Audit Plan

Description

The purpose of this spreadsheet is to demonstrate how a list of risks can be used to generate an audit plan. The IIA standards (2010.A1) state, "The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process."

Reviews
Audit Plan
Rated 7 out of 10

March 07, 2008
Sometimes auditing is really a difficult task, like knowing what is missing when balancing accounting transactions. This plan is of great help for auditing.

Shared by: carthi
posted:
12/24/2007
Risk register and audit plan, 8/12/2008 6:59 PM
©David M Griffiths

Risks register and audit Universe (RAU)
Last updated 21 November 2005

Purpose

The purpose of this spreadsheet is to demonstrate how a list of risks can be used to generate an audit plan. The IIA standards (2010.A1) state, "The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process."

The starting point: lists of risks from many people in the organisation at various levels.

The end point: a list of all the audits (the "audit universe") necessary to check that all risks are mitigated by internal controls. These audits are to be scored in order to indicate their priority.

To understand the way this risk register is used, you need to visit www.internalaudit.biz

This is not a "Best Practice" guide but an example, which you must change to fit your organisation.

The process map

In order to produce an audit plan from a list of risks, the first task is to group the risks. I believe this is best done by linking them to the processes which any organisation has to fulfil its objectives. The advantage of linking risks to processes is that audits also involve processes. Hence, by identifying all important processes, it should be possible to ensure a complete list of audits required (the "audit universe").

Do not confuse this approach with 'Process based' or 'Systems based' auditing. Processes in risk based auditing are used only for convenience. Risks drive the audit plan and individual audits. If you have a risk with no process, go and set up a new process!

Processes are the means to achieve the organisation's objectives. They do not necessarily represent actual departments and could be outsourced. It is important to concentrate on the theoretical processes required, since the actual processes may have weaknesses or omissions.

Processes are arranged in a hierarchy (like an organisation chart), with each process being split into more detail. The first level of processes is known as level 1 and these are split into more detailed processes at level 2. It's usually possible to plan audits at this level. Processes are split further in the audit and the more detailed risks and controls are linked to these. The advantage of this approach is that it avoids having a huge database.

Each level has "Define objectives" at the start and "Support" at the end. There is a need to define the objectives of any set of processes, even if it is only to set targets. "Support" refers to the support directly required by the processes at that level. The example will give you more of an idea.

The processes in this spreadsheet are for a company which manufactures goods and sells them through its own shops, to resellers (wholesalers) or direct to the public.

The risk register

The process maps are used to set up the risk register, where risks are linked to processes. Each box on the process map has a row. This enables risks to be attached to processes at each level, and for each level to have a risk score. This is useful in summarising the risk scores for levels 1 & 2. (This format is slightly different to that used in www.internalaudit.biz)

Several risks may be linked to one process or several processes to one risk. If you have a process with no risks, you may need to ask management if risks do exist in this area. If you have risks but no process, you need to add a process. Do NOT drop risks because they don't fit neatly into your map!

The risk register will be constantly updated with new risks, as they occur to me, or as my researches reveal. It can never be complete. The important point for your risk register is that it gives you a complete "audit universe". It is these audits which need to identify all the key risks in order to assess the controls which mitigate them.

The last columns in the register show details of the last audit of that risk and the next audit planned. This enables the register to be used as an audit planning tool. By sorting and filtering the database an annual audit plan can be produced. A calculation at the end of the "next audit budget" column will show if sufficient resources are available.

The register has one line of titles, so that it can be used as a database (sorted, filtered, reports produced).

I intend to produce example audit databases (audit programmes) for many of the audits in the risk register. See www.internalaudit.biz for more details.

Some audit work may be duplicated. For example, "Transaction processing - purchasing goods for resale" may have some audit work which appears in the support processes for "Purchase of goods for resale". This is not necessarily bad, as it may cover important areas in slightly different ways.

You may have many risks against one process at level 2. If this is the case, split the process to give processes at level 3. See 9.6 - Process Transactions.

Certain major areas of risk, such as health & safety, the environment and quality control, only have one entry each. The level of detail will depend on the responsibilities of the internal audit department. It is assumed that these areas are covered by other specialists and the audit would be concerned with the proper operation and reporting of these functions.

