Vous êtes sur la page 1sur 314

Accounts Payable

Audit

This spreadsheet shows the data for an a risk based


internal audit of accounts payable (number #). It requires
modifying for your organization.

Details for using this risk based audit spreadsheet


are included in Book 4 'Audit Manual ' available on
www.internalaudit.biz

David Griffiths
v2.0

Accounts payable audit

Introduction
Objective of this spreadsheet
This spreadsheet provides the framework for an audit of accounts payable
and is not complete. You will need to amend it for your organization.
The Audit Manual (Book 4) provides detailed information on the use of this
framework
Worksheets are:
A Audit details: The primary function being audited and where it stands in
the organization (see the COSO 'cube')
A Milestones: Important target dates in the audit
A Audit plan: Daily outline plan covering the period of the audit
A Audit diary: Details of the work done each day
B Functions: Some typical functions which might be in a charity. Risks are
linked to these.
B Processes: Some typical processes which might be in a retail company.
Risks are linked to these, which helps group risks together which can be
checked by the same audit.
C Scope: Links to scopes
D Meetings: Links to notes of meetings
E Risk Maturity: Checklist which assists in determining the risk maturity of
the organization.
F Mind Map Reference to mindmap on web
F Objectives, Risks and Controls Register: The foundation of risk based
internal auditing. The audit is based around this.
F Process risks: Diagram of processes and associated risks
G Tests: Links to test schedules
H Potential Deficiencies: Potential deficiencies noted as they arise
H Deficiencies for discussion: Deficiencies to be discussed with
management
I Draft report: Links to draft reports and follow-up memos
J Final Report: Links to final report and associated memos
K Quality control: Links to review notes and staff targets and appraisals
L Follow up: Links to follow up reports
Summary: Table showing numbers of risks in each assessment category.
Used for the report.
Scoring risks: Gives examples of risk scoring
Version control: Shows changes made for this version and date of issue

Risk based internal auditing by David Griffiths is licensed under a Creative Commons Attribution-NonC

Letters on worksheet tabs refer to the relevant audit manual section

Incont

Accounts payable audit

Audit details
Audit Group
This audit number
Last audit number
Audit name

Accounts payable
#
(This is the first audit)
Accounts payable audit

Department
Function
Operating unit
Division
Entity

Accounts Payable

The value in this cell will update all A1 cells


The value in this cell will update all B1 cells

all A1 cells

all B1 cells

Accounts payable audit

Milestones
Milestones

Resp

Set up audit on quarterly plan


Set up computer directories
Set up meetings
Issue draft scope
Final scope signed off.
Authorizing signature:

CAE
Auditor
Auditor
Auditor
CAE

Target

Achieved

Final scope issued


Auditor
Risk maturity confirmed
Auditor
Processes mapped
Auditor
Inherent risks agreed
Auditor
Controls tested
Auditor
Residual risks scored and agreed
Auditor
Deficiencies entered into the database Auditor
Mid-audit file review
CAE
Deficiencies agreed with business
Auditor
Draft report issued
Auditor
Final report signed off.
CAE
Authorizing signature:
Final report circulated
(COSO deficiencies report
completed)
End audit file review
All staff appraised
Paper files stored in archives
Feedback to be obtained from:
Accounts Payable Manager
Other Comments:

Auditor
Auditor
CAE
CAE
Auditor
date

Accounts payable audit

Audit timetable
This audit - #
Date

Accounts payable audit

Audit diary
No.

Title

Staff 1

Staff 2

Date

Next action

Timing
Man

Target date

Accounts payable audit

Company organization chart for departments around AP

Accounts payable audit

Company processes for Accounts Payable


(See Risk and Audit Universe spreadsheet for top-level processes)

#
Scope

Accounts payable audit

Ref

Document
Draft scope
Note with draft scope
Final scope
Note with final scope

Hyperlink
Word

Incont

Accounts payable audit

Meetings
Date

Contents

Hyperlink

Accounts payable audit

Assessment of risk maturity

From 'An approach to implementing Risk Based Internal Auditing' (IIA-UK and Ireland) - may no longer be availa
Modified by a checklist in Guide to ISO 310000. Hyperlink:
Objective Level 1

Maintain profit of existing business

Risk Level 1

Processes do not support the business

Objective Level 2

Pay suppliers the correct amount at the


time agreed

Risk Level 2

Losses result from inadequate controls

Controls

Establish a risk management framework


to identify risks threatening the
objectives and responses required to
manage the risks. See below for details.

Control ISO31000

Control COSO (attribute)

Risk Architecture
Statement produced that sets out
risk responsibilities and lists the
risk-based matters reserved for the
board

Establishes Responsibility and Accountability for


Executing Policies and Procedures management
establishes responsibility and accountability for control
activities with management (or other designated
personnel) of the operating unit or function in which the
relevant risks reside

Statement produced that sets out


risk responsibilities and lists the
risk-based matters reserved for the
board

Establishes Responsibility and Accountability for


Executing Policies and Procedures management
establishes responsibility and accountability for control
activities with management (or other designated
personnel) of the operating unit or function in which the
relevant risks reside

Risk management responsibilities Monitoring activities-Assessing and overseeing the


allocated to an appropriate
nature and scope of monitoring activities and the
management committee
management's evaluation and remediation of
deficiencies
Arrangements are in place to
ensure the availability of
appropriate competent advice on
risks and controls

Attracts, Develops, and Retains Individualsthe


organization provides the mentoring and training
needed to attract, develop, and retain sufficient and
competent personnel and outsourced service providers
to support the achievement of objectives

Risk aware culture exists within the Evaluates Performance Measures, Incentives, and
organization and actions are in
Rewards for Ongoing relevancemanagement and the
hand to enhance the level of risk board of directors align incentives and rewards with the
maturity
fulfillment of internal control responsibilities in the
achievement of objectives
Sources of risk assurance for the
Board have been identified and
validated

Defines, assigns and limits authorities and


Responsibilities management and the board of
directors delegate authority, define responsibilities, use
appropriate process and technology to assign
responsibilities and segregate duties as necessary at
the various levels of the organization

Risk Strategy
Risk management policy produced Considers tolerances for risk- Management consider the acceptable
that describes risk appetite, risk
levels of variation relative to the achievement of operations
culture and philosophy
objectives
Key dependencies for success
identified, together with the matters
that should be avoided
Business objectives validated and Reflects Managements ChoicesThe operations objectives reflect
the assumptions underpinning
managements choices about structure, industry considerations, and
those objectives tested
performance of the entity
Business objectives validated and Reflects Managements ChoicesThe operations objectives reflect
the assumptions underpinning
managements choices about structure, industry considerations, and
those objectives tested
performance of the entity
Significant risks faced by the
organization identified, together
with the critical controls required

Includes Entity, Subsidiary, Division, Operating Unit, and Functional


Levelsthe organization identifies and assesses risks at the entity,
subsidiary, division, operating unit, and functional levels relevant to
the achievement of objectives

Risk management action plan


established that includes the use
of key risk indicators, as
appropriate

Estimates Significance of Risks Identifiedmanagement ensures


that identified risks are analyzed through a process that includes
estimating the potential significance of the risk

Necessary resources identified


and provided to support the risk
management activities

Evaluates Performance and Rewards or Disciplines Individuals


management and the board of directors evaluate performance of
internal control responsibilities, including adherence to standards of
conduct and expected levels of competence and provide rewards or
exercise disciplinary action as appropriate

Risk Protocols
Appropriate risk management
Estimates Significance of Risks Identifiedmanagement ensures
framework identified and adopted, that identified risks are analyzed through a process that includes
with modifications as appropriate estimating the potential significance of the risk
Suitable and sufficient risk
assessments completed and the
results recorded in an appropriate
manner
Procedures to include risk as part Assesses Changes in the Business Modelthe organization
of business decision-making
considers the potential impacts of new business lines, dramatically
established and implemented
altered compositions of existing business lines, acquired or divested
business operations on the system of internal control, rapid growth,
changing reliance on foreign geographies and new technologies
Procedures to include risk as part Assesses Changes in the External Environmentthe risk
of business decision-making
identification process consider changes to regulatory, economic,
established and implemented
and the physical environment in which the entity operates

Details of required risk responses Determines How to Respond to Risksmanagement ensures that
recorded, together with
the risk assessment includes considering how the risk should be
arrangements to track risk
managed and whether to accept, avoid, reduce, or share the risk
improvement recommendations
Details of required risk responses Reassesses Policies and Proceduresmanagement periodically
recorded, together with
reviews control activities to determine their continued relevance,
arrangements to track risk
and refresh them when necessary
improvement recommendations
Incident reporting procedures
established to facilitate
identification of risk trends,
together with risk escalation
procedures

Communicates with the Board of Directorscommunication exists


between management and the board of directors so that both have
information needed to fulfill their roles with respect to the entitys
objectives

Business continuity plans and


disaster recovery plans
established and regularly tested

No equivalent

Arrangements in place to audit the Involves Appropriate Levels of ManagementThe organization puts
efficiency and effectiveness of the into place effective risk assessment mechanisms that involve
controls in place for significant
appropriate levels of management
risks
Arrangements in place to audit the Involves Appropriate Levels of ManagementThe organization puts
efficiency and effectiveness of the into place effective risk assessment mechanisms that involve
controls in place for significant
appropriate levels of management
risks
Arrangements in place for
Assesses Resultsmanagement and the board of directors, as
mandatory reporting on risk,
appropriate, assess results of ongoing and separate evaluations
including reports on at least the
following: Risk appetite, tolerance
and constraints; Risk architecture
and risk escalation procedures;
Risk aware culture currently in
place; Risk assessment
arrangements and protocols;
Significant risks and key risk
indicators; Critical controls and
control weaknesses; Sources of
assurance available to the Board

d) - may no longer be available


http://www.ferma.eu/risk-management/standards/iso-standard

Overall Conclusion:

Internal audit action:

Control IIA with


amendments

Statement produced that sets out


risk responsibilities and lists the
risk-based matters reserved for the
board.

Risks been allocated to specific job


titles

Risk management responsibilities


allocated to an appropriate
management committee or
department
Management have been trained to
understand what risks are, and
their responsibility for them.

AP Control

Managers are assessed on their


risk management performance,
which may require improvements
to the level of risk maturity
Sources of risk assurance for the
Board have been identified and
validated

The risk appetite of the


organization has been defined in
terms of the scoring system.
No equivalent

The organization's objectives are


defined
The organization's objectives are
defined
Processes have been defined to
determine risks, and these have
been followed.
A scoring system for assessing
risks has been defined.

Responsibility for the


determination, assessment, and
management of risks is included in
job descriptions and targets

All risks been assessed in


accordance with the defined
scoring system.
All risks and controls have been
collected into one list.

