Risk Based Internal Auditing - Three views on implementation
Last updated 15 January 2006
Copyright D M Griffiths

The spreadsheets in the Excel workbook support the book 'Risk Based Internal Auditing - Three views on implementation', which can be downloaded from www.internalaudit.biz. For reasons of time, none of the spreadsheets show all the data.

The spreadsheets are:

| Sheet | Contents |
|---|---|
| RAU basics | Brief introduction to the process maps and risk registers |
| Appendix A Scoring risks | Advice on the scoring of risks |
| Appendix B Risk Register | An example risk register in the order of the processes in appendix B. In this risk map |
| Appendix C Assessing risk maturity | Matrix giving the requirements for the five categories of risk maturity and suggested audit tests |
| Appendix D Process map | An example process map for a company manufacturing and retailing |
| Appendix E Audit Universe | List of all audits an organisation considers it requires to provide assurance on risk management. It is not essential, but assists those organisations wishing to ensure audits have particular characteristics, such as length of audit. It can only be considered complete when all risks have been assigned to audits, since some audits may be missing from the plan. |
| Appendix F Risk and audit universe | The complete list of scored risks and the audits that will check their management. |
| Appendix G Column key | Details of the columns in the RAU |
| Appendix H Audit plan | The audit plan derived from the RAU |
| Appendix I Process map - purchases | An example process map for the processes used to procure any item for the organisation |
| Appendix J Expense purchases database | The audit database used for the audit of expense purchases |
| Appendix K Conclusions | Guidance for providing assurance on an individual audit |
| Figure 1 Risk reduction diagram | What is risk based internal auditing? |
| Figure 2 Risk significance | Grid showing the significance of risks |
| Figure 3 Stages of RBIA | Stages involved in RBIA |
| Figure 4 Stage 2 Audit planning | Processes involved in stage 2 |
| Figure 5 Frequency of work | Frequency of consultancy and audit work |
| Figure 6 Stage 3 Individual audits | Process involved in the individual audit |
| Figure 7 Audit trail | Links in the audit trail involved in RBIA |

Risk register and audit plan 7/16/2014 8:16 PM

Risks register and audit Universe (RAU) basics

Purpose

The purpose of this spreadsheet is to demonstrate how a list of risks can be used to generate an audit plan. The IIA standard (2010.A1) states, "The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process."

The starting point: lists of risks from many people in the organisation at various levels.

The end point: a list of all the audits (the "audit universe") necessary to check that all risks are mitigated by internal controls. These audits are to be scored in order to indicate their priority.

To understand the way this risk register is used, you need to visit www.internalaudit.biz

This is not a "Best Practice" guide but an example, which you must change to fit your organisation.

The process map

In order to produce an audit plan from a list of risks, the first task is to group the risks. I believe this is best done by linking them to the processes which any organisation has to fulfill its

Do not confuse this approach with 'Process based' or 'Systems based' auditing.
Processes in risk based auditing are used only for convenience. Risks drive the audit plan and individual audits. If you have a risk with no process, go and set up a new process!

Processes are the means to achieve the organisation's objectives. They do not necessarily represent actual departments and could be outsourced. It is important to concentrate on the theoretical processes required, since the actual processes may have weaknesses or omissions.

Processes are arranged in a hierarchy (like an organisation chart), with each process being split into more detail. The first level of processes is known as level 1 and these are split into more detailed processes at level 2. It's usually possible to plan audits at this level. Processes are split further in the audit and the more detailed risks and controls are linked to these. The advantage of this approach is that it avoids having a huge database.

Each level has "Define objectives" at the start and "Support" at the end. There is a need to define the objectives of any set of processes, even if it is only to set targets. "Support" refers to the support directly required by the processes at that level. The example will give you more of an idea.

The processes in this spreadsheet are for a company which manufactures goods and sells them through its own shops, to resellers (wholesalers) or direct to the public.

The risk register

The process maps are used to set up the risk register, where risks are linked to processes. Each box on the process map has a row. This enables risks to be attached to processes at each level, and for each level to have a risk score. This is useful in summarising the risk scores for levels 1 & 2. (This format is slightly different to that used in www.internalaudit.biz)

Several risks may be linked to one process or several processes to one risk.
If you have a process with no risks, you may need to ask management if risks do exist in this area. If you have risks but no process, you need to add a process. Do NOT drop risks because they don't fit neatly into your map!

The risk register will be constantly updated with new risks, as they occur to me, or as my researches reveal. It can never be complete. The important point for your risk register is that it gives you a complete "audit universe". It is these audits which need to identify all the key risks in order to assess the controls which mitigate them.

The last columns in the register show details of the last audit of that risk and the next audit planned. This enables the register to be used as an audit planning tool. By sorting and filtering the database an annual audit plan can be produced. A calculation at the end of the "next audit budget" column will show if sufficient resources are available.

The register has one line of titles, so that it can be used as a database (sorted, filtered, reports produced).

I intend to produce example audit databases (audit programmes) for many of the audits in the risk register. See www.internalaudit.biz for more details.

Some audit work may be duplicated. For example, "Transaction processing - purchasing goods for resale" may have some audit work which appears in the support processes for "Purchase of goods for resale". This is not necessarily bad, as it may cover important areas in slightly different ways.

You may have many risks against one process at level 2. If this is the case, split the process to give processes at level 3. See 9.6 - Process Transactions.

Certain major areas of risk, such as health & safety, the environment and quality control, only have one entry each. The level of detail will depend on the responsibilities of the internal audit department.
It is assumed that these areas are covered by other specialists and the audit would be concerned with the proper operation and reporting of these functions.

The following notes are tips when considering risks:

When wording risks, try not to make them just the failure to deliver a process. For example, if the process is "Pay invoices", the risk is not "Fail to pay invoices". However, one risk would be "Invoices not selected for payment".

More importantly, risks should not be the absence of a control. For example, the risk "Invoices are not authorised" presupposes a control. The risk is "Invoices may be paid for goods or services not required"; the control is "All invoices are authorised by a senior manager".

Language

I have used UK English for the risk register. Variations from US English include:

Supplier = Vendor
Purchase = Procure
Cheque = Check

I have used the term "accounts payable" for purchase ledger, since this is now common in the UK.

All sheets copyright David M Griffiths. Not to be copied or distributed without acknowledging the author, or in conjunction with a commercial product.

Appendix A Advice on scoring risks (inherent and residual)

1 to 5 scale

| If the consequence when the risk occurs is: | OR the likelihood of the risk occurring is: | Cash at risk | Then the measure is defined to be: |
|---|---|---|---|
| A catastrophic impact on the organisation, threatening its existence | Almost certain | > 1,000,000 | Catastrophic (5) |
| To prevent the organisation achieving all, or a major part, of its objectives for a long time. | Probable | < 1,000,000, > 100,000 | Major (4) |
| To stop the organisation achieving its objectives for a limited period. | Possible | < 100,000, > 30,000 | Moderate (3) |
| To stop the organisation achieving its objectives for a limited period. | Unlikely | < 30,000, > 5,000 | Minor (2) |
| To cause minor inconvenience, not affecting the achievement of objectives | Rare | < 5,000 | Insignificant (1) |

Values are examples ONLY and must be defined by the board of the organisation concerned.

[Risk significance grid. Vertical axis: Likelihood of risk, from Rare (1) through Unlikely (2), Possible (3) and Probable (4) to Almost certain (5). Horizontal axis: Consequence of risk, from Insignificant (1) through Minor (2), Moderate (3) and Major (4) to Catastrophic (5). Each of the 25 cells carries a score and a rating:]