The following notes are tips when considering risks:

When wording risks, try not to make them just the failure to deliver a process. For example, if the process is "Pay invoices", the risk is not "Fail to pay invoices". However, one risk would be "Invoices not selected for payment".

More importantly, risks should not be the absence of a control.
For example, the risk “Invoices are not authorised” presupposes a control. The risk is “Invoices may be paid for goods or services not required”; the control is “All invoices are authorised by a senior manager”.

Worksheets

There are 6 worksheets in this spreadsheet:
Introduction
Process map
Risk register
Column key
Scoring risks
Process map for purchases

Language

I have used UK English for the risk register. Variations from US English include:
Supplier = Vendor
Purchase = Procure
Cheque = Check

I have used the term "accounts payable" for purchase ledger, since this is now common in the UK.

All sheets copyright David M Griffiths. Not to be copied or distributed without acknowledging the author, or in conjunction with a commercial product.

Process map: Level 1 and 2 processes

Centre of the map: Organisation's objectives

Define objectives: Decide strategy, Communicate strategy, Deliver strategy, Maintain strategy, Support strategy
Research: Define objectives, Research products, Research markets, Research customers, Research locations, Support research
Obtain premises: Define objectives, Obtain offices, Obtain factories, Obtain warehousing, Obtain retail premises, Support obtaining premises
Purchase: Define objectives, Purchase raw materials, Purchase assets, Purchase finished goods, Purchase expense goods, Support purchasing
Manufacture: Define objectives, Design products, Specify manufacturing, Plan manufacturing, Manufacture, Support manufacturing
Promote: Define objectives, Promote in-store, Promote to customers, Advertise in papers, Advertise on TV, Support promotions
Supply: Define objectives, Store goods, Distribute goods, Support distribution
Sell: Define objectives, Sell in stores, Sell to resellers, Sell direct, Support sales
Support: Define objectives, Process transactions, Provide systems, Prepare management accounts, Prepare financial accounts, Provide staff, Provide legal services, Provide tax services, Ensure quality, Ensure health & safety, Manage the environment, Ensure security, Communicate, Manage risks, Manage assets, Support the support services

Risk register

The register's column titles are: L1, L2, L3, L, Ref, Process, Process Description, Key risk to process, Consequence of risk, Risk source, IRC, IRL, IRS, Last audit opinion, Last audit year, Gap, Adjusted inherent score factor, Adjusted inherent score, Process owner, Audit Group, Control, Monitoring control, Residual risks (consequence RRC, likelihood RRL, significance RRS), Last audit details (number, name, budget, actual, timing, auditor, final report target, final report achieved, result), Next audit details (number, name, budget, timing, auditor, status, final report target, final report achieved) and 2006 opinion on risk. In the example data the scoring columns are all 0, "Managing Director" is entered as process owner for the first three rows, and the audits carry Audit Group letters from A to CD. The populated text columns are shown below.

