
Contributed June 27, 2002 by Don Whitehouse <Don.Whitehouse@cacky.com>

Instructions for completing the risk assessment model.

1. Begin by inputting the information into the Objectives worksheet. The AUDIT column should consist of the audit universe. Other columns are optional (Type, Unit, Objective and Key Contacts).
2. Each audit listed automatically copies to the remaining worksheets.
3. Go to the Summary worksheet. The Summary worksheet contains a Criteria legend.
4. Input the estimated audit hours needed to complete each audit. See estimated hours column.
5. Next, point and click on each criteria under the Criteria Legend to input risk assessment data. Each Criteria worksheet contains comments for each criteria element to help assign rankings. The Summary worksheet is automatically updated.
6. Go to the SORT worksheet. Point and click on the SORT BY RANK button.
7. While in the SORT worksheet, point and click on the available hours link. Input information as required to get total available person-hours.
8. Input the hours available for each audit by year for a 5-year plan. The net available or needed hours are automatically calculated. See row 16 beginning at column V.

NOTE: Each time data is updated in step 5, criteria worksheet, all the subsequent steps must be repeated.

AUDIT OBJECTIVES

Data Entry Cells

Audit Type Legend: F Financial, O Operational, C Compliance
Unit Legend: C1 Company 1, C2 Company 2, C3 Company 3, C4 Company 4, C5 Company 5, C6 Company 6, C7 Company 7

Columns: AUDIT, TYPE, UNIT, OBJECTIVE, Key Contacts

AUDIT: Accounts Payable
TYPE: OF
UNIT: All
OBJECTIVE: Effectiveness and efficiency of A/P process. Controls over cash disbursements.

AUDIT: Accounts Receivable
TYPE: OF
UNIT: CII
OBJECTIVE: Effectiveness and efficiency of A/R process. Controls over cash receipts.

2002 RISK ASSESSMENT WORKSHEET
INTERNAL AUDITING
FIVE-YEAR AUDIT PLAN
RISK ASSESSMENT ANALYSIS

Data entry cells

Unit Legend: C1 Company 1, C2 Company 2, C3 Company 3, C4 Company 4, C5 Company 5, C6 Company 6, C7 Company 7
Audit Type Legend: F Financial, O Operational, C Compliance

Criteria Legend (with MAXIMUM SCORE per variable):
A  Nature of Operations                          45
B  Nature of Transactions                        27
C  Management                                    18
D  External Influences                           18
E  Systems                                       45
F  Dollar Volume/Materiality                      9
G  Changes in Procedures/Personnel               27
H  Results of Prior Audits/Mgmt Interest         18
I  Time Since Last Audit                          9
J  Opportunities to achieve operating benefits   27

Columns: AUDIT, UNIT, TYPE, VARIABLE A to J, RISK EVAL SCORE, MAX SCORE, EST AUDIT HOURS, Last AUDIT DATE, FIVE YEAR AUDIT PLAN (2002, 2003, 2004, 2005)

AUDIT                UNIT  TYPE  A to J     RISK EVAL SCORE  MAX SCORE  EST AUDIT HOURS
Accounts Payable     C1    OF    0 in each  0                243        120
Accounts Receivable  C2    OF    0 in each  0                243        120


INTERNAL AUDITING MRU
FIVE-YEAR AUDIT PLAN
RISK ASSESSMENT ANALYSIS

Unit Legend: C1 Company 1, C2 Company 2, C3 Company 3, C4 Company 4, C5 Company 5, C6 Company 6, C7 Company 7
Audit Type Legend: F Financial, O Operational, C Compliance

Criteria Legend (with MAXIMUM SCORE per variable):
A  Nature of Operations                          45
B  Nature of Transactions                        27
C  Management                                    18
D  External Influences                           18
E  Systems                                       45
F  Dollar Volume/Materiality                      9
G  Changes in Procedures/Personnel               27
H  Results of Prior Audits/Mgmt Interest         18
I  Time Since Last Audit                          9
J  Opportunities to achieve operating benefits   27

NOTE: A red cell indicates assigned hours are less than estimated hours to complete and that additional resources are needed.

