
Audit: Purchase of expense goods and services

5:03 AM 4/5/2014

Audit: Purchasing and payment of expense goods and services

Introduction
Last updated 21 August 2004

Purpose
The purpose of this spreadsheet is to show typical risks, expected controls and example tests for processes related to the purchasing and payment of expense goods and services (excluding personal expenses). Full details of how to complete and use the database are in the manual, which can be downloaded from www.internalaudit.biz. The database is not complete: it must be changed to suit your organisation. To see how this database fits into the audit universe, download the Risk and Audit Database from www.internalaudit.biz. Auditing is not about carrying out tests taken from an audit programme; it is about understanding the objectives of the processes you are auditing, the risks which threaten them and the controls which actually operate to mitigate them.

The database (Audit programme)


The audit programme is in the form of an Excel database. It can be treated just like a large "Word" table but can also be sorted and filtered. The database covers those processes which might be involved in purchases and payments using a computerised system. Thus it covers not only ordering and invoice approval, but also staff management and computer controls. Rows with processes which are split down into more detailed processes are coloured and do not have data in some columns. The processes are only intended as an example. You must change them to those in your organisation. If you construct audit databases, please make them available to other auditors through AuditNet (http://www.auditnet.org/). For a full explanation of the content of the columns, go to the "Column key" worksheet.

The example controls and monitoring


These examples are suggestions only. They cannot possibly apply to every size of organisation which might use this database. You must decide on the controls which mitigate the risks to acceptable levels in your organisation. Remember that the examples are general and therefore rather vague. Your entries should be much more specific, in particular, noting the names of staff carrying out the checks.

Worksheets
There are 7 worksheets in this spreadsheet: Introduction, Scope, Process map, Expense purchases database, Column key, Scoring risks, Allocating conclusions

Copyright D M Griffiths

Language
I have used UK English for the risk register. Variations from US English include:
Supplier = Vendor
Purchase = Procure
Cheque = Check
I have used the term "accounts payable" for purchase ledger, since this is now common in the UK.
All sheets copyright David M Griffiths. Not to be copied or distributed without acknowledging the author, or in conjunction with a commercial product.


Scope of the audit


Reasons for the audit
The organisation's risk analysis has identified significant risks to its objectives from the processes involved in the purchase of expense goods and services. The audit will conclude on whether:
Risks threatening the objectives of the processes have been properly identified, evaluated and managed.
Internal controls are operating properly to mitigate these risks to levels defined as acceptable by board policy.
Action is being taken to improve controls, where risks are not being properly mitigated.
More monitoring, by management, is necessary to ensure proper internal controls into the future.
A sound system of internal control is maintained for the processes audited.

Objectives of the processes being audited


The overall objective of the process (4.5) is to purchase expense goods and services for the organisation. (That is, goods which are not for resale.)
The processes covered by this audit are:
Define the objectives for purchasing expenses
Set up suppliers on the computer file
Set up items for purchase on the computer file
Raising requisitions
Raising orders
Receive goods/services
Returning of unsatisfactory goods
In addition, the following support functions are covered:
Invoice processing
Payment to suppliers
Accounting for expense purchases

Key risks of the processes being audited


Expense goods/services requested are not needed or are not for the benefit of the company
Orders are placed with suppliers who do not provide best value (quality/price/delivery)
Payment is made for goods or services which have not been received
Transactions are not correctly entered in the books of account
The processes concerned are not operated efficiently and effectively

Audit work plan

In order to carry out this audit the auditors will:
Take into account any previous audits, noting particularly the issues raised
Obtain organisation charts, procedure manuals, training documentation and any other documentation which should be being used by the departments involved in the audit
Obtain budgets, actual figures and any other relevant financial information
If appropriate, meet the external auditors and any other parties with an interest in the processes being audited
Meet with staff at all levels to understand their responsibilities and concerns
Visit all locations which affect the risks involved (warehouses, factories, outsource suppliers)
Carry out walkthrough tests to understand the processes involved, including monitoring controls
Understand the changes made since the last audit
Obtain relevant risk registers, noting when they were last updated
Carry out interviews and risk workshops, as necessary, to ensure all risks have been identified
Add to the risks in the risk register
Score the inherent risks, according to the risk appetite of the organisation, which have been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Carry out the tests necessary to confirm that the controls are operating properly
Score the residual risks, according to the risk appetite of the organisation, which have been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Draw conclusions as to whether each risk is properly controlled (see the example)
Submit a report


Diagram of processes with key risks


This diagram shows the key processes for purchasing expenses and is the next level down from the risk register. Key risks are collected in the boxes, prior to putting them on the audit database. It is used to drive the main audit database.

Risks

Purchase expense goods

Define objectives
The strategy is not consistent with the overall strategy
The strategy has not been communicated

Set up suppliers
Supplier of vital services/goods may go out of business
Supplier details are not correctly input/modified
New suppliers improperly set up

Set up items
Item details are not correctly input/modified

Requisition goods and services
The requisition may be for goods and services not required
The requisition may be incorrect

Place order
The order is placed with a supplier not providing the best value
The order is incorrect

Receive goods
Goods/services are not what was ordered
Incorrect quantities received are input

Return goods
Credit is not obtained for goods returned

Support purchase expense goods
Payment is made when goods/services have not been received
Settlement discount is not correctly deducted
Payment is not made on the due date


Audit database

Last follow-up results (date)


Process Description
Purchase goods and services for the organisation Define the strategy for expense purchases, communicate and deliver it

L Ref
2 4.5

Process
Purchase expense goods Define objectives

Risk to process
(Summary level)

Risk source

IRC IRL

IRS

Example control

Example monitoring

Tests

Ref

RRC

RRL

RRS

Cont score

Issue

Action

By whom

Conclusion Risks
Not applicable

Conclusion Controls

Conclusion Action

Conclusion Monitoring

Report ref

Follow-up Risks

Follow-up Controls

Follow-up Action

Follow-up Monitoring

3 4.5.1

(Summary level)

Not applicable

4 4.5.1.1

Define the strategy for expense purchasing Define the strategy for expense purchasing Communicate the strategy Deliver the strategy

Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders
The strategy does not maximise efficiency and effectiveness and is not consistent with the organisation's strategy
Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders
The strategy has not been updated
Inform the staff about the targets
Staff are unaware of the strategy

4 4.5.1.1

The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned. These targets and budgets are approved by management finance.
The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned
Staff are briefed by their managers

Directors check the strategy for departments under their control. The overall budget is approved by the board
Directors check the strategy for departments under their control
The strategy is available on notice boards and the intranet
Directors check the action plan for departments under their control

Examine the latest strategy document

Not applicable

4 4.5.1.2

Examine the latest strategy document. Check that the budget forms part of the organisation's overall budget. Examine variances for the current year and ensure adequate explanations have been made for excessive
Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
Examine the action plan. Check for progress to implement it.

Not applicable

Not applicable

4 4.5.1.3

Form an action plan, with the staff involved, to deliver the strategy
Set up new Suppliers on the computer system, or modify existing details. Includes addresses and payment terms
Raise a request (may be on the computer system, but could be an e-mail or manual form) for goods or services to be ordered
Based on the authorised requisition, purchasing department raise an order. This may be on an existing Supplier but might require negotiations with a new Supplier
Suitable suppliers are identified to supply goods/services. Sealed tenders (quotes) are called for and opened in the presence of an independent person. The cheapest tender is chosen, if all conditions have been complied with
Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services
If the goods are not those ordered, are damaged, or too many are delivered, they will be returned to the Supplier. If they are found to be faulty after the processing of an invoice, or payment, a credit note will be required

No action plan exists to deliver the strategy

An action plan to deliver the strategy is part of the budgeting process

Not applicable

4 4.5.1.3

Deliver the strategy

The strategy is not built into individuals' targets

Individuals are given their targets based on those of the department
Directors, or senior managers, check the staff targets for departments under their control
Examine staff targets for a selection of staff
Rights to place requisitions and orders are in a written policy
Rights to authorise requisitions and orders are in a written policy
Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details
Requisitions are authorised by an appropriate manager
The policy is checked every year to ensure it is correct
Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director
Budgets are maintained for all expenses with monthly monitoring against actual
The requisitioner will query any difference
Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Check individual reports over the last six months for evidence of checking. Observe the process in action.

Not applicable

4 4.5.1.3

Deliver the strategy

Any member of staff can authorise the purchase of any goods or services
Any member of staff can requisition any goods or services
Supplier details are not correctly input/modified

Not applicable

4 4.5.1.3 3 4.5.2

Deliver the strategy

Not applicable

Set up Suppliers

Not applicable

3 4.5.2

Set up Suppliers

False Suppliers are set up and paid

Check individual reports over the last six months for evidence of checking. Observe the process in action.

Not applicable

3 4.5.2

Set up Suppliers

No settlement discount, or other discounts, are negotiated

Check individual reports over the last six months for evidence of checking. Observe the process in action.

Not applicable

3 4.5.4 3 4.5.4 3 4.5.5

Departments requisition goods/services Departments requisition goods/services Purchasing order raised for goods/services

Expense goods/services requested are not needed or are not for the benefit of the company
Details on the requisition are incorrect

Requisitions are authorised by an appropriate manager

The order is incorrect, that is does not agree to the approved requisition

Confirmation is required on the order screen before the order is sent or printed

Observe the procedure for electronically authorising requisitions. If possible, have the computer controls checked by a competent auditor.
Observe the process and try submitting without confirmation

Not applicable

Not applicable

Not applicable

3 4.5.5

Purchasing order raised for goods/services

The price on the order does not give the organisation maximum value

The order is placed by trained purchasing staff using prices on the computer, or negotiated with the supplier.

Budgets are maintained for all expenses with monthly monitoring against actual

Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists. Examine the input of orders. Try and set up a new supplier from the order screen

Not applicable

3 4.5.5

Purchasing order raised for goods/services

Orders are placed with suppliers who do not provide best value (quality/price/delivery)

Orders can only be placed with suppliers previously set up on the computer
Half-yearly report listing suppliers and spend which is approved by the Purchasing Director
Computer report showing requisitions not turned into orders within 2 days is checked by the supervisor
Requisitioners will complain if orders are received late

Not applicable

3 4.5.5

Purchasing order raised for goods/services

Orders are placed late

Examine this report for items older than 2 days

Not applicable

3 4.5.5

Purchasing order raised for goods/services

Orders have incorrect account codes input

The requisitioner supplies the codes. The computer checks these exist but cannot check if they are correct.

Budget holders check their expenses each month for incorrect items

Examine accounts journals and other documentation used to correct coding errors to judge how frequent they are
Check access to order screens is limited to approved purchasing staff. Check orders raised without approved requisitions are approved
Check expenditure over X to see if contracts have been raised. Examine the tendering process, and last contracts signed, to ensure the process is operating. (This could be done as a separate audit)
Check for the existence of recent, tested contingency plans

Not applicable

3 4.5.5

Purchasing order raised for goods/services

Orders are placed for goods not required, without approved requisitions

3 4.5.6

Contracts raised for continuing services or supply of materials

Contracts are not negotiated to ensure the best prices for ongoing services such as maintenance

All orders have to be placed through the computer. Orders can only be raised by purchasing staff. Orders without requisitions must be approved by a senior manager
Expenditure on services is constantly monitored to check if contracts should be raised to ensure best prices and service. Contracts are tendered, as necessary, to ensure best prices.

Budget holders check their expenses each month for incorrect items

Not applicable

Senior purchasing management monitor expenses, and check all tenders to confirm the process

3 4.5.7

Goods/services received. Quantity received input

Goods/services vital to the organisation's operation become unavailable or too expensive

If possible, have two, or more, sources of supply. Hold sufficient stocks of vital spares. Have contingency plans for failure of vital supplies
Continuity of supply is written into managers' targets, on which they are assessed
Computer report showing where quantities received differ from the order
Requisitioners should complain if the goods/services differ from the order

Not applicable

3 4.5.7

Goods/services received. Quantity received input

Quantities, or service, is not what was ordered

Examine this report and check on the action taken. Note items which may be old and uncorrected

Not applicable

3 4.5.7

Goods/services received. Quantity received input

Quantities incorrectly input

The computer warns if the quantity received is different from that ordered

Requisitioners should complain if the goods/services differ from the order

Observe the process and try submitting a different quantity

Not applicable

3 4.5.7

Goods/services received. Quantity received input

Stock records (for example engineers' spares) not updated

Automatic update with exception reports where this has not occurred

Periodic physical checks to stock records

Check a sample of items received through to the stock system

Not applicable

3 4.5.7

Goods/services received. Quantity received input

Receipt details input when no goods or services have been received

Division of duties between requisitioners, purchasing staff and receivers

Budget holders check their expenses each month for incorrect items

Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists. Ask a sample of staff their opinions on the quality of goods received

Not applicable

3 4.5.7

Goods/services received. Date of receipt input

Quality is not up to standard

Responsibility of the person receiving the goods/services to complain of poor quality to the ordering department
All goods are received at one, secure, location, which inputs their receipt against the order

No formal monitoring

Not applicable

3 4.5.7

Goods/services received. Date of receipt input

Goods are lost

Requisitioner will complain if goods are not received
Visit the receiving area. Check security and observe the receipt of goods.

Not applicable

3 4.5.8

Goods/services returned

Credit is not obtained from the supplier

Goods can only be returned on the authority of the buyer, who raises a "Goods Return Note". One copy goes with the goods, the other is keyed into the computer as a debit note. This automatically reduces the next payment.

Requisitioner will complain if credit is not received

Take a sample of Goods Returned Notes and check that the correct credit has been received

Not applicable

3 4.5.8
1

Support purchasing of expenses Define objectives for supporting expense purchasing Define the strategy

(Summary level)

Not applicable

4 4.5.8.1
1

(Summary level)

Not applicable

Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders
The strategy has not been updated
Inform the staff about the targets
Staff are unaware of the strategy

The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned
Staff are briefed by their managers

Directors check the strategy for departments under their control
The strategy is available on notice boards and the intranet
Directors check the action plan for departments under their control

Examine the latest strategy document

Not applicable

Communicate the strategy Deliver the strategy

Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
Examine the action plan

Not applicable

Form an action plan, with the staff involved, to deliver the strategy
Process transactions resulting from the purchase of expenses
Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price. Differences outside a pre-defined tolerance are held and cleared by purchasing. Invoices with no order have to have senior management authorisation.
After input of the invoice, it is sent for microfiching and the paper copy destroyed
Receive a properly approved cheque requisition, with supporting documentation

No action plan exists to deliver the strategy

An action plan to deliver the strategy is part of the budgeting process

Not applicable

Deliver the strategy

The strategy is not built into individuals' targets

Individuals are given their targets based on those of the department
Directors, or senior managers, check the staff targets for departments under their control
Examine staff targets for a selection of staff
Rights to place requisitions and orders are in a written policy
Rights to authorise requisitions and orders are in a written policy
The policy is checked every year to ensure it is correct
Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy

Not applicable

Deliver the strategy

No limitation is set on the authority of staff to commit the organisation
Transactions are not processed completely and accurately
Invoice input against incorrect supplier

Not applicable

5 4 4.5.8.2

Deliver the strategy

Not applicable

Process transactions

Not applicable

5 4.5.8.2. Purchasing expenses 1 Invoice input

Most invoices are input against an order and the supplier details are checked. If no order exists there is no control

The supplier will send a reminder to pay

Examine transactions which correct mis-postings

Not applicable

5 4.5.8.2. Purchasing expenses 1 Invoice input

Incorrect values input

Where the invoice is matched to an order, an exception report is produced for invoices not matching and these are held until purchasing approve the difference. Invoices without orders are batch totalled

Monthly check, by management, of the report showing invoices held in query. Follow-up of invoices over one month old
Examine the query report to ensure no queries are outstanding for an excessive period of time, and that all are being actively pursued

Not applicable

5 4.5.8.2. Purchasing expenses 1 Invoice input

Invoices are input twice

Where the invoice is matched to an order the computer will not allow the input of another invoice. Invoices are stamped "input"

Budget holders should check the actual expenditure against their budget each month

Ask a sample of budget holders to provide evidence that they have checked the expenses for the previous month

Not applicable

5 4.5.8.2. Purchasing expenses 1 Invoice input

Duplicate invoices are input

Where the invoice is matched to an order the computer will not allow the input of another invoice. If copy invoices are received, where no orders exist, they are checked to the supplier account before processing. The computer will not accept duplicate invoice numbers
Budget holders should check the actual expenditure against their budget each month

Examine transactions which correct mis-postings

Not applicable

5 4.5.8.2. Purchasing expenses 1 Invoice input

Invoice input where no goods or services have been received.

5 4.5.8.2. Purchasing expenses 1 Invoice input

The tax analysis of invoices is incorrect, for example "Business entertainment"

Most invoices are matched against approved orders. Other invoices must be approved by a senior manager and accountant, who writes the account code on. Invoices can only be paid to suppliers set up on the system, for which separate checks apply. Duties are divided to ensure staff who input invoices do not set up suppliers or payments
All purchasing and transaction processing staff have specific training on the analysis of Value added tax (VAT). Detailed guidelines are available. The computer checks for incorrect calculations

Budget holders should check the actual expenditure against their budget each month

Check a sample of items received through to the stock system, or other evidence, to prove that the goods/services were received
Check the access to computer screens to ensure division of duties is enforced

Not applicable

Tax department scrutinise certain nominal codes for exceptional items

Check a sample of invoices to ensure that the tax treatment is correct

Not applicable

4.5.8.2. 2

Purchasing expenses Invoice filed

Invoices are not filed and microfiched

5 4.5.8.2. Purchasing expenses 3 no invoice received, for example tax

Incorrect payments may be made

Invoices are sequentially numbered on input. When microfiching, the continuity of these numbers is checked
The fiche are checked by staff when received back from the microfiching department
Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payments cheques must be supported by the cheque requisition and signed by two senior managers
Budget holders should check the actual expenditure against their budget each month
Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payments cheques must be supported by the original invoices and signed by two senior managers
Payment terms are set up on the supplier account. They can only be changed on written instructions for a buyer. Settlement discount can be overridden for a specific order, but only a manager
Budget holders should check the actual expenditure against their budget each month

Check a selection of fiche to ensure no numbers are missing

Check a sample of cheque requisitions, to ensure this type of transaction should have been used (that is no invoice is available) and it was properly approved. Check that the item being paid for is genuine

Not applicable

Not applicable

5 4.5.8.2.4 Purchasing expenses payment

The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details in the computer, or by paying with a manual cheque.

Computer payment is made for goods or services which have not been received

Check a sample of payments taken from the cash sheets to prove that the goods/services paid for were received

Not applicable

Incorrect settlement discount is taken

Payment terms are checked by buyers every 6 months

For the sample of payments used in the above test, check that the correct settlement discount has been taken

Not applicable

Payment is not made on the due date

Payment terms are set up on the supplier account. They can only be changed on written instructions for a buyer

Payment terms are checked by buyers every 6 months

For the sample of payments used in the above test, check that the payment was made on the correct date

Not applicable

David M Griffiths

Expense purchases database

5 4.5.8.2.4 Purchasing expenses payment

The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details in the computer, or by paying with a manual cheque.

5 4.5.8.2.5 Purchase expense invoices / credit notes posted to accounts

Invoices and payments are posted to the general (nominal) ledger in the same accounting period

Manual payments made are fraudulent

Cheques are kept in a locked cupboard to prevent theft and subsequent forgery. Overseas payment instructions are signed by two directors. The bank has instructions to telephone the Chief Financial Officer if payments are over an agreed amount.

Bank reconciliation will detect payments made not correctly entered in the books of account

For a sample of manual and overseas payments, ensure that goods/services were received. Check the bank understands its instructions to phone the CFO. If appropriate, carry out a separate audit on foreign payments

Not applicable

Cheques are altered or forged

Cheque signing signatures are embossed. Cheques are printed by specialist printers with the latest security features

Bank reconciliation will detect payments made not correctly entered in the books of account

Observe the cheque printing process to ensure it is physically secure. Check that the signature plates are stored in a safe with limited access

Not applicable

The payment output file is altered. (This file holds payment data to be transmitted to the bank, or used to print cheques)

Access controls on the computer to prevent alteration

Exception reports, checked by management, which detail exceptional alterations to files

Obtain details of those staff with access to the computer files. They should only be senior IT staff with no access to accounting systems

Not applicable

Invoice / credit notes are posted to incorrect accounts

5 4.5.8.2.6 Accounts Payable month-end processes

In order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer, from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued. To ensure details have been correctly passed from the accounts payable system to the general ledger, the total of the accounts payable ledger is reconciled to the accounts payable control account in the general ledger

Manage the accounts payable ledger

Ensure the accounts payable ledger is correctly updated, properly represents amounts owed to creditors and is correctly included in the accounts of the organisation

Provide systems

Provide systems, including computer systems to support the organisation's operations

Maintain central systems

The proper operation of applications is maintained by a central IT department

Users set up their own computer systems (for example spreadsheets) to produce data

Accruals not calculated

Invoices are posted to the cost centre and nominal account set up on the requisition. The computer verifies that these exist and prevents certain combinations of cost centre and nominal codes

Budget holders check their expenses each month for incorrect items. Plus Financial Accounts check balances to the previous month's and investigate significant discrepancies

The value of all goods received not invoiced is calculated by the computer

Comparison made with previous month's figure. Major differences investigated

For a sample of invoices, check the coding is correct

Not applicable

Check the report providing the accruals figure. Check that large variances from the previous month have been explained

Not applicable

5 4.5.8.2.6

Accruals not calculated correctly

In major expense service functions (for example advertising) managers must detail services provided which have not been invoiced

Major variances from budget are investigated

Check the composition of the accruals figure. For a sample of receipts on the report, ensure they are recent and obtain explanations why old receipts have not had invoices processed

Not applicable

5 4.5.8.2.6

Accounts payable ledger total does not represent all liabilities

Total of supplier balances reconciled to Accounts Payable control account in the General ledger

Reconciliation is signed by a senior manager

For a number of months, check this reconciliation has been properly carried out

Not applicable

5 4.5.8.2.7

Accounts payable ledger total does not represent all liabilities

Sample check reconciliation of Supplier statements to the Accounts Payable balance

The check is noted and scrutinised by a senior manager at month-end

Scrutinise the reconciliations carried out to ensure they contain no unusual items. If necessary, reperform some reconciliations to ensure they are correct

Check the accounts payable list of balances for debit balances. For a sample of balances, determine why they arose and the action being taken to recover them

n/a

Not applicable

5 4.5.8.2.7

Supplier with a debit balance, due to credits issued, goes out of business

Exception report highlighting large debit balances. Payment stop put on the account. Systems in place to request repayment of the amount owing

Management scrutiny of large debit balances each month, with a progress report on their recovery

Not applicable

4 4

5 5

8 8

3 3 1

4 4.5.8.3 5 4.5.8.3.
1

(Summary level)

Data lost through main computer failure, systems unavailable for a prolonged period

User-maintained systems lose data

User-maintained systems produce inaccurate data

Range of controls maintained by the IT department

Users monitor their output, such as reconciling the accounts payable balance with the general ledger

IT management should monitor system reports

Output should be examined for "reasonableness"

Not applicable Not applicable

Covered by audits of the IT processes

4 4

5 5

8 8

3 3

2 2

5 4.5.8.3.2 Maintain user systems

Data is kept on the network which is backed-up daily

All important data is checked, or reconciled, to an independent source to ensure it is correct. If this is not possible, some manual reperformance of calculations, or checks of formulas.

Ensure data is backed-up - try retrieving yesterday's files. If a stand-alone computer, check back-up to discs

Check formulas are correct. If possible use a spreadsheet analyser to detect possible problems. Reperform manually important calculations, if possible.

Check all programs have a clearly written user guide.

Trace figures from the accounts payable system through to totals in the top level management accounts

Trace figures from the accounts payable system through to totals in the top level financial accounts

Not applicable

Not applicable

4 4 4

5 5 5

8 8 8

3 4 5

5 4.5.8.3.2 Maintain user systems

Users set up their own computer systems (for example spreadsheets) to produce data

Collect the data from processed transactions into accounts for management to make decisions

Collect the data from processed transactions into accounts for statutory or tax purposes

User-maintained systems understood by only the programmer

Information is incorrectly analysed and summarised

Information is incorrectly analysed and summarised

A user guide has been written and independently tested

Manager holds a copy after each revision

Totals on the management accounts are reconciled to totals from the accounts payable system

Each month, or more frequently, the accounts payable ledger total is reconciled to the accounts payable control account in the general ledger

All jobs have written job descriptions, which show the competencies required

The targets take into account the competencies required

Training is provided when taking on new responsibilities and during a job, to ensure the staff member understands how to do the job and the controls which must operate

Clear policy from the board that training is important.

Output should be examined for "reasonableness"

Manager checks the reconciliation.

Management and financial accounts are reconciled

HR and manager sign off job descriptions

HR and manager sign off appraisals

Not applicable

4 4.5.8.4 4 4.5.8.5

Prepare management accounts Prepare financial accounts

Not applicable Not applicable

4 4 4 4

5 5 5 5

8 8 8 8

6 6 6 6

1 2 3

Recruit staff and manage staff policies

4 4.5.8.6 Provide staff

5 4.5.8.6.1 Establish job descriptions

Job descriptions, in accordance with policy, are written and approved

(Summary level)

Staff competencies required have not been identified

Not applicable

Check for job descriptions of all staff levels

Check appraisal files

Not applicable Not applicable Not applicable

5 4.5.8.6.2 Carry out regular appraisals

Targets are set for staff with regular appraisals in accordance with policy

Actual competencies of the staff have not been matched with required competencies

5 4.5.8.6.3 Training of staff

Staff are trained in order to achieve their targets with maximum effectiveness and efficiency, within the ethical guidelines

Training is not provided, or is inadequate. For example it omits ethical guidance

Staff not allowed to attend training

Recruit staff to fill vacancies

Applicants falsify references

Managers monitor the training their staff receive to ensure it is appropriate at all times

Check training materials. Ask staff who have recently changed jobs about their training

HR monitor staff not attending training courses and determine why

Manager can request references if required

Senior managers should monitor their managers to ensure succession plans exist

Question staff who have been on courses

5 4.5.8.6.3 Training of staff

Not applicable

5 4.5.8.6.4 Recruit suitable staff

All references and qualifications are checked by HR

5 4.5.8.6.4 Recruit suitable staff

Recruit staff to fill vacancies

Insufficient staff are available to carry out all duties, and maintain division of duties

Staff involved in expense purchasing are not aware of legislation which affects them, thus threatening the organisation with prosecution

HR maintain succession plans for senior key staff. Managers have plans for other key staff

Take a sample of recent joiners and check that references were supplied. (Other tests are carried out as part of the audit of HR)

Examine staff budgets to ensure staff numbers are being maintained at levels which ensure controls are operated

Determine when the last update from legal services was received and how it was briefed to staff. If you are aware of any legislation affecting the processes being audited (for example competition legislation), make sure it has been briefed in. These processes will also be covered by audit BS

Ask staff about their induction. Do they understand the tax implications of their work? Check invoices for correct treatment of taxes (for example VAT)

Examine documents given to suppliers and their written agreement. Attend, with qualified staff, the suppliers working on-site

Check training records, and H & S audit documentation

Not applicable

Not applicable

4 4.5.8.7

Provide legal services

Advise all areas of the company concerning action to be taken on legislation

There is a clear, preferably written, understanding that legal services will update the appropriate managers with legislation which affects them. The managers will brief their staff

Senior management check that important legislation is understood by the functions under their control

Not applicable

4 4.5.8.8

Provide tax services

Advise all areas of the company concerning action to be taken on tax legislation

Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers

Staff involved in expense purchasing are not aware of tax legislation which affects them, thus threatening the organisation with fines or the loss of tax credits

Suppliers provide services without observing safety procedures, resulting in injury to staff

Goods purchased, for example cleaning solvents, may create an unsafe environment for employees

(Summary level)

Regular briefings from tax department to all staff concerned. Induction training to include the relevant aspects of tax

Senior manager to check that new tax legislation has been briefed to staff

Not applicable

4 4.5.8.9

Ensure health & safety

10

4 4.5.8.10 Manage the environment

Ensure the operations of the organisation obey all environmental laws and good practice

Ensure security

The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation

All assets, including physical assets, stock and information, are physically secure

Audit of suppliers to ensure they understand health and safety legislation. Orders and contracts contain clause to ensure suppliers comply with regulations

Qualified staff check suppliers working

Purchasing staff have training on general health and safety topics, with specific training for staff ordering chemicals and other potentially hazardous items

Periodic audits by health and safety department

Not applicable

Not applicable

12

Not applicable

12

5 4.5.8.12.1 Provide security

Loss of the organisation's assets

All buildings have entry restricted by card operated gates

Supplies of paper documents, such as orders and cheques, are stored in a separate building. Documents which must be kept for tax purposes are microfiched, and these are stored in a fireproof safe

A formal process has been carried out to identify the documents used and their method of storage

Periodic audits, by security department, of the access to buildings

It is the responsibility of the departmental manager to ensure documents are retained and securely stored for as long as necessary

The Ethical Committee ensures a complete policy is communicated to all stakeholders

12

5 4.5.8.12.2 Identify documents required to achieve the objective of these processes

4.5.8.12.3 Decide on arrangements to safeguard these

12

Decide on the documents, paper or electronic, which are essential to the operation of expense purchases, or for tax reasons. These may include paper orders, supplier invoices, cash sheets and cheques

Documents essential to operations (such as cheques) may be lost in a fire

For each document, decide on the appropriate storage medium

Level of protection may not be sufficient

During audit, observe security precautions. Otherwise the tests of physical security are carried out in audit group BX

Check the existence of the paper documents kept offsite. Check that all microfiche are stored in the fireproof safe, with none left out at night.

Check for evidence of the formal process, and that it is being followed

Not applicable

Not applicable

Not applicable

13

4 4.5.8.13 Communicate 4
1

Inform internal and external stakeholders of the organisation's policies and intentions

14

14

4.5.8.14 Manage risks threatening expense purchasing processes

4.5.8.14.1 Identify risks

Risk workshops and interviews are held to determine the risks threatening the objectives of the expense purchasing function

Score the risks on the organisation's likelihood and consequence scales

Reputation of the company suffers because the press are mis-informed about the organisation's policy of not using suppliers who might use child labour

(Summary level)

A documented ethical policy, which includes purchasing policy

Examine the policy and check specifically for purchasing policy

Not applicable

Not applicable

Risks are not known

14

5 4.5.8.14.2 Evaluate risks

Significant risks are not understood

14

5 4.5.8.14.3 Control risks

For all risks, decide on a cost-effective control to reduce the risk to the risk appetite of the organisation

Significant risks are not controlled

Quarterly examination of the risk register by management, with written confirmation to Internal Audit of changes, or confirmation that no changes are necessary

Controls are put into operation which reduce residual risks to the risk appetite of the organisation

Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls

Examine processes to set up the risk register and examine the register. Ensure all types of risk, including external risks, have been considered

Examine the process which scores the risks

Not applicable

Not applicable

Check controls as part of the audit

Not applicable
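The division-of-duties tests in the database above check system access against three of its example controls: staff who input invoices do not set up suppliers or payments; payments are generated only by staff with no access to order, invoice or supplier master data input; and the payment output file is open only to senior IT staff with no access to accounting systems. The following Python is an added example, not part of the original database, which applies those three rules to a constructed access listing. The permission names, role names and CSV layout are assumptions to be mapped to the real system.

```python
import csv
import io
from collections import defaultdict

# Hypothetical permission and role names; map them to the real system's screens.
ORDER_INPUT = "order_input"
INVOICE_INPUT = "invoice_input"
SUPPLIER_INPUT = "supplier_master_input"
PAYMENT_GENERATE = "payment_generate"
PAYMENT_FILE = "payment_file_write"
SENIOR_IT = "senior_it"

# (rule name, permission that triggers the rule, permissions it must not be held with)
RULES = (
    ("invoice input combined with supplier or payment set-up",
     INVOICE_INPUT, {SUPPLIER_INPUT, PAYMENT_GENERATE}),
    ("payment generation combined with order, invoice or supplier input",
     PAYMENT_GENERATE, {ORDER_INPUT, INVOICE_INPUT, SUPPLIER_INPUT}),
    ("payment output file combined with accounting access",
     PAYMENT_FILE, {ORDER_INPUT, INVOICE_INPUT, SUPPLIER_INPUT, PAYMENT_GENERATE}),
)

# Constructed access listing, one grant per row, as a system export might look.
# "BJones " is deliberately spelt differently from "bjones" to show normalisation.
SAMPLE_ACCESS_LISTING = """\
user,role,permission
asmith,ap_clerk,invoice_input
asmith,ap_clerk,order_input
bjones,ap_clerk,invoice_input
BJones ,buyer,supplier_master_input
cpatel,treasury,payment_generate
dlee,treasury,payment_generate
dlee,buyer,order_input
eking,senior_it,payment_file_write
fwong,it_support,payment_file_write
gross,senior_it,payment_file_write
gross,senior_it,invoice_input
"""


def load_grants(csv_text):
    """Return {user: {"roles": set, "perms": set}}, merging rows per user.

    User IDs are lower-cased and stripped so that grants held under
    differently typed IDs for the same person are combined.
    """
    grants = defaultdict(lambda: {"roles": set(), "perms": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"].strip().lower()
        grants[user]["roles"].add(row["role"].strip().lower())
        grants[user]["perms"].add(row["permission"].strip().lower())
    return dict(grants)


def find_conflicts(grants):
    """Return a sorted list of (user, rule name, offending permissions or roles)."""
    findings = []
    for user in sorted(grants):
        perms = grants[user]["perms"]
        roles = grants[user]["roles"]
        for name, trigger, forbidden in RULES:
            clash = sorted(perms & forbidden) if trigger in perms else []
            if clash:
                findings.append((user, name, clash))
        # The payment output file should be open to senior IT staff only.
        other_roles = sorted(roles - {SENIOR_IT})
        if PAYMENT_FILE in perms and other_roles:
            findings.append((user, "payment output file held outside senior IT",
                             other_roles))
    return findings


if __name__ == "__main__":
    for user, rule, detail in find_conflicts(load_grants(SAMPLE_ACCESS_LISTING)):
        print(f"{user}: {rule}: {', '.join(detail)}")
```

Each finding is a lead for the auditor to follow up with the manager who granted the access, not proof that the control has failed.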


Audit: Purchasing and payment of expense goods and services

Column key:
L1: Level 1 risk number. Corresponds to the Risk database
L2: Level 2 risk number. Corresponds to the Risk database
L3: Level 3 risk number
L4: Level 4 risk number
L5: Level 5 risk number
L: Level of the process on this row (1 to 5)
Ref: Reference number of the process (L1.L2.L3.L4.L5). This is a unique number which defines this process throughout the organisation
Process: Title of the process
Process Description: A brief description of what the process does. Any more details should be filed in the audit file
Risk to process: The threat to the process. There may be several risks to one process, or one risk may threaten several processes
Risk source: Who identified the risk (management, risk workshop, auditor, meeting)
IRC: Inherent risk consequence score. See "Scoring risks" worksheet
IRL: Inherent risk likelihood score. See "Scoring risks" worksheet
IRS: Inherent risk scores multiplied to give significance
Example control: An example of a control which might mitigate the risks
Example monitoring: An example of a monitoring control which might check the operation of the control
Tests: An example of a test which might confirm the operation of the control
Ref: Reference to the schedule giving more details of the test
RRC: Residual risk consequence score. See "Scoring risks" worksheet
RRL: Residual risk likelihood score. See "Scoring risks" worksheet
RRS: Residual risk scores multiplied to give significance
Cont score: Control score = IRS - RRS. The higher it is the more important the control
Issue: Details where the risk is not mitigated to the acceptable level ("Risk appetite")
Action: Action which management is taking to reduce the risk
By whom: The job title and name of the person responsible for ensuring the action takes place
Conclusion Risks: Conclusion on risk management (see "Allocating conclusions" worksheet)
Conclusion Controls: Conclusion on the adequacy of internal controls (see "Allocating conclusions" worksheet)
Conclusion Action: Conclusion on any action required to reduce risks (see "Allocating conclusions" worksheet)
Conclusion Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls (see "Allocating conclusions" worksheet)
Report ref: The paragraph number in the report where the issue is reported
Follow-up Risks: Conclusion on risk management from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Controls: Conclusion on the adequacy of internal controls from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Action: Conclusion on any action required to reduce risks from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls from the last follow-up audit (see "Allocating conclusions" worksheet)

Audit: Purchasing and payment of expense goods and services

Advice on scoring risks (inherent and residual)


1 to 3 scale

If the consequence when the risk occurs is: | OR the likelihood of the risk occurring is: | Then the measure is defined to be:
To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk > 100,000 | Almost certain | High (3)
To stop the organisation achieving its objectives for a limited period. Cash at risk <100,000 >5,000 | Possible | Medium (2)
To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk <5,000 | Unlikely | Low (1)

Values are an example only. They should be agreed at board level as part of setting the risk appetite of the organisation

Grading individual risks (residual)

Likelihood of residual risk / Consequence of residual risk | Low (1) | Medium (2) | High (3)
High (3) | 3 Supplementary Issue / Acceptable | 6 Unacceptable risk | 9 Unacceptable risk
Medium (2) | 2 Acceptable | 4 Issue risk | 6 Unacceptable risk
Low (1) | 1 Acceptable | 2 Acceptable | 3 Supplementary Issue / Acceptable

Risk score = Likelihood score X Consequence score

Unacceptable: Immediate action required
Issue: Action required to control the risk
Supplementary issue: Action is advisable
Acceptable: No action required

1 to 5 scale

If the consequence when the risk occurs is: | OR the likelihood of the risk occurring is:
A catastrophic impact on the organisation, threatening its existence. Cash at risk > 1,000,000 | Almost certain
To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk <1,000,000 >100,000 | Probable
To stop the organisation achieving its objectives for a limited period. Cash at risk <100,000 >30,000 | Possible
To stop the organisation achieving its objectives for a limited period. Cash at risk <30,000 >5,000 | Unlikely
To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk <5,000 | Rare

Likelihood of residual risk / Consequence of residual risk | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost certain (5) | 5 Supplementary Issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable
Probable (4) | 4 Acceptable | 8 Supplementary Issue | 12 Issue | 16 Unacceptable | 20 Unacceptable
Possible (3) | 3 Acceptable | 6 Supplementary Issue | 9 Issue | 12 Issue | 15 Unacceptable
Unlikely (2) | 2 Acceptable | 4 Acceptable | 6 Supplementary Issue | 8 Supplementary Issue | 10 Issue
Rare (1) | 1 Acceptable | 2 Acceptable | 3 Acceptable | 4 Acceptable | 5 Supplementary Issue

Risk score = Likelihood score X Consequence score

Unacceptable: Immediate action required to control the risk
Issue: Action required to control the risk
Supplementary issue: Action is advisable if it is cost-effective
Acceptable: No action required

Then the measure is defined to be:

Catastrophic (5)

Major (2)

Moderate (2)

Minor (2)

Insignificant (1)


Audit: Purchasing and payment of expense goods and services

Advice on allocating conclusions


Conclusion on: Risks have been identified, evaluated and managed
Green: Thorough processes have been used and all significant risks should have been identified
Amber: Processes have been used, but there are some deficiencies
Red: Inadequate, or no, processes have been used

Conclusion on: Internal controls reduce risks to acceptable levels
Green: The risk is being mitigated to an acceptable level by the control(s)
Amber: The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved
Red: The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results (red) or The risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results

Conclusion on: Action being taken to promptly remedy significant failings or weaknesses
Green: The action being taken will result in all risks being mitigated
Amber: The action being taken will result in some reduction in risk but not to acceptable levels
Red: No action is being taken, OR insufficient action is being taken to mitigate risks

Conclusion on: Current levels of monitoring are sufficient
Green: No more monitoring is necessary than is done at present
Amber: Some additional monitoring is required
Red: Major improvements are required to the monitoring of controls

Score (1 to 3 scale): green 0, 1, 2 or 3; amber 4 (possibly 3); red 6 or 9
Score (1 to 5 scale): green =<8; amber >9 <14; red >14
Grading: green Acceptable; amber Issues; red Unacceptable
Report as: green Supplementary issue, if cost effective controls can reduce the risk further, otherwise do not report; amber Key issue; red Key issue

Looking at it another way:

Green, acceptable (score 0, 1, 2 or 3 on the 1 to 3 scale; =<8 on the 1 to 5 scale)
Risks have been identified, evaluated and managed: Thorough processes have been used and all significant risks should have been identified
Internal controls reduce risks to acceptable levels: The risk is being mitigated to an acceptable level by the control(s)
Action being taken to promptly remedy significant failings or weaknesses: The action being taken will result in all risks being mitigated
Current levels of monitoring are sufficient: No more monitoring is necessary than is done at present
Report as: Supplementary issue, if cost effective controls can reduce the risk further, otherwise do not report

Amber, issue (score 4, possibly 3, on the 1 to 3 scale; >9 <14 on the 1 to 5 scale)
Risks have been identified, evaluated and managed: Processes have been used, but there are some deficiencies
Internal controls reduce risks to acceptable levels: The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved
Action being taken to promptly remedy significant failings or weaknesses: The action being taken will result in some reduction in risk but not to acceptable levels
Current levels of monitoring are sufficient: Some additional monitoring is required
Report as: Key issue

Red, unacceptable (score 6 or 9 on the 1 to 3 scale; >14 on the 1 to 5 scale)
Risks have been identified, evaluated and managed: Inadequate, or no, processes have been used
Internal controls reduce risks to acceptable levels: The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results (red) or The risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results
Action being taken to promptly remedy significant failings or weaknesses: No action is being taken, OR insufficient action is being taken to mitigate risks
Current levels of monitoring are sufficient: Major improvements are required to the monitoring of controls
Report as: Key issue
