Audit: Purchase of expense goods and services
2:23 PM 8/14/2008
Audit: Purchasing and payment of expense goods and services
Introduction
Last updated 21 August 2004
Purpose
The purpose of this spreadsheet is to show typical risks, expected controls and example tests for processes related to the purchasing and payment of expense goods and services (excluding personal expenses).
Full details of how to complete and use the database are in the manual, which can be downloaded from www.internalaudit.biz
The database is not complete - it must be changed to suit your organisation.
To see how this database fits into the audit universe, download the Risk and Audit Database from www.internalaudit.biz
Auditing is not about carrying out tests taken from an audit programme; it is about understanding the objectives of the processes you are auditing, the risks which threaten them and the controls which actually operate to mitigate them.
The database (Audit programme)
The audit programme is in the form of an Excel database. It can be treated just like a large "Word" table but can also be sorted and filtered.
The database covers those processes which might be involved in purchases and payments using a computerised system. Thus it covers not only ordering and invoice approval, but also staff management and computer controls.
Rows with processes which are split down into more detailed processes are coloured and do not have data in some columns.
The processes are only intended as an example. You must change them to those in your organisation.
If you construct audit databases, please make them available to other auditors through AuditNet® (http://www.auditnet.org/).
For a full explanation of the content of the columns, go to the "Column key" worksheet.
The example controls and monitoring
These examples are suggestions only. They cannot possibly apply to every size of organisation that might use this database. You must decide on the controls which mitigate the risks to acceptable levels in your organisation.
Remember that the examples are general and therefore rather vague. Your entries should be much more specific, in particular noting the names of staff carrying out the checks.
Worksheets
There are 7 worksheets in this spreadsheet:
Introduction
Scope
Process map
Expense purchases database
Column key
Scoring risks
Allocating conclusions
Copyright D M Griffiths
Language
I have used UK English for the risk register. Variations from US English include:
Supplier = Vendor
Purchase = Procure
Cheque = Check
I have used the term "accounts payable" for purchase ledger, since this is now common in the UK.
All sheets copyright David M Griffiths.
Not to be copied or distributed without acknowledging the author, or in conjunction with a commercial product.
Scope of the audit
Reasons for the audit
The organisation’s risk analysis has identified significant risks to its objectives from the processes involved in the purchase of expense goods and services.
The audit will conclude on whether:
Risks threatening the objectives of the processes have been properly identified, evaluated and managed.
Internal controls are operating properly to mitigate these risks to levels defined as acceptable by board policy.
Action is being taken to improve controls, where risks are not being properly mitigated.
More monitoring, by management, is necessary to ensure proper internal controls into the future.
A sound system of internal control is maintained for the processes audited.
Objectives of the processes being audited
The overall objective of the process (4.5) is to purchase expense goods and services for the organisation. (That is, goods which are not for resale.)
The processes covered by this audit are:
Define the objectives for purchasing expenses
Set up suppliers on the computer file
Set up items for purchase on the computer file
Raising requisitions
Raising orders
Receive goods/services
Returning of unsatisfactory goods
In addition, the following support functions are covered:
Invoice processing
Payment to suppliers
Accounting for expense purchases
Key risks of the processes being audited
Expense goods/services requested are not needed or are not for the benefit of the company
Orders are placed with suppliers who do not provide best value (quality/price/delivery)
Payment is made for goods or services which have not been received
Transactions are not correctly entered in the books of account
The processes concerned are not operated efficiently and effectively
Audit work plan
In order to carry out this audit the auditors will:
Take into account any previous audits, noting particularly the issues raised
Obtain organisation charts, procedure manuals, training documentation and any other documentation which should be being used by the departments involved in the audit
Obtain budgets, actual figures and any other relevant financial information
If appropriate, meet the external auditors and any other parties with an interest in the processes being audited
Meet with staff at all levels to understand their responsibilities and concerns
Visit all locations which affect the risks involved (warehouses, factories, outsource suppliers)
Carry out walkthrough tests to understand the processes involved, including monitoring controls
Understand the changes made since the last audit
Obtain relevant risk registers, noting when they were last updated
Carry out interviews and risk workshops, as necessary, to ensure all risks have been identified
Add to the risks in the risk register
Score the inherent risks, according to the risk appetite of the organisation, which have been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Carry out the tests necessary to confirm that the controls are operating properly
Score the residual risks, according to the risk appetite of the organisation, which have been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Draw conclusions as to whether each risk is properly controlled (see the example)
Submit a report
Diagram of processes with key risks
This diagram shows the key processes for purchasing expenses and is the next level down from the risk register.
Key risks are collected in the boxes, prior to putting them on the audit database.
It is used to drive the main audit database.
Risks

Purchase expense goods

Define objectives:
The strategy is not consistent with the overall strategy
The strategy has not been communicated

Set up suppliers:
Supplier of vital services/goods may go out of business
Supplier details are not correctly input/modified
New suppliers improperly set up

Set up items:
Item details are not correctly input/modified

Requisition goods and services:
The requisition may be for goods and services not required
The requisition may be incorrect

Place order:
The order is placed with a supplier not providing the best value
The order is incorrect

Receive goods:
Goods/services are not what was ordered
Incorrect quantities received are input

Return goods:
Credit is not obtained for goods returned

Support purchase expense goods:
Payment is made when goods/services have not been received
Settlement discount is not correctly deducted
Payment is not made on the due date
Audit database
Columns: L1; L2; L3; L4; L5; Last follow-up results (date); Process Description; L Ref; Process; Risk to process; Risk source; IRC; IRL; IRS; Example control; Example monitoring; Tests; Ref; RRC; RRL; RRS; Cont score; Issue; Action; By whom; Conclusion Risks; Conclusion Controls; Conclusion Action; Conclusion Monitoring; Report ref; Follow-up Risks; Follow-up Controls; Follow-up Action; Follow-up Monitoring