| Cell score | Rating |
|---|---|
| 1, 2, 3, 4 | Acceptable |
| 5 | Supplementary Issue (one cell), Issue (one cell) |
| 6, 8 | Supplementary Issue |
| 9, 10, 12 | Issue |
| 15, 16, 20, 25 | Unacceptable |
r i s k Consequence of risk 16 Unacceptable 3 Acceptable 2 Acceptable 1 Acceptable 5 Issue 3 Acceptable 5 Supplementary Issue 4 Acceptable 4 Acceptable 4 Acceptable 6 Supplementary Issue 6 Supplementary Issue 9 Issue 12 Issue 8 Supplementary Issue 8 Supplementary Issue 12 Issue 10 Issue 10 Issue 15 Unacceptable 20 Unacceptable 15 Unacceptable 20 Unacceptable 25 Unacceptable Appendix B Risks register L1 Level 1 process L2 Level 2 process L3 Level 3 process 1 Define organisation's objectives 1 Decide strategy 1 Define organisation's objectives 1 Decide strategy 1 Define organisation's objectives 1 Decide strategy 1 Define organisation's objectives 2 Communicate strategy 1 Define organisation's objectives 3 Deliver strategy 1 Define organisation's objectives 3 Deliver strategy 1 Define organisation's objectives 3 Deliver strategy 1 Define organisation's objectives 4 Maintain strategy 1 Define organisation's objectives 4 Maintain strategy 1 Define organisation's objectives 5 Support strategy 2 Research new business opportunities 1 Define objectives 2 Research new business opportunities 2 Research products David M Griffiths B Risk Register 2 Research new business opportunities 3 Research markets 2 Research new business opportunities 4 Research customers 2 Research new business opportunities 5 Research locations 2 Research new business opportunities 6 Support research 3 Obtain, and fit out, premises 1 Define objectives 3 Obtain, and fit out, premises 2 Obtain offices 3 Obtain, and fit out, premises 3 Obtain factories 3 Obtain, and fit out, premises 4 Obtain warehousing 3 Obtain, and fit out, premises 5 Obtain retail premises 3 Obtain, and fit out, premises 6 Maintain premises 3 Obtain, and fit out, premises 7 Support obtaining premises 4 Purchase ggods and services 1 Define objectives 4 Purchase ggods and services 2 Purchase raw materials 4 Purchase ggods and services 2 Purchase raw materials 4 Purchase ggods and services 3 Purchase assets 4 Purchase ggods and services 4 
Purchase finished goods 4 Purchase ggods and services 5 Purchase expense goods and services 4 Purchase ggods and services 5 Purchase expense goods and services David M Griffiths B Risk Register 4 Purchase ggods and services 6 Support purchasing 5 Manufacture 1 Define objectives 5 Manufacture 2 Design products 5 Manufacture 3 Specify manufacturing 5 Manufacture 4 Plan manufacturing 5 Manufacture 5 Manufacture 5 Manufacture 5 Manufacture 5 Manufacture 6 Support manufacturing 6 Advertise and promote 1 Define objectives for promotion 6 Advertise and promote 2 Promote in-store 6 Advertise and promote 3 Promote to customers 6 Advertise and promote 4 Advertise in papers 6 Advertise and promote 5 Advertise on TV 6 Advertise and promote 6 Support promotions 7 Store and distribute goods 1 Define objectives for supplying goods 7 Store and distribute goods 2 Store goods 7 Store and distribute goods 3 Distribute goods 7 Store and distribute goods 4 Support supply 8 Sell goods 1 Define objectives for selling goods 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores David M Griffiths B Risk Register 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores 8 Sell goods 3 Sell to resellers 8 Sell goods 3 Sell to resellers 8 Sell goods 3 Sell to resellers 8 Sell goods 4 Sell direct 8 Sell goods 4 Sell direct 8 Sell goods 4 Sell direct 8 Sell goods 4 Sell direct 8 Sell goods 4 Sell direct 8 Sell goods 5 Support selling 9 Support the organisation in achieving its objectives 1 Define objectives for supporting the organisation 9 Support the organisation in achieving its objectives 2 Prepare management accounts 9 Support the organisation in achieving its objectives 3 Prepare financial accounts David M Griffiths B Risk Register 9 Support the organisation in achieving its objectives 3 Prepare financial accounts 9 Support the organisation in achieving its 
objectives 4 Provide staff 9 Support the organisation in achieving its objectives 4 Provide staff 9 Support the organisation in achieving its objectives 4 Provide staff 9 Support the organisation in achieving its objectives 4 Provide staff 9 Support the organisation in achieving its objectives 5 Provide systems 9 Support the organisation in achieving its objectives 5 Provide systems 9 Support the organisation in achieving its objectives 5 Provide systems 9 Support the organisation in achieving its objectives 5 Provide systems 9 Support the organisation in achieving its objectives 5 Provide systems 9 Support the organisation in achieving its objectives 6 Process transactions 1 Process transactions - purchases 9 Support the organisation in achieving its objectives 6 Process transactions 2 Process transactions - retail sales 9 Support the organisation in achieving its objectives 6 Process transactions 3 Process transactions - wholesale sales 9 Support the organisation in achieving its objectives 6 Process transactions 4 Process transactions - direct sales David M Griffiths B Risk Register 9 Support the organisation in achieving its objectives 6 Process transactions 5 Process transactions - manufacturing stock 9 Support the organisation in achieving its objectives 6 Process transactions 6 Process transactions - wholesale stock 9 Support the organisation in achieving its objectives 6 Process transactions 7 Process transactions - store stock 9 Support the organisation in achieving its objectives 6 Process transactions 8 Process transactions - payroll 9 Support the organisation in achieving its objectives 6 Process transactions 9 Process transactions - personal expenses 9 Support the organisation in achieving its objectives 6 Process transactions 10 Process transactions - fixed assets 9 Support the organisation in achieving its objectives 6 Process transactions 11 Process transactions - cash and bank 9 Support the organisation in achieving its objectives 7 Provide legal 
services 9 Support the organisation in achieving its objectives 8 Provide tax services 9 Support the organisation in achieving its objectives 9 Ensure quality 9 Support the organisation in achieving its objectives 10 Ensure health & safety 9 Support the organisation in achieving its objectives 11 Manage the environment David M Griffiths B Risk Register 9 Support the organisation in achieving its objectives 12 Ensure security 9 Support the organisation in achieving its objectives 12 Ensure security 9 Support the organisation in achieving its objectives 13 Communicate 9 Support the organisation in achieving its objectives 14 Manage risks 9 Support the organisation in achieving its objectives 15 Manage the assets 9 Support the organisation in achieving its objectives 15 Manage the assets 9 Support the organisation in achieving its objectives 16 Support the support functions David M Griffiths B Risk Register Reference Business unit Process Process Description 1.1 The board Decide strategy The most senior management group (the "board") decide on the objectives of the organisation 1.1 The board Decide strategy The most senior management group (the "board") decide on the objectives of the organisation 1.1 The board Decide strategy The most senior management group (the "board") decide on the objectives of the organisation 1.2 The board Communicate strategy The objectives are communicated to all staff in a comprehensible form 1.3 The board Deliver strategy An action plan is devised, at high level, which will deliver the objectives 1.3 The board Deliver strategy An action plan is devised, at high level, which will deliver the objectives 1.3 The board Deliver strategy An action plan is devised, at high level, which will deliver the objectives 1.4 The board Maintain strategy The strategy is regularly updated to take account of changing business conditions 1.4 The board Maintain strategy The strategy is regularly updated to take account of changing business conditions 1.5 The 
board Support strategy Resources are made available to carry out the above processes 2.1 Research and development Define objectives The objectives of the research processes are defined 2.2 Research and development Research products Research the products, to be manufactured or purchased, which will achieve the organisation's objectives David M Griffiths B Risk Register 2.3 Marketing Research markets Research the market segments which will achieve the organisation's objectives 2.4 Marketing Research customers Research the customer profile which will achieve the organisation's objectives 2.5 Property Research locations Research the locations, in-country and abroad, which will achieve the organisation's objectives 2.6 Administration Support research Resources are made available to carry out the above processes 3.1 Property Define objectives The objectives of the processes for obtaining premises are defined 3.2 Property Obtain offices Decide on the best locations for offices to house the support staff 3.3 Property Obtain factories Decide on the best locations for factories to manufacture products 3.4 Property Obtain warehousing Decide on the best location for premises to store goods 3.5 Property Obtain retail premises Decide on the best location for shops 3.6 Facilities management Maintain premises Premises are maintained to ensure safety, effectiveness and efficiency at all times 3.7 Administration Support obtaining premises Resources are made available to carry out the above processes 4.1 Purchasing Define objectives The objectives of the processes for purchasing are defined 4.2 Purchasing Purchase raw materials Purchase items to manufacture goods 4.2 Purchasing Purchase raw materials Purchase items to manufacture goods 4.3 Purchasing Purchase assets Purchase fixed assets 4.4 Purchasing Purchase finished goods Purchase goods for resale 4.5 Purchasing Purchase expense goods and services Purchase goods and services for the organisation 4.5 Purchasing Purchase expense 
goods and services Purchase utilities for the organisation David M Griffiths B Risk Register 4.6 Administration Support purchasing Resources are made available to carry out the above processes 5.1 Factory Define objectives The objectives of the processes for manufacturing are defined 5.2 Factory Design products Products to be manufactured are designed 5.3 Factory Specify manufacturing Specify how the products are to be manufactured 5.4 Factory Plan manufacturing Plan the manufacturing schedule 5.5 Factory Manufacture Make the goods 5.5 Factory Manufacture Make the goods 5.6 Administration Support manufacturing Resources are made available to carry out the above processes 6.1 Advertising Define objectives for promotion The objectives of the processes for promoting sales are defined 6.2 Advertising Promote in-store Promote goods in the retail stores through various offers 6.3 Advertising Promote to customers Promote goods to resellers using offers 6.4 Advertising Advertise in papers Advertise goods in newspapers and magazines 6.5 Advertising Advertise on TV Advertise on television 6.6 Administration Support promotions Resources are made available to carry out the above processes 7.1 Logistics Define objectives for supplying goods The objectives of the processes for supplying goods are defined 7.2 Logistics Store goods Store goods in warehouses at stages of the supply chain 7.3 Logistics Distribute goods Distribute goods between factories, warehouses, stores and customers 7.4 Administration Support supply Resources are made available to carry out the above processes 8.1 Merchandising Define objectives for selling goods The objectives of the processes for selling are defined 8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised 8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised David M Griffiths B Risk Register 8.2 Merchandising Sell in stores Sell goods in stores operated by the 
organisation, or franchised 8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised 8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised 8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised 8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised 8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised 8.3 Marketing Sell to resellers Sell goods to customers who will resell them 8.3 Marketing Sell to resellers Sell goods to customers who will resell them 8.3 Marketing Sell to resellers Sell goods to customers who will resell them 8.4 Internet sales Sell direct Sell direct to the public. For example, through the internet 8.4 Internet sales Sell direct Sell direct to the public. For example, through the internet 8.4 Internet sales Sell direct Sell direct to the public. For example, through the internet 8.4 Internet sales Sell direct Sell direct to the public. For example, through the internet 8.4 Internet sales Sell direct Sell direct to the public. 
For example, through the internet 8.5 Administration Support selling Resources are made available to carry out the above processes 9.1 Administration Define objectives for supporting the organisation The objectives of the processes for supporting the organisation are defined 9.2 Management accounts Prepare management accounts Collect the data from processed transactions into accounts for management to make decisions 9.3 Financial accounts Prepare financial accounts Collect the data from processed transactions into accounts for statutory or tax purposes David M Griffiths B Risk Register 9.3 Financial accounts Prepare financial accounts Collect the data from processed transactions into accounts for statutory or tax purposes 9.4 Human resources Provide staff Recruit staff and manage staff policies 9.4 Human resources Provide staff Recruit staff and manage staff policies 9.4 Human resources Provide staff Recruit staff and manage staff policies 9.4 Human resources Provide staff Recruit staff and manage staff policies 9.5 Information systems Provide systems Provide systems, including computer systems to support the organisations operations 9.5 Information systems Provide systems Provide systems, including computer systems to support the organisations operations 9.5 Information systems Provide systems Provide systems, including computer systems to support the organisations operations 9.5 Information systems Provide systems Provide systems, including computer systems to support the organisations operations 9.5 Information systems Provide systems Provide systems, including computer systems to support the organisations operations 9.6.1 Purchase accounting services Process transactions - purchases Receive invoices, obtain approval for payment, pay for goods and services 9.6.2 Retail accounting services Process transactions - retail sales Receive cash and cash equivalents at the till, bank them and check all money is received 9.6.3 Sales accounting services Process 
transactions - wholesale sales Carry out credit checks before goods are despatched, issue invoices and receive payment for goods 9.6.4 Sales accounting services Process transactions - direct sales Process the credit card payments before authorising despatch of the goods David M Griffiths B Risk Register 9.6.5 Factory Process transactions - manufacturing stock Receive goods against the order, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock 9.6.6 Logistics Process transactions - wholesale stock Receive goods from the factory, or supplier,, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock 9.6.7 Stock accounting services Process transactions - store stock Receive goods from the warehouse, update store stock records, sell the goods to customers, manage stock levels, minimise stock losses, account for stock 9.6.8 Payroll accounting services Process transactions - payroll Receive details of employees, their salary and working hours. Calculate pay based on these, less deductions. Pay over deductions 9.6.9 Expense accounting services Process transactions - personal expenses Personal expenses (for travelling) are claimed, authorised and paid 9.6.10 Fixed asset accounting services Process transactions - fixed assets Receive invoice details. Decide on whether to capitalise costs. Add assets to register. Attach depreciation data and calculate. 9.6.11 Cashiers accounting services Process transactions - cash and bank Receive cash transaction data for purchases, sales, payroll, personal expenses and other transactions. Reconcile these to transactions passing through the bank account. 
Follow-up differences 9.7 Company Secretary Provide legal services Advise all areas of the company concerning action to be taken on legislation 9.8 Taxation Provide tax services Advise all areas of the company concerning action to be taken on tax legislation 9.9 Quality Control Ensure quality Ensure all goods sold meet the quality standards set by legislation and the organisation 9.10 Health and safety Ensure health & safety Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers 9.11 Health and safety Manage the environment Ensure the operations of the organisation obey all environmental laws and good practice David M Griffiths B Risk Register 9.12 Security Ensure security The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation 9.12 Security Ensure security The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation 9.13 Public relations Communicate Inform internal and external stakeholders of the organisation's policies and intentions 9.14 Risk manager Manage risks Identify, evaluate and manage risks down to the level considered acceptable by the organisation 9.15 Treasury Manage the assets Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives 9.15 Treasury Manage the assets Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives 9.16 Administration Support the support functions Resources are made available to carry out the above processes David M Griffiths B Risk Register Key risk to process Risk Source Process owner Cons Like The strategy does not anticipate customer demands Managing Director 5 5 The strategy is too risk-averse Managing Director 5 5 The objectives within the 
strategy are not clearly defined, financially justified or documented Managing Director 5 5
Staff do not understand the objectives in relation to their own jobs Managing Director 5 5
The action plan does not cover all objectives and does not consist of SMART targets addressed to senior management Managing Director 5 5
The organisation has not got the resources to deliver the strategy Managing Director 5 5
Major projects intended to deliver the strategy are late and/or over budget Managing Director 5 5
All staff, including the Board, fail to maintain high ethical standards, which undermine the controls necessary to achieve the organisation's objectives, including that of ensuring compliance with laws and standards Managing Director 5 5
Internal and external influences are not monitored to assess their impact on the strategy Managing Director 5 5
The resources required are not understood or are not sufficient to deliver the strategy 5 5
The objectives will not deliver the organisation's objectives effectively and efficiently
The research does not identify the most effective products for achieving the objectives
Inherent risks
The research does not identify the most effective market segments for achieving the objectives
The research does not identify the most effective customer segments for achieving the objectives
The research does not identify the most effective locations for achieving the objectives
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently
The locations are not cost-effective, have insufficient staff in the vicinity and have poor communications
The environment is not suitable for a factory, insufficient trained labour is available, property costs are too high
The buildings are not suitable for storing products, costs are too high and labour is not available
The locations are not cost-effective,
have insufficient staff in the vicinity and are not near our target customers
Poor maintenance results in injury to staff or customers
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently
The purchased items are unsuitable, too expensive or delivered late
A major supplier of a vital raw material, not obtainable elsewhere, is not able to deliver
Assets are not required, not suitable or too expensive
Goods are not suitable, too expensive or delivered late
Goods or services are not suitable, too expensive or delivered late
Minimum prices for utilities are not negotiated
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently
There is no market for the product. The product is too expensive to produce
The method of manufacturing specified is inefficient
The schedule produces the wrong goods at the wrong time
The goods are made inefficiently
New environmental legislation makes manufacturing process uneconomic
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently
Promotions do not make a profit
Promotions do not make a profit
Promotions do not make a profit
Promotions do not make a profit
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently
Goods are damaged, or lost
A strike of fuel suppliers brings transport in the UK to a stop
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently Board risk workshop Merchandise Director 5 5
Fail
to stock goods which the customers want to buy Board risk workshop Merchandise Director 5 5
Fail to anticipate the competition's initiatives to take a bigger market share Board risk workshop Merchandise Director 5 5
Prices are not competitive Board risk workshop Merchandise Director 5 5
Store layout confuses customers Board risk workshop Merchandise Director 4 4
Prices are incorrect Board risk workshop Merchandise Director 4 5
No stock for customers to buy Board risk workshop Merchandise Director 5 5
Higher minimum wage legislation makes some stores unprofitable Board risk workshop Merchandise Director 5 5
Poor service/quality of goods leading to customer complaints Board risk workshop Merchandise Director 5 5
A major customer goes bankrupt Board risk workshop Marketing Director 4 4
No stock for customers to buy Board risk workshop Marketing Director 5 5
Poor service/quality of goods leading to customer complaints Board risk workshop Marketing Director 5 5
Poor service/quality of goods leading to customer complaints Board risk workshop Merchandise Director 4 5
Fraudulent credit cards used Finance Director interview Merchandise Director 4 5
No stock for customers to buy Logistics Director interview Merchandise Director 4 5
Internet sites unavailable Board risk workshop Merchandise Director 4 5
Goods are lost Board risk workshop Merchandise Director 4 5
The resources required are not understood or are not sufficient to deliver the strategy Board risk workshop Merchandise Director 5 5
The objectives will not deliver the organisation's objectives effectively and efficiently
Management accounts do not provide timely information on which to make decisions
Financial accounts are issued which do not comply with UK law
The organisation is not prepared for the International Accounting Standards (IAS)
High-calibre staff are not recruited and retained
Properly qualified staff are not available to
take vacancies
Staff are not properly trained
Staff successfully claim unfair dismissal
A virus brings down all computer systems for a week
Data is lost
Data or programs are corrupted
Major hardware failure
Major network failure
Payment is made where the organisation has not received the goods or services at the price and quality ordered
Cash taken at the till is not banked
Goods are sold to customers who cannot pay for them
Fail to pass transaction details to the credit card company
Stock is incorrectly valued
Stock is incorrectly valued
Stock is incorrectly valued
Receive incorrect data from stores on hours worked and new employees
Expenses were not incurred
Revenue expenditure capitalised, or capital expenditure put to revenue
Differences not cleared
The impact of legislation is not anticipated which results in considerable costs
Schemes to minimise tax are not used
Poor quality goods harm the organisation's reputation
A failure in H & S occurs which results in bad publicity and law suits
An environmental disaster occurs at one of the organisation's premises
Confidential information is stolen
Offices are destroyed by fire
The London Stock Exchange is given information which cannot be substantiated
The external and internal risks threatening the objectives, and related processes, of the organisation are not understood or mitigated
Financial contracts are set up which open the company to significant losses
Working capital is not optimised
The resources required are not understood or are not sufficient to deliver the strategy
Score Response Control (examples)
25 The board received a quarterly report from outside consultants which forecasts likely trends in customer demand for the next year
25 The quarterly meeting with consultants considers all possible strategy options which are analysed objectively to ensure all are properly considered
25 The strategy is written
and published on the intranet. All elements are financially justified and subject to risk modelling
25 The Company Secretary is charged with ensuring all non-sensitive information relating to company objectives and strategy is published on the intranet
25
25
25
25
25
25
25 treat Overall targets for sales and profits are set by the board in the annual budget. As part of the budget package the Merchandise Director outlines the action to be taken to achieve the targets. See also strategy controls
25 treat Regular visits by Merchandising Director and staff to markets which anticipate ours eg the US. Attendance at trade shows. Focus Groups
25 treat All competitors' advertising campaigns are monitored, with a weekly report to the Merchandising Director.
25 treat Competitors' prices are monitored every week, with reports going to appropriate Heads of Merchandise Departments
16 treat None
20 treat Retail prices are input by an assistant buyer and checked by a supervisor. Prices are downloaded onto the EPOS system overnight
25 treat Each store has automatic replenishment, based on sales and PI counts in store
25 treat Monthly profitability report of each store, checked by stores accountant
25 treat All customer complaints logged on a database. Monthly report to the Merchandise Managers, with comments on action being taken
16 transfer with insurance Credit control procedures prevent orders being sent to customers who pay late. Overseas debts are insured.
25 treat Computer report produced which estimates stock holding and orders necessary to ensure 3 weeks stock holding. Report checked by Senior Buyer
25 treat All customer complaints logged on a database.
Monthly report to the Merchandise Managers, with comments on action being taken
20 treat All customer complaints logged on a database. Monthly report to the Merchandise Managers, with comments on action being taken
20 treat Credit card details checked to external database of fraudulent cards
20 treat Computer report produced which estimates stock holding and orders necessary to ensure 3 weeks stock holding. Report checked by Senior Buyer
20 tolerate An external internet provider is used who has back-up computers available in the event of hardware and comms failure
20 tolerate Reputable carrier used. Value of goods is relatively low and missing goods are replaced without question
25 treat Various reports (Out of stock, late deliveries) will indicate if insufficient staff are available
Monitoring (examples) Potential issue Cons Like Score
The role of the non-executive directors is defined to ensure they challenge board strategy to ensure it is robust 5 1 5
The role of the non-executive directors is defined to ensure they challenge board strategy to ensure it is robust 5 1 5
The role of the non-executive directors is defined to ensure they challenge board strategy to ensure it is robust 5 1 5
A staff council exists to feed back concerns on communication to the board 4 1 4
5 2 10
5 2 10
5 2 10
5 2 10
5 2 10
5 2 10
Residual risks
Monthly reports of sales and profits are presented to the Board, with an explanation of variances 5 1 5
Quarterly presentation to Board by Merchandising Director on market trends 5 1 5
None No checks to ensure reports are issued and acted upon 5 3 15
None No checks to
ensure reports are issued and acted upon 5 2 10
None No customer groups to report on their opinions of store layouts 4 4 16
A gross profit exception report is generated for any changes to GP >5%. This should pick up any incorrect input of retail prices. The report is signed off by a buyer. 4 1 4
Computer report to buyer reports zero stocks in stores 5 1 5
None Stores accountant is not required to report exceptions to senior management 5 4 20
Copy of report sent to Merchandising Director and summaries are put on the intranet 5 1 5
Head of Accounting Services examines Aged Trial Balance each month and follows up overdue debts 4 1 4