All significant new projects are


routinely assessed for risk

Risks are identified when functions


and processes change due to
changes in the business or
external changes

Responses to the risks (e.g.


controls) have been selected and
implemented.
Risks are regularly reviewed by the
organization.

Management have reported risks


to directors where responses are
not managing the risks to a level
acceptable to the board.
No equivalent

Management have set up controls


to monitor the proper operation of
key controls.
Management have set up controls
to monitor the proper operation of
key controls.
Managers provide assurance on
the effectiveness of their risk
management

Audit test

Test result

Monitoring Control

Audit Test

Test Result

Risk
enabled

Risk
managed

Risk
defined

Risk aware Risk nave


Risk enabled
Risk managed

Risk defined

Risk aware

Risk nave

Characteristics

Internal audit action


-risks

Risk management and internal controls fully Audit risk management


embedded into the operations
processes and use
management assessment of
Enterprise approach to risk management
Audit
management
risk asrisk
appropriate
developed and communicated
processes and use
management assessment of
risk as appropriate

Strategy and policies in place and


communicated. Risk appetite defined

Facilitate risk
management/liaise with risk
management and use
management assessment of
risk where appropriate

Scattered silo based approach to risk


management

Promote enterprise-wide
approach to risk management
and rely on audit risk
assessment

No formal approach developed for risk


management

Promote risk management


and rely on audit risk
assessment

Internal audit action


-controls
Assume controls are as stated in
the ORCR. Check that they are
an adequate response to the
Assume
controls
as stated
risks. Test
a smallare
selection
of in
the
ORCR.
Check
that
they
are
controls over high inherent risks
an adequate response to the
risks. Test controls over high
inherent risks
Where controls are included in
the ORCR check that they are an
adequate response to the risks.
Facilitate the determination of
controls required to manage other
risks. Test controls over high and
medium inherent risks
Determine the risks and controls
necessary by holding workshops
with appropriate managers and
staff. Check controls over all risks
considered unacceptable
Determine the risks and controls
necessary by holding workshops
with appropriate managers and
staff, otherwise use internal
audit's assessment. Use
specialists if necessary. Check
controls over all risks considered
unacceptable.

#
Mind map

Accounts payable audit

Mind map
The mind map used to create the audit program can be found at www.internalaudit.biz
This mind map does not show COSO attributes copied from the COSO audit program at www.internalaudit.biz