L Ref: 2 4.5 (L1-L5: 4 5)
Process: Purchase expense goods
Process Description: Purchase goods and services for the organisation
Risk to process: (Summary level)
Not applicable

L Ref: 3 4.5.1 (L1-L5: 4 5 1)
Process: Define objectives
Process Description: Define the strategy for expense purchases, communicate and deliver it
Risk to process: (Summary level)
Not applicable

L Ref: 4 4.5.1.1 (L1-L5: 4 5 1 1)
Process: Define the strategy for expense purchasing
Process Description: Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders
Risk to process: The strategy does not maximise efficiency and effectiveness and is not consistent with the organisation's strategy
Risk to process: The strategy has not been updated
Process: Communicate the strategy
Process Description: Inform the staff about the targets
Risk to process: Staff are unaware of the strategy
Process: Deliver the strategy

L Ref: 4 4.5.1.1 (L1-L5: 4 5 1 1)
Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned. These targets and budgets are approved by management and finance.
Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned
Example control: Staff are briefed by their managers
Example monitoring: Directors check the strategy for departments under their control. The overall budget is approved by the board
Example monitoring: Directors check the strategy for departments under their control
Example monitoring: The strategy is available on notice boards and the intranet
Example monitoring: Directors check the action plan for departments under their control
Tests: Examine the latest strategy document
Not applicable

L Ref: 4 4.5.1.2 (L1-L5: 4 5 1 2)
Tests: Examine the latest strategy document. Check that the budget forms part of the organisation's overall budget. Examine variances for the current year and ensure adequate explanations have been made for excessive
Tests: Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
Tests: Examine the action plan. Check for progress to implement it.
Not applicable
Not applicable

L Ref: 4 4.5.1.3 (L1-L5: 4 5 1 3)
Process Description: Form an action plan, with the staff involved, to deliver the strategy
Process Description: Set up new Suppliers on the computer system, or modify existing details. Includes addresses and payment terms
Process Description: Raise a request (may be on the computer system, but could be an e-mail or manual form) for goods or services to be ordered
Process Description: Based on the authorised requisition, purchasing department raise an order. This may be on an existing Supplier but might require negotiations with a new Supplier
Process Description: Suitable suppliers are identified to supply goods/services. Sealed tenders (quotes) are called for and opened in the presence of an independent person. The cheapest tender is chosen, if all conditions have been complied with
Process Description: Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services
Process Description: If the goods are not those ordered, are damaged, or too many are delivered, they will be returned to the Supplier. If they are found to be faulty after the processing of an invoice, or payment, a credit note will be required
Risk to process: No action plan exists to deliver the strategy
Example control: An action plan to deliver the strategy is part of the budgeting process
Not applicable

L Ref: 4 4.5.1.3 (L1-L5: 4 5 1 3)
Process: Deliver the strategy
Risk to process: The strategy is not built into individuals' targets
Example control: Individuals are given their targets based on those of the department
Example monitoring: Directors, or senior managers, check the staff targets for departments under their control
Tests: Examine staff targets for a selection of staff
Example control: Rights to place requisitions and orders are in a written policy
Example control: Rights to authorise requisitions and orders are in a written policy
Example control: Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details
Example control: Requisitions are authorised by an appropriate manager
Example monitoring: The policy is checked every year to ensure it is correct
Example monitoring: Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director
Example monitoring: Budgets are maintained for all expenses with monthly monitoring against actual
Example monitoring: The requisitioner will query any difference
Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Tests: Check individual reports over the last six months for evidence of checking. Observe the process in action.
Not applicable

L Ref: 4 4.5.1.3 (L1-L5: 4 5 1 3)
Process: Deliver the strategy
Risk to process: Any member of staff can authorise the purchase of any goods or services
Risk to process: Any member of staff can requisition any goods or services
Risk to process: Supplier details are not correctly input/modified
Not applicable

L Ref: 4 4.5.1.3 (L1-L5: 4 5 1 3)
Process: Deliver the strategy
Not applicable

L Ref: 3 4.5.2 (L1-L5: 4 5 2)
Process: Set up Suppliers
Not applicable

L Ref: 3 4.5.2 (L1-L5: 4 5 2)
Process: Set up Suppliers
Risk to process: False Suppliers are set up and paid
Tests: Check individual reports over the last six months for evidence of checking. Observe the process in action.
Not applicable

L Ref: 3 4.5.2 (L1-L5: 4 5 2)
Process: Set up Suppliers
Risk to process: No settlement discount, or other discounts, are negotiated
Tests: Check individual reports over the last six months for evidence of checking. Observe the process in action.
Not applicable

L Ref: 3 4.5.4 (L1-L5: 4 5 4)
Process: Departments requisition goods/services
Risk to process: Expense goods/services requested are not needed or are not for the benefit of the company
Risk to process: Details on the requisition are incorrect
Example control: Requisitions are authorised by an appropriate manager

L Ref: 3 4.5.5 (L1-L5: 4 5 5)
Process: Purchasing order raised for goods/services
Risk to process: The order is incorrect, that is, it does not agree to the approved requisition
Example control: Confirmation is required on the order screen before the order is sent or printed
Tests: Observe the procedure for electronically authorising requisitions. If possible, have the computer controls checked by a competent auditor.
Tests: Observe the process and try submitting without confirmation
Not applicable
Not applicable
Not applicable

L Ref: 3 4.5.5 (L1-L5: 4 5 5)
Process: Purchasing order raised for goods/services
Risk to process: The price on the order does not give the organisation maximum value
Example control: The order is placed by trained purchasing staff using prices on the computer, or negotiated with the supplier.
Example monitoring: Budgets are maintained for all expenses with monthly monitoring against actual
Tests: Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists.
Tests: Examine the input of orders. Try and set up a new supplier from the order screen
Not applicable

