A manual for risk based internal auditing - spreadsheets

146 Transport of food to famine relief camps - Outline plan Date 15-Dec-03 16-Dec-03 17-Dec-03 18-Dec-03 19-Dec-03 20-Dec-03 21-Dec-03 22-Dec-03 23-Dec-03 24-Dec-03 25-Dec-03 26-Dec-03 27-Dec-03 28-Dec-03 29-Dec-03 30-Dec-03 31-Dec-03 1-Jan-04 2-Jan-04 3-Jan-04 4-Jan-04 5-Jan-04 6-Jan-04 7-Jan-04 8-Jan-04 9-Jan-04 10-Jan-04 11-Jan-04 12-Jan-04 13-Jan-04 14-Jan-04 15-Jan-04 16-Jan-04 17-Jan-04 18-Jan-04 19-Jan-04 20-Jan-04 21-Jan-04 22-Jan-04 23-Jan-04 24-Jan-04 25-Jan-04 26-Jan-04 27-Jan-04 28-Jan-04 29-Jan-04 30-Jan-04 Monday Tuesday Wednesday Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday J Smith I Khan P Jones (CAE) F Higson Briefing from CAE Set up files/scope Issue draft scope Testing Testing audit 142 audit 144 Key: Audit 146 Other audits Out of office Holidays Weekend Christmas holidays Testing Testing audit 142 audit 144 New year's day Scope meeting Amend scope Testing Testing audit 142 audit 144 Holiday Holiday Holiday Holiday Holiday meeting CAE approves scope Issue final scope Complete Complete Out of office audit 142 audit 144 Out of office Holiday Holiday Holiday Holiday Holiday Course Course Course Course Course Complete Complete audit 142 audit 144 Prepare for overseas visit 31-Jan-04 1-Feb-04 2-Feb-04 3-Feb-04 4-Feb-04 5-Feb-04 6-Feb-04 7-Feb-04 8-Feb-04 9-Feb-04 10-Feb-04 11-Feb-04 12-Feb-04 13-Feb-04 14-Feb-04 15-Feb-04 16-Feb-04 17-Feb-04 18-Feb-04 19-Feb-04 20-Feb-04 21-Feb-04 22-Feb-04 23-Feb-04 24-Feb-04 25-Feb-04 26-Feb-04 27-Feb-04 28-Feb-04 29-Feb-04 1-Mar-04 2-Mar-04 3-Mar-04 4-Mar-04 5-Mar-04 6-Mar-04 7-Mar-04 8-Mar-04 9-Mar-04 10-Mar-04 11-Mar-04 12-Mar-04 Saturday Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday Fly to Kinshasa Audit 146 Audit of Kinshasa office Discuss draft report Fly back to UK Write draft reports Write draft reports Write draft reports Write draft reports Issue draft report Receive comments Write final report Final report sign approval Out of office Out of office Out of office Issue final report s - Outline plan Other audits Out of office 146 Transport of food to famine relief camps - Audit Database Level 2 process Identify risks Follow-up July 2004 Monitoring None Risk on register (appendix H) Risks are not known Level 3 process Risk for this audit Risks are not known Inherent risks Control Tests Examine processes to set up the risk register and examine the register Examine the process to score the risks Check controls - below Ref Residual risks Control Issue 0 No register Action A risk assessment will be carried out as part of the contracting process (see below) As above As above By whom Logistics Director Cons. Like. Sig. 3 3 9 Cons. Like. Sig. 3 3 9 Conclusion Risks Conclusion Controls n/a Conclusion Action Conclusion Report Conclusion Monitoring Reference Risks Conclusion Controls n/a Conclusion Action Conclusion Monitoring 2 As above As above n/a n/a n/a n/a n/a Evaluate risks Manage risks 4.2 Arrange land transport Significant risks are not understood Significant risks are not controlled 4.2.1 Receive instructions from country office Receive instructions from country office Significant risks are not understood Significant risks are not controlled Instructions not received 3 3 3 3 3 3 9 9 9 Country office confirms receipt. No controls at HQ to ensure instructions are sent on time None None HQ chases if no confirmation received None 3 3 3 3 3 1 9 9 3 0 0 6 None 2 2 n/a n/a n/a 4.2 Arrange land transport 4.2.1 Instructions are late 3 3 9 Checked all instructions and n/a confirmations for 2003. All satisfactory n/a n/a n/a 3 1 3 6 No controls at HQ to ensure instructions are sent on time Drivers may not be available Documents could be forged HQ also tries to plan routes Country Director to assume responsibility for notifying the country office The use of contractors is to be considered The use of contractors is to be considered Country Director n/a n/a 4 Logistics Director n/a n/a 4.4 Recruit drivers Drivers not available 4.2.2 Hire drivers Drivers not available 3 3 9 4.2 Arrange land transport 4.2.1 Hire drivers Drivers not properly qualified 2 3 6 List of drivers available for None hire is kept by the compound office Drivers documents are None checked and copies made Work with other agencies and the military to plan routes The army escorts convoys HQ arrange for food to available in the warehouses Fuel is stored in the compound None Checked list. It is not regularly updated Checked copies exist. G3 3 3 9 0 1 Logistics Director n/a n/a n/a G4 2 1 2 4 4.2 Arrange land transport 4.2.2 Plan route Route is blocked 3 2 6 4.2 Arrange land transport 4.2 Arrange land transport 4.2.3 Plan route Route is dangerous No food available! 