                        2002   2003   2004   2005   2006
Available Hours         3156   3156   3156   3156   3156
Sum of Assigned Hours    200      0      0      0      0
Net                     2956   3156   3156   3156   3156

Columns: AUDIT, UNIT, TYPE, VARIABLE A to J, RISK EVAL SCORE, MAX SCORE, EST AUDIT HOURS, Last AUDIT DATE, FIVE YEAR AUDIT PLAN (2002, 2003, 2004, 2005, 2006)

AUDIT                UNIT  TYPE  A to J     RISK EVAL SCORE  MAX SCORE  EST AUDIT HOURS  2002
Accounts Payable     C1    OF    0 in each  0                243        120              120
Accounts Receivable  C2    OF    0 in each  0                243        120              80

A. Nature of Operations

NATURE OF OPERATIONS
RANK 1 = Low risk to 9 = High risk

Columns: AUDIT, Significant Changes, Pressure Meeting Objectives, Clearly Defined Objectives, Strategic Value, Inherent Risk, Total Score, Total Possible Score

Accounts Payable: Total Score 0, Total Possible Score 45
Accounts Receivable: Total Score 0, Total Possible Score 45

Cell C5 comment: Significant Changes: Measure of exposure relating to past and future changes impacting the unit.
1: No significant changes experienced and minimal change is anticipated within the next year.
5: Significant changes have occurred in the past year but are not anticipated within the next year.
9: Unit will significantly change within the year.

Cell D5 comment: Pressure Meeting Objectives: Measure of exposure relating to the sacrificing of accuracy for speed in executing transactions.
1: Quality is of the highest priority and existing deadlines have limited influence on work.
3: Unit tries to meet certain deadlines but is frequently late if errors exist.
7: Unit must meet deadlines but will delay only if there are material problems.
9: Unit must meet certain deadlines and anything late is not acceptable.

Cell E5 comment: Clearly Defined Objectives: Measure of the unit's understanding of its objectives and how they support the company's overall objectives.
1: Unit has clearly defined measures of performance which support the Company's overall objectives.
5: Unit has some understanding of its objectives and how they support the company's overall objectives.
9: Unit's objectives are not clearly defined and do not support the Company's overall objectives.

Cell F5 comment: Strategic Value: The company places significant value on the success of the division for future growth.
1: The unit is important, but not significant to future operations, unit's future is stable.
9: The unit is crucial for future success of company, uncertainty exists in the unit's future.

Cell G5 comment: Inherent Risk: Each activity carries a certain risk that comes with performing that activity.
1: Low volatility or fluctuation to the unit's processes, products or external influences. The unit processes or produces a product that is difficult to market or convert to personal use.
5: The unit's processes, products or external influences change frequently, however ample time is allowed to react to the changes. The unit processes or produces a product that is marketable or converted to personal use with limited difficulty.
9: The unit's processes, products or external influences change frequently and with little or no notice. High volatility. The unit processes or produces a product very marketable and desired.

B. Nature of Transactions

NATURE OF TRANSACTIONS
RANK 1 = Low risk to 9 = High risk

Columns: AUDIT, Number of Transactions, Complexity of Transactions, Accuracy of Information, Total Score, Total Possible Score

Accounts Payable: Total Score 0, Total Possible Score 27
Accounts Receivable: Total Score 0, Total Possible Score 27

Cell C5 comment: Number of Transactions: Measure of the exposure due to accuracy being sacrificed because of the number of transactions that must be handled.
1: Unit has low volume and time to recheck work.
4: Volume is moderate but time is available to correct most problems.
7: Volume is high and only serious problems are handled immediately.
9: Volume is very high. Almost all error research is put off and only material problems are looked into.