L Ref: 3 4.5.5 (L1-L5: 4 5 5)
Process: Purchasing order raised for goods/services
Risk to process: Orders are placed with suppliers who do not provide best value (quality/price/delivery)
Example control: Orders can only be placed with suppliers previously set up on the computer
Example monitoring: Half-yearly report listing suppliers and spend which is approved by the Purchasing Director
Example control: Computer report showing requisitions not turned into orders within 2 days is checked by the supervisor
Example monitoring: Requisitioners will complain if orders are received late
Not applicable

L Ref: 3 4.5.5 (L1-L5: 4 5 5)
Process: Purchasing order raised for goods/services
Risk to process: Orders are placed late
Tests: Examine this report for items older than 2 days
Not applicable

L Ref: 3 4.5.5 (L1-L5: 4 5 5)
Process: Purchasing order raised for goods/services
Risk to process: Orders have incorrect account codes input
Example control: The requisitioner supplies the codes. The computer checks these exist but cannot check if they are correct.
Example monitoring: Budget holders check their expenses each month for incorrect items
Tests: Examine accounts journals and other documentation used to correct coding errors to judge how frequent they are
Tests: Check access to order screens is limited to approved purchasing staff. Check orders raised without approved requisitions are approved
Tests: Check expenditure over £X to see if contracts have been raised. Examine the tendering process, and last contracts signed, to ensure the process is operating. (This could be done as a separate audit)
Tests: Check for the existence of recent, tested contingency plans
Not applicable

L Ref: 3 4.5.5 (L1-L5: 4 5 5)
Process: Purchasing order raised for goods/services
Risk to process: Orders are placed for goods not required, without approved requisitions

L Ref: 3 4.5.6 (L1-L5: 4 5 6)
Process: Contracts raised for continuing services or supply of materials
Risk to process: Contracts are not negotiated to ensure the best prices for ongoing services such as maintenance
Example control: All orders have to be placed through the computer. Orders can only be raised by purchasing staff. Orders without requisitions must be approved by a senior manager
Example control: Expenditure on services is constantly monitored to check if contracts should be raised to ensure best prices and service. Contracts are tendered, as necessary, to ensure best prices.
Example monitoring: Budget holders check their expenses each month for incorrect items
Not applicable
Example monitoring: Senior purchasing management monitor expenses, and check all tenders to confirm the process

L Ref: 3 4.5.7 (L1-L5: 4 5 7)
Process: Goods/services received. Quantity received input
Risk to process: Goods/services vital to the organisation's operation become unavailable or too expensive
Example control: If possible, have two, or more, sources of supply. Hold sufficient stocks of vital spares. Have contingency plans for failure of vital supplies
Example monitoring: Continuity of supply is written into managers' targets, on which they are assessed
Example control: Computer report showing where quantities received differ from the order
Example monitoring: Requisitioners should complain if the goods/services differ from the order
Not applicable

L Ref: 3 4.5.7 (L1-L5: 4 5 7)
Process: Goods/services received. Quantity received input
Risk to process: Quantities, or service, are not what was ordered
Tests: Examine this report and check on the action taken. Note items which may be old and uncorrected
Not applicable

L Ref: 3 4.5.7 (L1-L5: 4 5 7)
Process: Goods/services received. Quantity received input
Risk to process: Quantities incorrectly input
Example control: The computer warns if the quantity received is different from that ordered
Example monitoring: Requisitioners should complain if the goods/services differ from the order
Tests: Observe the process and try submitting a different quantity
Not applicable

L Ref: 3 4.5.7 (L1-L5: 4 5 7)
Process: Goods/services received. Quantity received input
Risk to process: Stock records (for example engineers' spares) not updated
Example control: Automatic update with exception reports where this has not occurred
Example monitoring: Periodic physical checks to stock records
Tests: Check a sample of items received through to the stock system
Not applicable

L Ref: 3 4.5.7 (L1-L5: 4 5 7)
Process: Goods/services received. Quantity received input
Risk to process: Receipt details input when no goods or services have been received
Example control: Division of duties between requisitioners, purchasing staff and receivers
Example monitoring: Budget holders check their expenses each month for incorrect items
Tests: Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists.
Tests: Ask a sample of staff their opinions on the quality of goods received
Not applicable

L Ref: 3 4.5.7 (L1-L5: 4 5 7)
Process: Goods/services received. Date of receipt input
Risk to process: Quality is not up to standard
Example control: Responsibility of the person receiving the goods/services to complain of poor quality to the ordering department
Example control: All goods are received at one, secure, location, which inputs their receipt against the order
Example monitoring: No formal monitoring
Not applicable

L Ref: 3 4.5.7 (L1-L5: 4 5 7)
Process: Goods/services received. Date of receipt input
Risk to process: Goods are lost
Example monitoring: Requisitioner will complain if goods are not received
Tests: Visit the receiving area. Check security and observe the receipt of goods.
Not applicable

L Ref: 3 4.5.8 (L1-L5: 4 5 8)
Process: Goods/services returned
Risk to process: Credit is not obtained from the supplier
Example control: Goods can only be returned on the authority of the buyer, who raises a "Goods Return Note". One copy goes with the goods, the other is keyed into the computer as a debit note. This automatically reduces the next payment.
Example monitoring: Requisitioner will complain if credit is not received
Tests: Take a sample of Goods Returned Notes and check that the correct credit has been received
Not applicable

L Ref: 3 4.5.8 (L1-L5: 4 5 8)
Process: Support purchasing of expenses
Risk to process: (Summary level)
Not applicable

L Ref: 4 4.5.8.1 (L1-L5: 4 5 8 1)
Process: Define objectives for supporting expense purchasing
Risk to process: (Summary level)
Not applicable

L: 5 (L1-L5: 4 5 8 1 1)
Process: Define the strategy
Process Description: Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders
Risk to process: The strategy has not been updated
Process Description: Inform the staff about the targets
Risk to process: Staff are unaware of the strategy
Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned
Example control: Staff are briefed by their managers
Example monitoring: Directors check the strategy for departments under their control
Example monitoring: The strategy is available on notice boards and the intranet
Example monitoring: Directors check the action plan for departments under their control
Tests: Examine the latest strategy document
Not applicable

