Risk based internal auditing - an introduction
This file last updated 15 January 2006 © D M Griffiths 2005-2006
www.internalaudit.biz
This group of databases, in spreadsheet format, is intended for use with the book 'Risk based internal auditing - an introduction', which can be downloaded from www.internalaudit.biz. The letters refer to appendices in this book. Because of the work involved I haven't managed to complete all of the fields in the database, but sufficient to provide an example.

The databases are:

F: The organisation's risk register as prepared by the management. It is in the order of the processes needed to deliver the organisation's objectives.
G: The risk and audit universe (RAU) - planning, which is the risk register with the risks linked to audits and the results of previous audits added, in order to calculate an adjusted inherent risk score.
H: Appendix G with full details of the last and planned audits added, sorted by the adjusted inherent risk score to provide an audit plan for 2006. This is the working risk and audit universe, which is regularly updated. (When sorting this database use row 6 for the column titles.)
I: The quarterly plan for the internal audit activity.
K: The database for an individual audit, in order of the processes included.

In addition, spreadsheets also included:

Column key: provides a description of the contents of each column.
Risk identification: hints about determining risks.

See www.internalaudit.biz for other resources, including an internal audit manual for RBIA.
F Risk register

Columns: Level 1 process (L1), Level 2 / Level 3 process (L2 / L3), Process description, Risk, Consequence of risk, Risk source, Inherent risk consequence (Cons.) and likelihood (Like.). The risk source for processes 1.x is the risk workshop with directors; for processes 2.x and 3.x it is the risk workshop with the Aid director and her staff.

| L1 process | L2 / L3 process | Process description | Risk | Consequence of risk | Risk source | Cons. | Like. |
|---|---|---|---|---|---|---|---|
| 1 Establish a strategy | 1.1 Agree a strategy | The trustees of the charity define the future aims and plans | Management team do not unanimously support it | Strategy not actioned with the result that it does not achieve its aims | Risk workshop with directors 15-Dec-2005 | 5 | 5 |
| 1 Establish a strategy | 1.1 Agree a strategy | The trustees of the charity define the future aims and plans | Strategy might not be the best to achieve our objectives | Charity's aims not achieved effectively and efficiently. Possible loss of funds | Risk workshop with directors 15-Dec-2006 | 5 | 5 |
| 1 Establish a strategy | 1.2 Communicate strategy | Tell all staff about the strategy and its importance to them | People in the organisation are unaware of the strategy | Charity's aims not achieved effectively and efficiently. Possible loss of funds | Risk workshop with directors 15-Dec-2005 | 5 | 5 |
| 1 Establish a strategy | 1.3 Deliver strategy | The strategy is converted into targets and action for all staff | Strategy not converted into action | Charity does not achieve its objectives | Risk workshop with directors 15-Dec-2005 | 5 | 5 |
| 1 Establish a strategy | 1.3 Deliver strategy | The strategy is converted into targets and action for all staff | People in the organisation do not have personal targets linked to delivering the strategy | Charity does not achieve its objectives. Loss of morale, staff leave | Risk workshop with directors 15-Dec-2005 | 5 | 5 |
| 1 Establish a strategy | 1.3 Deliver strategy | The strategy is converted into targets and action for all staff | New projects do not add value | Loss of funds | Risk workshop with directors 15-Dec-2005 | 5 | 5 |
| 1 Establish a strategy | 1.4 Update strategy | Aims and plans regularly updated | Strategy not updated to take account of changing circumstances | Charity does not achieve its objectives | Risk workshop with directors 15-Dec-2005 | 5 | 5 |
| 2 Locate famine areas | 2.1 Monitor rainfall | Receive weather reports and assess their long-term impact | Reliable rainfall figures for Central Africa are unavailable | Do not foresee the effects of drought | Risk workshop with Aid director and her staff 10-Jan-2006 | 4 | 2 |
| 2 Locate famine areas | 2.2 Monitor planting | Understand how much planting has been carried out | Information on successful planting for next year's harvest is not available | Do not anticipate food shortage | Risk workshop with Aid director and her staff 10-Jan-2006 | 3 | 3 |
| 2 Locate famine areas | 2.3 Monitor crop forecasts | Understand what harvest is likely to be, using weather and planting reports | Information predicting next year's harvest is not available | Do not anticipate food shortage | Risk workshop with Aid director and her staff 10-Jan-2006 | 3 | 3 |
| 3 Obtain food | 3.1 Monitor availability | | Information on food stocks is not available | | Risk workshop with Aid director and her staff 10-Jan-2006 | 5 | 1 |
| 3 Obtain food | 3.2 Order food from donors | | Donor countries will not provide food | | Risk workshop with Aid director and her staff 10-Jan-2006 | 5 | 5 |
| 3 Obtain food | 3.2 Order food from donors | | Do not know quantities to order | | Risk workshop with Aid director and her staff 10-Jan-2006 | 3 | 4 |
| 3 Obtain food | 3.3 Order food on open market | | Pay too much for the food | | Risk workshop with Aid director and her staff 10-Jan-2006 | 5 | 5 |
| 3 Obtain food | 3.3 Order food on open market | | Do not have sufficient funds | | Risk workshop with Aid director and her staff 10-Jan-2006 | 5 | 1 |
| 4 Deliver food | 4.1 Arrange sea transport | | No ships available | | | 5 | 1 |
| 4 Deliver food | 4.1 Arrange sea transport | | No suitable docking facilities near to famine area | | | 5 | 3 |
| 4 Deliver food | 4.1 Arrange sea transport | | Do not negotiate best rates | | | 3 | 4 |
| 4 Deliver food | 4.2 Arrange land transport | | Labour to load lorries not available | | | 5 | 1 |
| 4 Deliver food | 4.2 Arrange land transport | | Lorries not available to move food inland | | | 5 | 3 |
| 4 Deliver food | 4.2 Arrange land transport | | Fuel not available for lorries | | | 5 | 3 |
| 4 Deliver food | 4.3 Maintain lorries | | Lorries break down | | | 3 | 3 |
| 4 Deliver food | 4.3 Maintain lorries | | Spares not available | | | 3 | 4 |
| 4 Deliver food | 4.3 Maintain lorries | | Mechanics not available | | | 3 | 4 |
| 4 Deliver food | 4.4 Recruit drivers | | Drivers not available | | | 3 | 4 |
| 4 Deliver food | 4.5 Plan passable routes | | Routes become impassable due to the weather | | | 5 | 5 |
| 4 Deliver food | 4.5 Plan passable routes | | Routes become impassable due to bandits | | | 5 | 3 |
| 4 Deliver food | 4.5 Plan passable routes | | Fail to plan passable routes to the camps | | | 3 | 4 |
| 4 Deliver food | 4.6 Prioritise camps | | Do not know where camps are | | | 5 | 5 |
| 4 Deliver food | 4.6 Prioritise camps | | Do not know where the people in most need are | | | 5 | 5 |
| 5 Obtain funds | 5.1 Identify potential donors | | Donors are not willing to give | | | 3 | 3 |
| 5 Obtain funds | 5.2 Advertise for funds | | Don't get best value for money | | | 2 | 3 |
| 5 Obtain funds | 5.3 Organise street collections | | Insufficient collectors | | | 3 | 3 |
| 5 Obtain funds | 5.3 Organise street collections | | Money is lost or stolen | | | 2 | 4 |
| 5 Obtain funds | 5.4 Organise door-to-door collections | | Insufficient collectors | | | 3 | 3 |
| 5 Obtain funds | 5.4 Organise door-to-door collections | | Money is lost or stolen | | | 2 | 4 |
| 5 Obtain funds | 5.5 Organise mail collections | | Wrong database used | | | 3 | 3 |
| 6 Support the operation | 6.1 Operate organisation according to legal requirements | | Current requirements for Corporate Governance are not understood | | | 5 | 5 |
| 6 Support the operation | 6.2 Operate organisation according to social responsibility requirements | | No policy on Corporate Social Responsibility (CSR) set up | | | 5 | 5 |
| 6 Support the operation | 6.3 Provide financial advice | | Lose money through failure of high risk investments | | | 5 | 5 |
| 6 Support the operation | 6.4 Provide purchasing services | | Purchase goods and services which are not required | | | 2 | 4 |
| 6 Support the operation | 6.4 Provide purchasing services | | Purchase goods and services at optimum cost | | | 2 | 4 |
| 6 Support the operation | 6.4 Provide purchasing services | | Goods and services are not received | | | 2 | 4 |
| 6 Support the operation | 6.4 Provide purchasing services | | Goods and services are of poor quality | | | 2 | 4 |
| 6 Support the operation | 6.5 Provide transaction processing: 6.5.1 Pay invoices | | Invoices paid when no goods or services are received | | | 2 | 4 |
| 6 Support the operation | 6.5 Provide transaction processing: 6.5.2 Account for fixed assets | | Additions and disposals of fixed assets are not recorded | | | 2 | 4 |
| 6 Support the operation | 6.5 Provide transaction processing: 6.5.2 Account for fixed assets | | Depreciation incorrectly calculated | | | 2 | 4 |
| 6 Support the operation | 6.5 Provide transaction processing: 6.5.3 Account for stock | | Quantities and/or values of stock are mis-stated | | | 2 | 4 |
| 6 Support the operation | 6.5 Provide transaction processing: 6.5.4 Account for cash and bank balances | | Money may be fraudulently removed | | | 3 | 4 |
| 6 Support the operation | 6.5 Provide transaction processing: 6.5.5 Update the general ledger | | Transactions posted to incorrect general ledger accounts | | | 3 | 4 |
| 6 Support the operation | 6.6 Provide information technology | | Provisions of the Data Protection Act not followed | | | 3 | 4 |
| 6 Support the operation | 6.8 Provide security | | Loss of the Charity's assets | | | 5 | 5 |
| 6 Support the operation | 6.9 Provide continuity | | Head office destroyed | | | 5 | 3 |

©David M Griffiths
G RAU planning

Risk and audit universe planning (unhide row 6 to see the database column titles) as at 7 April 2006

The Level 3 process descriptions, consequences of risk and risk sources are the same as in the F risk register above and are not repeated here. Inherent risk significance (Sig.) is Cons. × Like.; the adjusted inherent score is Sig. × Factor, where the Factor is set from the control opinion of the last audit and the gap in years since it. Risks that have never been audited carry an opinion and gap of n/a and a Factor of 1.

| Audit group | L1 process | L2 / L3 process | Risk | Cons. | Like. | Sig. | Last audit year | Control opinion | Gap | Factor | Adjusted Sig. | Process owner |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| A | 1 Establish a strategy | 1.1 Agree a strategy | Management team do not unanimously support it | 5 | 5 | 25 | 2003 | green | 3 | 0.75 | 18.75 | Chairman of Trustees |
| B | 1 Establish a strategy | 1.1 Agree a strategy | Strategy might not be the best to achieve our objectives | 5 | 5 | 25 | 2005 | amber | 1 | 0.5 | 12.5 | Chairman of Trustees |
| C | 1 Establish a strategy | 1.2 Communicate strategy | People in the organisation are unaware of the strategy | 5 | 5 | 25 | 2005 | red | 1 | 0.75 | 18.75 | Personnel Director |
| D | 1 Establish a strategy | 1.3 Deliver strategy | Strategy not converted into action | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Chairman of Trustees |
| C | 1 Establish a strategy | 1.3 Deliver strategy | People in the organisation do not have personal targets linked to delivering the strategy | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Personnel Director |
| E | 1 Establish a strategy | 1.3 Deliver strategy | New projects do not add value | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Chairman of Trustees |
| D | 1 Establish a strategy | 1.4 Update strategy | Strategy not updated to take account of changing circumstances | 5 | 5 | 25 | never done | n/a | n/a | 0.75 | 18.75 | Chairman of Trustees |
| F | 2 Locate famine areas | 2.1 Monitor rainfall | Reliable rainfall figures for Central Africa are unavailable | 4 | 2 | 8 | 2004 | green | 2 | 0.5 | 4 | Aid Director |
| F | 2 Locate famine areas | 2.2 Monitor planting | Information on successful planting for next year's harvest is not available | 3 | 3 | 9 | 2004 | green | 2 | 0.5 | 4.5 | Aid Director |
| F | 2 Locate famine areas | 2.3 Monitor crop forecasts | Information predicting next year's harvest is not available | 3 | 3 | 9 | 2004 | green | 2 | 0.5 | 4.5 | Aid Director |
| G | 3 Obtain food | 3.1 Monitor availability | Information on food stocks is not available | 5 | 1 | 5 | never done | n/a | n/a | 1 | 5 | Aid Director |
| G | 3 Obtain food | 3.2 Order food from donors | Donor countries will not provide food | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Aid Director |
| H | 3 Obtain food | 3.2 Order food from donors | Do not know quantities to order | 3 | 4 | 12 | never done | n/a | n/a | 1 | 12 | Aid Director |
| I | 3 Obtain food | 3.3 Order food on open market | Pay too much for the food | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Aid Director |
| I | 3 Obtain food | 3.3 Order food on open market | Do not have sufficient funds | 5 | 1 | 5 | never done | n/a | n/a | 1 | 5 | Finance Director |
| J | 4 Deliver food | 4.1 Arrange sea transport | No ships available | 5 | 1 | 5 | never done | n/a | n/a | 1 | 5 | Logistics Director |
| J | 4 Deliver food | 4.1 Arrange sea transport | No suitable docking facilities near to famine area | 5 | 3 | 15 | never done | n/a | n/a | 1 | 15 | Logistics Director |
| J | 4 Deliver food | 4.1 Arrange sea transport | Do not negotiate best rates | 3 | 4 | 12 | never done | n/a | n/a | 1 | 12 | Logistics Director |
| K | 4 Deliver food | 4.2 Arrange land transport | Labour to load lorries not available | 5 | 1 | 5 | never done | n/a | n/a | 1 | 5 | Logistics Director |
| K | 4 Deliver food | 4.2 Arrange land transport | Lorries not available to move food inland | 5 | 3 | 15 | never done | n/a | n/a | 1 | 15 | Logistics Director |
| K | 4 Deliver food | 4.2 Arrange land transport | Fuel not available for lorries | 5 | 3 | 15 | never done | n/a | n/a | 1 | 15 | Logistics Director |
| K | 4 Deliver food | 4.3 Maintain lorries | Lorries break down | 3 | 3 | 9 | never done | n/a | n/a | 1 | 9 | Logistics Director |
| K | 4 Deliver food | 4.3 Maintain lorries | Spares not available | 3 | 4 | 12 | never done | n/a | n/a | 1 | 12 | Logistics Director |
| K | 4 Deliver food | 4.3 Maintain lorries | Mechanics not available | 3 | 4 | 12 | never done | n/a | n/a | 1 | 12 | Logistics Director |
| K | 4 Deliver food | 4.4 Recruit drivers | Drivers not available | 3 | 4 | 12 | never done | n/a | n/a | 1 | 12 | Logistics Director |
| L | 4 Deliver food | 4.5 Plan passable routes | Routes become impassable due to the weather | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Logistics Director |
| L | 4 Deliver food | 4.5 Plan passable routes | Routes become impassable due to bandits | 5 | 3 | 15 | never done | n/a | n/a | 1 | 15 | Logistics Director |
| L | 4 Deliver food | 4.5 Plan passable routes | Fail to plan passable routes to the camps | 3 | 4 | 12 | never done | n/a | n/a | 1 | 12 | Logistics Director |
| L | 4 Deliver food | 4.6 Prioritise camps | Do not know where camps are | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Aid Director |
| L | 4 Deliver food | 4.6 Prioritise camps | Do not know where the people in most need are | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Aid Director |
| M | 5 Obtain funds | 5.1 Identify potential donors | Donors are not willing to give | 3 | 3 | 9 | 2004 | green | 2 | 0.5 | 4.5 | Marketing Director |
| N | 5 Obtain funds | 5.2 Advertise for funds | Don't get best value for money | 2 | 3 | 6 | never done | n/a | n/a | 1 | 6 | Marketing Director |
| O | 5 Obtain funds | 5.3 Organise street collections | Insufficient collectors | 3 | 3 | 9 | 2004 | green | 2 | 0.5 | 4.5 | Finance Director |
| O | 5 Obtain funds | 5.3 Organise street collections | Money is lost or stolen | 2 | 4 | 8 | 2004 | green | 2 | 0.5 | 4 | Finance Director |
| P | 5 Obtain funds | 5.4 Organise door-to-door collections | Insufficient collectors | 3 | 3 | 9 | 2004 | green | 2 | 0.5 | 4.5 | Finance Director |
| P | 5 Obtain funds | 5.4 Organise door-to-door collections | Money is lost or stolen | 2 | 4 | 8 | 2004 | green | 2 | 0.5 | 4 | Finance Director |
| P | 5 Obtain funds | 5.5 Organise mail collections | Wrong database used | 3 | 3 | 9 | 2004 | green | 2 | 0.5 | 4.5 | Finance Director |
| Q | 6 Support the operation | 6.1 Operate organisation according to legal requirements | Current requirements for Corporate Governance are not understood | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Audit Committee Chairman |
| R | 6 Support the operation | 6.2 Operate organisation according to social responsibility requirements | No policy on Corporate Social Responsibility (CSR) set up | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Chairman of Trustees |
| S | 6 Support the operation | 6.3 Provide financial advice | Lose money through failure of high risk investments | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Finance Director |
| T | 6 Support the operation | 6.4 Provide purchasing services | Purchase goods and services which are not required | 2 | 4 | 8 | never done | n/a | n/a | 1 | 8 | Head of Procurement |
| T | 6 Support the operation | 6.4 Provide purchasing services | Purchase goods and services at optimum cost | 2 | 4 | 8 | never done | n/a | n/a | 1 | 8 | Head of Procurement |
| T | 6 Support the operation | 6.4 Provide purchasing services | Goods and services are not received | 2 | 4 | 8 | never done | n/a | n/a | 1 | 8 | Head of Procurement |
| T | 6 Support the operation | 6.4 Provide purchasing services | Goods and services are of poor quality | 2 | 4 | 8 | never done | n/a | n/a | 1 | 8 | Head of Procurement |
| U | 6 Support the operation | 6.5 Provide transaction processing: 6.5.1 Pay invoices | Invoices paid when no goods or services are received | 2 | 4 | 8 | 2005 | amber | 1 | 0.5 | 4 | Finance Director |
| V | 6 Support the operation | 6.5 Provide transaction processing: 6.5.2 Account for fixed assets | Additions and disposals of fixed assets are not recorded | 2 | 4 | 8 | 2004 | green | 2 | 0.5 | 4 | Finance Director |
| V | 6 Support the operation | 6.5 Provide transaction processing: 6.5.2 Account for fixed assets | Depreciation incorrectly calculated | 2 | 4 | 8 | 2004 | green | 2 | 0.5 | 4 | Finance Director |
| X | 6 Support the operation | 6.5 Provide transaction processing: 6.5.3 Account for stock | Quantities and/or values of stock are mis-stated | 2 | 4 | 8 | never done | n/a | n/a | 1 | 8 | Finance Director |
| Y | 6 Support the operation | 6.5 Provide transaction processing: 6.5.4 Account for cash and bank balances | Money may be fraudulently removed | 3 | 4 | 12 | never done | n/a | n/a | 1 | 12 | Finance Director |
| Z | 6 Support the operation | 6.5 Provide transaction processing: 6.5.5 Update the general ledger | Transactions posted to incorrect general ledger accounts | 3 | 4 | 12 | never done | n/a | n/a | 1 | 12 | Finance Director |
| AA | 6 Support the operation | 6.6 Provide information technology | Provisions of the Data Protection Act not followed | 3 | 4 | 12 | 2004 | green | 2 | 0.5 | 6 | IS Director |
| AB | 6 Support the operation | 6.8 Provide security | Loss of the Charity's assets | 5 | 5 | 25 | never done | n/a | n/a | 1 | 25 | Various |
| AC | 6 Support the operation | 6.9 Provide continuity | Head office destroyed | 5 | 3 | 15 | 2004 | green | 2 | 0.5 | 7.5 | Various |

Controls, monitoring controls, residual risks and last audit details have been completed only for the three risks in process 1.1 and 1.2 (audit groups A, B and C):

| Audit group | Risk | Control | Monitoring control | Residual Cons. | Like. | Sig. | Last audit number |
|---|---|---|---|---|---|---|---|
| A | Management team do not unanimously support it | Care taken when recruiting trustees to ensure new members will become part of the team | Chairman works to ensure any disagreements are resolved | 5 | 2 | 10 | 46 |
| B | Strategy might not be the best to achieve our objectives | The strategy is set after careful discussion, and a risk analysis by the board | The strategy is turned into a forecast and targets, which are scrutinised by the board every month | 5 | 2 | 10 | 46 |
| C | People in the organisation are unaware of the strategy | Managers brief all staff yearly. The strategy is on the intranet. New staff have an induction course. | None | 5 | 3 | 15 | 46 |

For every other row the last audit details (audit number, audit name, budget, actual, timing) read 0 or "never done". The remaining columns of this sheet (Last auditor, Last final report target, Final report achieved, Last result; Current / Next audit details: Next audit number, Next audit name, Next audit budget, Next timing, Next auditor, Days, Status, Next final report target, Next final report achieved, 2006 opinion on risk) are empty, as is the totals block (TOTAL; Available (3 auditors): Weekdays, Holidays, Training, Projects, Secondments; Available for other audits).

©David M Griffiths
Risk and audit universe ongoing (with 2006 plan)
(unhide row 6 to see the database column titles) as at 7 April 2006
L1
Level 1 process
Level 1 process 1 Establish a strategy
L2
Level 2 process
Level 2 process
L3
Level 3 process Process Description
Level 3 process Process Description The strategy is converted into targets and action for all staff Aims and plans regularly updated Tell all staff about the strategy and its importance to them The strategy is converted into targets and action for all staff The strategy is converted into targets and action for all staff
L1
L2
L3
1.3 Deliver strategy
1 Establish a strategy 1 Establish a strategy
1.4 Update strategy 1.2 Communicate strategy
1 Establish a strategy
1.3 Deliver strategy
1 Establish a strategy
1.3 Deliver strategy
3 Obtain food 3 Obtain food 3 Obtain food 4 Deliver food 4 Deliver food 4 Deliver food 4 Deliver food 4 Deliver food 6 Support the operation
3.2 Order food from donors 3.3 Order food on open market 3.3 Order food on open market 4.5 Plan passable routes 4.5 Plan passable routes 4.5 Plan passable routes 4.6 Prioritise camps 4.6 Prioritise camps 6.1 Operate organisation according to legal requirements 6.2 Operate organisation according to social responsibility requirements 6.3 Provide financial advice 6.8 Provide security 1.1 Agree a strategy The trustee's of the charity define the future aims and plans
6 Support the operation
6 Support the operation 6 Support the operation 1 Establish a strategy
3 Obtain food 4 Deliver food 4 Deliver food
3.2 Order food from donors 4.1 Arrange sea transport 4.1 Arrange sea transport
©David M Griffiths
H RAU ongoing
4 Deliver food 4 Deliver food 4 Deliver food 4 Deliver food 4 Deliver food 4 Deliver food 4 Deliver food 4 Deliver food 6 Support the operation 6 Support the operation 1 Establish a strategy
4.1 Arrange sea transport 4.2 Arrange land transport 4.2 Arrange land transport 4.2 Arrange land transport 4.3 Maintain lorries 4.3 Maintain lorries 4.3 Maintain lorries 4.4 Recruit drivers 6.5 Provide transaction processing 6.5 Provide transaction processing 1.1 Agree a strategy 6.5.4 Account for cash and bank balances 6.5.5 Update the general ledger The trustee's of the charity define the future aims and plans Receive weather reports and assess their long term impact Understand how much planting has been carried out Understand what harvest is likely to be, using weather and planting reports
2 Locate famine areas
2.1 Monitor rainfall
2 Locate famine areas
2.2 Monitor planting
2 Locate famine areas
2.3 Monitor crop forecasts
3 Obtain food 5 Obtain funds 5 Obtain funds 5 Obtain funds 5 Obtain funds 5 Obtain funds 5 Obtain funds 5 Obtain funds 6 Support the operation 6 Support the operation 6 Support the operation 6 Support the operation 6 Support the operation 6 Support the operation 6 Support the operation
3.1 Monitor availability 5.1 Identify potential donors 5.2 Advertise for funds 5.3 Organise street collections 5.3 Organise street collections 5.4 Organise door-to-door collections 5.4 Organise door-to-door collections 5.5 Organise mail collections 6.4 Provide purchasing services 6.4 Provide purchasing services 6.4 Provide purchasing services 6.4 Provide purchasing services 6.5 Provide transaction processing 6.5 Provide transaction processing 6.5 Provide transaction processing
6.5.1 Pay invoices 6.5.2 Account for fixed assets 6.5.2 Account for fixed assets
©David M Griffiths
H RAU ongoing
6 Support the operation 6 Support the operation 6 Support the operation
6.5 Provide transaction processing 6.6 Provide information technology 6.9 Provide continuity
6.5.3 Account for stock
©David M Griffiths
H RAU ongoing
Risk
Consequence of risk Risk source
Inherent risks
Cons.
irc 5
Risk Strategy not converted into action
Consequence of risk Charity does not achieve its objectives
Risk source Risk workshop with directors 15-Dec2005 Risk workshop with directors 15-Dec2005 Risk workshop with directors 15-Dec2005
Strategy not updated to take account of Charity does not achieve its objectives changing circumstances People in the organisation are unaware Charities aims not achieved effectively of the strategy and efficiently. Possible loss of funds
5 5
People in the organisation do not have personal targets linked delivering the strategy New projects do not add value
Charity does not achieve its objectives. Risk workshop with directors 15-DecLoss of morale, staff leave 2005 Loss of funds Risk workshop with directors 15-Dec2005 Risk workshop with Aid director and her staff 10-Jan-2006 Risk workshop with Aid director and her staff 10-Jan-2006 Risk workshop with Aid director and her staff 10-Jan-2006
5
5
Donor countries will not provide food Pay too much for the food Do not have sufficient funds Routes become impassable due to the weather Routes become impassable due to bandits Fail to plan passable routes to the camps Do not know where camps are Do not know where the people in most need are Current requirement for Corporate Governance are not understood No policy on Corporate Social Responsibility (CSR) set up
5 5 5 5 5 3 5 5 5
5
Lose money through failure of high risk investments Loss of the Charity's assets Management team do not unanimously support it Strategy not actioned with the result that Risk workshop with directors 15-Decit does not achieve its aims 2005
5 5 5
Do not know quantities to order No ships available No suitable docking facilities near to famine area
Risk workshop with Aid director and her staff 10-Jan-2006
3 5 5
©David M Griffiths
H RAU ongoing
Do not negotiate best rates Labour to load lorries not available Lorries not available to move food inland Fuel not available for lorries Lorries break down Spares not available Mechanics not available Drivers not available Money may be fraudulently removed Transactions posted to incorrect general ledger accounts Strategy might not be the best to Charities aims not achieved effectively achieve our objectives and efficiently. Possible loss of funds
3 5 5 5 3 3 3 3 3 3 Risk workshop with directors 15-Dec2006 5
Reliable rainfall figures for Central Africa are unavailable Information on successful planting for next year's harvest is not available Information predicting next year's harvest is not available Information on food stocks is not available Donors are not willing to give Don't get best value for money Insufficient collectors Money is lost or stolen Insufficient collectors Money is lost or stolen Wrong database used Purchase goods and services which are not required Purchase goods and services at optimum cost Goods and services are not received Goods and services are of poor quality Invoices paid when no goods of services are received Additions and disposals of fixed assets are not recorded Depreciation incorrectly calculated
Do not foresee the effects of drought
Risk workshop with Aid directors and her staff 10-Jan-2006 Risk workshop with Aid director and her staff 10-Jan-2006 Risk workshop with Aid director and her staff 10-Jan-2006 Risk workshop with Aid director and her staff 10-Jan-2006
4
Do not anticipate food shortage
3
Do not anticipate food shortage
3
5 3 2 3 2 3 2 3 2 2 2 2 2 2 2
©David M Griffiths
H RAU ongoing
Quantities and/or values of stock are mis-stated Provisions of the Data Protect Act not followed Head office destroyed
2 3 5
©David M Griffiths
H RAU ongoing
Inherent risks
irl 5 irs 25
Last Audit
Year
LA year never done never done 2005
Process Adjusted inherent score owner
Audit Group
Control
Like. Sig. Opinion
LA opinion n/a
Gap Factor Sig
arc n/a arl 1 ars 25 Owner Chairman of Trustees Chairman of Trustees Personnel Director Audit Group Control
D D C
Managers brief all staff yearly. The strategy is on the intranet. New staff have an induction course.
5 5
25 25
n/a red
n/a 1
0.75 0.75
18.75 18.75
5
25
n/a
never done never done never done never done never done never done never done never done never done never done never done never done
n/a
1
25
Personnel Director Chairman of Trustees Aid Director Aid Director Finance Director Logistics Director Logistics Director Logistics Director Aid Director Aid Director Audit Committee Chairman Chairman of Trustees
C E G I I L L L L L Q R
5
25
n/a
n/a
1
25
5 5 1 5 3 4 5 5 5
25 25 5 25 15 12 25 25 25
n/a n/a n/a n/a n/a n/a n/a n/a n/a
n/a n/a n/a n/a n/a n/a n/a n/a n/a
1 1 1 1 1 1 1 1 1
25 25 5 25 15 12 25 25 25
5
25
n/a
n/a
1
25
5 5 5
25 25 25
n/a n/a green
never done never done 2003
n/a n/a 3
1 1 0.75
25 25 18.75
Finance Director Various Chairman of Trustees
S AB A
Care taken when recruiting trustees to ensure new members will become part of the team
4 1 3
12 5 15
n/a n/a n/a
never done never done never done
n/a n/a n/a
1 1 1
12 5 15
Aid Director Logistics Director Logistics Director
H J J
©David M Griffiths
H RAU ongoing
4 1 3 3 3 4 4 4 4 4 5
12 5 15 15 9 12 12 12 12 12 25
n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a amber
never done never done never done never done never done never done never done never done never done never done 2005
n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a 1
1 1 1 1 1 1 1 1 1 1 0.5
12 5 15 15 9 12 12 12 12 12 12.5
Logistics Director Logistics Director Logistics Director Logistics Director Logistics Director Logistics Director Logistics Director Logistics Director Finance Director Finance Director Chairman of Trustees
J K K K K K K K Y Z B
The strategy is set after careful discussion, and a risk analysis by the board
2
8
green
2004
2
0.5
4
Aid Director
F F F G M N O O P P P T T T T U V V
3
9
green
2004
2
0.5
4.5
Aid Director
3
9
green
2004
2
0.5
4.5
Aid Director
1 3 3 3 4 3 4 3 4 4 4 4 4 4 4
5 9 6 9 8 9 8 9 8 8 8 8 8 8 8
n/a green n/a green green green green green n/a n/a n/a n/a amber green green
never done 2004 never done 2004 2004 2004 2004 2004 never done never done never done never done 2005 2004 2004
n/a 2 n/a 2 2 2 2 2 n/a n/a n/a n/a 1 2 2
1 0.5 1 0.5 0.5 0.5 0.5 0.5 1 1 1 1 0.5 0.5 0.5
5 4.5 6 4.5 4 4.5 4 4.5 8 8 8 8 4 4 4
Aid Director Marketing Director Marketing Director Finance Director Finance Director Finance Director Finance Director Finance Director Head of Procurement Head of Procurement Head of Procurement Head of Procurement Finance Director Finance Director Finance Director
©David M Griffiths
H RAU ongoing
4 4 3
8 12 15
n/a green green
never done 2004 2004
n/a 2 2
1 0.5 0.5
8 6 7.5
Finance Director IS Director Various
X AA AC
©David M Griffiths
H RAU ongoing
Last audit details Monitoring control
Monitoring control
Residual risks
Cons. Like. Sig.
rrc rrl rrs 0
Last Audit audit name number
Last Last audit audit Budget actual
Last timing
Last audit Last audit Last audit Last audit Last timing number name Budget actual never done
0 None 5 3 15
0
never done never done never done never done
0
0 0 0 0 0 0 0 0 0
never done
never done never done never done never done
0
0 0 Chairman works to ensure any disagreements are resolved 5 2 10
never done never done
0 0 0
©David M Griffiths
H RAU ongoing
0 0 0 0 0 0 0 0 0 0 The strategy is turned into a forecast and targets, which are scrutinised by the board every month 5 2 10
0
0
0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
©David M Griffiths
H RAU ongoing
0 0 0
©David M Griffiths
H RAU ongoing
Last audit details (auditor, final report target, final report achieved, result) and Current / Next audit details (next audit number, name, budget in auditor-days, timing, auditor, status, next final report target and achieved, 2006 opinion on risk). The last audit columns are blank ("never done") for the rows below; the figures are the next-audit columns.

No. | Next audit name | Budget (days) | Timing | Auditor | Status | Final report target | Final report achieved | 2006 opinion on risk
133 | Strategy roll-out | 5 | Q1 | Smith | complete | 20-Mar-06 | 21-Mar-06 | green
134 | Person target setting | 10 | Q2 | Khan | planned | 17-Jul-06 | |
135 | Project Approval | 20 | Q3 | (not allocated) | planned | 29-Sep-06 | |
136 | Obtaining food donation | 20 | Q2 | Smith | fieldwork | 12-May-06 | |
137 | Obtaining food purchase (2 risks) | 25 | Q2 | Doe | fieldwork | 25-May-06 | |
138 | Route planning (5 risks) | 17 | Q2 | Doe | planned | 23-Jun-06 | |
139 | Corporate Governance | 30 | Q1 | Khan | report | 21-Apr-06 | |
140 | Corporate Social Responsibility | 30 | Q1 | Doe | report | 21-Apr-06 | |
141 | Investments | 20 | Q2 | Smith | scoping | 9-Jun-06 | |
142 | Security of assets | 30 | Q2 | Khan | scoping | 9-Jun-06 | |
143 | Strategy | (blank) | Q3 | Smith | planned | 30-Jun-06 | |
144 | Forecasting | 17 | Q2 | Doe | planned | 14-Jul-06 | |
145 | Transport to docks (3 risks) | 30 | Q1 | Khan | complete | 15-Feb-06 | 8-Mar-06 | green
146 | Transport to camps (7 risks) | 20 | Q1 | Smith / Khan | complete | 1-Mar-06 | 2-Mar-06 | amber, amber, amber, green, amber, red, red (one per risk)
147 | Bank and cash | 10 | Q3 | Doe | planned | 15-Sep-06 | |
148 | General ledger | 20 | Q1 | Doe | complete | 31-Mar-06 | 23-Mar-06 | green
149 | Strategy re-think | 40 | Q2 | Khan | planned | 7-Jul-06 | |
Remaining risks in the universe: No audit.

TOTAL (days): 339
Available (3 auditors): Weekdays 780, less Holidays (90), Training (15), Projects (200), Secondments (50) = 425
Available for other audits: 86
Internal Audit Quarterly Plan (Q2): Staff planning 2006
Weeks beginning 03-Apr to 26-Jun 2006 (weeks 14 to 26); 5 days per auditor per week, 65 days per auditor for the quarter. Key to plan: scope, fieldwork, report. Columns: Original planned, Budget now, then days per week.
Smith: Annual and Bank holidays; 136 Obtaining food - donation; 141 Investments; 143 Strategy; 150 SAP implementation project. Total days.
Doe: Annual and Bank holidays; 140 Corporate Social Responsibility (30); 137 Obtaining food - purchase (25); 138 Route planning (17); 144 Forecasting (17); 147 Bank and cash (20). Total days.
Khan: Annual and Bank holidays; 139 Corporate Governance (30); 142 Security of assets (30); 149 Strategy re-think (20); 134 Person target setting (10); Secondment to accounts. Total days.
(Budget-now figures in brackets where they could be read from the sheet.)
©David M Griffiths
I Quarterly plan
[Week-by-week allocation grid: weeks 18 to 26, beginning 01-May, 08-May, 15-May, 22-May, 29-May, 05-Jun, 12-Jun, 19-Jun and 26-Jun 2006; each auditor's days per audit sum to 5 per week.]
146 Transport of food to famine relief camps - Audit Database
Columns: Level 2 process; Risk on register (appendix H); Level 3 process; Risk for this audit; Inherent risk (Cons./Like./Sig.); Control; Monitoring; Tests; Ref; Residual risk (Cons./Like./Sig.); Control issue; Action; By whom; Conclusions (Risks, Controls, Action, Monitoring); Follow-up July 2004 (Report, Monitoring, Reference, Risks, Controls, Action, Monitoring).

Identify risks (risk on register: Risks are not known)
  Risk: Risks are not known. Inherent 5/5/25. Control: None. Monitoring: None.
  Tests: Examine processes to set up the risk register and examine the register.
  Residual 5/5/25. Issue: No register. Action: A risk assessment will be carried out as part of the contracting process (see below). By whom: Logistics Director.
Evaluate risks
  Risk: Significant risks are not understood. Inherent 5/5/25. Control: None. Monitoring: None.
  Tests: Examine the process to score the risks. Residual 5/5/25. Action: As above.
Manage risks
  Risk: Significant risks are not controlled. Inherent 5/5/25. Control: None. Monitoring: None.
  Tests: Check controls - below. Residual 5/5/25. Action: As above.

4.2 Arrange land transport
4.2.1 Receive instructions from country office
  Risk: Instructions not received. Inherent 5/5/25.
  Control: Country office confirms receipt. Monitoring: HQ chases if no confirmation received.
  Tests: Checked all instructions and confirmations for 2003. All satisfactory.
  Residual 4/1/4. Issue: None. Action: n/a.
4.2.1 Receive instructions from country office
  Risk: Instructions are late. Inherent 5/5/25.
  Control: No controls at HQ to ensure instructions are sent on time. Monitoring: None. Tests: n/a.
  Residual 5/1/5. Issue: No controls at HQ to ensure instructions are sent on time.
  Action: Country Director to assume responsibility for notifying the country office. By whom: Country Director.
4.2.2 Hire drivers (risk on register: 4.4 Recruit drivers, Drivers not available)
  Risk: Drivers not available. Inherent 5/5/25.
  Control: List of drivers available for hire is kept by the compound office. Monitoring: None.
  Tests: Checked list. It is not regularly updated. Ref G3.
  Residual 5/5/25. Issue: Drivers may not be available. Action: The use of contractors is to be considered. By whom: Logistics Director.
4.2.2 Hire drivers
  Risk: Drivers not properly qualified. Inherent 3/5/15.
  Control: Drivers' documents are checked and copies made. Monitoring: None.
  Tests: Checked copies exist. Ref G4.
  Residual 3/1/3. Issue: Documents could be forged. Action: n/a.
4.2.3 Plan route
  Risk: Route is blocked. Inherent 5/3/15.
  Control: Work with other agencies and the military to plan routes. Monitoring: None.
  Tests: Check the last plan. Examine dates of collection and delivery. Ref G5.
  Residual 4/1/4. Issue: HQ also tries to plan routes. Action: Local office to plan routes. By whom: Country Director.
4.2.3 Plan route
  Risk: Route is dangerous. Inherent 5/3/15.
  Control: The army escorts convoys. Monitoring: None.
  Tests: Ask drivers and supervisor about escorts.
  Residual 4/1/4. Issue: None - escorts are provided. Action: n/a.
4.2.4 Arrange to collect food
  Risk: No food available! Inherent 5/1/5.
  Control: HQ arrange for food to be available in the warehouses. Monitoring: None.
  Tests: Check loading sheets for the lorries. Ref G6.
  Residual 4/1/4. Issue: None - food was available. Action: n/a.
Load fuel (risk on register: Fuel not available for lorries)
  Risk: Fuel not available for lorries. Inherent 5/5/25.
  Control: Fuel is stored in the compound. Monitoring: None.
  Tests: Check fuel tanks. Ref G7.
  Residual 5/5/25. Issue: Tanks were empty, although stock records showed they should be full. Action: The use of contractors is to be considered. By whom: Logistics Director.
4.2.5 Load food (risk on register: Labour to load lorries not available)
  Risk: No loaders. Inherent 5/1/5.
  Control: The warehouse provides loaders. Monitoring: The supervisor maintains day-to-day control.
  Tests: Supervisor said no problem in the past.
  Residual 4/1/4. Issue: None. Action: n/a.
4.2.6 Deliver to camp
  Risk: Food is stolen. Inherent 3/3/9.
  Control: Army and police provide some protection. Monitoring: The supervisor maintains day-to-day control.
  Tests: Question staff and other agencies about the problem.
  Residual 3/3/9. Issue: Theft is a problem, but as well controlled as possible. Action: No extra action possible.

4.3 Maintain lorries (risk on register: Lorries not available to move food inland)
4.3.1 Check lorries are working
  Risk: Lorries are found to be unsuitable for the journey. Inherent 5/3/15.
  Control: Lorries are serviced and tested. Monitoring: The supervisor maintains day-to-day control.
  Tests: Request a ride in the lorries.
  Residual 5/3/15. Issue: 2 lorries were not working due to lack of maintenance (bad brakes). Action: The use of contractors is to be considered. By whom: Logistics Director.
4.3.1 Check lorries
  Risk: Check is not complete. Inherent 3/3/9.
  Control: Maintenance schedules are signed by the senior mechanic. Monitoring: The supervisor maintains day-to-day control.
  Tests: Check schedules.
  Residual 3/3/9. Issue: Scheduled checks not always carried out due to a lack of mechanics. Action: The use of contractors is to be considered. By whom: Logistics Director.
4.3.1 Check lorries
  Risk: Action is not taken on faults. Inherent 3/3/9.
  Control: Maintenance schedules are signed by the senior mechanic. Monitoring: The supervisor maintains day-to-day control.
  Tests: Check schedules.
  Residual 3/3/9. Issue: Repairs not always carried out due to a lack of mechanics. Action: The use of contractors is to be considered. By whom: Logistics Director.
4.3.1 Check lorries (risk on register: Mechanics not available)
  Risk: Lack of mechanics. Inherent 5/5/25.
  Control: Two mechanics are on the permanent staff. Monitoring: The supervisor maintains day-to-day control.
  Tests: Talk to mechanics. Examine work sheets.
  Residual 5/5/25. Issue: Only one, inexperienced mechanic on the staff. Action: The use of contractors is to be considered. By whom: Logistics Director.
4.3.2 Carry out maintenance checks as per the lorry manual
  Risk: Maintenance checks not carried out thoroughly. Inherent 3/3/9.
  Control: Maintenance schedules are signed by the senior mechanic. Monitoring: The supervisor maintains day-to-day control.
  Tests: Check schedules.
  Residual 3/3/9. Issue: Scheduled checks not always carried out due to a lack of mechanics. Action: The use of contractors is to be considered.
4.3.3 Repair lorries as necessary
  Risk: Repairs not satisfactory. Inherent 3/3/9.
  Control: Lorries checked by compound supervisor. Monitoring: The supervisor maintains day-to-day control.
  Tests: Request a ride in the lorries.
  Residual 3/3/9. Issue: 1 lorry was badly damaged. Action: The use of contractors is to be considered. By whom: Logistics Director.
4.3.3 Repair lorries as necessary
  Risk: Repairs not necessary. Inherent 3/3/9.
  Control: Request for repairs and spare parts is approved by the compound supervisor. Monitoring: n/a.
  Tests: Check request documents.
  Residual 3/3/9. Issue: No documents exist for requesting spares. Action: The use of contractors is to be considered. By whom: Logistics Director.
4.3.3 Repair lorries as necessary (risk on register: Spares not available)
  Risk: Spares not available. Inherent 3/5/15.
  Control: HQ arrange for spares to be shipped out. Monitoring: The supervisor maintains day-to-day control.
  Tests: Talk to supervisor and mechanic. Examine any available documentation.
  Residual 3/5/15. Issue: Spares can take months to arrive. Action: The use of contractors is to be considered. By whom: Logistics Director.

6.6 Provide information technology
6.6.1 Maintain systems
  Risk: Data lost through computer failure. Inherent 3/5/15.
  Control: Not applicable. No computer on site. Monitoring: n/a. Tests: n/a.
  Residual 3/5/15. Issue: n/a. Action: n/a.

6.7 Provide human resources (risk on register: Staff are not competent)
6.7.1 Establish job descriptions
  Risk: Staff competencies required have not been identified. Inherent 3/5/15.
  Control: Job descriptions are maintained for all jobs. Tests: Check for job descriptions of all staff levels.
  Residual 3/5/15. Issue: No job descriptions exist. Action: Job descriptions will be written by the end of March 2004. By whom: Country Manager.
6.7.2 Carry out regular appraisals
  Risk: Actual competencies of the staff have not been matched with required competencies. Inherent 3/5/15.
  Control: All staff have two appraisals every year. Monitoring: None. Tests: Check appraisal files.
  Residual 3/5/15. Issue: No appraisals are carried out. Action: Targets will be set by the end of March and staff will be appraised on these by the end of September. By whom: Country Manager.
6.7.3 Training of staff
  Risk: Training is not provided. Inherent 3/5/15.
  Control: Appraisals identify training needs. Monitoring: None. Tests: Check appraisal files.
  Residual 3/5/15. Issue: Mechanics are not trained - but move on too quickly. Action: The use of contractors is to be considered; we will ensure staff are trained as part of the introduction of contractors. By whom: Country Manager.
6.7.3 Training of staff
  Risk: Staff not allowed to attend training. Inherent 3/5/15.
  Control: None. Monitoring: None. Tests: Question staff who have been on courses.
  Residual 3/4/12. Issue: No courses available. Action: The use of contractors is to be considered. By whom: Logistics Director.

6.8 Provide security (risk on register: Loss of the Charity's assets)
6.8.1 Provide security
  Risk: Loss of the Charity's assets. Inherent 5/3/15.
  Control: The compound is surrounded by a high fence. Monitoring: None. Tests: Asked staff about security.
  Residual 4/3/12. Issue: The fence is regularly broken down - hence the fuel has been stolen. Action: None.

6.9 Provide continuity (risk on register: Office destroyed)
6.9.1 Identify documents required to achieve the objective of these processes
  Risk: Documents may not be recorded. Inherent 1/3/3. Control: None. Tests: None.
  Residual 1/3/3. Issue: Not significant. Action: n/a.
6.9.2 Decide on arrangements to safeguard these
  Risk: Level of protection may not be sufficient. Inherent 1/3/3. Control: None. Tests: None.
  Residual 1/3/3. Issue: Not significant. Action: n/a.

The Follow-up July 2004 columns are n/a throughout.
KEY (n/a = not applicable; conclusions are scored 3, 2, 1 or 0)
Risks
  Red: Inadequate, or no, processes have been used to identify risks.
  Amber: Processes have been used, but there are some deficiencies.
  Green: Thorough processes have been used and all significant risks should have been identified.
Controls (residual risk score)
  Red (score 15 or over): This risk is not being mitigated to an acceptable level and it is probable that some objectives will not be, or are not being, achieved.
  Amber (score 5 or over): The risk is not being mitigated to an acceptable level by the control(s), although neither the consequence nor the likelihood of the risk occurring is considered significant. There is the possibility that some objectives will not be achieved.
  Green (score 4 or under): This risk is being mitigated to an acceptable level by the controls.
Action
  Red: No action is being taken, OR insufficient action is being taken to mitigate risks.
  Amber: The action being taken will result in some reduction in risk but not to acceptable levels.
  Green: The action being taken will result in this risk being mitigated.
Monitoring
  Red: Major improvements are required to the monitoring of controls over this risk.
  Amber: Some additional monitoring is required.
  Green: No more monitoring is necessary than is done at present.
©David M Griffiths
K Audit database
Risk and audit universe: column key

L1: Level 1 risk number. Corresponds to the Risk database.
Level 1 process: Name of process.
L2: Level 2 risk number. Corresponds to the Risk database.
Level 2 process: Name of process.
L3: Level 3 risk number.
Level 3 process: Name of process.
Process: Title of the process.
Process Description: A brief description of what the process does. Any more details should be filed in the audit file.
Risk: The threat to the process. There may be several risks to one process, or one risk may threaten several processes.
Risk source: Who identified the risk (management, risk workshop, auditor, meeting).
IRC: Inherent risk consequence score.
IRL: Inherent risk likelihood score.
IRS: Inherent risk scores multiplied (Inherent Risk Significance score).
Last audit result: Conclusion of last audit (acceptable/issues/unacceptable).
Last audit date: Year of the last audit.
Adj factor: Factor applied to the IRS depending on how many years ago the last audit took place, and the result. (See www.internalaudit.biz)
Adj IRS: IRS x adj factor = adj IRS. Sorting on this score gives the priority order for the associated audits.
Process owner: Who is (are) responsible for the process. Should be a senior manager/director.
Audit Group: Letter(s) given in order to group several risks into one audit (if necessary). They will not necessarily be in order, as new risks, with associated audits, will be added and some may be removed.
Control: Direct response to the risk.
Monitoring control: Management's response to ensure the control is operating properly.
RRC: Residual risk consequence score.
RRL: Residual risk likelihood score.
RRS: Residual risk scores multiplied.
Last audit number: Unique number given to each audit. This is the number of the last audit to cover this risk.

Last audit:
Audit name: Name given to the audit.
Last audit Budget: Approximate number of auditor-days the audit should take. This aids resource planning.
Last audit actual: Number of days the last audit actually required.
Last timing: Month/year of last audit.
Last auditor: Names of principal auditors.
Last final report Target: Target date for producing the report (from scope).
Final report achieved: Date actually achieved for issuing the final report.
Last result: Conclusion of last audit (acceptable/issues/unacceptable).

Current/Next audit:
Next audit number: Unique number given to each audit. This is the number of the next audit to cover this risk, if it has been allocated.
Next audit name: Audit name. Will usually be the same as for the last audit, but could be different if this risk has been included in another audit.
Next audit Budget: Approximate number of auditor-days the audit should take, based on the last audit's actual time. This aids resource planning.
Next timing: Expected quarter/year of next audit, if it can be allocated.
Next auditor: Name(s) of auditors, if allocated.
Status: Status of audit (planning/fieldwork/reporting) when it is in progress.
Next final report target: Target date for producing the report (from scope).
Next final report Achieved: Actual date the final report was issued.
2006 opinion on risk: The opinion as to whether the risk was being properly managed.
When the final report from the "next audit" is issued, its details are moved into the "last audit" columns.
Notes on the risks database
File version 1. Date: 18 September 2005.
The worksheets in this file illustrate how risk-based methods are used to build up audit plans and then detailed audit programmes. The tabs for the worksheets are shown at the bottom of the page. The letters at the start of each title are those of the appendices used in www.internalaudit.biz.
The following notes are tips when considering risks:
- When wording risks, try not to make them just the failure to deliver a process. For example, the risk hindering 5.4 "Organise door to door collections" should not be "Fail to organise door to door collections".
- More importantly, risks should not be the absence of a control. For example, the risk "Invoices are not authorised" presupposes a control. The risk is "Invoices may be paid for goods or services not required"; the control is "All invoices are authorised by a senior manager".
- Don't be surprised if many of the absolute (inherent) risks are scored as 25. We are looking at significant risks, with no controls. External risks, such as "Information predicting next year's harvest is not available", may have likelihoods less than high.
- For some risks there is a link between consequence and likelihood. Take the risk "lorries may break down". If we have many lorries, we could score this as the possibility of all lorries breaking down at once (consequence = very high, likelihood = low) or as the possibility of one lorry breaking down (consequence = low, likelihood = very high). Either way the risk score is the same (10). In these circumstances the risk should be clearly stated.
This is an example database only. It took me only a few hours to compile! In practice it would take several months of interviews and meetings to compile and score a database of this sort, and it would have to be updated at least once a quarter. In practice the quarterly plan would be a rolling 13-week plan, not the fixed quarter shown. Note that the risk database (appendix H) has not been updated as a result of the "Transport of food to camps" audit (146). See the manual for details.
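The scoring and prioritisation described in the column key (IRS = IRC x IRL, Adj IRS = IRS x adjustment factor, sort on Adj IRS to get the audit order) together with the risk-wording advice in the notes above, as an added Python example. This is not code from the spreadsheets or from www.internalaudit.biz. The adjustment-factor table is an assumption built only to reproduce the two values visible on sheet H (1.0 for a risk never audited, 0.5 for a green result two years earlier); the traffic-light thresholds are those of the audit-database key (15 or over, 5 or over, 4 or under); the wording check is a simple heuristic; the sample rows are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def rag(score: float) -> str:
    """Traffic-light rating using the audit-database key thresholds:
    15 or over = red, 5 or over = amber, 4 or under = green."""
    if score >= 15:
        return "red"
    if score >= 5:
        return "amber"
    return "green"


def adjustment_factor(years_since_audit: Optional[int], last_result: Optional[str]) -> float:
    """ASSUMED adjustment table. The page states only the principle (the factor
    depends on how long ago the last audit was and on its result); this table
    reproduces the two values on sheet H: 1.0 when never audited and 0.5 for a
    green result two years earlier."""
    if years_since_audit is None or last_result is None:
        return 1.0                     # never audited: full weight
    if last_result == "red":
        return 1.0                     # unacceptable result: no reduction
    if last_result == "amber":
        return 0.75 if years_since_audit <= 2 else 1.0
    if last_result == "green":
        if years_since_audit <= 2:
            return 0.5
        return 0.75 if years_since_audit == 3 else 1.0
    raise ValueError(f"unknown audit result: {last_result!r}")


@dataclass
class Risk:
    """One row of the risk and audit universe (scoring columns only)."""
    process: str
    risk: str
    irc: int                                # inherent consequence, 1..5
    irl: int                                # inherent likelihood, 1..5
    owner: str
    last_result: Optional[str] = None       # green / amber / red
    last_audit_year: Optional[int] = None
    audit_budget_days: int = 0
    rrc: Optional[int] = None               # residual consequence
    rrl: Optional[int] = None               # residual likelihood

    def __post_init__(self) -> None:
        for name, value in (("irc", self.irc), ("irl", self.irl)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    def irs(self) -> int:
        return self.irc * self.irl

    def rrs(self) -> Optional[int]:
        if self.rrc is None or self.rrl is None:
            return None
        return self.rrc * self.rrl

    def years_since_audit(self, plan_year: int) -> Optional[int]:
        return None if self.last_audit_year is None else plan_year - self.last_audit_year

    def adj_irs(self, plan_year: int) -> float:
        return self.irs() * adjustment_factor(self.years_since_audit(plan_year), self.last_result)


def prioritise(risks: List[Risk], plan_year: int) -> List[Risk]:
    """Sort on adjusted IRS, highest first: the order audits go into the plan."""
    return sorted(risks, key=lambda r: r.adj_irs(plan_year), reverse=True)


def available_days(weekdays: int, holidays: int, training: int, projects: int, secondments: int) -> int:
    """Auditor-days left for audits after the deductions shown on sheet H."""
    return weekdays - holidays - training - projects - secondments


def plan_fit(risks: List[Risk], capacity_days: int) -> Tuple[int, int]:
    """(total budgeted days, days left for other audits)."""
    total = sum(r.audit_budget_days for r in risks)
    return total, capacity_days - total


_ABSENT_CONTROL = re.compile(r"\bnot (authori[sz]ed|approved|checked|reviewed|reconciled|signed)\b", re.I)


def wording_warning(risk_text: str) -> Optional[str]:
    """Heuristic check for the two wording mistakes described in the notes."""
    if re.match(r"^\s*fail(ure|s)? to\b", risk_text, re.I):
        return "risk is phrased as failure to deliver the process"
    if _ABSENT_CONTROL.search(risk_text):
        return "risk is phrased as the absence of a control"
    return None


# Constructed sample rows (not taken from the sheets). The first three reproduce
# the scores in the sheet H fragment (IRS 8, 12, 15 -> adjusted 8, 6, 7.5).
PLAN_YEAR = 2006
SAMPLE = [
    Risk("1.1 Agree a strategy", "Trustees cannot agree a strategy", 4, 2, "Finance Director",
         audit_budget_days=5, rrc=5, rrl=2),
    Risk("1.2 Communicate strategy", "Staff do not know the strategy", 4, 3, "IS Director",
         "green", 2004, 10),
    Risk("1.3 Set targets", "Targets do not follow from the strategy", 3, 5, "Various",
         "green", 2004, 10),
    Risk("4.2 Arrange land transport", "Fuel not available for lorries", 5, 5, "Logistics Director",
         audit_budget_days=20, rrc=5, rrl=5),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE, PLAN_YEAR):
        print(f"{r.adj_irs(PLAN_YEAR):5.1f}  {r.process}: {r.risk} ({r.owner})")
    capacity = available_days(780, 90, 15, 200, 50)      # sheet H figures: 425
    print("capacity", capacity, "planned/spare", plan_fit(SAMPLE, capacity))
    for text in ("Fail to organise door to door collections", "Invoices are not authorised"):
        print(text, "->", wording_warning(text))
```

The residual score (RRC x RRL) is what the key's thresholds rate, so `rag` is applied to `rrs()` for the controls conclusion, while `adj_irs` only decides where a risk sits in the audit plan; keeping the two apart avoids the common mistake of planning on residual scores that the audit has not yet verified.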
©David M Griffiths
Risk identification
All sheets copyright David M Griffiths Not to be copied or distributed without acknowledging the author, or in conjunction with a commercial product
Figure 3: Stages of an audit
Stage 1: Assess risk maturity (Risk Naive, Risk Aware, Risk Defined, Risk Managed, Risk Enabled), starting from Management's Risk Register (if available). Either facilitate risk identification or use the organisation's own risks. Output: Management's Risk Register (amended).
Stage 2: Assign risks to audits in the Audit universe. Outputs: Risk and audit universe (RAU), Audit plan, Audit Committee report.
Stage 3: Individual audit. Output: Audit report. Feedback results into the RAU.
Fig 3 Stages of an audit
Figure 4: Audit documentation
Risk and audit universe: objectives, processes, risks, scores, controls, last audits.
Audit databases: objective, processes, risks, scores, controls, tests.
Audit reports.
Audit Committee report.
Fig 4 Audit documentation
Figure 5: Stage 2 Audit planning
Risk Register (audited). Filter risks: risks within the risk appetite; risks which will be tolerated; risks not requiring an audit in this period; risks on which assurance is provided by others; risks on which assurance is required. Categorise risks. Link risks to audits (Audit Universe). Risk and Audit Universe. Select risks to be covered. Allocate resources to audits. Outputs: Audit plan, Audit Committee report.
Fig 5 Processes involved in Stage 2
Figure 8: Stage 3 Individual audits
Audit plan. Define draft audit scope. Examine the risk management process for the area audited. Conclude on risk maturity for the area audited. Decide on audit approach. Meetings to determine objectives, risks and agree scope. Agreed scope. Obtain relevant documentation on processes. Set up an audit database to record the audit details, or update the Risk and Audit Universe (Audit database). Test the monitoring and proper operation of controls. Draw preliminary conclusions and discuss them. Audit report. Feedback results into the risk and audit universe.
Fig 8 Processes involved in stage 3