Cell D5 comment: Complexity of Transactions: Measure of the level of complexity involved in transactions related to the unit.
1: Transactions are simple and routine.
4: Transactions are moderately simple and require limited judgement.
7: Transactions are fairly complex and may require personal judgement.
9: Transactions are complex and require involved thought processes.

Cell E5 comment: Accuracy of Information: Measure of the exposure that has been mitigated by the accuracy of unit information.
1: Information processed or retained by the unit has an excellent record of complete accuracy.
3: Inaccuracy existing in information is not material to the unit.
5: Unit has experienced or is experiencing information accuracy problems, but the effect is only slightly material.
7: Accuracy of the information is often suspect.
9: Unit has or is experiencing serious accuracy information problems.

C. Management

MANAGEMENT
RANK 1 = Low risk to 9 = High risk

Columns: AUDIT, Attention given by Management, Monitoring Activities, Total Score, Total Possible Score

Accounts Payable: Total Score 0, Total Possible Score 18
Accounts Receivable: Total Score 0, Total Possible Score 18

Cell C5 comment: Attention Given to Area by Senior Management: Measure of the attention given to the unit by senior management which mitigates risk.
1: Senior management is fully aware of the activity of the unit.
3: Senior management has periodic appraisal of the activity of the unit.
5: Senior management has limited awareness of the activity of the unit.
7: Unit has past, current or potential problems and limited awareness by senior management.
9: Serious exposures or actual problems have not been communicated to senior management.

Cell D5 comment: Monitoring Activities: Measure of the monitoring activities utilized by departmental management to mitigate risk or exposure in the unit.
1: Departmental management is fully aware of all unit activity.
3: Departmental management adequately monitors unit activity.
5: Departmental management monitors problem areas of the unit.
7: Departmental management becomes involved only if there are major problems with unit activity.
9: There is no communication between staff and departmental management of the unit.

D. External Environment

EXTERNAL INFLUENCES
RANK 1 = Low risk to 9 = High risk

Columns: AUDIT, Compliance with Regulations, Market Stability, Total Score, Total Possible Score

Accounts Payable: Total Score 0, Total Possible Score 18
Accounts Receivable: Total Score 0, Total Possible Score 18

Cell C5 comment: Compliance with Regulations: Measure of the exposure due to complexity and volume of regulations or penalties for noncompliance.
1: Few regulations and little risk for noncompliance.
4: Either substantial regulations or penalties.
7: Substantial volume of transactions with substantial penalty.
9: Heavily regulated with serious ramifications for noncompliance.

Cell D5 comment: Market Stability: Measure of exposure related to the unit's reliance on customers, vendors, etc.
1: Market is very stable. Customers and vendors are static.
5: Market is relatively stable. Significant customers and vendors are static but smaller customers and vendors are volatile.
9: Market is very volatile. Significant customers and vendors change frequently.

E. Systems

SYSTEMS
RANK 1 = Low risk to 9 = High risk

Columns: AUDIT; Relevance: Ability to Satisfy Business Objectives; Integrity: Reliance on Information Systems; Access: Unauthorized Access and Transactions; Availability: Level of Support; Complexity: Relative number of transactions, files and devices; Total Score; Total Possible Score

Accounts Payable: Total Score 0, Total Possible Score 45
Accounts Receivable: Total Score 0, Total Possible Score 45

Cell C5 comment: Reliance on Information Systems Applications/Criticality: Measure of exposure related to the disruption of information processing.
1: System applications are time savers and the task can be performed manually.
3: Manual procedures and reinstallation of unmodified application packages are easily performed if the system application is not available. Historical data can be ignored for up to one month.
5: Costs of temporary remedies if the application were unavailable would be significant if extended over one business week. Access to historical data must be available within one week.
7: Unit has critical weeks or periods in which the application and historical data must be available. Transactions must be processed within 1-2 business days in order to be effective.
9: Unit has critical applications which must be available real-time. Processing may require constant supervision.

