Risk Based Internal Auditing - An Introduction
Introduction
© D M Griffiths
www.internalaudit.biz
This group of worksheets is intended for use with Book 1, 'Risk based internal auditing - an introduction', which can be downloaded from www.internalaudit.biz. The letters refer to appendices in that book.
The worksheets in this file illustrate how risk-based methods are used to build up audit plans and then detailed audit programs. They are only simplified examples. In practice the charity would have many more risks and processes than I have included. It is your responsibility to determine these for your organization.
The tabs for the worksheets are shown at the bottom of the page. The letters at the start of each title are those of the appendices used in www.internalaudit.biz. The numbered tabs refer to the figures used in Book 1.
G: The risk and audit universe (RAU) - This is the ORCR with the risks linked to audits and the results of previous audits added, in order to calculate an adjusted inherent risk score.
H: Audit plan 20X1 - Appendix G with full details of the last and planned audits added, to provide an audit plan for 2014. This is the working risk and audit universe, which is regularly updated. (When sorting this database use row 6 for the column titles.)
Column key: provides a description of the contents of each column.
I: The quarterly plan for the internal audit activity. In practice the quarterly plan would be a rolling 13-week plan, not a fixed quarter as shown.
J: The database for an individual audit, in order of the processes included.
This is an example database only. It took me only a few hours to compile! In practice it would take several months of interviews and meetings to compile, and score, a database of this sort. In addition it would have to be updated at least once a quarter.
Note that the risk database (appendix J) has not been updated as a result of the "Transport of food to camps" audit (146). See the manual for details.
See www.internalaudit.biz for other resources
Book 1 (Risk based internal audit - an introduction) and the two spreadsheets (rbiaintroduction and 146workingpapers) are based on a charity supplying food to famine relief areas in central Africa. It has a head office in the UK and offices in the countries it serves.
This spreadsheet shows how head office plans audits.
The other spreadsheet shows the working papers for the audit of transport in Kinshasa, in the Democratic Republic of the Congo. The Kinshasa office is responsible for a fleet of lorries that deliver food. This fleet is the subject of audit 146.
Objectives and risks
(Appendix D in Book 1)
Risks:
No clear strategy as to how to achieve our objective
Unable to predict where and when famines will occur
Unable to obtain food
Unable to deliver the food to the starving
Inadequate resources to deliver the objectives

Objective level 2:
Devise a strategy for the next five years to deliver our objectives
Set up a system which enables us to predict famine areas
Set up agreements with donors to obtain food
Establish a supply chain to ensure prompt delivery of food to the highest priority area
Establish functions to support the field operations

Risks:
Insufficient drivers
Routes become impassable due to the weather
Fuel not available for lorries
Lorries break down
Labor to load lorries not available
Do not know where food is required most urgently

Internal controls:
List of drivers available for hire is kept by the compound office
Work with other agencies and the military to plan routes
Fuel is stored in the compound
Two mechanics are on the permanent staff
The warehouse provides loaders
Charity has established a network of reliable local people with access to mobile phones

Mind Map
This mind map shows part of the objectives, risks and controls for the organization.
Charity organization chart (part)
Charity processes chart (part)
The Objectives, Risks and Controls Register
(unhide row 7 to see the database column titles)
13 | Unable to obtain food | Order food on open market | Pay too much for the food
14 | Unable to obtain food | Order food on open market | Do not have sufficient funds
38 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
40 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
41 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
42 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
43 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
44 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
45 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
46 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
47 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
(unnumbered) | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Insufficient staff with required qualifications
50 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Country offices lack sufficient qualified staff and resources
Level 3 objective | Level 3 Risk | Type (COSO) - Operations, reporting or compliance
The board of the charity define the future aims and plans | Strategy might not be the best to achieve our objectives | Operations
The strategy is converted into targets and action for all staff | People in the organization are unaware of the strategy | Operations
The strategy is converted into targets and action for all staff | Charity's aims not achieved effectively and efficiently. Possible loss of funds | Operations
Aims and plans to be regularly updated as circumstances change | Charity does not achieve its objectives because strategy not updated | Operations
Order food from donors | Donor countries will not provide food | Operations
Advertise for funds | Don't get best value for money | Operations
Provide purchasing services | Goods and services are not received | Operations
Provide purchasing services | Goods and services are of poor quality | Operations
Cons. | Like. | Sig. (See worksheet)
Risk workshop with directors 15-Dec-20XX | 4 | 5 | 20 | Board discuss and update strategy at their October meeting | Board
Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Invoices checked to orders and receipts before input | Finance
Risk workshop with HR Director, IT manager and their staff 28-Jan-20XX | 3 | 4 | 12 | Job descriptions written for all jobs and candidates' CVs checked against this | Human Resources
HR Director | None | None | 5 | 3 | 15 | 10 | Communicate strategy
HR Director and managers | HR director signs off all staff targets | HR director | 5 | 2 | 10 | 15 | Set targets
Logistics Director | To be determined | 0 | 10 | Deliver food
Logistics Director | To be determined | 0 | 15 | Deliver food
Logistics Director | None | 5 | 3 | 15 | 10 | Distribute food
Logistics Director | None | 5 | 1 | 5 | 10 | Distribute food
Logistics Director | None | 5 | 1 | 5 | 10 | Distribute food
Marketing Director | To be determined | 0 | 12 | Contact donors
Marketing Director | To be determined | 0 | 6 | Advertise
Marketing Director | None | n/a | 3 | 3 | 9 | 6 | Street collections
Marketing Director | None | n/a | 2 | 2 | 4 | 4 | Street collections
Marketing Director | None | n/a | 3 | 2 | 6 | 9 | Door-to-door collections
Marketing Director | None | n/a | 2 | 2 | 4 | 4 | Door-to-door collections
Marketing Director | None | n/a | 3 | 3 | 9 | 0 | Mail appeals
Audit Committee Chairman | To be determined | 0 | 25 | Establish integrity and ethical values
Managing Director | To be determined | 0 | 25 | Establish corporate social responsibility policy
Finance Director | To be determined | 0 | 20 | Account for cash
Finance Director | To be determined | 0 | 12 | Account for cash
Purchasing Manager | To be determined | 0 | 8 | Purchasing
Purchasing Manager | To be determined | 0 | 8 | Purchasing
Purchasing Manager | To be determined | 0 | 8 | Purchasing
Purchasing Manager | To be determined | 0 | 8 | Purchasing
Accounts Payable Manager | Budgets set and variances explained | Departmental Managers | 2 | 2 | 4 | 4 | Pay suppliers
Assistant Accountant | To be determined | 2 | 2 | 4 | 4 | Account for stock
Risk Architecture
Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the board | Establishes Responsibility and Accountability for Executing Policies and Procedures — management establishes responsibility and accountability for control activities with management (or other designated personnel) of the operating unit or function in which the relevant risks reside
Risk aware culture exists within the organization and actions are in hand to enhance the level of risk maturity | Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance — management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives
Sources of risk assurance for the Board have been identified and validated | Defines, Assigns and Limits Authorities and Responsibilities — management and the board of directors delegate authority, define responsibilities, use appropriate process and technology to assign responsibilities and segregate duties as necessary at the various levels of the organization
Risk Strategy
Risk management policy produced that describes risk appetite, risk culture and philosophy | Considers Tolerances for Risk — management considers the acceptable levels of variation relative to the achievement of operations objectives
Significant risks faced by the organization identified, together with the critical controls required | Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — the organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives
Risk Protocols
Appropriate risk management framework identified and adopted, with modifications as appropriate | Estimates Significance of Risks Identified — management ensures that identified risks are analyzed through a process that includes estimating the potential significance of the risk
Procedures to include risk as part of business decision-making established and implemented | Assesses Changes in the External Environment — the risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates
Details of required risk responses recorded, together with arrangements to track risk improvement recommendations | Determines How to Respond to Risks — management ensures that the risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk
Details of required risk responses recorded, together with arrangements to track risk improvement recommendations | Reassesses Policies and Procedures — management periodically reviews control activities to determine their continued relevance, and refreshes them when necessary
Incident reporting procedures established to facilitate identification of risk trends, together with risk escalation procedures | Communicates with the Board of Directors — communication exists between management and the board of directors so that both have the information needed to fulfill their roles with respect to the entity's objectives
Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the board. | The organization's intranet shows a statement from the board setting out the risk management framework and the responsibilities of the board and management.
Risks have been allocated to specific job titles | The ORCR shows risks allocated to specific job titles
Management have been trained to understand what risks are, and their responsibility for them. | All levels of staff have had risk awareness training
Managers are assessed on their risk management performance, which may require improvements to the level of risk maturity | The Directors and managers take into account risk management performance (including internal audit reports) in their annual appraisals.
Sources of risk assurance for the Board have been identified and validated | The Board has identified in its intranet statement that the Finance Director is responsible for assuring them that the ORCR accurately reflects objectives, risks and controls, and that the Internal Audit Manager is responsible for providing an opinion that the controls over all the significant risks threatening the charity's objectives are operating to bring those risks to within the risk appetite set by the board.
The risk appetite of the organization has been defined in terms of the scoring system. | The Finance Director has issued details of the risk appetite, which are available on the company intranet. The Board statement contains the statements on risk culture and philosophy.
No equivalent | n/a
The organization's objectives are defined | There is an annual meeting of all staff to hear and discuss the charity's objectives for the next year.
Processes have been defined to determine risks, and these have been followed. | Risks threatening the objectives have been identified using a risk workshop and interviews, and the Objectives, Risks and Controls Register completed
A scoring system for assessing risks has been defined. | Internal Audit have issued standards for scoring risks, which are available on the company intranet
Responsibility for the determination, assessment, and management of risks is included in job descriptions and targets | Job descriptions and targets include the need to determine, assess and operate controls, as appropriate to the job.
All risks have been assessed in accordance with the defined scoring system. | The ORCR shows risk scores based on the standards set by Internal Audit
All risks and controls have been collected into one list. | Internal Audit collects all risks into the ORCR
All significant new projects are routinely assessed for risk | The Internal Audit manager is responsible for ensuring that projects are assessed for risks
Risks are identified when functions and processes change due to changes in the business or external changes | New risks are notified to the keeper of the risk register - Internal Audit
Responses to the risks (e.g. controls) have been selected and implemented. | The Departmental Manager ensures all risks have appropriate controls which should be operating
Risks are regularly reviewed by the organization. | The Finance Director, Company Secretary and Internal Audit Manager meet every three months to review risks
Management have reported risks to directors where responses are not managing the risks to a level acceptable to the board. | The Internal Audit Manager meets directors every month and highlights any risks exceeding the risk appetite. The Internal Audit Manager takes action as appropriate
No equivalent
Management have set up controls to monitor the proper operation of key controls. | Management have identified monitoring controls for all risks listed in the ORCR with an inherent score of over 15
Management have set up controls to monitor the proper operation of key controls. | Standard operating manuals, which are used for training and on-going reference, contain all the tasks which are responses to risks
Managers provide assurance on the effectiveness of their risk management | Annual check for all functions, who receive a report of the objectives, risks and controls for which they are responsible. This is signed and returned to Internal Audit.
Audit test | Test result
Checked the document on which the Board has approved the risk appetite. Ensured it is consistent with the scoring system and has been communicated. | The risk appetite is consistent with the scoring system
Checked the charity's objectives have been determined by the board and have been communicated to all staff, by examining the agendas from all meetings. | Agendas for the meetings, and notes distributed after the meetings, show all the objectives
Checked the scoring system has been approved, communicated and is used. | The standards are on the intranet
Reviewed notes and action from the meeting | Thorough review, with new risks noted in the ORCR
For risks above the risk appetite, check that the board has been formally informed of their existence. | No risks are above the risk appetite
Finance Director signs off ORCR | Checked ORCR for signature | ORCR signed
None
Internal Audit department contacts all functions every quarter to update the ORCR | Examined the replies
Results column: YES, YES, YES, YES, YES, YES, YES, YES, n/a, YES, YES, YES, YES, YES, YES, YES
Characteristics | Internal audit action
Risk management and internal controls fully embedded into the operations | Audit risk management processes and use management assessment of risk as appropriate
Enterprise approach to risk management developed and communicated | Audit risk management processes and use management assessment of risk as appropriate
13 | Unable to obtain food | Order food on open market | Pay too much for the food
14 | Unable to obtain food | Order food on open market | Do not have sufficient funds
38 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
39 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
40 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
41 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
42 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
43 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
44 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
45 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
46 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
47 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
(unnumbered) | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Insufficient staff with required qualifications
50 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Country offices lack sufficient qualified staff and resources
Level 3 objective | Level 3 Risk | Type (COSO) - Operations, reporting or compliance
The board of the charity define the future aims and plans | Strategy might not be the best to achieve our objectives | Operations
The strategy is converted into targets and action for all staff | People in the organization are unaware of the strategy | Operations
The strategy is converted into targets and action for all staff | Charity's aims not achieved effectively and efficiently. Possible loss of funds | Operations
Aims and plans to be regularly updated as circumstances change | Charity does not achieve its objectives because strategy not updated | Operations
Order food from donors | Donor countries will not provide food | Operations
Advertise for funds | Don't get best value for money | Operations
Provide purchasing services | Goods and services are not received | Operations
Provide purchasing services | Goods and services are of poor quality | Operations
Cons. | Like. | Sig. (See worksheet)
Risk workshop with directors 15-Dec-20XX | 4 | 5 | 20 | Board discuss and update strategy at their October meeting | Board
Risk workshop with Aid Director and her staff 10-Jan-20XX | 4 | 2 | 8 | Check web for information available about rainfall | Aid Provision
Risk workshop with Aid Director and her staff 10-Jan-20XX | 3 | 3 | 9 | Visit areas involved to talk to farmers | Aid Provision
Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Invoices checked to orders and receipts before input | Finance
Risk workshop with HR Director, IT manager and their staff 28-Jan-20XX | 3 | 4 | 12 | Job descriptions written for all jobs and candidates' CVs checked against this | Human Resources
HR Director | None | None | 5 | 3 | 15 | 10 | Communicate strategy
HR Director and managers | HR director signs off all staff targets | HR director | 5 | 2 | 10 | 15 | Set targets
Logistics Director | To be determined | 0 | 10 | Deliver food
Logistics Director | To be determined | 0 | 15 | Deliver food
Logistics Director | None | 5 | 3 | 15 | 10 | Distribute food
Logistics Director | None | 5 | 1 | 5 | 10 | Distribute food
Logistics Director | None | 5 | 1 | 5 | 10 | Distribute food
Marketing Director | To be determined | 0 | 12 | Contact donors
Marketing Director | To be determined | 0 | 6 | Advertise
Marketing Director | None | n/a | 3 | 3 | 9 | 6 | Street collections
Marketing Director | None | n/a | 2 | 2 | 4 | 4 | Street collections
Marketing Director | None | n/a | 3 | 3 | 9 | 0 | Mail appeals
Audit Committee Chairman | To be determined | 0 | 25 | Establish integrity and ethical values
Managing Director | To be determined | 0 | 25 | Establish corporate social responsibility policy
Finance Director | To be determined | 0 | 20 | Account for cash
Finance Director | To be determined | 0 | 12 | Account for cash
Accountant | To be determined | 0 | 12 | General ledger update
Purchasing Manager | To be determined | 0 | 8 | Purchasing
Purchasing Manager | To be determined | 0 | 8 | Purchasing
Purchasing Manager | To be determined | 0 | 8 | Purchasing
Purchasing Manager | To be determined | 0 | 8 | Purchasing
Accounts Payable Manager | Budgets set and variances explained | Departmental Managers | 2 | 2 | 4 | 4 | Pay suppliers
Assistant Accountant | To be determined | 2 | 2 | 4 | 4 | Account for stock
F | Famine predicting | To be decided | never done | n/a | never done
F | Famine predicting | To be decided | never done | n/a | never done
F | Famine predicting | To be decided | never done | n/a | never done
G | Donated food | To be decided | never done | n/a | never done
G | Donated food | To be decided | never done | n/a | never done
G | Donated food | To be decided | never done | n/a | never done
I | Purchases | To be decided | never done | n/a | never done
I | Purchases | To be decided | never done | n/a | never done
L | Donor communication | To be decided | never done | n/a | never done
M | Publicity | To be decided | never done | n/a | never done
N | Funding through street collections | 147/G2 | Checked existence of list held on a spreadsheet. | Red | 20X0 | 147 | Street Collections
N | Funding through street collections | 147/G4 | Checked returns from last street collection to list | Amber | 20X0 | 147 | Street Collections
O | Funding through door-to-door collections | 148/G2 | Checked existence of list held on a spreadsheet. | green | 20X0 | 148 | Door-to-door collections
O | Funding through door-to-door collections | 148/G4 | Checked returns from last door-to-door collection to list | green | 20X0 | 148 | Door-to-door collections
Q | Governance requirements (e.g. COSO) | To be decided | never done | n/a | never done
S | Bank and cash | To be decided | never done | n/a | never done
S | Bank and cash | To be decided | never done | n/a | never done
V | General ledger | To be decided | never done | n/a | never done
W | Purchasing | To be decided | never done | n/a | never done
W | Purchasing | To be decided | never done | n/a | never done
W | Purchasing | To be decided | never done | n/a | never done
W | Purchasing | To be decided | never done | n/a | never done
Y | Stock | To be decided | never done | n/a | never done
AA | Information Technology | To be decided | never done | n/a | never done
AB | Contingency planning | To be decided | never done | n/a | never done
Gap
5 5 June 20X0 Khan July 20 20X0 July 20 20X0 130F October 20X0 green 1
June 20X0 Khan July 20 20X0 July 20 20X0 131F October 20X0 green 1
5 5 July 20X0 Smith August 20 20X0 July 20 20X0 131F November 20X0 green 1
June 20X0 Khan July 20 20X0 July 20 20X0 130F October 20X0 green 1
10 10 May 20X0 Doe 8 June 20X0 8 June 20X0 149F November 20X0 green
10 10 July 20X0 10 August 20X0 July 20X0 10 August 20X0 n/a n/a
July 20X0 10 August 20X0 July 20X0 10 August 20X0 n/a n/a
0 202
0 203
0.25 5 200
0 No audit
0 No audit
0 No audit
0 204
0 204
0 204
0 205
0 205
0 206
0 206
1 25 20X2
1 25 20X2
1 15 20X2
1 15 20X2
0.5 12.5
0.5 12.5
TOTAL (days)
Available (3 auditors)
Weekdays 780
Holidays (90)
Training (15)
Projects (200)
Secondments (50)
425
Achieved
13 | Unable to obtain food | Order food on open market | Pay too much for the food
14 | Unable to obtain food | Order food on open market | Do not have sufficient funds
38 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
39 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
40 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
41 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
42 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
43 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
44 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
45 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
46 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
47 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions
(unnumbered) | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Insufficient staff with required qualifications
Risk and audit universe (continued): audit group and last audit columns

Audit group | Test | Test schedule ref. | Last audit opinion | Year | Last audit No. | Audit name
F Famine predicting | To be decided | | never done | n/a | |
F Famine predicting | To be decided | | never done | n/a | |
F Famine predicting | To be decided | | never done | n/a | |
G Donated food | To be decided | | never done | n/a | |
G Donated food | To be decided | | never done | n/a | |
G Donated food | To be decided | | never done | n/a | |
I Purchases | To be decided | | never done | n/a | |
I Purchases | To be decided | | never done | n/a | |
L Donor communication | To be decided | | never done | n/a | |
M Publicity | To be decided | | never done | n/a | |
N Funding through street collections | Checked existence of list held on a spreadsheet. | 147/G2 | no | 20X0 | 147 | Street Collections
N Funding through street collections | Checked returns from last street collection to list | 147/G4 | exception | 20X0 | 147 | Street Collections
O Funding through door-to-door collections | Checked existence of list held on a spreadsheet. | 148/G2 | yes | 20X0 | 148 | Door-to-door collections
O Funding through door-to-door collections | Checked returns from last door-to-door collection to list | 148/G4 | yes | 20X0 | 148 | Door-to-door collections
P Funding through mail appeals | Check the mailing list to ensure another spreadsheet cannot be used as the basis for the mailing instead of the correct list | 149/G6 | no | 20X0 | 149 | Mail appeals
Q Governance requirements (e.g. COSO) | To be decided | | never done | n/a | |
S Bank and cash | To be decided | | never done | n/a | |
S Bank and cash | To be decided | | never done | n/a | |
V General ledger | To be decided | | never done | n/a | |
W Purchasing | To be decided | | never done | n/a | |
W Purchasing | To be decided | | never done | n/a | |
W Purchasing | To be decided | | never done | n/a | |
W Purchasing | To be decided | | never done | n/a | |
Y Stock | To be decided | | never done | n/a | |
AA Information Technology | To be decided | | never done | n/a | |
AB Contingency planning | To be decided | | never done | n/a | |
Risk and audit universe (continued): last audit and next audit columns

Last audit details. Columns: budget (days) | actual days | month/year | auditors | report target | report achieved | follow-up No. | follow-up date | follow-up conclusion | gap (years)
5 | 5 | June 20X0 | Khan | July 20 20X0 | July 20 20X0 | 130F | October 20X0 | yes | 1
| | June 20X0 | Khan | July 20 20X0 | July 20 20X0 | 131F | October 20X0 | yes | 1
5 | 5 | July 20X0 | Smith | July 20 20X0 | August 20 20X0 | 131F | November 20X0 | yes | 1
| | June 20X0 | Khan | July 20 20X0 | July 20 20X0 | 130F | October 20X0 | yes | 1
10 | 10 | May 20X0 | Doe | 8 June 20X0 | 8 June 20X0 | 149F | November 20X0 | yes |
10 | 10 | July 20X0 | | 10 August 20X0 | 10 August 20X0 | n/a | n/a | |
| | July 20X0 | | 10 August 20X0 | 10 August 20X0 | n/a | n/a | |

Next audit details. Columns: gap / adj factor / adj IRS (figures as shown) | next audit No. | audit name | budget (days) | timing | auditor | status | final report target or achieved (as shown)
0 | 202 | Staff targets | 10 | Q1 | | Complete | 20 March 20X1
0 | | No audit
0 | | No audit
0 | | No audit
1 25 | | No audit
1 25 | | No audit
1 15 | | No audit
1 15 | | No audit
| | No audit
| | No audit
0 | | No audit
0 | | No audit
0 | | No audit
0 | | No audit
0 | 208 | Corporate Social Responsibility | 30 | Q1 | Doe | report | 18 April 20X1
0 | 211 | Bank and cash | 20 | Q3 | Doe | To start | 21 September 20X1
0 | | No audit (10 rows)
Annual budget (days)

TOTAL audits                          310

Available (3 auditors)
  Weekdays                            780
  Holidays                            (90)
  Training                            (15)
  Projects                            (50)   (Projects includes systems developments and unplanned secondments)
  Secondments                        (100)
  Total available                     525

Available for other audits (Q3 and Q4)   215

Next final report achieved (column fragments): 21 March 20X1; 8 March 20X1; 8 March 20X1. Opinion on risk (fragment): No.
L1 Risks
L2 Objectives
L2 Risks
L3 Objectives
L3 Risks
Objective type (COSO)
Risk source
IRC
IRL
IRS
Internal control
Function
Internal control owner
Monitoring control
Audit Group
Test
Test schedule ref.
Last audit opinion
Audit name
Last audit Budget
Gap
Adj factor
Adj IRS
Next timing
Next auditor
Status
Next final report target
Next final report Achieved
20X1 opinion on risk
Column key (one entry per column, in worksheet order)

Line number. Needs resetting after each change. Used to sort the spreadsheet.
Risk threatening a top level objective.
Level 2 objective which aims to control the level 1 risk to which it is attached.
Risk threatening a level 2 objective.
Level 3 objective which aims to control the level 2 risk to which it is attached.
Risk threatening a level 3 objective.
Objective type: operations, reporting or compliance.
Who identified the risk (management, risk workshop, auditor, meeting).
Inherent risk consequence score.
Inherent risk likelihood score.
Inherent risk scores multiplied (Inherent Risk Significance score, IRS).
The control managing the risk.
The function affected by the risk (may be the division/operating unit/function).
The job title of the person responsible for operating the control.
The control which checks that the internal control is operating. There may not always be such a control.
The person responsible for operating the monitoring control.
Residual risk consequence score.
Residual risk likelihood score.
Residual risk scores multiplied (Residual Risk Significance score, RRS).
Control score (= IRS - RRS). Gives a measure of the importance of the control.
The process in which the internal control operates (such as marketing, research, supply chain, accounts payable).
Letter(s) given in order to group several risks into one audit (if necessary). They will not necessarily be in order, as new risks, with associated audits, will be added and some may be removed.
Example of a test which might be used to confirm the control is operating.
Reference number of the document detailing the test, or a link to it.
Conclusion of the last audit test on the effectiveness of controls (acceptable/issues/unacceptable).
Year of the last audit.
Unique number given to each audit. This is the number of the last audit to cover this risk.
Name given to the audit.
Approximate number of auditor-days the audit should take. This aids resource planning.
Number of days the last audit actually required.
Month/year of the last audit.
Names of principal auditors.
Target date for producing the report (from the scope).
Date actually achieved for issuing the final report.
Number of the follow-up audit (if applicable).
Date of the follow-up audit.
Conclusion of the follow-up audit test on the effectiveness of controls (acceptable/issues/unacceptable).
Gap: years between the last audit and the next planned audit.
Adj factor: factor applied to the IRS depending on how many years ago the last audit took place, and its result (see www.internalaudit.biz).
Adj IRS: IRS x adj factor. Sorting on this score gives the priority order for the associated audits.
Unique number given to each audit. This is the number of the next audit to cover this risk, if it has been allocated.
Audit name. Will usually be the same as for the last audit, but could be different if this risk has been included in another audit.
Approximate number of auditor-days the audit should take, based on the last audit's actual time. This aids resource planning.
Expected quarter/year of the next audit, if it can be allocated.
Name(s) of auditors, if allocated.
Status of the audit (planning/fieldwork/reporting) when it is in progress.
Target date for producing the report (from the scope).
Actual date the final report was issued.
The opinion as to whether the risk was being properly managed.
(When the final report from the "next audit" is issued, its details are moved into the "last audit" columns.)
Internal Audit Quarterly Plan (20X1 - Q2)
Staff planning

Budgets are in auditor-days: Original = original budget, Now = budget planned now. Week columns 14 to 17 are the weeks commencing 31-Mar, 07-Apr, 14-Apr and 21-Apr. Holiday and secondment rows carry their figures as shown.

Name | No | Audit | Original | Now | Weeks 14-17 (days)
Smith | | Annual and Bank holidays | | | 1 1
Smith | 204 | Food donations | 20 | 15 | 4 3 3 4
Smith | 210 | Security of assets | 20 | 18 | 1 1 1
Smith | 201 | Strategy Communication | 16 | 21 | 1
Smith | 150 | SAP implementation project | 7 | |
Smith | | Total days | 65 | | 5 5 5 5
Doe | | Annual and Bank holidays | | | 5 2 1
Doe | 208 | Corporate Social Responsibility | 30 | 5 | 4 1
Doe | 205 | Purchases | 25 | 18 | 1 3 2 4
Doe | 203 | Project approval | 17 | 17 | 1
Doe | 209 | Investments | 17 | 17 | 1
Doe | 211 | Bank and cash | 20 | 3 |
Doe | | Total days | 65 | | 5 5 5 5
Khan | | Annual and Bank holidays | | | 8 5 1
Khan | 207 | Corporate Governance | 30 | 5 | 4 1
Khan | 200 | Strategy setting and update | 30 | 27 | 1 2 5
Khan | 213 | Recruitment | 20 | 16 | 1
Khan | 214 | Street collections | 10 | 8 |
Khan | | Secondment to accounts | | | 1
Khan | | Total days | 65 | | 5 5 5 5

Key to plan (cell shading): scope, fieldwork, report.

Weeks 18 to 26, continuation columns as shown (rows in worksheet order; the 5-5-5 rows are weekly totals):
5 5 5 5 5 5 5 5 5
1 1
4 3 1
1 4 4 2 4 1
1 1 2 1 4 3 4
1 1 1
5 5 5 5 5 5 5 5 5
1 1
4 5 5 4 1
1 3 4 3 4
1 2 1 4
1
5 5 5 5 5 5 5 5 5
Audit database (appendix J): Transport audit

Columns: Process | L2 risk | L3 objective | L3 risk | Inherent C/L/S (from appendix H) | Internal control | Monitoring control | Test | Test ref. | Finding (from audit) | Residual C/L/S | Control score | Control rating
| | Identify risks | Risks are not known | 5/5/25 | None | | Examine processes to set up the risk register and examine the register | | No register | 5/5/25 | 0 | Red
| | Evaluate risks | Significant risks are not understood | 5/5/25 | None | | Examine the process to score the risks | | | 5/5/25 | 0 | Red
| | Manage risks | Significant risks are not controlled | 5/5/25 | None | | Check controls - below | | | 5/5/25 | 0 | Red
Arrange land transport | | Receive instructions from country office | Instructions not received | 5/5/25 | Country office confirms receipt. HQ chases if no confirmation received | | Checked all instructions and confirmations for 2003. All satisfactory | n/a | None | 4/1/4 | 21 |
Arrange land transport | | Receive instructions from country office | Instructions are late | 5/5/25 | No controls at HQ to ensure instructions are sent on time | None | n/a | n/a | No controls at HQ to ensure instructions are sent on time | 5/1/5 | 20 |
Recruit drivers | Insufficient drivers available | Hire drivers | Drivers not available | 5/5/25 | List of drivers available for hire is kept by the compound office | None | Checked list. It is not regularly updated | G3 | Drivers may not be available | 5/5/25 | 0 | Red
Arrange land transport | | Hire drivers | Drivers not properly qualified | 3/5/15 | Drivers' documents are checked and copies made | None | Checked copies exist. | G4 | Documents could be forged | 3/1/3 | 12 |
Arrange land transport | Routes become impassable due to the weather | Plan route | Route is blocked | 5/3/15 | Work with other agencies and the military to plan routes | None | Check the last plan. Examine dates of collection and delivery | G5 | HQ also tries to plan routes | 4/1/4 | 11 |
Arrange land transport | Routes become impassable due to bandits | Plan route | Route is dangerous | 5/3/15 | The army escorts convoys | None | Ask drivers and supervisor about escorts | n/a | None - escorts are provided | 4/1/4 | 11 |
Arrange land transport | | Arrange to collect food | No food available! | 5/1/5 | HQ arrange for food to be available in the warehouses | n/a | Check loading sheets for the lorries | G6 | None - food was available | 4/1/4 | 1 |
Arrange land transport | Fuel not available for lorries | Load fuel | Fuel not available for lorries | 5/5/25 | Fuel is stored in the compound | n/a | Check fuel tanks | G7 | Tanks were empty, although stock records showed they should be full | 5/5/25 | 0 | Red
Arrange land transport | Labor to load lorries not available | Load food | No loaders | 5/1/5 | The warehouse provides loaders | The supervisor maintains day-to-day control | Supervisor said no problem in the past | n/a | None | 4/1/4 | 1 |
Arrange land transport | | Deliver to camp | Food is stolen | 3/3/9 | Army and police provide some protection | The supervisor maintains day-to-day control | Question staff and other agencies about the problem | | Theft is a problem, but as well controlled as possible | 3/3/9 | 0 |
Arrange land transport | Insufficient lorries to move food inland | Three lorries are available | Lorries are found to be unsuitable for the journey | 5/3/15 | Lorries are serviced and tested | The supervisor maintains day-to-day control | Request a ride in the lorries | | 2 lorries were not working due to lack of maintenance (bad brakes) | 5/3/15 | 0 | Red
Arrange land transport | | Check lorries | Check is not complete | 3/3/9 | Maintenance schedules are signed by the senior mechanic | The supervisor maintains day-to-day control | Check schedules | | Scheduled checks not always carried out due to a lack of mechanics | 3/3/9 | 0 |
Arrange land transport | | Check lorries | Action is not taken on faults | 3/3/9 | Maintenance schedules are signed by the senior mechanic | The supervisor maintains day-to-day control | Check schedules | | Repairs not always carried out due to a lack of mechanics | 3/3/9 | 0 |
Arrange land transport | Lorries break down | Check lorries | Lack of mechanics | 5/5/25 | Two mechanics are on the permanent staff | The supervisor maintains day-to-day control | Talk to mechanics. Examine work sheets | | Only one, inexperienced mechanic on the staff | 5/5/25 | 0 | Red
Arrange land transport | | Carry out maintenance checks as per the lorry manual | Maintenance checks not carried out thoroughly | 3/3/9 | Maintenance schedules are signed by the senior mechanic | The supervisor maintains day-to-day control | Check schedules | | Scheduled checks not always carried out due to a lack of mechanics | 3/3/9 | 0 |
Arrange land transport | | Repair lorries as necessary | Repairs not satisfactory | 3/3/9 | Lorries checked by compound supervisor | The supervisor maintains day-to-day control | Request a ride in the lorries | n/a | 1 lorry was badly damaged | 3/3/9 | 0 |
Arrange land transport | | Repair lorries as necessary | Repairs not necessary | 3/3/9 | Request for repairs and spare parts is approved by the compound supervisor | The supervisor maintains day-to-day control | Check request documents | | No documents exist for requesting spares | 3/3/9 | 0 |
Arrange land transport | | Repair lorries as necessary | Spares not available | 3/5/15 | HQ arrange for spares to be shipped out | The supervisor maintains day-to-day control | Talk to supervisor and mechanic. Examine any available documentation | | Spares can take months to arrive | 3/5/15 | 0 | Red
Arrange land transport | Do not know where camps are | Maintain network of contacts | Contacts have no means of communication | 5/5/25 | Charity has established a network of reliable local people with access to mobile phones | Country manager maintains contact with local people | Check list of Country Manager's local contacts. Phone a sample | G9 | List is up-to-date with reliable contacts | 5/2/10 | 15 |
Arrange land transport | Do not know where food is required most urgently | Maintain network of contacts | Contacts have no means of communication | 5/5/25 | Charity has established a network of reliable local people with access to mobile phones | Country manager maintains contact with local people | Check list of Country Manager's local contacts. Phone a sample | G9 | List is up-to-date with reliable contacts | 5/2/10 | 15 |
Provide information technology | | Maintain systems | Data lost through computer failure | 3/5/15 | Not applicable. No computer on site | n/a | n/a | n/a | | -/-/0 | 15 |
Provide human resources | | Establish job descriptions | Staff competencies required have not been identified | 3/5/15 | Job descriptions are maintained for all jobs | None | Check for job descriptions of all staff levels | | No job descriptions exist. | 3/5/15 | 0 | Red
Provide human resources | | Carry out regular appraisals | Actual competencies of the staff have not been matched with required competencies | 3/5/15 | All staff have two appraisals every year | None | Check appraisal files | | No appraisals are carried out. | 3/5/15 | 0 | Red
Provide human resources | | Training of staff | Training is not provided | 3/5/15 | Appraisals identify training needs | None | Check appraisal files | | Mechanics are not trained - but move on too quickly | 3/5/15 | 0 | Red
Provide human resources | | Training of staff | Staff not allowed to attend training | 3/5/15 | None | None | Question staff who have been on courses | | No courses available | 3/4/12 | 3 |
Provide security | | Provide security | Loss of the Charity's assets | 5/3/15 | The compound is surrounded by a high fence | None | Asked staff about security | | The fence is regularly broken down - hence the fuel has been stolen | 4/3/12 | 3 |
Provide continuity | | Identify documents required to achieve the objective of these processes | Documents may not be recorded | 1/3/3 | None | n/a | None | | Not significant | -/-/0 | 3 |
Provide continuity | | Decide on arrangements to safeguard these | Level of protection may not be sufficient | 1/3/3 | None | n/a | None | | Not significant | -/-/0 | 3 |

(Control score = inherent significance minus residual significance; a score of 0 means the test showed the control is not reducing the risk at all, which is where the worksheet marks the control Red.)
These scores and opinions are examples. Your organization will have to decide on its own requirements.

Consequence scale (definition shown for the top score): if the consequence when the risk occurs is a catastrophic impact on the organization, threatening its existence, it is scored Catastrophic (5).

Question answered by the opinion: Is action being taken which will bring the risks to below the risk appetite and ensure the achievement of the objective?
YES: the action being taken will result in all risks being mitigated to below the risk appetite.
Opinion scale: YES / YES WITH EXCEPTIONS / NO

Residual risk matrix (score = consequence x likelihood; each cell shows score, rating, opinion):

Likelihood of residual risk | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost certain (5) | 5 Supplementary issue, EXCEPTION | 10 Issue, EXCEPTION | 15 Unacceptable, NO | 20 Unacceptable, NO | 25 Unacceptable, NO
Probable (4) | 4 Acceptable, YES | 8 Supplementary issue, EXCEPTION | 12 Issue, EXCEPTION | 16 Unacceptable, NO | 20 Unacceptable, NO
Possible (3) | 3 Acceptable, YES | 6 Supplementary issue, EXCEPTION | 9 Issue, EXCEPTION | 12 Issue, EXCEPTION | 15 Unacceptable, NO
Unlikely (2) | 2 Acceptable, YES | 4 Acceptable, YES | 6 Supplementary issue, EXCEPTION | 8 Supplementary issue, EXCEPTION | 10 Issue, EXCEPTION
Rare (1) | 1 Acceptable, YES | 2 Acceptable, YES | 3 Acceptable, YES | 4 Acceptable, YES | 5 Supplementary issue, EXCEPTION
The elements of internal auditing

An internal control is a process which manages a risk.
A risk is a set of circumstances that hinder the achievement of objectives.
Scoring risks and risk factors

See Book 1 for an explanation. Score = consequence x likelihood. The worksheet marks an example inherent risk (IR, top row) which an internal control reduces to a residual risk (RR, bottom row).

Likelihood of risk | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost certain (5) | 5 Supplementary issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable
Probable (4) | 4 Acceptable | 8 Supplementary issue | 12 Issue | 16 Unacceptable | 20 Unacceptable
Possible (3) | 3 Acceptable | 6 Supplementary issue | 9 Issue | 12 Issue | 15 Unacceptable
Unlikely (2) | 2 Acceptable | 4 Acceptable | 6 Supplementary issue | 8 Supplementary issue | 10 Issue
Rare (1) | 1 Acceptable | 2 Acceptable | 3 Acceptable | 4 Acceptable | 5 Supplementary issue

Unacceptable: Immediate action required to manage the risk
Issue: Action required to manage the risk
Supplementary issue: Action is advisable if resources are available
Acceptable: No action required
Internal audit management processes

Establish Objective, Risk and Control Register (1)
Evaluate risk maturity (Risk management opinion on Organization) (2)
Compile risk and audit universe (3)
Set up annual plan (4)
Provide internal audit opinion (as part of audit report) (6)
Report annually to Board or Audit Committee
Report annually to Stakeholders

Internal audit processes (for each audit)

Plan audit
Scope audit
Evaluate risk maturity (Risk management opinion on audit area)
Test controls and confirm residual risks (Control opinion)
Discuss issues (Action opinion)
The risk based internal audit

Audit documentation
Objectives
Risks
Controls
Audit frequency by inherent risk score (score = consequence x likelihood)

Likelihood of inherent risk | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost certain (5) | 5 Every three years | 10 Every two years | 15 Every year | 20 Every year | 25 Every year
Probable (4) | 4 Never | 8 Every three years | 12 Every two years | 16 Every year | 20 Every year
Possible (3) | 3 Never | 6 Every three years | 9 Every two years | 12 Every two years | 15 Every year
Unlikely (2) | 2 Never | 4 Never | 6 Every three years | 8 Every three years | 10 Every two years
Rare (1) | 1 Never | 2 Never | 3 Never | 4 Never | 5 Every three years

Adjustment factor applied to the IRS, by IRS and time since last audit (1 year / 2 years / 3 years):
IRS 25, audited every year: 0.75 / 1 / 1
IRS 20, audited every year: cells blank on the worksheet
IRS 15, audited every year: 0.5 / 0.75 / 1
IRS 10, audited every two years: 0.25 / 0.5 / 0.75
IRS 5, audited every three years: 0.75 (only this cell is shown)
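The scoring matrix, the residual-risk opinion matrix and the frequency table above are three views of one rule: the product of a 1-5 consequence and a 1-5 likelihood falls into a band, and the band drives the rating, the opinion and how often the risk is audited. The following is an added worked example, not code from the workbook or from www.internalaudit.biz, that encodes those bands, the control score (IRS - RRS), the adjusted IRS used to sort the risk and audit universe, and an overdue check. ADJ_FACTOR carries only the cells legible on the worksheet; the sample rows take their scores from the Transport audit database, while the years since last audit and the 0.5 recorded factor are assumed for illustration.

```python
"""Risk scoring bands, opinions, audit frequency and RAU prioritisation.

Added example (not the workbook's own code). Bands follow the 5x5 matrices
on the 'Scoring risks' worksheets; ADJ_FACTOR reproduces only the legible
cells of the adjustment-factor table, so the row's recorded factor is the
fallback. Sample rows are constructed from the Transport audit database.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SCALE = range(1, 6)  # 1 = Insignificant / Rare ... 5 = Catastrophic / Almost certain


def significance(consequence: int, likelihood: int) -> int:
    """IRS or RRS: consequence multiplied by likelihood, both scored 1-5."""
    if consequence not in SCALE or likelihood not in SCALE:
        raise ValueError("consequence and likelihood must each be scored 1-5")
    return consequence * likelihood


def rating(score: int) -> str:
    """Band a score as the matrix does: 1-4 Acceptable, 5-8 Supplementary
    issue, 9-12 Issue, 15-25 Unacceptable (no product of two 1-5 integers
    is 13 or 14)."""
    if score <= 4:
        return "Acceptable"
    if score <= 8:
        return "Supplementary issue"
    if score <= 12:
        return "Issue"
    return "Unacceptable"


def action_opinion(residual_score: int) -> str:
    """Will the action being taken bring the risk below the risk appetite?"""
    band = rating(residual_score)
    if band == "Acceptable":
        return "YES"
    if band == "Unacceptable":
        return "NO"
    return "YES WITH EXCEPTIONS"  # Supplementary issue or Issue


def control_score(irs: int, rrs: int) -> int:
    """Risk removed by the control; 0 means the control is not working."""
    return irs - rrs


def audit_frequency_years(irs: int) -> Optional[int]:
    """Years between audits for an inherent score; None means 'Never'."""
    return {"Acceptable": None, "Supplementary issue": 3,
            "Issue": 2, "Unacceptable": 1}[rating(irs)]


# (IRS -> years since last audit -> factor), copied from the legible worksheet
# cells. IRS 20 and IRS 5 are not legible there, hence the recorded fallback.
ADJ_FACTOR: Dict[int, Dict[int, float]] = {
    25: {1: 0.75, 2: 1.0, 3: 1.0},
    15: {1: 0.5, 2: 0.75, 3: 1.0},
    10: {1: 0.25, 2: 0.5, 3: 0.75},
}


def adjustment_factor(irs: int, years_since_audit: int, recorded: float) -> float:
    """Worksheet factor if tabulated, otherwise the row's 'Adj factor' value."""
    return ADJ_FACTOR.get(irs, {}).get(years_since_audit, recorded)


@dataclass
class RauRow:
    """One risk line of the RAU: inherent and residual scores plus audit history."""
    risk: str
    irc: int
    irl: int
    rrc: int
    rrl: int
    years_since_audit: int
    recorded_adj_factor: float = 1.0  # the worksheet's 'Adj factor' column

    @property
    def irs(self) -> int:
        return significance(self.irc, self.irl)

    @property
    def rrs(self) -> int:
        return significance(self.rrc, self.rrl)

    @property
    def adj_irs(self) -> float:
        return self.irs * adjustment_factor(self.irs, self.years_since_audit,
                                            self.recorded_adj_factor)

    def overdue(self) -> bool:
        """True once the gap since the last audit reaches the frequency for its IRS."""
        frequency = audit_frequency_years(self.irs)
        return frequency is not None and self.years_since_audit >= frequency


def prioritise(rows: List[RauRow]) -> List[RauRow]:
    """Sort by adjusted IRS, highest first, breaking ties on the raw IRS."""
    return sorted(rows, key=lambda r: (r.adj_irs, r.irs), reverse=True)


def transport_sample() -> List[RauRow]:
    """Constructed rows: scores from the Transport audit database; years since
    audit and the 0.5 recorded factor are assumed for illustration."""
    return [
        RauRow("Fuel not available for lorries", 5, 5, 5, 5, years_since_audit=1),
        RauRow("Drivers not properly qualified", 3, 5, 3, 1, years_since_audit=2),
        RauRow("Food is stolen", 3, 3, 3, 3, years_since_audit=1),
        RauRow("No food available!", 5, 1, 4, 1, years_since_audit=2,
               recorded_adj_factor=0.5),
    ]


if __name__ == "__main__":
    for row in prioritise(transport_sample()):
        print(f"{row.risk:32} IRS {row.irs:2} RRS {row.rrs:2} "
              f"control {control_score(row.irs, row.rrs):2} adj {row.adj_irs:5.2f} "
              f"{action_opinion(row.rrs):20} {'OVERDUE' if row.overdue() else ''}")
```

Running the module lists the fuel risk first (IRS 25, audited a year ago, factor 0.75, adjusted 18.75, control score 0, opinion NO) and the driver-qualification risk second (IRS 15 reduced to RRS 3, control score 12). Both are overdue because an Unacceptable inherent score is audited every year; the theft and food-availability rows are not, since Issue and Supplementary-issue scores are audited every two and three years respectively.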
Changes

4-May-15   Version 4
12-May-15  Version 4.1

Issued after changes to include objectives as starting point for RAU.
Changes made to include mind mapping. Made Version 3.1 to align it with Book 1.
Added Process and Functions worksheet. Added more data into RAU. Updated mind map.
Added diagrams which were in PowerPoint. Added columns to audit database and made changes based on report opinions.
Changes made to 'Scoring risks' as a result of changes made to Book 1. Minor corrections.