w.internalaudit.biz

Incont

# Accounts payable audit


Objectives, Risks and Controls Register (Incomplete)
No

L1obj

L1 Objectives

L1risk

L1 Risks

Maintain profit of existing


business

Processes do not support the


business

Maintain profit of existing


business

Processes do not support the


business

Maintain profit of existing


business

Processes do not support the


business

Maintain profit of existing


business

Processes do not support the


business

Maintain profit of existing


business

Processes do not support the


business

Maintain profit of existing


business

Processes do not support the


business

Maintain profit of existing


business

Processes do not support the


business

Maintain profit of existing


business

Processes do not support the


business

Maintain profit of existing


business

Processes do not support the


business

10

Maintain profit of existing


business

Processes do not support the


business

11

Maintain profit of existing


business

Processes do not support the


business

12

Maintain profit of existing


business

Processes do not support the


business

13

Maintain profit of existing


business

Processes do not support the


business

L2obj

14

Maintain profit of existing


business

Processes do not support the


business

15

Maintain profit of existing


business

Processes do not support the


business

16

Maintain profit of existing


business

Processes do not support the


business

17

Maintain profit of existing


business

Processes do not support the


business

18

Maintain profit of existing


business

Processes do not support the


business

19

Maintain profit of existing


business

Processes do not support the


business

20

Maintain profit of existing


business

Processes do not support the


business

21

Maintain profit of existing


business

Processes do not support the


business

22

Maintain profit of existing


business

Processes do not support the


business

23

Maintain profit of existing


business

Processes do not support the


business

24

Maintain profit of existing


business

Processes do not support the


business

25

Maintain profit of existing


business

Processes do not support the


business

26

Maintain profit of existing


business

Processes do not support the


business

27

Maintain profit of existing


business

Processes do not support the


business

28

Maintain profit of existing


business

Processes do not support the


business

29

Maintain profit of existing


business

Processes do not support the


business

30

Maintain profit of existing


business

Processes do not support the


business

31

Maintain profit of existing


business

Processes do not support the


business

32

Maintain profit of existing


business

Processes do not support the


business

33

Maintain profit of existing


business

Processes do not support the


business

34

Maintain profit of existing


business

Processes do not support the


business

35

Maintain profit of existing


business

Processes do not support the


business

36

Maintain profit of existing


business

Processes do not support the


business

37

Maintain profit of existing


business

Processes do not support the


business

38

Maintain profit of existing


business

Processes do not support the


business

39

Maintain profit of existing


business

Processes do not support the


business

40

Maintain profit of existing


business

Processes do not support the


business

41

Maintain profit of existing


business

Processes do not support the


business

42

Maintain profit of existing


business

Processes do not support the


business

43

Maintain profit of existing


business

Processes do not support the


business

44

Maintain profit of existing


business

Processes do not support the


business

45

Maintain profit of existing


business

Processes do not support the


business

46

Maintain profit of existing


business

Processes do not support the


business

47

Maintain profit of existing


business

Processes do not support the


business

48

Maintain profit of existing


business

Processes do not support the


business

49

Maintain profit of existing


business

Processes do not support the


business

50

Maintain profit of existing


business

Processes do not support the


business

51

Maintain profit of existing


business

Processes do not support the


business

52

Maintain profit of existing


business

Processes do not support the


business

53

Maintain profit of existing


business

Processes do not support the


business

54

Maintain profit of existing


business

Processes do not support the


business

55

Maintain profit of existing


business

Processes do not support the


business

56

Maintain profit of existing


business

Processes do not support the


business

57

Maintain profit of existing


business

Processes do not support the


business

58

Maintain profit of existing


business

Processes do not support the


business

59

Maintain profit of existing


business

Processes do not support the


business

60

Maintain profit of existing


business

Processes do not support the


business

61

Maintain profit of existing


business

Processes do not support the


business

62

Maintain profit of existing


business

Processes do not support the


business

63

Maintain profit of existing


business

Processes do not support the


business

64

Maintain profit of existing


business

Processes do not support the


business

65

Maintain profit of existing


business

Processes do not support the


business

66

Maintain profit of existing


business

Processes do not support the


business

67

Maintain profit of existing


business

Processes do not support the


business

68

Maintain profit of existing


business

Processes do not support the


business

69

Maintain profit of existing


business

Processes do not support the


business

70

Maintain profit of existing


business

Processes do not support the


business

71

Maintain profit of existing


business

Processes do not support the


business

72

Maintain profit of existing


business

Processes do not support the


business

73

Maintain profit of existing


business

Processes do not support the


business

74

Maintain profit of existing


business

Processes do not support the


business

75

Maintain profit of existing


business

Processes do not support the


business

76

Maintain profit of existing


business

Processes do not support the


business

77

Maintain profit of existing


business

Processes do not support the


business

78

Maintain profit of existing


business

Processes do not support the


business

79

Maintain profit of existing


business

Processes do not support the


business

80

Maintain profit of existing


business

Processes do not support the


business

81

Maintain profit of existing


business

Processes do not support the


business

82

Maintain profit of existing


business

Processes do not support the


business

83

Maintain profit of existing


business

Processes do not support the


business

84

Maintain profit of existing


business

Processes do not support the


business

85

Maintain profit of existing


business

Processes do not support the


business

86

Maintain profit of existing


business

Processes do not support the


business

87

Maintain profit of existing


business

Processes do not support the


business

88

Maintain profit of existing


business

Processes do not support the


business

89

Maintain profit of existing


business

Processes do not support the


business

90

Maintain profit of existing


business

Processes do not support the


business

91

Maintain profit of existing


business

Processes do not support the


business

92

Maintain profit of existing


business

Processes do not support the


business

93

Maintain profit of existing


business

Processes do not support the


business

94

Maintain profit of existing


business

Processes do not support the


business

95

Maintain profit of existing


business

Processes do not support the


business

96

Maintain profit of existing


business

Processes do not support the


business

97

Maintain profit of existing


business

Processes do not support the


business

98

Maintain profit of existing


business

Processes do not support the


business

99

Maintain profit of existing


business

Processes do not support the


business

100

Maintain profit of existing


business

Processes do not support the


business

101

Maintain profit of existing


business

Processes do not support the


business

102

Maintain profit of existing


business

Processes do not support the


business

103

Maintain profit of existing


business

Processes do not support the


business

104

Maintain profit of existing


business

Processes do not support the


business

105

Maintain profit of existing


business

Processes do not support the


business

106

Maintain profit of existing


business

Processes do not support the


business

107

Maintain profit of existing


business

Processes do not support the


business

108

Maintain profit of existing


business

Processes do not support the


business

109

Maintain profit of existing


business

Processes do not support the


business

110

Maintain profit of existing


business

Processes do not support the


business

111

Maintain profit of existing


business

Processes do not support the


business

112

Maintain profit of existing


business

Processes do not support the


business

113

Maintain profit of existing


business

Processes do not support the


business

114

Maintain profit of existing


business

Processes do not support the


business

115

Maintain profit of existing


business

Processes do not support the


business

116

Maintain profit of existing


business

Processes do not support the


business

117

Maintain profit of existing


business

Processes do not support the


business

118

Maintain profit of existing


business

Processes do not support the


business

119

Maintain profit of existing


business

Processes do not support the


business

120

Maintain profit of existing


business

Processes do not support the


business

121

Maintain profit of existing


business

Processes do not support the


business

122

Maintain profit of existing


business

Processes do not support the


business

123

Maintain profit of existing


business

Processes do not support the


business

124

Maintain profit of existing


business

Processes do not support the


business

125

Maintain profit of existing


business

Processes do not support the


business

126

Maintain profit of existing


business

Processes do not support the


business

127

Maintain profit of existing


business

Processes do not support the


business

128

Maintain profit of existing


business

Processes do not support the


business

129

Maintain profit of existing


business

Processes do not support the


business

130

Maintain profit of existing


business

Processes do not support the


business

131

Maintain profit of existing


business

Processes do not support the


business

132

Maintain profit of existing


business

Processes do not support the


business

133

Maintain profit of existing


business

Processes do not support the


business

134

Maintain profit of existing


business

Processes do not support the


business

135

Maintain profit of existing


business

Processes do not support the


business

136

Maintain profit of existing


business

Processes do not support the


business

137

Maintain profit of existing


business

Processes do not support the


business

138

Maintain profit of existing


business

Processes do not support the


business

139

Maintain profit of existing


business

Processes do not support the


business

140

Maintain profit of existing


business

Processes do not support the


business

141

Maintain profit of existing


business

Processes do not support the


business

142

Maintain profit of existing


business

Processes do not support the


business

143

Maintain profit of existing


business

Processes do not support the


business

144

Maintain profit of existing


business

Processes do not support the


business

145

Maintain profit of existing


business

Processes do not support the


business

146

Maintain profit of existing


business

Processes do not support the


business

147

Maintain profit of existing


business

Processes do not support the


business

148

Maintain profit of existing


business

Processes do not support the


business

149

Maintain profit of existing


business

Processes do not support the


business

150

Maintain profit of existing


business

Processes do not support the


business

151

Maintain profit of existing


business

Processes do not support the


business

152

Maintain profit of existing


business

Processes do not support the


business

153

Maintain profit of existing


business

Processes do not support the


business

154

Maintain profit of existing


business

Processes do not support the


business

155

Maintain profit of existing


business

Processes do not support the


business

156

Maintain profit of existing


business

Processes do not support the


business

157

Maintain profit of existing


business

Processes do not support the


business

158

Maintain profit of existing


business

Processes do not support the


business

159

Maintain profit of existing


business

Processes do not support the


business

160

Maintain profit of existing


business

Processes do not support the


business

161

Maintain profit of existing


business

Processes do not support the


business

162

Maintain profit of existing


business

Processes do not support the


business

163

Maintain profit of existing


business

Processes do not support the


business

164

Maintain profit of existing


business

Processes do not support the


business

165

Maintain profit of existing


business

Processes do not support the


business

166

Maintain profit of existing


business

Processes do not support the


business

167

Maintain profit of existing


business

Processes do not support the


business

168

Maintain profit of existing


business

Processes do not support the


business

169

Maintain profit of existing


business

Processes do not support the


business

170

Maintain profit of existing


business

Processes do not support the


business

171

Maintain profit of existing


business

Processes do not support the


business

172

Maintain profit of existing


business

Processes do not support the


business

173

Maintain profit of existing


business

Processes do not support the


business

174

Maintain profit of existing


business

Processes do not support the


business

175

Maintain profit of existing


business

Processes do not support the


business

176

Maintain profit of existing


business

Processes do not support the


business

177

Maintain profit of existing


business

Processes do not support the


business

178

Maintain profit of existing


business

Processes do not support the


business

179

Maintain profit of existing


business

Processes do not support the


business

180

Maintain profit of existing


business

Processes do not support the


business

181

Maintain profit of existing


business

Processes do not support the


business

182

Maintain profit of existing


business

Processes do not support the


business

183

Maintain profit of existing


business

Processes do not support the


business

184

Maintain profit of existing


business

Processes do not support the


business

185

Maintain profit of existing


business

Processes do not support the


business

186

Maintain profit of existing


business

Processes do not support the


business

187

Maintain profit of existing


business

Processes do not support the


business

188

Maintain profit of existing


business

Processes do not support the


business

189

Maintain profit of existing


business

Processes do not support the


business

190

Maintain profit of existing


business

Processes do not support the


business

191

Maintain profit of existing


business

Processes do not support the


business

192

Maintain profit of existing


business

Processes do not support the


business

193

Maintain profit of existing


business

Processes do not support the


business

194

Maintain profit of existing


business

Processes do not support the


business

195

Maintain profit of existing


business

Processes do not support the


business

196

Maintain profit of existing


business

Processes do not support the


business

197

Maintain profit of existing


business

Processes do not support the


business

198

Maintain profit of existing


business

Processes do not support the


business

199

Maintain profit of existing


business

Processes do not support the


business

200

Maintain profit of existing


business

Processes do not support the


business

201

Maintain profit of existing


business

Processes do not support the


business

202

Maintain profit of existing


business

Processes do not support the


business

203

Maintain profit of existing


business

Processes do not support the


business

204

Maintain profit of existing


business

Processes do not support the


business

205

Maintain profit of existing


business

Processes do not support the


business

206

Maintain profit of existing


business

Processes do not support the


business

207

Maintain profit of existing


business

Processes do not support the


business

208

Maintain profit of existing


business

Processes do not support the


business

209

Maintain profit of existing


business

Processes do not support the


business

210

Maintain profit of existing


business

Processes do not support the


business

211

Maintain profit of existing


business

Processes do not support the


business

212

Maintain profit of existing


business

Processes do not support the


business

213

Maintain profit of existing


business

Processes do not support the


business

214

Maintain profit of existing


business

Processes do not support the


business

215

Maintain profit of existing


business

Processes do not support the


business

216

Maintain profit of existing


business

Processes do not support the


business

217

Maintain profit of existing


business

Processes do not support the


business

218

Maintain profit of existing


business

Processes do not support the


business

219

Maintain profit of existing


business

Processes do not support the


business

220

Maintain profit of existing


business

Processes do not support the


business

221

Maintain profit of existing


business

Processes do not support the


business

222

Maintain profit of existing


business

Processes do not support the


business

223

Maintain profit of existing


business

Processes do not support the


business

224

Maintain profit of existing


business

Processes do not support the


business

225

Maintain profit of existing


business

Processes do not support the


business

226

Maintain profit of existing


business

Processes do not support the


business

227

Maintain profit of existing


business

Processes do not support the


business

228

Maintain profit of existing


business

Processes do not support the


business

229

Maintain profit of existing


business

Processes do not support the


business

230

Maintain profit of existing


business

Processes do not support the


business

231

Maintain profit of existing


business

Processes do not support the


business

232

Maintain profit of existing


business

Processes do not support the


business

233

Maintain profit of existing


business

Processes do not support the


business

234

Maintain profit of existing


business

Processes do not support the


business

235

Maintain profit of existing


business

Processes do not support the


business

236

Maintain profit of existing


business

Processes do not support the


business

237

Maintain profit of existing


business

Processes do not support the


business

238

Maintain profit of existing


business

Processes do not support the


business

239

Maintain profit of existing


business

Processes do not support the


business

240

Maintain profit of existing


business

Processes do not support the


business

241

Maintain profit of existing


business

Processes do not support the


business

242

Maintain profit of existing


business

Processes do not support the


business

243

Maintain profit of existing


business

Processes do not support the


business

244

Maintain profit of existing


business

Processes do not support the


business

245

Maintain profit of existing


business

Processes do not support the


business

246

Maintain profit of existing


business

Processes do not support the


business

247

Maintain profit of existing


business

Processes do not support the


business

248

Maintain profit of existing


business

Processes do not support the


business

249

Maintain profit of existing


business

Processes do not support the


business

250

Maintain profit of existing


business

Processes do not support the


business

251

Maintain profit of existing


business

Processes do not support the


business

252

Maintain profit of existing


business

Processes do not support the


business

253

Maintain profit of existing


business

Processes do not support the


business

254

Maintain profit of existing


business

Processes do not support the


business

255

Maintain profit of existing


business

Processes do not support the


business

256

Maintain profit of existing


business

Processes do not support the


business

258

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

259

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

260

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

261

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

262

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

263

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

264

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

265

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

266

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

267

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

257

268

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

269

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

270

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

271

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

272

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

273

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

274

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

275

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

276

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

277

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

278

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

279

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

280

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

281

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

282

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

283

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

284

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

285

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

286

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

287

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

288

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

289

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

290

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

291

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

292

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

293

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

294

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

295

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

296

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

297

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

298

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

299

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

300

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

301

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

302

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

303

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

304

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

305

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

306

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

307

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

308

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

309

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

310

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

311

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

312

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

313

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

314

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

315

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

316

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

317

Establish strategies for


delivering the objectives

Company does not achieve


stakeholder objectives

L2 Objectives

L2risk L2

Risks

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

L3obj

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Processes are not fit for purpose or


will not remain fit for purpose

Pay suppliers the correct


amount at the time agreed

Losses result from inadequate


controls

Pay suppliers the correct


amount at the time agreed

Losses result from inadequate


controls

Pay suppliers the correct


amount at the time agreed

Losses result from inadequate


controls

Pay suppliers the correct


amount at the time agreed

Losses result from inadequate


controls

Pay suppliers the correct


amount at the time agreed

Losses result from inadequate


controls

Pay suppliers the correct


amount at the time agreed

Losses result from inadequate


controls

Pay suppliers the correct


amount at the time agreed

Incorrect set up data

Pay suppliers the correct


amount at the time agreed

Incorrect set up data

Pay suppliers the correct


amount at the time agreed

Incorrect set up data

Pay suppliers the correct


amount at the time agreed

Incorrect set up data

Pay suppliers the correct


amount at the time agreed

Incorrect set up data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Incorrect standing data

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Incorrect supplier data

Pay suppliers the correct


amount at the time agreed

Incorrect supplier data

Pay suppliers the correct


amount at the time agreed

Incorrect supplier data

Pay suppliers the correct


amount at the time agreed

Incorrect supplier data

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Transaction data used to update


balances is incorrect

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Suppliers paid incorrect amount


and/or at wrong time

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Payment (possibly fraudulent) is


made when no goods or services
have been properly received

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect balances

Pay suppliers the correct


amount at the time agreed

Incorrect output

Pay suppliers the correct


amount at the time agreed

Incorrect output

Pay suppliers the correct


amount at the time agreed

Incorrect output

Pay suppliers the correct


amount at the time agreed

Incorrect output

Pay suppliers the correct


amount at the time agreed

Incorrect output

Pay suppliers the correct


amount at the time agreed

Incorrect output

Pay suppliers the correct


amount at the time agreed

Incorrect output

Pay suppliers the correct


amount at the time agreed

Incorrect output

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

The databases are corrupted or


destroyed (The audit covering these
risks may be a separate IT audit)

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Incorrect accounting of goods-and


services

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Pay suppliers the correct


amount at the time agreed

Resources do not support the


objective

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

No foundation for controls (Control


Environment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Risks not identified (Risk Assessment)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not implemented (Control


Activities)

Establish an internal
control framework (US COSO)

Controls not operated (Information


and Communication)

Establish an internal
control framework (US COSO)

Controls not operated (Information


and Communication)

Establish an internal
control framework (US COSO)

Controls not operated (Information


and Communication)

Establish an internal
control framework (US COSO)

Controls not operated (Information


and Communication)

Establish an internal
control framework (US COSO)

Controls not operated (Information


and Communication)

Establish an internal
control framework (US COSO)

Controls not operated (Information


and Communication)

Establish an internal
control framework (US COSO)

Controls not operated (Information


and Communication)

Establish an internal
control framework (US COSO)

Controls not operated (Information


and Communication)

Establish an internal
control framework (US COSO)

Control deficiencies not corrected


(Monitoring Activities)