Cell D5 comment: Ability to Satisfy Business Objectives: Measure of exposure related to the risk of an information system application not meeting the needs of management.
1: Application is satisfying all or most functional requirements with adequate response periods.
3: Application does not meet all business objectives or has some time response issues. Minor technical or functional changes are required and planned.
5: Technical and functional modifications are scheduled to make the application meet the majority of the unit's business objectives within required time frames.
7: Business objectives are changing such that the application will need significant modifications, which are not yet planned.
9: Application is scheduled for replacement or is currently in the process of being replaced.

Cell E5 comment: Unauthorized Access: Risk to the company resulting from disclosure of sensitive information.
1: Systems contain generally available information, manipulation of data would have no impact.
5: Systems contain confidential information; however, disclosure or manipulation of such information would only have a minimal impact on operations. Controls are strong.
9: System contains highly confidential information; disclosure or manipulation would have a significant impact on operations.

Cell F5 comment: Level of Support: Measure of exposure related to systems not being adequately supported.
1: Technical support (in-house or vendor) is proactive to platform and functional issues with the application and provides timely, cost-effective upgrades. They solicit user requests for changes and initiate technical change requests when appropriate with user knowledge, approval and testing.
3: Technical support (in-house or vendor) has minimal requests for changes and completes work adequately and timely with user approval and tests of changes.
5: Technical support (in-house or vendor) is responsive to business needs and objectives and provides timely, cost-effective modifications. Some changes are not communicated to and tested by users.
9: Technical support (in-house or vendor) delays completion of support requests due to limited staff or knowledge. Some changes have failed due to lack of user involvement and approval resulting in failures.

Cell G5 comment: Complexity: Measures the relative number of users, interfaces, input items, physical files, logical files, simultaneous interactive queries, time zones supported, devices, and transaction volume. Also, measures the complexity of individual transactions, core programming language and network.
1: Relative low complexity.
5: Average complexity.
9: Applicable systems are highly complex and require experienced personnel to maintain.

F. Dollar Volume/Materiality

DOLLAR VOLUME/MATERIALITY
RANK 1 = Low risk to 9 = High risk

Columns: AUDIT, Materiality, Total Score, Total Possible Score

Accounts Payable: Total Score 0, Total Possible Score 9
Accounts Receivable: Total Score 0, Total Possible Score 9

Cell C5 comment: Measure of the volume and/or materiality of the unit.
1: Less than $100,000
3: Less than $500,000
5: Less than $1,000,000
7: Less than $10,000,000
9: Greater than $50,000,000

G. Changes in Procedures/Personnel

CHANGES IN PROCEDURES/PERSONNEL
RANK 1 = Low risk to 9 = High risk

Columns: AUDIT, Training / Experience, Adequacy of Staffing Levels, Segregation of Duties, Total Score, Total Possible Score

Accounts Payable: Total Score 0, Total Possible Score 27
Accounts Receivable: Total Score 0, Total Possible Score 27

Cell C5 comment: Training/Experience: Measure of the level of training and related experience given to the employees of the unit.
1: Staff is well-experienced and well-trained with all unit policies and procedures.
4: Staff experience is adequate and training is provided.
7: Staff has a mix of experience and training is only provided if problems arise.
9: Staff is inexperienced and little or no training is provided.

Cell D5 comment: Adequacy of Staffing Levels: Considers the number of transactions and the number of employees; measure of the adequacy of the staffing level of the unit as it relates to the achievement of the unit's objectives.
1: Staffing levels are appropriate to support the volume of transactions.
5: Open positions are causing difficulty in supporting the volume of transactions.
9: Staffing levels are not adequate to support the volume of transactions.

Cell E5 comment: Segregation of Duties: Measure of how exposure has been mitigated by separating duties within critical operations.
1: Segregation of duties provides good error detection and requires collusion to defraud.
4: Responsibilities for certain functions are divided, however, individuals have full control over some transactions.
7: Individuals have full control over certain transactions but their work is subject to periodic review.
9: Individuals have full authority and responsibility for transactions with no or ineffective monitoring controls, i.e. there is no segregation of duties.