Head of Production also receives report and ensures orders have been received where necessary. 5 1 5
Copy of report sent to Marketing Director and summaries are put on the intranet 5 1 5
Copy of report sent to Merchandising Director and summaries are put on the intranet 5 1 5
Report of fraudulent transactions sent to Head of Security. 4 1 4
Computer report to buyer reports zero stocks in warehouse 4 1 4
Service agreement with provider commits to 99% availability or compensation 4 1 4
Report of lost goods sent to Head of Security.
4 1 4
Failure to achieve targets may indicate shortage of staff There is no succession plan, or any attempt to anticipate staff required in the future 5 3 15
Control score
20 20 20 21 15 15 15 15 15 15
20 20 10 15 0 16 20 5 20 12 20 20 15 16 16 16 16 10
Appendix C Assessing the organisation's risk maturity
(A more detailed matrix is included in the IIA Guidance Note An Approach to Implementing Risk Based Internal Auditing)
Risk naïve Risk aware
Key characteristics (See IIA statement Risk Based Internal Auditing)
No formal approach developed for risk management
Scattered silo based approach to risk management
Process
Are the organisation's objectives defined?
Have management been trained to understand what risks are, and their responsibility for them?
Has a scoring system for assessing risks been defined?
Have processes been defined to determine risks, and have these been followed?
Have all risks been collected into one list?
Have risks been allocated to specific job titles?
Have all risks been assessed in accordance with the defined scoring system?
Have responses to the risks (e.g. controls) been selected and implemented?
Have management set up controls to monitor the proper operation of key controls?
Are risks regularly reviewed by the organisation?
Has the risk appetite of the organisation been defined in terms of the scoring system?
No
Have management reported risks to directors where responses are not managing the risks to a level acceptable to the board?
Are all significant new projects routinely assessed for risk?
Is responsibility for the determination, assessment, and management of risks included in job descriptions?
Do managers provide assurance on the effectiveness of their risk management?
Are managers assessed on their risk management performance?
Internal Audit approach
Promote risk management and rely on audit risk assessment
Promote enterprise-wide approach to risk management and rely on audit risk assessment
Risk defined Risk managed Risk enabled
Strategy and policies in place and communicated. Risk appetite defined
Enterprise approach to risk management developed and communicated
Risk management and internal controls fully embedded into the operations
In part Yes
Facilitate risk management/liaise with risk management and use management assessment of risk where appropriate
Audit risk management processes and use management assessment of risk as appropriate
Audit risk management processes and use management assessment of risk as appropriate
In part Yes
Audit test
Core IA roles are in brackets - see IIA statement The Role of Internal Audit in Enterprise-wide Risk Management
Check the organisation's objectives are determined by the board and have been communicated to all staff. Check other objectives and targets are consistent with the organisation's objectives. (1)
Interview managers to confirm their understanding of risk and the extent to which they manage it. (1)
Check the scoring system has been approved, communicated and is used. (2)
Examine the processes to ensure they are sufficient to ensure identification of all risks. Check they are in use, by examining the output from any workshops. (1)
Examine the Risk Universe.
Ensure it is complete, regularly reviewed, assessed and used to manage risks. Risks are allocated to managers. (1)
Check the scoring applied to a selection of risks is consistent with the policy. Look for consistency (that is, similar risks have similar scores). (2)
Examine the risk register to ensure proper controls should be in place. (3)
For significant risks, examine the control(s) treating it and ensure management would know if the control failed. (5)
Check for evidence that a thorough review process is regularly carried out. (1)
Check the document on which the controlling body has approved the risk appetite. Ensure it is consistent with the scoring system and has been communicated. (1)
For risks above the risk appetite, check that the board has been formally informed of their existence. (4)
Examine project proposals for an analysis of the risks which might threaten them. (1)
Examine job descriptions. Check the instructions for setting up job descriptions. (1)
Examine the assurance provided. For key risks, check that controls and the management system of monitoring, are operating. (4)
Examine a sample of appraisals for evidence that risk management was properly assessed for performance.
(1)
Appendix D Process map for an organisation (levels 1 and 2)
Define objectives
Obtain premises
Research
Decide strategy
Maintain strategy
Deliver strategy
Communicate strategy
Research markets
Research products
Research locations
Research customers
Obtain factories
Obtain offices
Obtain retail premises
Obtain warehousing
Purchase expense
Define objectives
Support research
Support strategy
Define objectives
Support obtaining premises
Manufacture
Promote
Purchase
Organisation's objectives
Purchase assets
Purchase raw materials
Purchase expense goods
Purchase finished goods
Specify manufacturing
Design products
Manufacture
Plan manufacturing
Promote to customers
Promote in-store
Advertise on TV
Advertise in papers
Define objectives
Define objectives
Define objectives
Support promotions
Support manufacturing
Support purchasing
Sell
Supply
Support
Distribute goods
Store goods
Support distribution
Sell to resellers
Sell in stores
Support sales
Sell direct
Prepare financial accounts
Prepare management accounts
Provide systems
Provide staff
Define objectives
Define objectives
Define objectives
Process transactions
Provide legal services
Provide tax services
Ensure quality
Ensure health & safety
Manage the environment
Ensure security
Communicate
Manage risks
Manage assets
Support the support services
E Audit Universe
List of all audits, in business unit order
Business unit Process Process Description Last audit number
Administration Support manufacturing Resources are made available to carry out the above processes
Administration Support promotions Resources are made available to carry out the above processes
Administration Support supply Resources are made available to carry out the above processes
Administration Support selling Resources are made available to carry out the above processes
Administration Define objectives for supporting the organisation The objectives of the processes for supporting the organisation are defined
Administration Support the support functions Resources are made available to carry out the above processes
Administration Support research Resources are made available to carry out the above processes
Administration Support obtaining premises Resources are made available to carry out the above processes
Administration Support purchasing Resources are made available to carry out the above processes
Advertising Define objectives for promotion The objectives of the processes for promoting sales are defined
Advertising Promote in-store Promote goods in the retail stores through various offers
Advertising Promote to customers Promote goods to resellers using offers
Advertising Advertise on TV Advertise on television
Advertising Advertise in papers Advertise goods in newspapers and magazines
Cashiers accounting services Process transactions - cash and bank Receive cash transaction data for purchases, sales, payroll, personal expenses and other transactions. Reconcile these to transactions passing through the bank account.
Follow-up differences
Company Secretary Provide legal services Advise all areas of the company concerning action to be taken on legislation
Expense accounting services Process transactions - personal expenses Personal expenses (for travelling) are claimed, authorised and paid
Facilities management Maintain premises Premises are maintained to ensure safety, effectiveness and efficiency at all times
Factory Plan manufacturing Plan the manufacturing schedule
Factory Manufacture Make the goods
Factory Manufacture Make the goods
Last audit details
David M Griffiths E Audit Universe
Factory Process transactions - manufacturing stock Receive goods against the order, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock
Factory Define objectives The objectives of the processes for manufacturing are defined
Factory Design products Products to be manufactured are designed
Factory Specify manufacturing Specify how the products are to be manufactured
Financial accounts Prepare financial accounts Collect the data from processed transactions into accounts for statutory or tax purposes
Financial accounts Prepare financial accounts Collect the data from processed transactions into accounts for statutory or tax purposes
Fixed asset accounting services Process transactions - fixed assets Receive invoice details. Decide on whether to capitalise costs. Add assets to register. Attach depreciation data and calculate.
Health and safety Ensure health & safety Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers
Health and safety Manage the environment Ensure the operations of the organisation obey all environmental laws and good practice
Human resources Provide staff Recruit staff and manage staff policies
Human resources Provide staff Recruit staff and manage staff policies
Human resources Provide staff Recruit staff and manage staff policies
Human resources Provide staff Recruit staff and manage staff policies
Information systems Provide systems Provide systems, including computer systems to support the organisation's operations
Information systems Provide systems Provide systems, including computer systems to support the organisation's operations
Information systems Provide systems Provide systems, including computer systems to support the organisation's operations
Information systems Provide systems Provide systems, including computer systems to support the organisation's operations
Information systems Provide systems Provide systems, including computer systems to support the organisation's operations
Internet sales Sell direct Sell direct to the public. For example, through the internet
Internet sales Sell direct Sell direct to the public. For example, through the internet 130
Internet sales Sell direct Sell direct to the public. For example, through the internet
If the audit budget shows only days for the audits due next year, then this calculation will show if
Internet sales Sell direct Sell direct to the public. For example, through the internet
Internet sales Sell direct Sell direct to the public.
For example, through the internet
Logistics Define objectives for supplying goods The objectives of the processes for supplying goods are defined
Logistics Store goods Store goods in warehouses at stages of the supply chain
Logistics Distribute goods Distribute goods between factories, warehouses, stores and customers
Logistics Process transactions - wholesale stock Receive goods from the factory, or supplier, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock
Management accounts Prepare management accounts Collect the data from processed transactions into accounts for management to make decisions
Marketing Sell to resellers Sell goods to customers who will resell them
Marketing Sell to resellers Sell goods to customers who will resell them
Marketing Sell to resellers Sell goods to customers who will resell them
Marketing Research markets Research the market segments which will achieve the organisation's objectives
Marketing Research customers Research the customer profile which will achieve the organisation's objectives
Merchandising Define objectives for selling goods The objectives of the processes for selling are defined
Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised 143
Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
Payroll accounting services
Process transactions - payroll Receive details of employees, their salary and working hours. Calculate pay based on these, less deductions. Pay over deductions
Property Research locations Research the locations, in-country and abroad, which will achieve the organisation's objectives
Property Define objectives The objectives of the processes for obtaining premises are defined 210
Property Obtain offices Decide on the best locations for offices to house the support staff
Property Obtain factories Decide on the best locations for factories to manufacture products
Property Obtain warehousing Decide on the best location for premises to store goods
Property Obtain retail premises Decide on the best location for shops
Public relations Communicate Inform internal and external stakeholders of the organisation's policies and intentions
Purchase accounting services Process transactions - purchases Receive invoices, obtain approval for payment, pay for goods and services
Purchasing Define objectives The objectives of the processes for purchasing are defined
Purchasing Purchase raw materials Purchase items to manufacture goods
Purchasing Purchase raw materials Purchase items to manufacture goods
Purchasing Purchase assets Purchase fixed assets
Purchasing Purchase finished goods Purchase goods for resale
Purchasing Purchase expense goods and services Purchase goods and services for the organisation
Purchasing Purchase expense goods and services Purchase utilities for the organisation
Quality Control Ensure quality Ensure all goods sold meet the quality standards set by legislation and the organisation
Research and development Define objectives The objectives of the research processes are defined
Research and development Research products Research the products, to be manufactured or purchased, which will achieve the organisation's objectives
Retail accounting services Process transactions - retail sales Receive cash and cash equivalents at the
till, bank them and check all money is received
Risk manager Manage risks Identify, evaluate and manage risks down to the level considered acceptable by the organisation
Sales accounting services Process transactions - wholesale sales Carry out credit checks before goods are despatched, issue invoices and receive payment for goods
Sales accounting services Process transactions - direct sales Process the credit card payments before authorising despatch of the goods
Security Ensure security The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation
Security Ensure security The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation
Stock accounting services Process transactions - store stock Receive goods from the warehouse, update store stock records, sell the goods to customers, manage stock levels, minimise stock losses, account for stock
Taxation Provide tax services Advise all areas of the company concerning action to be taken on tax legislation
The board Decide strategy The most senior management group (the "board") decide on the objectives of the organisation
The board Deliver strategy An action plan is devised, at high level, which will deliver the objectives
The board Deliver strategy An action plan is devised, at high level, which will deliver the objectives
The board Deliver strategy An action plan is devised, at high level, which will deliver the objectives
The board Maintain strategy The strategy is regularly updated to take account of changing business conditions 203
The board Maintain strategy The strategy is regularly updated to take account of changing business conditions
The board Support strategy Resources are made available to carry out the above processes
Treasury Manage the assets Ensure that assets of the
organisation, particularly cash, are maintained at
Treasury Manage the assets Ensure that assets of the organisation, particularly cash, are maintained at
Last audit name Last audit Budget Last audit actual Last timing Last auditor Last final report Target Final report achieved
Manufacturing resource planning
Promotions resource planning
Supply resource planning
Selling resource planning
Support strategy
Support resource planning
Research resource planning
Location resource planning
Purchase resource planning
Selling strategy
Retail promotions
Wholesale promotions
TV advertising
Newspaper advertising
Bank and cash
Provision of legal services
Personal expenses
Maintenance of premises
Scheduling manufacture
Production accounting
Environmental audit
Manufacturing stock
Manufacturing strategy
Product design
Manufacturing specification
Financial accounting
Project - IAS
Fixed assets
Health and safety
Environmental
Recruitment
Succession planning
Staff training
Staff policies
Virus checking
Back-up procedures
Access controls
IS contingency plans - hardware
IS contingency plans - communications
Stock control
Internet sales 15 14 Mar-05 Heath 5-Apr-05 5-Apr-05
Internet sales
Internet sales See above
Complaints procedures
Supply strategy
Warehouse operations
Distribution
Wholesale stock
Management accounting
Stock control
Accounts receivable
Complaints procedures
Market research
Market research
Selling strategy
Market anticipation
Market anticipation
Store planning
Price file maintenance
Stock control 20 22 Sep-06 Smith 1-Oct-04 3-Oct-04
Store accounts
Pricing policy
Complaints procedures
Payroll
Geographic research
Location strategy 50 45 2004 Murphy 10/28/2004 10/28/2004
Locating offices Locating factories Locating warehouses Locating shops Communications Accounts Payable Purchasing strategy Purchasing for manufacture Purchasing for manufacture Purchase of assets Purchase of goods for resale Purchase of expense goods and services Purchase of expense goods and services Quality control Research strategy Product research Retail cash takings Risk management Accounts receivable See above Internet sales See above Site security David M Griffiths E Audit Universe Contingency planning Retail stock Provision of tax services Organisation's strategy Delivery of strategy Delivery of strategy (Projects are individually audited) Ethical guidelines 20 23 2003 Smith 6/23/2003 6/28/2003 Monitoring of external influences (Carried out within the above audits) Treasury Working capital David M Griffiths E Audit Universe Last result Audit plan date Next audit number Next audit name Next audit budget Next timing Manufacturing resource planning Promotions resource planning Supply resource planning Selling resource planning Support strategy Support resource planning Research resource planning Location resource planning Purchase resource planning Selling strategy Retail promotions Wholesale promotions TV advertising Newspaper advertising Bank and cash Provision of legal services Personal expenses Maintenance of premises Scheduling manufacture Production accounting Environmental audit Last audit details Next audit details David M Griffiths E Audit Universe Manufacturing stock Manufacturing strategy Product design Manufacturing specification Financial accounting Project - IAS Fixed assets Health and safety Environmental Recruitment Succession planning Staff training Staff policies Virus checking Back-up procedures Access controls IS contingency plans - hardware IS contingency plans - communications Stock control Issues 2006 201 Internet sales 14 Oct-06 Internet sales If the audit budget shows only days for the audits due next year, then this calculation will 
show if David M Griffiths E Audit Universe Internet sales 207 Complaints procedures (see above) Supply strategy Warehouse operations Distribution Wholesale stock Management accounting Stock control 20 Oct-06 Accounts receivable 10 Aug-06 207 Complaints procedures (see above) Market research Market research 200 Selling strategy 10 Jan-06 201 Market anticipation 20 Jan-06 201 Market anticipation (see above) 203 Store planning 15 Mar-06 204 Price file maintenance 20 Apr-06 Acceptable 2006 205 Stock control 22 Sep-06 206 Store accounts 10 Jun-06 202 Pricing policy 20 Feb-06 207 Complaints procedures 30 Jul-06 Payroll Geographic research David M Griffiths E Audit Universe unacceptable 253 Location strategy Jones Locating offices Locating factories Locating warehouses Locating shops Communications Accounts Payable Purchasing strategy Purchasing for manufacture Purchasing for manufacture Purchase of assets Purchase of goods for resale Purchase of expense goods and services Purchase of expense goods and services Quality control Research strategy Product research Retail cash takings Risk management Accounts receivable Internet sales Site security David M Griffiths E Audit Universe Contingency planning Retail stock Provision of tax services Organisation's strategy Delivery of strategy Delivery of strategy (Projects are individually audited) acceptable 2006 250 Ethical guidelines Q1 2005 Monitoring of external influences (Carried out within the above audits) Treasury Working capital David M Griffiths E Audit Universe Next auditor Status Next final report Target Next final report Achieved 2006 opinion on risk Next audit details David M Griffiths E Audit Universe Heath To start TBA David M Griffiths E Audit Universe Smith To start TBA Khan To start TBA Smith To start 18-Jan-06 Khan To start 18-Feb-06 Smith To start 24-Mar-06 Heath To start TBA Khan To start TBA Smith To start TBA Heath To start 27-Feb-06 Heath To start TBA David M Griffiths E Audit Universe To start 8/20/2005 
Patel To start
Appendix F Risk and Audit Universe L1 Level 1 process L2 Level 2 process L3 Level 3 process 1 Define organisation's objectives 1 Decide strategy 1 Define organisation's objectives 1 Decide strategy 1 Define organisation's objectives 1 Decide strategy 1 Define organisation's objectives 2 Communicate strategy 1 Define organisation's objectives 3 Deliver strategy 1 Define organisation's objectives 3 Deliver strategy 1 Define organisation's objectives 3 Deliver strategy 1 Define organisation's objectives 4 Maintain strategy 1 Define organisation's objectives 4 Maintain strategy 1 Define organisation's objectives 5 Support strategy 2 Research new business opportunities 1 Define objectives 2 Research new business opportunities 2 Research products 2 Research new business opportunities 3 Research markets David M Griffiths F Risk and audit universe 2 Research new business opportunities 4 Research customers 2 Research new business opportunities 5 Research locations 2 Research new business opportunities 6 Support research 3 Obtain, and fit out, premises 1 Define objectives 3 Obtain, and fit out, premises 2 Obtain offices 3 Obtain, and fit out, premises 3 Obtain factories 3 Obtain, and fit out, premises 4 Obtain warehousing 3 Obtain, and fit out, premises 5 Obtain retail premises 3 Obtain, and fit out, premises 6 Maintain premises 3 Obtain, and fit out, premises 7 Support obtaining premises 4 Purchase goods and services 1 Define objectives 4 Purchase goods and services 2 Purchase raw materials 4 Purchase goods and services 2 Purchase raw materials 4 Purchase goods and services 3 Purchase assets 4 Purchase goods and services 4 Purchase finished goods 4 Purchase goods and services 5 Purchase expense goods and services 4 Purchase goods and services 5 Purchase expense goods and services 4 Purchase goods and services 6 Support purchasing 5 Manufacture 1 Define objectives 5 Manufacture 2 Design
products 5 Manufacture 3 Specify manufacturing 5 Manufacture 4 Plan manufacturing 5 Manufacture 5 Manufacture David M Griffiths F Risk and audit universe 5 Manufacture 5 Manufacture 5 Manufacture 6 Support manufacturing 6 Advertise and promote 1 Define objectives for promotion 6 Advertise and promote 2 Promote in-store 6 Advertise and promote 3 Promote to customers 6 Advertise and promote 4 Advertise in papers 6 Advertise and promote 5 Advertise on TV 6 Advertise and promote 6 Support promotions 7 Store and distribute goods 1 Define objectives for supplying goods 7 Store and distribute goods 2 Store goods 7 Store and distribute goods 3 Distribute goods 7 Store and distribute goods 4 Support supply 8 Sell goods 1 Define objectives for selling goods 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores 8 Sell goods 2 Sell in stores David M Griffiths F Risk and audit universe 8 Sell goods 3 Sell to resellers 8 Sell goods 3 Sell to resellers 8 Sell goods 3 Sell to resellers 8 Sell goods 4 Sell direct 8 Sell goods 4 Sell direct 8 Sell goods 4 Sell direct 8 Sell goods 4 Sell direct 8 Sell goods 4 Sell direct 8 Sell goods 5 Support selling 9 Support the organisation in achieving its objectives 1 Define objectives for supporting the organisation 9 Support the organisation in achieving its objectives 2 Prepare management accounts 9 Support the organisation in achieving its 3 Prepare financial accounts 9 Support the organisation in achieving its 3 Prepare financial accounts 9 Support the organisation in achieving its objectives 4 Provide staff 9 Support the organisation in achieving its objectives 4 Provide staff 9 Support the organisation in achieving its objectives 4 Provide staff David M Griffiths F Risk and audit universe 9 Support the organisation in achieving its objectives 4 Provide staff 9 Support the organisation 
in achieving its objectives 5 Provide systems 9 Support the organisation in achieving its objectives 5 Provide systems 9 Support the organisation in achieving its objectives 5 Provide systems 9 Support the organisation in achieving its objectives 5 Provide systems 9 Support the organisation in achieving its objectives 5 Provide systems 9 Support the organisation in achieving its objectives 6 Process transactions 1 Process transactions - purchases 9 Support the organisation in achieving its objectives 6 Process transactions 2 Process transactions - retail sales 9 Support the organisation in achieving its objectives 6 Process transactions 3 Process transactions - wholesale sales 9 Support the organisation in achieving its objectives 6 Process transactions 4 Process transactions - direct sales 9 Support the organisation in achieving its objectives 6 Process transactions 5 Process transactions - manufacturing stock 9 Support the organisation in achieving its objectives 6 Process transactions 6 Process transactions - wholesale stock 9 Support the organisation in achieving its objectives 6 Process transactions 7 Process transactions - store stock 9 Support the organisation in achieving its objectives 6 Process transactions 8 Process transactions - payroll David M Griffiths F Risk and audit universe 9 Support the organisation in achieving its objectives 6 Process transactions 9 Process transactions - personal expenses 9 Support the organisation in achieving its objectives 6 Process transactions 10 Process transactions - fixed assets 9 Support the organisation in achieving its objectives 6 Process transactions 11 Process transactions - cash and bank 9 Support the organisation in achieving its objectives 7 Provide legal services 9 Support the organisation in achieving its objectives 8 Provide tax services 9 Support the organisation in achieving its objectives 9 Ensure quality 9 Support the organisation in achieving its objectives 10 Ensure health & safety 9 Support the 
organisation in achieving its objectives 11 Manage the environment 9 Support the organisation in achieving its objectives 12 Ensure security 9 Support the organisation in achieving its objectives 12 Ensure security 9 Support the organisation in achieving its 13 Communicate 9 Support the organisation in achieving its objectives 14 Manage risks 9 Support the organisation in achieving its objectives 15 Manage the assets 9 Support the organisation in achieving its objectives 15 Manage the assets 9 Support the organisation in achieving its objectives 16 Support the support functions David M Griffiths F Risk and audit universe David M Griffiths F Risk and audit universe Reference Business unit Process 1.1 The board Decide strategy 1.1 The board Decide strategy 1.1 The board Decide strategy 1.2 The board Communicate strategy 1.3 The board Deliver strategy 1.3 The board Deliver strategy 1.3 The board Deliver strategy 1.4 The board Maintain strategy 1.4 The board Maintain strategy 1.5 The board Support strategy 2.1 Research and development Define objectives 2.2 Research and development Research products 2.3 Marketing Research markets David M Griffiths F Risk and audit universe 2.4 Marketing Research customers 2.5 Property Research locations 2.6 Administration Support research 3.1 Property Define objectives 3.2 Property Obtain offices 3.3 Property Obtain factories 3.4 Property Obtain warehousing 3.5 Property Obtain retail premises 3.6 Facilities management Maintain premises 3.7 Administration Support obtaining premises 4.1 Purchasing Define objectives 4.2 Purchasing Purchase raw materials 4.2 Purchasing Purchase raw materials 4.3 Purchasing Purchase assets 4.4 Purchasing Purchase finished goods 4.5 Purchasing Purchase expense goods and services 4.5 Purchasing Purchase expense goods and services 4.6 Administration Support purchasing 5.1 Factory Define objectives 5.2 Factory Design products 5.3 Factory Specify manufacturing 5.4 Factory Plan manufacturing 5.5 Factory 