Establish an internal
control framework (US COSO)

Control deficiencies not corrected


(Monitoring Activities)

Establish an internal
control framework (US COSO)

Control deficiencies not corrected


(Monitoring Activities)

Establish an internal
control framework (US COSO)

Control deficiencies not corrected


(Monitoring Activities)

Establish an internal
control framework (US COSO)

Control deficiencies not corrected


(Monitoring Activities)

Establish an internal
control framework (US COSO)

Control deficiencies not corrected


(Monitoring Activities)

Establish an internal
control framework (US COSO)

Control deficiencies not corrected


(Monitoring Activities)

Establish an internal
control framework (US COSO)

Control deficiencies not corrected


(Monitoring Activities)

Establish an internal
control framework (US COSO)

Control deficiencies not corrected


(Monitoring Activities)

L3 Objectives

L3risk

L3 Risks

Maintain a strategy which ensures the process


achieves maximum efficiency and effectiveness
now and in the future

1 The strategy does not contain clear


objectives, is not financially justified or
documented

Maintain a strategy which ensures the process


achieves maximum efficiency and effectiveness
now and in the future

1 The strategy does not contain clear


objectives, is not financially justified or
documented

Maintain a strategy which ensures the process


achieves maximum efficiency and effectiveness
now and in the future

1 The strategy does not contain clear


objectives, is not financially justified or
documented

Maintain a strategy which ensures the process


achieves maximum efficiency and effectiveness
now and in the future

1 The strategy does not contain clear


objectives, is not financially justified or
documented

Maintain a strategy which ensures the process


achieves maximum efficiency and effectiveness
now and in the future

2 Strategy does not address all the significant


risks

Maintain a strategy which ensures the process


achieves maximum efficiency and effectiveness
now and in the future

3 Objectives within the strategy are not


achieved

Maintain a strategy which ensures the process


achieves maximum efficiency and effectiveness
now and in the future

3 Objectives within the strategy are not


achieved

Maintain a strategy which ensures the process


achieves maximum efficiency and effectiveness
now and in the future

4 The strategy is not communicated to relevant


staff

Maintain processes to ensure that tax, disclosure


and other legal requirements are followed

5 Information relating to specific accounting or


taxation requirements may not be obtainable,
or may be open to misinterpretation.

Maintain processes to ensure that tax, disclosure


and other legal requirements are followed

6 Information relating to specific accounting or


taxation requirements may not be obtainable,
or may be open to misinterpretation.

Maintain processes to ensure that tax, disclosure


and other legal requirements are followed

6 Information relating to specific accounting or


taxation requirements may not be obtainable,
or may be open to misinterpretation.

Maintain processes to ensure that tax, disclosure


and other legal requirements are followed

6 Information relating to specific accounting or


taxation requirements may not be obtainable,
or may be open to misinterpretation for
example payments to bank accounts in 'tax
havens'

Maintain processes to ensure that tax, disclosure


and other legal requirements are followed

7 Legislation may not be followed or


understood.

Maintain processes to ensure that company


policies are established and communicated

8 Company policy may not be clear. (Company


policy includes that defined in: Code of
Conduct; staff manual and AP manual)

Maintain processes to ensure that company


policies are established and communicated

9 Company policies are not adhered to.

Maintain processes to ensure that company


policies are established and communicated

9 Company policies are not adhered to.

Maintain processes to ensure that company


policies are established and communicated

10 Policy may not include the allocation of


capital and expense expenditure

Maintain processes to ensure that company


policies are established and communicated

11 Policy may not take account of latest


accepted best practice or accounting
standards

Maintain processes to ensure that company


policies are established and communicated

12 Examination and review of actual policies


followed may not be done on a regular basis.

Maintain the structure, authority and responsibility


of the functions involved to pay suppliers
efficiently and effectively

13 Structure of the function will not deliver the


processes efficiently and effectively

Maintain the structure, authority and responsibility


of the functions involved to pay suppliers
efficiently and effectively

14 The authority given to individual staff in the


function will not enable them to effectively
achieve the objectives

Maintain the structure, authority and responsibility


of the functions involved to pay suppliers
efficiently and effectively

15 The responsibilities allocated to staff will not


cover all the responsibilities required to
deliver the objectives

Maintain the structure, authority and responsibility


of the functions involved to pay suppliers
efficiently and effectively

16 Responsibilities allocated to staff results in


fraud due to inadequate segregation of duties

Establish a risk management framework to


identify risks threatening the objectives and
responses required to manage the risks

17 Risks to the processes are not identified

Establish a risk management framework to


identify risks threatening the objectives and
responses required to manage the risks

18 Risks to the processes are not identified as


part of routine processes

Establish a risk management framework to


identify risks threatening the objectives and
responses required to manage the risks

19 Risks to the processes are not identified


when functions and processes change due to
changes in the business or external changes

Establish a risk management framework to


identify risks threatening the objectives and
responses required to manage the risks

20 Risks to the processes are not identified and


their response checked

Establish a risk management framework to


identify risks threatening the objectives and
responses required to manage the risks

21 Responses to bring risks to below the risk


appetite are not present

Establish a risk management framework to


identify risks threatening the objectives and
responses required to manage the risks

22 Responses to bring risks to below the risk


appetite are not operating

Data used for set up was complete, accurate and


complied with regulations

23 Data supplied was incorrect

Data used for set up was complete, accurate and


complied with regulations

23 Data supplied was incorrect

Data used for set up was complete, accurate and


complied with regulations

24 Data was input incorrectly

Data used for set up was complete, accurate and


complied with regulations

24 Data was input incorrectly

Data used for set up was complete, accurate and


complied with regulations

24 Data was input incorrectly

Data used for standing data, including suppliers,


was relevant, complete, accurate and complied
with regulations

25 Data supplied was inaccurate

Data used for standing data, including suppliers,


was relevant, complete, accurate and complied
with regulations

26 Data was input incorrectly

Data used for standing data, including suppliers,


was relevant, complete, accurate and complied
with regulations

26 Data was input incorrectly

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

27 Data supplied is inaccurate

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

28 Data supplied is incomplete or not supplied

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

28 Data supplied is incomplete or not supplied

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

28 Data supplied is incomplete or not supplied

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

29 Data is input incorrectly

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

29 Data is input incorrectly

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

30 Data is input at the wrong time, or not at all

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

30 Data is input at the wrong time, or not at all

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

31 Data does not conform to regulations

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

31 Data does not conform to regulations

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

31 Data does not conform to regulations

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

32 Malicious/fraudulent data set up

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

32 Malicious/fraudulent data set up

Data being used to update standing data, such


as tax rates, is relevant, complete, accurate,
timely and complies with regulations

32 Malicious/fraudulent data set up

Data being used to update suppliers using orders


is complete and accurate

33 Supplier data is incorrect

Data being used to update suppliers using orders


is complete and accurate

34 Supplier data is input incorrectly

Data being used to update suppliers using orders


is complete and accurate

35 Data supplied is incomplete or not supplied

Data being used to update suppliers using orders


is complete and accurate

35 Data supplied is incomplete or not supplied

Data being used to update suppliers using orders


is complete and accurate

36 Data is input at the wrong time

Data being used to update suppliers using orders


is complete and accurate

37 Data does not conform to regulations

Data being used to update suppliers using orders


is complete and accurate

37 Data does not conform to regulations

Data being used to update suppliers using orders


is complete and accurate

38 Malicious/fraudulent data set up

Data being used to update suppliers using orders


is complete and accurate

38 Malicious/fraudulent data set up

Data being used to update suppliers using orders


is complete and accurate

38 Malicious/fraudulent data set up

Data being used to update suppliers NOT using


orders is complete and accurate

39 Standing data is input incorrectly

Data being used to update suppliers NOT using


orders is complete and accurate

39 Standing data is input incorrectly

Supplier discount is recorded

40 Supplier discount not agreed

Supplier discount is recorded

40 Supplier discount not agreed

Supplier discount is recorded

41 Supplier discount incorrectly recorded

Supplier discount is recorded

41 Supplier discount incorrectly recorded

Invoices with/without an order number:


Invoice and credit note transaction data being
used to update balances is relevant, complete,
accurate, timely and complies with regulations

42 Invoices don't reach Accounts Payable

Invoices with/without an order number:


Invoice and credit note transaction data being
used to update balances is relevant, complete,
accurate, timely and complies with regulations

43 Batch total calculated incorrectly

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

44 Incorrect supplier selected on input

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

45 Incorrect order number entered

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

46 Incorrect/incomplete data on invoice

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

47 Account coding for invoice is incorrect

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

48 Invoice total is incorrectly calculated

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

48 Invoice total is incorrectly calculated

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

49 Invoice tax incorrectly calculated

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

50 Invoice tax incorrectly calculated or


incorrectly input

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

51 Goods not received

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

51 Goods not received

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

52 Services not received

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

53 Goods/services priced incorrectly/Incorrect


costs input

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

53 Invoice payment delayed if queries from


mismatching not promptly cleared

Invoices with an order: Invoice and credit note


transaction data being used to update balances
is relevant, complete, accurate, timely and
complies with regulations

54 Duplicate invoices posted

Invoices with an order number: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

55 Invoice not sent or received

Invoices with an order: Invoice and credit note


transaction data being used to update balances
is relevant, complete, accurate, timely and
complies with regulations

55 Invoice not sent or received

Invoices with an order: Invoice and credit note


transaction data being used to update balances
is relevant, complete, accurate, timely and
complies with regulations

56 Invoices are input before the charge


becomes due, that is before goods/services
are delivered

Credit notes: Invoice and credit note transaction


data being used to update balances is relevant,
complete, accurate, timely and complies with
regulations

57 Credit note data input incorrectly

Credit notes: Invoice and credit note transaction


data being used to update balances is relevant,
complete, accurate, timely and complies with
regulations

57 Credit note data input incorrectly

Invoices with no order: Invoice and credit note


transaction data being used to update balances
is relevant, complete, accurate, timely and
complies with regulations

58 Invoices are lost in the approval process

Invoices without an order: Invoice and credit


note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

59 Incorrect supplier selected on input

Invoices without an order: Invoice and credit


note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

60 Incorrect/incomplete data on invoice

Invoices without an order: Invoice and credit


note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

61 Account coding for invoice is incorrect

Invoices without an order: Invoice and credit


note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

62 Excessive prices are paid to untrustworthy


suppliers.