L: 5 (L1-L5: 4 5 8 1 2)
Process: Communicate the strategy
Process: Deliver the strategy
Tests: Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
Tests: Examine the action plan
Not applicable

L: 5 (L1-L5: 4 5 8 1 3)
Process Description: Form an action plan, with the staff involved, to deliver the strategy
Process Description: Process transactions resulting from the purchase of expenses
Process Description: Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price. Differences outside a pre-defined tolerance are held and cleared by purchasing. Invoices with no order have to have senior management authorisation.
Process Description: After input of the invoice, it is sent for microfiching and the paper copy destroyed
Process Description: Receive a properly approved cheque requisition, with supporting documentation
Risk to process: No action plan exists to deliver the strategy
Example control: An action plan to deliver the strategy is part of the budgeting process
Not applicable

L: 5 (L1-L5: 4 5 8 1 3)
Process: Deliver the strategy
Risk to process: The strategy is not built into individuals' targets
Example control: Individuals are given their targets based on those of the department
Example monitoring: Directors, or senior managers, check the staff targets for departments under their control
Tests: Examine staff targets for a selection of staff
Example control: Rights to place requisitions and orders are in a written policy
Example control: Rights to authorise requisitions and orders are in a written policy
Example monitoring: The policy is checked every year to ensure it is correct
Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Not applicable

L: 5 (L1-L5: 4 5 8 1 3)
Process: Deliver the strategy
Risk to process: No limitation is set on the authority of staff to commit the organisation
Risk to process: Transactions are not processed completely and accurately
Risk to process: Invoice input against incorrect supplier
Not applicable

L: 5 (L1-L5: 4 5 8 1 3)
Process: Deliver the strategy
Not applicable

L Ref: 4 4.5.8.2 (L1-L5: 4 5 8 2)
Process: Process transactions
Not applicable

L Ref: 5 4.5.8.2.1 (L1-L5: 4 5 8 2 1)
Process: Purchasing expenses Invoice input
Example control: Most invoices are input against an order and the supplier details are checked. If no order exists there is no control
Example monitoring: The supplier will send a reminder to pay
Tests: Examine transactions which correct mis-postings
Not applicable

L Ref: 5 4.5.8.2.1 (L1-L5: 4 5 8 2 1)
Process: Purchasing expenses Invoice input
Risk to process: Incorrect values input
Example control: Where the invoice is matched to an order, an exception report is produced for invoices not matching and these are held until purchasing approve the difference. Invoices without orders are batch totalled
Example monitoring: Monthly check, by management, of the report showing invoices held in query. Follow-up of invoices over one month old
Tests: Examine the query report to ensure no queries are outstanding for an excessive period of time, and that all are being actively pursued
Not applicable

L Ref: 5 4.5.8.2.1 (L1-L5: 4 5 8 2 1)
Process: Purchasing expenses Invoice input
Risk to process: Invoices are input twice
Example control: Where the invoice is matched to an order the computer will not allow the input of another invoice. Invoices are stamped "input"
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Ask a sample of budget holders to provide evidence that they have checked the expenses for the previous month
Not applicable

L Ref: 5 4.5.8.2.1 (L1-L5: 4 5 8 2 1)
Process: Purchasing expenses Invoice input
Risk to process: Duplicate invoices are input
Example control: Where the invoice is matched to an order the computer will not allow the input of another invoice. If copy invoices are received, where no orders exist, they are checked to the supplier account before processing. The computer will not accept duplicate invoice numbers
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Examine transactions which correct mis-postings
Not applicable

L Ref: 5 4.5.8.2.1 (L1-L5: 4 5 8 2 1)
Process: Purchasing expenses Invoice input
Risk to process: Invoice input where no goods or services have been received.