H. Results of Prior Audits/ Management Interest

PRIOR AUDIT RESULTS/MGT INTEREST
RANK 1 = Low risk to 9 = High risk

Columns: AUDIT, Audit Findings, Follow-up, Total Score, Total Possible Score

Accounts Payable: Total Score 0, Total Possible Score 18
Accounts Receivable: Total Score 0, Total Possible Score 18

Cell C5 comment: Measure of the results of prior audits (based on report classification) and any known weaknesses of the unit.
1: No audit findings.
3: Low risk audit findings only.
5: No audit findings above medium risk.
7: No audit findings above high risk.
9: A high risk audit finding was discovered.

Cell D5 comment: Measures the commitment of management to address audit issues.
1: No audit findings or all findings were corrected within target completion date.
3: Action taken to address findings is reasonable although some target dates may have been missed.
5: Little action was taken to address findings, however intermediate fixes reduce the level of risk.
7: Procedures were developed to address findings, but were not enforced.
9: No action was taken to address the findings. Circumstances have not changed and the findings still exist.

I. Time Since Last Audit

TIME SINCE LAST AUDIT
RANK 1 = Low risk to 9 = High risk

Columns: AUDIT, Time since Last Audit, Total Score, Total Possible Score

Accounts Payable: Total Score 0, Total Possible Score 9
Accounts Receivable: Total Score 0, Total Possible Score 9

Cell C5 comment: Measure of the time period (in years) since the last audit was performed on the unit.
1: Less than one year since last audit.
3: One to two years since last audit.
5: Two to three years since last audit.
7: Three to four years since last audit.
9: Greater than four years since last audit or never audited.

J. Opportunities For Improvement

OPPORTUNITIES FOR IMPROVEMENT
RANK 1 = Low risk to 9 = High risk

Columns: AUDIT, Opportunity Identification, Risk Assessment, Management Interest / Request, Total Score, Total Possible Score

Accounts Payable: Total Score 0, Total Possible Score 27
Accounts Receivable: Total Score 0, Total Possible Score 27

Cell C5 comment: Opportunity Identification: The unit keeps abreast of current practices and benchmarks against other units.
1: The unit has a formal documented process for identifying opportunities, has strong measures, utilizes a problem solving model and builds corrective action into its operating plan.
5: The unit has some processes for identifying opportunities, and may have some measures, may use a problem solving model and does not always follow-up on taking corrective action.
9: The unit does not look for improvement opportunities, has no or ineffective measures, and is satisfied with status quo.

Cell D5 comment: Risk Assessment: A risk assessment process is used to develop an annual operating plan.
1: The unit has a documented formal risk assessment process in place that allows recognition and assessment of changes to its risk profile. The process allows the unit to make informed decisions about accepting, transferring, avoiding or reducing the risk to an acceptable level. The unit is proactive.
4: The unit uses a formal risk assessment occasionally or when new risks are identified.
7: The unit inconsistently uses an informal and incomplete risk assessment process and is reactive to changes to its risk profile.
9: The unit does not have a risk assessment process and is reactive using ad hoc problem solving. "Fights fires".

Cell E5 comment: Management Interest/Request: Measures the level of interest expressed by Management to have Internal Audit review or audit the activity.
1: No management interest.
3: Interest by management expressed through casual conversation.
5: Interest by direct management expressed as a concern.
7: Interest by multiple managers or a senior manager.
9: Request or interest by a stratum 4 or above manager.

Available productive hours

Employee                       1      2      3      4
Total Regular hours         2080   2080    800
Vacation                      80    120
Holidays                      80     80
Sick                          40     40
Training                      80     80
Travel                       104    250
Administrative                50     50
Audit Follow-up               50     50
Misc Special Audit Projects  200    200
Management Request           100    150
Net Hours Available         1296   1060    800

Combined Net Hours Available: 3156
