.
4.5.7 Goods/services returned If the goods are not those ordered, are damaged, or too
many are delivered, they will be returned to the Supplier. If
they are found to be faulty after the processing of an
invoice, or payment, a credit note will be required
Credit is not obtained from the supplier Goods can only be returned on the authority of the buyer,
who raises a "Goods Return Note". One copy goes with the
goods, the other is keyed into the computer as a debit note.
This automatically reduces the next payment.
Requisitioner will complain if credit is not
received
Take a sample of Goods Returned Notes and check that the
correct credit has been received
4.5.8 Support purchasing of
expenses
(Summary level)
4.5.8.1 Define objectives for
supporting expense
purchasing
Define the strategy Set down targets for the year(s) ahead, for example,
meeting the budget, improving staff efficiency, handling
more orders
The strategy has not been updated The strategy for purchasing expense goods and services is
updated each year, prior to setting targets and budgets for
the areas concerned
Directors check the strategy for
departments under their control
Examine the latest strategy document
Communicate the strategy Inform the staff about the targets Staff are unaware of the strategy Staff are briefed by their managers The strategy is available on notice boards
and the intranet
Ask staff to confirm they have been briefed. Determine the
date of the briefing and attendees
Deliver the strategy Form an action plan, with the staff involved, to deliver the
strategy
No action plan exists to deliver the strategy An action plan to deliver the strategy is part of the budgeting
process
Directors check the action plan for
departments under their control
Examine the action plan
Deliver the strategy Form an action plan, with the staff involved, to deliver the
strategy
The strategy is not built into individuals' targets Individuals are given their targets based on those of the
department
Directors, or senior managers, check the
staff targets for departments under their
control
Examine staff targets for a selection of staff
Deliver the strategy Form an action plan, with the staff involved, to deliver the
strategy
No limitation is set on the authority of staff to commit the
organisation
Rights to place requisitions and orders are in a written
policy
The policy is checked every year to
ensure it is correct
Examine the policy. Check it is up-to-date, appropriate staff
have a copy and know how to use it. As part of other tests,
ensure adherence to the policy
Deliver the strategy Form an action plan, with the staff involved, to deliver the
strategy
No limitation is set on the authority of staff to commit the
organisation
Rights to authorise requisitions and orders are in a written
policy
The policy is checked every year to
ensure it is correct
Examine the policy. Check it is up-to-date, appropriate staff
have a copy and know how to use it. As part of other tests,
ensure adherence to the policy
4.5.8.2 Process transactions Process transactions resulting from the purchase of
expenses
Transactions are not processed completely and accurately
4.5.8.2.
1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by
Invoice input against incorrect supplier Most invoices are input against an order and the supplier
details are checked. If no order exists there is no control
The supplier will send a reminder to pay
4.5.8.2.
1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by
Incorrect values input Where the invoice is matched to an order, an exception
report is produced for invoices not matching and these are
held until purchasing approve the difference. Invoices
without orders are batch totalled
Monthly check, by management, of the
report showing invoices held in query.
Follow-up of invoices over one month old
4.5.8.2.
1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by
Invoices are input twice Where the invoice is matched to an order the computer will
not allow the input of another invoice. Invoices are stamped
"input"
4.5.8.2.
1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by
Duplicate invoices are input Where the invoice is matched to an order the computer will
not allow the input of another invoice. If copy invoices are
received, where no orders exist, they are checked to the
supplier account before processing. The computer will not
accept duplicate invoices
4.5.8.2.
1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by
Invoice input where no goods or services have been
received.
Most invoices are matched against approved orders. Other
invoices must be approved by a senior manager and
accountant, who writes the account code on. Invoices can
only be paid to suppliers set up on the system, for which
separate checks apply. Duties are split between staff.
Budget holders check their expenses
each month for incorrect items
4.5.8.2.
1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by
The tax analysis of invoices is incorrect, for example
"Business entertainment"
All purchasing and transaction processing staff have
specific training on the analysis of Value added tax (VAT).
Detailed guidelines are available. The computer checks for
incorrect calculations
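The invoice-input risks above (incorrect values input, invoices input twice, duplicate invoices, invoices where no goods or services have been received) are all handled by the same matching step. The Python below is an added example, not code from the book or from any real accounts payable system: it matches each invoice to its order and receipt for quantity and price, holds an invoice outside a pre-defined tolerance for purchasing to approve, rejects a second invoice against an already-invoiced order or a repeated supplier invoice number, holds invoices with no order or no receipt, and produces the monthly "invoices held in query" report with items over one month old first. The data classes, the 2% tolerance and the sample invoices are assumptions.

```python
"""Invoice input controls: order/receipt matching, tolerance, duplicates.

Added example, not code from the book or any named system. Field names,
the 2% tolerance and all sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Order:
    number: str
    supplier: str
    quantity: int
    unit_price: float


@dataclass
class Receipt:
    order_number: str
    quantity: int


@dataclass
class Invoice:
    supplier: str
    invoice_number: str
    order_number: Optional[str]   # None for invoices received without an order
    quantity: int
    unit_price: float
    received: date


class InvoiceInput:
    """Applies the input-stage controls to each invoice and keeps the query list."""

    def __init__(self, orders, receipts, tolerance=0.02):
        self.orders: Dict[str, Order] = {o.number: o for o in orders}
        self.receipts: Dict[str, Receipt] = {r.order_number: r for r in receipts}
        self.tolerance = tolerance                    # fraction of matched value
        self.seen: Set[Tuple[str, str]] = set()       # (supplier, invoice number)
        self.invoiced_orders: Set[str] = set()        # orders already carrying an invoice
        self.held: List[Tuple[Invoice, str]] = []     # invoices held in query

    def input_invoice(self, inv: Invoice) -> str:
        key = (inv.supplier, inv.invoice_number)
        if key in self.seen:                          # same invoice keyed twice
            return "rejected: duplicate invoice"
        if inv.order_number is None:                  # no order to match: manual approval
            self.seen.add(key)
            self.held.append((inv, "no order"))
            return "held: no order"
        if inv.order_number in self.invoiced_orders:  # second invoice on one order
            return "rejected: order already invoiced"
        order = self.orders.get(inv.order_number)
        if order is None or order.supplier != inv.supplier:
            return "rejected: order not found for supplier"
        receipt = self.receipts.get(inv.order_number)
        if receipt is None:                           # goods/services not yet receipted
            self.seen.add(key)
            self.held.append((inv, "no receipt"))
            return "held: no receipt"
        expected = receipt.quantity * order.unit_price
        actual = inv.quantity * inv.unit_price
        self.seen.add(key)
        self.invoiced_orders.add(inv.order_number)
        if abs(actual - expected) > self.tolerance * expected:
            self.held.append((inv, f"value {actual:.2f} vs matched {expected:.2f}"))
            return "held: outside tolerance"
        return "matched"

    def held_report(self, today: date, min_days: int = 30):
        """Invoices held in query for at least min_days, oldest first."""
        rows = [(inv.supplier, inv.invoice_number, (today - inv.received).days, why)
                for inv, why in self.held if (today - inv.received).days >= min_days]
        return sorted(rows, key=lambda r: -r[2])


def run_example():
    """Process a constructed batch of invoices; returns (statuses, held report)."""
    orders = [Order("PO1", "Acme", 10, 5.00), Order("PO2", "Acme", 4, 100.00),
              Order("PO3", "Bolt", 20, 1.50)]
    receipts = [Receipt("PO1", 10), Receipt("PO2", 4)]   # PO3 not yet received
    invoices = [
        Invoice("Acme", "A-1", "PO1", 10, 5.00, date(2006, 1, 2)),     # clean match
        Invoice("Acme", "A-2", "PO2", 4, 120.00, date(2005, 11, 20)),  # price 20% high
        Invoice("Acme", "A-1", "PO1", 10, 5.00, date(2006, 1, 10)),    # keyed twice
        Invoice("Acme", "A-3", "PO1", 10, 5.00, date(2006, 1, 11)),    # copy on same order
        Invoice("Bolt", "B-7", "PO3", 20, 1.50, date(2005, 12, 1)),    # nothing receipted
        Invoice("Cater", "C-9", None, 1, 250.00, date(2005, 12, 20)),  # no order at all
        Invoice("Bolt", "B-8", "PO9", 1, 9.99, date(2006, 1, 12)),     # unknown order
    ]
    control = InvoiceInput(orders, receipts)
    statuses = [control.input_invoice(inv) for inv in invoices]
    return statuses, control.held_report(date(2006, 1, 15))


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

The held report is the artefact the register's monitoring control relies on: management review it monthly and follow up anything over one month old, so an auditor testing this control would compare the system's own report against an independent re-run of the same logic over the period's invoices.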
4.5.8.2 Purchasing expenses -
Invoice filed
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by
Invoices are not filed and microfiched Invoices are sequentially numbered on input. When
microfiching, the continuity of these numbers is checked
4.5.8.2 Purchasing expenses - no
invoice payment, for
example tax
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by
Incorrect payments may be made
4.5.8.2 Purchasing expenses -
payment
The computer automatically schedules payments
depending on the terms set for each Supplier. Payments
may be made by electronic funds transfer (home and
foreign) or cheque. Non-invoice payments (for example
payments of tax) may be made by entering details
Computer payment is made for goods or services which
have not been received
Computer payments can only be made against invoices
matched to orders, or authorised invoices. Payments can
only be generated by staff who do not have access to order,
invoice or Supplier master data input
4.5.8.2 Purchasing expenses -
payment
The computer automatically schedules payments
depending on the terms set for each Supplier. Payments
may be made by electronic funds transfer (home and
foreign) or cheque. Non-invoice payments (for example
payments of tax) may be made by entering details
Incorrect settlement discount is taken
4.5.8.2 Purchasing expenses -
payment
The computer automatically schedules payments
depending on the terms set for each Supplier. Payments
may be made by electronic funds transfer (home and
foreign) or cheque. Non-invoice payments (for example
payments of tax) may be made by entering details
Payment is not made on the due date Payment terms are set up on the supplier account. They
can only be changed on written instructions from a buyer
Payment terms are checked by buyers
every 6 months
4.5.8.2 Purchasing expenses -
payment
The computer automatically schedules payments
depending on the terms set for each Supplier. Payments
may be made by electronic funds transfer (home and
foreign) or cheque. Non-invoice payments (for example
payments of tax) may be made by entering details
Computer payment is made for goods or services which
have not been received
Manual cheques must be supported by invoices and are
signed by two directors
David MGriffiths J Expense purchases database
4.5.8.2 Purchasing expenses -
payment
The computer automatically schedules payments
depending on the terms set for each Supplier. Payments
may be made by electronic funds transfer (home and
foreign) or cheque. Non-invoice payments (for example
payments of tax) may be made by entering details
Manual payments made are fraudulent Cheques are kept in a locked cupboard to prevent theft and
subsequent forgery. Overseas payment instructions are
signed by two directors. The bank has instructions to
telephone the Chief Financial Officer if payments are over
an agreed amount.
Bank reconciliation will detect payments
made not correctly entered in the books
of account
4.5.8.2 Purchasing expenses -
payment
The computer automatically schedules payments
depending on the terms set for each Supplier. Payments
may be made by electronic funds transfer (home and
foreign) or cheque. Non-invoice payments (for example
payments of tax) may be made by entering details
Cheques are altered or forged Cheque signing signatures are embossed. Cheques are
printed by specialist printers with the latest security features
Bank reconciliation will detect payments
made not correctly entered in the books
of account
4.5.8.2 Purchasing expenses -
payment
The computer automatically schedules payments
depending on the terms set for each Supplier. Payments
may be made by electronic funds transfer (home and
foreign) or cheque. Non-invoice payments (for example
payments of tax) may be made by entering details
The payment output file is altered. (This file holds payment
data to be transmitted to the bank, or used to print
cheques)
Access controls on the computer to prevent alteration Exception reports, checked by
management, which detail exceptional
alterations to files
Obtain details of those staff with access to the computer
files. They should only be senior IT staff with no access to
accounting systems
4.5.8.2 Purchase expense invoices
/ credit notes posted to
accounts
Invoices and payments are posted to the general (nominal)
ledger in the same accounting period
Invoice / credit notes are posted to incorrect accounts Invoices are posted to the account set up on the requisition.
The computer verifies that these exist and prevents certain
combinations of cost centre and nominal codes
Budget holders check their expenses
each month for incorrect items. Plus
Financial Accounts check balances to
the previous month's and investigate
significant discrepancies
4.5.8.2 Accounts Payable month-
end processes
In order to compile month-end accounts, the value of
goods received not invoiced is calculated by the computer,
from unmatched receipts. Checks are made to ensure all
services received, but not invoiced, are also accrued. To
ensure details have been corr
Accruals not calculated The value of all goods received not invoiced is calculated by
the computer
Comparison made with previous month's
figure. Major differences investigated
4.5.8.2 Accounts Payable month-
end processes
In order to compile month-end accounts, the value of
goods received not invoiced is calculated by the computer,
from unmatched receipts. Checks are made to ensure all
services received, but not invoiced, are also accrued. To
ensure details have been corr
Accruals not calculated correctly In major expense service functions (for example
advertising) managers must detail services provided which
have not been invoiced
Major variances from budget are
investigated
4.5.8.2 Accounts Payable month-
end processes
In order to compile month-end accounts, the value of
goods received not invoiced is calculated by the computer,
from unmatched receipts. Checks are made to ensure all
services received, but not invoiced, are also accrued. To
ensure details have been corr
Accounts payable ledger total does not represent all
liabilities
Total of supplier balances reconciled to Accounts Payable
control account in the General ledger
Reconciliation is signed by a senior
manager
4.5.8.2 Manage the accounts
payable ledger
Ensure the accounts payable ledger is correctly updated,
properly represents amounts owed to creditors and is
correctly included in the accounts of the organisation
Accounts payable ledger total does not represent all
liabilities
Sample check reconciliation of Supplier statements to the
Accounts Payable balance
The check is noted and scrutinised by a
senior manager at month-end
4.5.8.2 Manage the accounts
payable ledger
Ensure the accounts payable ledger is correctly updated,
properly represents amounts owed to creditors and is
correctly included in the accounts of the organisation
Supplier with a debit balance, due to credits issued, goes
out of business
Exception report highlighting large debit balances. Payment
stop put on the account. Systems in place to request
repayment of the amount owing
Management scrutiny of large debit
balances each month, with a progress
report on their recovery
4.5.8.3 Provide systems Provide systems, including computer systems to support
the organisation's operations
(Summary level) n/a
4.5.8.3.
1
Maintain central systems The proper operation of applications is maintained by a
central IT department
Data lost through main computer failure, systems
unavailable for a prolonged period
Range of controls maintained by the IT department Users monitor their output, such as
reconciling the accounts payable
balance with the general ledger
Covered by audits of the IT processes
4.5.8.3.
2
Maintain user systems Users set up their own computer systems (for example
spreadsheets) to produce data
User-maintained systems lose data Data is kept on the network which is backed-up daily IT management should monitor system
reports
Ensure data is backed-up - try retrieving yesterday's files. If
a stand-alone computer, check back-up to discs
4.5.8.3.
2
Maintain user systems Users set up their own computer systems (for example
spreadsheets) to produce data
User-maintained systems produce inaccurate data All important data is checked, or reconciled, to an
independent source to ensure it is correct. If this is not
possible, some manual reperformance of calculations, or
checks of formulas.
Output should be examined for
"reasonableness"
Check formulas are correct. If possible use a spreadsheet
analyser to detect possible problems. Reperform manually
important calculations, if possible.
4.5.8.3.
2
Maintain user systems Users set up their own computer systems (for example
spreadsheets) to produce data
User-maintained systems understood by only the
programmer
A user guide has been written and independently tested
after each revision
Manager holds a copy Check all programs have a clearly written user guide.
4.5.8.4 Prepare management
accounts
Collect the data from processed transactions into
accounts for management to make decisions
Information is incorrectly analysed and summarised Totals on the management accounts are reconciled to
totals from the accounts payable system
Output should be examined for
"reasonableness"
Trace figures from the accounts payable system through to
totals in the top level management accounts
4.5.8.5 Prepare financial accounts Collect the data from processed transactions into
accounts for statutory or tax purposes
Information is incorrectly analysed and summarised Each month, or more frequently, the accounts payable
ledger total is reconciled to the accounts payable control
account in the general ledger
Manager checks the reconciliation.
Management and financial accounts are
reconciled
Trace figures from the accounts payable system through to
totals in the top level financial accounts
4.5.8.6 Provide staff Recruit staff and manage staff policies (Summary level)
4.5.8.6.
1
Establish job descriptions Job descriptions, in accordance with policy, are written and
approved
Staff competencies required have not been identified All jobs have written job descriptions, which show the
competencies required
HR and manager sign off job descriptions Check for job descriptions of all staff levels
4.5.8.6.
2
Carry out regular
appraisals
Targets are set for staff with regular appraisals in
accordance with policy
Actual competencies of the staff have not been matched
with required competencies
The targets take into account the competencies required HR and manager sign off appraisals Check appraisal files
4.5.8.6.
3
Training of staff Staff are trained in order to achieve their targets with
maximum effectiveness and efficiency, within the ethical
guidelines
Training is not provided, or is inadequate. For example it
omits ethical guidance
Training is provided when taking on new responsibilities and
during a job, to ensure the staff member understands how to
do the job and the controls which must operate
Managers monitor the training their staff
receive to ensure it is appropriate at all
times
Check training materials. Ask staff who have recently
changed jobs about their training
4.5.8.6.
3
Training of staff Staff are trained in order to achieve their targets with
maximum effectiveness and efficiency, within the ethical
guidelines
Staff not allowed to attend training Clear policy from the board that training is important. HR monitor staff not attending training
courses and determine why
Question staff who have been on courses
4.5.8.6.
4
Recruit suitable staff Recruit staff to fill vacancies Applicants falsify references All references and qualifications are checked by HR Manager can request references if
required
Take a sample of recent joiners and check that references
were supplied. (Other tests are carried out as part of the
audit of HR)
4.5.8.6.
4
Recruit suitable staff Recruit staff to fill vacancies Insufficient staff are available to carry out all duties, and
maintain division of duties
HR maintain succession plans for senior key staff.
Managers have plans for other key staff
Senior managers should monitor their
managers to ensure succession plans
exist
Examine staff budgets to ensure staff numbers are being
maintained at levels which ensure controls are operated
4.5.8.7 Provide legal services Advise all areas of the company concerning action to be
taken on legislation
Staff involved in expense purchasing are not aware of
legislation which affects them, thus threatening the
organisation with prosecution
There is a clear, preferably written, understanding that legal
services will update the appropriate managers with
legislation which affects them. The managers will brief their
staff
Senior management check that important
legislation is understood by the functions
under their control
Determine when the last update from legal services was
received and how it was briefed to staff. If you are aware of
any legislation affecting the processes being audited (for
example competition legislation), make sure it has been
briefed in.
4.5.8.8 Provide tax services Advise all areas of the company concerning action to be
taken on tax legislation
Staff involved in expense purchasing are not aware of tax
legislation which affects them, thus threatening the
organisation with fines or the loss of tax credits
4.5.8.9 Ensure quality Ensure all goods sold meet the quality standards set by
legislation and the organisation
4.5.8.10 Ensure health & safety Ensure the organisation complies with legislation and good
practice to ensure the safety of staff and customers
4.5.8.11 Manage the environment Ensure the operations of the organisation obey all
environmental laws and good practice
Ensure security The physical security of tangible and intangible assets, and
staff and customers, is maintained at all times to ensure
the continued operation of the organisation
(Summary level)
Provide security All assets, including physical assets, stock and
information, are physically secure
Loss of the organisation's assets
Identify documents required
to achieve the objective of
these processes
Documents may not be recorded
Decide on arrangements to
safeguard these
Level of protection may not be sufficient
Communicate Inform internal and external stakeholders of the
organisation's policies and intentions
Manage risks threatening
expense purchasing
processes
(Summary level)
Identify risks Risks are not known 5 5 25 Examine processes to set up the risk register and examine
the register. Ensure all types of risk, including external risks,
have been considered
3 3 9 16 Not applicable
Evaluate risks Significant risks are not understood Examine the process to score the risks Not applicable
Control risks Significant risks are not controlled Controls are put into operation which reduce residual risks
to the risk appetite of the organisation
Check controls - below Not applicable
Appendix K
Advice on allocating conclusions

Grading and colour: Acceptable (green), Issues (amber), Unacceptable (red). The criteria for each conclusion are:

Conclusion on: Risks have been identified, evaluated and managed
Acceptable (green): Thorough processes have been used and all significant risks should have been identified.
Issues (amber): Processes have been used, but there are some deficiencies and not all significant risks may have been identified.
Unacceptable (red): Inadequate, or no, processes have been used.

Conclusion on: Internal controls reduce risks to acceptable levels (that is, to within the risk appetite of the organisation)
Acceptable (green): Risks are being managed to within acceptable levels, as defined by the board. Report as Supplementary issue if cost effective controls can reduce the risk further, otherwise do not report.
Issues (amber): Not all risks are being managed to within acceptable levels, as defined by the board, although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved. Report as: Key issue.
Unacceptable (red): The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results; or the risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results. Report as: Key issue.

Conclusion on: Action being taken to promptly remedy significant failings or weaknesses
Acceptable (green): The action being taken will result in all risks being managed to within acceptable levels.
Issues (amber): The action being taken will result in some reduction in risk but not to acceptable levels.
Unacceptable (red): No action is being taken, OR insufficient action is being taken to manage risks to within acceptable levels.

Conclusion on: Current levels of monitoring are sufficient
Acceptable (green): No more monitoring is necessary than is done at present.
Issues (amber): Some additional monitoring is required.
Unacceptable (red): Major improvements are required to the monitoring of controls.
Figure 1
What is risk based internal auditing?

Fig 1 What is Risk Based Internal Auditing? (diagram: the vertical axis is Consequence and the horizontal axis is Likelihood; an arrow labelled "control" runs from "inherent risk" down to "residual risk", which lies within the "risk appetite"; the note on the controls reads "RBIA provides assurance that these controls are operating effectively".)
Figure 2
Risk significance

Fig.2 Grid showing the significance of risks

Unacceptable: Immediate action required to manage the risk
Issue: Action required to manage the risk
Supplementary issue: Action is advisable if resources are available
Acceptable: No action required

Each cell holds the score (Likelihood of risk x Consequence of risk) and its grading. Rows are Likelihood of risk, columns are Consequence of risk.

Likelihood of risk   Insignificant (1)   Minor (2)          Moderate (3)       Major (4)          Catastrophic (5)
Almost certain (5)   5 Supplementary     10 Issue           15 Unacceptable    20 Unacceptable    25 Unacceptable
Probable (4)         4 Acceptable        8 Supplementary    12 Issue           16 Unacceptable    20 Unacceptable
Possible (3)         3 Acceptable        6 Supplementary    9 Issue            12 Issue           15 Unacceptable
Unlikely (2)         2 Acceptable        4 Acceptable       6 Supplementary    8 Supplementary    10 Issue
Rare (1)             1 Acceptable        2 Acceptable       3 Acceptable       4 Acceptable       5 Issue

(The figure grades its two cells scoring 5 differently, one as Issue and one as Supplementary issue; this reconstruction places Issue at Rare x Catastrophic and Supplementary issue at Almost certain x Insignificant.)

The grid also shows a line marking the risk appetite, as defined by the board, and an arrow labelled "Internal control" running from IR to RR (IR = Inherent Risk, RR = Residual Risk).
Figure 3
Stages of an audit
Fig 3 Stages of an audit (flow diagram not reproduced). Stage 1: Assess risk maturity (Risk naive, Risk aware, Risk defined, Risk managed, Risk enabled); Use organisation's risks; Facilitate risk identification; Management's Risk Register (if available); Management's Risk Register (amended); Audit universe; Assign risks to audits; Risk and audit universe (RAU). Stage 2: Audit plan. Stage 3: Individual audit; Audit report; Feedback results into RAU; Audit Committee report.
Figure 4
Stage 2 Audit planning
Fig 4 Processes involved in Stage 2 (flow diagram not reproduced). Documents and records shown: Risk and Audit Universe; Audit Universe; Risk Register (audited); Audit plan; Audit Committee report. Process steps shown: Filter risks; Categorise risks; Select risks to be covered; Link risks to audits; Allocate resources to audits. Risk categories shown: Risks on which assurance is required; Risks within the risk appetite; Risks which will be tolerated; Risks on which assurance is provided by others; Risks not requiring an audit in this period.
Figure 5
Frequency of Audits and Consultancy
Diagram not reproduced. Horizontal axis: Inherent risk, from zero to maximum. Vertical axis: Control score, from residual risk equals maximum up to the line of maximum control score, where residual risk equals zero. Marked values: the risk appetite value, and the risk appetite value when inherent risk is maximum. Numbered regions (1 to 4) and labels give the frequency of work: assurance every year; assurance every two years; assurance every three years; consultancy this year; consultancy next year.
Figure 6
Stage 3 Individual audits
Fig 5 Processes involved in stage 3 (caption as printed; flow diagram not reproduced). Documents and records shown: Audit plan; Agreed scope; Audit database; Audit report; Risk and audit universe. Process steps shown: Define draft audit scope; Meetings to determine objectives, risks and agree scope; Set up an audit database to record the audit details, or update the Risk and Audit Universe; Obtain relevant documentation on processes; Examine the risk management process for the area audited; Decide on audit approach; Conclude on risk maturity for the area audited; Test the monitoring and proper operation of controls; Draw preliminary conclusions and discuss them; Feedback results into risk and audit universe.
Figure 7
Audit trails in the Risk and Audit Universe and individual audits
Fig 7 Audit trails in the risks and audit universe and audit databases (diagram not reproduced). Risk and audit universe trail: objectives, processes, risks, last audits, scores, controls, Audit Committee report. Audit databases trail: objectives, processes, risks, tests, scores, controls, audit reports.