L Ref: 5 4.5.8.2.1 (L1-L5: 4 5 8 2 1)
Process: Purchasing expenses Invoice input
Risk to process: The tax analysis of invoices is incorrect, for example "Business entertainment"
Example control: Most invoices are matched against approved orders. Other invoices must be approved by a senior manager and accountant, who writes the account code on. Invoices can only be paid to suppliers set up on the system, for which separate checks apply. Duties are divided to ensure staff who input invoices do not set up suppliers or payments
Example control: All purchasing and transaction processing staff have specific training on the analysis of Value added tax (VAT). Detailed guidelines are available. The computer checks for incorrect calculations
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Check a sample of items received through to the stock system, or other evidence, to prove that the goods/services were received. Check the access to computer screens to ensure division of duties is enforced
Not applicable
Example monitoring: Tax department scrutinise certain nominal codes for exceptional items
Tests: Check a sample of invoices to ensure that the tax treatment is correct
Not applicable
4
5
8
2
2
5
4.5.8.2. 2
Purchasing expenses Invoice filed
Invoices are not filed and microfiched
4
5
8
2
3
5 4.5.8.2. Purchasing expenses 3 no invoice received, for example tax
Incorrect payments may be made
4
5
8
2
4
5 4.5.8.2. Purchasing expenses 4 payment
4
5
8
2
4
5 4.5.8.2. Purchasing expenses 4 payment
4
5
8
2
4
5 4.5.8.2. Purchasing expenses 4 payment
4
5
8
2
4
5 4.5.8.2. Purchasing expenses 4 payment
The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details in the computer, or by paying with a manual cheque. The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details in the computer, or by paying with a manual cheque. The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details in the computer, or by paying with a manual cheque. The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details in the computer, or by paying with a manual cheque.
Computer payment is made for goods or services which have not been received
Invoices are sequentially numbered on input. When microfiching, the continuity of these numbers is checked
The fiche are checked by staff when received back from the microfiching department
Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payments cheques must be supported by the cheque requisition and signed by two senior managers
Budget holders should check the actual expenditure against their budget each month
Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payments cheques must be supported by the original invoices and signed by two senior managers
Budget holders should check the actual expenditure against their budget each month
Payment terms are set up on the supplier account. They can only be changed on written instructions for a buyer. Settlement discount can be overridden for a specific order, but only a manager
Check a selection of fiche to ensure no numbers are missing
Check a sample of cheque requisitions, to ensure this type of transaction should have been used (that is, no invoice is available) and it was properly approved. Check that the item being paid for is genuine
Not applicable
Not applicable
Check a sample of payments taken from the cash sheets to prove that the goods/services paid for were received
Not applicable
Incorrect settlement discount is taken
Payment terms are checked by buyers every 6 months
For the sample of payments used in the above test, check that the correct settlement discount has been taken
Not applicable
Payment is not made on the due date
Payment terms are set up on the supplier account. They can only be changed on written instructions for a buyer
Payment terms are checked by buyers every 6 months
For the sample of payments used in the above test, check that the payment was made on the correct date
Not applicable
Manual payments made are fraudulent
Cheques are kept in a locked cupboard to prevent theft and subsequent forgery. Overseas payment instructions are signed by two directors. The bank has instructions to telephone the Chief Financial Officer if payments are over an agreed amount.
Bank reconciliation will detect payments made not correctly entered in the books of account
For a sample of manual and overseas payments, ensure that goods/services were received. Check the bank understands its instructions to phone the CFO. If appropriate, carry out a separate audit on foreign payments
Not applicable
©David M Griffiths
Expense purchases database
L1 to L5: 4, 5, 8, 2, 4; L: 5; Ref: 4.5.8.2.4; Process: Purchasing expenses payment
The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details in the computer, or by paying with a manual cheque.
L1 to L5: 4, 5, 8, 2, 5; L: 5; Ref: 4.5.8.2.5; Process: Purchase expense invoices / credit notes posted to accounts
Invoices and payments are posted to the general (nominal) ledger in the same accounting period
Cheques are altered or forged
Cheque signing signatures are embossed. Cheques are printed by specialist printers with the latest security features
Bank reconciliation will detect payments made not correctly entered in the books of account
Observe the cheque printing process to ensure it is physically secure. Check that the signature plates are stored in a safe with limited access
Not applicable
The payment output file is altered. (This file holds payment data to be transmitted to the bank, or used to print cheques)
Access controls on the computer to prevent alteration
Exception reports, checked by management, which detail exceptional alterations to files
Obtain details of those staff with access to the computer files. They should only be senior IT staff with no access to accounting systems
Not applicable
Invoice / credit notes are posted to incorrect accounts
L1 to L5: 4, 5, 8, 2, 6; L: 5; Ref: 4.5.8.2.6; Process: Accounts Payable month-end processes
In order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer, from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued. To ensure details have been correctly passed from the accounts payable system to the general ledger, the total of the accounts payable ledger is reconciled to the accounts payable control account in the general ledger
Manage the accounts payable ledger: Ensure the accounts payable ledger is correctly updated, properly represents amounts owed to creditors and is correctly included in the accounts of the organisation
Provide systems: Provide systems, including computer systems to support the organisation's operations
Maintain central systems: The proper operation of applications is maintained by a central IT department
Users set up their own computer systems (for example spreadsheets) to produce data
Accruals not calculated
Invoices are posted to the cost centre and nominal account set up on the requisition. The computer verifies that these exist and prevents certain combinations of cost centre and nominal codes
Budget holders check their expenses each month for incorrect items. Plus Financial Accounts check balances to the previous month's and investigate significant discrepancies
The value of all goods received not invoiced is calculated by the computer
Comparison made with previous month's figure. Major differences investigated
For a sample of invoices, check the coding is correct
Not applicable
Check the report providing the accruals figure. Check that large variances from the previous month have been explained
Not applicable
L1 to L5: 4, 5, 8, 2, 6; L: 5; Ref: 4.5.8.2.6
Accruals not calculated correctly
In major expense service functions (for example advertising) managers must detail services provided which have not been invoiced
Major variances from budget are investigated
Check the composition of the accruals figure. For a sample of receipts on the report, ensure they are recent and obtain explanations why old receipts have not had invoices processed
Not applicable
L1 to L5: 4, 5, 8, 2, 6; L: 5; Ref: 4.5.8.2.6
Accounts payable ledger total does not represent all liabilities
Total of supplier balances reconciled to Accounts Payable control account in the General ledger
