Introduction
Last updated 21 August 2004
Purpose
The purpose of this spreadsheet is to show typical risks, expected controls and example tests for processes related to the purchasing and payment of expense goods and services (excluding personal expenses). Full details of how to complete and use the database are in the manual, which can be downloaded from www.internalaudit.biz. The database is not complete: it must be changed to suit your organisation. To see how this database fits into the audit universe, download the Risk and Audit Database from www.internalaudit.biz. Auditing is not about carrying out tests taken from an audit programme; it is about understanding the objectives of the processes you are auditing, the risks which threaten them and the controls which actually operate to mitigate them.
Worksheets
There are 7 worksheets in this spreadsheet: Introduction, Scope, Process map, Expense purchases database
Copyright D M Griffiths
Language
I have used UK English for the risk register. Variations from US English include: Supplier = Vendor; Purchase = Procure; Cheque = Check. I have used the term "accounts payable" for purchase ledger, since this is now common in the UK. All sheets copyright David M Griffiths. Not to be copied or distributed without acknowledging the author, or in conjunction with a commercial product.
Audit work plan
In order to carry out this audit the auditors will:
Take into account any previous audits, noting particularly the issues raised
Obtain organisation charts, procedure manuals, training documentation and any other documentation which should be being used by the departments involved in the audit
Obtain budgets, actual figures and any other relevant financial information
If appropriate, meet the external auditors and any other parties with an interest in the processes being audited
Meet with staff at all levels to understand their responsibilities and concerns
Visit all locations which affect the risks involved (warehouses, factories, outsource suppliers)
Carry out walkthrough tests to understand the processes involved, including monitoring controls
Understand the changes made since the last audit
Obtain relevant risk registers, noting when they were last updated
Carry out interviews and risk workshops, as necessary, to ensure all risks have been identified
Add to the risks in the risk register
Score the inherent risks, according to the risk appetite of the organisation, which has been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Carry out the tests necessary to confirm that the controls are operating properly
Score the residual risks, according to the risk appetite of the organisation, which has been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Draw conclusions as to whether each risk is properly controlled (see the example)
Submit a report
Risks
Purchase expense goods
Define objectives
The strategy is not consistent with the overall strategy
The strategy has not been communicated
Set up suppliers
Supplier of vital services/goods may go out of business
Supplier details are not correctly input/modified
New suppliers improperly set up
The requisition may be for goods and services not required
The requisition may be incorrect
Place order
The order is placed with a supplier not providing the best value
The order is incorrect
Receive goods
Goods/services are not what was ordered
Incorrect quantities received are input
Return goods
Payment is made when goods/services have not been received
Settlement discount is not correctly deducted
Payment is not made on the due date
Audit database
L1 4 L2 5 L3 L4 L5
L Ref
2 4.5
Process
Purchase expense goods Define objectives
Risk to process
(Summary level)
Risk source
IRC IRL
IRS
Example control
Example monitoring
Tests
Ref
RRC
RRL
RRS
Cont score
Issue
Action
By whom
Conclusion Risks
Not applicable
Conclusion Controls
Conclusion Action
Conclusion Monitoring
Report ref
Follow-up Risks
Follow-up Controls
Follow-up Action
Follow-up Monitoring
3 4.5.1
(Summary level)
Not applicable
4 4.5.1.1
Define the strategy for expense purchasing
Communicate the strategy
Deliver the strategy
Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders
The strategy does not maximise efficiency and effectiveness and is not consistent with the organisation's strategy
The strategy has not been updated
Inform the staff about the targets
Staff are unaware of the strategy
4 4.5.1.1
The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned. These targets and budgets are approved by management and finance.
Staff are briefed by their managers
Directors check the strategy for departments under their control. The overall budget is approved by the board
The strategy is available on notice boards and the intranet
Directors check the action plan for departments under their control
Not applicable
4 4.5.1.2
Examine the latest strategy document. Check that the budget forms part of the organisation's overall budget. Examine variances for the current year and ensure adequate explanations have been made for excessive
Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
Examine the action plan. Check for progress to implement it.
Not applicable
Not applicable
4 4.5.1.3
Form an action plan, with the staff involved, to deliver the strategy
Set up new Suppliers on the computer system, or modify existing details. Includes addresses and payment terms
Raise a request (may be on the computer system, but could be an e-mail or manual form) for goods or services to be ordered
Based on the authorised requisition, purchasing department raise an order. This may be on an existing Supplier but might require negotiations with a new Supplier
Suitable suppliers are identified to supply goods/services. Sealed tenders (quotes) are called for and opened in the presence of an independent person. The cheapest tender is chosen, if all conditions have been complied with
Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services
If the goods are not those ordered, are damaged, or too many are delivered, they will be returned to the Supplier. If they are found to be faulty after the processing of an invoice, or payment, a credit note will be required
Not applicable
4 4.5.1.3
Individuals are given their targets based on those of the department
Directors, or senior managers, check the staff targets for departments under their control
Examine staff targets for a selection of staff
Rights to place requisitions and orders are in a written policy
Rights to authorise requisitions and orders are in a written policy
Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details
Requisitions are authorised by an appropriate manager
The policy is checked every year to ensure it is correct
Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director
Budgets are maintained for all expenses with monthly monitoring against actual
The requisitioner will query any difference
Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Check individual reports over the last six months for evidence of checking. Observe the process in action.
Not applicable
4 4.5.1.3
Any member of staff can authorise the purchase of any goods or services
Any member of staff can requisition any goods or services
Supplier details are not correctly input/modified
Not applicable
4 4.5.1.3
3 4.5.2
Set up Suppliers
Check individual reports over the last six months for evidence of checking. Observe the process in action.
Not applicable
Departments requisition goods/services
Purchasing order raised for goods/services
Expense goods/services requested are not needed or are not for the benefit of the company
Details on the requisition are incorrect
The order is incorrect, that is does not agree to the approved requisition
Confirmation is required on the order screen before the order is sent or printed
Observe the procedure for electronically authorising requisitions. If possible, have the computer controls checked by a competent auditor.
Observe the process and try submitting without confirmation
Not applicable
Not applicable
Not applicable
3 4.5.5
The price on the order does not give the organisation maximum value
The order is placed by trained purchasing staff using prices on the computer, or negotiated with the supplier.
Budgets are maintained for all expenses with monthly monitoring against actual
Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists. Examine the input of orders. Try and set up a new supplier from the order screen
Not applicable
3 4.5.5
Orders are placed with suppliers who do not provide best value (quality/price/delivery)
Orders can only be placed with suppliers previously set up on the computer
Half-yearly report listing suppliers and spend which is approved by the Purchasing Director
Computer report showing requisitions not turned into orders within 2 days is checked by the supervisor
Requisitioners will complain if orders are received late
Not applicable
3 4.5.5
Not applicable
3 4.5.5
The requisitioner supplies the codes. The computer checks these exist but cannot check if they are correct.
Budget holders check their expenses each month for incorrect items
Examine accounts journals and other documentation used to correct coding errors to judge how frequent they are
Check access to order screens is limited to approved purchasing staff. Check orders raised without approved requisitions are approved
Check expenditure over X to see if contracts have been raised. Examine the tendering process, and last contracts signed, to ensure the process is operating. (This could be done as a separate audit)
Check for the existence of recent, tested contingency plans
Not applicable
3 4.5.5
Orders are placed for goods not required, without approved requisitions
3 4.5.6
Contracts are not negotiated to ensure the best prices for ongoing services such as maintenance
All orders have to be placed through the computer. Orders can only be raised by purchasing staff. Orders without requisitions must be approved by a senior manager
Expenditure on services is constantly monitored to check if contracts should be raised to ensure best prices and service. Contracts are tendered, as necessary, to ensure best prices.
Budget holders check their expenses each month for incorrect items
Not applicable
Senior purchasing management monitor expenses, and check all tenders to confirm the process
3 4.5.7
If possible, have two, or more, sources of supply. Hold sufficient stocks of vital spares. Have contingency plans for failure of vital supplies
Continuity of supply is written into managers' targets, on which they are assessed
Computer report showing where quantities received differ from the order
Requisitioners should complain if the goods/services differ from the order
Not applicable
3 4.5.7
Examine this report and check on the action taken. Note items which may be old and uncorrected
Not applicable
3 4.5.7
The computer warns if the quantity received is different from that ordered
Not applicable
3 4.5.7
Automatic update with exception reports where this has not occurred
Not applicable
3 4.5.7
Budget holders check their expenses each month for incorrect items
Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists.
Ask a sample of staff their opinions on the quality of goods received
Not applicable
3 4.5.7
Responsibility of the person receiving the goods/services to complain of poor quality to the ordering department
All goods are received at one, secure, location, which inputs their receipt against the order
No formal monitoring
Not applicable
3 4.5.7
Requisitioner will complain if goods are not received
Visit the receiving area. Check security and observe the receipt of goods.
Not applicable
3 4.5.8
Goods/services returned
Goods can only be returned on the authority of the buyer, who raises a "Goods Return Note". One copy goes with the goods, the other is keyed into the computer as a debit note. This automatically reduces the next payment.
Take a sample of Goods Returned Notes and check that the correct credit has been received
Not applicable
3 4.5.8
1
Support purchasing of expenses
Define objectives for supporting expense purchasing
Define the strategy
(Summary level)
Not applicable
4 4.5.8.1
1
(Summary level)
Not applicable
Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders
The strategy has not been updated
Inform the staff about the targets
Staff are unaware of the strategy
The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned
Staff are briefed by their managers
Directors check the strategy for departments under their control
The strategy is available on notice boards and the intranet
Directors check the action plan for departments under their control
Not applicable
Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
Examine the action plan
Not applicable
Form an action plan, with the staff involved, to deliver the strategy
Process transactions resulting from the purchase of expenses
Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price. Differences outside a pre-defined tolerance are held and cleared by purchasing. Invoices with no order have to have senior management authorisation.
After input of the invoice, it is sent for microfiching and the paper copy destroyed
Receive a properly approved cheque requisition, with supporting documentation
Not applicable
Individuals are given their targets based on those of the department
Directors, or senior managers, check the staff targets for departments under their control
Examine staff targets for a selection of staff
Rights to place requisitions and orders are in a written policy
Rights to authorise requisitions and orders are in a written policy
The policy is checked every year to ensure it is correct
Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Not applicable
No limitation is set on the authority of staff to commit the organisation
Transactions are not processed completely and accurately
Invoice input against incorrect supplier
Not applicable
5 4 4.5.8.2
Not applicable
Process transactions
Not applicable
Most invoices are input against an order and the supplier details are checked. If no order exists there is no control
Not applicable
Where the invoice is matched to an order, an exception report is produced for invoices not matching and these are held until purchasing approve the difference. Invoices without orders are batch totalled
Monthly check, by management, of the report showing invoices held in query. Follow-up of invoices over one month old
Examine the query report to ensure no queries are outstanding for an excessive period of time, and that all are being actively pursued
Not applicable
Where the invoice is matched to an order the computer will not allow the input of another invoice. Invoices are stamped "input"
Budget holders should check the actual expenditure against their budget each month
Ask a sample of budget holders to provide evidence that they have checked the expenses for the previous month
Not applicable
Where the invoice is matched to an order the computer will not allow the input of another invoice. If copy invoices are received, where no orders exist, they are checked to the supplier account before processing. The computer will not accept duplicate invoice numbers
Budget holders should check the actual expenditure against their budget each month
Not applicable
Most invoices are matched against approved orders. Other invoices must be approved by a senior manager and accountant, who writes the account code on. Invoices can only be paid to suppliers set up on the system, for which separate checks apply. Duties are divided to ensure staff who input invoices do not set up suppliers or payments
All purchasing and transaction processing staff have specific training on the analysis of Value Added Tax (VAT). Detailed guidelines are available. The computer checks for incorrect calculations
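The invoice input controls described in these rows (match to order and goods receipt with a tolerance, senior authorisation for invoices without an order, rejection of duplicate invoice numbers and of a second invoice against an order, supplier must be on the master file, held items cleared by purchasing) as an added Python example; this is not the spreadsheet's own logic, and the 2% tolerance, supplier names, order and invoice data are constructed assumptions.

```python
"""Three-way invoice match (invoice vs order vs receipt) with tolerance, duplicate rejection,
no-order authorisation and a query list cleared by purchasing. Constructed example."""
from __future__ import annotations
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class Order:
    order_no: str
    supplier: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class Invoice:
    supplier: str
    invoice_no: str
    order_no: str | None             # None for an invoice with no order
    qty: int
    unit_price: Decimal
    senior_approval: bool = False    # only meaningful when there is no order


@dataclass
class AccountsPayable:
    orders: dict[str, Order]
    receipts: dict[str, int]                     # order_no -> quantity received
    suppliers: set[str]                          # names on the supplier master file
    price_tolerance: Decimal = Decimal("0.02")   # assumed 2% price tolerance
    seen: set[tuple[str, str]] = field(default_factory=set)   # (supplier, invoice_no)
    invoiced_orders: set[str] = field(default_factory=set)
    held: dict[tuple[str, str], Invoice] = field(default_factory=dict)
    accepted: list[Invoice] = field(default_factory=list)

    def input_invoice(self, inv: Invoice) -> str:
        """Input one invoice; returns 'accepted', 'held: ...' or 'rejected: ...'."""
        key = (inv.supplier, inv.invoice_no)
        if key in self.seen:
            return "rejected: duplicate invoice number"
        if inv.supplier not in self.suppliers:
            return "rejected: supplier not set up on the system"
        if inv.order_no is None:   # nothing to match against, so senior management must authorise
            if not inv.senior_approval:
                return "rejected: invoice without order needs senior management authorisation"
            self.seen.add(key)
            self.accepted.append(inv)
            return "accepted"
        order = self.orders.get(inv.order_no)
        if order is None or order.supplier != inv.supplier:
            return "rejected: no order with that number for this supplier"
        if inv.order_no in self.invoiced_orders:
            return "rejected: an invoice has already been input against this order"
        # Quantity is matched against the goods receipt, price against the order
        problems = []
        received = self.receipts.get(inv.order_no, 0)
        if inv.qty > received:
            problems.append(f"quantity {inv.qty} exceeds {received} received")
        if abs(inv.unit_price - order.unit_price) > order.unit_price * self.price_tolerance:
            problems.append(f"price {inv.unit_price} outside tolerance of order price {order.unit_price}")
        self.seen.add(key)                 # held invoices are on the system too
        self.invoiced_orders.add(inv.order_no)
        if problems:
            self.held[key] = inv           # query report for purchasing to clear
            return "held: " + "; ".join(problems)
        self.accepted.append(inv)
        return "accepted"

    def clear_query(self, supplier: str, invoice_no: str) -> bool:
        """Purchasing approves a held difference, releasing the invoice for payment."""
        inv = self.held.pop((supplier, invoice_no), None)
        if inv is None:
            return False
        self.accepted.append(inv)
        return True


def demo() -> tuple[AccountsPayable, list[str]]:
    """Constructed orders, receipts, master file and invoices, one per control outcome."""
    ap = AccountsPayable(
        orders={"PO100": Order("PO100", "Acme Stationery", 50, Decimal("4.00")),
                "PO101": Order("PO101", "Acme Stationery", 10, Decimal("120.00")),
                "PO102": Order("PO102", "Bolt Maintenance", 1, Decimal("900.00"))},
        receipts={"PO100": 50, "PO101": 8, "PO102": 1},
        suppliers={"Acme Stationery", "Bolt Maintenance"},
    )
    invoices = [
        Invoice("Acme Stationery", "A-1", "PO100", 50, Decimal("4.05")),    # within tolerance
        Invoice("Acme Stationery", "A-1", "PO100", 50, Decimal("4.05")),    # duplicate number
        Invoice("Acme Stationery", "A-2", "PO101", 10, Decimal("120.00")),  # only 8 received
        Invoice("Bolt Maintenance", "B-7", "PO102", 1, Decimal("990.00")),  # 10% over order price
        Invoice("Bolt Maintenance", "B-8", None, 1, Decimal("250.00")),     # no order, unauthorised
        Invoice("Bolt Maintenance", "B-8", None, 1, Decimal("250.00"), senior_approval=True),
        Invoice("Shady Supplies", "S-1", None, 1, Decimal("99.00"), senior_approval=True),
    ]
    return ap, [ap.input_invoice(inv) for inv in invoices]
```

Only invoices in `accepted` would feed a payment run, which is the page's rule that computer payments are made only against matched or authorised invoices.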
Budget holders should check the actual expenditure against their budget each month
Check a sample of items received through to the stock system, or other evidence, to prove that the goods/services were received Check the access to computer screens to ensure division of duties is enforced
Not applicable
Not applicable
4.5.8.2.2
Invoices are sequentially numbered on input. When microfiching, the continuity of these numbers is checked
The fiche are checked by staff when received back from the microfiching department
Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payment cheques must be supported by the cheque requisition and signed by two senior managers
Budget holders should check the actual expenditure against their budget each month
Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payment cheques must be supported by the original invoices and signed by two senior managers
Payment terms are set up on the supplier account. They can only be changed on written instructions for a buyer. Settlement discount can be overridden for a specific order, but only by a manager
Check a selection of fiche to ensure no numbers are missing
Check a sample of cheque requisitions, to ensure this type of transaction should have been used (that is, no invoice is available) and it was properly approved. Check that the item being paid for is genuine
Not applicable
Not applicable
The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details in the computer, or by paying with a manual cheque.
Computer payment is made for goods or services which have not been received
Check a sample of payments taken from the cash sheets to prove that the goods/services paid for were received
Not applicable
Payment terms are checked by buyers every 6 months
For the sample of payments used in the above test, check that the correct settlement discount has been taken
Not applicable
Payment terms are set up on the supplier account. They can only be changed on written instructions for a buyer
Payment terms are checked by buyers every 6 months
For the sample of payments used in the above test, check that the payment was made on the correct date
Not applicable
The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details in the computer, or by paying with a manual cheque.
Invoices and payments are posted to the general (nominal) ledger in the same accounting period
Cheques are kept in a locked cupboard to prevent theft and subsequent forgery. Overseas payment instructions are signed by two directors. The bank has instructions to telephone the Chief Financial Officer if payments are over an agreed amount.
Bank reconciliation will detect payments made not correctly entered in the books of account
For a sample of manual and overseas payments, ensure that goods/services were received. Check the bank understands its instructions to phone the CFO. If appropriate, carry out a separate audit on foreign payments
Not applicable
Cheque signing signatures are embossed. Cheques are printed by specialist printers with the latest security features
Bank reconciliation will detect payments made not correctly entered in the books of account
Observe the cheque printing process to ensure it is physically secure. Check that the signature plates are stored in a safe with limited access
Not applicable
The payment output file is altered. (This file holds payment data to be transmitted to the bank, or used to print cheques)
Obtain details of those staff with access to the computer files. They should only be senior IT staff with no access to accounting systems
Not applicable
5 4.5.8.2.6
Accounts Payable month-end processes
In order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer, from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued. To ensure details have been correctly passed from the accounts payable system to the general ledger, the total of the accounts payable ledger is reconciled to the accounts payable control account in the general ledger
Manage the accounts payable ledger
Ensure the accounts payable ledger is correctly updated, properly represents amounts owed to creditors and is correctly included in the accounts of the organisation
Provide systems
Provide systems, including computer systems, to support the organisation's operations
Maintain central systems
The proper operation of applications is maintained by a central IT department
Users set up their own computer systems (for example spreadsheets) to produce data
Invoices are posted to the cost centre and nominal account set up on the requisition. The computer verifies that these exist and prevents certain combinations of cost centre and nominal codes
Budget holders check their expenses each month for incorrect items. Plus Financial Accounts check balances to the previous month's and investigate significant discrepancies
The value of all goods received not invoiced is calculated by the computer
Comparison made with previous month's figure. Major differences investigated
Not applicable
Check the report providing the accruals figure. Check that large variances from the previous month have been explained
5 4.5.8.2.6
In major expense service functions (for example advertising) managers must detail services provided which have not been invoiced
Check the composition of the accruals figure. For a sample of receipts on the report, ensure they are recent and obtain explanations why old receipts have not had invoices processed.
5 4.5.8.2.6
Total of supplier balances reconciled to Accounts Payable control account in the General ledger
For a number of months, check this reconciliation has been properly carried out
5 4.5.8.2.7
Scrutinise the reconciliations carried out to ensure they contain no unusual items. If necessary, reperform some reconciliations to ensure they are correct.
Check the accounts payable list of balances for debit balances. For a sample of balances, determine why they arose and the action being taken to recover them.
5 4.5.8.2.7
Supplier with a debit balance, due to credits issued, goes out of business
Exception report highlighting large debit balances. Payment stop put on the account. Systems in place to request repayment of the amount owing
Management scrutiny of large debit balances each month, with a progress report on their recovery
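The month-end controls above (the goods-received-not-invoiced accrual from unmatched receipts, its comparison with last month, the ledger-to-control-account reconciliation and the debit-balance exception report) can be reperformed by the auditor from exported data. The following is an added example written for this page, not code from the original audit database or its author: the receipts, invoices, balances and thresholds (60 days, 25%, 500) are constructed and assumed, to be replaced by the organisation's own extracts and risk appetite.

```python
"""Month-end accounts payable checks (added example, constructed data)."""
from datetime import date

PERIOD_END = date(2004, 8, 31)

# Constructed goods receipt notes: (receipt_no, po_no, supplier, value, date_received)
RECEIPTS = [
    ("GR100", "PO500", "S1", 1200.00, date(2004, 8, 18)),
    ("GR101", "PO501", "S2", 450.00, date(2004, 6, 2)),
    ("GR102", "PO502", "S3", 3000.00, date(2004, 8, 25)),
    ("GR103", "PO503", "S1", 800.00, date(2004, 8, 28)),
]
# Constructed supplier invoices already matched to a receipt: (invoice_no, po_no, receipt_no)
INVOICES = [
    ("INV1", "PO500", "GR100"),
    ("INV2", "PO502", "GR102"),
]
# Constructed accounts payable ledger balances (credit balances positive, debit
# balances negative), the general ledger control account and last month's accrual.
SUPPLIER_BALANCES = {"S1": 2500.00, "S2": 3200.00, "S3": -150.00, "S4": -900.00}
GL_CONTROL_BALANCE = 4700.00
PREVIOUS_GRNI = 900.00


def unmatched_receipts(receipts, invoices):
    """Receipts with no invoice matched against them: the basis of the GRNI accrual."""
    invoiced = {receipt_no for _, _, receipt_no in invoices}
    return [r for r in receipts if r[0] not in invoiced]


def grni_accrual(receipts, invoices):
    """Goods received not invoiced, as the computer would calculate it."""
    return round(sum(value for _, _, _, value, _ in unmatched_receipts(receipts, invoices)), 2)


def grni_variance(current, previous, tolerance=0.25):
    """Relative change against last month; beyond the tolerance means 'investigate'."""
    if previous == 0:
        return None, True
    change = (current - previous) / previous
    return round(change, 4), abs(change) > tolerance


def aged_unmatched(receipts, invoices, period_end, max_age_days=60):
    """Old receipts still awaiting an invoice: the accrual is stale, or the invoice
    was processed without being matched (assumed 60-day cut-off)."""
    return [r[0] for r in unmatched_receipts(receipts, invoices)
            if (period_end - r[4]).days > max_age_days]


def reconcile_control_account(balances, gl_control):
    """Total of supplier balances against the GL control account. A non-zero
    difference means postings were lost or altered between the two systems."""
    ledger_total = round(sum(balances.values()), 2)
    return ledger_total, round(gl_control - ledger_total, 2)


def debit_balance_report(balances, threshold=500.00):
    """Suppliers who owe the organisation at least the threshold; a payment stop
    and a repayment request are expected for each (assumed threshold)."""
    return sorted((s, b) for s, b in balances.items() if b < 0 and -b >= threshold)


def month_end_checks():
    """Run every check over the sample and return the figures an auditor would file."""
    accrual = grni_accrual(RECEIPTS, INVOICES)
    change, investigate = grni_variance(accrual, PREVIOUS_GRNI)
    ledger_total, difference = reconcile_control_account(SUPPLIER_BALANCES, GL_CONTROL_BALANCE)
    return {
        "grni_accrual": accrual,
        "grni_change": change,
        "grni_investigate": investigate,
        "aged_receipts": aged_unmatched(RECEIPTS, INVOICES, PERIOD_END),
        "ledger_total": ledger_total,
        "control_difference": difference,
        "reconciled": difference == 0,
        "large_debit_balances": debit_balance_report(SUPPLIER_BALANCES),
    }


if __name__ == "__main__":
    for name, value in month_end_checks().items():
        print(f"{name}: {value}")
```

On the sample the accrual is 1,250 (receipts GR101 and GR103), up 39% on last month, GR101 is 90 days old, the ledger total of 4,650 differs from the control account by 50, and S4 appears on the debit-balance report. Each of those is an item to trace to the explanation or recovery action the controls say should exist.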
4 4.5.8.3 (Provide systems)
5 4.5.8.3.1 (Maintain central systems)
Risks (Summary level): Data lost through main computer failure, systems unavailable for a prolonged period. User-maintained systems lose data. User-maintained systems produce inaccurate data.
Controls: Range of controls maintained by the IT department. Users monitor their output, such as reconciling the accounts payable balance with the general ledger.
Monitoring: IT management should monitor system reports. Output should be examined for "reasonableness".
5 4.5.8.3.2
Controls: Data is kept on the network, which is backed up daily. All important data is checked, or reconciled, to an independent source to ensure it is correct. If this is not possible, some manual reperformance of calculations, or checks of formulas.
Tests:
- Ensure data is backed up: try retrieving yesterday's files. If a stand-alone computer, check back-up to discs.
- Check formulas are correct. If possible use a spreadsheet analyser to detect possible problems. Reperform important calculations manually, if possible.
- Check all programs have a clearly written user guide.
- Trace figures from the accounts payable system through to totals in the top level management accounts.
- Trace figures from the accounts payable system through to totals in the top level financial accounts.
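The "check formulas" test above is usually done with a spreadsheet analyser. The following is an added example, not code from the original audit database or its author, of the two checks such a tool performs that catch most user-maintained spreadsheet errors: a formula in a column that breaks the pattern of its neighbours (a cell overtyped by hand), and a number hard-coded into a formula instead of held in a referenced cell. The workbook is a constructed sample given as a dict of A1 address to formula text; reading a real file with a library such as openpyxl is an assumption and is not shown.

```python
"""Spreadsheet formula checks for user-maintained systems (added example)."""
import re
from collections import Counter, defaultdict

# A1-style cell reference, with or without $ anchors: A2, $B$5, AA10.
CELL_REF = re.compile(r"\$?([A-Z]{1,3})\$?(\d+)")
NUMBER = re.compile(r"\d+(?:\.\d+)?")

# Constructed sample: column B applies a rate to column A, column C adds A and B,
# C6 is a totals row, B5 has a different rate typed in, D2 subtracts a hard-coded figure.
SAMPLE = {
    "A1": "Net", "B1": "Tax", "C1": "Gross",
    "B2": "=A2*0.2", "B3": "=A3*0.2", "B4": "=A4*0.2", "B5": "=A5*0.175",
    "C2": "=A2+B2", "C3": "=A3+B3", "C4": "=A4+B4", "C5": "=A5+B5",
    "C6": "=SUM(C2:C5)",
    "D2": "=C2-1250",
}


def col_to_num(col):
    """Column letters to a 1-based number: A=1, Z=26, AA=27."""
    n = 0
    for ch in col:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def split_addr(addr):
    """'B5' -> (2, 5)."""
    m = CELL_REF.fullmatch(addr)
    if m is None:
        raise ValueError(f"not an A1 address: {addr}")
    return col_to_num(m.group(1)), int(m.group(2))


def relative_form(addr, formula):
    """Rewrite each reference as an offset from the formula's own cell (R1C1 style),
    so copied-down formulas compare equal and a hand-edited one stands out."""
    col, row = split_addr(addr)

    def repl(m):
        c, r = col_to_num(m.group(1)), int(m.group(2))
        return f"R[{r - row}]C[{c - col}]"

    return CELL_REF.sub(repl, formula)


def formula_cells(cells):
    """Only cells whose content is a formula."""
    return {a: f for a, f in cells.items() if isinstance(f, str) and f.startswith("=")}


def inconsistent_formulas(cells, min_cells=3):
    """Cells whose relative form differs from the majority pattern in their column.
    Totals rows are flagged as well; the reviewer confirms those are intended."""
    by_col = defaultdict(list)
    for addr, f in formula_cells(cells).items():
        by_col[split_addr(addr)[0]].append((addr, relative_form(addr, f)))
    flagged = []
    for items in by_col.values():
        if len(items) < min_cells:
            continue
        majority = Counter(rel for _, rel in items).most_common(1)[0][0]
        flagged.extend(addr for addr, rel in items if rel != majority)
    return sorted(flagged)


def hardcoded_constants(cells, ignore=("0", "1")):
    """Numeric literals left in a formula once its cell references are removed
    (rates, thresholds, adjustments that should live in a referenced cell)."""
    hits = {}
    for addr, f in formula_cells(cells).items():
        literals = [n for n in NUMBER.findall(CELL_REF.sub("", f)) if n not in ignore]
        if literals:
            hits[addr] = literals
    return hits


if __name__ == "__main__":
    print("inconsistent formulas:", inconsistent_formulas(SAMPLE))
    print("hard-coded constants:", hardcoded_constants(SAMPLE))
```

On the sample, B5 is flagged as inconsistent (its rate differs from the rest of the column), C6 is flagged because a totals row never matches the pattern of the rows it sums, and B2 to B5 and D2 carry hard-coded numbers. The tax rate typed into every formula in column B is the classic finding: when the rate changes, one cell is missed.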
4 4.5.8.3
4 4.5.8.4
4 4.5.8.5
Processes: Users set up their own computer systems (for example spreadsheets) to produce data. Collect the data from processed transactions into accounts for management to make decisions. Collect the data from processed transactions into accounts for statutory or tax purposes.
Risks: User-maintained systems understood by only the programmer. Information is incorrectly analysed and summarised.
Controls: A user guide has been written and independently tested. Totals on the management accounts are reconciled to totals from the accounts payable system. Each month, or more frequently, the accounts payable ledger total is reconciled to the accounts payable control account in the general ledger.
Monitoring: Manager holds a copy of the user guide after each revision. Output should be examined for "reasonableness". Manager checks the reconciliation. Management and financial accounts are reconciled.
Staff controls: All jobs have written job descriptions, which show the competencies required. The targets take into account the competencies required. Training is provided when taking on new responsibilities and during a job, to ensure the staff member understands how to do the job and the controls which must operate. Clear policy from the board that training is important.
Monitoring: HR and manager sign off job descriptions. HR and manager sign off appraisals.
4 4.5.8.4
4 4.5.8.5
5 4.5.8.6.1
5 4.5.8.6.2
5 4.5.8.6.3
4 4.5.8.6 Provide staff: Recruit staff and manage staff policies.
Establish job descriptions: Job descriptions, in accordance with policy, are written and approved. Tests: Check for job descriptions of all staff levels. Check appraisal files.
Targets are set for staff with regular appraisals in accordance with policy. Risk: Actual competencies of the staff have not been matched with required competencies.
Staff are trained in order to achieve their targets with maximum effectiveness and efficiency, within the ethical guidelines. Risks: Training is not provided, or is inadequate (for example it omits ethical guidance). Staff not allowed to attend training. Monitoring: Managers monitor the training their staff receive to ensure it is appropriate at all times. HR monitor staff not attending training courses and determine why. Tests: Check training materials. Ask staff who have recently changed jobs about their training. Question staff who have been on courses.
Recruit staff to fill vacancies. Risk: Applicants falsify references. Monitoring: Manager can request references if required. Senior managers should monitor their managers to ensure succession plans exist.
Risks: Insufficient staff are available to carry out all duties, and maintain division of duties. Staff involved in expense purchasing are not aware of legislation which affects them, thus threatening the organisation with prosecution.
Control: HR maintain succession plans for senior key staff. Managers have plans for other key staff.
Tests:
- Take a sample of recent joiners and check that references were supplied. (Other tests are carried out as part of the audit of HR.)
- Examine staff budgets to ensure staff numbers are being maintained at levels which ensure controls are operated.
- Determine when the last update from legal services was received and how it was briefed to staff. If you are aware of any legislation affecting the processes being audited (for example competition legislation), make sure it has been briefed in. These processes will also be covered by audit BS.
- Ask staff about their induction. Do they understand the tax implications of their work? Check invoices for correct treatment of taxes (for example VAT).
- Examine documents given to suppliers and their written agreement. Attend, with qualified staff, the suppliers working on-site.
- Check training records, and H & S audit documentation.
4 4.5.8.7 Control: There is a clear, preferably written, understanding that legal services will update the appropriate managers with legislation which affects them. The managers will brief their staff. Monitoring: Senior management check that important legislation is understood by the functions under their control.
4 4.5.8.8 Advise all areas of the company concerning action to be taken on tax legislation. Risk: Staff involved in expense purchasing are not aware of tax legislation which affects them, thus threatening the organisation with fines or the loss of tax credits. Control: Regular briefings from tax department to all staff concerned. Induction training to include the relevant aspects of tax. Monitoring: Senior manager to check that new tax legislation has been briefed to staff.
4 4.5.8.9 Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers. Risks: Suppliers provide services without observing safety procedures, resulting in injury to staff. Goods purchased, for example cleaning solvents, may create an unsafe environment for employees.
4 4.5.8.10 Manage the environment: Ensure the operations of the organisation obey all environmental laws and good practice. (Summary level)
Health and safety controls (4.5.8.9): Audit of suppliers to ensure they understand health and safety legislation. Orders and contracts contain a clause to ensure suppliers comply with regulations. Purchasing staff have training on general health and safety topics, with specific training for staff ordering chemicals and other potentially hazardous items. Monitoring: Qualified staff check suppliers working. Periodic audits by health and safety department.
4 4.5.8.12 Ensure security: The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation. All assets, including physical assets, stock and information, are physically secure.
Control: All buildings have entry restricted by card operated gates. Monitoring: Periodic audits, by security department, of the access to buildings. Test: During the audit, observe security precautions. Otherwise the tests of physical security are carried out in audit group BX.
Decide on the documents, paper or electronic, which are essential to the operation of expense purchases, or for tax reasons. These may include paper orders, supplier invoices, cash sheets and cheques. Risk: Documents essential to operations (such as cheques) may be lost in a fire. Control: Supplies of paper documents, such as orders and cheques, are stored in a separate building. Documents which must be kept for tax purposes are microfiched, and these are stored in a fireproof safe. Monitoring: It is the responsibility of the departmental manager to ensure documents are retained and securely stored for as long as necessary. Test: Check the existence of the paper documents kept offsite. Check that all microfiche are stored in the fireproof safe, with none left out at night.
For each document, decide on the appropriate storage medium. Risk: Level of protection may not be sufficient. Control: A formal process has been carried out to identify the documents used and their method of storage. Monitoring: It is the responsibility of the departmental manager to ensure documents are retained and securely stored for as long as necessary. Test: Check for evidence of the formal process, and that it is being followed.
Communicate (4.5.8.13) monitoring: The Ethical Committee ensures a complete policy is communicated to all stakeholders.
4 4.5.8.13 Communicate: Inform internal and external stakeholders of the organisation's policies and intentions. Risk (Summary level): Reputation of the company suffers because the press are mis-informed about the organisation's policy of not using suppliers who might use child labour.
4 4.5.8.14 Manage risks threatening expense purchasing processes.
5 4.5.8.14.1 Identify risks: Risk workshops and interviews are held to determine the risks threatening the objectives of the expense purchasing function. Score the risks on the organisation's likelihood and consequence scales.
For all risks, decide on a cost-effective control to reduce the risk to the risk appetite of the organisation. Controls are put into operation which reduce residual risks to the risk appetite of the organisation.
Monitoring: Quarterly examination of the risk register by management, with written confirmation to Internal Audit of changes, or confirmation that no changes are necessary. Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls.
Tests: Examine the processes used to set up the risk register and examine the register. Ensure all types of risk, including external risks, have been considered. Examine the process which scores the risks.
David M Griffiths
Column key:

| Column | Meaning |
|---|---|
| L1 | Level 1 risk number. Corresponds to the Risk database |
| L2 | Level 2 risk number. Corresponds to the Risk database |
| L3 | Level 3 risk number |
| L4 | Level 4 risk number |
| L5 | Level 5 risk number |
| L | Level of the process on this row (1 to 5) |
| Ref | Reference number of the process (L1.L2.L3.L4.L5). This is a unique number which defines this process throughout the organisation |
| Process | Title of the process |
| Process Description | A brief description of what the process does. Any more details should be filed in the audit file |
| Risk to process | The threat to the process. There may be several risks to one process, or one risk may threaten several processes |
| Risk source | Who identified the risk (management, risk workshop, auditor, meeting) |
| IRC | Inherent risk consequence score. See "Scoring risks" worksheet |
| IRL | Inherent risk likelihood score. See "Scoring risks" worksheet |
| IRS | Inherent risk scores multiplied to give significance |
| Example control | An example of a control which might mitigate the risks |
| Example monitoring | An example of a monitoring control which might check the operation of the control |
| Tests | An example of a test which might confirm the operation of the control |
| Ref | Reference to the schedule giving more details of the test |
| RRC | Residual risk consequence score. See "Scoring risks" worksheet |
| RRL | Residual risk likelihood score. See "Scoring risks" worksheet |
| RRS | Residual risk scores multiplied to give significance |
| Cont score | Control score = IRS - RRS. The higher it is, the more important the control |
| Issue | Details where the risk is not mitigated to the acceptable level ("Risk appetite") |
| Action | Action which management is taking to reduce the risk |
| By whom | The job title and name of the person responsible for ensuring the action takes place |
| Conclusion Risks | Conclusion on risk management (see "Allocating conclusions" worksheet) |
| Conclusion Controls | Conclusion on the adequacy of internal controls (see "Allocating conclusions" worksheet) |
| Conclusion Action | Conclusion on any action required to reduce risks (see "Allocating conclusions" worksheet) |
| Conclusion Monitoring | Conclusion on the adequacy of processes to monitor the correct operation of controls (see "Allocating conclusions" worksheet) |
| Report ref | The paragraph number in the report where the issue is reported |
| Follow-up Risks | Conclusion on risk management from the last follow-up audit (see "Allocating conclusions" worksheet) |
| Follow-up Controls | Conclusion on the adequacy of internal controls from the last follow-up audit (see "Allocating conclusions" worksheet) |
| Follow-up Action | Conclusion on any action required to reduce risks from the last follow-up audit (see "Allocating conclusions" worksheet) |
| Follow-up Monitoring | Conclusion on the adequacy of processes to monitor the correct operation of controls from the last follow-up audit (see "Allocating conclusions" worksheet) |
Scoring risks: 3-point scale

Values are an example only. They should be agreed at board level as part of setting the risk appetite of the organisation. Significance = consequence x likelihood.

| Likelihood \ Consequence | Low (1) | Medium (2) | High (3) |
|---|---|---|---|
| High (3) | 3 Supplementary Issue | 6 Unacceptable risk | 9 Unacceptable risk |
| Medium (2) | 2 Acceptable | 4 Issue | 6 Unacceptable risk |
| Low (1) | 1 Acceptable | 2 Acceptable | 3 Supplementary Issue |

Unacceptable: Immediate action required. Issue: Action required to control the risk. Supplementary issue: Action is advisable. Acceptable: No action required.
Scoring risks (inherent and residual): 5-point scale

Each risk is given a consequence score and a likelihood score on the scales below; the two are multiplied to give significance.

| Score | Consequence, if the risk occurs | Cash at risk | Likelihood of the risk occurring |
|---|---|---|---|
| Catastrophic (5) | A catastrophic impact on the organisation, threatening its existence | > 1,000,000 | Almost certain (5) |
| Major (4) | To prevent the organisation achieving all, or a major part, of its objectives for a long time | < 1,000,000 and > 100,000 | Probable (4) |
| Moderate (3) | To stop the organisation achieving its objectives for a limited period | < 100,000 and > 30,000 | Possible (3) |
| Minor (2) | To stop the organisation achieving its objectives for a limited period | < 30,000 and > 5,000 | Unlikely (2) |
| Insignificant (1) | To cause minor inconvenience, not affecting the achievement of objectives | < 5,000 | Rare (1) |

| Likelihood \ Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost certain (5) | 5 Supplementary Issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable |
| Probable (4) | 4 Acceptable | 8 Supplementary Issue | 12 Issue | 16 Unacceptable | 20 Unacceptable |
| Possible (3) | 3 Acceptable | 6 Supplementary Issue | 9 Issue | 12 Issue | 15 Unacceptable |
| Unlikely (2) | 2 Acceptable | 4 Acceptable | 6 Supplementary Issue | 8 Supplementary Issue | 10 Issue |
| Rare (1) | 1 Acceptable | 2 Acceptable | 3 Acceptable | 4 Acceptable | 5 Supplementary Issue |

Unacceptable: Immediate action required to control the risk. Issue: Action required to control the risk. Supplementary issue: Action is advisable if it is cost-effective. Acceptable: No action required.
Allocating conclusions

| Conclusion | Risks: risks have been identified, evaluated and managed | Controls: internal controls reduce risks to acceptable levels | Action: action being taken to promptly remedy significant failings or weaknesses | Monitoring: current levels of monitoring are sufficient | Residual risk score | Report as |
|---|---|---|---|---|---|---|
| Green (Acceptable) | Thorough processes have been used and all significant risks should have been identified | The risk is being mitigated to an acceptable level by the control(s) | The action being taken will result in all risks being mitigated | No more monitoring is necessary than is done at present | Score 0, 1, 2 or 3; score =< 8 | Supplementary issue, if cost-effective controls can reduce the risk further; otherwise do not report |
| Amber (Issue) | | The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved | The action being taken will result in some reduction in risk but not to acceptable levels | Some additional monitoring is required | Score 6 or 9 | Key issue |
| Red | | The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results; or the risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results | No action is being taken, or insufficient action is being taken to mitigate risks | | | Key issue |