Manufacture David M Griffiths F Risk and audit universe 5.5 Factory Manufacture 5.6 Administration Support manufacturing 6.1 Advertising Define objectives for promotion 6.2 Advertising Promote in-store 6.3 Advertising Promote to customers 6.4 Advertising Advertise in papers 6.5 Advertising Advertise on TV 6.6 Administration Support promotions 7.1 Logistics Define objectives for supplying goods 7.2 Logistics Store goods 7.3 Logistics Distribute goods 7.4 Administration Support supply 8.1 Merchandising Define objectives for selling goods 8.2 Merchandising Sell in stores 8.2 Merchandising Sell in stores 8.2 Merchandising Sell in stores 8.2 Merchandising Sell in stores 8.2 Merchandising Sell in stores 8.2 Merchandising Sell in stores 8.2 Merchandising Sell in stores 8.2 Merchandising Sell in stores David M Griffiths F Risk and audit universe 8.3 Marketing Sell to resellers 8.3 Marketing Sell to resellers 8.3 Marketing Sell to resellers 8.4 Internet sales Sell direct 8.4 Internet sales Sell direct 8.4 Internet sales Sell direct 8.4 Internet sales Sell direct 8.4 Internet sales Sell direct 8.5 Administration Support selling 9.1 Administration Define objectives for supporting the organisation 9.2 Management accounts Prepare management accounts 9.3 Financial accounts Prepare financial accounts 9.3 Financial accounts Prepare financial accounts 9.4 Human resources Provide staff 9.4 Human resources Provide staff 9.4 Human resources Provide staff David M Griffiths F Risk and audit universe 9.4 Human resources Provide staff 9.5 Information systems Provide systems 9.5 Information systems Provide systems 9.5 Information systems Provide systems 9.5 Information systems Provide systems 9.5 Information systems Provide systems 9.6.1 Purchase accounting services Process transactions - purchases 9.6.2 Retail accounting services Process transactions - retail sales 9.6.3 Sales accounting services Process transactions - wholesale sales 9.6.4 Sales accounting services Process transactions - 
direct sales 9.6.5 Factory Process transactions - manufacturing stock 9.6.6 Logistics Process transactions - wholesale stock 9.6.7 Stock accounting services Process transactions - store stock 9.6.8 Payroll accounting services Process transactions - payroll David M Griffiths F Risk and audit universe 9.6.9 Expense accounting services Process transactions - personal expenses 9.6.10 Fixed asset accounting services Process transactions - fixed assets 9.6.11 Cashiers accounting services Process transactions - cash and bank 9.7 Company Secretary Provide legal services 9.8 Taxation Provide tax services 9.9 Quality Control Ensure quality 9.10 Health and safety Ensure health & safety 9.11 Health and safety Manage the environment 9.12 Security Ensure security 9.12 Security Ensure security 9.13 Public relations Communicate 9.14 Risk manager Manage risks 9.15 Treasury Manage the assets 9.15 Treasury Manage the assets 9.16 Administration Support the support functions David M Griffiths F Risk and audit universe David M Griffiths F Risk and audit universe Process Description Key risk to process The most senior management group (the "board") decide on the objectives of the organisation The strategy does not anticipate customer demands The most senior management group (the "board") decide on the objectives of the organisation The strategy is too risk-averse The most senior management group (the "board") decide on the objectives of the organisation The objectives within the strategy are not clearly defined, financially justified or documented The objectives are communicated to all staff in a comprehensible form Staff do not understand the objectives in relation to their own jobs An action plan is devised, at high level, which will deliver the objectives The action plan does not cover all objectives and does not consist of SMART targets addressed to senior management An action plan is devised, at high level, which will deliver the objectives The organisation has not got the resources 
to deliver the strategy An action plan is devised, at high level, which will deliver the objectives Major projects intended to deliver the strategy are late and/or over budget The strategy is regularly updated to take account of changing business conditions All staff, including the Board, fail to maintain high ethical standards, which undermine the controls necessary to achieve the organisation's objectives, including that of ensuring compliance with laws and standards The strategy is regularly updated to take account of changing business conditions Internal and external influences are not monitored to assess their impact on the strategy Resources are made available to carry out the above processes The resources required are not understood or are not sufficient to deliver the strategy The objectives of the research processes are defined The objectives will not deliver the organisation's objectives effectively and efficiently Research the products, to be manufactured or purchased, which will achieve the organisation's objectives The research does not identify the most effective products for achieving the objectives Research the market segments which will achieve the organisation's objectives The research does not identify the most effective market segments for achieving the objectives David M Griffiths F Risk and audit universe Research the customer profile which will achieve the organisation's objectives The research does not identify the most effective customer segments for achieving the objectives Research the locations, in-country and abroad, which will achieve the organisation's objectives The research does not identify the most effective locations for achieving the objectives Resources are made available to carry out the above processes The resources required are not understood or are not sufficient to deliver the strategy The objectives of the processes for obtaining premises are defined The objectives will not deliver the organisation's objectives 
effectively and efficiently Decide on the best locations for offices to house the support staff The locations are not cost-effective, have insufficient staff in the vicinity and have poor communications Decide on the best locations for factories to manufacture products The environment is not suitable for a factory, insufficient trained labour is available, property costs are too high Decide on the best location for premises to store goods The buildings are not suitable for storing products, costs are too high and labour is not available Decide on the best location for shops The locations are not cost-effective, have insufficient staff in the vicinity and are not near our target customers Premises are maintained to ensure safety, effectiveness and efficiency at all times Poor maintenance results in injury to staff or customers Resources are made available to carry out the above processes The resources required are not understood or are not sufficient to deliver the strategy The objectives of the processes for purchasing are defined The objectives will not deliver the organisation's objectives effectively and efficiently Purchase items to manufacture goods The purchased items are unsuitable, too expensive or delivered late Purchase items to manufacture goods A major supplier of a vital raw material, not obtainable elsewhere, is not able to deliver Purchase fixed assets Assets are not required, not suitable or too expensive Purchase goods for resale Goods are not suitable, too expensive or delivered late Purchase goods and services for the organisation Goods or services are not suitable, too expensive or delivered late Purchase utilities for the organisation Minimum prices for utilities are not negotiated Resources are made available to carry out the above processes The resources required are not understood or are not sufficient to deliver the strategy The objectives of the processes for manufacturing are defined The objectives will not deliver the organisation's
objectives effectively and efficiently Products to be manufactured are designed There is no market for the product. The product is too expensive to produce Specify how the products are to be manufactured The method of manufacturing specified is inefficient Plan the manufacturing schedule The schedule produces the wrong goods at the wrong time Make the goods The goods are made inefficiently David M Griffiths F Risk and audit universe Make the goods New environmental legislation makes manufacturing process uneconomic Resources are made available to carry out the above processes The resources required are not understood or are not sufficient to deliver the strategy The objectives of the processes for promoting sales are defined The objectives will not deliver the organisation's objectives effectively and efficiently Promote goods in the retail stores through various offers Promotions do not make a profit Promote goods to resellers using offers Promotions do not make a profit Advertise goods in newspapers and magazines Promotions do not make a profit Advertise on television Promotions do not make a profit Resources are made available to carry out the above processes The resources required are not understood or are not sufficient to deliver the strategy The objectives of the processes for supplying goods are defined The objectives will not deliver the organisation's objectives effectively and efficiently Store goods in warehouses at stages of the supply chain Goods are damaged, or lost Distribute goods between factories, warehouses, stores and customers A strike of fuel suppliers brings transport in the UK to a stop Resources are made available to carry out the above processes The resources required are not understood or are not sufficient to deliver the strategy The objectives of the processes for selling are defined The objectives will not deliver the organisation's objectives effectively and efficiently Sell goods in stores operated by the organisation, or franchised 
Fail to stock goods which the customers want to buy Sell goods in stores operated by the organisation, or franchised Fail to anticipate the competition's initiatives to take a bigger market share Sell goods in stores operated by the organisation, or franchised Prices are not competitive Sell goods in stores operated by the organisation, or franchised Store layout confuses customers Sell goods in stores operated by the organisation, or franchised Prices are incorrect Sell goods in stores operated by the organisation, or franchised No stock for customers to buy Sell goods in stores operated by the organisation, or franchised Higher minimum wage legislation makes some stores unprofitable Sell goods in stores operated by the organisation, or franchised Poor service/quality of goods leading to customer complaints Sell goods to customers who will resell them A major customer goes bankrupt Sell goods to customers who will resell them No stock for customers to buy Sell goods to customers who will resell them Poor service/quality of goods leading to customer complaints Sell direct to the public. For example, through the internet Poor service/quality of goods leading to customer complaints Sell direct to the public. For example, through the internet Fraudulent credit cards used Sell direct to the public. For example, through the internet No stock for customers to buy Sell direct to the public. For example, through the internet Internet sites unavailable Sell direct to the public.
For example, through the internet Goods are lost Resources are made available to carry out the above processes The resources required are not understood or are not sufficient to deliver the strategy The objectives of the processes for supporting the organisation are defined The objectives will not deliver the organisation's objectives effectively and efficiently Collect the data from processed transactions into accounts for management to make decisions Management accounts do not provide timely information on which to make decisions Collect the data from processed transactions into accounts for statutory or tax purposes Financial accounts are issued which do not comply with UK law Collect the data from processed transactions into accounts for statutory or tax purposes The organisation is not prepared for the International Accounting Standards (IAS) Recruit staff and manage staff policies High-calibre staff are not recruited and retained Recruit staff and manage staff policies Properly qualified staff are not available to take vacancies Recruit staff and manage staff policies Staff are not properly trained Recruit staff and manage staff policies Staff successfully claim unfair dismissal Provide systems, including computer systems to support the organisation's operations A virus brings down all computer systems for a week Provide systems, including computer systems to support the organisation's operations Data is lost Provide systems, including computer systems to support the organisation's operations Data or programs are corrupted Provide systems, including computer systems to support the organisation's operations Major hardware failure Provide systems, including computer systems to support the organisation's operations Major network failure Receive invoices, obtain approval for payment, pay for goods and services Payment is made where the organisation has not received the goods or services at the price and quality ordered
Receive cash and cash equivalents at the till, bank them and check all money is received Cash taken at the till is not banked Carry out credit checks before goods are despatched, issue invoices and receive payment for goods Goods are sold to customers who cannot pay for them Process the credit card payments before authorising despatch of the goods Fail to pass transaction details to the credit card company Receive goods against the order, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock Stock is incorrectly valued Receive goods from the factory, or supplier, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock Stock is incorrectly valued Receive goods from the warehouse, update store stock records, sell the goods to customers, manage stock levels, minimise stock losses, account for stock Stock is incorrectly valued Receive details of employees, their salary and working hours. Calculate pay based on these, less deductions. Pay over deductions Receive incorrect data from stores on hours worked and new employees Personal expenses (for travelling) are claimed, authorised and paid Expenses were not incurred Receive invoice details. Decide on whether to capitalise costs. Add assets to register. Attach depreciation data and calculate. Revenue expenditure capitalised, or capital expenditure put to revenue Receive cash transaction data for purchases, sales, payroll, personal expenses and other transactions. Reconcile these to transactions passing through the bank account.
Follow-up differences Differences not cleared Advise all areas of the company concerning action to be taken on legislation The impact of legislation is not anticipated which results in considerable costs Advise all areas of the company concerning action to be taken on tax legislation Schemes to minimise tax are not used Ensure all goods sold meet the quality standards set by legislation and the organisation Poor quality goods harm the organisation's reputation Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers A failure in H & S occurs which results in bad publicity and law suits Ensure the operations of the organisation obey all environmental laws and good practice An environmental disaster occurs at one of the organisation's premises The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation Confidential information is stolen The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation Offices are destroyed by fire Inform internal and external stakeholders of the organisation's policies and intentions The London Stock Exchange is given information which cannot be substantiated Identify, evaluate and manage risks down to the level considered acceptable by the organisation The external and internal risks threatening the objectives, and related processes, of the organisation are not understood or mitigated Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives Financial contracts are set up which open the company to significant losses Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives Working capital is not optimised Resources are made available to carry out the above
processes The resources required are not understood or are not sufficient to deliver the strategy David M Griffiths F Risk and audit universe David M Griffiths F Risk and audit universe Risk Source Process owner Cons Like Score Response Managing Director 5 5 25 Managing Director 5 5 25 Managing Director 5 5 25 Managing Director 5 5 25 Managing Director 5 5 25 Managing Director 5 5 25 Managing Director 5 5 25 Managing Director 5 5 25 Managing Director 5 5 25 5 5 25 0 0 0 Inherent risks David M Griffiths F Risk and audit universe 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 David M Griffiths F Risk and audit universe 0 0 0 0 0 0 0 0 0 0 0 0 Board risk workshop Merchandise Director 5 5 25 treat Board risk workshop Merchandise Director 5 5 25 treat Board risk workshop Merchandise Director 5 5 25 treat Board risk workshop Merchandise Director 5 5 25 treat Board risk workshop Merchandise Director 4 4 16 treat Board risk workshop Merchandise Director 4 5 20 treat Board risk workshop Merchandise Director 5 5 25 treat Board risk workshop Merchandise Director 5 5 25 treat Board risk workshop Merchandise Director 5 5 25 treat David M Griffiths F Risk and audit universe Board risk workshop Marketing Director 4 4 16 transfer with insurance Board risk workshop Marketing Director 5 5 25 treat Board risk workshop Marketing Director 5 5 25 treat Board risk workshop Merchandise Director 4 5 20 treat Finance Director interview Merchandise Director 4 5 20 treat Logistics Director interview Merchandise Director 4 5 20 treat Board risk workshop Merchandise Director 4 5 20 tolerate Board risk workshop Merchandise Director 4 5 20 tolerate Board risk workshop Merchandise Director 5 5 25 treat 0 0 0 0 0 0 0 David M Griffiths F Risk and audit universe 0 0 0 0 0 0 0 0 0 0 0 0 0 0 David M Griffiths F Risk and audit universe 0 0 0 0 0 0 0 0 0 0 0 0 0 0 David M Griffiths F Risk and audit universe David M Griffiths F Risk and audit universe Control (examples) Monitoring (examples) The board 
received a quarterly report from outside consultants which forecasts likely trends in customer demand for the next year The role of the non-executive directors is defined to ensure they challenge board strategy to ensure it is robust The quarterly meeting with consultants considers all possible strategy options which are analysed objectively to ensure all are properly considered The role of the non-executive directors is defined to ensure they challenge board strategy to ensure it is robust The strategy is written and published on the intranet. All elements are financially justified and subject to risk modelling The role of the non-executive directors is defined to ensure they challenge board strategy to ensure it is robust The Company Secretary is charged with ensuring all non-sensitive information relating to company objectives and strategy is published on the intranet A staff council exists to feed back concerns on communication to the board Overall targets for sales and profits are set by the board in the annual budget. As part of the budget package the Merchandise Director outlines the action to be taken to achieve the targets. See also strategy controls Monthly reports of sales and profits are presented to the Board, with an explanation of variances Regular visits by Merchandising Director and staff to markets which anticipate ours e.g. the US. Attendance at trade shows. Focus Groups Quarterly presentation to Board by Merchandising Director on market trends All competitors' advertising campaigns are monitored, with a weekly report to the Merchandising Director. None Competitors' prices are monitored every week, with reports going to appropriate Heads of Merchandise Departments None None None Retail prices are input by an assistant buyer and checked by a supervisor.
Prices are downloaded onto the EPOS system overnight
A gross profit exception report is generated for any changes to GP >5%. This should pick up any incorrect input of retail prices. The report is signed off by a buyer.
Each store has automatic replenishment, based on sales and PI counts in store
Computer report to buyer reports zero stocks in stores
Monthly profitability report of each store, checked by stores accountant
None
All customer complaints logged on a database. Monthly report to the Merchandise Managers, with comments on action being taken
Copy of report sent to Merchandising Director and summaries are put on the intranet
Credit control procedures prevent orders being sent to customers who pay late. Overseas debts are insured.
Head of Accounting Services examines Aged Trial Balance each month and follows up overdue debts
Computer report produced which estimates stock holding and orders necessary to ensure 3 weeks stock holding. Report checked by Senior Buyer
Head of Production also receives report and ensures orders have been received where necessary.
All customer complaints logged on a database. Monthly report to the Merchandise Managers, with comments on action being taken
Copy of report sent to Marketing Director and summaries are put on the intranet
All customer complaints logged on a database. Monthly report to the Merchandise Managers, with comments on action being taken
Copy of report sent to Merchandising Director and summaries are put on the intranet
Credit card details checked to external database of fraudulent cards
Report of fraudulent transactions sent to Head of Security.
Computer report produced which estimates stock holding and orders necessary to ensure 3 weeks stock holding.
Report checked by Senior Buyer
Computer report to buyer reports zero stocks in warehouse
An external internet provider is used who has back-up computers available in the event of hardware and comms failure
Service agreement with provider commits to 99% availability or compensation
Reputable carrier used. Value of goods is relatively low and missing goods are replaced without question
Report of lost goods sent to Head of Security.
Various reports (Out of stock, late deliveries) will indicate if insufficient staff are available
Failure to achieve targets may indicate shortage of staff
Residual risks
Potential issue Cons Like Score Control score Audit action
5 1 5 20
5 1 5 20
5 1 5 20
4 1 4 21
5 2 10 15
5 2 10 15
5 2 10 15
5 2 10 15
5 2 10 15
5 2 10 15
5 1 5 20 audit
5 1 5 20 audit
No checks to ensure reports are issued and acted upon 5 3 15 10 consultancy
No checks to ensure reports are issued and acted upon 5 2 10 15 consultancy
No customer groups to report on their opinions of store layouts 4 4 16 0 consultancy
4 1 4 16 audit
5 1 5 20 audit
Stores accountant is not required to report exceptions to senior management 5 4 20 5 consultancy
5 1 5 20 audit
4 1 4 12 audit insurance cover
5 1 5 20 audit
5 1 5 20 audit
5 1 5 15 audit
4 1 4 16 audit
4 1 4 16 audit
4 1 4 16 check contingency plans
4 1 4 16 audit
There is no succession plan, or any attempt to anticipate staff required in the future 5 3 15 10 consultancy
If the audit budget shows only days for the audits due next year, then this calculation will show if the resources available are sufficient to complete all of the audits.
Last audit details
Audit Group Last audit number Last audit name Last audit Budget Last audit actual Last timing Last auditor Last final report Target
A Organisation's strategy
A Organisation's strategy
A Organisation's strategy
A Organisation's strategy
B Delivery of strategy
B Delivery of strategy
C (Projects are individually audited)
D 203 Ethical guidelines 20 23 2003 Smith 6/23/2003
E Monitoring of external influences (Carried out within the above audits)
F Research strategy
G Product research
G Market research
H Market research
I Geographic research
J Research resource planning
K 210 Location strategy 50 45 2004 Murphy 10/28/2004
L Locating offices
M Locating factories
N Locating warehouses
O Locating shops
CE Maintenance of premises
P Location resource planning
Q Purchasing strategy
R Purchasing for manufacture
R Purchasing for manufacture
S Purchase of assets
T Purchase of goods for resale
U Purchase of expense goods and services
U Purchase of expense goods and services
V Purchase resource planning
X Manufacturing strategy
Y Product design
Z Manufacturing specification
AA Scheduling manufacture
AB Production accounting
AC Environmental audit
AD Manufacturing resource planning
AE Selling strategy
AF Retail promotions
AG Wholesale promotions
BD Newspaper advertising
AH TV advertising
AI Promotions resource planning
AJ Supply strategy
AK Warehouse operations
AL Distribution
AM Supply resource planning
AN Selling strategy
AO Market anticipation
AO Market anticipation
CE Pricing policy
AP Store planning
AQ Price file maintenance
AR 143 Stock control 20 22 Sep-06 Smith 1-Oct-04
AS Store accounts
CF Complaints procedures
AT Accounts receivable
AR Stock control
CF Complaints procedures
CF Complaints procedures
AU 130 Internet sales 15 14 Mar-05 Heath 5-Apr-05
AR Stock control
AU Internet sales
AU Internet sales See above
AV Selling resource planning
AW Support strategy
AX Management accounting
AY Financial accounting
Project audit Project - IAS
AZ Recruitment
BA Succession planning
BB Staff training
BC Staff policies
BE Virus checking
BF Back-up procedures
BG Access controls
BH IS contingency plans - hardware
BI IS contingency plans - communications
BJ Accounts Payable
BK Retail cash takings
AT Accounts receivable See above
AU Internet sales See above
BL Manufacturing stock
BM Wholesale stock
BN Retail stock
BO Payroll
BP Personal expenses
BQ Fixed assets
BR Bank and cash
BS Provision of legal services
BT Provision of tax services
BU Quality control
BV Health and safety
BW Environmental
BX Site security
BY Contingency planning
BZ Communications
CA Risk management
CB Treasury
CC Working capital
CD Support resource planning
Last audit details / Next audit details
Final report achieved Last result Audit plan date Next audit number Next audit name Next audit budget Next timing
Organisation's strategy
Organisation's strategy
Organisation's strategy
Organisation's strategy
Delivery of strategy
Delivery of strategy
(Projects are individually audited)
6/28/2003 acceptable 2006 250 Ethical guidelines Q1 2005
Monitoring of external influences (Carried out within the above audits)
Research strategy
Product research
Market research
Market research
Geographic research
Research resource planning
10/28/2004 unacceptable 253 Location strategy Jones
Locating offices
Locating factories
Locating warehouses
Locating shops
Maintenance of premises
Location resource planning
Purchasing strategy
Purchasing for manufacture
Purchasing for manufacture
Purchase of assets
Purchase of goods for resale
Purchase of expense goods and services
Purchase of expense goods and services
Purchase resource planning
Manufacturing strategy
Product design
Manufacturing specification
Scheduling manufacture
Production accounting
Environmental audit
Manufacturing resource planning
Selling strategy
Retail promotions
Wholesale promotions
Newspaper advertising
TV advertising
Promotions resource planning
Supply strategy
Warehouse operations
Distribution
Supply resource planning
200 Selling strategy 10 Jan-06
201 Market anticipation 20 Jan-06
201 Market anticipation (see above)
202 Pricing policy 20 Feb-06
203 Store planning 15 Mar-06
204 Price file maintenance 20 Apr-06
3-Oct-04 Acceptable 2006 205 Stock control 22 Sep-06
206 Store accounts 10 Jun-06
207 Complaints procedures 30 Jul-06
Accounts receivable 10 Aug-06
Stock control 20 Oct-06
207 Complaints procedures (see above)
207 Complaints procedures (see above)
5-Apr-05 Issues 2006 201 Internet sales 14 Oct-06
Stock control
Internet sales
Internet sales
Selling resource planning
Support strategy
Management accounting
Financial accounting
Project - IAS
Recruitment
Succession planning
Staff training
Staff policies
Virus checking
Back-up procedures
Access controls
IS contingency plans - hardware
IS contingency plans - communications
Accounts Payable
Retail cash takings
Accounts receivable
Internet sales
Manufacturing stock
Wholesale stock
Retail stock
Payroll
Personal expenses
Fixed assets
Bank and cash
Provision of legal services
Provision of tax services
Quality control
Health and safety
Environmental
Site security
Contingency planning
Communications
Risk management
Treasury
Working capital
Support resource planning