Reconciliation is signed by a senior manager
For a number of months, check this reconciliation has been properly carried out
Not applicable
L1 to L5: 4, 5, 8, 2, 7; L: 5; Ref: 4.5.8.2.7
Accounts payable ledger total does not represent all liabilities
Sample check reconciliation of Supplier statements to the Accounts Payable balance
The check is noted and scrutinised by a senior manager at month-end
Scrutinise the reconciliations carried out to ensure they contain no unusual items. If necessary, reperform some reconciliations to ensure they are correct
Check the accounts payable list of balances for debit balances. For a sample of balances, determine why they arose and the action being taken to recover them
n/a
Not applicable
L1 to L5: 4, 5, 8, 2, 7; L: 5; Ref: 4.5.8.2.7
Supplier with a debit balance, due to credits issued, goes out of business
Exception report highlighting large debit balances. Payment stop put on the account. Systems in place to request repayment of the amount owing
Management scrutiny of large debit balances each month, with a progress report on their recovery
Not applicable
L1 to L4: 4, 5, 8, 3; L: 4; Ref: 4.5.8.3
L1 to L5: 4, 5, 8, 3, 1; L: 5; Ref: 4.5.8.3.1
(Summary level)
Data lost through main computer failure, systems unavailable for a prolonged period
User-maintained systems lose data
User-maintained systems produce inaccurate data
Range of controls maintained by the IT department
Not applicable Not applicable
L1 to L5: 4, 5, 8, 3, 2; L: 5; Ref: 4.5.8.3.2; Process: Maintain user systems
Data is kept on the network which is backed-up daily
All important data is checked, or reconciled, to an independent source to ensure it is correct. If this is not possible, some manual reperformance of calculations, or checks of formulas.
Users monitor their output, such as reconciling the accounts payable balance with the general ledger
Covered by audits of the IT processes
IT management should monitor system reports
Ensure data is backed-up - try retrieving yesterday's files. If a stand-alone computer, check back-up to discs
Output should be examined for "reasonableness"
Check formulas are correct. If possible use a spreadsheet analyser to detect possible problems. Reperform manually important calculations, if possible.
Check all programs have a clearly written user guide.
Trace figures from the accounts payable system through to totals in the top level management accounts
Trace figures from the accounts payable system through to totals in the top level financial accounts
Not applicable
L: 5; Ref: 4.5.8.3.2; Process: Maintain user systems
Not applicable
L1 to L5: 4, 5, 8, 3, 2; L: 5; Ref: 4.5.8.3.2; Process: Maintain user systems
L1 to L4: 4, 5, 8, 4; L: 4; Ref: 4.5.8.4; Process: Prepare management accounts
L1 to L4: 4, 5, 8, 5; L: 4; Ref: 4.5.8.5; Process: Prepare financial accounts
Users set up their own computer systems (for example spreadsheets) to produce data
Collect the data from processed transactions into accounts for management to make decisions
Collect the data from processed transactions into accounts for statutory or tax purposes
User-maintained systems understood by only the programmer
Information is incorrectly analysed and summarised
A user guide has been written and independently tested
Manager holds a copy after each revision
Totals on the management accounts are reconciled to totals from the accounts payable system
Each month, or more frequently, the accounts payable ledger total is reconciled to the accounts payable control account in the general ledger
All jobs have written job descriptions, which show the competencies required
The targets take into account the competencies required
Training is provided when taking on new responsibilities and during a job, to ensure the staff member understands how to do the job and the controls which must operate
Clear policy from the board that training is important.
Output should be examined for "reasonableness"
Manager checks the reconciliation.
Management and financial accounts are reconciled
HR and manager sign off job descriptions
HR and manager sign off appraisals
Not applicable
Not applicable Not applicable
L1 to L4: 4, 5, 8, 6; L: 4; Ref: 4.5.8.6; Process: Provide staff
Recruit staff and manage staff policies
(Summary level)
L1 to L5: 4, 5, 8, 6, 1; L: 5; Ref: 4.5.8.6.1; Process: Establish job descriptions
Job descriptions, in accordance with policy, are written and approved
Staff competencies required have not been identified
L1 to L5: 4, 5, 8, 6, 2; L: 5; Ref: 4.5.8.6.2; Process: Carry out regular appraisals
Targets are set for staff with regular appraisals in accordance with policy
Actual competencies of the staff have not been matched with required competencies
L1 to L5: 4, 5, 8, 6, 3; L: 5; Ref: 4.5.8.6.3; Process: Training of staff
Staff are trained in order to achieve their targets with maximum effectiveness and efficiency, within the ethical guidelines
Training is not provided, or is inadequate. For example it omits ethical guidance
Staff are trained in order to achieve their targets with maximum effectiveness and efficiency, within the ethical guidelines
Staff not allowed to attend training
Recruit staff to fill vacancies
Applicants falsify references
Not applicable
Check for job descriptions of all staff levels
Check appraisal files
Not applicable Not applicable Not applicable
Managers monitor the training their staff receive to ensure it is appropriate at all times
Check training materials. Ask staff who have recently changed jobs about their training
HR monitor staff not attending training courses and determine why
Manager can request references if required
Senior managers should monitor their managers to ensure succession plans exist
Question staff who have been on courses
L1 to L5: 4, 5, 8, 6, 3; L: 5; Ref: 4.5.8.6.3; Process: Training of staff
Not applicable
L1 to L5: 4, 5, 8, 6, 4; L: 5; Ref: 4.5.8.6.4; Process: Recruit suitable staff
All references and qualifications are checked by HR
L1 to L5: 4, 5, 8, 6, 4; L: 5; Ref: 4.5.8.6.4; Process: Recruit suitable staff
Recruit staff to fill vacancies
Insufficient staff are available to carry out all duties, and maintain division of duties
Staff involved in expense purchasing are not aware of legislation which affects them, thus threatening the organisation with prosecution
HR maintain succession plans for senior key staff. Managers have plans for other key staff
Take a sample of recent joiners and check that references were supplied. (Other tests are carried out as part of the audit of HR)
Examine staff budgets to ensure staff numbers are being maintained at levels which ensure controls are operated
Determine when the last update from legal services was received and how it was briefed to staff. If you are aware of any legislation affecting the processes being audited (for example competition legislation), make sure it has been briefed in.
These processes will also be covered by audit BS
Ask staff about their induction. Do they understand the tax implications of their work? Check invoices for correct treatment of taxes (for example VAT)
Examine documents given to suppliers and their written agreement. Attend, with qualified staff, the suppliers working on-site
Check training records, and H & S audit documentation
Not applicable
Not applicable
L1 to L4: 4, 5, 8, 7; L: 4; Ref: 4.5.8.7; Process: Provide legal services
Advise all areas of the company concerning action to be taken on legislation
There is a clear, preferably written, understanding that legal services will update the appropriate managers with legislation which affects them. The managers will brief their staff
Senior management check that important legislation is understood by the functions under their control
Not applicable
L1 to L4: 4, 5, 8, 8; L: 4; Ref: 4.5.8.8; Process: Provide tax services
Advise all areas of the company concerning action to be taken on tax legislation
Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers
Ensure the operations of the organisation obey all environmental laws and good practice
The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation
All assets, including physical assets, stock and information, are physically secure
Staff involved in expense purchasing are not aware of tax legislation which affects them, thus threatening the organisation with fines or the loss of tax credits
Suppliers provide services without observing safety procedures, resulting in injury to staff
Goods purchased, for example cleaning solvents, may create an unsafe environment for employees
(Summary level)
Regular briefings from tax department to all staff concerned. Induction training to include the relevant aspects of tax
Senior manager to check that new tax legislation has been briefed to staff
Not applicable
L1 to L4: 4, 5, 8, 9; L: 4; Ref: 4.5.8.9; Process: Ensure health & safety
L1 to L4: 4, 5, 8, 10; L: 4; Ref: 4.5.8.10; Process: Manage the environment
Ensure security
Audit of suppliers to ensure they understand health and safety legislation. Orders and contracts contain clause to ensure suppliers comply with regulations
Qualified staff check suppliers working
Purchasing staff have training on general health and safety topics, with specific training for staff ordering chemicals and other potentially hazardous items
Periodic audits by health and safety department
Not applicable
Not applicable
L1 to L4: 4, 5, 8, 12
Not applicable
L1 to L5: 4, 5, 8, 12, 1; L: 5; Ref: 4.5.8.12.1; Process: Provide security
Loss of the organisation's assets
All buildings have entry restricted by card operated gates
Supplies of paper documents, such as orders and cheques, are stored in a separate building. Documents which must be kept for tax purposes are microfiched, and these are stored in a fireproof safe
A formal process has been carried out to identify the documents used and their method of storage
Periodic audits, by security department, of the access to buildings
It is the responsibility of the departmental manager to ensure documents are retained and securely stored for as long as necessary
The Ethical Committee ensures a complete policy is communicated to all stakeholders
L1 to L5: 4, 5, 8, 12, 2; L: 5; Ref: 4.5.8.12.2; Process: Identify documents required to achieve the objective of these processes
Decide on the documents, paper or electronic, which are essential to the operation of expense purchases, or for tax reasons. These may include paper orders, supplier invoices, cash sheets and cheques
Documents essential to operations (such as cheques) may be lost in a fire
L1 to L5: 4, 5, 8, 12, 3; L: 5; Ref: 4.5.8.12.3; Process: Decide on arrangements to safeguard these
For each document, decide on the appropriate storage medium
Level of protection may not be sufficient
During audit, observe security precautions. Otherwise the tests of physical security are carried out in audit group BX
Check the existence of the paper documents kept offsite. Check that all microfiche are stored in the fireproof safe, with none left out at night.
Check for evidence of the formal process, and that it is being followed
Not applicable
Not applicable
Not applicable
L1 to L4: 4, 5, 8, 13; L: 4; Ref: 4.5.8.13; Process: Communicate
Inform internal and external stakeholders of the organisation's policies and intentions
Reputation of the company suffers because the press are mis-informed about the organisation's policy of not using suppliers who might use child labour
A documented ethical policy, which includes purchasing policy
Examine the policy and check specifically for purchasing policy
Not applicable
L1 to L4: 4, 5, 8, 14; L: 4; Ref: 4.5.8.14; Process: Manage risks threatening expense purchasing processes
(Summary level)
Not applicable
L1 to L5: 4, 5, 8, 14, 1; L: 5; Ref: 4.5.8.14.1; Process: Identify risks
Risk workshops and interviews are held to determine the risks threatening the objectives of the expense purchasing function
Score the risks on the organisation's likelihood and consequence scales
Risks are not known
L1 to L5: 4, 5, 8, 14, 2; L: 5; Ref: 4.5.8.14.2; Process: Evaluate risks
Significant risks are not understood
L1 to L5: 4, 5, 8, 14, 3; L: 5; Ref: 4.5.8.14.3; Process: Control risks
For all risks, decide on a cost-effective control to reduce the risk to the risk appetite of the organisation
Significant risks are not controlled
Quarterly examination of the risk register by management, with written confirmation to Internal Audit of changes, or confirmation that no changes are necessary
Controls are put into operation which reduce residual risks to the risk appetite of the organisation
Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls
Examine processes to set up the risk register and examine the register. Ensure all types of risk, including external risks, have been considered
Examine the process which scores the risks
Not applicable
Not applicable
Check controls as part of the audit
Not applicable
Column key:
L1: Level 1 risk number. Corresponds to the Risk database
L2: Level 2 risk number. Corresponds to the Risk database
L3: Level 3 risk number
L4: Level 4 risk number
L5: Level 5 risk number
L: Level of the process on this row (1 to 5)
Ref: Reference number of the process (L1.L2.L3.L4.L5). This is a unique number which defines this process throughout the organisation
Process: Title of the process
Process Description: A brief description of what the process does. Any more details should be filed in the audit file
Risk to process: The threat to the process. There may be several risks to one process, or one risk may threaten several processes
Risk source: Who identified the risk (management, risk workshop, auditor, meeting)
IRC: Inherent risk consequence score. See "Scoring risks" worksheet
IRL: Inherent risk likelihood score. See "Scoring risks" worksheet
IRS: Inherent risk scores multiplied to give significance
Example control: An example of a control which might mitigate the risks
Example monitoring: An example of a monitoring control which might check the operation of the control
Tests: An example of a test which might confirm the operation of the control
Ref: Reference to the schedule giving more details of the test
RRC: Residual risk consequence score. See "Scoring risks" worksheet
RRL: Residual risk likelihood score. See "Scoring risks" worksheet
RRS: Residual risk scores multiplied to give significance
Cont score: Control score = IRS - RRS. The higher it is the more important the control
Issue: Details where the risk is not mitigated to the acceptable level ("Risk appetite")
Action: Action which management is taking to reduce the risk
By whom: The job title and name of the person responsible for ensuring the action takes place
Conclusion Risks: Conclusion on risk management (see "Allocating conclusions" worksheet)
Conclusion Controls: Conclusion on the adequacy of internal controls (see "Allocating conclusions" worksheet)
Conclusion Action: Conclusion on any action required to reduce risks (see "Allocating conclusions" worksheet)
Conclusion Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls (see "Allocating conclusions" worksheet)
Report ref: The paragraph number in the report where the issue is reported
Follow-up Risks: Conclusion on risk management from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Controls: Conclusion on the adequacy of internal controls from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Action: Conclusion on any action required to reduce risks from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls from the last follow-up audit (see "Allocating conclusions" worksheet)
Advice on scoring risks (inherent and residual)
1 to 3 scale
If the consequence when the risk occurs is (Consequence), OR the likelihood of the risk occurring is (Likelihood), then the measure is defined to be:
High (3). Consequence: To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk >£100,000. Likelihood: Almost certain
Medium (2). Consequence: To stop the organisation achieving its objectives for a limited period. Cash at risk <£100,000 >£5,000. Likelihood: Possible
Low (1). Consequence: To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk <£5,000. Likelihood: Unlikely
Values are an example only. They should be agreed at board level as part of setting the risk appetite of the organisation