Invoices without an order: Invoice and credit


note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

63 Invoice total is incorrectly calculated

Invoices without an order: Invoice and credit


note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

63 Invoice total is incorrectly calculated

Invoices without an order: Invoice and credit


note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

64 Invoice tax incorrectly calculated

Invoices without an order: Invoice and credit


note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

65 Invoice tax incorrectly calculated or


incorrectly input

Invoices without an order: Invoice and credit


note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

66 Goods or services not received

Invoices without an order: Invoice and credit


note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

67 Invoice recorded for which company has


received no benefits or deficient
goods/services

Invoices without an order: Invoice and credit


note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

68 Goods/services priced incorrectly/Incorrect


costs input

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

69 Standing data is overridden during input

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

69 Standing data is overridden during input

Invoices with no order: Invoice and credit note


transaction data being used to update balances
is relevant, complete, accurate, timely and
complies with regulations

70 Data on invoice supplied is not completely


input

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

71 Invoices are input before the charge


becomes due

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

71 Invoices are input before the charge


becomes due

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

72 Invoices held as a result of matching queries


or awaiting approval are not cleared for
payment promptly- e-mails not sent, not
received or reports not actioned.

Invoices with no order: Invoice and credit note


transaction data being used to update balances
is relevant, complete, accurate, timely and
complies with regulations

73 Invoice recorded for which company has


received no benefits or deficient
goods/services

Invoices with no order: Invoice and credit note


transaction data being used to update balances
is relevant, complete, accurate, timely and
complies with regulations

74 Duplicate invoices posted

Invoices with no order: Invoice and credit note


transaction data being used to update balances
is relevant, complete, accurate, timely and
complies with regulations

74 Duplicate invoices posted

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

74 Duplicate invoices posted

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

75 Incorrect treatment of invoice for taxation


purposes (for example VAT reclaimed on an
entertainment invoice for customers)