3 3 2 1 6 3 None n/a 4..2.4 Arrange to collect food Check the last plan. Examine dates of collection and delivery Ask drivers and supervisor about escorts Check loading sheets for the lorries Check fuel tanks G5 3 1 3 3 Local office to plan routes Country Director n/a n/a 5 n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a G6 3 3 1 1 3 3 3 0 None - escorts are n/a provided None - food was available n/a 4.2 Arrange land transport Fuel not available for lorries Load fuel Fuel not available for lorries 3 3 9 n/a G7 3 3 9 0 Tanks were empty, The use of contractors is although stock records to be considered showed they should be full None n/a Logistics Director n/a n/a 1 n/a n/a n/a n/a n/a n/a n/a n/a n/a 4.2 Arrange land transport 4.2 Arrange land transport 4.2.5 4.2.6 Load food Deliver to camp No loaders Food is stolen 3 2 1 2 3 4 The warehouse provides loaders Army and police provide some protection Lorries are serviced and tested The supervisor maintains day-to-day control The supervisor maintains day-to-day control The supervisor maintains day-to-day control Supervisor said no problem in the past Question staff and other agencies about problem Request a ride in the lorries n/a 3 2 1 2 3 4 0 0 Theft is a problem, but as No extra action possible well controlled as possible 2 lorries were not working The use of contractors is due to lack of to be considered maintenance (bad brakes) Scheduled checks not always carried out due to a lack of mechanics Repairs not always carried out due to a lack of mechanics Only one, inexperienced mechanic on the staff Scheduled checks not always carried out due to a lack of mechanics 1 Lorry was badly damaged No documents exist for requesting spares The use of contractors is to be considered The use of contractors is to be considered The use of contractors is to be considered The use of contractors is to be considered The use of contractors is to be considered The use of contractors is to be considered Logistics Director 1 n/a n/a 4.3 Arrange land transport Lorries not available to move food inland 4.3.1 Check lorries are working Lorries are found to be unsuitable for the journey 3 2 6 3 2 6 0 1 Logistics Director n/a n/a 4.2 Arrange land transport 4.3.1 Check lorries Check is not complete 2 2 4 4.2 Arrange land transport 4.3.1 Check lorries Action is not taken on faults 2 2 4 4.3 Maintain lorries 4.3 Maintain lorries Mechanics not available 4.3.1 4.3.2 Check lorries Carry out maintenance checks as per the lorry manual Repair lorries as necessary Repair lorries as necessary Lack of mechanics Maintenance checks not carried out thoroughly Repairs not satisfactory Repairs not necessary 3 2 3 2 9 4 4.3 Maintain lorries 4.3 Maintain lorries 4.3.3 4.3.3 2 2 2 2 4 4 Maintenance schedules are signed by the senior mechanic Maintenance schedules are signed by the senior mechanic Two mechanics are on the permanent staff Maintenance schedules are signed by the senior mechanic Lorries checked by compound supervisor Request for repairs and spare parts is approved by the compound supervisor HQ arrange for spares to be shipped out Not applicable. No computer on site Job descriptions are maintained for all jobs All staff have two appraisals every year The supervisor maintains day-to-day control The supervisor maintains day-to-day control The supervisor maintains day-to-day control The supervisor maintains day-to-day control The supervisor maintains day-to-day control The supervisor maintains day-to-day control Check schedules 2 2 4 0 1 Logistics Director n/a n/a Check schedules 2 2 4 0 1 Logistics Director Logistics Director n/a n/a Talk to mechanics. Examine work sheets Check schedules 3 2 3 2 9 4 0 0 1 1 n/a n/a Request a ride in the lorries n/a Check request documents 2 2 2 2 4 4 0 0 Logistics Director Logistics Director n/a n/a 1 1 n/a n/a 4.3 Maintain lorries Spares not available 4.3.3 Repair lorries as necessary Spares not available 2 3 6 The supervisor maintains day-to-day control n/a None 6.6 Provide information technology 6.7 Provide human resources 6.7 Provide human resources 6.6.1 Staff are not competent 6.7.1 Maintain systems Establish job descriptions Data lost through computer failure Staff competencies required have not been identified Actual competencies of the staff have not been matched with required competencies 2 2 3 3 6 6 Talk to supervisor and mechanic. Examine any available documentation n/a Check for job descriptions of all staff levels Check appraisal files 2 3 6 0 Spares can take months to arrive n/a The use of contractors is to be considered n/a Logistics Director n/a n/a 1 n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a 0 2 3 6 6 0 6.7.2 Carry out regular appraisals 2 3 6 None 2 3 6 0 No job descriptions exist. Job descriptions will be Country Manager written by the end of March 2004 No appraisals are carried Targets will be set by the Country Manager out. end of March and staff will be appraised on these by the end of September Mechanics are not trained - but move on too quickly No courses available The use of contractors is to be considered We will ensure staff are trained as part of the