| Ref | Process | Process description | Key risk to process | Audit name |
|---|---|---|---|---|
| 1.1 | Decide strategy | The most senior management group (the "board") decide on the objectives of the organisation | The strategy does not anticipate customer demands | Organisation's strategy |
| 1.1 | Decide strategy | The most senior management group (the "board") decide on the objectives of the organisation | The strategy is too risk-averse | Organisation's strategy |
| 1.1 | Decide strategy | The most senior management group (the "board") decide on the objectives of the organisation | The objectives within the strategy are not clearly defined, financially justified or documented | Organisation's strategy |
| 1.2 | Communicate strategy | The objectives are communicated to all staff in a comprehensible form | Staff do not understand the objectives in relation to their own jobs | Organisation's strategy |
| 1.3 | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives | The action plan does not cover all objectives and does not consist of SMART targets addressed to senior management | Delivery of strategy |
| 1.3 | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives | The organisation has not got the resources to deliver the strategy | Delivery of strategy |
| 1.3 | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives | Major projects intended to deliver the strategy are late and/or over budget | (Projects are individually audited) |
| 1.4 | Maintain strategy | The strategy is regularly updated to take account of changing business conditions | All staff, including the Board, fail to maintain high ethical standards, which undermine the controls necessary to achieve the organisation's objectives, including that of ensuring compliance with laws and standards | Ethical guidelines |
| 1.4 | Maintain strategy | The strategy is regularly updated to take account of changing business conditions | Internal and external influences are not monitored to assess their impact on the strategy | Monitoring of external influences |
| 1.5 | Support strategy | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy | (Carried out within the above audits) |
| 2 | Research | | (Summary level) | |
| 2.1 | Define objectives | The objectives of the research processes are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Research strategy |
| 2.2 | Research products | Research the products, to be manufactured or purchased, which will achieve the organisation's objectives | The research does not identify the most effective products for achieving the objectives | Product research |
| 2.3 | Research markets | Research the market segments which will achieve the organisation's objectives | The research does not identify the most effective market segments for achieving the objectives | Market research |
| 2.4 | Research customers | Research the customer profile which will achieve the organisation's objectives | The research does not identify the most effective customer segments for achieving the objectives | Market research |
| 2.5 | Research locations | Research the locations, in-country and abroad, which will achieve the organisation's objectives | The research does not identify the most effective locations for achieving the objectives | Geographic research |
| 2.6 | Support research | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy | Research resource planning |
| 3 | Obtain, and fit out, premises | | (Summary level) | |
| 3.1 | Define objectives | The objectives of the processes for obtaining premises are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Location strategy |
| 3.2 | Obtain offices | Decide on the best locations for offices to house the support staff | The locations are not cost-effective, have insufficient staff in the vicinity and have poor communications | Locating offices |
| 3.3 | Obtain factories | Decide on the best locations for factories to manufacture products | The environment is not suitable for a factory, insufficient trained labour is available, property costs are too high | Locating factories |
| 3.4 | Obtain warehousing | Decide on the best location for premises to store goods | The buildings are not suitable for storing products, costs are too high and labour is not available | Locating warehouses |
| 3.5 | Obtain retail premises | Decide on the best location for shops | The locations are not cost-effective, have insufficient staff in the vicinity and are not near our target customers | Locating shops |
| 3.6 | Maintain premises | Premises are maintained to ensure safety, effectiveness and efficiency at all times | Poor maintenance results in injury to staff or customers | Maintenance of premises |
| 3.7 | Support obtaining premises | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy | Location resource planning |
| 4 | Purchase | | (Summary level) | |
| 4.1 | Define objectives | The objectives of the processes for purchasing are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Purchasing strategy |
| 4.2 | Purchase raw materials | Purchase items to manufacture goods | The purchased items are unsuitable, too expensive or delivered late | Purchasing for manufacture |
| 4.2 | Purchase raw materials | Purchase items to manufacture goods | A major supplier of a vital raw material, not obtainable elsewhere, is not able to deliver | Purchasing for manufacture |
| 4.3 | Purchase assets | Purchase fixed assets | Assets are not required, not suitable or too expensive | Purchase of assets |
| 4.4 | Purchase finished goods | Purchase goods for resale | Goods are not suitable, too expensive or delivered late | Purchase of goods for resale |
| 4.5 | Purchase expense goods and services | Purchase goods and services for the organisation | Goods or services are not suitable, too expensive or delivered late | Purchase of expense goods and services |
| 4.5 | Purchase expense goods and services | Purchase utilities for the organisation | Minimum prices for utilities are not negotiated | Purchase of expense goods and services |