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

76 Incorrect treatment of invoice for taxation


purposes

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

76 Incorrect treatment of invoice for taxation


purposes

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

76 Incorrect treatment of invoice for taxation


purposes

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

76 Incorrect treatment of invoice for taxation


purposes

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

76 Incorrect treatment of invoice for taxation


purposes

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

76 Incorrect treatment of invoice for taxation


purposes

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

77 Malicious/fraudulent data input

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

77 Malicious/fraudulent data input

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

77 Malicious/fraudulent data input

Invoices with/without an order: Invoice and


credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations

77 Malicious/fraudulent data input

Cash is available to pay suppliers

78 Insufficient funds in the bank

All payments made are only for goods which go


onto be sold or used

79 Payment made for goods delivered late or


otherwise not meeting contract terms

All payments made are only for goods which go


onto be sold or used

79 Payment made for goods delivered late or


otherwise not meeting contract terms

All payments made are only for goods which go


onto be sold or used

80 Credit not demanded from suppliers for


defective goods

All payments made are only for goods which go


onto be sold or used

80 Credit not demanded from suppliers for


defective goods

All payments made are only for goods which go


onto be sold or used

80 Credit not demanded from suppliers for


defective goods

All payments made are only for goods which go


onto be sold or used

80 Credit not demanded from suppliers for


defective goods

All payments made are only for goods which go


onto be sold or used

9 Amount paid is incorrect

All payments made are only for goods which go


onto be sold or used

81 Amount paid is incorrect

All payments made are only for goods which go


onto be sold or used

81 Amount paid is incorrect

All payments made are only for goods which go


onto be sold or used

81 Amount paid is incorrect

All payments made are only for goods which go


onto be sold or used

81 Amount paid is incorrect

All payments made are only for goods which go


onto be sold or used

81 Amount paid is incorrect

All payments made are only for goods which go


onto be sold or used

81 Amount paid is incorrect

All payments made are only for goods which go


onto be sold or used

81 Amount paid is incorrect

All payments made are only for goods which go


onto be sold or used

81 Amount paid is incorrect

Payment made on time to correct bank account

82 Payments made early or late

Payment made on time to correct bank account

83 Payment made to wrong supplier account

Payment made on time to correct bank account

83 Payment made to wrong supplier account

Payment made on time to correct bank account

83 Payment made to wrong supplier account

Payment made on time to correct bank account

84 Payment made to wrong bank account

All deductions are taken

85 Discounts available not taken

All deductions are taken

85 Discounts available not taken

All deductions are taken

85 Discounts available not taken

All deductions are taken

85 Discounts available not taken

All deductions are taken

86 Credit from suppliers not taken

All deductions are taken

87 Discounts/rebates not taken or taken at


wrong time

All deductions are taken

87 Discounts/rebates not taken or taken at


wrong time

All deductions are taken

87 Discounts/rebates not taken or taken at


wrong time

Payments are checked

88 Checking procedure not thorough

Payments are checked

88 Checking procedure not thorough

Payments are checked

89 A large single fraudulent payment is made

Payments are checked

89 A large single fraudulent payment is made

Payments are checked

90 Payment not put through checking


procedures

Payments are checked

90 Payment not put through checking


procedures

Payments are checked

90 Payment not put through checking


procedures

Payments are properly authorized

91 Payments authorized by wrong person

Payments are properly authorized

91 Payments authorized by wrong person

Payments are properly authorized

91 Payments authorized by wrong person

Payments are properly authorized

91 Payments authorized by wrong person

Payments are properly authorized

91 Payments authorized by wrong person

On-line payments are secure

92 Fraudulent payment made

On-line payments are secure

92 Fraudulent payment made

On-line payments are secure

92 Fraudulent payment made

Check (cheque) payments are secured

93 Cheque machine signature plates are stolen


and misused

Check (cheque) payments are secured

93 Cheque machine signature plates are stolen


and misused

Check (cheque) payments are secured

94 Checks/checks (cheques) are altered after


printing

Check (cheque) payments are secured

95 Blank checks/checks (cheques) are stolen

Check (cheque) payments are secured

95 Blank checks/checks (cheques) are stolen

Check (cheque) payments are secured

95 Blank checks/checks (cheques) are stolen

Bank transfer documents are secure

96 Widely available bank transfer documents


are used to fraudulently transfer payments

Bank transfer documents are secure

96 Widely available bank transfer documents


are used to fraudulently transfer payments

The balance total agrees with that in the general


ledger

97 Data input directly into GL without a system


transaction

The balance total agrees with that in the general


ledger

97 Data input directly into GL without a system


transaction

The balance total agrees with that in the general


ledger

98 Data not transferred from system to GL

The balance total agrees with that in the general


ledger

98 Data not transferred from system to GL

The balance total agrees with that in the general


ledger

98 Data not transferred from system to GL

The balance total agrees with that in the general


ledger

98 Data not transferred from system to GL

The balance total agrees with that in the general


ledger

99 Timing differences between system and GL


input

All balances are comprised of transactions which


are identifiable, authorized and valid

100 Items making up the balance cannot be


identified with authorized transactions

All balances are comprised of transactions which


are identifiable, authorized and valid

100 Items making up the balance cannot be


identified with authorized transactions

All balances are comprised of transactions which


are identifiable, authorized and valid

100 Items making up the balance cannot be


identified with authorized transactions

All balances are comprised of transactions which


are identifiable, authorized and valid

100 Items making up the balance cannot be


identified with independent data

All balances are comprised of transactions which


are identifiable, authorized and valid

100 Items making up the balance cannot be


identified with independent data

All balances are comprised of transactions which


are identifiable, authorized and valid

101 Items making up the balance are overdue

All balances are comprised of transactions which


are identifiable, authorized and valid

102 Items making up the balance don't comply


with regulations

Output data is relevant, complete, accurate,


timely and complies with regulations

103 Output data is not relevant

Output data is relevant, complete, accurate,


timely and complies with regulations

103 Output data is not relevant

Output data is relevant, complete, accurate,


timely and complies with regulations

103 Output data is incorrect

Output data is relevant, complete, accurate,


timely and complies with regulations

104 Output data is incorrect

Output data is relevant, complete, accurate,


timely and complies with regulations

104 Output data is incomplete

Output data is relevant, complete, accurate,


timely and complies with regulations

105 Data is output at the wrong time

Output data is relevant, complete, accurate,


timely and complies with regulations

106 Output data does not conform to regulations

Output data is relevant, complete, accurate,


timely and complies with regulations

106 Output data does not conform to regulations

The database is secured against alteration, other


than by permitted transactions

107 Unauthorized alterations occur

The database is secured against alteration, other


than by permitted transactions

107 Unauthorized alterations occur

The database is secured against alteration, other


than by permitted transactions

107 Unauthorized alterations occur

The database is secured against alteration, other


than by permitted transactions

107 Unauthorized alterations occur

The database is secured against alteration, other


than by permitted transactions

107 Unauthorized alterations occur

The database is secured against alteration, other


than by permitted transactions

107 Unauthorized alterations occur

The database is secured against alteration, other


than by permitted transactions

107 Unauthorized alterations occur

The database is secured against alteration, other


than by permitted transactions

108 Unauthorized alterations not detected

The database is secured against alteration, other


than by permitted transactions

108 Unauthorized alterations not detected

The database is secured against alteration, other


than by permitted transactions

108 Unauthorized alterations not detected

Malicious corruption is prevented

109 Computer viruses or other 'malware' corrupts


databases and programs

Malicious corruption is prevented

109 Computer viruses or other 'malware' corrupts


databases and programs

Malicious corruption is prevented

109 Computer viruses or other 'malware' corrupts


databases and programs

Malicious corruption is prevented

109 Computer viruses or other 'malware' corrupts


databases and programs

Malicious corruption is prevented

109 Computer viruses or other 'malware' corrupts


databases and programs

Corruption by malfunctioning IT systems is


prevented

110 Malfunctioning hardware or software corrupts


data

Corruption by malfunctioning IT systems is


prevented

110 Malfunctioning hardware or software corrupts


data

Corruption by malfunctioning IT systems is


prevented

110 Malfunctioning hardware or software corrupts


data

Corruption by malfunctioning IT systems is


prevented

110 Malfunctioning hardware or software corrupts


data

Corruption by malfunctioning IT systems is


prevented

111 Incorrect IT procedures result in incorrect


restoration of files

Corruption by malfunctioning IT systems is


prevented

111 Incorrect IT procedures result in incorrect


restoration of files

Corruption by malfunctioning IT systems is


prevented

111 Incorrect IT procedures result in incorrect


restoration of files

Physical damage to hardware is prevented

112 Hard drives and other storage media


damaged

Physical damage to hardware is prevented

112 Hard drives and other storage media


damaged

Physical damage to hardware is prevented

112 Hard drives and other storage media


damaged

Physical damage to hardware is prevented

113 Hard drives and other storage media stolen

Physical damage to hardware is prevented

113 Hard drives and other storage media stolen

All transactions should be accounted for in the


correct period

114 Transactions posted in the wrong period

All transactions should be accounted for in the


correct period

115 Accruals and pre-payments are incorrect

All transactions should be accounted for in the


correct period

115 Accruals and pre-payments are incorrect

All transactions should be accounted for in the


correct period

115 Accruals and pre-payments are incorrect

All transactions should be accounted for in the


correct period

115 Accruals and pre-payments are incorrect

All transactions should be accounted for in the


correct period

116 Accruals and pre-payments are incorrect

All transactions should be posted to the correct


accounts

117 Transactions are incorrectly coded

All transactions should be posted to the correct


accounts

118 Incorrect adjustments made

All transactions should be posted to the correct


accounts

118 Incorrect adjustments made

All transactions should be posted to the correct


accounts

118 Incorrect adjustments made

Transactions should be classified correctly for tax


and regulatory purposes

119 Invoices not identified for special tax


treatment

Transactions should be classified correctly for tax


and regulatory purposes

119 Invoices not identified for special tax


treatment

Transactions should be classified correctly for tax


and regulatory purposes

119 Invoices not identified for special tax


treatment

Transactions should be classified correctly for tax


and regulatory purposes

119 Invoices not identified for special tax


treatment

Transactions should be classified correctly for tax


and regulatory purposes

119 Invoices not identified for special tax


treatment

Transactions should be classified correctly for tax


and regulatory purposes

119 Invoices not identified for special tax


treatment

Transactions should be classified correctly for tax


and regulatory purposes

119 Invoices not identified for special tax


treatment

Transactions should be classified correctly for tax


and regulatory purposes

119 Invoices not identified for special tax


treatment

Transactions should be classified correctly for tax


and regulatory purposes

120 Invoices not identified for special reporting


purposes

Transactions should be classified correctly for tax


and regulatory purposes

120 Invoices not identified for special reporting


purposes

Transactions should be classified correctly for tax


and regulatory purposes

120 Invoices not identified for special reporting


purposes

Transactions should be classified correctly for tax


and regulatory purposes

120 Invoices not identified for special reporting


purposes

Maintain the IT systems which support the


existing business

121 Function does not achieve maximum


efficiency

Maintain the IT systems which support the


existing business

122 IT systems lose data

Maintain the IT systems which support the


existing business

123 IT systems fail

Maintain the IT systems which support the


existing business

124 Programs miscalculate data

Maintain the IT systems which support the


existing business

124 Programs miscalculate data

Maintain the IT systems which support the


existing business

124 Programs miscalculate data

Recruit and train staff to maintain existing


business

125 Insufficient staff to maintain business


operations

Recruit and train staff to maintain existing


business

126 Insufficient staff to maintain business


operations

Recruit and train staff to maintain existing


business

127 Business operations fail due to lack of staff


knowledge

Recruit and train staff to maintain existing


business

127 Business operations fail due to lack of staff


knowledge

Important documents are secured

128 Documents stolen or damaged

Important documents are secured

128 Documents stolen or damaged

1. Demonstrates Commitment to Integrity and


Ethical ValuesThe organization demonstrates a
commitment to integrity and ethical value

Employees (including board members)


damage the reputation of the entity

1. Demonstrates Commitment to Integrity and


Ethical ValuesThe organization demonstrates a
commitment to integrity and ethical value

Employees (including board members)


damage the reputation of the entity

2. Exercises Oversight ResponsibilityThe board


of directors demonstrates independence from
management and exercises oversight for the
development and performance of internal control

Failure of internal control due to lack of


oversight responsibility from directors

2. Exercises Oversight ResponsibilityThe board


of directors demonstrates independence from
management and exercises oversight for the
development and performance of internal control

Failure of internal control due to lack of


oversight responsibility from directors

2. Exercises Oversight ResponsibilityThe board


of directors demonstrates independence from
management and exercises oversight for the
development and performance of internal control

Failure of internal control due to lack of


oversight responsibility from directors

2. Exercises Oversight ResponsibilityThe board


of directors demonstrates independence from
management and exercises oversight for the
development and performance of internal control

Failure of internal control due to lack of


oversight responsibility from directors

3. Establishes Structure, Authority, and


ResponsibilityManagement establishes, with
board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the
pursuit of objectives

Failure to achieve objectives due to lack of


clear accountability

3. Establishes Structure, Authority, and


ResponsibilityManagement establishes, with
board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the
pursuit of objectives

Failure to achieve objectives due to lack of


clear accountability

3. Establishes Structure, Authority, and


ResponsibilityManagement establishes, with
board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the
pursuit of objectives

Failure to achieve objectives due to lack of


clear accountability

4. Demonstrates Commitment to Competence


The organization demonstrates a commitment to
attract, develop, and retain competent individuals
in alignment with objectives

Insufficient qualified staff available to deliver


objectives

4. Demonstrates Commitment to Competence


The organization demonstrates a commitment to
attract, develop, and retain competent individuals
in alignment with objectives

Insufficient qualified staff available to deliver


objectives

5. Enforces AccountabilityThe organization


holds individuals accountable for their internal
control responsibilities in the pursuit of objectives

No performance measures for individuals

6. Specifies Suitable ObjectivesThe


organization specifies objectives with sufficient
clarity to enable the identification and
assessment of risks relating to objectives

External Non-Financial Reporting objectives


not defined

6. Specifies Suitable ObjectivesThe


organization specifies objectives with sufficient
clarity to enable the identification and
assessment of risks relating to objectives

Internal reporting objectives not defined

6. Specifies Suitable ObjectivesThe


organization specifies objectives with sufficient
clarity to enable the identification and
assessment of risks relating to objectives

Internal reporting objectives not defined

6. Specifies Suitable ObjectivesThe


organization specifies objectives with sufficient
clarity to enable the identification and
assessment of risks relating to objectives

Internal reporting objectives not defined

7. Identifies and Analyzes RiskThe organization


identifies risks to the achievement of its
objectives across the entity and analyses risks as
a basis for determining how the risks should be
managed.

All risks threatening objectives are not


identified or managed

7. Identifies and Analyzes RiskThe organization


identifies risks to the achievement of its
objectives across the entity and analyses risks as
a basis for determining how the risks should be
managed.

All risks threatening objectives are not


identified or managed

7. Identifies and Analyzes RiskThe organization


identifies risks to the achievement of its
objectives across the entity and analyses risks as
a basis for determining how the risks should be
managed.

All risks threatening objectives are not


identified or managed

7. Identifies and Analyzes RiskThe organization


identifies risks to the achievement of its
objectives across the entity and analyses risks as
a basis for determining how the risks should be
managed.

All risks threatening objectives are not


identified or managed

7. Identifies and Analyzes RiskThe organization


identifies risks to the achievement of its
objectives across the entity and analyses risks as
a basis for determining how the risks should be
managed.

All risks threatening objectives are not


identified or managed

8. Assess Fraud RiskThe organization


considers the potential for fraud in assessing
risks to the achievement of objectives.

The opportunities for fraud are not


completely analyzed

8. Assess Fraud RiskThe organization


considers the potential for fraud in assessing
risks to the achievement of objectives.

The opportunities for fraud are not


completely analyzed

8. Assess Fraud RiskThe organization


considers the potential for fraud in assessing
risks to the achievement of objectives.

The opportunities for fraud are not


completely analyzed

9. Identifies and Analyzes Significant Change


The organization identifies and assesses
changes that could significantly impact the
system of internal control

Risks and associated controls not updated to


reflect changes to the business and its
environment

10. Selects and Develops Control ActivitiesThe


organization selects and develops control
activities that contribute to the mitigation of risks
to the achievement of objectives to acceptable
levels.

Controls are inappropriate to the risks

10. Selects and Develops Control ActivitiesThe


organization selects and develops control
activities that contribute to the mitigation of risks
to the achievement of objectives to acceptable
levels.

Controls are inappropriate to the risks

10. Selects and Develops Control ActivitiesThe


organization selects and develops control
activities that contribute to the mitigation of risks
to the achievement of objectives to acceptable
levels.

Controls are inappropriate to the risks

10. Selects and Develops Control ActivitiesThe


organization selects and develops control
activities that contribute to the mitigation of risks
to the achievement of objectives to acceptable
levels.

Controls are inappropriate to the risks

10. Selects and Develops Control ActivitiesThe


organization selects and develops control
activities that contribute to the mitigation of risks
to the achievement of objectives to acceptable
levels.

Controls are inappropriate to the risks

10. Selects and Develops Control ActivitiesThe


organization selects and develops control
activities that contribute to the mitigation of risks
to the achievement of objectives to acceptable
levels.

Controls are inappropriate to the risks

10. Selects and Develops Control ActivitiesThe


organization selects and develops control
activities that contribute to the mitigation of risks
to the achievement of objectives to acceptable
levels.

Controls are inappropriate to the risks

11. Selects and Develops General Controls over


TechnologyThe organization selects and
develops general control activities over
technology to support the achievement of
objectives.

Risks from technology are uncontrolled

11. Selects and Develops General Controls over


TechnologyThe organization selects and
develops general control activities over
technology to support the achievement of
objectives.

Risks from technology are uncontrolled

12. Deploys through Policies and Procedures


The organization deploys control activities
through policies that establish what is expected
and procedures that put the policies into action..

Systems and responsibilities for risks and


internal controls not defined

12. Deploys through Policies and Procedures


The organization deploys control activities
through policies that establish what is expected
and procedures that put the policies into action..

Systems and responsibilities for risks and


internal controls not defined

12. Deploys through Policies and Procedures


The organization deploys control activities
through policies that establish what is expected
and procedures that put the policies into action..

Systems and responsibilities for risks and


internal controls not defined

12. Deploys through Policies and Procedures


The organization deploys control activities
through policies that establish what is expected
and procedures that put the policies into action..

Systems and responsibilities for risks and


internal controls not defined

12. Deploys through Policies and Procedures


The organization deploys control activities
through policies that establish what is expected
and procedures that put the policies into action..

Systems and responsibilities for risks and


internal controls not defined

12. Deploys through Policies and Procedures


The organization deploys control activities
through policies that establish what is expected
and procedures that put the policies into action..

Systems and responsibilities for risks and


internal controls not defined

12. Deploys through Policies and Procedures


The organization deploys control activities
through policies that establish what is expected
and procedures that put the policies into action..

Systems and responsibilities for risks and


internal controls not defined

12. Deploys through Policies and Procedures


The organization deploys control activities
through policies that establish what is expected
and procedures that put the policies into action..

Systems and responsibilities for risks and


internal controls not defined

12. Deploys through Policies and Procedures


The organization deploys control activities
through policies that establish what is expected
and procedures that put the policies into action..

Systems and responsibilities for risks and


internal controls not defined

13. Uses Relevant InformationThe organization


obtains or generates and uses relevant, quality
information to support the functioning of other
components of internal control.

