Risk register and audit plan
8/12/2008 6:59 PM
Risks register and audit Universe (RAU)
Last updated 21 November 2005
Purpose
The purpose of this spreadsheet is to demonstrate how a list of risks can be used to generate an audit plan. IIA Standard 2010.A1 states, "The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process."

The starting point: lists of risks from many people in the organisation at various levels.
The end point: a list of all the audits (the "audit universe") necessary to check that all risks are mitigated by internal controls. These audits are to be scored in order to indicate their priority.

To understand the way this risk register is used, you need to visit www.internalaudit.biz. This is not a "Best Practice" guide but an example, which you must change to fit your organisation.
The process map
In order to produce an audit plan from a list of risks, the first task is to group the risks. I believe this is best done by linking them to the processes which any organisation needs in order to fulfil its objectives. The advantage of linking risks to processes is that audits also involve processes. Hence, by identifying all important processes, it should be possible to ensure a complete list of the audits required (the "audit universe").

Do not confuse this approach with "process based" or "systems based" auditing. Processes in risk based auditing are used only for convenience. Risks drive the audit plan and the individual audits. If you have a risk with no process, go and set up a new process!

Processes are the means to achieve the organisation's objectives. They do not necessarily represent actual departments and could be outsourced. It is important to concentrate on the theoretical processes required, since the actual processes may have weaknesses or omissions.
©David M Griffiths
Processes are arranged in a hierarchy (like an organisation chart), with each process being split into more detail. The first level of processes is known as level 1, and these are split into more detailed processes at level 2. It is usually possible to plan audits at this level. Processes are split further in the audit, and the more detailed risks and controls are linked to these. The advantage of this approach is that it avoids having a huge database.

Each level has "Define objectives" at the start and "Support" at the end. There is a need to define the objectives of any set of processes, even if it is only to set targets. "Support" refers to the support directly required by the processes at that level. The example will give you more of an idea.

The processes in this spreadsheet are for a company which manufactures goods and sells them through its own shops, to resellers (wholesalers) or direct to the public.
The risk register
The process maps are used to set up the risk register, where risks are linked to processes. Each box on the process map has a row. This enables risks to be attached to processes at each level, and each level to have a risk score, which is useful in summarising the risk scores for levels 1 and 2. (This format is slightly different to that used in www.internalaudit.biz.)

Several risks may be linked to one process, or several processes to one risk. If you have a process with no risks, you may need to ask management whether risks do exist in this area. If you have risks but no process, you need to add a process. Do NOT drop risks because they don't fit neatly into your map!

The risk register will be constantly updated with new risks, as they occur to me or as my research reveals them. It can never be complete. The important point for your risk register is that it gives you a complete "audit universe". It is these audits which need to identify all the key risks in order to assess the controls which mitigate them.

The last columns in the register show details of the last audit of that risk and the next audit planned. This enables the register to be used as an audit planning tool: by sorting and filtering the database, an annual audit plan can be produced. A calculation at the end of the "next audit budget" column will show whether sufficient resources are available. The register has one line of titles, so that it can be used as a database (sorted, filtered, reports produced).

I intend to produce example audit databases (audit programmes) for many of the audits in the risk register. See www.internalaudit.biz for more details.
Some audit work may be duplicated. For example, "Transaction processing - purchasing goods for resale" may have some audit work which also appears in the support processes for "Purchase of goods for resale". This is not necessarily bad, as it may cover important areas in slightly different ways.

You may have many risks against one process at level 2. If this is the case, split the process to give processes at level 3. See 9.6 - Process transactions.

Certain major areas of risk, such as health & safety, the environment and quality control, only have one entry each. The level of detail will depend on the responsibilities of the internal audit department. It is assumed that these areas are covered by other specialists, and the audit would be concerned with the proper operation and reporting of these functions.
The following notes are tips when considering risks:
When wording risks, try not to make them just the failure to deliver a process. For example, if the process is "Pay invoices", the risk is not "Fail to pay invoices". However, one risk would be "Invoices not selected for payment".

More importantly, risks should not be the absence of a control. For example, the risk "Invoices are not authorised" presupposes a control. The risk is "Invoices may be paid for goods or services not required"; the control is "All invoices are authorised by a senior manager".
Worksheets
There are 6 worksheets in this spreadsheet:
    Introduction
    Process map
    Risk register
    Column key
    Scoring risks
    Process map for purchases
Language
I have used UK English for the risk register. Variations from US English include:
    Supplier = Vendor
    Purchase = Procure
    Cheque = Check
I have used the term "accounts payable" for purchase ledger, since this is now common in the UK.

All sheets copyright David M Griffiths. Not to be copied or distributed without acknowledging the author, or in conjunction with a commercial product.
Level 1 and 2 processes

The process map shows nine level 1 processes, each split into the level 2 processes listed under it:

Organisation's objectives
    Define objectives
    Decide strategy
    Communicate strategy
    Deliver strategy
    Maintain strategy
    Support strategy
Research
    Define objectives
    Research products
    Research markets
    Research customers
    Research locations
    Support research
Obtain premises
    Define objectives
    Obtain offices
    Obtain factories
    Obtain warehousing
    Obtain retail premises
    Support obtaining premises
Purchase
    Define objectives
    Purchase raw materials
    Purchase assets
    Purchase finished goods
    Purchase expense goods
    Support purchasing
Manufacture
    Define objectives
    Design products
    Specify manufacturing
    Plan manufacturing
    Manufacture
    Support manufacturing
Promote
    Define objectives
    Promote in-store
    Promote to customers
    Advertise in papers
    Advertise on TV
    Support promotions
Supply
    Define objectives
    Store goods
    Distribute goods
    Support distribution
Sell
    Define objectives
    Sell in stores
    Sell to resellers
    Sell direct
    Support sales
Support
    Define objectives
    Process transactions
    Provide systems
    Prepare management accounts
    Prepare financial accounts
    Provide staff
    Provide legal services
    Provide tax services
    Ensure quality
    Ensure health & safety
    Manage the environment
    Ensure security
    Communicate
    Manage risks
    Manage assets
    Support the support services
Risk register

Each row links one risk to one process. Ref is the process number (level 1.level 2.level 3); level 1 rows carry no description or risk. The columns reproduced here are Ref, Process, Description, Key risk to process and Last audit name. The sheet's other columns (risk source; IRC, IRL and IRS; last audit opinion and year; adjustment factor and adjusted score; control and monitoring control; residual risk scores RRC, RRL and RRS; last and next audit number, budget, actual, timing, auditor, report target and achieved dates; status; 2006 opinion on risk) contain only zeros or are blank in this template, except that the process owner is "Managing Director" for the three 1.1 rows, and each row carries an audit group letter (A to CD) that groups several risks into one audit.

Ref | Process | Description | Key risk to process | Last audit name
--- | --- | --- | --- | ---
1.1 | Decide strategy | The most senior management group (the "board") decide on the objectives of the organisation | The strategy does not anticipate customer demands | Organisation's strategy
1.1 | Decide strategy | The most senior management group (the "board") decide on the objectives of the organisation | The strategy is too risk-averse | Organisation's strategy
1.1 | Decide strategy | The most senior management group (the "board") decide on the objectives of the organisation | The objectives within the strategy are not clearly defined, financially justified or documented | Organisation's strategy
1.2 | Communicate strategy | The objectives are communicated to all staff in a comprehensible form | Staff do not understand the objectives in relation to their own jobs | Organisation's strategy
1.3 | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives | The action plan does not cover all objectives and does not consist of SMART targets addressed to senior management | Delivery of strategy
1.3 | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives | The organisation has not got the resources to deliver the strategy | Delivery of strategy
1.3 | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives | Major projects intended to deliver the strategy are late and/or over budget | (Projects are individually audited)
1.4 | Maintain strategy | The strategy is regularly updated to take account of changing business conditions | All staff, including the Board, fail to maintain high ethical standards, which undermines the controls necessary to achieve the organisation's objectives, including that of ensuring compliance with laws and standards | Ethical guidelines
1.4 | Maintain strategy | The strategy is regularly updated to take account of changing business conditions | Internal and external influences are not monitored to assess their impact on the strategy | Monitoring of external influences
1.5 | Support strategy | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy (summary level) | (Carried out within the above audits)
2 | Research | | |
2.1 | Define objectives | The objectives of the research processes are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Research strategy
2.2 | Research products | Research the products, to be manufactured or purchased, which will achieve the organisation's objectives | The research does not identify the most effective products for achieving the objectives | Product research
2.3 | Research markets | Research the market segments which will achieve the organisation's objectives | The research does not identify the most effective market segments for achieving the objectives | Market research
2.4 | Research customers | Research the customer profile which will achieve the organisation's objectives | The research does not identify the most effective customer segments for achieving the objectives | Market research
2.5 | Research locations | Research the locations, in-country and abroad, which will achieve the organisation's objectives | The research does not identify the most effective locations for achieving the objectives | Geographic research
2.6 | Support research | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy (summary level) | Research resource planning
3 | Obtain, and fit out, premises | | |
3.1 | Define objectives | The objectives of the processes for obtaining premises are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Location strategy
3.2 | Obtain offices | Decide on the best locations for offices to house the support staff | The locations are not cost-effective, have insufficient staff in the vicinity and have poor communications | Locating offices
3.3 | Obtain factories | Decide on the best locations for factories to manufacture products | The environment is not suitable for a factory, insufficient trained labour is available, property costs are too high | Locating factories
3.4 | Obtain warehousing | Decide on the best location for premises to store goods | The buildings are not suitable for storing products, costs are too high and labour is not available | Locating warehouses
3.5 | Obtain retail premises | Decide on the best location for shops | The locations are not cost-effective, have insufficient staff in the vicinity and are not near our target customers | Locating shops
3.6 | Maintain premises | Premises are maintained to ensure safety, effectiveness and efficiency at all times | Poor maintenance results in injury to staff or customers | Maintenance of premises
3.7 | Support obtaining premises | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy (summary level) | Location resource planning
4 | Purchase | | |
4.1 | Define objectives | The objectives of the processes for purchasing are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Purchasing strategy
4.2 | Purchase raw materials | Purchase items to manufacture goods | The purchased items are unsuitable, too expensive or delivered late | Purchasing for manufacture
4.2 | Purchase raw materials | Purchase items to manufacture goods | A major supplier of a vital raw material, not obtainable elsewhere, is not able to deliver | Purchasing for manufacture
4.3 | Purchase assets | Purchase fixed assets | Assets are not required, not suitable or too expensive | Purchase of assets
4.4 | Purchase finished goods | Purchase goods for resale | Goods are not suitable, too expensive or delivered late | Purchase of goods for resale
4.5 | Purchase expense goods and services | Purchase goods and services for the organisation | Goods or services are not suitable, too expensive or delivered late | Purchase of expense goods and services
4.5 | Purchase expense goods and services | Purchase utilities for the organisation | Minimum prices for utilities are not negotiated | Purchase of expense goods and services
4.6 | Support purchasing | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy (summary level) | Purchase resource planning
5 | Manufacture | | |
5.1 | Define objectives | The objectives of the processes for manufacturing are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Manufacturing strategy
5.2 | Design products | Products to be manufactured are designed | There is no market for the product. The product is too expensive to produce | Product design
5.3 | Specify manufacturing | Specify how the products are to be manufactured | The method of manufacturing specified is inefficient | Manufacturing specification
5.4 | Plan manufacturing | Plan the manufacturing schedule | The schedule produces the wrong goods at the wrong time | Scheduling manufacture
5.5 | Manufacture | Make the goods | The goods are made inefficiently | Production accounting
5.5 | Manufacture | Make the goods | New environmental legislation makes the manufacturing process uneconomic | Environmental audit
5.6 | Support manufacturing | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy (summary level) | Manufacturing resource planning
6 | Promote | | |
6.1 | Define objectives for promotion | The objectives of the processes for promoting sales are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Selling strategy
6.2 | Promote in-store | Promote goods in the retail stores through various offers | Promotions do not make a profit | Retail promotions
6.3 | Promote to customers | Promote goods to resellers using offers | Promotions do not make a profit | Wholesale promotions
6.4 | Advertise in papers | Advertise goods in newspapers and magazines | Promotions do not make a profit | Newspaper advertising
6.5 | Advertise on TV | Advertise on television | Promotions do not make a profit | TV advertising
6.7 | Support promotions | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy (summary level) | Promotions resource planning
7 | Supply | | |
7.1 | Define objectives for supplying goods | The objectives of the processes for supplying goods are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Supply strategy
7.2 | Store goods | Store goods in warehouses at stages of the supply chain | Goods are damaged, or lost | Warehouse operations
7.3 | Distribute goods | Distribute goods between factories, warehouses, stores and customers | A strike of fuel suppliers brings transport in the UK to a stop | Distribution
7.4 | Support supply | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy (summary level) | Supply resource planning
8 | Sell | | |
8.1 | Define objectives for selling goods | The objectives of the processes for selling are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Selling strategy
8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Fail to stock goods which the customers want to buy | Pricing
8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Fail to anticipate the competition's initiatives to take a bigger market share | Pricing
8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Prices are not competitive | Pricing
8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Store layout confuses customers | Store planning
8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Prices are incorrect | Price file maintenance
8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | No stock for customers to buy | Stock control
8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Higher minimum wage legislation makes some stores unprofitable | Store accounts
8.2 | Sell in stores | Sell goods in stores operated by the organisation, or franchised | Poor service/quality of goods leading to customer complaints | Store accounts
8.3 | Sell to resellers | Sell goods to customers who will resell them | A major customer goes bankrupt | Accounts receivable
8.3 | Sell to resellers | Sell goods to customers who will resell them | No stock for customers to buy | Stock control
8.3 | Sell to resellers | Sell goods to customers who will resell them | Poor service/quality of goods leading to customer complaints | Stock control
8.4 | Sell direct | Sell direct to the public. For example, through the internet | Poor service/quality of goods leading to customer complaints | Internet sales
8.4 | Sell direct | Sell direct to the public. For example, through the internet | Fraudulent credit cards used | Internet sales
8.4 | Sell direct | Sell direct to the public. For example, through the internet | No stock for customers to buy | Stock control
8.4 | Sell direct | Sell direct to the public. For example, through the internet | Internet sites unavailable | Internet sales
8.4 | Sell direct | Sell direct to the public. For example, through the internet | Goods are lost | Internet sales
8.5 | Support selling | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy (summary level) | Selling resource planning
9 | Support | | |
9.1 | Define objectives for supporting the organisation | The objectives of the processes for supporting the organisation are defined | The objectives will not deliver the organisation's objectives effectively and efficiently | Support strategy
9.2 | Prepare management accounts | Collect the data from processed transactions into accounts for management to make decisions | Management accounts do not provide timely information on which to make decisions | Management accounting
9.3 | Prepare financial accounts | Collect the data from processed transactions into accounts for statutory or tax purposes | Financial accounts are issued which do not comply with UK law | Financial accounting
9.3 | Prepare financial accounts | Collect the data from processed transactions into accounts for statutory or tax purposes | The organisation is not prepared for the International Accounting Standards (IAS) | Project - IAS
9.4 | Provide staff | Recruit staff and manage staff policies | High-calibre staff are not recruited and retained | Recruitment
9.4 | Provide staff | Recruit staff and manage staff policies | Properly qualified staff are not available to take vacancies | Succession planning
9.4 | Provide staff | Recruit staff and manage staff policies | Staff are not properly trained | Staff training
9.4 | Provide staff | Recruit staff and manage staff policies | Staff successfully claim unfair dismissal | Staff policies
9.5 | Provide systems | Provide systems, including computer systems, to support the organisation's operations | A virus brings down all computer systems for a week | Virus checking
9.5 | Provide systems | Provide systems, including computer systems, to support the organisation's operations | Data is lost | Back-up procedures
9.5 | Provide systems | Provide systems, including computer systems, to support the organisation's operations | Data or programs are corrupted | Access controls
9.5 | Provide systems | Provide systems, including computer systems, to support the organisation's operations | Major hardware failure | IS contingency plans - hardware
9.5 | Provide systems | Provide systems, including computer systems, to support the organisation's operations | Major network failure | IS contingency plans - communications
9.6 | Process transactions | Process transactions (for example, purchases, payroll, sales) resulting from the organisation's operations | |
9.6.1 | Process transactions purchases | Receive invoices, obtain approval for payment, pay for goods and services | Payment is made where the organisation has not received the goods or services at the price and quality ordered | Accounts payable
9.6.2 | Process transactions retail sales | Receive cash and cash equivalents at the till, bank them and check all money is received | Cash taken at the till is not banked | Retail cash takings
9.6.3 | Process transactions wholesale sales | Carry out credit checks before goods are despatched, issue invoices and receive payment for goods | Goods are sold to customers who cannot pay for them | Accounts receivable
9.6.4 | Process transactions direct sales | Process the credit card payments before authorising despatch of the goods | Fail to pass transaction details to the credit card company | Internet sales
9.6.5 | Process transactions manufacturing stock | Receive goods against the order, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock | Stock is incorrectly valued | Manufacturing stock
9.6.6 | Process transactions wholesale stock | Receive goods from the factory, or supplier, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock | Stock is incorrectly valued | Wholesale stock
9.6.7 | Process transactions store stock | Receive goods from the warehouse, update store stock records, sell the goods to customers, manage stock levels, minimise stock losses, account for stock | Stock is incorrectly valued | Retail stock
9.6.8 | Process transactions payroll | Receive details of employees, their salary and working hours. Calculate pay based on these, less deductions. Pay over deductions | Receive incorrect data from stores on hours worked and new employees | Payroll
9.6.9 | Process transactions personal expenses | Personal expenses (for travelling) are claimed, authorised and paid | Expenses were not incurred | Personal expenses
9.6.10 | Process transactions fixed assets | Receive invoice details. Decide on whether to capitalise costs. Add assets to register. Attach depreciation data and calculate | Revenue expenditure capitalised, or capital expenditure put to revenue | Fixed assets
9.6.11 | Process transactions cash and bank | Receive cash transaction data for purchases, sales, payroll, personal expenses and other transactions. Reconcile these to transactions passing through the bank account. Follow up differences | Differences not cleared | Bank and cash
9.7 | Provide legal services | Advise all areas of the company concerning action to be taken on legislation | The impact of legislation is not anticipated, which results in considerable costs | Provision of legal services
9.8 | Provide tax services | Advise all areas of the company concerning action to be taken on tax legislation | Schemes to minimise tax are not used | Provision of tax services
9.9 | Ensure quality | Ensure all goods sold meet the quality standards set by legislation and the organisation | Poor quality goods harm the organisation's reputation | Quality control
9.10 | Ensure health & safety | Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers | A failure in H & S occurs which results in bad publicity and law suits | Health and safety
9.11 | Manage the environment | Ensure the operations of the organisation obey all environmental laws and good practice | An environmental disaster occurs at one of the organisation's premises | Environmental
9.12 | Ensure security | The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation | Confidential information is stolen | Site security
9.12 | Ensure security | The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation | Offices are destroyed by fire | Contingency planning
9.13 | Communicate | Inform internal and external stakeholders of the organisation's policies and intentions | The London Stock Exchange is given information which cannot be substantiated | Communications
9.14 | Manage risks | Identify, evaluate and manage risks down to the level considered acceptable by the organisation | The external and internal risks threatening the objectives, and related processes, of the organisation are not understood or mitigated | Risk management
9.15 | Manage the assets | Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives | Financial contracts are set up which open the company to significant losses | Treasury
9.15 | Manage the assets | Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives | Working capital is not optimised | Working capital
9.16 | Support the support functions | Resources are made available to carry out the above processes | The resources required are not understood or are not sufficient to deliver the strategy | Support resource planning

Audit budget check

If the audit budget shows only days for the audits due next year, then this calculation will show if the resources available are sufficient to complete all of the audits. The calculation sits at the foot of the "next audit budget" column:

TOTAL (next audit budget for all audits): 0
Available auditors:
Weekdays (auditors*52*5):
Holidays:
Training:
Projects:
Secondments:
Total available for above audits: 0
Surplus/deficit: 0
Risks and audit universe: column key

Process and risk
L1: Level 1 risk number. Corresponds to the Risk database.
Level 1 process: Name of the level 1 process.
L2: Level 2 risk number. Corresponds to the Risk database.
Level 2 process: Name of the level 2 process.
L3: Level 3 risk number.
Level 3 process: Name of the level 3 process.
Process: Title of the process.
Process description: A brief description of what the process does. Any more details should be filed in the audit file.
Risk: The threat to the process. There may be several risks to one process, or one risk may threaten several processes.
Risk source: Who identified the risk (management, risk workshop, auditor, meeting).
IRC: Inherent risk consequence score.
IRL: Inherent risk likelihood score.
IRS: Inherent risk significance score, the inherent risk scores multiplied (IRC x IRL).
Last audit result: Conclusion of the last audit (acceptable/issues/unacceptable).
Last audit date: Year of the last audit.
Adj factor: Factor applied to the IRS depending on how many years ago the last audit took place, and its result (see www.internalaudit.biz).
Adj IRS: IRS x adj factor. Sorting on this score gives the priority order for the associated audits.
Process owner: Who is (are) responsible for the process. Should be a senior manager/director.
Audit group: Letter(s) given in order to group several risks into one audit (if necessary). They will not necessarily be in order, as new risks, with associated audits, will be added and some may be removed.
Control: Direct response to the risk.
Monitoring control: Management's response to ensure the control is operating properly.
RRC: Residual risk consequence score.
RRL: Residual risk likelihood score.
RRS: Residual risk scores multiplied (RRC x RRL).

Last audit
Last audit number: Unique number given to each audit. This is the number of the last audit to cover this risk.
Audit name: Name given to the audit.
Last audit budget: Approximate number of auditor-days the audit should take. This aids resource planning.
Last audit actual: Number of days the last audit actually required.
Last timing: Month/year of the last audit.
Last auditor: Names of the principal auditors.
Last final report target: Target date for producing the report (from the scope).
Final report achieved: Date the final report was actually issued.
Last result: Conclusion of the last audit (acceptable/issues/unacceptable).

Current/Next audit
Next audit number: Unique number given to each audit. This is the number of the next audit to cover this risk, if it has been allocated.
Next audit name: Audit name. Will usually be the same as for the last audit, but could be different if this risk has been included in another audit.
Next audit budget: Approximate number of auditor-days the audit should take, based on the last audit's actual time. This aids resource planning.
Next timing: Expected quarter/year of the next audit, if it can be allocated.
Next auditor: Name(s) of the auditors, if allocated.
Status: Status of the audit (planning/fieldwork/reporting) while it is in progress.
Next final report target: Target date for producing the report (from the scope).
Next final report achieved: Actual date the final report was issued.
2006 opinion on risk: The opinion as to whether the risk was being properly managed.
When the final report from the "next audit" has been issued, its details are moved into the "last audit" columns.
Audit: Purchasing and payment of expense goods and services
Advice on scoring risks (inherent and residual)

Score each risk twice: on the consequence if the risk occurs, and on the likelihood of it occurring. The same scale is used for inherent and residual scores. Two scales are shown; pick one and use it consistently.

1 to 3 scale
If the consequence when the risk occurs is ... OR the likelihood of the risk occurring is ... then the measure is defined to be:
Consequence: To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk > £100,000 | Likelihood: Almost certain | Measure: High (3)
Consequence: To stop the organisation achieving its objectives for a limited period. Cash at risk £5,000 | Likelihood: Possible | Measure: 2
Consequence: To cause minor inconvenience, not affecting the achievement of objectives | Measure: 1

1 to 5 scale
If the consequence when the risk occurs is ... OR the likelihood of the risk occurring is ... then the measure is defined to be:
Consequence: Cash at risk £1,000,000 | Likelihood: Almost certain | Measure: Catastrophic (5)
Consequence: To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk £100,000 | Likelihood: Probable | Measure: Major (4)
Consequence: To stop the organisation achieving its objectives for a limited period. Cash at risk £30,000 | Likelihood: Possible | Measure: Moderate (3)
Consequence: To stop the organisation achieving its objectives for a limited period. Cash at risk £5,000 | Likelihood: Unlikely | Measure: Minor (2)
Consequence: To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk < £5,000 | Likelihood: Rare | Measure: Insignificant (1)

Residual risk matrix
Risk score = Likelihood score x Consequence score. Rows are the likelihood of the residual risk, columns the consequence of the residual risk.

Likelihood \ Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost certain (5) | 5 Supplementary issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable
Probable (4) | 4 Acceptable | 8 Supplementary issue | 12 Issue | 16 Unacceptable | 20 Unacceptable
Possible (3) | 3 Acceptable | 6 Supplementary issue | 9 Issue | 12 Issue | 15 Unacceptable
Unlikely (2) | 2 Acceptable | 4 Acceptable | 6 Supplementary issue | 8 Supplementary issue | 10 Issue
Rare (1) | 1 Acceptable | 2 Acceptable | 3 Acceptable | 4 Acceptable | 5 Supplementary issue

Key to the bands (scores 1 to 4, 5 to 8, 9 to 12 and 15 to 25):
Unacceptable: Immediate action required to control the risk
Issue: Action required to control the risk
Supplementary issue: Action is advisable if it is cost-effective
Acceptable: No action required
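As an added worked example, not part of the original spreadsheet, the following Python scores a small constructed register on the 1 to 5 scale, bands the residual scores with the matrix above, applies an adjustment factor to the inherent score to put the audits in priority order (the "Adj IRS" column), and runs the resource-planning sum (auditors x 52 x 5, less holidays, training, projects and secondments, against the total audit budget). The adjustment-factor values, the sample risks and the helper names are assumptions made here; the real factor table is on www.internalaudit.biz and is not reproduced on this page.

```python
from dataclasses import dataclass
from typing import Optional


def band(score: int) -> str:
    """Action band for a risk score, as in the residual risk matrix:
    1-4 Acceptable, 5-8 Supplementary issue, 9-12 Issue, 15-25 Unacceptable."""
    if not 1 <= score <= 25:
        raise ValueError(f"score out of range: {score}")
    if score >= 15:
        return "Unacceptable"
    if score >= 9:
        return "Issue"
    if score >= 5:
        return "Supplementary issue"
    return "Acceptable"


def risk_score(likelihood: int, consequence: int) -> int:
    """Risk score = likelihood score x consequence score, each on the 1 to 5 scale."""
    for v in (likelihood, consequence):
        if not 1 <= v <= 5:
            raise ValueError(f"scores must be 1..5, got {v}")
    return likelihood * consequence


def adj_factor(years_since_last: Optional[int], last_result: Optional[str]) -> float:
    """ASSUMED adjustment factors (not the page's table): the worse the last
    result and the longer ago the audit, the more the inherent score is raised."""
    if years_since_last is None:          # never audited: treat as overdue
        return 1.5
    base = {"acceptable": 1.0, "issues": 1.2, "unacceptable": 1.5}[last_result]
    return base + 0.1 * max(0, years_since_last - 1)


@dataclass
class Risk:
    process: str
    risk: str
    irl: int            # inherent risk likelihood (IRL)
    irc: int            # inherent risk consequence (IRC)
    rrl: int            # residual risk likelihood (RRL)
    rrc: int            # residual risk consequence (RRC)
    audit_group: str    # letter grouping several risks into one audit
    audit_name: str
    budget_days: int    # auditor-days the audit is expected to take
    last_audit_year: Optional[int] = None
    last_result: Optional[str] = None

    @property
    def irs(self) -> int:
        return risk_score(self.irl, self.irc)

    @property
    def rrs(self) -> int:
        return risk_score(self.rrl, self.rrc)

    def adj_irs(self, plan_year: int) -> float:
        years = None if self.last_audit_year is None else plan_year - self.last_audit_year
        return round(self.irs * adj_factor(years, self.last_result), 2)


def build_audit_plan(risks: list, plan_year: int) -> list:
    """Group risks by audit group, score each audit by the highest adjusted IRS
    among its risks, and return the audits in priority order (highest first).
    The budget is a property of the audit and is taken from the first risk in the group."""
    audits = {}
    for r in risks:
        a = audits.setdefault(r.audit_group, {"group": r.audit_group, "name": r.audit_name,
                                              "budget_days": r.budget_days, "adj_irs": 0.0,
                                              "risks": []})
        a["adj_irs"] = max(a["adj_irs"], r.adj_irs(plan_year))
        a["risks"].append((r.risk, band(r.rrs)))   # residual band drives management action
    return sorted(audits.values(), key=lambda a: a["adj_irs"], reverse=True)


def resource_check(plan: list, auditors: int, holidays: int, training: int,
                   projects: int, secondments: int) -> tuple:
    """The page's resource-planning sum: weekdays = auditors x 52 x 5, less non-audit
    days, compared with the budget of all planned audits. Returns (available, needed, surplus)."""
    available = auditors * 52 * 5 - (holidays + training + projects + secondments)
    needed = sum(a["budget_days"] for a in plan)
    return available, needed, available - needed


# Constructed sample register (hypothetical risks against processes named on the page).
SAMPLE_RISKS = [
    Risk("Place order", "Orders placed with unapproved vendors", 4, 4, 2, 4, "A",
         "Purchasing and payment of expense goods and services", 15, 2004, "issues"),
    Risk("Receive goods", "Goods paid for but not received", 3, 4, 2, 3, "A",
         "Purchasing and payment of expense goods and services", 15, 2004, "issues"),
    Risk("Provide systems", "Loss of key systems with no tested recovery", 2, 5, 1, 5, "B",
         "Contingency planning", 10, None, None),
    Risk("Ensure security", "Unauthorised access to site and assets", 3, 3, 2, 2, "C",
         "Site security", 8, 2005, "acceptable"),
]

if __name__ == "__main__":
    plan = build_audit_plan(SAMPLE_RISKS, plan_year=2006)
    for a in plan:
        print(f"{a['group']} {a['adj_irs']:5.1f} {a['budget_days']:3d}d  {a['name']}: {a['risks']}")
    print("available, needed, surplus:", resource_check(plan, 1, 25, 5, 200, 0))
```

Sorting on the adjusted inherent score, rather than the residual score, is deliberate: the audit plan exists to check that the controls are actually working, so a risk whose controls were last confirmed long ago, or were found wanting, rises up the order even if management believes the residual risk is low. The residual band is still reported per risk because that is what decides whether management must act.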
Risks register and audit plan
Level 2 and 3 processes

Decide strategy (level 1)
    Define objectives
    Communicate strategy
    Deliver strategy
    Maintain strategy
    Support strategy

Purchase (level 1)
    Define objectives
    Purchase raw materials (ending with Support purchase raw materials)
    Purchase assets (ending with Support purchase assets)
    Purchase finished goods (ending with Support purchase finished goods)
    Purchase expense goods (ending with Support purchase expense goods)
    Support purchase

Purchase expense goods (level 3 processes)
    Define objectives
    Set up vendors
    Set up items
    Requisition goods and services
    Place order
    Receive goods
    Return goods
    Support purchase expense goods

Support (level 1)
    Define objectives
    Process transactions
    Provide systems
    Prepare management accounts
    Prepare financial accounts
    Provide staff
    Provide legal services
    Provide tax services
    Ensure quality
    Ensure health & safety
    Manage the environment
    Ensure security
    Communicate