| 4.6 | Support purchasing | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy | Purchase resource planning |
| 5 | Manufacture | | (Summary level) | |
| 5.1 | Define objectives | The objectives of the processes for manufacturing are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Manufacturing strategy |
| 5.2 | Design products | Products to be manufactured are designed | There is no market for the product. The product is too expensive to produce | Product design |
| 5.3 | Specify manufacturing | Specify how the products are to be manufactured | The method of manufacturing specified is inefficient | Manufacturing specification |
| 5.4 | Plan manufacturing | Plan the manufacturing schedule | The schedule produces the wrong goods at the wrong time | Scheduling manufacture |
| 5.5 | Manufacture | Make the goods | The goods are made inefficiently | Production accounting |
| 5.5 | Manufacture | Make the goods | New environmental legislation makes manufacturing process uneconomic | Environmental audit |
| 5.6 | Support manufacturing | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy | Manufacturing resource planning |
| 6 | Promote | | (Summary level) | |
| 6.1 | Define objectives for promotion | The objectives of the processes for promoting sales are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Selling strategy |
| 6.2 | Promote in-store | Promote goods in the retail stores through various offers | Promotions do not make a profit | Retail promotions |
| 6.3 | Promote to customers | Promote goods to resellers using offers | Promotions do not make a profit | Wholesale promotions |
| 6.4 | Advertise in papers | Advertise goods in newspapers and magazines | Promotions do not make a profit | Newspaper advertising |
| 6.5 | Advertise on TV | Advertise on television | Promotions do not make a profit | TV advertising |
| 6.7 | Support promotions | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy | Promotions resource planning |
| 7 | Supply | | (Summary level) | |
| 7.1 | Define objectives for supplying goods | The objectives of the processes for supplying goods are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Supply strategy |
| 7.2 | Store goods | Store goods in warehouses at stages of the supply chain | Goods are damaged, or lost | Warehouse operations |
| 7.3 | Distribute goods | Distribute goods between factories, warehouses, stores and customers | A strike of fuel suppliers brings transport in the UK to a stop | Distribution |
| 7.4 | Support supply | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy | Supply resource planning |
| 8 | Sell | | (Summary level) | |
| 8.1 | Define objectives for selling goods | The objectives of the processes for selling are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Selling strategy |
| 8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Fail to stock goods which the customers want to buy | Pricing |
| 8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Fail to anticipate the competition's initiatives to take a bigger market share | Pricing |
| 8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Prices are not competitive | Pricing |
| 8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Store layout confuses customers | Store planning |
| 8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Prices are incorrect | Price file maintenance |
| 8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | No stock for customers to buy | Stock control |
| 8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Higher minimum wage legislation makes some stores unprofitable | Store accounts |
| 8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Poor service/quality of goods leading to customer complaints | Store accounts |
| 8.3 | Sell to resellers | Sell goods to customers who will resell them | A major customer goes bankrupt | Accounts receivable |
| 8.3 | Sell to resellers | Sell goods to customers who will resell them | No stock for customers to buy | Stock control |
| 8.3 | Sell to resellers | Sell goods to customers who will resell them | Poor service/quality of goods leading to customer complaints | Stock control |
| 8.4 | Sell direct | Sell direct to the public. For example, through the internet | Poor service/quality of goods leading to customer complaints | Internet sales |
| 8.4 | Sell direct | Sell direct to the public. For example, through the internet | Fraudulent credit cards used | Internet sales |
| 8.4 | Sell direct | Sell direct to the public. For example, through the internet | No stock for customers to buy | Stock control |
| 8.4 | Sell direct | Sell direct to the public. For example, through the internet | Internet sites unavailable | Internet sales |
| 8.4 | Sell direct | Sell direct to the public. For example, through the internet | Goods are lost | Internet sales |
| 8.5 | Support selling | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy | Selling resource planning |
| 9 | Support | | (Summary level) | |
| 9.1 | Define objectives for supporting the organisation | The objectives of the processes for supporting the organisation are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Support strategy |
| 9.2 | Prepare management accounts | Collect the data from processed transactions into accounts for management to make decisions | Management accounts do not provide timely information on which to make decisions | Management accounting |
| 9.3 | Prepare financial accounts | Collect the data from processed transactions into accounts for statutory or tax purposes | Financial accounts are issued which do not comply with UK law | Financial accounting |
| 9.3 | Prepare financial accounts | Collect the data from processed transactions into accounts for statutory or tax purposes | The organisation is not prepared for the International Accounting Standards (IAS) | Project - IAS |
| 9.4 | Provide staff | Recruit staff and manage staff policies | High-calibre staff are not recruited and retained | Recruitment |