1 to 5 scale
If the consequence when the risk occurs is (Consequence), OR the likelihood of the risk occurring is (Likelihood), then the measure is defined to be:
Catastrophic (5). Consequence: A catastrophic impact on the organisation, threatening its existence. Cash at risk >£1,000,000. Likelihood: Almost certain
Major (2). Consequence: To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk <£1,000,000 >£100,000. Likelihood: Probable
Moderate (2). Consequence: To stop the organisation achieving its objectives for a limited period. Cash at risk <£100,000 >£30,000. Likelihood: Possible
Minor (2). Consequence: To stop the organisation achieving its objectives for a limited period. Cash at risk <£30,000 >£5,000. Likelihood: Unlikely
Insignificant (1). Consequence: To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk <£5,000. Likelihood: Rare

Grading individual risks (residual)

1 to 3 scale. Each row is a likelihood of residual risk; the cells run across the consequence of residual risk in the order Low (1), Medium (2), High (3):
High (3): 3 Supplementary Issue; 6 Unacceptable risk; 9 Unacceptable risk
Medium (2): 2 Acceptable; 4 Issue risk; 6 Unacceptable risk
Low (1): 1 Acceptable; 2 Acceptable; 3 Acceptable

1 to 5 scale. Each row is a likelihood of residual risk; the cells run across the consequence of residual risk in the order Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5):
Almost certain (5): 5 Supplementary Issue; 10 Issue; 15 Unacceptable; 20 Unacceptable; 25 Unacceptable
Probable (4): 4 Acceptable; 8 Supplementary Issue; 12 Issue; 16 Unacceptable; 20 Unacceptable
Possible (3): 3 Acceptable; 6 Supplementary Issue; 9 Issue; 12 Issue; 15 Unacceptable
Unlikely (2): 2 Acceptable; 4 Acceptable; 6 Supplementary Issue; 8 Supplementary Issue; 10 Issue
Rare (1): 1 Acceptable; 2 Acceptable; 3 Acceptable; 4 Acceptable; 5 Supplementary Issue

Risk score = Likelihood score X Consequence score
Unacceptable: Immediate action required to control the risk
Issue: Action required to control the risk
Supplementary issue: Action is advisable if it is cost-effective
Acceptable: No action required
Advice on allocating conclusions
Conclusion on: Risks have been identified, evaluated and managed
Criteria (green): Thorough processes have been used and all significant risks should have been identified
Criteria (amber): Processes have been used, but there are some deficiencies
Criteria (red): Inadequate, or no, processes have been used

Conclusion on: Internal controls reduce risks to acceptable levels
Criteria (green): The risk is being mitigated to an acceptable level by the control(s)
Criteria (amber): The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved
Criteria (red): The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results (red) or The risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results

Conclusion on: Action being taken to promptly remedy significant failings or weaknesses
Criteria (green): The action being taken will result in all risks being mitigated
Criteria (amber): The action being taken will result in some reduction in risk but not to acceptable levels
Criteria (red): No action is being taken, OR insufficient action is being taken to mitigate risks

Conclusion on: Current levels of monitoring are sufficient
Criteria (green): No more monitoring is necessary than is done at present
Criteria (amber): Some additional monitoring is required
Criteria (red): Major improvements are required to the monitoring of controls

Score (1 to 3 scale); Score (1 to 5 scale); Colour; Grading; Report as:
Score 0,1,2 or 3; Score =<8; green; Acceptable; Supplementary issue, if cost effective controls can reduce the risk further, otherwise do not report
Score: 4 (possibly 3); Score: >9 <14; amber; Issues; Key issue
Score: 6 or 9; Score: >14; red; Unacceptable; Key issue

Looking at it another way:

green (acceptable). Score 0,1,2 or 3 (1 to 3 scale); Score =<8 (1 to 5 scale)
Risks have been identified, evaluated and managed: Thorough processes have been used and all significant risks should have been identified
Internal controls reduce risks to acceptable levels: The risk is being mitigated to an acceptable level by the control(s)
Action being taken to promptly remedy significant failings or weaknesses: The action being taken will result in all risks being mitigated
Current levels of monitoring are sufficient: No more monitoring is necessary than is done at present
Report as: Supplementary issue, if cost effective controls can reduce the risk further, otherwise do not report

amber (issue). Score: 4 (possibly 3) (1 to 3 scale); Score: >9 <14 (1 to 5 scale)
Risks have been identified, evaluated and managed: Processes have been used, but there are some deficiencies
Internal controls reduce risks to acceptable levels: The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved
Action being taken to promptly remedy significant failings or weaknesses: The action being taken will result in some reduction in risk but not to acceptable levels
Current levels of monitoring are sufficient: Some additional monitoring is required
Report as: Key issue

red (unacceptable). Score: 6 or 9 (1 to 3 scale); Score: >14 (1 to 5 scale)
Risks have been identified, evaluated and managed: Inadequate, or no, processes have been used
Internal controls reduce risks to acceptable levels: The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results (red) or The risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results
Action being taken to promptly remedy significant failings or weaknesses: No action is being taken, OR insufficient action is being taken to mitigate risks
Current levels of monitoring are sufficient: Major improvements are required to the monitoring of controls
Report as: Key issue