TOTAL 191
Available auditors 3
Weekdays (auditors*52*5) 780
Holidays 75
Training 15
Projects 100
Secondments 100
Total available for above audits 490
Surplus/deficit 299
If the audit budget shows only days for the audits due next year, then this calculation will show if the

Next audit details
Next auditor Status Next final report Target Next final report Achieved 2006 opinion on risk
Patel To start
To start 8/20/2005
Smith To start 18-Jan-06
Khan To start 18-Feb-06
Heath To start 27-Feb-06
Smith To start 24-Mar-06
Heath To start TBA
Khan To start TBA
Smith To start TBA
Heath To start TBA
Khan To start TBA
Smith To start TBA
Heath To start TBA

Appendix G Risk and Audit Universe - details of columns
L1: Level 1 risk number. Corresponds to the Risk database
Level 1 process: Name of process
L2: Level 2 risk number. Corresponds to the Risk database
Level 2 process: Name of process
L3: Level 3 risk number
Level 3 process: Name of process
Reference: Unique reference number for the process
Process: Title of the process
Process Description: A brief description of what the process does. Any more details should be filed in the audit file
Risk: The threat to the process. There may be several risks to one process, or one risk may threaten several processes
Risk source: Who identified the risk (management, risk workshop, auditor, meeting)
Process owner: Job title of the person responsible for ensuring the risk is controlled and therefore for the monitoring controls
IRC: Inherent risk consequence score
IRL: Inherent risk likelihood score
IRS: Inherent risk scores multiplied (Inherent Risk Significance score)
Response: Tolerate, Terminate, Transfer, Treat
Control: Direct response to the risk
Monitoring control: Management's response to ensure the control is operating properly
Potential issue: Identifies a possible issue where the controls do not seem sufficient. Occurs if residual score > 8
RRC: Residual risk consequence score
RRL: Residual risk likelihood score
RRS: Residual risk scores multiplied
Audit action: Audit; no audit (risk below risk appetite); assurance available from last audit; consultancy (residual risk above risk appetite); not covered due to lack of resources, etc.
Audit Group: Letter(s) given in order to group several risks into one audit (if necessary). They will not necessarily be in order, as new risks, with associated audits, will be added and some may be removed
Control score: Inherent Risk Significance minus Residual Risk Significance scores
Last audit
Last audit number: Unique number given to each audit. This is the number of the last audit to cover this risk
Audit name: Name given to the audit
Last audit Budget: Approximate number of auditor-days the audit should take. This aids resource planning
Last audit actual: Number of days the last audit actually required
Last timing: Months/year of last audit
Last auditor: Names of principal auditors
Last final report Target: Target date for producing report (from scope)
Final report achieved: Date actually achieved for issuing final report
Last result: Conclusion of last audit (acceptable/issues/unacceptable)
Current/Next audit
Audit plan date: The date of the audit plan which includes the next audit (for example 2006/7)
Next audit number: Unique number given to each audit. This is the number of the next audit to cover this risk - if it has been allocated
Next audit name: Audit name. Will usually be the same as for the last audit, but could be different if this risk has been included in another audit
Next audit Budget: Approximate number of auditor-days the audit should take - based on last audit's actual time. This aids resource planning
Next timing: Expected quarter/year of next audit - if it can be allocated
Next auditor: Name(s) of auditors - if allocated
Status: Status of audit (Planning/fieldwork/reporting) when it is in progress
Next final report target: Target date for producing report (from scope)
Next final report Achieved: Actual date the final report was issued
2006 opinion on risk: The opinion as to whether the risk was being properly managed
(When the final report from "next audit", its details are moved into the "last audit" columns