Poor quality information produced

13. Uses Relevant InformationThe organization


obtains or generates and uses relevant, quality
information to support the functioning of other
components of internal control.

Poor quality information produced

13. Uses Relevant InformationThe organization


obtains or generates and uses relevant, quality
information to support the functioning of other
components of internal control.

Poor quality information produced

13. Uses Relevant InformationThe organization


obtains or generates and uses relevant, quality
information to support the functioning of other
components of internal control.

Poor quality information produced

13. Uses Relevant InformationThe organization


obtains or generates and uses relevant, quality
information to support the functioning of other
components of internal control.

Poor quality information produced

13. Uses Relevant InformationThe organization


obtains or generates and uses relevant, quality
information to support the functioning of other
components of internal control.

Poor quality information produced

13. Uses Relevant InformationThe organization


obtains or generates and uses relevant, quality
information to support the functioning of other
components of internal control.

Poor quality information produced

14. Communicates InternallyThe organization


internally communicates information, including
objectives and responsibilities for internal control,
necessary to support the functioning of other
components of internal control

Inadequate internal communication

16. Conducts Ongoing and/or Separate


EvaluationsThe organization selects, develops,
and performs ongoing and/or separate
evaluations to ascertain whether the components
of internal control are present and functioning

Components of internal control not operated

16. Conducts Ongoing and/or Separate


EvaluationsThe organization selects, develops,
and performs ongoing and/or separate
evaluations to ascertain whether the components
of internal control are present and functioning

Components of internal control not operated

16. Conducts Ongoing and/or Separate


EvaluationsThe organization selects, develops,
and performs ongoing and/or separate
evaluations to ascertain whether the components
of internal control are present and functioning

Components of internal control not operated

16. Conducts Ongoing and/or Separate


EvaluationsThe organization selects, develops,
and performs ongoing and/or separate
evaluations to ascertain whether the components
of internal control are present and functioning

Components of internal control not operated

16. Conducts Ongoing and/or Separate


EvaluationsThe organization selects, develops,
and performs ongoing and/or separate
evaluations to ascertain whether the components
of internal control are present and functioning

Components of internal control not operated

16. Conducts Ongoing and/or Separate


EvaluationsThe organization selects, develops,
and performs ongoing and/or separate
evaluations to ascertain whether the components
of internal control are present and functioning

Components of internal control not operated

16. Conducts Ongoing and/or Separate


EvaluationsThe organization selects, develops,
and performs ongoing and/or separate
evaluations to ascertain whether the components
of internal control are present and functioning

Components of internal control not operated

16. Conducts Ongoing and/or Separate


EvaluationsThe organization selects, develops,
and performs ongoing and/or separate
evaluations to ascertain whether the components
of internal control are present and functioning

Components of internal control not operated

17. Evaluates and Communicates Deficiencies


The organization evaluates and communicates
internal control deficiencies in a timely manner to
those parties responsible for taking corrective
action, including senior management and the
board of directors, as appropriate

Failures of internal controls not detected or


remedied

Consequence of risk

Risk source

An inadequate strategy could result in


poor decisions with the failure to seize
opportunities and ultimately result in
inefficiencies

Risk applies to all


objective hierarchies

An inadequate strategy could result in


poor decisions with the failure to seize
opportunities and ultimately result in
inefficiencies

Risk applies to all


objective hierarchies

An inadequate strategy could result in


poor decisions with the failure to seize
opportunities and ultimately result in
inefficiencies

Risk applies to all


objective hierarchies

An inadequate strategy could result in


poor decisions with the failure to seize
opportunities and ultimately result in
inefficiencies

Risk applies to all


objective hierarchies

The strategy fails due to unforseen risks


occuring

Risk applies to all


objective hierarchies

IRC IRL

IRS

0
0

Failure to achieve the strategy will result


in efficiencies

Risk applies to all


objective hierarchies

Failure to achieve the strategy will result


in efficiencies

Risk applies to all


objective hierarchies

0
0
Failure to achieve the strategy will result
in efficiencies

Risk applies to all


objective hierarchies

0
Risk applies to all
objective hierarchies

0
Risk applies to all
objective hierarchies

0
Risk applies to all
objective hierarchies

0
Risk applies to all
objective hierarchies

0
Risk applies to all
objective hierarchies

Risk applies to all


objective hierarchies

0
Risk applies to all
objective hierarchies

0
Risk applies to all
objective hierarchies

0
Risk applies to all
objective hierarchies

0
Risk applies to all
objective hierarchies

0
Risk applies to all
objective hierarchies

0
0
0
0
0
Risk applies to all
objective hierarchies

0
Risk applies to all
objective hierarchies

0
Risk applies to all
objective hierarchies

0
Risk applies to all
objective hierarchies

0
0
0
Accounts Payable
Department

0
Accounts Payable
Department

Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Pay too much for goods or services

Accounts Payable
Department

Pay too much for goods or services

Accounts Payable
Department

Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Payment of invoice delayed with supplier Accounts Payable
possibly refusing to supply more
Department
goods/services. Discount may be lost.

0
May be unable to reclaim the incorrect
payment. Payment of invoice delayed
with supplier possibly refusing to supply
more goods/services. Discount may be
lost.

Accounts Payable
Department

0
Delay in processing invoice

Accounts Payable
Department

Possible incorrect tax calculation and/or


accounting misstatement with danger of
fines

Accounts Payable
Department

0
Fraudulent payments made to suppliers, Accounts Payable
possibly false.
Department

0
Accounts Payable
Department

Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

0
Accounts Payable
Department

Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

Accounts Payable
Department

COSO Internal Control Integrated Framework


(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)

COSO Internal Control Integrated Framework


(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)

COSO Internal Control Integrated Framework


(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)

COSO Internal Control Integrated Framework


(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)

COSO Internal Control Integrated Framework


(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)

COSO Internal Control Integrated Framework


(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)
COSO Internal Control Integrated Framework
(Draft). Illustrative tools
for assessing
effectiveness (2012)

Process

Accounts Payable - define


strategy

Accounts Payable - define


strategy

Accounts Payable - define


strategy

Accounts Payable - define


strategy

Accounts Payable - define


strategy
Accounts Payable - define
strategy
Accounts Payable - define
strategy
Accounts Payable - define
strategy
Accounts Payable comply with legislation

Accounts Payable comply with legislation

Accounts Payable comply with legislation

Accounts Payable comply with legislation

Accounts Payable comply with legislation

Internal control

Function

Accounts Payable comply with company


policies
Accounts Payable comply with company
policies
Accounts Payable comply with company
policies
Accounts Payable comply with company
policies
Accounts Payable comply with company
policies
Accounts Payable comply with company
policies
Establish structure,
authority and
responsibility

Establish control
environment
Establish control
environment
Establish control
environment

Establish control
environment

Accounts Payable - set up


system
Accounts Payable - set up
system

Accounts Payable - set up


system
Accounts Payable - set up
system
Accounts Payable - set up
standing data
Accounts Payable - set up
standing data
Accounts Payable - set up
standing data
Accounts Payable - set up
standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data
Accounts Payable maintain standing data

Accounts Payable maintain standing data


Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable maintain supplier data
Accounts Payable - input
invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable - input


invoices

Accounts Payable generate payment

Accounts Payable generate payment


Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment

Accounts Payable generate payment


Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment

Accounts Payable generate payment


Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable generate payment
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable maintain accounts
payable ledger
Accounts Payable maintain accounts
payable ledger
Accounts Payable maintain accounts
payable ledger

Accounts Payable maintain accounts


payable ledger
Accounts Payable maintain accounts
payable ledger
Accounts Payable maintain accounts
payable ledger
Accounts Payable maintain accounts
payable ledger
Accounts Payable maintain accounts
payable ledger
Accounts Payable maintain accounts
payable ledger
Accounts Payable maintain accounts
payable ledger
Accounts Payable maintain accounts
payable ledger
Accounts Payable produce reports
Accounts Payable produce reports
Accounts Payable produce reports
Accounts Payable produce reports
Accounts Payable produce reports
Accounts Payable produce reports
Accounts Payable produce reports
Accounts Payable produce reports
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases

Accounts Payable secure databases


Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases

Accounts Payable secure databases


Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable secure databases
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions

Accounts Payable account for transactions


Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable account for transactions
Accounts Payable support processes- IT
Accounts Payable support processes- IT
Accounts Payable support processes- IT
Accounts Payable support processes- IT
Accounts Payable support processes- IT
Accounts Payable support processes- IT
Accounts Payable support processes- HR
Accounts Payable support processes- HR
Accounts Payable support processes- HR
Accounts Payable support processes- HR
Accounts Payable support processessecurity

Accounts Payable support processessecurity


Accounts Payable comply with company
policies

Accounts Payable comply with company


policies

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish structure,


authority and
responsibility
Accounts Payable establish structure,
authority and
responsibility
Accounts Payable establish structure,
authority and
responsibility
Accounts Payable support processes- HR

Accounts Payable support processes- HR

Accounts Payable support processes- HR

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable establish control


environment

Accounts Payable produce reports

Accounts Payable produce reports

Accounts Payable produce reports

Accounts Payable produce reports

Accounts Payable produce reports

Accounts Payable produce reports

Accounts Payable produce reports

Accounts Payable establish control


environment

Accounts Payable Monitoring

Accounts Payable Monitoring

Accounts Payable Monitoring

Accounts Payable Monitoring

Accounts Payable Monitoring

Accounts Payable Monitoring

Accounts Payable Monitoring

Accounts Payable Monitoring

Accounts Payable Monitoring

Internal
control owner

Control
number

Monitoring control

Monitoring
control owner

Has management has


established risk
management systems?

Test of internal controls

Test
schedule ref.

Result

Test of monitoring controls

Monitoring
Test
schedule ref.

Monitoring Result

RRC RRL RRS CS

Do internal controls,
including monitoring
controls, reduce risks to
acceptable levels?

Is action being taken


to promptly remedy
deficiency?

Report Follow-up 1
reference Test

schedule ref.

Follow-up 1
result

Follow-up 2 Follow-up 2
Test
result
schedule
ref.

Follow-up 3
Test schedule
ref.

Follow-up 3
result

Accounts payable audit

Column key
No
L1obj

L1 Objectives
L1risk

L1 Risks
L2obj

L2 Objectives
L2risk

L2 Risks
L3obj

L3 Objectives
L3risk

L3 Risks
Consequence of risk
Risk source
IRC
IRL
IRS

Process
Internal control
Function
Internal control owner
Monitoring control
Monitoring control owner
Has management has established risk management systems?

Test of internal controls


Test schedule ref.

Result
Test of monitoring controls
Monitoring Test schedule ref.

Monitoring Result
RRC
RRL
RRS
CS
Do internal controls, including monitoring controls, reduce risks
to acceptable levels?
Is action being taken to promptly remedy deficiency?