introduction of contractors The use of contractors is to be considered n/a Logistics Director 3 n/a n/a 3 n/a n/a 6.7 Provide human resources 6.7 Provide human resources 6.7.3 Training of staff Training is not provided 2 3 6 Appraisals identify training None needs None None Check appraisal files 2 3 6 0 1 Country Manager n/a n/a 6.7.3 Training of staff Staff not allowed to attend training 2 3 6 Question staff who have been on courses 2 3 6 0 3 Logistics Director n/a n/a 6.8 Provide security Loss of the Charity's assets 6.8.1 Provide security Loss of the Charity's assets 3 2 6 6.9 Provide continuity Office destroyed 6.9.1 6.9 Provide continuity Office destroyed 6.9.2 Identify documents required to achieve the objective of these processes Decide on arrangements to safeguard these Documents may not be recorded Level of protection may not be sufficient 1 2 2 The compound is surrounded by a high fence None None Asked staff about security 3 2 6 0 n/a None 0 2 The fence is regularly broken down - hence the fuel has been stolen Not significant 1 n/a n/a n/a n/a n/a n/a n/a n/a 1 2 2 None n/a None 0 2 Not significant n/a n/a n/a n/a n/a n/a n/a n/a n/a KEY: n/a = not apllicable Inadequate, or no, processes have been used, to identify risks. Score 9 or 6 This risks is not being mitigated to an acceptable levels and it is probable that some objectives will not be/are not being achieved The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved Score: 4 No action is being taken, OR Insufficient action is being taken to mitigate risks Major improvements are required to the monitoring of controls over this risk Processes have been used, but there are some deficiencies. Score 4 The action being Some additional taken will result in monitoring is some reduction in required risk but not to acceptable levels ©David M Griffiths 146 Audit database Thorough processes have been used and all significant risks should have been identified. Score 3,2,1 or 0 This risk is being mitigated to an acceptable level by the controls Score 3,2,1 or 0 The action being taken will result in this risk being mitigated No more monitoring is necessary than is done at present ©David M Griffiths 146 Audit database Advice on scoring risks (inherent and controlled) If the consequence when the OR the likelihood of risk occurs is: the risk occurring is: To prevent the organisation Almost certain achieving all, or a major part, of its objectives for a long time. Cash at risk> £100,000 To stop the organisation Possible achieving its objectives for a limited period. Cash at risk <£100,000 <£5,000 To cause minor inconvenience, Unlikely not affecting the achievement of objectives Cash at risk <£5,000 Then the measure is defined to be: High (3) Medium (2) Low (1) Grading individual residual risks High (3) Likelihood of residual risk Supplementary Issue 3 3 Acceptable 6 Unacceptable risk 9 Unacceptable risk Medium (2) 2 Acceptable 4 Issue risk 6 Unacceptable risk Supplementary Issue 3 3 Acceptable Low(1) 1 Acceptable 2 Acceptable Low(1) Medium (2) High (3) Consequence of residual risk Low(1) Medium (2) High (3) Consequence of residual risk Risk score = Likelihood score X Consequence score Unacceptable: Immediate action required to control the risk Issue: Action required to control the risk Supplementary issue: Action is advisable if it is cost-effective Acceptable: No action required nd controlled) 9 Unacceptable risk 6 Unacceptable risk Supplementary Issue 3 3 cceptable High (3) al risk High (3) al risk Advice on allocating conclusions Conclusion on: Risks have been identified, evaluated and managed Thorough processes have been used and all significant risks should have been identified Score 0,1,2 or 3 The risk is being mitigated to an acceptable level by the control(s) Criteria Processes have been used, but there are some deficiencies Internal controls reduce risks to acceptable levels Score: 4 The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved Action being taken to promptly remedy significant failings or weaknesses Current levels of monitoring are sufficient Colour: Grading: Report as Score 0,1,2 or 3 The action being taken will result in all risks being mitigated No more monitoring is necessary than is done at present green Score: 4 (possibly 3) The action being taken will result in some reduction in risk but not to acceptable levels Some additional monitoring is required amber Acceptable Supplementary issue, if cost effective controls can reduce the risk further, otherwise do not report Issues Key issue riteria Inadequate, or no, processes have been used Score: 6 or 9 The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results (red) or The risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results Score: 6 or 9 No action is being taken, OR insufficient action is being taken to mitigate risks Major improvements are required to the monitoring of controls red Unacceptable Key issue