Appendix H Audit plan (sorted by next audit number)
L1 Level 1 process L2 Level 2 process L3 Level 3 process
8 Sell goods 2 Sell in stores
8 Sell goods 4 Sell direct
8 Sell goods 2 Sell in stores
8 Sell goods 4 Sell direct
1 Define organisation's objectives 4 Maintain strategy
3 Obtain, and fit out, premises 1 Define objectives
8 Sell goods 1 Define objectives for selling goods
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 3 Sell to resellers
1 Define organisation's objectives 1 Decide strategy
David M Griffiths H Audit plan
1 Define organisation's objectives 1 Decide strategy
1 Define organisation's objectives 1 Decide strategy
1 Define organisation's objectives 2 Communicate strategy
1 Define
organisation's objectives 3 Deliver strategy
1 Define organisation's objectives 3 Deliver strategy
1 Define organisation's objectives 3 Deliver strategy
1 Define organisation's objectives 4 Maintain strategy
1 Define organisation's objectives 5 Support strategy
2 Research new business opportunities 1 Define objectives
2 Research new business opportunities 2 Research products
2 Research new business opportunities 3 Research markets
2 Research new business opportunities 4 Research customers
2 Research new business opportunities 5 Research locations
2 Research new business opportunities 6 Support research
3 Obtain, and fit out, premises 2 Obtain offices
3 Obtain, and fit out, premises 3 Obtain factories
3 Obtain, and fit out, premises 4 Obtain warehousing
3 Obtain, and fit out, premises 5 Obtain retail premises
3 Obtain, and fit out, premises 6 Maintain premises
3 Obtain, and fit out, premises 7 Support obtaining premises
4 Purchase goods and services 1 Define objectives
4 Purchase goods and services 2 Purchase raw materials
4 Purchase goods and services 2 Purchase raw materials
4 Purchase goods and services 3 Purchase assets
4 Purchase goods and services 4 Purchase finished goods
4 Purchase goods and services 5 Purchase expense goods and services
4 Purchase goods and services 5 Purchase expense goods and services
4 Purchase goods and services 6 Support purchasing
5 Manufacture 1 Define objectives
5 Manufacture 2 Design products
5 Manufacture 3 Specify manufacturing
5 Manufacture 4 Plan manufacturing
5 Manufacture 5 Manufacture
5 Manufacture 5 Manufacture
5 Manufacture 6 Support manufacturing
6 Advertise and promote 1 Define objectives for promotion
6 Advertise and promote 2 Promote in-store
6 Advertise and promote 3 Promote to customers
6 Advertise and promote 4 Advertise in papers
6 Advertise and promote 5 Advertise on TV
6 Advertise and promote 6 Support promotions
7 Store and distribute goods 1 Define objectives for supplying goods
7 Store and distribute goods 2 Store goods
7 Store and distribute goods 3 Distribute goods
7 Store and distribute goods 4 Support supply
8 Sell goods 3 Sell to resellers
8 Sell goods 3 Sell to resellers
8 Sell goods 4 Sell direct
8 Sell goods 4 Sell direct
8 Sell goods 4 Sell direct
8 Sell goods 5 Support selling
9 Support the organisation in achieving its objectives 1 Define objectives for supporting the organisation
9 Support the organisation in achieving its objectives 2 Prepare management accounts
9 Support the organisation in achieving its objectives 3 Prepare financial accounts
9 Support the organisation in achieving its objectives 3 Prepare financial accounts
9 Support the organisation in achieving its objectives 4 Provide staff
9 Support the organisation in achieving its objectives 4 Provide staff
9 Support the organisation in achieving its objectives 4 Provide staff
9 Support the organisation in achieving its objectives 4 Provide staff
9 Support the organisation in achieving its objectives 5 Provide systems
9 Support the organisation in achieving its objectives 5 Provide systems
9 Support the organisation in achieving its objectives 5 Provide systems
9 Support the organisation in achieving its objectives 5 Provide systems
9 Support the organisation in achieving its objectives 5 Provide systems
9 Support the organisation in achieving its objectives 6 Process transactions 1 Process transactions - purchases
9 Support the organisation in achieving its objectives 6 Process transactions 2 Process transactions - retail sales
9 Support the organisation in achieving its objectives 6 Process transactions 3 Process transactions - wholesale sales
9 Support the organisation in achieving its objectives 6 Process transactions 4 Process transactions - direct sales
9 Support the organisation in achieving its objectives 6 Process transactions 5 Process transactions - manufacturing stock
9 Support the organisation in achieving its objectives 6 Process transactions 6 Process transactions - wholesale stock
9 Support the organisation in achieving its objectives 6 Process transactions 7 Process transactions - store stock
9 Support the organisation in achieving its objectives 6 Process transactions 8 Process transactions - payroll
9 Support the organisation in achieving its objectives 6 Process transactions 9 Process transactions - personal expenses
9 Support the organisation in achieving its objectives 6 Process transactions 10 Process transactions - fixed assets
9 Support the organisation in achieving its objectives 6 Process transactions 11 Process transactions - cash and bank
9 Support the organisation in achieving its objectives 7 Provide legal services
9 Support the organisation in achieving its objectives 8 Provide tax services
9 Support the organisation in achieving its objectives 9 Ensure quality
9 Support the organisation in achieving its objectives 10 Ensure health & safety
9 Support the organisation in achieving its objectives 11 Manage the environment
9 Support the organisation in achieving its objectives 12 Ensure security
9 Support the organisation in achieving its objectives 12 Ensure security
9 Support the organisation in achieving its objectives 13 Communicate
9 Support the organisation in achieving its objectives 14 Manage risks
9 Support the organisation in achieving its objectives 15 Manage the assets
9 Support the organisation in achieving its objectives 15 Manage the assets
9 Support the organisation in achieving its objectives 16 Support the support functions

Reference Business unit Process Process Description
8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
8.4 Internet sales Sell direct Sell direct to the public.
For example, through the internet
8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
8.4 Internet sales Sell direct Sell direct to the public. For example, through the internet
1.4 The board Maintain strategy The strategy is regularly updated to take account of changing business conditions
3.1 Property Define objectives The objectives of the processes for obtaining premises are defined
8.1 Merchandising Define objectives for selling goods The objectives of the processes for selling are defined
8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
8.2 Merchandising Sell in stores Sell goods in stores operated by the organisation, or franchised
8.3 Marketing Sell to resellers Sell goods to customers who will resell them
1.1 The board Decide strategy The most senior management group (the "board") decide on the objectives of the organisation
1.1 The board Decide strategy The most senior management group (the "board") decide on the objectives of the organisation
1.1 The board Decide strategy The most senior management group (the "board") decide on the objectives of the organisation
1.2 The board Communicate strategy The objectives are communicated to all staff in a comprehensible form
1.3 The board Deliver strategy An action plan is devised, at high level, which will deliver the objectives
1.3 The board Deliver strategy An action plan is devised, at high level, which will deliver the objectives
1.3 The board Deliver strategy An action plan is devised, at high level, which will deliver the objectives
1.4 The board Maintain strategy The strategy is regularly updated to take account of changing business conditions
1.5 The board Support strategy Resources are made available to carry out the above processes
2.1 Research and development Define objectives The objectives of the research processes are defined
2.2 Research and development Research products Research the products, to be manufactured or purchased, which will achieve the organisation's objectives
2.3 Marketing Research markets Research the market segments which will achieve the organisation's objectives
2.4 Marketing Research customers Research the customer profile which will achieve the organisation's objectives
2.5 Property Research locations Research the locations, in-country and abroad, which will achieve the organisation's objectives
2.6 Administration Support research Resources are made available to carry out the above processes
3.2 Property Obtain offices Decide on the best locations for offices to house the support staff
3.3 Property Obtain factories Decide on the best locations for factories to manufacture products
3.4 Property Obtain warehousing Decide on the best location for premises to store goods
3.5 Property Obtain retail premises Decide on the best location for shops
3.6 Facilities management Maintain premises Premises are maintained to ensure safety, effectiveness and efficiency at all times
3.7 Administration Support obtaining premises Resources are made available to carry out the above processes
4.1 Purchasing Define objectives The objectives of the processes for purchasing are defined
4.2 Purchasing Purchase raw materials Purchase items to manufacture goods
4.2 Purchasing Purchase raw materials Purchase items to manufacture goods
4.3 Purchasing Purchase assets Purchase fixed assets
4.4 Purchasing Purchase finished goods Purchase goods for resale
4.5 Purchasing Purchase expense goods and services Purchase goods and services for the organisation
4.5 Purchasing Purchase expense goods and services Purchase utilities for the organisation
4.6 Administration Support purchasing Resources are made available to carry out the above processes
5.1 Factory Define objectives The objectives of the processes for manufacturing are defined
5.2 Factory Design products Products to be manufactured are designed
5.3 Factory Specify manufacturing Specify how the products are to be manufactured
5.4 Factory Plan manufacturing Plan the manufacturing schedule
5.5 Factory Manufacture Make the goods
5.5 Factory Manufacture Make the goods
5.6 Administration Support manufacturing Resources are made available to carry out the above processes
6.1 Advertising Define objectives for promotion The objectives of the processes for promoting sales are defined
6.2 Advertising Promote in-store Promote goods in the retail stores through various offers
6.3 Advertising Promote to customers Promote goods to resellers using offers
6.4 Advertising Advertise in papers Advertise goods in newspapers and magazines
6.5 Advertising Advertise on TV Advertise on television
6.6 Administration Support promotions Resources are made available to carry out the above processes
7.1 Logistics Define objectives for supplying goods The objectives of the processes for supplying goods are defined
7.2 Logistics Store goods Store goods in warehouses at stages of the supply chain
7.3 Logistics Distribute goods Distribute goods between factories, warehouses, stores and customers
7.4 Administration Support supply Resources are made available to carry out the above processes
8.3 Marketing Sell to resellers Sell goods to customers who will resell them
8.3 Marketing Sell to resellers Sell goods to customers who will resell them
8.4 Internet sales Sell direct Sell direct to the public. For example, through the internet
8.4 Internet sales Sell direct Sell direct to the public.
For example, through the internet
8.4 Internet sales Sell direct Sell direct to the public. For example, through the internet
8.5 Administration Support selling Resources are made available to carry out the above processes
9.1 Administration Define objectives for supporting the organisation The objectives of the processes for supporting the organisation are defined
9.2 Management accounts Prepare management accounts Collect the data from processed transactions into accounts for management to make decisions
9.3 Financial accounts Prepare financial accounts Collect the data from processed transactions into accounts for statutory or tax purposes
9.3 Financial accounts Prepare financial accounts Collect the data from processed transactions into accounts for statutory or tax purposes
9.4 Human resources Provide staff Recruit staff and manage staff policies
9.4 Human resources Provide staff Recruit staff and manage staff policies
9.4 Human resources Provide staff Recruit staff and manage staff policies
9.4 Human resources Provide staff Recruit staff and manage staff policies
9.5 Information systems Provide systems Provide systems, including computer systems to support the organisation's operations
9.5 Information systems Provide systems Provide systems, including computer systems to support the organisation's operations
9.5 Information systems Provide systems Provide systems, including computer systems to support the organisation's operations
9.5 Information systems Provide systems Provide systems, including computer systems to support the organisation's operations
9.5 Information systems Provide systems Provide systems, including computer systems to support the organisation's operations
9.6.1 Purchase accounting services Process transactions - purchases Receive invoices, obtain approval for payment, pay for goods and services
9.6.2 Retail accounting services Process transactions - retail sales Receive cash and cash equivalents at the till, bank them and check all money is received
9.6.3 Sales accounting services Process transactions - wholesale sales Carry out credit checks before goods are despatched, issue invoices and receive payment for goods
9.6.4 Sales accounting services Process transactions - direct sales Process the credit card payments before authorising despatch of the goods
9.6.5 Factory Process transactions - manufacturing stock Receive goods against the order, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock
9.6.6 Logistics Process transactions - wholesale stock Receive goods from the factory, or supplier, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock
9.6.7 Stock accounting services Process transactions - store stock Receive goods from the warehouse, update store stock records, sell the goods to customers, manage stock levels, minimise stock losses, account for stock
9.6.8 Payroll accounting services Process transactions - payroll Receive details of employees, their salary and working hours. Calculate pay based on these, less deductions. Pay over deductions
9.6.9 Expense accounting services Process transactions - personal expenses Personal expenses (for travelling) are claimed, authorised and paid
9.6.10 Fixed asset accounting services Process transactions - fixed assets Receive invoice details. Decide on whether to capitalise costs. Add assets to register. Attach depreciation data and calculate.
9.6.11 Cashiers accounting services Process transactions - cash and bank Receive cash transaction data for purchases, sales, payroll, personal expenses and other transactions. Reconcile these to transactions
9.7 Company Secretary Provide legal services Advise all areas of the company concerning action to be taken on legislation
9.8 Taxation Provide tax services Advise all areas of the company concerning action to be taken on tax legislation
9.9 Quality Control Ensure quality Ensure all goods sold meet the quality standards set by legislation and the organisation
9.10 Health and safety Ensure health & safety Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers
9.11 Health and safety Manage the environment Ensure the operations of the organisation obey all environmental laws and good practice
9.12 Security Ensure security The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation
9.12 Security Ensure security The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation
9.13 Public relations Communicate Inform internal and external stakeholders of the organisation's policies and intentions
9.14 Risk manager Manage risks Identify, evaluate and manage risks down to the level considered acceptable by the organisation
9.15 Treasury Manage the assets Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives
9.15 Treasury Manage the assets Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives
9.16 Administration Support the support functions Resources are made available to carry out the above processes