| 9.4 | Provide staff | Recruit staff and manage staff policies | Properly qualified staff are not available to take vacancies | Succession planning |
| 9.4 | Provide staff | Recruit staff and manage staff policies | Staff are not properly trained | Staff training |
| 9.4 | Provide staff | Recruit staff and manage staff policies | Staff successfully claim unfair dismissal | Staff policies |
| 9.5 | Provide systems | Provide systems, including computer systems, to support the organisation's operations | A virus brings down all computer systems for a week | Virus checking |
| 9.5 | Provide systems | Provide systems, including computer systems, to support the organisation's operations | Data is lost | Back-up procedures |
| 9.5 | Provide systems | Provide systems, including computer systems, to support the organisation's operations | Data or programs are corrupted | Access controls |
| 9.5 | Provide systems | Provide systems, including computer systems, to support the organisation's operations | Major hardware failure | IS contingency plans - hardware |
| 9.5 | Provide systems | Provide systems, including computer systems, to support the organisation's operations | Major network failure | IS contingency plans - communications |
| 9.6 | Process transactions | Process transactions (for example, purchases, payroll, sales) resulting from the organisation's operations | (Summary level) | |
| 9.6.1 | Process transactions purchases | Receive invoices, obtain approval for payment, pay for goods and services | Payment is made where the organisation has not received the goods or services at the price and quality ordered | Accounts payable |
| 9.6.2 | Process transactions retail sales | Receive cash and cash equivalents at the till, bank them and check all money is received | Cash taken at the till is not banked | Retail cash takings |
| 9.6.3 | Process transactions wholesale sales | Carry out credit checks before goods are despatched, issue invoices and receive payment for goods | Goods are sold to customers who cannot pay for them | Accounts receivable |
| 9.6.4 | Process transactions direct sales | Process the credit card payments before authorising despatch of the goods | Fail to pass transaction details to the credit card company | Internet sales |
| 9.6.5 | Process transactions manufacturing stock | Receive goods against the order, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock | Stock is incorrectly valued | Manufacturing stock |
| 9.6.6 | Process transactions wholesale stock | Receive goods from the factory, or supplier, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock | Stock is incorrectly valued | Wholesale stock |
| 9.6.7 | Process transactions store stock | Receive goods from the warehouse, update store stock records, sell the goods to customers, manage stock levels, minimise stock losses, account for stock | Stock is incorrectly valued | Retail stock |
| 9.6.8 | Process transactions payroll | Receive details of employees, their salary and working hours. Calculate pay based on these, less deductions. Pay over deductions | Receive incorrect data from stores on hours worked and new employees | Payroll |
| 9.6.9 | Process transactions personal expenses | Personal expenses (for travelling) are claimed, authorised and paid | Expenses were not incurred | Personal expenses |
| 9.6.10 | Process transactions fixed assets | Receive invoice details. Decide on whether to capitalise costs. Add assets to register. Attach depreciation data and calculate. | Revenue expenditure capitalised, or capital expenditure put to revenue | Fixed assets |
| 9.6.11 | Process transactions cash and bank | Receive cash transaction data for purchases, sales, payroll, personal expenses and other transactions. Reconcile these to transactions passing through the bank account. Follow-up differences | Differences not cleared | Bank and cash |
| 9.7 | Provide legal services | Advise all areas of the company concerning action to be taken on legislation | The impact of legislation is not anticipated which results in considerable costs | Provision of legal services |
| 9.8 | Provide tax services | Advise all areas of the company concerning action to be taken on tax legislation | Schemes to minimise tax are not used | Provision of tax services |
| 9.9 | Ensure quality | Ensure all goods sold meet the quality standards set by legislation and the organisation | Poor quality goods harm the organisation's reputation | Quality control |
| 9.10 | Ensure health & safety | Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers | A failure in H & S occurs which results in bad publicity and law suits | Health and safety |
| 9.11 | Manage the environment | Ensure the operations of the organisation obey all environmental laws and good practice | An environmental disaster occurs at one of the organisation's premises | Environmental |
| 9.12 | Ensure security | The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation | Confidential information is stolen | Site security |
| 9.12 | Ensure security | The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation | Offices are destroyed by fire | Contingency planning |
| 9.13 | Communicate | Inform internal and external stakeholders of the organisation's policies and intentions | The London Stock Exchange is given information which cannot be substantiated | Communications |
| 9.14 | Manage risks | Identify, evaluate and manage risks down to the level considered acceptable by the organisation | The external and internal risks threatening the objectives, and related processes, of the organisation are not understood or mitigated | Risk management |
| 9.15 | Manage the assets | Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives | Financial contracts are set up which open the company to significant losses | Treasury |
| 9.15 | Manage the assets | Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives | Working capital is not optimised | Working capital |
| 9.16 | Support the support functions | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy | Support resource planning |