Follow-up 1 Test schedule ref.


Follow-up 1 result
Follow-up 2 Test schedule ref.
Follow-up 2 result
Follow-up 3 Test schedule ref.
Follow-up 3 result

audit
Line number. Needs resetting after each change. Used to sort spreadsheet.
Level 1 objective number
Level 1 objective
Level 1 risk number
Risk threatening top level objective
Level 2 objective number
Level 2 objective which aims to control the level 1 risk to which it is attached
Level 2 risk number
Risk threatening level 2 objective
Level 3 objective number
Level 3 objective which aims to control the level 2 risk to which it is attached
Level 3 risk number
Risk threatening level 3 objective
The effect when the risk occurs. Should ideally be quantified in cost terms.
Who identified the risk (management, risk workshop, auditor, meeting)
Inherent risk consequence score
Inherent risk likelihood score
Inherent risk scores multiplied. (Inherent Risk Significance score )
The process in which the internal control operates. See separate mind map of
processes.
The control managing the risk
The function affected by the risk (may be the division/operating unit/function)
The job title of the person responsible for operating the control
The control which checks that the internal control is operating - may not always be
such a control
The person responsible for operating the monitoring control
Was the risk identified by management? (Yes/yes with exception/No)
Example of a test which might be used to confirm the control is operating
Reference number of the document detailing the test, or a link to it
Conclusion test (acceptable/issues/unacceptable)
Example of a test which might be used to confirm the control is operating
Reference number of the document detailing the test, or a link to it
Conclusion test (acceptable/issues/unacceptable)
Residual risk consequence score.
Residual risk likelihood score
Residual risk scores multiplied
Control score (=IRS-RRS). Gives a measure of the importance of the control
(Yes/yes with exception/No)
(Yes/yes with exception/No)

Reference number of the document detailing the test, or a link to it


Conclusion test (acceptable/issues/unacceptable)
Reference number of the document detailing the test, or a link to it
Conclusion test (acceptable/issues/unacceptable)
Reference number of the document detailing the test, or a link to it
Conclusion test (acceptable/issues/unacceptable)

Accounts payable audit

Flowchart for - Input invoices with an order


Note that these are only
example flowcharts to
illustrate how they
might be used to
determine risks.
Other flowcharts are
necessary to document
all the processes on the
'Processes' hierarchy
OBJECTIVE
Invoice and credit note
transaction data being
used to update balances
is relevant, complete,
accurate, timely and
complies with
regulations

Receive and
sort mail

Statements

Invoices
No order

See
separate
chart (not
drawn)

Invoices
Order number

Batched
RISKS
Mismatch does not appear
on report
No action taken on
mismatch

Generate buyer
query

Input batch
details

Price or
quantity
delivered
mismatch

Input invoice

Close batch

Receive and
sort mail

RISKS
Invoices lost
Invoices delayed

RISKS
Batch total incorrect

Invoices
Order number

Batched

RISKS
Incorrect supplier selected
Order number incorrect
Incorrect/incomplete data on invoice
Incorrect order coding
Invoice total incorrectly calculated
Invoice tax incorrectly calculated/Incorrect tax
input
Goods not received/Incorrect quantities input
Goods/services priced incorrectly/Incorrect costs
input
Incomplete input

Input batch
details

Input invoice

Close batch

Order matches
Requires
receipt
confirmation

e-mail receipt
confirmation

RISKS
e-mail not sent
e-mail not received
Reply not sent/received

Accounts payable audit

Flow chart
Set up
data

Purchas
e
ordering
system

Purchase
ordering
database
s

Standing
data

Transactio
n data

Reports

Set up
data

AP system

AP
database
s

Standing
data

Transactio
n data

Reports

General
ledger
database

Checks/
checks
(cheque
s)
Bank
transfer
s

General
Ledger
system

Set up
data

Standing
data

Transactio
n data

Reports

This flowchart only shows the main elements of the accounts


payable process and surrounding processes. Although it
applies to computer systems, it is applicable to manual
systems, since both have the common elements of data ,
processes and databases.
Flowcharts should be drawn up, as part of the walkthrough
tests, in order to understand the risk involved in the input,
manipulation, storage and output of data. Typical controls will
include those to ensure the accuracy, completeness and
timeliness of input and output data and data passing
between computer systems.

Accounting
calendar

Foreign currency
rates
Supplier data

Invoices
Credit notes
Payments

Accounts payable audit

Potential deficiencies
Date

Source reference

Control Potential deficiency


number

Resolution

Potential issues are noted on this schedule when they arise, for
example during site visits and before they are identified on the ORCR.
They would ideally be noted on a mobile phone (for example using
'Evernotes') or even a piece of paper!

Accounts payable audit

Deficiencies for discussion


ISSUE
No

H1
H2
H3
H4
H5
H6

Control
Number

Date

Source
reference

Control
opinion

Deficiency and cause

Implication

Action

Action by

Meeting date Action


opinion

Report
reference

Accounts payable audit

Draft report
Ref

Document
Draft report
Letter with draft report

Hyperlink
Word

Accounts payable audit

Final report
Ref

Document
Final report
Letter with final report

Hyperlink
Word

Accounts payable audit

Quality control
Ref

Document
Review notes after risks scored
Review notes - prior to closedown meeting
Review notes draft report
Review notes final report
Review notes file before filing
Proof reading
Feedback Feedback Individual targets
Individual targets
Individual appraisal
Individual appraisal

Hyperlink
Word

Document filed in personnel file


Document filed in personnel file
Document filed in personnel file
Document filed in personnel file

Accounts payable audit

Follow-up
Ref

Document
Follow-up letter

Follow-up report
Letter with follow-up report

Hyperlink
Word

Accounts payable audit

Summary
Objective

Pay suppliers the correct amount at the time agreed

Total number of risks


Red
No
Objective, risk and controls were
identified, evaluated and
managed
Internal controls, including
monitoring controls, reduce risks
to acceptable levels
Action being taken to promptly
remedy deficiency

Amber
No
%

Green
No

Accounts payable audit

Scoring risks, opinion on risk scores and guidance on conclusions

Advice on scoring risks (inherent a


1 to 5 scale
If the consequence when the
risk occurs is:
A catastrophic impact on the
organization, threatening its
existence
Cash at risk> $100,000
To prevent the organization
achieving all, or a major part, of its
objectives for a long time.
Cash at risk <$100,000>$10,000
To stop the organization achieving
its objectives for a limited period.
Cash at risk <$10,000 >$3,000
To stop the organization achieving
its objectives for a limited period.
Cash at risk <$3,000 >$1000
To cause minor inconvenience, not
affecting the achievement of
objectives
Cash at risk <$100

Guidance for conclusions against e


Opinion on
Has management established a
proper control framework? That
is, has management: specified
their objectives, identified the
risks threatening these
objectives and established
controls which should reduce
the risks to acceptable levels?

Definition
Thorough processes have been
used with the result that necessary
controls to risks have been
established. The objective will be
achieved if the controls are
operating.

Are these controls sufficient and


operating to bring the risks to
below the risk appetite and
ensure the achievement of the
related objective?

Controls are sufficient and are


operating to bring risks to below
the risk appetite. (although some
action may be required note in
Supplementary issues.) No more
monitoring is necessary than is
done at present. The objective is
being achieved.

Is action being taken which will The action being taken will result
bring the risks to below the risk in all risks being mitigated to below
appetite and ensure the
the risk appetite.
achievement of the objective?

Opinion:

YES

Report as:

No deficiency

dance on conclusions

Almost certain

Catastrophic (5)

Probable

Major (4)

Possible

Moderate (3)

Unlikely

Minor (2)

Rare

Insignificant (1)

or conclusions against each risk


Definition
Processes have been
used, but there are some
deficiencies which are not
judged sufficient to prevent
the achievement of the
objective.

Inadequate, or no,
processes have been used
and, it is probable that the
objective will not be, OR is
not being achieved

Likelihood of residual risk

the risk occurring is:

Then the measure is


defined to be:

Rare(1) Unlikely (2)

OR the likelihood of

Possible (3) Probable (4) Almost certain (5)

coring risks (inherent and residual)

Controls are sufficient and Controls are not sufficient


are operating to bring most and/or are not operating to
risks to below the risk
bring risks to below the risk
appetite. However, some appetite. It is probable that
risks are not below the risk the objective will not be, OR
appetite but are not judged is not being achieved. Major
sufficient to prevent the
improvements are required
achievement of the
to the monitoring of controls
objective. Some additional
monitoring may be required
(see the report for details)
The action being taken will No action is being taken, OR
still leave some risks above Insufficient action is being
the risk appetite but these taken to mitigate risks to
are not judged sufficient to below the risk appetite.
prevent the achievement of
the objective.

YES WITH
EXCEPTIONS

NO

Deficiency

Major deficiency

Rare(1) Unlikely (2)

Possible (3) Probable (4) Almost certain (5)

Control opinion on risk scores


Are controls sufficient and operating to bring the risk to below the risk
appetite and ensure the achievement of the related objective?

10
15
Unacceptable
Issue
NO
EXCEPTION

Unacceptable
NO

8
4
12
Supplementary
Acceptable
Issue
Issue
YES
EXCEPTION
EXCEPTION

Unacceptable
NO

Unacceptable
NO

6
3
9
12
Supplementary
Acceptable
Issue
Issue
Issue
YES
EXCEPTION
EXCEPTION EXCEPTION

Unacceptable
NO

Supplementary
Issue
EXCEPTION

20

16

25

Unacceptable
NO

20

15

2
Acceptable
YES

6
8
4
10
Supplementary Supplementary
Acceptable
Issue
EXCEPTION
EXCEPTION
EXCEPTION
YES
Issue
Issue

1
Acceptable
YES

2
Acceptable
YES

3
Acceptable
YES

Minor (2)

Moderate (3)

Insignificant (1)

5
4
Supplementary
EXCEPTION
Acceptable
YES
Issue
Major (4)

Catastrophic (5)

Consequence of residual risk


Risk score = Likelihood score X Consequence score
NO:
the risk
EXCEPTION:
YES:

Major deficiency - immediate action required to control


Deficiency - action required to control the risk
No action required

Guide to reporting residual risks

Residual risk
score

Report control
opinion (see
chapter 2)

Greater than15 No

Report as

Action

Major deficiency

Immediate action
required to bring
risk below the risk
appetite

Less than 15
greater than 4

Yes with exceptions Deficiency

Action required to
bring risk below the
risk appetite

Less than 4

Yes

No action required

No deficiency

Accounts payable audit

Version Control
Date
1-Jun-15

Version
V1.0
V2.0

Notes
First issue
Made consistent with AP audit used for manual