Key risk to process Risk Source Process owner Cons Like
Fail to stock goods which the customers want to buy Board risk workshop Merchandise Director 5 5
Fraudulent credit
cards used Finance Director interview Merchandise Director 4 5 Fail to anticipate the competition's initiatives to take a bigger market share Board risk workshop Merchandise Director 5 5 Poor service/quality of goods leading to customer complaints Board risk workshop Merchandise Director 4 5 All staff, including the Board, fail to maintain high ethical standards, which undermine the controls necessary to achieve the organisation's objectives, including that of ensuring compliance with laws and standards Managing Director 5 5 The objectives will not deliver the organisation's objectives effectively and efficiently The objectives will not deliver the organisation's objectives effectively and efficiently Board risk workshop Merchandise Director 5 5 Prices are not competitive Board risk workshop Merchandise Director 5 5 Store layout confuses customers Board risk workshop Merchandise Director 4 4 Prices are incorrect Board risk workshop Merchandise Director 4 5 No stock for customers to buy Board risk workshop Merchandise Director 5 5 Higher minimum wage legislation makes some stores unprofitable Board risk workshop Merchandise Director 5 5 Poor service/quality of goods leading to customer complaints Board risk workshop Merchandise Director 5 5 Poor service/quality of goods leading to customer complaints Board risk workshop Marketing Director 5 5 The strategy does not anticipate customer demands Managing Director 5 5 Inherent risks The strategy is too risk-averse Managing Director 5 5 The objectives within the strategy are not clearly defined, financially justified or documented Managing Director 5 5 Staff do not understand the objectives in relation to their own jobs Managing Director 5 5 The action plan does not cover all objectives and does not consist of SMART targets addressed to senior management Managing Director 5 5 The organisation has not got the resources to deliver the strategy Managing Director 5 5 Major projects intended to
deliver the strategy are late and/or over budget Managing Director 5 5 Internal and external influences are not monitored to assess their impact on the strategy Managing Director 5 5 The resources required are not understood or are not sufficient to deliver the strategy 5 5 The objectives will not deliver the organisation's objectives effectively and efficiently The research does not identify the most effective products for achieving the objectives The research does not identify the most effective market segments for achieving the objectives The research does not identify the most effective customer segments for achieving the objectives The research does not identify the most effective locations for achieving the objectives The resources required are not understood or are not sufficient to deliver the strategy The locations are not cost-effective, have insufficient staff in the vicinity and have poor communications The environment is not suitable for a factory, insufficient trained labour is available, property costs are too high The buildings are not suitable for storing products, costs are too high and labour is not available The locations are not cost-effective, have insufficient staff in the vicinity and are not near our target customers Poor maintenance results in injury to staff or customers The resources required are not understood or are not sufficient to deliver the strategy The objectives will not deliver the organisation's objectives effectively and efficiently The purchased items are unsuitable, too expensive or delivered late A major supplier of a vital raw material, not obtainable elsewhere, is not able to deliver Assets are not required, not suitable or too expensive Goods are not suitable, too expensive or delivered late Goods or services are not suitable, too expensive or delivered late Minimum prices for utilities are not negotiated The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently There is no market for the product. The product is too expensive to produce The method of manufacturing specified is inefficient The schedule produces the wrong goods at the wrong time The goods are made inefficiently New environmental legislation makes manufacturing process uneconomic The resources required are not understood or are not sufficient The objectives will not deliver the organisation's objectives effectively and efficiently Promotions do not make a profit Promotions do not make a profit Promotions do not make a profit Promotions do not make a profit The resources required are not understood or are not sufficient to deliver the strategy The objectives will not deliver the organisation's objectives effectively and efficiently Goods are damaged, or lost A strike of fuel suppliers brings transport in the UK to a stop The resources required are not understood or are not sufficient to deliver the strategy A major customer goes bankrupt Board risk workshop Marketing Director 4 4 No stock for customers to buy Board risk workshop Marketing Director 5 5 No stock for customers to buy Logistics Director interview Merchandise Director 4 5 Internet sites unavailable Board risk workshop Merchandise Director 4 5 Goods are lost Board risk workshop Merchandise Director 4 5 The resources required are not understood or are not sufficient to deliver the strategy Board risk workshop Merchandise Director 5 5 The objectives will not deliver the organisation's objectives effectively and efficiently Management accounts do not provide timely information on which to make decisions Financial accounts are issued which do not comply with UK law The organisation is not prepared for the International Accounting Standards (IAS) High-calibre staff are not recruited and retained Properly qualified staff are not available to take vacancies
Staff are not properly trained Staff successfully claim unfair dismissal A virus brings down all computer systems for a week Data is lost Data or programs are corrupted Major hardware failure Major network failure Payment is made where the organisation has not received the goods or services at the price Cash taken at the till is not banked Goods are sold to customers who cannot pay for them Fail to pass transaction details to the credit card company Stock is incorrectly valued Stock is incorrectly valued Stock is incorrectly valued Receive incorrect data from stores on hours worked and new employees Expenses were not incurred Revenue expenditure capitalised, or capital expenditure put to revenue Differences not cleared The impact of legislation is not anticipated which results in considerable costs Schemes to minimise tax are not used Poor quality goods harm the organisation's reputation A failure in H & S occurs which results in bad publicity and law suits An environmental disaster occurs at one of the organisation's premises Confidential information is stolen Offices are destroyed by fire The London Stock Exchange is given information which cannot be substantiated The external and internal risks threatening the objectives, and related processes, of the organisation are not understood Financial contracts are set up which open the company to significant losses Working capital is not optimised The resources required are not understood or are not sufficient to deliver the strategy Score Response Cons Like Score Control score Audit action Audit Group 25 treat 5 1 5 20 audit AO 20 treat 4 1 4 16 audit AU 25 treat 5 3 15 10 consultancy AO 20 treat 5 1 5 15 audit CF 25 5 2 10 15 D 0 0 0 K 25 treat 5 1 5 20 audit AN 25 treat 5 2 10 15 consultancy CE 16 treat 4 4 16 0 consultancy AP 20 treat 4 1 4 16 audit AQ 25 treat 5 1 5 20 audit AR 25 treat 5 4
20 5 consultancy AS 25 treat 5 1 5 20 audit CF 25 treat 5 1 5 20 audit CF 25 5 1 5 20 A Inherent risks Residual risks 25 5 1 5 20 A 25 5 1 5 20 A 25 4 1 4 21 A 25 5 2 10 15 B 25 5 2 10 15 B 25 5 2 10 15 C 25 5 2 10 15 E 25 5 2 10 15 0 0 0 F 0 0 0 G 0 0 0 G 0 0 0 H 0 0 0 I 0 0 0 J 0 0 0 L 0 0 0 M 0 0 0 N 0 0 0 O 0 0 0 CE 0 0 0 P 0 0 0 Q 0 0 0 R 0 0 0 R 0 0 0 S 0 0 0 T 0 0 0 U 0 0 0 U 0 0 0 V 0 0 0 X 0 0 0 Y 0 0 0 Z 0 0 0 AA 0 0 0 AB 0 0 0 AC 0 0 0 AD 0 0 0 AE 0 0 0 AF 0 0 0 AG 0 0 0 BD 0 0 0 AH 0 0 0 AI 0 0 0 AJ 0 0 0 AK 0 0 0 AL 0 0 0 AM 16 transfer with insurance 4 1 4 12 audit insurance cover AT 25 treat 5 1 5 20 audit AR 20 treat 4 1 4 16 audit AR 20 tolerate 4 1 4 16 check contingency plans AU 20 tolerate 4 1 4 16 audit AU 25 treat 5 3 15 10 consultancy AV 0 0 0 AW 0 0 0 AX 0 0 0 AY 0 0 0 Project audit 0 0 0 AZ 0 0 0 BA 0 0 0 BB 0 0 0 BC 0 0 0 BE 0 0 0 BF 0 0 0 BG 0 0 0 BH 0 0 0 BI 0 0 0 BJ 0 0 0 BK 0 0 0 AT 0 0 0 AU 0 0 0 BL 0 0 0 BM 0 0 0 BN 0 0 0 BO 0 0 BP 0 0 0 BQ 0 0 0 BR 0 0 0 BS 0 0 0 BT 0 0 0 BU 0 0 0 BV 0 0 0 BW 0 0 0 BX 0 0 0 BY 0 0 0 BZ 0 0 0 CA 0 0 0 CB 0 0 0 CC 0 0 0 CD If the audit budget shows days for the audits due next year, then this calculation will show if the resources available are sufficient to complete all of the audits. If the audit budget shows only days for the audits due next year, then this calculation will show if the resources available are sufficient to complete all of the audits.
Last audit number Last audit name Last audit Budget Last audit actual Last timing Last auditor Last final report Target Market anticipation 130 Internet sales 15 14 Mar-05 Heath 5-Apr-05 Market anticipation Complaints procedures 203 Ethical guidelines 20 23 2003 Smith 6/23/2003 210 Location strategy 50 45 2004 Murphy 10/28/2004 Selling strategy Pricing policy Store planning Price file maintenance 143 Stock control 20 22 Sep-06 Smith 1-Oct-04 Store accounts Complaints procedures Complaints procedures Organisation's strategy Last audit details Organisation's strategy Organisation's strategy Organisation's strategy Delivery of strategy Delivery of strategy (Projects are individually audited) Monitoring of external influences (Carried out within the above audits) Research strategy Product research Market research Market research Geographic research Research resource planning Locating offices Locating factories Locating warehouses Locating shops Maintenance of premises Location resource planning Purchasing strategy Purchasing for manufacture Purchasing for manufacture Purchase of assets Purchase of goods for resale Purchase of expense goods and services Purchase of expense goods and services Purchase resource planning Manufacturing strategy Product design Manufacturing specification Scheduling manufacture Production accounting Environmental audit Manufacturing resource Selling strategy Retail promotions Wholesale promotions Newspaper advertising TV advertising Promotions resource planning Supply strategy Warehouse operations Distribution Supply resource planning Accounts receivable Stock control Stock control Internet sales Internet sales See above Selling resource planning Support strategy Management accounting Financial accounting Project - IAS Recruitment Succession planning Staff
training Staff policies Virus checking Back-up procedures Access controls IS contingency plans - hardware IS contingency plans - communicatio Accounts Payable Retail cash takings Accounts receivable See above Internet sales See above Manufacturing stock Wholesale stock Retail stock Payroll Personal expenses Fixed assets Bank and cash Provision of legal services Provision of tax services Quality control Health and safety Environmental Site security Contingency planning Communications Risk management Treasury Working capital Support resource planning TOTAL 40,968 Available auditors Weekdays (auditors*52*5) 0 Holidays If the audit budget shows days for the audits due next year, then this calculation will show if the resources available are sufficient to complete all of the audits. If the audit budget shows only days for the audits due next year, then this calculation will show if the resources available are sufficient to complete all of the audits.
Training Projects Secondments Total available for above audits 0 Surplus/deficit (40,968) Final report achieved Last result Audit plan date Next audit number Next audit name Next audit budget Next timing Next auditor 201 Market anticipation 20 Jan-06 Khan 5-Apr-05 Issues 2006 201 Internet sales 14 Oct-06 Heath 201 Market anticipation (see above) 207 Complaints procedures (see above) 6/28/2003 acceptable 2006 250 Ethical guidelines Q1 2005 Patel 10/28/2004 unacceptable 253 Location strategy Jones 200 Selling strategy 10 Jan-06 Smith 202 Pricing policy 20 Feb-06 Heath 203 Store planning 15 Mar-06 Smith 204 Price file maintenance 20 Apr-06 Heath 3-Oct-04 Acceptable 2006 205 Stock control 22 Sep-06 Khan 206 Store accounts 10 Jun-06 Smith 207 Complaints procedures 30 Jul-06 Heath 207 Complaints procedures (see above) Organisation's strategy Last audit details Next audit details Organisation's strategy Organisation's strategy Organisation's strategy Delivery of strategy Delivery of strategy (Projects are individually audited) Monitoring of external influences (Carried out within the above audits) Research strategy Product research Market research Market research Geographic research Research resource planning Locating offices Locating factories Locating warehouses Locating shops Maintenance of premises Location resource planning Purchasing strategy Purchasing for manufacture Purchasing for manufacture Purchase of assets Purchase of goods for resale Purchase of expense goods and services Purchase of expense goods and services Purchase resource planning Manufacturing strategy Product design Manufacturing specification Scheduling manufacture Production accounting Environmental audit Manufacturing resource Selling strategy Retail promotions Wholesale promotions Newspaper advertising TV advertising Promotions resource
planning Supply strategy Warehouse operations Distribution Supply resource planning Accounts receivable 10 Aug-06 Khan Stock control 20 Oct-06 Smith Stock control Internet sales Internet sales Selling resource planning Support strategy Management accounting Financial accounting Project - IAS Recruitment Succession planning Staff training Staff policies Virus checking Back-up procedures Access controls IS contingency plans - hardware IS contingency plans - communications Accounts Payable Retail cash takings Accounts receivable Internet sales Manufacturing stock Wholesale stock Retail stock Payroll Personal expenses Fixed assets Bank and cash Provision of legal services Provision of tax services Quality control Health and safety Environmental Site security Contingency planning Communications Risk management Treasury Working capital Support resource planning TOTAL 191 Available auditors 3 Weekdays (auditors*52*5) 780 Holidays 75 Training 15 Projects 100 Secondments 100 Total available for above audits 490 Surplus/deficit 299 If the audit budget shows only days for the audits due next year, then this calculation will show if the Status Next final report Target Next final report Achieved 2006 opinion on risk To start 18-Feb-06 To start TBA To start To start 8/20/2005 To start 18-Jan-06 To start 27-Feb-06 To start 24-Mar-06 To start TBA To start TBA To start TBA To start TBA Next audit details To start TBA To start TBA
Appendix I Level 2 and 3 processes Define objectives Purchase finished Purchase assets Purchase raw materials Purchase Decide strategy Maintain strategy Deliver strategy Communicate strategy
Define objectives Support purchase raw materials Support strategy Define objectives Support purchase assets Purchase expense goods Purchase finished goods Support
Set up items Set up vendors Place order Requisition goods and services Prepare financial accounts Prepare management accounts Provide systems Provide staff Define objectives Define objectives Define objectives Process transactions Support purchase finished goods Receive goods Provide legal services Provide tax services Ensure quality Ensure health & safety Manage the environment Ensure security Communicate
Support purchase expense goods Return goods
Appendix J Audit database
Ref Process Process Description Risk to process IRC IRL IRS Example control Example monitoring Tests Ref RRC RRL RRS Cont score Issue Action By whom Conclusion Controls Conclusion Action Conclusion Monitoring Report ref Follow-up Risks Follow-up Controls Follow-up Action Follow-up Monitoring
4.5 Purchase expense goods Purchase goods and services for the organisation (Summary level)
4.5.1 Define objectives Define the strategy for expense purchases, communicate and deliver it (Summary level)
4.5.1.1 Define the strategy for expense purchasing Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders The strategy does not maximise efficiency and effectiveness and is not consistent with the organisation's strategy The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned. These targets and budgets are approved by management finance. Directors check the strategy for departments under their control. The overall budget is approved by the board Examine the latest strategy document
4.5.1.1 Define the strategy for expense purchasing Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders The strategy has not been updated The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned Directors check the strategy for departments under their control Examine the latest strategy document. Check that the budget forms part of the organisation's overall budget.
Examine variances for the current year and ensure adequate explanations have been made for excessive
4.5.1.2 Communicate the strategy Inform the staff about the targets Staff are unaware of the strategy Staff are briefed by their managers The strategy is available on notice boards and the intranet Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver the strategy No action plan exists to deliver the strategy An action plan to deliver the strategy is part of the budgeting process Directors check the action plan for departments under their control Examine the action plan. Check for progress to implement it.
4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver the strategy The strategy is not built into individuals' targets Individuals are given their targets based on those of the department Directors, or senior managers, check the staff targets for departments under their control Examine staff targets for a selection of staff
4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver the strategy Any member of staff can authorise the purchase of any goods or services Rights to place requisitions and orders are in a written policy The policy is checked every year to ensure it is correct Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver the strategy Any member of staff can requisition any goods or services Rights to authorise requisitions and orders are in a written policy The policy is checked every year to ensure it is correct Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it.
As part of other tests, ensure adherence to the policy
4.5.2 Set up Suppliers Set up new Suppliers on the computer system, or modify existing details. Includes addresses and payment terms Supplier details are not correctly input/modified Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director Check individual reports over the last six months for evidence of checking. Observe the process in action.
4.5.2 Set up Suppliers Set up new Suppliers on the computer system, or modify existing details. Includes addresses and payment terms False Suppliers are set up and paid Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director Check individual reports over the last six months for evidence of checking. Observe the process in action.
4.5.2 Set up Suppliers Set up new Suppliers on the computer system, or modify existing details. Includes addresses and payment terms No settlement discount, or other discounts, are negotiated Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director Check individual reports over the last six months for evidence of checking. Observe the process in action.
4.5.4 Departments requisition goods/services Raise a request (may be on the computer system, but could be an e-mail or manual form) for goods or services to be ordered Expense goods/services requested are not needed or are not for the benefit of the company Requisitions are authorised by an appropriate manager Budgets are maintained for all expenses with monthly monitoring against actual Observe the procedure for electronically authorising requisitions. If possible, have the computer controls checked by a competent auditor.
4.5.4 Departments requisition goods/services Raise a request (may be on the computer system, but could be an e-mail or manual form) for goods or services to be ordered Details on the requisition are incorrect Requisitions are authorised by an appropriate manager Budgets are maintained for all expenses with monthly monitoring against actual Observe the procedure for electronically authorising requisitions. If possible, have the computer controls checked by a competent auditor.
4.5.5 Purchasing order raised for goods/services Based on the authorised requisition, purchasing department raise an order. This may be on an existing Supplier but might require negotiations with a new Supplier The order is incorrect, that is does not agree to the approved requisition Confirmation is required on the order screen before the order is sent or printed The requisitioner will query any difference Observe the process and try submitting without confirmation
4.5.5 Purchasing order raised for goods/services Based on the authorised requisition, purchasing department raise an order. This may be on an existing Supplier but might require negotiations with a new Supplier The price on the order does not give the organisation maximum value The order is placed by trained purchasing staff using prices on the computer, or negotiated with the supplier.
Budgets are maintained for all expenses with monthly monitoring against actual Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists.
4.5.5 Purchasing order raised for goods/services Based on the authorised requisition, purchasing department raise an order. This may be on an existing Supplier but might require negotiations with a new Supplier Orders are placed with suppliers who do not provide best value (quality/price/delivery) Orders can only be placed with suppliers previously set up on the computer Half-yearly report listing suppliers and spend which is approved by the Purchasing Director Examine the input of orders. Try and set up a new supplier from the order screen
4.5.5 Purchasing order raised for goods/services Based on the authorised requisition, purchasing department raise an order. This may be on an existing Supplier but might require negotiations with a new Supplier Orders are placed late Computer report showing requisitions not turned into orders within 2 days is checked by the supervisor Requisitioners will complain if orders are received late Examine this report for items older than 2 days
4.5.5 Purchasing order raised for goods/services Based on the authorised requisition, purchasing department raise an order. This may be on an existing Supplier but might require negotiations with a new Supplier Orders have incorrect account codes input The requisitioner supplies the codes. The computer checks these exist but cannot check if they are correct. Budget holders check their expenses each month for incorrect items Examine accounts journals and other documentation used to correct coding errors to judge how frequent they are
4.5.5 Purchasing order raised for goods/services Based on the authorised requisition, purchasing department raise an order.
This may be on an existing Supplier but might require negotiations with a new Supplier Orders are placed for goods not required, without approved requisitions All orders have to be placed through the computer. Orders can only be raised by purchasing staff. Orders without requisitions must be approved by a senior manager Budget holders check their expenses each month for incorrect items Check access to order screens is limited to approved purchasing staff. Check orders raised without approved requisitions are approved
4.5.6 Goods/services received. Quantity received input Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services Goods/services vital to the organisation's operation become unavailable or too expensive If possible, have two, or more, sources of supply. Hold sufficient stocks of vital spares. Have contingency plans for failure of vital supplies Check for the existence of recent, tested contingency plans
4.5.6 Goods/services received. Quantity received input Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services Quantities, or service, are not what was ordered Computer report showing where quantities received differ from the order Requisitioners should complain if the goods/services differ from the order Examine this report and check on the action taken. Note items which may be old and uncorrected
4.5.6 Goods/services received. Quantity received input Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer.
Some type of confirmation should be required for the receipt of services Quantities incorrectly input The computer warns if the quantity received is different from that ordered Requisitioners should complain if the goods/services differ from the order Observe the process and try submitting a different quantity
4.5.6 Goods/services received. Quantity received input Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services Stock records (for example engineers' spares) not updated Automatic update with exception reports where this has not occurred Periodic physical checks to stock records Check a sample of items received through to the stock system
4.5.6 Goods/services received. Quantity received input Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services Receipt details input when no goods or services have been received Division of duties between requisitioners, purchasing staff and receivers Budget holders check their expenses each month for incorrect items Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists.
4.5.6 Goods/services received. Date of receipt input Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services Quality is not up to standard Responsibility of the person receiving the goods/services to complain of poor quality to the ordering department No formal monitoring Ask a sample of staff their opinions on the quality of goods received
4.5.6 Goods/services received. Date of receipt input Receive the goods and services ordered.
Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services Goods are lost All goods are received at one, secure, location, which inputs their receipt against the order Requisitioner will complain if goods are not received Visit the receiving area. Check security and observe the receipt of goods.
4.5.7 Goods/services returned If the goods are not those ordered, are damaged, or too many are delivered, they will be returned to the Supplier. If they are found to be faulty after the processing of an invoice, or payment, a credit note will be required Credit is not obtained from the supplier Goods can only be returned on the authority of the buyer, who raises a "Goods Return Note". One copy goes with the goods, the other is keyed into the computer as a debit note. This automatically reduces the next payment. Requisitioner will complain if credit is not received Take a sample of Goods Returned Notes and check that the correct credit has been received
4.5.8 Support purchasing of expenses (Summary level)
4.5.8.1 Define objectives for supporting expense purchasing Define the strategy Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders The strategy has not been updated The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned Directors check the strategy for departments under their control Examine the latest strategy document
Communicate the strategy Inform the staff about the targets Staff are unaware of the strategy Staff are briefed by their managers The strategy is available on notice boards and the intranet Ask staff to confirm they have been briefed.
Determine the date of the briefing and attendees
Deliver the strategy Form an action plan, with the staff involved, to deliver the strategy No action plan exists to deliver the strategy An action plan to deliver the strategy is part of the budgeting process Directors check the action plan for departments under their control Examine the action plan
Deliver the strategy Form an action plan, with the staff involved, to deliver the strategy The strategy is not built into individuals' targets Individuals are given their targets based on those of the department Directors, or senior managers, check the staff targets for departments under their control Examine staff targets for a selection of staff
Deliver the strategy Form an action plan, with the staff involved, to deliver the strategy No limitation is set on the authority of staff to commit the organisation Rights to place requisitions and orders are in a written policy The policy is checked every year to ensure it is correct Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Deliver the strategy Form an action plan, with the staff involved, to deliver the strategy No limitation is set on the authority of staff to commit the organisation Rights to authorise requisitions and orders are in a written policy The policy is checked every year to ensure it is correct Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
4.5.8.2 Process transactions Process transactions resulting from the purchase of expenses Transactions are not processed completely and accurately
4.5.8.2.1 Purchasing expenses - Invoice input Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price.
Differences outside a pre-defined tolerance are held and cleared by Invoice input against incorrect supplier Most invoices are input against an order and the supplier details are checked. If no order exists there is no control The supplier will send a reminder to pay
4.5.8.2.1 Purchasing expenses - Invoice input Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price. Differences outside a pre-defined tolerance are held and cleared by Incorrect values input Where the invoice is matched to an order, an exception report is produced for invoices not matching and these are held until purchasing approve the difference. Invoices without orders are batch totalled Monthly check, by management, of the report showing invoices held in query. Follow-up of invoices over one month old
4.5.8.2.1 Purchasing expenses - Invoice input Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price. Differences outside a pre-defined tolerance are held and cleared by Invoices are input twice Where the invoice is matched to an order the computer will not allow the input of another invoice. Invoices are stamped "input"
4.5.8.2.1 Purchasing expenses - Invoice input Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price. Differences outside a pre-defined tolerance are held and cleared by Duplicate invoices are input Where the invoice is matched to an order the computer will not allow the input of another invoice. If copy invoices are received, where no orders exist, they are checked to the supplier account before processing. The computer will not accept duplicate invoices
4.5.8.2.1 Purchasing expenses - Invoice input Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price. Differences outside a pre-defined tolerance are held and cleared by Invoice input where no goods or services have been received. Most invoices are matched against approved orders. Other invoices must be approved by a senior manager and accountant, who writes the account code on. Invoices can only be paid to suppliers set up on the system, for which separate checks apply. Duties are split between staff. Budget holders check their expenses each month for incorrect items
4.5.8.2.1 Purchasing expenses - Invoice input Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price. Differences outside a pre-defined tolerance are held and cleared by The tax analysis of invoices is incorrect, for example "Business entertainment" All purchasing and transaction processing staff have specific training on the analysis of Value added tax (VAT). Detailed guidelines are available. The computer checks for incorrect calculations
4.5.8.2 Purchasing expenses - Invoice filed Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price. Differences outside a pre-defined tolerance are held and cleared by Invoices are not filed and microfiched Invoices are sequentially numbered on input. When microfiching, the continuity of these numbers is checked
4.5.8.2 Purchasing expenses - no invoice payment, for example tax Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price.
Differences outside a pre-defined tolerance are held and cleared by Incorrect payments may be made
4.5.8.2 Purchasing expenses - payment The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details Computer payment is made for goods or services which have not been received Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or Supplier master data input
4.5.8.2 Purchasing expenses - payment The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details Incorrect settlement discount is taken
4.5.8.2 Purchasing expenses - payment The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details Payment is not made on the due date Payment terms are set up on the supplier account. They can only be changed on written instructions for a buyer Payment terms are checked by buyers every 6 months
4.5.8.2 Purchasing expenses - payment The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details Computer payment is made for goods or services which have not been received Manual cheques must be supported by invoices and are signed by two directors
Last follow-up results (date)
David M Griffiths J Expense purchases database
4.5.8.2 Purchasing expenses - payment The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details Manual payments made are fraudulent Cheques are kept in a locked cupboard to prevent theft and subsequent forgery. Overseas payment instructions are signed by two directors. The bank has instructions to telephone the Chief Financial Officer if payments are over an agreed amount. Bank reconciliation will detect payments made not correctly entered in the books of account
4.5.8.2 Purchasing expenses - payment The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details Cheques are altered or forged Cheque signing signatures are embossed. Cheques are printed by specialist printers with the latest security features Bank reconciliation will detect payments made not correctly entered in the books of account
4.5.8.2 Purchasing expenses - payment The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details The payment output file is altered.
(This file holds payment data to be transmitted to the bank, or used to print cheques) Access controls on the computer to prevent alteration Exception reports, checked by management, which detail exceptional alterations to files Obtain details of those staff with access to the computer files. They should only be senior IT staff with no access to accounting systems
4.5.8.2 Purchase expense invoices / credit notes posted to accounts Invoices and payments are posted to the general (nominal) ledger in the same accounting period Invoice / credit notes are posted to incorrect accounts Invoices are posted to the account set up on the requisition. The computer verifies that these exist and prevents certain combinations of cost centre and nominal codes Budget holders check their expenses each month for incorrect items. Plus Financial Accounts check balances to the previous month's and investigate significant discrepancies
4.5.8.2 Accounts Payable month-end processes In order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer, from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued. To ensure details have been corr Accruals not calculated The value of all goods received not invoiced is calculated by the computer Comparison made with previous month's figure. Major differences investigated
4.5.8.2 Accounts Payable month-end processes In order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer, from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued.
To ensure details have been corr Accruals not calculated correctly In major expense service functions (for example advertising) managers must detail services provided which have not been invoiced Major variances from budget are investigated
4.5.8.2 Accounts Payable month-end processes In order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer, from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued. To ensure details have been corr Accounts payable ledger total does not represent all liabilities Total of supplier balances reconciled to Accounts Payable control account in the General ledger Reconciliation is signed by a senior manager
4.5.8.2 Manage the accounts payable ledger Ensure the accounts payable ledger is correctly updated, properly represents amounts owed to creditors and is correctly included in the accounts of the organisation Accounts payable ledger total does not represent all liabilities Sample check reconciliation of Supplier statements to the Accounts Payable balance The check is noted and scrutinised by a senior manager at month-end
4.5.8.2 Manage the accounts payable ledger Ensure the accounts payable ledger is correctly updated, properly represents amounts owed to creditors and is correctly included in the accounts of the organisation Supplier with a debit balance, due to credits issued, goes out of business Exception report highlighting large debit balances. Payment stop put on the account. Systems in place to request repayment of the amount owing Management scrutiny of large debit balances each month, with a progress report on their recovery
4.5.8.3 Provide systems Provide systems, including computer systems to support the organisation's operations (Summary level) n/a
4.5.8.3.1 Maintain central systems The proper operation of applications is maintained by a central IT department Data lost through main computer failure, systems unavailable for a prolonged period Range of controls maintained by the IT department Users monitor their output, such as reconciling the accounts payable balance with the general ledger Covered by audits of the IT processes
4.5.8.3.2 Maintain user systems Users set up their own computer systems (for example spreadsheets) to produce data User-maintained systems lose data Data is kept on the network which is backed-up daily IT management should monitor system reports Ensure data is backed-up - try retrieving yesterday's files. If a stand-alone computer, check back-up to discs
4.5.8.3.2 Maintain user systems Users set up their own computer systems (for example spreadsheets) to produce data User-maintained systems produce inaccurate data All important data is checked, or reconciled, to an independent source to ensure it is correct. If this is not possible, some manual reperformance of calculations, or checks of formulas. Output should be examined for "reasonableness" Check formulas are correct. If possible use a spreadsheet analyser to detect possible problems. Reperform manually important calculations, if possible.
4.5.8.3.2 Maintain user systems Users set up their own computer systems (for example spreadsheets) to produce data User-maintained systems understood by only the programmer A user guide has been written and independently tested after each revision Manager holds a copy Check all programs have a clearly written user guide.
4.5.8.4 Prepare management accounts Collect the data from processed transactions into accounts for management to make decisions Information is incorrectly analysed and summarised Totals on the management accounts are reconciled to totals from the accounts payable system Output should be examined for "reasonableness" Trace figures from the accounts payable system through to totals in the top level management accounts
4.5.8.5 Prepare financial accounts Collect the data from processed transactions into accounts for statutory or tax purposes Information is incorrectly analysed and summarised Each month, or more frequently, the accounts payable ledger total is reconciled to the accounts payable control account in the general ledger Manager checks the reconciliation. Management and financial accounts are reconciled Trace figures from the accounts payable system through to totals in the top level financial accounts
4.5.8.6 Provide staff Recruit staff and manage staff policies (Summary level)
4.5.8.6.1 Establish job descriptions Job descriptions, in accordance with policy, are written and approved Staff competencies required have not been identified All jobs have written job descriptions, which show the competencies required HR and manager sign off job descriptions Check for job descriptions of all staff levels
4.5.8.6.2 Carry out regular appraisals Targets are set for staff with regular appraisals in accordance with policy Actual competencies of the staff have not been matched with required competencies The targets take into account the competencies required HR and manager sign off appraisals Check appraisal files
4.5.8.6.3 Training of staff Staff are trained in order to achieve their targets with maximum effectiveness and efficiency, within the ethical guidelines Training is not provided, or is inadequate. For example it omits ethical guidance Training is provided when taking on new responsibilities and during a job, to ensure the staff member understands how to do the job and the controls which must operate Managers monitor the training their staff receive to ensure it is appropriate at all times Check training materials. Ask staff who have recently changed jobs about their training
4.5.8.6.3 Training of staff Staff are trained in order to achieve their targets with maximum effectiveness and efficiency, within the ethical guidelines Staff not allowed to attend training Clear policy from the board that training is important. HR monitor staff not attending training courses and determine why Question staff who have been on courses
4.5.8.6.4 Recruit suitable staff Recruit staff to fill vacancies Applicants falsify references All references and qualifications are checked by HR Manager can request references if required Take a sample of recent joiners and check that references were supplied. (Other tests are carried out as part of the audit of HR)
4.5.8.6.4 Recruit suitable staff Recruit staff to fill vacancies Insufficient staff are available to carry out all duties, and maintain division of duties HR maintain succession plans for senior key staff. Managers have plans for other key staff Senior managers should monitor their managers to ensure succession plans exist Examine staff budgets to ensure staff numbers are being maintained at levels which ensure controls are operated
4.5.8.7 Provide legal services Advise all areas of the company concerning action to be taken on legislation Staff involved in expense purchasing are not aware of legislation which affects them, thus threatening the organisation with prosecution There is a clear, preferably written, understanding that legal services will update the appropriate managers with legislation which affects them.
The managers will brief their staff Senior management check that important legislation is understood by the functions under their control Determine when the last update from legal services was received and how it was briefed to staff. If you are aware of any legislation affecting the processes being audited (for example competition legislation), make sure it has been briefed in.
4.5.8.8 Provide tax services Advise all areas of the company concerning action to be taken on tax legislation Staff involved in expense purchasing are not aware of tax legislation which affects them, thus threatening the organisation with fines or the loss of tax credits
4.5.8.9 Ensure quality Ensure all goods sold meet the quality standards set by legislation and the organisation
4.5.8.10 Ensure health & safety Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers
4.5.8.11 Manage the environment Ensure the operations of the organisation obey all environmental laws and good practice
Ensure security The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation (Summary level)
Provide security All assets, including physical assets, stock and information, are physically secure Loss of the organisation's assets
Identify documents required to achieve the objective of these processes Documents may not be recorded
Decide on arrangements to safeguard these Level of protection may not be sufficient
Communicate Inform internal and external stakeholders of the organisation's policies and intentions
Manage risks threatening expense purchasing processes (Summary level)
Identify risks Risks are not known 5 5 25 Examine processes to set up the risk register and examine the register.
Ensure all types of risk, including external risks, have been considered 3 3 9 16 Not applicable
Evaluate risks Significant risks are not understood Examine the process to score the risks Not applicable
Control risks Significant risks are not controlled Controls are put into operation which reduce residual risks to the risk appetite of the organisation Check controls - below Not applicable