Resource calculation (at the end of the "Next audit Budget" column)

If the audit budget shows only days for the audits due next year, then this calculation will show if the resources available are sufficient to complete all of the audits.

TOTAL: 0
Available auditors
Weekdays (auditors*52*5)
Holidays
Training
Projects
Secondments
Total available for above audits
Surplus/deficit

Risks and audit universe: column key

| Column | Meaning |
|---|---|
| L1 (Level 1 process) | Level 1 risk number. Corresponds to the Risk database. Name of process |
| L2 (Level 2 process) | Level 2 risk number. Corresponds to the Risk database. Name of process |
| L3 (Level 3 process) | Level 3 risk number. Name of process |
| Process | Title of the process |
| Process Description | A brief description of what the process does. Any more details should be filed in the audit file |
| Risk | The threat to the process. There may be several risks to one process, or one risk may threaten several processes |
| Risk source | Who identified the risk (management, risk workshop, auditor, meeting) |
| IRC | Inherent risk consequence score |
| IRL | Inherent risk likelihood score |
| IRS | Inherent risk scores multiplied (Inherent Risk Significance score) |
| Last audit result | Conclusion of last audit (acceptable/issues/unacceptable) |
| Last audit date | Year of the last audit |
| Adj factor | Factor applied to the IRS depending on how many years ago the last audit took place, and the result. (See www.internalaudit.biz) |
| Adj IRS | IRS x adj factor = adj IRS. Sorting on this score gives the priority order for the associated audits |
| Process owner | Who is (are) responsible for the process. Should be a senior manager/director |
| Audit Group | Letter(s) given in order to group several risks into one audit (if necessary). They will not necessarily be in order, as new risks, with associated audits, will be added and some may be removed |
| Control | Direct response to the risk |
| Monitoring control | Management's response to ensure the control is operating properly |
| RRC | Residual risk consequence score |
| RRL | Residual risk likelihood score |
| RRS | Residual risk scores multiplied |
| Last audit number | Unique number given to each audit. This is the number of the last audit to cover this risk |
| Audit name | Name given to the audit |
| Last audit Budget | Approximate number of auditor-days the audit should take. This aids resource planning |
| Last audit actual | Number of days the last audit actually required |
| Last timing | Months/year of last audit |
| Last auditor | Names of principal auditors |
| Last final report Target | Target date for producing report (from scope) |
| Last final report achieved | Date actually achieved for issuing final report |
| Last result | Conclusion of last audit (acceptable/issues/unacceptable) |
| Next audit number | Unique number given to each audit. This is the number of the next audit to cover this risk, if it has been allocated |
| Next audit name | Audit name. Will usually be the same as for the last audit, but could be different if this risk has been included in another audit |
| Next audit Budget | Approximate number of auditor-days the audit should take, based on last audit's actual time. This aids resource planning |
| Next timing | Expected quarter/year of next audit, if it can be allocated |
| Next auditor | Name(s) of auditors, if allocated |
| Status | Status of audit (Planning/fieldwork/reporting) when it is in progress |
| Next final report target | Target date for producing report (from scope) |
| Next final report Achieved | Actual date the final report was issued |
| 2006 opinion on risk | The opinion as to whether the risk was being properly managed |

(When the final report from "next audit", its details are moved into the "last audit" columns)

Audit: Purchasing and payment of expense goods and services

Advice on scoring risks (inherent and residual): 1 to 3 scale

| If the consequence when the risk occurs is: | OR the likelihood of the risk occurring is: | Then the measure is defined to be: |
|---|---|---|
| To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk > £100,000 | Almost certain | High (3) |
| To stop the organisation achieving its objectives for a limited period. Cash at risk < £100,000, > £5,000 | Possible | Medium (2) |
| To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk < £5,000 | Unlikely | Low (1) |