Appendix K Advice on allocating conclusions

Gradings and colours: Acceptable (green), Issues (amber), Unacceptable (red)

Conclusion on: Risks have been identified, evaluated and managed
Acceptable (green): Thorough processes have been used and all significant risks should have been identified.
Issues (amber): Processes have been used, but there are some deficiencies and not all significant risks may have been identified.
Unacceptable (red): Inadequate, or no, processes have been used.

Conclusion on: Internal controls reduce risks to acceptable levels (that is to within the risk appetite of the organisation)
Acceptable (green): Risks are being managed to within acceptable levels, as defined by the board. Report as Supplementary issue, if cost effective controls can reduce the risk further, otherwise do not report
Issues (amber): Not all risks are being managed to within acceptable levels, as defined by the board, although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved. Report as: Key issue
Unacceptable (red): The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results (red) or The risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results. Report as: Key issue

Conclusion on: Action being taken to promptly remedy significant failings or weaknesses
Acceptable (green): The action being taken will result in all risks being managed to within acceptable levels.
Issues (amber): The action being taken will result in some reduction in risk but not to acceptable levels
Unacceptable (red): No action is being taken, OR insufficient action is being taken to manage risks to within acceptable levels

Conclusion on: Current levels of monitoring are sufficient
Acceptable (green): No more monitoring is necessary than is done at present
Issues (amber): Some additional monitoring is required
Unacceptable (red): Major improvements are required to the monitoring of controls

Figure 1 What is risk based internal auditing?
[Diagram. Axes: Consequence, Likelihood. Labels: inherent risk, residual risk, control, Risk appetite. Note on the diagram: RBIA provides assurance that these controls are operating effectively.]

Figure 2 Risk significance
[Grid showing the significance of risks. Axes: Likelihood of risk: Rare (1), Unlikely (2), Possible (3), Probable (4), Almost certain (5); Consequence of risk: Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5). Other labels: Risk appetite, as defined by the board; IR = Inherent Risk; RR = Residual Risk; Internal control.]
Gradings:
Unacceptable: Immediate action required to manage the risk
Issue: Action required to manage the risk
Supplementary issue: Action is advisable if resources are available
Acceptable: No action required
Cell scores and gradings shown in the grid: 1, 2, 3 and 4 Acceptable; 5 Issue in one cell and Supplementary Issue in the other; 6 and 8 Supplementary Issue; 9, 10 and 12 Issue; 15, 16, 20 and 25 Unacceptable.
Figure 3 Stages of an audit
[Diagram of risk-based internal auditing in three stages (Stage 1, Stage 2, Stage 3). Labels: Assess risk maturity; Risk Naive, Risk Aware, Risk Defined, Risk Managed, Risk Enabled; Management's Risk Register (if available); Use organisation's risks; Facilitate risk identification; Management's Risk Register (amended); Assign risks to audits; Audit universe; Risk and audit universe (RAU); Audit plan; Audit Committee report; Individual audit; Audit report; Feedback results into RAU.]

Figure 4 Stage 2 Audit planning
[Diagram of the processes involved in Stage 2. Labels: Risk Register (audited); Risk and Audit Universe; Categorise risks; Filter risks; Risks within the risk appetite; Risks which will be tolerated; Risks on which assurance is provided by others; Risks on which assurance is required; Risks not requiring an audit in this period; Select risks to be covered; Link risks to audits; Audit Universe; Allocate resources to audits; Audit plan; Audit Committee report.]

Figure 5 Frequency of Audits and Consultancy
[Chart. Axes: Control score, Inherent risk (zero to maximum). Labels: risk appetite value; risk appetite value when inherent risk is maximum; line of maximum control score; residual risk equals zero; residual risk equals maximum; regions 1 to 4; assurance every year; assurance every two years; assurance every three years; consultancy this year; consultancy next year.]

Figure 6 Stage 3 Individual audits
[Diagram captioned "Fig 5 Processes involved in stage 3". Labels: Audit plan; Define draft audit scope; Meetings to determine objectives, risks and agree scope; Agreed scope; Obtain relevant documentation on processes; Set up an audit database to record the audit details, or update the Risk and Audit Universe; Audit database; Examine the risk management process for the area audited; Conclude on risk maturity for the area audited; Decide on audit approach; Test the monitoring and proper operation of controls; Draw preliminary conclusions and discuss them; Audit report; Feedback results into risk and audit universe; Risk and audit universe.]

Figure 7 Audit trails in the Risk and Audit Universe and individual audits
[Diagram captioned "Fig 7 Audit trails in the risks and audit universe and audit databases". Labels: risk and audit universe; audit databases; objectives; processes; risks; last audits; tests; scores; controls; audit reports; Audit Committee report.]