Values are an example only.
They should be agreed at board level as part of setting the risk appetite of the organisation Grading individual risks (residual) High (3) Likelihood of residual risk Supplementary Issue 3 3 Acceptable Low(1) 1 Acceptable 2 Acceptable 3 Acceptable Low(1) Medium (2) High (3) Consequence of residual risk Rare(1) Unlikely (2) Supplementary Issue 3 Possible (3) 2 Acceptable 4 Issue risk 6 Unacceptable risk Likelihood of residual risk 6 Unacceptable risk 9 Unacceptable risk Medium (2) Probable (4) Almost certain (5) Likeliho Likelihood Low(1) 1 Acceptable 2 Acceptable 3 Acceptable Low(1) Medium (2) High (3) Consequence of residual risk Risk score = Likelihood score X C Unacceptable: Immediate action required Issue: Action required to control the risk Supplementary issue: Action is advisable Acceptable: No action required Rare(1) Unlikely (2) Supplementary Issue 3 nd residual) 1 to 5 scale If the consequence when the OR the likelihood of risk occurs is: the risk occurring is: A catastrophic impact on the organisation, threatening its existence Almost certain Cash at risk> £1,000,000 To prevent the organisation Probable achieving all, or a major part, of its objectives for a long time. Cash at risk <£1,000,000 >£100,000 To stop the organisation achieving Possible its objectives for a limited period. Cash at risk <£100,000 >£30,000 To stop the organisation achieving Unlikely its objectives for a limited period. 
Cash at risk <£30,000 >£5,000 To cause minor inconvenience, not affecting the achievement of objectives Cash at risk <£5,000 Rare Probable (4) Almost certain (5) Likelihood of residual risk 9 acceptable risk 5 Supplementary Issue 10 Issue 15 Unacceptable 20 Unacceptable 25 Unacceptable 4 Acceptable 8 Supplementary Issue 12 Issue 16 Unacceptable 20 Unacceptable Possible (3) 6 acceptable risk Supplementary Issue 3 3 Acceptable 6 Supplementary Issue 9 Issue 12 Issue 15 Unacceptable Unlikely (2) 2 Acceptable 4 Acceptable 6 Supplementary Issue 8 Supplementary Issue 10 Issue 3 ptable Rare(1) 1 Acceptable 2 Acceptable 3 Acceptable 4 Acceptable 5 Supplementary Issue High (3) risk Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5) Likelihood Unlikely (2) Supplementary Issue 3 2 Acceptable 4 Acceptable 6 Supplementary Issue 8 Supplementary Issue 10 Issue 3 ptable Rare(1) 1 Acceptable 2 Acceptable 3 Acceptable 4 Acceptable 5 Supplementary Issue High (3) risk Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5) Consequence of residual risk isk score = Likelihood score X Consequence score nacceptable: Immediate action required to control the risk sue: Action required to control the risk upplementary issue: Action is advisable if it is cost-effective cceptable: No action required Then the measure is defined to be: Catatrophic (5) Major (2) Moderate (2) Minor (2) Insignificant (1) 15 20 Unacceptable 25 Unacceptable nacceptable 12 Issue 16 Unacceptable 20 Unacceptable 9 Issue 12 Issue 15 Unacceptable 6 8 Supplementary Issue pplementary Issue 10 Issue 3 cceptable 4 Acceptable 5 Supplementary Issue Moderate (3) Major (4) Catastrophic (5) 6 8 Supplementary Issue pplementary Issue 10 Issue 3 cceptable 4 Acceptable 5 Supplementary Issue Moderate (3) Major (4) Catastrophic (5) e of residual risk Risks register and audit plan Level 2 and 3 processes Purchase Define objectives Purchase raw materials Purchase assets Purchase finished Decide strategy Define 
objectives Define objectives Communicate strategy Deliver strategy Maintain strategy Support strategy Support purchase raw materials Support purchase assets Support purchase Purchase finished goods Purchase expense goods Support Define objectives Define objectives Define objectives Set up vendors Process transactions Set up items Provide systems Requistion goods and services Prepare management accounts Place order Prepare financial accounts Support purchase finshed goods Receive goods Provide staff Return goods Provide legal services Support purchase expense goods Provide tax services Ensure quality Ensure health & safety Manage the environment Ensure security Communicate
