Risk Based Internal Auditing - An Introduction
Introduction
© D M Griffiths
www.internalaudit.biz

This group of worksheets is intended for use with Book 1, 'Risk based internal auditing - an introduction', which can be downloaded from www.internalaudit.biz. The letters refer to appendices in that book.

The worksheets in this file illustrate how risk-based methods are used to build up audit
plans and then detailed audit programs. They are only simplified examples. In practice the
charity would have many more risks and processes than I have included. It is your
responsibility to determine these for your organization.

The tabs for the worksheets are shown at the bottom of the page. The letters at the start of the title are those for the appendices used in www.internalaudit.biz. The numbered tabs refer to the figures used in Book 1.

The worksheets are:


D Objectives and risks: Shows an example hierarchy of a sample of objectives and their
related risks
Mind map: This can be the starting document to map out objectives, risks, controls and
tests. It is only an example and lacks many of the objectives, risks and controls which
would be found in a charity.
Functions: Some typical functions which might be in a charity. Risks are linked to these.
Processes: Some typical processes which might be in a charity. Risks are linked to these,
which helps group risks together which can be checked by the same audit.
E Objectives, Risks and Controls Register: The foundation of risk based internal auditing.
Audit planning is based around this.
F Risk Maturity: Checklist which assists in determining the risk maturity of the organization.

G: The risk and audit universe (RAU) - This is the ORCR with the risks linked to audits and
the results of previous audits added in order to calculate an adjusted inherent risk score.

H Audit plan 20X1: Appendix G with full details of the last and planned audits added, to provide an audit plan for 20X1. This is the working risk and audit universe, which is regularly updated. (When sorting this database use row 6 for the column titles.)
Column key: provides a description about the contents of each column
I The quarterly plan for the internal audit activity. In practice the Quarterly plan would be a
rolling 13 week plan, not a fixed quarter as shown
J The database for an individual audit, in order of the processes included.

This is an example database only. It took me only a few hours to compile! In practice it
would take several months of interviews and meetings to compile, and score, a database of
this sort. In addition it would have to be updated at least once a quarter.

Note that the risk database (appendix J) has not been updated as a result of the "Transport
of food to camps" audit (146). See the manual for details.
See www.internalaudit.biz for other resources.

Book 1 (Risk based internal auditing - an introduction) and the two spreadsheets (rbiaintroduction and 146workingpapers) are based on a charity supplying food to famine relief areas in central Africa. It has a head office in the UK and offices in the countries it serves. This spreadsheet shows how head office plans audits. The other spreadsheet shows the working papers for the audit of transport in Kinshasa, in the Democratic Republic of the Congo, which is responsible for a fleet of lorries to deliver food. This fleet is the subject of audit 146.
Objectives and risks
(Appendix D in Book 1)

The diagram shows one branch of the objective/risk hierarchy, from the charity's level 1 objective down to the internal controls over land transport.

Objective level 1: Relieve famine in central Africa

Risks level 1 (each paired with the level 2 objective that addresses it):
- No clear strategy as to how to achieve our objective -> Devise a strategy for the next five years to deliver our objectives
- Unable to predict where and when famines will occur -> Set up a system which enables us to predict famine areas
- Unable to obtain food -> Set up agreements with donors to obtain food
- Unable to deliver the food to the starving -> Establish a supply chain to ensure prompt delivery of food to the highest priority area
- Inadequate resources to deliver the objectives -> Establish functions to support the field operations

Risk level 2 (under 'Establish a supply chain to ensure prompt delivery of food to the highest priority area'):
- Don't distribute food efficiently and effectively

Objective level 3 (addressing that level 2 risk): Arrange land transport

| Risk level 3 | Internal control |
|---|---|
| Insufficient drivers | List of drivers available for hire is kept by the compound office |
| Routes become impassable due to the weather | Work with other agencies and the military to plan routes |
| Fuel not available for lorries | Fuel is stored in the compound |
| Labor to load lorries not available | The warehouse provides loaders |
| Lorries break down | Two mechanics are on the permanent staff |
| Do not know where food is required most urgently | Charity has established a network of reliable local people with access to mobile phones |
Mind Map
This mind map shows part of the objectives, risks and controls for the organization. (Diagram; not reproduced in this extract.)

Charity organization chart (part)
(Diagram; not reproduced in this extract.)

Charity processes chart (part)
(Diagram; not reproduced in this extract.)
The Objectives, Risks and Controls Register (ORCR)
(Appendix E in Book 1; in the spreadsheet, unhide row 7 to see the database column titles)
As at 31 March 20X1

Level 1 objective: Relieve famine in central Africa

The register is shown here in two parts keyed by the row number in the first column. The first part gives the objective/risk hierarchy and the COSO objective type (operations, reporting or compliance); the remaining columns (risk source, inherent and residual scores, controls, owners and process) follow in the same row order. Row numbers are reproduced as they appear in the spreadsheet, including the out-of-sequence numbering of the land-transport rows and one row that carries no number.

| No. | Level 1 risk | Level 2 objective | Level 2 risk | Level 3 objective | Level 3 risk | Objective type (COSO) |
|---|---|---|---|---|---|---|
| 1 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Board do not define a strategy | The board of the charity define the future aims and plans | Management do not support the strategy, with the result that it does not achieve its aims | Operations |
| 2 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Board do not define a strategy | The board of the charity define the future aims and plans | Strategy might not be the best to achieve our objectives | Operations |
| 3 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy not communicated | The strategy is converted into targets and action for all staff | People in the organization are unaware of the strategy | Operations |
| 4 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy not put into action | The strategy is converted into targets and action for all staff | Charity's aims not achieved effectively and efficiently. Possible loss of funds | Operations |
| 5 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy not put into action | The strategy is converted into targets and action for all staff | New projects do not add value | Operations |
| 6 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy becomes out-of-date | Aims and plans to be regularly updated as circumstances change | Charity does not achieve its objectives because strategy not updated | Operations |
| 7 | Unable to predict where and when famines will occur | Predict famine areas | Poor rainfall | Receive weather reports and assess their long term impact | Reliable weather reports not available | Operations |
| 8 | Unable to predict where and when famines will occur | Predict famine areas | Inadequate planting | Understand how much planting has been carried out | Planting reports not available or reliable | Operations |
| 9 | Unable to predict where and when famines will occur | Predict famine areas | Crops grow badly | Understand what harvest is likely to be, using weather and planting reports | Do not correctly predict harvest | Operations |
| 10 | Unable to obtain food | Set up agreements with donors to obtain food | No food available | Monitor availability | Information on food stocks is not available | Operations |
| 11 | Unable to obtain food | Set up agreements with donors to obtain food | No orders placed for food to be delivered when required | Order food from donors | Donor countries will not provide food | Operations |
| 12 | Unable to obtain food | Set up agreements with donors to obtain food | No orders placed for food to be delivered when required | Order food from donors | Do not know quantities to order | Operations |
| 13 | Unable to obtain food | Order food on open market | Pay too much for the food | Negotiate best rates possible | No negotiation skills | Operations |
| 14 | Unable to obtain food | Order food on open market | Do not have sufficient funds | | See 'Inadequate resources' risks | Operations |
| 15 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Can't deliver food to nearest distribution point | Arrange sea transport | No ships available | Operations |
| 16 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Can't deliver food to nearest distribution point | Arrange sea transport | No suitable docking facilities near to famine area | Operations |
| 17 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Can't deliver food to nearest docks | Arrange sea transport | Do not negotiate best rates | Operations |
| 22 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Insufficient drivers available | Operations |
| 23 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Routes become impassable due to the weather | Operations |
| 24 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Routes become impassable due to bandits | Operations |
| 20 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Fuel not available for lorries | Operations |
| 18 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Labor to load lorries not available | Operations |
| 19 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Insufficient lorries to move food inland | Operations |
| 21 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Lorries break down | Operations |
| 25 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Do not know where camps are | Operations |
| 26 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Do not know where food is required most urgently | Operations |
| 27 | Inadequate resources to fund the operation | Raise money by all possible means | No donors have been identified | Identify potential donors | Donors are not willing to give | Operations |
| 28 | Inadequate resources to fund the operation | Raise money by all possible means | Public unaware of need | Advertise for funds | Don't get best value for money | Operations |
| 29 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism | Organize street collections | Insufficient collectors | Operations |
| 30 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism | Organize street collections | Money is lost or stolen | Operations |
| 31 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism | Organize door-to-door collections | Insufficient collectors | Operations |
| 32 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism | Organize door-to-door collections | Money is lost or stolen | Operations |
| 33 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism | Organize mail collections | Wrong database used | Operations |
| 34 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Break laws and regulations | Operate organization according to legal requirements | Current requirements for Corporate Governance are not understood | Compliance |
| 35 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Operate irresponsibly | Operate organization according to social responsibility requirements | No policy on Corporate Social Responsibility (CSR) set up | Compliance |
| 36 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Lose assets | Safeguard money | Money is lost or stolen | Operations |
| 37 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Lose assets | Safeguard assets | Loss of the Charity's physical assets | Operations |
| 38 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Money may be fraudulently removed | Operations |
| 39 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Transactions posted to incorrect general ledger accounts | Operations |
| 40 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide purchasing services | Purchase goods and services which are not required | Operations |
| 41 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide purchasing services | Goods and services not purchased at optimum cost | Operations |
| 42 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide purchasing services | Goods and services are not received | Operations |
| 43 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide purchasing services | Goods and services are of poor quality | Operations |
| 44 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Invoices paid when no goods or services are received | Operations |
| 45 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Additions and disposals of fixed assets are not recorded | Operations |
| 46 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Depreciation incorrectly calculated | Operations |
| 47 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Quantities and/or values of stock are mis-stated | Operations |
| | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Insufficient staff with required qualifications | Provide an HR department | Fail to recruit staff with the right qualifications | Operations |
| 48 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Computer failure | Provide information technology | Provisions of the Data Protection Act not followed | Operations |
| 49 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Destruction of infrastructure | Provide continuity | Head office destroyed | Operations |
| 50 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Country offices lack sufficient qualified staff and resources | (See individual ORCRs for more details) | | |

©David M Griffiths E ORCR


Register, continued: risk source, scores, controls, owners and process, in the same row order. Cons. = consequence, Like. = likelihood (each scored 1 to 5), Sig. = significance (consequence multiplied by likelihood). The 'Score' column equals inherent significance minus residual significance; where no residual assessment has been made the register shows residual significance as 0, so the score equals the inherent significance. Function and Process refer to the Functions and Processes worksheets.

| No. | Risk source | Inh. Cons. | Inh. Like. | Inh. Sig. | Control | Function | Internal control owner | Monitoring control | Monitoring control owner | Res. Cons. | Res. Like. | Res. Sig. | Score | Process |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | All new board members are carefully recruited to ensure they support the aims and ethics of the charity. They have induction training when starting. | Board | Managing Director | MD works to ensure any disagreements are resolved | Board | 5 | 3 | 15 | 10 | Set strategy |
| 2 | Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | The strategy is set after careful discussion, and a risk analysis by the board | Board | Managing Director | The strategy is turned into a forecast and targets, which are scrutinized by the board every month | Board | 5 | 2 | 10 | 15 | Set strategy |
| 3 | Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | Managers brief all staff yearly. The strategy is on the intranet. New staff have an induction course. | Board | HR Director | None | None | 5 | 3 | 15 | 10 | Communicate strategy |
| 4 | Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | HR director meets with all management prior to the setting of targets to discuss the targets which will achieve the objectives | Board | HR Director and managers | HR director signs off all staff targets | HR director | 5 | 2 | 10 | 15 | Set targets |
| 5 | Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | All new projects must have a clear purpose, a risk analysis and financial justification using @RISK | Board | Managing Director | Finance Director approves all proposals before board meeting | Finance Director | 5 | 2 | 10 | 15 | New projects |
| 6 | Risk workshop with directors 15-Dec-20XX | 4 | 5 | 20 | Board discuss and update strategy at their October meeting | Board | Managing Director | MD's secretary checks agenda before sending to outsourced Legal Advisor for final approval | Legal Advisor | 4 | 2 | 8 | 12 | Update strategy |
| 7 | Risk workshop with Aid director and her staff 10-Jan-20XX | 4 | 2 | 8 | To be determined | Aid Provision | Aid Director | To be determined | | | | 0 | 8 | Predict famines |
| 8 | Risk workshop with Aid director and her staff 10-Jan-20XX | 3 | 3 | 9 | To be determined | Aid Provision | Aid Director | To be determined | | | | 0 | 9 | Predict famines |
| 9 | Risk workshop with Aid director and her staff 10-Jan-20XX | 3 | 3 | 9 | To be determined | Aid Provision | Aid Director | To be determined | | | | | 9 | Predict famines |
| 10 | Risk workshop with Aid director and her staff 10-Jan-20XX | 3 | 3 | 9 | To be determined | Aid Provision | Aid Director | To be determined | | | | 0 | 9 | Obtain food from donors |
| 11 | Risk workshop with Aid director and her staff 10-Jan-20XX | 5 | 5 | 25 | To be determined | Aid Provision | Aid Director | To be determined | | | | 0 | 25 | Obtain food from donors |
| 12 | Risk workshop with Aid director and her staff 10-Jan-20XX | 5 | 5 | 25 | To be determined | Aid Provision | Aid Director | To be determined | | | | 0 | 25 | Obtain food from donors |
| 13 | Risk workshop with Aid director and her staff 10-Jan-20XX | 5 | 1 | 5 | To be determined | Aid Provision | Aid Director | To be determined | | | | 0 | 5 | Buy food |
| 14 | Risk workshop with Aid director and her staff 10-Jan-20XX | 3 | 4 | 12 | To be determined | Aid Provision | Aid Director | To be determined | | | | 0 | 12 | Buy food |
| 15 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 2 | 10 | To be determined | Logistics | Logistics Director | To be determined | | | | 0 | 10 | Deliver food |
| 16 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 3 | 15 | To be determined | Logistics | Logistics Director | To be determined | | | | 0 | 15 | Deliver food |
| 17 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 3 | 15 | To be determined | Logistics | Logistics Director | To be determined | | | | 0 | 15 | Deliver food |
| 22 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 5 | 25 | List of drivers available for hire is kept by the compound office | Logistics | Logistics Director | None | | 5 | 3 | 15 | 10 | Distribute food |
| 23 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 3 | 15 | Work with other agencies and the military to plan routes | Logistics | Logistics Director | None | | 5 | 1 | 5 | 10 | Distribute food |
| 24 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 3 | 15 | The army escorts convoys | Logistics | Logistics Director | None | | 5 | 1 | 5 | 10 | Distribute food |
| 20 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 5 | 25 | Fuel is stored in the compound | Logistics | Logistics Director | The supervisor maintains day-to-day control | Supervisor | 5 | 3 | 15 | 10 | Distribute food |
| 18 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 1 | 5 | The warehouse provides loaders | Logistics | Logistics Director | The supervisor maintains day-to-day control | Supervisor | 4 | 1 | 4 | 1 | Distribute food |
| 19 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 3 | 15 | Lorries are serviced and tested | Logistics | Logistics Director | The supervisor maintains day-to-day control | Supervisor | 5 | 2 | 10 | 5 | Distribute food |
| 21 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 3 | 5 | 15 | Two mechanics are on the permanent staff | Logistics | Logistics Director | The supervisor maintains day-to-day control | Supervisor | 3 | 3 | 9 | 6 | Distribute food |
| 25 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 5 | 25 | Charity has established a network of reliable local people with access to mobile phones | Logistics | Logistics Director | Country manager maintains contact with local people | Supervisor | 5 | 2 | 10 | 15 | Distribute food |
| 26 | Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 5 | 25 | Charity has established a network of reliable local people with access to mobile phones | Logistics | Logistics Director | Country manager maintains contact with local people | Supervisor | 5 | 2 | 10 | 15 | Distribute food |
| 27 | Risk workshop with Marketing Director and her staff 25-Jan-20XX | 4 | 3 | 12 | To be determined | Funding | Marketing Director | To be determined | | | | 0 | 12 | Contact donors |
| 28 | Risk workshop with Marketing Director and her staff 25-Jan-20XX | 2 | 3 | 6 | To be determined | Funding | Marketing Director | To be determined | | | | 0 | 6 | Advertise |
| 29 | Risk workshop with Marketing Director and her staff 25-Jan-20XX | 3 | 5 | 15 | List maintained of all street collectors | Funding | Marketing Director | None | n/a | 3 | 3 | 9 | 6 | Street collections |
| 30 | Risk workshop with Marketing Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Use established street collectors | Funding | Marketing Director | None | n/a | 2 | 2 | 4 | 4 | Street collections |
| 31 | Risk workshop with Marketing Director and her staff 25-Jan-20XX | 3 | 5 | 15 | List maintained of all door-to-door collectors | Funding | Marketing Director | None | n/a | 3 | 2 | 6 | 9 | Door-to-door collections |
| 32 | Risk workshop with Marketing Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Use established door-to-door collectors | Funding | Marketing Director | None | n/a | 2 | 2 | 4 | 4 | Door-to-door collections |
| 33 | Risk workshop with Marketing Director and her staff 25-Jan-20XX | 3 | 3 | 9 | None | Funding | Marketing Director | None | n/a | 3 | 3 | 9 | 0 | Mail appeals |
| 34 | Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | To be determined | Board | Audit Committee Chairman | To be determined | | | | 0 | 25 | Establish integrity and ethical values |
| 35 | Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | To be determined | Board | Managing Director | To be determined | | | | 0 | 25 | Establish corporate social responsibility policy |
| 36 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 4 | 5 | 20 | To be determined | Board | Finance Director | To be determined | | | | 0 | 20 | Account for cash |
| 37 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 4 | 5 | 20 | To be determined | Board | Various | To be determined | | | | 0 | 20 | Account for fixed assets |
| 38 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 3 | 4 | 12 | To be determined | Board | Finance Director | To be determined | | | | 0 | 12 | Account for cash |
| 39 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 3 | 4 | 12 | To be determined | Board | Accountant | To be determined | | | | 0 | 12 | General ledger update |
| 40 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance | Purchasing Manager | To be determined | | | | 0 | 8 | Purchasing |
| 41 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance | Purchasing Manager | To be determined | | | | 0 | 8 | Purchasing |
| 42 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance | Purchasing Manager | To be determined | | | | 0 | 8 | Purchasing |
| 43 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance | Purchasing Manager | To be determined | | | | 0 | 8 | Purchasing |
| 44 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Invoices checked to orders and receipts before input | Finance | Accounts Payable Manager | Budgets set and variances explained | Departmental Managers | 2 | 2 | 4 | 4 | Pay suppliers |
| 45 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Additions recorded from AP system. Disposals recorded from forms sent by managers | Finance | Assistant Accountant | Physical inventory checks | Internal Audit | 2 | 2 | 4 | 4 | Account for fixed assets |
| 46 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Depreciation calculated by computer based on fixed asset categories | Finance | Assistant Accountant | Budgets set and variances explained | Departmental Managers | 2 | 2 | 4 | 4 | Account for fixed assets |
| 47 | Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance | Assistant Accountant | To be determined | | 2 | 2 | 4 | 4 | Account for stock |
| | Risk workshop with HR Director, IT manager and their staff 28-Jan-20XX | 3 | 4 | 12 | Job descriptions written for all jobs and candidates' CVs checked against these | Human Resources | HR Director | HR attend interviews and approve offer letters | HR Director | 2 | 2 | 4 | 8 | Recruit staff |
| 48 | Risk workshop with HR Director, IT manager and their staff 28-Jan-20XX | 3 | 4 | 12 | To be determined | Finance | IT Manager | To be determined | | 2 | 2 | 4 | 8 | Provide IT |
| 49 | Risk workshop with HR Director, IT manager and their staff 28-Jan-20XX | 5 | 3 | 15 | To be determined | Human Resources | Various | To be determined | | 2 | 2 | 4 | 11 | Contingency planning |
| 50 | | | | | | | | | | | | | | |
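The register above is maintained by hand, so before it drives an audit plan the scores are worth checking mechanically. The following is an added example, not part of the workbook or Book 1. It assumes the conventions visible in the register (consequence and likelihood scored 1 to 5, significance as their product, an unassessed residual shown as 0, and the final column as inherent minus residual significance), and the ranking rule in `audit_order` is an illustrative assumption rather than the book's method. The eight `SAMPLE` rows are transcribed from the register; the row numbers, scores and process names are those shown there.

```python
"""Scoring and consistency checks for an objectives, risks and controls
register (ORCR).  Added illustration, not the workbook's own formulas:
assumes 1-5 scales, significance = consequence x likelihood, and reads the
register's last column as inherent minus residual significance."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCALE_MIN, SCALE_MAX = 1, 5
TO_BE_DETERMINED = "to be determined"   # control cell: no control identified yet
NO_CONTROL = "none"                     # control cell: assessed, nothing in place


@dataclass(frozen=True)
class Risk:
    no: str                 # ORCR row number, kept as text because one row has none
    level3_risk: str
    process: str            # process the risk is linked to; used to group audits
    inh_cons: int           # inherent consequence, 1-5
    inh_like: int           # inherent likelihood, 1-5
    control: str            # control text as written in the register
    res_cons: Optional[int] = None   # residual scores are blank where not assessed
    res_like: Optional[int] = None

    @property
    def inherent(self) -> int:
        return self.inh_cons * self.inh_like

    @property
    def residual(self) -> int:
        # The register shows an unassessed residual significance as 0.
        if self.res_cons is None or self.res_like is None:
            return 0
        return self.res_cons * self.res_like

    @property
    def control_score(self) -> int:
        # Significance removed by the controls: the register's last column.
        return self.inherent - self.residual

    @property
    def control_state(self) -> str:
        return self.control.strip().lower()


def scores(register: List[Risk]) -> Dict[str, Tuple[int, int, int]]:
    """Row number -> (inherent, residual, control score)."""
    return {r.no: (r.inherent, r.residual, r.control_score) for r in register}


def validate(register: List[Risk]) -> List[str]:
    """Consistency checks to run before the register drives an audit plan."""
    problems = []
    for r in register:
        for name, v in (("inherent consequence", r.inh_cons), ("inherent likelihood", r.inh_like),
                        ("residual consequence", r.res_cons), ("residual likelihood", r.res_like)):
            if v is not None and not SCALE_MIN <= v <= SCALE_MAX:
                problems.append(f"row {r.no}: {name} {v} outside {SCALE_MIN}-{SCALE_MAX}")
        scored = r.res_cons is not None and r.res_like is not None
        if r.residual > r.inherent:   # a control cannot make a risk larger
            problems.append(f"row {r.no}: residual {r.residual} exceeds inherent {r.inherent}")
        if r.control_state == TO_BE_DETERMINED and scored:
            problems.append(f"row {r.no}: residual scored but control still to be determined")
        if r.control_state == NO_CONTROL and scored and r.residual < r.inherent:
            problems.append(f"row {r.no}: no control recorded yet residual below inherent")
    return problems


def risks_by_process(register: List[Risk]) -> Dict[str, List[str]]:
    """Group row numbers by process: risks sharing a process can be covered by one audit."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in register:
        groups[r.process].append(r.no)
    return dict(groups)


def audit_order(register: List[Risk]) -> List[str]:
    """Illustrative ranking (an assumption): highest inherent significance
    first, then highest residual; ties keep register order."""
    return [r.no for r in sorted(register, key=lambda r: (-r.inherent, -r.residual))]


def uncontrolled(register: List[Risk], threshold: int) -> List[str]:
    """Rows with no identified control whose inherent significance reaches the
    threshold: candidates for management action rather than control testing."""
    hits = [r for r in register if r.control_state == TO_BE_DETERMINED and r.inherent >= threshold]
    return [r.no for r in sorted(hits, key=lambda r: -r.inherent)]


# Eight rows transcribed from the register above, with the scores shown there.
SAMPLE = [
    Risk("1", "Management do not support the strategy", "Set strategy", 5, 5,
         "All new board members are carefully recruited", 5, 3),
    Risk("11", "Donor countries will not provide food", "Obtain food from donors", 5, 5,
         "To be determined"),
    Risk("15", "No ships available", "Deliver food", 5, 2, "To be determined"),
    Risk("22", "Insufficient drivers available", "Distribute food", 5, 5,
         "List of drivers available for hire is kept by the compound office", 5, 3),
    Risk("18", "Labor to load lorries not available", "Distribute food", 5, 1,
         "The warehouse provides loaders", 4, 1),
    Risk("21", "Lorries break down", "Distribute food", 3, 5,
         "Two mechanics are on the permanent staff", 3, 3),
    Risk("33", "Wrong database used", "Mail appeals", 3, 3, "None", 3, 3),
    Risk("47", "Quantities and/or values of stock are mis-stated", "Account for stock",
         2, 4, "To be determined", 2, 2),
]

if __name__ == "__main__":
    for no, (inh, res, score) in scores(SAMPLE).items():
        print(f"row {no:>2}: inherent {inh:2d}  residual {res:2d}  control score {score:2d}")
    print("audit order:", audit_order(SAMPLE))
    print("no control, inherent >= 10:", uncontrolled(SAMPLE, 10))
    print("by process:", risks_by_process(SAMPLE))
    print("problems:", validate(SAMPLE))
```

Run as a script it reproduces the inherent, residual and score values of the eight rows, groups the three land-transport rows under 'Distribute food' (the grouping the Processes worksheet is meant to support), and lists rows 11 and 15 as high-scoring risks with no control yet identified. `validate` also reports row 47, which in the register carries a residual score while its control is still 'To be determined'; that is exactly the kind of entry a reviewer should query before relying on the residual figure.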


Assessment of risk maturity
(worksheet F)
From 'An approach to implementing Risk Based Internal Auditing' (IIA-UK and Ireland), which may no longer be available, modified by a checklist in the Guide to ISO 31000.

Overall conclusion: Risk Managed
Internal audit action: Audit risk management processes and use management's assessment of risk as appropriate

Each ISO 31000 control is matched to the nearest COSO attribute; a blank COSO cell means none was matched in the source.

| Control (ISO 31000) | Control (COSO attribute) |
|---|---|
| Risk Architecture | |
| Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the board | Establishes Responsibility and Accountability for Executing Policies and Procedures — management establishes responsibility and accountability for control activities with management (or other designated personnel) of the operating unit or function in which the relevant risks reside |
| Risk management responsibilities allocated to an appropriate management committee | Monitoring activities — assessing and overseeing the nature and scope of monitoring activities and management's evaluation and remediation of deficiencies |
| Arrangements are in place to ensure the availability of appropriate competent advice on risks and controls | Attracts, Develops, and Retains Individuals — the organization provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives |
| Risk aware culture exists within the organization and actions are in hand to enhance the level of risk maturity | Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance — management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives |
| Sources of risk assurance for the Board have been identified and validated | Defines, Assigns and Limits Authorities and Responsibilities — management and the board of directors delegate authority, define responsibilities, use appropriate process and technology to assign responsibilities and segregate duties as necessary at the various levels of the organization |
| Risk Strategy | |
| Risk management policy produced that describes risk appetite, risk culture and philosophy | Considers Tolerances for Risk — management considers the acceptable levels of variation relative to the achievement of operations objectives |
| Key dependencies for success identified, together with the matters that should be avoided | |
| Business objectives validated and the assumptions underpinning those objectives tested | Reflects Management's Choices — the operations objectives reflect management's choices about structure, industry considerations, and performance of the entity |
| Significant risks faced by the organization identified, together with the critical controls required | Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — the organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives |
| Risk management action plan established that includes the use of key risk indicators, as appropriate | Estimates Significance of Risks Identified — management ensures that identified risks are analyzed through a process that includes estimating the potential significance of the risk |
| Necessary resources identified and provided to support the risk management activities | Evaluates Performance and Rewards or Disciplines Individuals — management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action as appropriate |
| Risk Protocols | |
| Appropriate risk management framework identified and adopted, with modifications as appropriate | Estimates Significance of Risks Identified — management ensures that identified risks are analyzed through a process that includes estimating the potential significance of the risk |
| Suitable and sufficient risk assessments completed and the results recorded in an appropriate manner | |
| Procedures to include risk as part of business decision-making established and implemented | Assesses Changes in the Business Model — the organization considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies and new technologies |
| Procedures to include risk as part of business decision-making established and implemented | Assesses Changes in the External Environment — the risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates |
| Details of required risk responses recorded, together with arrangements to track risk improvement recommendations | Determines How to Respond to Risks — management ensures that the risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk |
| Details of required risk responses recorded, together with arrangements to track risk improvement recommendations | Reassesses Policies and Procedures — management periodically reviews control activities to determine their continued relevance, and refreshes them when necessary |
| Incident reporting procedures established to facilitate identification of risk trends, together with risk escalation procedures | Communicates with the Board of Directors — communication exists between management and the board of directors so that both have the information needed to fulfill their roles with respect to the entity's objectives |
| Business continuity plans and disaster recovery plans established and regularly tested | No equivalent |
| Arrangements in place to audit the efficiency and effectiveness of the | Involves Appropriate Levels of Management — the organization puts into place effective risk assessment |
controls in place for significant risks mechanisms that involve appropriate levels of
management
Arrangements in place to audit the Involves Appropriate Levels of Management—The
efficiency and effectiveness of the organization puts into place effective risk assessment
controls in place for significant risks mechanisms that involve appropriate levels of
management
Arrangements in place for Assesses Results—management and the board of
mandatory reporting on risk, directors, as appropriate, assess results of ongoing and
including reports on at least the separate evaluations
following: Risk appetite, tolerance
and constraints; Risk architecture
and risk escalation procedures;
Risk aware culture currently in
place; Risk assessment
arrangements and protocols;
Significant risks and key risk
indicators; Critical controls and
control weaknesses; Sources of
assurance available to the Board
http://www.ferma.eu/risk-management/standards/iso-standard (may no longer be available)

Assume controls are as stated in the ORCR. Check that they are an adequate response to the risks. Test controls over high inherent risks.

| Control (IIA, with Charity's amendments) | Control |
|---|---|
| Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the board. | The organization's intranet shows a statement from the board setting out the risk management framework and the responsibilities of the board and management. |
| Risks have been allocated to specific job titles. | The ORCR shows risks allocated to specific job titles. |
| Risk management responsibilities allocated to an appropriate management committee or department. | There is no Risk Management Committee, since the charity is small. |
| Management have been trained to understand what risks are, and their responsibility for them. | All levels of staff have had risk awareness training. |
| Managers are assessed on their risk management performance, which may require improvements to the level of risk maturity. | The Directors and managers take into account risk management performance (including internal audit reports) in their annual appraisals. |
| Sources of risk assurance for the Board have been identified and validated. | The Board has identified in its intranet statement that the Finance Director is responsible for assuring them that the ORCR accurately reflects objectives, risks and controls, and that the Internal Audit Manager is responsible for providing an opinion that the controls over all the significant risks threatening the charity's objectives are operating to bring the risks to within the risk appetite set by the board. |
| The risk appetite of the organization has been defined in terms of the scoring system. | The Finance Director has issued details of the risk appetite, which are available on the company intranet. The Board statement contains the statements on risk culture and philosophy. |
| No equivalent | n/a |
| The organization's objectives are defined. | There is an annual meeting of all staff to hear and discuss the charity's objectives for the next year. |
| Processes have been defined to determine risks, and these have been followed. | Risks threatening the objectives have been identified using a risk workshop and interviews, and the Objectives, Risks and Controls Register completed. |
| A scoring system for assessing risks has been defined. | Internal Audit have issued standards for scoring risks, which are available on the company intranet. |
| Responsibility for the determination, assessment, and management of risks is included in job descriptions and targets. | Job descriptions and targets include the need to determine, assess and operate controls, as appropriate to the job. |
| All risks have been assessed in accordance with the defined scoring system. | The ORCR shows risk scores based on the standards set by Internal Audit. |
| All risks and controls have been collected into one list. | Internal Audit collects all risks into the ORCR. |
| All significant new projects are routinely assessed for risk. | The Internal Audit Manager is responsible for ensuring that projects are assessed for risks. |
| Risks are identified when functions and processes change due to changes in the business or external changes. | New risks are notified to the keeper of the risk register - Internal Audit. |
| Responses to the risks (e.g. controls) have been selected and implemented. | The Departmental Manager ensures all risks have appropriate controls, which should be operating. |
| Risks are regularly reviewed by the organization. | The Finance Director, Company Secretary and Internal Audit Manager meet every three months to review risks. |
| Management have reported risks to directors where responses are not managing the risks to a level acceptable to the board. | The Internal Audit Manager meets directors every month and highlights any risks exceeding the risk appetite. The Internal Audit Manager takes action as appropriate. |
| No equivalent | |
| Management have set up controls to monitor the proper operation of key controls. | Management have identified monitoring controls for all risks listed in the ORCR with an inherent score of over 15. |
| Management have set up controls to monitor the proper operation of key controls. | Standard operating manuals, which are used for training and on-going reference, contain all the tasks which are responses to risks. |
| Managers provide assurance on the effectiveness of their risk management. | Annual check for all functions, who receive a report of the objectives, risks and controls for which they are responsible. This is signed and returned to Internal Audit. |
| Audit test | Test result |
|---|---|
| Ensured the intranet statement is easily accessible. | The statement is accessible and comprehensive. |
| Ensured risks are allocated to managers. | Examined ORCR and confirmed all risks allocated to appropriate people. |
| Interviewed managers to confirm their understanding of risk and the extent to which they manage it. | Managers in Head Office do understand risks and their responsibilities (Meeting date: 6 Jan 20X1). |
| Examine a sample of appraisals for evidence that risk management was properly assessed for performance. | Risk management is included in appraisals. |
| Checked the intranet and examined quarterly returns to the Audit Committee from the Internal Audit Manager. | Intranet statement seen. Quarterly opinion from the Internal Audit Manager verified. |
| Checked the document on which the Board has approved the risk appetite. Ensured it is consistent with the scoring system and has been communicated. | The risk appetite is consistent with the scoring system. |
| Checked the charity's objectives have been determined by the board and have been communicated to all staff, by examining the agendas from all meetings. | Agendas for the meetings, and notes distributed after the meetings, show all the objectives. |
| Examined the processes to ensure they are sufficient to ensure identification of all risks. Checked they are in use, by examining the output from any workshops. | Internal Audit held risk workshops and included the results in the Objectives, Risks and Controls Register (ORCR). |
| Checked the scoring system has been approved, communicated and is used. | The standards are on the intranet. |
| Examined job descriptions and targets. | Job descriptions and targets include risk management and control tasks as necessary. |
| Checked the scoring applied to a selection of risks is consistent with the policy. Look for consistency (that is, similar risks have similar scores). | The scoring is consistent. |
| Examined the ORCR. Ensured it is complete, regularly reviewed, assessed and used to manage risks. | ORCR is complete, reviewed, assessed and manages risks, based on these audit results. |
| Examine project proposals for an analysis of the risks which might threaten them. | Currently no new projects. |
| Determined the process used to update the register when external or internal changes result in new risks. | There is no formal procedure to notify Internal Audit of new risks, although e-mails have been seen which notify Internal Audit. |
| Examined the ORCR to ensure proper controls should be in place. | As part of audits, checks of responses will be made. |
| Reviewed notes and action from the meeting. | Thorough review, with new risks noted in the ORCR. |
| For risks above the risk appetite, check that the board has been formally informed of their existence. | No risks are above the risk appetite. |
| For significant risks, examined the control(s) treating it and ensured management would know if the control failed. | As part of this audit, checks of responses will be made. |
| Examined operating manuals. Checked a sample of high risks to the manual to ensure controls were included. | As part of this audit, checks of the manual will be made. |
| Examine the assurance provided. For key risks, check that controls, and the management system of monitoring, are operating. | The annual check for a sample of departments was properly approved. |
| Monitoring Control | Audit Test | Test Result |
|---|---|---|
| Internal Audit department ensures all risks are allocated | Not considered necessary | |
| Internal Audit department ensures all risks are allocated | Not considered necessary | |
| The Internal Audit Manager checks that staff have been trained | Not considered necessary | |
| The HR Director signs off all appraisals and ensures risk management performance is included. | Not considered necessary | |
| The Audit Committee requires quarterly returns | Not considered necessary | |
| None - except that managers would complain if the risk appetite details were not present | | |
| Finance Director signs off ORCR | Checked ORCR for signature | ORCR signed |
| None - except that managers would complain if the standards were not present | n/a | n/a |
| HR Director signs off all targets | Checked a sample of annual targets. All contained appropriate requirements to maintain controls | |
| Internal Audit department ensures all risks are scored consistently | Not considered necessary | |
| None | | |
| Internal Audit department contacts all functions every quarter to update the ORCR | Examined the replies | |
| Internal Audit department ensures all risks have responses | Not considered necessary | |
| The Finance Director signs off Objective and Risk Register | Checked ORCR for signature | |
Risk maturity rating columns (Risk enabled, Risk managed, Risk defined, Risk aware, Risk naïve): each checklist row is marked YES in one of these columns; one row is n/a.

| Risk maturity | Characteristics | Internal audit action - risks | Internal audit action - controls |
|---|---|---|---|
| Risk enabled | Risk management and internal controls fully embedded into the operations | Audit risk management processes and use management assessment of risk as appropriate | Assume controls are as stated in the ORCR. Check that they are an adequate response to the risks. Test a small selection of controls over high inherent risks. |
| Risk managed | Enterprise approach to risk management developed and communicated | Audit risk management processes and use management assessment of risk as appropriate | Assume controls are as stated in the ORCR. Check that they are an adequate response to the risks. Test controls over high inherent risks. |
| Risk defined | Strategy and policies in place and communicated. Risk appetite defined | Facilitate risk management/liaise with risk management and use management assessment of risk where appropriate | Where controls are included in the ORCR check that they are an adequate response to the risks. Facilitate the determination of controls required to manage other risks. Test controls over high and medium inherent risks. |
| Risk aware | Scattered silo based approach to risk management | Promote enterprise-wide approach to risk management and rely on audit risk assessment | Determine the risks and controls necessary by holding workshops with appropriate managers and staff. Check controls over all risks considered unacceptable. |
| Risk naïve | No formal approach developed for risk management | Promote risk management and rely on audit risk assessment | Determine the risks and controls necessary by holding workshops with appropriate managers and staff, otherwise use internal audit's assessment. Use specialists if necessary. Check controls over all risks considered unacceptable. |
Risk and Audit Universe - for year 20X1
(unhide row 7 to see the database column titles)

Level 1 objective: Relieve famine in central Africa

| No. | L1 Risk | Level 2 objective | L2 Risk |
|---|---|---|---|
| 1 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Board do not define a strategy |
| 2 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Board do not define a strategy |
| 3 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy not communicated |
| 4 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy not put into action |
| 5 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy not put into action |
| 6 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy becomes out-of-date |
| 7 | Unable to predict where and when famines will occur | Predict famine areas | Poor rainfall |
| 8 | Unable to predict where and when famines will occur | Predict famine areas | Inadequate planting |
| 9 | Unable to predict where and when famines will occur | Predict famine areas | Crops grow badly |
| 10 | Unable to obtain food | Set up agreements with donors to obtain food | No food available |
| 11 | Unable to obtain food | Set up agreements with donors to obtain food | No orders placed for food to be delivered when required |
| 12 | Unable to obtain food | Set up agreements with donors to obtain food | No orders placed for food to be delivered when required |
| 13 | Unable to obtain food | Order food on open market | Pay too much for the food |
| 14 | Unable to obtain food | Order food on open market | Do not have sufficient funds |
| 15 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Can't deliver food to nearest distribution point |
| 16 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Can't deliver food to nearest distribution point |
| 17 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Can't deliver food to nearest docks |
| 22 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively |
| 23 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively |
| 24 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively |
| 20 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively |
| 18 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively |
| 19 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively |
| 21 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively |
| 25 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively |
| 26 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively |
| 27 | Inadequate resources to fund the operation | Raise money by all possible means | No donors have been identified |
| 28 | Inadequate resources to fund the operation | Raise money by all possible means | Public unaware of need |
| 29 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism |
| 30 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism |
| 31 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism |
| 32 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism |
| 33 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism |
| 34 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Break laws and regulations |
| 35 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Operate irresponsibly |
| 36 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Lose assets |
| 37 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Lose assets |
| 38 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions |
| 39 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions |
| 40 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions |
| 41 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions |
| 42 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions |
| 43 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions |
| 44 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions |
| 45 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions |
| 46 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions |
| 47 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions |
| | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Insufficient staff with required qualifications |
| 48 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Computer failure |
| 49 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Destruction of infrastructure |
| 50 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Country offices lack sufficient qualified staff and resources |

©David M Griffiths G RAU


As at 1 January 20X1

| Level 3 objective | Level 3 Risk | Objective type (COSO): operations, reporting or compliance |
|---|---|---|
| The board of the charity define the future aims and plans | Management do not support the strategy, with the result that it does not achieve its aims | Operations |
| The board of the charity define the future aims and plans | Strategy might not be the best to achieve our objectives | Operations |
| The strategy is converted into targets and action for all staff | People in the organization are unaware of the strategy | Operations |
| The strategy is converted into targets and action for all staff | Charity's aims not achieved effectively and efficiently. Possible loss of funds | Operations |
| The strategy is converted into targets and action for all staff | New projects do not add value | Operations |
| Aims and plans to be regularly updated as circumstances change | Charity does not achieve its objectives because strategy not updated | Operations |
| Receive weather reports and assess their long term impact | Reliable weather reports not available | Operations |
| Understand how much planting has been carried out | Planting reports not available or reliable | Operations |
| Understand what harvest is likely to be, using weather and planting reports | Do not correctly predict harvest | Operations |
| Monitor availability | Information on food stocks is not available | Operations |
| Order food from donors | Donor countries will not provide food | Operations |
| Order food from donors | Do not know quantities to order | Operations |
| Negotiate best rates possible | No negotiation skills | Operations |
| | See 'Inadequate resources' risks | Operations |
| Arrange sea transport | No ships available | Operations |
| Arrange sea transport | No suitable docking facilities near to famine area | Operations |
| Arrange sea transport | Do not negotiate best rates | Operations |
| Arrange land transport | Insufficient drivers available | Operations |
| Arrange land transport | Routes become impassable due to the weather | Operations |
| Arrange land transport | Routes become impassable due to bandits | Operations |
| Arrange land transport | Fuel not available for lorries | Operations |
| Arrange land transport | Labor to load lorries not available | Operations |
| Arrange land transport | Insufficient lorries to move food inland | Operations |
| Arrange land transport | Lorries break down | Operations |
| Arrange land transport | Do not know where camps are | Operations |
| Arrange land transport | Do not know where food is required most urgently | Operations |
| Identify potential donors | Donors are not willing to give | Operations |
| Advertise for funds | Don't get best value for money | Operations |
| Organize street collections | Insufficient collectors | Operations |
| Organize street collections | Money is lost or stolen | Operations |
| Organize door-to-door collections | Insufficient collectors | Operations |
| Organize door-to-door collections | Money is lost or stolen | Operations |
| Organize mail collections | Wrong database used | Operations |
| Operate organization according to legal requirements | Current requirements for Corporate Governance are not understood | Compliance |
| Operate organization according to social responsibility requirements | No policy on Corporate Social Responsibility (CSR) set up | Compliance |
| Safeguard money | Money is lost or stolen | Operations |
| Safeguard assets | Loss of the Charity's physical assets | Operations |
| Provide transaction processing | Money may be fraudulently removed | Operations |
| Provide transaction processing | Transactions posted to incorrect general ledger accounts | Operations |
| Provide purchasing services | Purchase goods and services which are not required | Operations |
| Provide purchasing services | Goods and services not purchased at optimum cost | Operations |
| Provide purchasing services | Goods and services are not received | Operations |
| Provide purchasing services | Goods and services are of poor quality | Operations |
| Provide transaction processing | Invoices paid when no goods or services are received | Operations |
| Provide transaction processing | Additions and disposals of fixed assets are not recorded | Operations |
| Provide transaction processing | Depreciation incorrectly calculated | Operations |
| Provide transaction processing | Quantities and/or values of stock are mis-stated | Operations |
| Provide an HR department | Fail to recruit staff with the right qualifications | Operations |
| Provide information technology | Provisions of the Data Protection Act not followed | Operations |
| Provide continuity | Head office destroyed | Operations |

(See individual ORCRs for more details)


| Risk source | Inherent Cons. | Inherent Like. | Inherent Sig. | Control | Function (see worksheet) |
|---|---|---|---|---|---|
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | All new board members are carefully recruited to ensure they support the aims and ethics of the charity. They have induction training when starting. | Board |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | The strategy is set after careful discussion, and a risk analysis by the board | Board |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | Managers brief all staff yearly. The strategy is on the intranet. New staff have an induction course. | Board |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | HR director meets with all management prior to the setting of targets to discuss the targets which will achieve the objectives | Board |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | All new projects must have a clear purpose, a risk analysis, and financial justification using @RISK | Board |
| Risk workshop with directors 15-Dec-20XX | 4 | 5 | 20 | Board discuss and update strategy at their October meeting | Board |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 4 | 2 | 8 | Check web for information available about rainfall | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 3 | 3 | 9 | Visit areas involved to talk to farmers | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 3 | 3 | 9 | To be determined | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 3 | 3 | 9 | To be determined | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 5 | 5 | 25 | To be determined | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 5 | 5 | 25 | To be determined | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 5 | 1 | 5 | To be determined | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 3 | 4 | 12 | To be determined | Aid Provision |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 5 | 2 | 10 | To be determined | Logistics |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 5 | 3 | 15 | To be determined | Logistics |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 5 | 3 | 15 | To be determined | Logistics |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 5 | 5 | 25 | List of drivers available for hire is kept by the compound office | Logistics |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 5 | 3 | 15 | Work with other agencies and the military to plan routes | Logistics |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 5 | 3 | 15 | The army escorts convoys | Logistics |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 5 | 5 | 25 | Fuel is stored in the compound | Logistics |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 5 | 1 | 5 | The warehouse provides loaders | Logistics |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 5 | 3 | 15 | Lorries are serviced and tested | Logistics |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 3 | 5 | 15 | Two mechanics are on the permanent staff | Logistics |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 5 | 5 | 25 | Charity has established a network of reliable local people with access to mobile phones | Logistics |
| Risk workshop with Logistics Director and his staff 15-Jan-20XX | 5 | 5 | 25 | Charity has established a network of reliable local people with access to mobile phones | Logistics |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 4 | 3 | 12 | To be determined | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 2 | 3 | 6 | To be determined | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 3 | 5 | 15 | List maintained of all street collectors | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Use established street collectors | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 3 | 5 | 15 | List maintained of all door-to-door collectors | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Use established door-to-door collectors | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 3 | 3 | 9 | None | Funding |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | To be determined | Board |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | To be determined | Board |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 4 | 5 | 20 | To be determined | Board |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 4 | 5 | 20 | To be determined | Board |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 3 | 4 | 12 | To be determined | Board |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 3 | 4 | 12 | To be determined | Board |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Invoices checked to orders and receipts before input | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Additions recorded from AP system. Disposals recorded from forms sent by managers | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Depreciation calculated by computer based on fixed asset categories | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance |
| Risk workshop with HR Director, IT manager and their staff 28-Jan-20XX | 3 | 4 | 12 | Job descriptions written for all jobs and candidates' CVs checked against these | Human Resources |
| Risk workshop with HR Director, IT manager and their staff 28-Jan-20XX | 3 | 4 | 12 | To be determined | Finance |
| Risk workshop with HR Director, IT manager and their staff 28-Jan-20XX | 5 | 3 | 15 | To be determined | Human Resources |


| Internal control owner | Monitoring control | Monitoring control owner | Residual risk: Cons. | Like. | Sig. | Control score (see worksheet) | Process |
|---|---|---|---|---|---|---|---|
| Managing Director | MD works to ensure any disagreements are resolved | Board | 5 | 3 | 15 | 10 | Set strategy |
| Managing Director | The strategy is turned into a forecast and targets, which are scrutinized by the board every month | Board | 5 | 2 | 10 | 15 | Set strategy |
| HR Director | None | None | 5 | 3 | 15 | 10 | Communicate strategy |
| HR Director and managers | HR director signs off all staff targets | HR director | 5 | 2 | 10 | 15 | Set targets |
| Managing Director | Finance Director approves all proposals before board meeting | Finance Director | 5 | 2 | 10 | 15 | New projects |
| Managing Director | MD's secretary checks agenda before sending to outsourced Legal Advisor for final approval | Legal Advisor | 4 | 2 | 8 | 12 | Update strategy |
| Aid Director | To be determined | | | | 0 | 8 | Predict famines |
| Aid Director | To be determined | | | | 0 | 9 | Predict famines |
| Aid Director | To be determined | | | | | 9 | Predict famines |
| Aid Director | To be determined | | | | 0 | 9 | Obtain food from donors |
| Aid Director | To be determined | | | | 0 | 25 | Obtain food from donors |
| Aid Director | To be determined | | | | 0 | 25 | Obtain food from donors |
| Aid Director | To be determined | | | | 0 | 5 | Buy food |
| Aid Director | To be determined | | | | 0 | 12 | Buy food |
| Logistics Director | To be determined | | | | 0 | 10 | Deliver food |
| Logistics Director | To be determined | | | | 0 | 15 | Deliver food |
| Logistics Director | To be determined | | | | 0 | 15 | Deliver food |
| Logistics Director | None | | 5 | 3 | 15 | 10 | Distribute food |
| Logistics Director | None | | 5 | 1 | 5 | 10 | Distribute food |
| Logistics Director | None | | 5 | 1 | 5 | 10 | Distribute food |
| Logistics Director | The supervisor maintains day-to-day control | Supervisor | 5 | 3 | 15 | 10 | Distribute food |
| Logistics Director | The supervisor maintains day-to-day control | Supervisor | 4 | 1 | 4 | 1 | Distribute food |
| Logistics Director | The supervisor maintains day-to-day control | Supervisor | 5 | 2 | 10 | 5 | Distribute food |
| Logistics Director | The supervisor maintains day-to-day control | Supervisor | 3 | 3 | 9 | 6 | Distribute food |
| Logistics Director | Country manager maintains contact with local people | Supervisor | 5 | 2 | 10 | 15 | Distribute food |
| Logistics Director | Country manager maintains contact with local people | Supervisor | 5 | 2 | 10 | 15 | Distribute food |
| Marketing Director | To be determined | | | | 0 | 12 | Contact donors |
| Marketing Director | To be determined | | | | 0 | 6 | Advertise |
| Marketing Director | None | n/a | 3 | 3 | 9 | 6 | Street collections |
| Marketing Director | None | n/a | 2 | 2 | 4 | 4 | Street collections |
| Marketing Director | None | n/a | 3 | 2 | 6 | 9 | Door-to-door collections |
| Marketing Director | None | n/a | 2 | 2 | 4 | 4 | Door-to-door collections |
| Marketing Director | None | n/a | 3 | 3 | 9 | 0 | Mail appeals |
| Audit Committee Chairman | To be determined | | | | 0 | 25 | Establish integrity and ethical values |
| Managing Director | To be determined | | | | 0 | 25 | Establish corporate social responsibility policy |
| Finance Director | To be determined | | | | 0 | 20 | Account for cash |
| Various | To be determined | | | | 0 | 20 | Account for fixed assets |
| Finance Director | To be determined | | | | 0 | 12 | Account for cash |
| Accountant | To be determined | | | | 0 | 12 | General ledger update |
| Purchasing Manager | To be determined | | | | 0 | 8 | Purchasing |
| Purchasing Manager | To be determined | | | | 0 | 8 | Purchasing |
| Purchasing Manager | To be determined | | | | 0 | 8 | Purchasing |
| Purchasing Manager | To be determined | | | | 0 | 8 | Purchasing |
| Accounts Payable Manager | Budgets set and variances explained | Departmental Managers | 2 | 2 | 4 | 4 | Pay suppliers |
| Assistant Accountant | Physical inventory checks | Internal Audit | 2 | 2 | 4 | 4 | Account for fixed assets |
| Assistant Accountant | Budgets set and variances explained | Departmental Managers | 2 | 2 | 4 | 4 | Account for fixed assets |
| Assistant Accountant | To be determined | | 2 | 2 | 4 | 4 | Account for stock |
| HR Director | HR attend interviews and approve offer letters | HR Director | 2 | 2 | 4 | 8 | Recruit staff |
| IT Manager | To be determined | | 2 | 2 | 4 | 8 | Provide IT |
| Various | To be determined | | 2 | 2 | 4 | 11 | Contingency planning |


| Audit group | Test schedule | Test ref. number | Last audit: are the risks being managed to acceptable levels? | Last audit year | Last audit number | Audit name |
|---|---|---|---|---|---|---|
| A Strategy setting and update | Strategy examined to ensure it is up-to-date. Board members interviewed about their support for the strategy and training. | 130/G8 | green | 20X0 | 130 | Strategy setting and update |
| A Strategy setting and update | Risk analysis of the latest strategy examined | 131/G10 | amber | 20X0 | 131 | Strategy setting and update |
| B Strategy Communication | Interviewed staff about their knowledge of the strategy. Looked at the intranet and induction course contents. | 131/G2 | red | 20X0 | 131 | Strategy Communication |
| C Staff targets | Examine staff targets for HR director approval | | never done | n/a | | never done |
| D Project Approval | Examine all new proposals for FD approval and use of @RISK | | never done | n/a | | never done |
| A Strategy setting and update | Examine October board minutes for director update of strategy. | 130/G15 | green | 20X0 | 130 | Strategy setting and update |
| F Famine predicting | To be decided | | never done | n/a | | never done |
| F Famine predicting | To be decided | | never done | n/a | | never done |
| F Famine predicting | To be decided | | never done | n/a | | never done |
| G Donated food | To be decided | | never done | n/a | | never done |
| G Donated food | To be decided | | never done | n/a | | never done |
| G Donated food | To be decided | | never done | n/a | | never done |
| I Purchases | To be decided | | never done | n/a | | never done |
| I Purchases | To be decided | | never done | n/a | | never done |
| J Transport of food to country | To be decided | | never done | n/a | | never done |
| J Transport of food to country | To be decided | | never done | n/a | | never done |
| J Transport of food to country | To be decided | | never done | n/a | | never done |
| K Transport of food to camps | Checked list. It is not regularly updated | 146/G3 | red | 20X0 | 146 | Transport of food to camps |
| K Transport of food to camps | Checked the last plan. Examine dates of collection and delivery | 146/G5 | green | 20X0 | 146 | Transport of food to camps |
| K Transport of food to camps | Asked drivers and supervisor about escorts | | green | 20X0 | 146 | Transport of food to camps |
| K Transport of food to camps | Checked fuel tanks | 146/G7 | red | 20X0 | 146 | Transport of food to camps |
| K Transport of food to camps | Supervisor said no problem in the past | n/a | green | 20X0 | 146 | Transport of food to camps |
| K Transport of food to camps | Requested a ride in the lorries | | red | 20X0 | 146 | Transport of food to camps |
| K Transport of food to camps | Talked to mechanics. Examine work sheets | | Red | 20X0 | 146 | Transport of food to camps |
| K Transport of food to camps | Checked list of Country Manager's local contacts. Phoned a sample | 146/G9 | Green | 20X0 | 146 | Transport of food to camps |
| K Transport of food to camps | Checked list of Country Manager's local contacts. Phoned a sample | 146/G9 | Green | 20X0 | 146 | Transport of food to camps |
| L Donor communication | To be decided | | never done | n/a | | never done |
| M Publicity | To be decided | | never done | n/a | | never done |
| N Funding through street collections | Checked existence of list held on a spreadsheet. | 147/G2 | Red | 20X0 | 147 | Street Collections |
| N Funding through street collections | Checked returns from last street collection to list | 147/G4 | Amber | 20X0 | 147 | Street Collections |
| O Funding through door-to-door collections | Checked existence of list held on a spreadsheet. | 148/G2 | green | 20X0 | 148 | Door-to-door collections |
| O Funding through door-to-door collections | Checked returns from last door-to-door collection to list | 148/G4 | green | 20X0 | 148 | Door-to-door collections |
| P Funding through mail appeals | Check the mailing list to ensure another spreadsheet cannot be used as the basis for the mailing instead of the correct list | 149/G6 | Red | 20X0 | 149 | Mail appeals |
| Q Governance requirements (e.g. COSO) | To be decided | | never done | n/a | | never done |
| R Corporate social responsibility | To be decided | | never done | n/a | | never done |
| S Bank and cash | To be decided | | never done | n/a | | never done |
| T Fixed assets | To be decided | | never done | n/a | | never done |
| S Bank and cash | To be decided | | never done | n/a | | never done |
| V General ledger | To be decided | | never done | n/a | | never done |
| W Purchasing | To be decided | | never done | n/a | | never done |
| W Purchasing | To be decided | | never done | n/a | | never done |
| W Purchasing | To be decided | | never done | n/a | | never done |
| W Purchasing | To be decided | | never done | n/a | | never done |
| X Accounts Payable | Sample of invoices checked for appropriate approval | | amber | 20X0 | 150 | Accounts Payable |
| T Fixed assets | Checked FA suspense account balance is zero at month-end. Carried out physical inventories | | green | 20X0 | 151 | Fixed assets |
| T Fixed assets | Checked depreciation rates for asset categories | | green | 20X0 | 152 | Fixed assets |
| Y Stock | To be decided | | never done | n/a | | never done |
| Z Human Resources | Select some recent appointments and check CVs of interviewed candidates against job description | | never done | n/a | | never done |
| AA Information Technology | To be decided | | never done | n/a | | never done |
| AB Contingency planning | To be decided | | never done | n/a | | never done |


Last audit details 20X0 and before

| Last budget | Last actual | Last audit timing | Last auditor | Last final report target | Last final report achieved | Final report number | Follow-up audit date | Follow-up audit result | Adjusted inherent score: gap |
|---|---|---|---|---|---|---|---|---|---|
| 5 | 5 | June 20X0 | Khan | July 20 20X0 | July 20 20X0 | 130F | October 20X0 | green | 1 |
| | | June 20X0 | Khan | July 20 20X0 | July 20 20X0 | 131F | October 20X0 | green | 1 |
| 5 | 5 | July 20X0 | Smith | July 20 20X0 | August 20 20X0 | 131F | November 20X0 | green | 1 |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | June 20X0 | Khan | July 20 20X0 | July 20 20X0 | 130F | October 20X0 | green | 1 |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| 50 | 52 | Feb 20X0 | Smith/Khan | 8 March 20X0 | 8 March 20X0 | 146F | Sept 20X0 | Green | 2 |
| | | Feb 20X0 | Smith/Khan | 8 March 20X0 | 8 March 20X0 | 146F | Sept 20X0 | Green | 2 |
| | | Feb 20X0 | Smith/Khan | 8 March 20X0 | 8 March 20X0 | 146F | Sept 20X0 | Green | 2 |
| | | Feb 20X0 | Smith/Khan | 8 March 20X0 | 8 March 20X0 | 146F | Sept 20X0 | Green | 2 |
| | | Feb 20X0 | Smith/Khan | 8 March 20X0 | 8 March 20X0 | 146F | Sept 20X0 | Green | 2 |
| | | Feb 20X0 | Smith/Khan | 8 March 20X0 | 8 March 20X0 | 146F | Sept 20X0 | Green | 2 |
| | | Feb 20X0 | Smith/Khan | 8 March 20X0 | 8 March 20X0 | 146F | Sept 20X0 | Green | 2 |
| | | Feb 20X0 | Smith/Khan | 8 March 20X0 | 8 March 20X0 | 146F | Sept 20X0 | Green | 2 |
| | | Feb 20X0 | Smith/Khan | 8 March 20X0 | 8 March 20X0 | 146F | Sept 20X0 | Green | 2 |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| 10 | 10 | May 20X0 | Smith | 6 June 20X0 | 10 June 20X0 | 147F | November 20X0 | Red | |
| | | May 20X0 | Smith | 6 June 20X0 | 10 June 20X0 | 147F | November 20X0 | Amber | |
| 10 | 10 | May 20X0 | Khan | 16 June 20X0 | 16 June 20X0 | 148F | November 20X0 | green | |
| | | May 20X0 | Khan | 16 June 20X0 | 16 June 20X0 | 148F | November 20X0 | green | |
| 10 | 10 | May 20X0 | Doe | 8 June 20X0 | 8 June 20X0 | 149F | November 20X0 | green | |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| 20 | 20 | July 20X0 | July 20X0 | 10 August 20X0 | 10 August 20X0 | 150F | December 20X0 | green | |
| 10 | 10 | July 20X0 | July 20X0 | 10 August 20X0 | 10 August 20X0 | n/a | n/a | | |
| | | July 20X0 | July 20X0 | 10 August 20X0 | 10 August 20X0 | n/a | n/a | | |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| | | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |


Current / Next audit details for 20X1

| Adjusted inherent score: factor | Adjusted inherent score: sig. | Next audit number | Next audit name | Status | Next audit budget (days) | Next audit timing or year | Next auditor | Next final report target | Next final report achieved | 20X1 opinion on risk achieved |
|---|---|---|---|---|---|---|---|---|---|---|
| 0.25 | 6.25 | 200 | | | | | | | | |
| 0.5 | 12.5 | 200 | | | | | | | | |
| 0.75 | 18.75 | 201 | | | | | | | | |
| 0 | | 202 | | | | | | | | |
| 0 | | 203 | | | | | | | | |
| 0.25 | 5 | 200 | | | | | | | | |
| 0 | | No audit | | | | | | | | |
| 0 | | No audit | | | | | | | | |
| 0 | | No audit | | | | | | | | |
| 0 | | 204 | | | | | | | | |
| 0 | | 204 | | | | | | | | |
| 0 | | 204 | | | | | | | | |
| 0 | | 205 | | | | | | | | |
| 0 | | 205 | | | | | | | | |
| 0 | | 206 | | | | | | | | |
| 0 | | 206 | | | | | | | | |
| 0 | | 206 | | | | | | | | |
| 1 | 25 | | | | | 20X2 | | | | |
| 0.5 | 7.5 | | | | | 20X2 | | | | |
| 0.5 | 7.5 | | | | | 20X2 | | | | |
| 1 | 25 | | | | | 20X2 | | | | |
| 0.5 | 2.5 | | | | | 20X2 | | | | |
| 1 | 15 | | | | | 20X2 | | | | |
| 1 | 15 | | | | | 20X2 | | | | |
| 0.5 | 12.5 | | | | | | | | | |
| 0.5 | 12.5 | | | | | | | | | |
| 0 | | | | | | | | | | |

TOTAL (days)

Available (3 auditors):
Weekdays 780
Holidays (90)
Training (15)
Projects (200)
Secondments (50)
Available for other audits 425


Risk Based Internal Auditing - An introduction
Audit plan for year 20X1
As at 31 March 20X1
(unhide row 7 to see the database column titles)

Level 1 objective: Relieve famine in central Africa

| No. | L1 risk | Level 2 objective | L2 risk | Level 3 objective | Level 3 risk | Objective type (COSO): operations, reporting or compliance |
|---|---|---|---|---|---|---|
| 1 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Board do not define a strategy | The board of the charity define the future aims and plans | Management do not support the strategy with the result that it does not achieve its aims | Operations |
| 2 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Board do not define a strategy | The board of the charity define the future aims and plans | Strategy might not be the best to achieve our objectives | Operations |
| 3 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy not communicated | The strategy is converted into targets and action for all staff | People in the organization are unaware of the strategy | Operations |
| 4 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy not put into action | The strategy is converted into targets and action for all staff | Charity's aims not achieved effectively and efficiently. Possible loss of funds | Operations |
| 5 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy not put into action | The strategy is converted into targets and action for all staff | New projects do not add value | Operations |
| 6 | No clear strategy as to how to achieve our objective | Devise a strategy for the next five years to deliver our objectives | Strategy becomes out-of-date | Aims and plans to be regularly updated as circumstances change | Charity does not achieve its objectives because strategy not updated | Operations |
| 7 | Unable to predict where and when famines will occur | Predict famine areas | Poor rainfall | Receive weather reports and assess their long term impact | Reliable weather reports not available | Operations |
| 8 | Unable to predict where and when famines will occur | Predict famine areas | Inadequate planting | Understand how much planting has been carried out | Planting reports not available or reliable | Operations |
| 9 | Unable to predict where and when famines will occur | Predict famine areas | Crops grow badly | Understand what harvest is likely to be, using weather and planting reports | Do not correctly predict harvest | Operations |
| 10 | Unable to obtain food | Set up agreements with donors to obtain food | No food available | Monitor availability | Information on food stocks is not available | Operations |
| 11 | Unable to obtain food | Set up agreements with donors to obtain food | No orders placed for food to be delivered when required | Order food from donors | Donor countries will not provide food | Operations |
| 12 | Unable to obtain food | Set up agreements with donors to obtain food | No orders placed for food to be delivered when required | Order food from donors | Do not know quantities to order | Operations |
| 13 | Unable to obtain food | Order food on open market | Pay too much for the food | Negotiate best rates possible | No negotiation skills | Operations |
| 14 | Unable to obtain food | Order food on open market | Do not have sufficient funds | | See 'Inadequate resources' risks | Operations |
| 15 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Can't deliver food to nearest distribution point | Arrange sea transport | No ships available | Operations |
| 16 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Can't deliver food to nearest distribution point | Arrange sea transport | No suitable docking facilities near to famine area | Operations |
| 17 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Can't deliver food to nearest docks | Arrange sea transport | Do not negotiate best rates | Operations |
| 22 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Insufficient drivers available | Operations |
| 23 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Routes become impassable due to the weather | Operations |
| 24 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Routes become impassable due to bandits | Operations |
| 20 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Fuel not available for lorries | Operations |
| 18 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Labor to load lorries not available | Operations |
| 19 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Insufficient lorries to move food inland | Operations |
| 21 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Lorries break down | Operations |
| 25 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Do not know where camps are | Operations |
| 26 | Unable to deliver the food to the starving | Establish a supply chain to ensure prompt delivery of food to the highest priority area | Don't distribute food efficiently and effectively | Arrange land transport | Do not know where food is required most urgently | Operations |
| 27 | Inadequate resources to fund the operation | Raise money by all possible means | No donors have been identified | Identify potential donors | Donors are not willing to give | Operations |
| 28 | Inadequate resources to fund the operation | Raise money by all possible means | Public unaware of need | Advertise for funds | Don't get best value for money | Operations |
| 29 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism | Organize street collections | Insufficient collectors | Operations |
| 30 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism | Organize street collections | Money is lost or stolen | Operations |
| 31 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism | Organize door-to-door collections | Insufficient collectors | Operations |
| 32 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism | Organize door-to-door collections | Money is lost or stolen | Operations |
| 33 | Inadequate resources to fund the operation | Raise money by all possible means | No collection mechanism | Organize mail collections | Wrong database used | Operations |
| 34 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Break laws and regulations | Operate organization according to legal requirements | Current requirements for Corporate Governance are not understood | Compliance |
| 35 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Operate irresponsibly | Operate organization according to social responsibility requirements | No policy on Corporate Social Responsibility (CSR) set up | Compliance |
| 36 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Lose assets | Safeguard money | Money is lost or stolen | Operations |
| 37 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Lose assets | Safeguard assets | Loss of the Charity's physical assets | Operations |
| 38 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Money may be fraudulently removed | Operations |
| 39 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Transactions posted to incorrect general ledger accounts | Operations |
| 40 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide purchasing services | Purchase goods and services which are not required | Operations |
| 41 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide purchasing services | Goods and services not purchased at optimum cost | Operations |
| 42 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide purchasing services | Goods and services are not received | Operations |
| 43 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide purchasing services | Goods and services are of poor quality | Operations |
| 44 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Invoices paid when no goods or services are received | Operations |
| 45 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Additions and disposals of fixed assets are not recorded | Operations |
| 46 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Depreciation incorrectly calculated | Operations |
| 47 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Account incorrectly for transactions | Provide transaction processing | Quantities and/or values of stock are mis-stated | Operations |
| | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Insufficient staff with required qualifications | Provide an HR department | Fail to recruit staff with the right qualifications | Operations |
| 48 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Computer failure | Provide information technology | Provisions of the Data Protection Act not followed | Operations |
| 49 | Inadequate resources to deliver the objectives | Employ sufficient, suitably qualified staff using sufficient resources | Destruction of infrastructure | Provide continuity | Head office destroyed | Operations |

©David M Griffiths H Audit plan 20X1


| Risk source | Inherent risk: Cons. | Like. | Sig. | Control | Function (see worksheet) |
|---|---|---|---|---|---|
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | All new board members are carefully recruited to ensure they support the aims and ethics of the charity. They have induction training when starting. | Board |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | The strategy is set after careful discussion, and a risk analysis by the board | Board |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | Managers brief all staff yearly. The strategy is on the intranet. New staff have an induction course. | Board |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | HR director meets with all management prior to the setting of targets to discuss the targets which will achieve the objectives | Board |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | All new projects must have a clear purpose, a risk analysis, financial justification using @RISK | Board |
| Risk workshop with directors 15-Dec-20XX | 4 | 5 | 20 | Board discuss and update strategy at their October meeting | Board |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 4 | 2 | 8 | Check web for information available about rainfall | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 3 | 3 | 9 | Visit areas involved to talk to farmers | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 3 | 3 | 9 | To be determined | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 3 | 3 | 9 | To be determined | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 5 | 5 | 25 | To be determined | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 5 | 5 | 25 | To be determined | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 5 | 1 | 5 | To be determined | Aid Provision |
| Risk workshop with Aid Director and her staff 10-Jan-20XX | 3 | 4 | 12 | To be determined | Aid Provision |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 2 | 10 | To be determined | Logistics |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 3 | 15 | To be determined | Logistics |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 3 | 15 | To be determined | Logistics |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 5 | 25 | List of drivers available for hire is kept by the compound office | Logistics |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 3 | 15 | Work with other agencies and the military to plan routes | Logistics |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 3 | 15 | The army escorts convoys | Logistics |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 5 | 25 | Fuel is stored in the compound | Logistics |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 1 | 5 | The warehouse provides loaders | Logistics |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 3 | 15 | Three lorries are available | Logistics |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 3 | 5 | 15 | Two mechanics are on the permanent staff | Logistics |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 5 | 25 | Charity has established a network of reliable local people with access to mobile phones | Logistics |
| Risk workshop with Logistics director and his staff 15-Jan-20XX | 5 | 5 | 25 | Charity has established a network of reliable local people with access to mobile phones | Logistics |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 4 | 3 | 12 | To be determined | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 2 | 3 | 6 | To be determined | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 3 | 5 | 15 | List maintained of all street collectors | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Use established street collectors | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 3 | 5 | 15 | List maintained of all door-to-door collectors | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Use established door-to-door collectors | Funding |
| Risk workshop with Marketing Director and her staff 25-Jan-20XX | 3 | 3 | 9 | None | Funding |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | To be determined | Board |
| Risk workshop with directors 15-Dec-20XX | 5 | 5 | 25 | To be determined | Board |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 4 | 5 | 20 | To be determined | Board |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 4 | 5 | 20 | To be determined | Board |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 3 | 4 | 12 | To be determined | Board |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 3 | 4 | 12 | To be determined | Board |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Invoices checked to orders and receipts before input | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Additions recorded from AP system. Disposals recorded from forms sent by managers | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | Depreciation calculated by computer based on fixed asset categories | Finance |
| Risk workshop with Finance Director and her staff 25-Jan-20XX | 2 | 4 | 8 | To be determined | Finance |
| Risk workshop with HR Director, IT manager and their staff 28-Jan-20XX | 3 | 4 | 12 | Job descriptions written for all jobs and candidates' CVs checked against these | Human Resources |
| Risk workshop with HR Director, IT manager and their staff 28-Jan-20XX | 3 | 4 | 12 | To be determined | Finance |
| Risk workshop with HR Director, IT manager and their staff 28-Jan-20XX | 5 | 3 | 15 | To be determined | Human Resources |


Internal Monitoring
Control
control Monitoring control control Residual risks score Process
owner owner

(See
Cons. Like. Sig.
worksheet)

Managing MD works to ensure any


Board 5 3 15 10 Set strategy
Director disagreements are resolved

The strategy is turned into a


Managing forecast and targets, which are
Board 5 2 10 15 Set strategy
Director scrutinized by the board every
month

Communicate
HR Director None None 5 3 15 10
strategy

HR Director
HR director signs off all staff targets HR director 5 2 10 15 Set targets
and managers

Managing Finance Director approves all Finance


5 2 10 15 New projects
Director proposals before board meeting Director

MD's secretary checks agenda


Managing
before sending to outsourced Legal Legal Advisor 4 2 8 12 Update strategy
Director
Advisor for final approval

Aid Director To be determined 0 8 Predict famines

Aid Director To be determined 0 9 Predict famines

Aid Director To be determined 9 Predict famines

Obtain food from


Aid Director To be determined 0 9
donors
Obtain food from
Aid Director To be determined 0 25
donors
Obtain food from
Aid Director To be determined 0 25
donors

Aid Director To be determined 0 5 Buy food

Aid Director To be determined 0 12 Buy food

Logistics
To be determined 0 10 Deliver food
Director



Logistics
To be determined 0 15 Deliver food
Director

Logistics
To be determined 0 15 Deliver food
Director

None
Logistics
5 3 15 10 Distribute food
Director

None
Logistics
5 1 5 10 Distribute food
Director

None
Logistics
5 1 5 10 Distribute food
Director

The supervisor maintains day-to-


Logistics day control Supervisor 5 3 15 10 Distribute food
Director

The supervisor maintains day-to-


Logistics day control Supervisor 4 1 4 1 Distribute food
Director

The supervisor maintains day-to-


Logistics day control Supervisor 5 2 10 5 Distribute food
Director

The supervisor maintains day-to-


Logistics day control Supervisor 3 3 9 6 Distribute food
Director

Country manager maintains contact


Logistics with local people Supervisor 5 2 10 15 Distribute food
Director

Country manager maintains contact


Logistics with local people Supervisor 5 2 10 15 Distribute food
Director

Marketing
To be determined 0 12 Contact donors
Director
Marketing
To be determined 0 6 Advertise
Director
Marketing
None n/a 3 3 9 6 Street collections
Director
Marketing
None n/a 2 2 4 4 Street collections
Director

Marketing Door-to door


None n/a 3 2 6 9
Director collections

Marketing Door-to door


None n/a 2 2 4 4
Director collections

Marketing
None n/a 3 3 9 0 Mail appeals
Director

Audit
Establish integrity
Committee To be determined 0 25
and ethical values
Chairman
Establish corporate
Managing
To be determined 0 25 social responsibility
Director
policy

Finance
To be determined 0 20 Account for cash
Director



Account for fixed
Various To be determined 0 20
assets

Finance
To be determined 0 12 Account for cash
Director

General ledger
Accountant To be determined 0 12
update

Purchasing
To be determined 0 8 Purchasing
Manager

Purchasing
To be determined 0 8 Purchasing
Manager

Purchasing
To be determined 0 8 Purchasing
Manager

Purchasing
To be determined 0 8 Purchasing
Manager

Accounts
Budgets set and variances Departmental
Payable 2 2 4 4 Pay suppliers
explained Managers
Manager

Assistant Account for fixed


Physical inventory checks Internal Audit 2 2 4 4
Accountant assets

Assistant Budgets set and variances Departmental Account for fixed


2 2 4 4
Accountant explained Managers assets

Assistant
To be determined 2 2 4 4 Account for stock
Accountant

HR attend interviews and approve


HR Director HR Director 2 2 4 8 Recruit staff
offer letters

IT Manager To be determined 2 2 4 8 Provide IT

Various To be determined 2 2 4 11 Contingency planning



Audit Group | Test | Test schedule ref. | Last audit opinion (Are the risks being managed to acceptable levels?) | Last audit date (year) | Last audit number | Audit name

Strategy examined to ensure it is


A Strategy setting up-to-date. Board members Strategy setting
130/G8 yes 20X0 130
and update interviewed about their support for and update
the strategy and training.

Risk analysis of the latest strategy Strategy setting


A Strategy setting 131/G10 exception 20X0 130
examined and update

Interviewed staff about their


B Strategy knowledge of the strategy. Looked Strategy
131/G2 no 20X0 131
Communication at the intranet. And induction Communication
course contents.

Examine staff targets for HR never


C Staff targets never done n/a
director approval done

Examine all new proposals for FD never


D Project Approval never done n/a
approval and use of @RISK done

A Strategy setting Examine October board minutes Strategy setting


130/G15 yes 20X0 130
and update for director update of strategy. and update

never
F Famine predicting To be decided never done n/a
done
never
F Famine predicting To be decided never done n/a
done

never
F Famine predicting To be decided never done n/a
done

never
G Donated food To be decided never done n/a
done
never
G Donated food To be decided never done n/a
done
never
G Donated food To be decided never done n/a
done
never
I Purchases To be decided never done n/a
done
never
I Purchases To be decided never done n/a
done

J Transport of food never


To be decided never done n/a
to country done



J Transport of food never
To be decided never done n/a
to country done

J Transport of food never


To be decided never done n/a
to country done

Checked list. It is not regularly no Transport of


K Transport of food updated food to camps
146/G3 20X0 146
to camps

Checked the last plan. Examine Transport of


K Transport of food dates of collection and delivery food to camps
146/G5 yes 20X0 146
to camps

Asked drivers and supervisor about Transport of


K Transport of food escorts food to camps
yes 20X0 146
to camps

Checked fuel tanks no Transport of


K Transport of food food to camps
146/G7 20X0 146
to camps

Supervisor said no problem in the Transport of


K Transport of food past food to camps
n/a yes 20X0 146
to camps

Requested a ride in the lorries no Transport of


K Transport of food food to camps
20X0 146
to camps

Talked to mechanics. Examine no Transport of


K Transport of food work sheets food to camps
20X0 146
to camps

Checked list of Country Manager's Transport of


K Transport of food local contacts. Phoned a sample food to camps
146/G9 Green 20X0 146
to camps

Checked list of Country Manager's Transport of


K Transport of food local contacts. Phoned a sample food to camps
146/G9 Green 20X0 146
to camps

L Donor never
To be decided never done n/a
communication done
never
M Publicity To be decided never done n/a
done
N Funding through Checked existence of list held on a no Street
147/G2 20X0 147
street collections spreadsheet. Collections
N Funding through Checked returns from last street Street
147/G4 exception 20X0 147
street collections collection to list Collections
O Funding through
Checked existence of list held on a Door-to-door
door-to-door 148/G2 yes 20X0 148
spreadsheet. collections
collections
O Funding through
Checked returns from last door-to- Door-to-door
door-to-door 148/G4 yes 20X0 148
door collection to list collections
collections
no
Check the mailing list to ensure
P Funding through another spreadsheet cannot be
149/G6 20X0 149 Mail appeals
mail appeals used as the basis for the mailing
instead of the correct list

Q Governance
never
requirements To be decided never done n/a
done
(e.g.COSO)

R Corporate social never


To be decided never done n/a
responsibility done

never
S Bank and cash To be decided never done n/a
done



never
T Fixed assets To be decided never done n/a
done

never
S Bank and cash To be decided never done n/a
done

never
V General ledger To be decided never done n/a
done

never
W Purchasing To be decided never done n/a
done

never
W Purchasing To be decided never done n/a
done

never
W Purchasing To be decided never done n/a
done

never
W Purchasing To be decided never done n/a
done

Sample of invoices checked for Accounts


X Accounts Payable exception 20X0 150
appropriate approval Payable

Checked FA suspense account


T Fixed assets balance is zero at month-end. yes 20X0 151 Fixed assets
Carried out physical inventories

Checked depreciation rates for


T Fixed assets yes 20X0 152 Fixed assets
asset categories

never
Y Stock To be decided never done n/a
done

Select some recent appointments


Z Human never
and check CVs of interviewed never done n/a
Resources done
candidates against job description

AA Information never
To be decided never done n/a
Technology done

AB Contingency never
To be decided never done n/a
planning done



Last audit details 20X0 and before
Last audit Budget | Last audit actual | Last timing | Last auditor | Last final report Target | Final report achieved | Follow-up audit number | Follow-up audit date | Follow-up audit result | Gap

July 20
5 5 June 20X0 Khan July 20 20X0 130F October 20X0 yes 1
20X0

July 20
June 20X0 Khan July 20 20X0 131F October 20X0 yes 1
20X0

August 20 November
5 5 July 20X0 Smith July 20 20X0 131F yes 1
20X0 20X0

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

July 20
June 20X0 Khan July 20 20X0 130F October 20X0 yes 1
20X0

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a



n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

50 52 Feb 20X0 Smith/ 8 March 8 March 146F Sept 20X0


Khan 20X0 20X0 yes 2

Feb 20X0 Smith/ 8 March 8 March 146F Sept 20X0


Khan 20X0 20X0 yes 2

Feb 20X0 Smith/ 8 March 8 March 146F Sept 20X0


Khan 20X0 20X0 yes 2

Feb 20X0 Smith/ 8 March 8 March 146F Sept 20X0


Khan 20X0 20X0 yes 2

Feb 20X0 Smith/ 8 March 8 March 146F Sept 20X0


Khan 20X0 20X0 yes 2

Feb 20X0 Smith/ 8 March 8 March 146F Sept 20X0


Khan 20X0 20X0 yes 2

Feb 20X0 Smith/ 8 March 8 March 146F Sept 20X0


Khan 20X0 20X0 yes 2

Feb 20X0 Smith/ 8 March 8 March 146F Sept 20X0


Khan 20X0 20X0 2

Feb 20X0 Smith/ 8 March 8 March 146F Sept 20X0


Khan 20X0 20X0 2

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

6 June 10 June November no


10 10 May 20X0 Smith 147F
20X0 20X0 20X0
6 June 10 June November
May 20X0 Smith 147F exception
20X0 20X0 20X0

16 June 16 June November


10 10 May 20X0 Khan 148F
20X0 20X0 20X0

16 June 16 June November


May 20X0 Khan 148F
20X0 20X0 20X0

8 June November
10 10 May 20X0 Doe 8 June 20X0 149F yes
20X0 20X0

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a



n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

10 August 10 August December


20 20 July 20X0 July 20X0 150F yes
20X0 20X0 20X0

10 August 10 August
10 10 July 20X0 July 20X0 n/a n/a
20X0 20X0

10 August 10 August
July 20X0 July 20X0 n/a n/a
20X0 20X0

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a n/a n/a n/a



Current / Next audit details for 20X1
Adj factor | Adj IRS (Sig) | Next audit number | Next audit name | Next audit Budget (days) | Next timing (quarter or year) | Next auditor | Status | Next final report target

0.25 6.25 200 Strategy setting and update 30 Q2 Khan scope 6 June 20X1

0.5 12.5 200 Strategy setting and update Q2 Khan scope 6 June 20X1

0.75 18.75 201 Strategy Communication 21 Q2 Smith To start 29 June 20X1

0 202 Staff targets 10 Q1 Complete 20 March 20X1

0 203 Project Approval 17 Q2 Doe To start 20 June 20X1

0.25 5 200 Strategy setting and update Q2 Khan scope 6 June 20X1

0 No audit

0 No audit

0 No audit

0 204 Food donations 20 Q2 Smith fieldwork 9 May 20X1

0 204 Food donations Q2 Smith fieldwork 9 May 20X1

0 204 Food donations Q2 Smith fieldwork 9 May 20X1

0 205 Purchases 25 Q2 Doe fieldwork 23 May 20X1

0 205 Purchases Q2 Doe fieldwork 23 May 20X1

0 206 J Transport of food to country 17 Q1 8 March 20X1



0 206 J Transport of food to country Q1 8 March 20X1

0 206 J Transport of food to country Q1 8 March 20X1

1 25 No audit

0.5 7.5 No audit

0.5 7.5 No audit

1 25 No audit

0.5 2.5 No audit

1 15 No audit

1 15 No audit

0.5 12.5 No audit

0.5 12.5 No audit

No audit

No audit

0 214 Street Collections 10 Q2 Khan To start 20 July 20X1

0 No audit

0 No audit

0 No audit

0 No audit

0 207 Corporate Governance 30 Q2 Khan scope 18 April 20X1

0 208 Corporate Social Responsibility 30 Q1 Doe report 18 April 20X1

0 209 Investments 20 Q2 Doe scope 3 July 20X1



0 210 Security of assets 30 Q2 Smith 6 June 20X1

0 211 Bank and cash 20 Q3 Doe To start 21 September 20X1

0 212 General ledger 10 Q1 Complete 8 March 20X1

0 No audit

0 No audit

0 No audit

0 No audit

0 No audit

0 No audit

0 No audit

0 No audit

0 213 Recruitment 20 Q2 Khan To start 3 July 20X1

0 No audit

0 No audit

Annual budget
(days)
TOTAL audits 310

Available (3 auditors)

Weekdays 780
Holidays (90)
Training (15)
Projects (50) (Projects includes systems developments and unplanned secondments)
Secondments (100)
Total available 525
Available for other audits
215
Q3 and Q4



Next final report Achieved | 20X1 opinion on risk
21 March 20X1
8 March 20X1
8 March 20X1
8 March 20X1


Risk Based Internal Auditing - An introduction
Column Key

No: Line number. Needs resetting after each change. Used to sort the spreadsheet.
L1 Risks: Risk threatening a top level objective
L2 Objectives: Level 2 objective which aims to control the level 1 risk to which it is attached
L2 Risks: Risk threatening a level 2 objective
L3 Objectives: Level 3 objective which aims to control the level 2 risk to which it is attached
L3 Risks: Risk threatening a level 3 objective
Objective type (COSO): Operations, reporting or compliance
Risk source: Who identified the risk (management, risk workshop, auditor, meeting)
IRC: Inherent risk consequence score
IRL: Inherent risk likelihood score
IRS: Inherent risk scores multiplied (Inherent Risk Significance score)
Internal control: The control managing the risk
Function: The function affected by the risk (may be the division/operating unit/function)
Internal control owner: The job title of the person responsible for operating the control
Monitoring control: The control which checks that the internal control is operating - there may not always be such a control
Monitoring control owner: The person responsible for operating the monitoring control
RRC: Residual risk consequence score
RRL: Residual risk likelihood score
RRS: Residual risk scores multiplied
CS: Control score (=IRS-RRS). Gives a measure of the importance of the control
Process: The process in which the internal control operates (such as marketing, research, supply chain, accounts payable)
Audit Group: Letter(s) given in order to group several risks into one audit (if necessary). They will not necessarily be in order, as new risks, with associated audits, will be added and some may be removed
Test: Example of a test which might be used to confirm the control is operating
Test schedule ref.: Reference number of the document detailing the test, or a link to it
Last audit opinion: Conclusion of the last audit test on the effectiveness of controls (acceptable/issues/unacceptable)
Last audit date: Year of the last audit
Last audit number: Unique number given to each audit. This is the number of the last audit to cover this risk
Audit name: Name given to the audit
Last audit Budget: Approximate number of auditor-days the audit should take. This aids resource planning
Last audit actual: Number of days the last audit actually required
Last timing: Month/year of the last audit
Last auditor: Names of the principal auditors
Last final report Target: Target date for producing the report (from the scope)
Final report achieved: Date actually achieved for issuing the final report
Follow up audit number: Number of the follow-up audit (if applicable)
Follow up audit date: Date of the follow-up audit
Follow up audit result: Conclusion of the follow-up audit test on the effectiveness of controls (acceptable/issues/unacceptable)
Gap: Years between the last audit and the next planned audit
Adj factor: Factor applied to the IRS depending on how many years ago the last audit took place, and its result (see www.internalaudit.biz)
Adj IRS: IRS x adj factor = adj IRS. Sorting on this score gives the priority order for the associated audits
Next audit number: Unique number given to each audit. This is the number of the next audit to cover this risk - if it has been allocated
Next audit name: Audit name. Will usually be the same as for the last audit, but could be different if this risk has been included in another audit
Next audit Budget: Approximate number of auditor-days the audit should take - based on the last audit's actual time. This aids resource planning
Next timing: Expected quarter/year of the next audit - if it can be allocated
Next auditor: Name(s) of auditors - if allocated
Status: Status of the audit (planning/fieldwork/reporting) when it is in progress
Next final report target: Target date for producing the report (from the scope)
Next final report Achieved: Actual date the final report was issued
20X1 opinion on risk: The opinion as to whether the risk was being properly managed

(When the final report from the "next audit" is issued, its details are moved into the "last audit" columns.)
Risk Based Internal Auditing - An introduction
Internal Audit Quarterly Plan (20X1 - Q2)
Staff planning
Original Planned 14 15 16 17
Name No Audit Budget now 31-Mar 07-Apr 14-Apr 21-Apr
Smith Annual and Bank holidays 1 1
Smith 204 Food donations 20 15 4 3 3 4
Smith 210 Security of assets 20 18 1 1 1
Smith 201 Strategy Communication 16 21 1
Smith 150 SAP implementation project 7
Total days 65 5 5 5 5
Doe Annual and Bank holidays 5 2 1
Doe 208 Corporate Social Responsibility 30 5 4 1
Doe 205 Purchases 25 18 1 3 2 4
Doe 203 Project approval 17 17 1
Doe 209 Investments 17 17 1
Doe 211 Bank and cash 20 3
Total days 65 5 5 5 5
Khan Annual and Bank holidays 8 5 1
Khan 207 Corporate Governance 30 5 4 1
Khan 200 Strategy setting and update 30 27 1 2 5
Khan 213 Recruitment 20 16 1
Khan 214 Street collections 10 8
Khan Secondment to accounts 1
Total days 65 5 5 5 5
Key to plan: scope, fieldwork, report

©David M Griffiths I Quarterly plan


Week beginning
18 19 20 21 22 23 24 25 26
28-Apr 05-May 12-May 19-May 26-May 02-Jun 09-Jun 16-Jun 23-Jun
1 1
1
3 4 3 4 1
1 2 1 4 4 4 3 1
1 2 4

5 5 5 5 5 5 5 5 5
1 1

4 3 1
1 4 4 2 4 1
1 1 2 1 4 3 4

1 1 1
5 5 5 5 5 5 5 5 5
1 1

4 5 5 4 1
1 3 4 3 4
1 2 1 4

1
5 5 5 5 5 5 5 5 5



Risk Based Internal Auditing - An introduction
Audit database (Transport of Food to camps - 146) Follow up
Level 3 objective Level 3 Risk Level 4 Objective Risk for this audit Inherent risks Process Control Function Internal Monitoring Control Monitoring control Has management has Test of internal Ref Result Test of monitoring Monitoring Monitoring Result Residual risks Control Do internal Is action being Report Has management Do internal Is action being Report
established risk Test controls, including taken to promptly has established controls, including taken to promptly
control owner owner controls controls monitoring remedy deficiency? risk management monitoring remedy deficiency?
management systems? schedule ref.
controls, reduce systems? controls, reduce
risks to acceptable risks to acceptable
levels? levels?

(appendix H) (from audit) Cons. Like. Sig. Cons. Like. Sig. Reference Reference
Identify risks Risks are not known 5 5 None Red Examine processes to set up No register 5 5 0 green green
25 the risk register and examine
the register
25 2 Green 2
Evaluate risks Significant risks are not 5 5 25 None Red Examine the process to score 5 5 25 0 green green
understood the risks 2 Green 2
Manage risks Significant risks are not 5 5 25 None Red Check controls - below 5 5 25 0 green green
controlled 2 Green 2
Arrange land transport Receive instructions from country Instructions not received 5 5 25 Country office confirms receipt. HQ chases if no Checked all instructions and n/a None 4 1 4 21 green green n/a n/a green green n/a
office confirmation received confirmations for 2003. All
satisfactory

Arrange land transport Receive instructions from country Instructions are late 5 5 25 No controls at HQ to ensure None n/a n/a No controls at HQ to ensure 5 1 5 20 amber green n/a green green
office instructions are sent on time instructions are sent on time 4 4
Recruit drivers Insufficient drivers available Hire drivers Drivers not available 5 5 25 List of drivers available for hire is kept None Checked list. It is not G3 Drivers may not be available 5 5 25 0 green n/a green green
by the compound office regularly updated Red 1 1
Arrange land transport Hire drivers Drivers not properly qualified 3 5 15 Drivers documents are checked and None Checked copies exist. G4 Documents could be forged 3 1 3 12 green green n/a n/a green green n/a
copies made

Arrange land transport Plan route Route is blocked 5 3 15 Work with other agencies and the None Check the last plan. Examine G5 HQ also tries to plan routes 4 1 4 11 green green n/a green green
Routes become impassable due to
the weather
military to plan routes dates of collection and
delivery
5 5
Arrange land transport Routes become impassable due to Plan route Route is dangerous 5 3 15 The army escorts convoys None Ask drivers and supervisor n/a None - escorts are provided 4 1 4 11 green n/a n/a green n/a
bandits about escorts
Arrange land transport Arrange to collect food No food available! 5 1 5 HQ arrange for food to available in the n/a Check loading sheets for the G6 None - food was available 4 1 4 1 green n/a n/a green n/a
warehouses lorries
Arrange land transport Fuel not available for lorries Load fuel Fuel not available for lorries 5 5 25 Fuel is stored in the compound n/a Check fuel tanks G7 Tanks were empty, although stock 5 5 25 0 green n/a green green
records showed they should be
full
Red 1 1
Arrange land transport Labor to load lorries not available Load food No loaders 5 1 5 The warehouse provides loaders The supervisor maintains Supervisor said no problem n/a None 4 1 4 1 green n/a n/a green n/a
day-to-day control in the past
Arrange land transport Deliver to camp Food is stolen 3 3 9 Army and police provide some The supervisor maintains Question staff and other Theft is a problem, but as well 3 3 9 0 amber green n/a green green
protection day-to-day control agencies about problem controlled as possible
1 1
Arrange land transport Insufficient lorries to move food Three lorries are available Lorries are found to be unsuitable 5 3 15 Lorries are serviced and tested The supervisor maintains Request a ride in the lorries 2 lorries were not working due to 5 3 15 0 green n/a green green
inland for the journey day-to-day control lack of maintenance (bad brakes) Red 1 1
Arrange land transport Check lorries Check is not complete 3 3 9 Maintenance schedules are signed by The supervisor maintains Check schedules Scheduled checks not always 3 3 9 0 amber green n/a green green
the senior mechanic day-to-day control carried out due to a lack of
mechanics
1 1
Arrange land transport Check lorries Action is not taken on faults 3 3 9 Maintenance schedules are signed by The supervisor maintains Check schedules Repairs not always carried out 3 3 9 0 amber green n/a green green
the senior mechanic day-to-day control due to a lack of mechanics
1 1
Arrange land transport Lorries break down Check lorries Lack of mechanics 5 5 25 Two mechanics are on the permanent The supervisor maintains Talk to mechanics. Examine Only one, inexperienced 5 5 25 0 green n/a green green
staff day-to-day control work sheets mechanic on the staff Red 1 1
Arrange land transport Carry out maintenance checks as Maintenance checks not carried 3 3 9 Maintenance schedules are signed by The supervisor maintains Check schedules Scheduled checks not always 3 3 9 0 amber green n/a green green
per the lorry manual out thoroughly the senior mechanic day-to-day control carried out due to a lack of
mechanics
1 1
Arrange land transport Repair lorries as necessary Repairs not satisfactory 3 3 9 Lorries checked by compound The supervisor maintains Request a ride in the lorries n/a 1 Lorry was badly damaged 3 3 9 0 amber green n/a green green
supervisor day-to-day control
1 1
Arrange land transport Repair lorries as necessary Repairs not necessary 3 3 9 Request for repairs and spare parts is The supervisor maintains Check request documents No documents exist for 3 3 9 0 amber green n/a green green
approved by the compound supervisor day-to-day control requesting spares
1 1
Arrange land transport Repair lorries as necessary Spares not available 3 5 15 HQ arrange for spares to be shipped The supervisor maintains Talk to supervisor and Spares can take months to arrive 3 5 15 0 green n/a green green
out day-to-day control mechanic. Examine any
available documentation
Red 1 1
Maintain network of contacts Contacts have no means of 5 5 25 Charity has established a network of Country manager maintains Check list of Country G9 List is up-to-date with reliable 5 2 10 15 green green green green
Arrange land transport Do not know where camps are communication reliable local people with access to contact with local people Manager's local contacts. contacts
mobile phones Phone a sample

Maintain network of contacts Contacts have no means of 5 5 25 Charity has established a network of Country manager maintains Check list of Country G9 List is up-to-date with reliable 5 2 10 15 green green green green
Do not know where food is required communication reliable local people with access to contact with local people Managers local contacts. contacts
Arrange land transport
most urgently mobile phones Phone a sample
Provide information Maintain systems Data lost through computer 3 5 15 Not applicable. No computer on site n/a n/a n/a 0 15 n/a n/a n/a
technology failure
Provide human Establish job descriptions Staff competencies required have 3 5 15 Job descriptions are maintained for all None Check for job descriptions of No job descriptions exist. 3 5 15 0 green n/a green green
resources not been identified jobs all staff levels Red 3 3
Provide human Carry out regular appraisals Actual competencies of the staff 3 5 15 All staff have two appraisals every year None Check appraisal files No appraisals are carried out. 3 5 15 0 green n/a green green
resources have not been matched with
required competencies
Red 3 3
Provide human Training of staff Training is not provided 3 5 15 Appraisals identify training needs None Check appraisal files Mechanics are not trained - but 3 5 15 0 green n/a green green
resources move on too quickly Red 1 1
Provide human Training of staff Staff not allowed to attend 3 5 15 None None Question staff who have No courses available 3 4 12 3 green n/a green
resources training been on courses 3 3
Provide security Provide security Loss of the Charity's assets 5 3 15 The compound is surrounded by a high None Asked staff about security The fence is regularly broken 4 3 12 3 green n/a green
fence down - hence the fuel has been
stolen
1 1
Provide continuity Identify documents required to Documents may not be recorded 1 3 3 None n/a None Not significant 0 3 green n/a n/a green n/a
achieve the objective of these
processes

Provide continuity Decide on arrangements to Level of protection may not be 1 3 3 None n/a None Not significant 0 3 green n/a n/a green n/a
safeguard these sufficient

©David M Griffiths J Audit database


Risk Based Internal Auditing - An introductio
Scoring risks, opinion on risk scores and guidance on conclusions
Advice on scoring risks (inherent
1 to 5 scale

These
These scores
scores and
and opinions
opinions are
are If the consequence when the
examples.
examples. Your
Your organization
organization will
will risk occurs is:
have
have to
to decide
decide on
on its
its own
own A catastrophic impact on the
requirements.
requirements. organization, threatening its
existence

Cash at risk> $100,000


To prevent the organization
achieving all, or a major part, of its
objectives for a long time.

Cash at risk <$100,000>$10,000


To stop the organization achieving
its objectives for a limited period.

Cash at risk <$10,000 >$3,000


To stop the organization achieving
its objectives for a limited period.

Cash at risk <$3,000 >$1000

To cause minor inconvenience, not


affecting the achievement of
objectives
Cash at risk <$100

Guidance for conclusions against


Opinion on Assessment
Has management established a Thorough processes have been
proper control framework? That used with the result that necessary
is, has management: specified controls to risks have been
their objectives, identified the established. The objective will be
risks threatening these objectives achieved if the controls are
and established controls which operating.
should reduce the risks to
acceptable levels?
Are these controls sufficient and Controls are sufficient and are
operating to bring the risks to operating to bring risks to below the
below the risk appetite and risk appetite. (although some action
ensure the achievement of the may be required – note in
related objective? “Supplementary issues”.) No more
monitoring is necessary than is
done at present. The objective is
being achieved.

Is action being taken which will The action being taken will result in
bring the risks to below the risk all risks being mitigated to below
appetite and ensure the the risk appetite.
achievement of the objective?

Opinion: YES

Report as: No deficiency


- An introduction
ance on conclusions
coring risks (inherent and residual)

OR the likelihood of Then the measure is


the risk occurring is: defined to be:
Almost certain Catastrophic (5)

Likelihood of residual risk


Probable Major (4)

Possible Moderate (3)

Unlikely Minor (2)

Rare Insignificant (1)

r conclusions against each risk


Assessment
Processes have been used, Inadequate, or no, processes
but there are some have been used and, it is
deficiencies which are not probable that the objective
judged sufficient to prevent will not be, OR is not being
the achievement of the achieved
objective.
Controls are sufficient and Controls are not sufficient
are operating to bring most and/or are not operating to
risks to below the risk bring risks to below the risk
appetite. However, some appetite. It is probable that
risks are not below the risk the objective will not be, OR
appetite but are not judged is not being achieved. Major
sufficient to prevent the improvements are required to
achievement of the the monitoring of controls
objective. Some additional
monitoring may be required
(see the report for details)

The action being taken will No action is being taken, OR


still leave some risks above Insufficient action is being
the risk appetite but these taken to mitigate risks to
are not judged sufficient to below the risk appetite.
prevent the achievement of
the objective.

YES WITH NO
EXCEPTIONS

Deficiency Major deficiency


Control opinion on risk scores
Are controls sufficient and operating to bring the risk to below the risk appetite and ensure the achievement of the related objective?

Rows: likelihood of residual risk. Columns: consequence of residual risk. Each cell shows the risk score, its significance and (on the second line) the control opinion.

Likelihood \ Consequence   Insignificant (1)        Minor (2)                Moderate (3)             Major (4)                Catastrophic (5)
Almost certain (5)         5  Supplementary issue   10 Issue                 15 Unacceptable          20 Unacceptable          25 Unacceptable
                              EXCEPTION                EXCEPTION                NO                       NO                       NO
Probable (4)               4  Acceptable            8  Supplementary issue   12 Issue                 16 Unacceptable          20 Unacceptable
                              YES                      EXCEPTION                EXCEPTION                NO                       NO
Possible (3)               3  Acceptable            6  Supplementary issue   9  Issue                 12 Issue                 15 Unacceptable
                              YES                      EXCEPTION                EXCEPTION                EXCEPTION                NO
Unlikely (2)               2  Acceptable            4  Acceptable            6  Supplementary issue   8  Supplementary issue   10 Issue
                              YES                      YES                      EXCEPTION                EXCEPTION                EXCEPTION
Rare (1)                   1  Acceptable            2  Acceptable            3  Acceptable            4  Acceptable            5  Supplementary issue
                              YES                      YES                      YES                      YES                      EXCEPTION

Risk score = Likelihood score X Consequence score

NO: Major deficiency - immediate action required to control the risk
EXCEPTION: Deficiency - action required to control the risk
YES: No action required
Guide to reporting residual risks

Residual risk score            Report control opinion (see chapter 2)   Report as          Action
Greater than 15                No                                       Major deficiency   Immediate action required to bring risk below the risk appetite
Less than 15, greater than 4   Yes with exceptions                      Deficiency         Action required to bring risk below the risk appetite
Less than 4                    Yes                                      No deficiency      No action required
Risk Based Internal Auditing - An introduction
The elements of internal auditing

Internal auditing provides an independent and objective opinion to an organization’s management as to whether its risks are being managed to acceptable levels.

The management of an organization have objectives.

The main aim of internal auditing is to assist the organization to achieve its objectives.

A risk is a set of circumstances that hinder the achievement of objectives.

An internal control is a process which manages a risk.
Risk Based Internal Auditing - An introduction
Scoring risks and risk factors
See Book 1 for an explanation

Rows: likelihood of risk. Columns: consequence of risk. Each cell shows the risk score and its significance.

Likelihood \ Consequence   Insignificant (1)        Minor (2)                Moderate (3)             Major (4)                Catastrophic (5)
Almost certain (5)         5  Supplementary issue   10 Issue                 15 Unacceptable (IR)     20 Unacceptable          25 Unacceptable
Probable (4)               4  Acceptable            8  Supplementary issue   12 Issue                 16 Unacceptable          20 Unacceptable
Possible (3)               3  Acceptable            6  Supplementary issue   9  Issue                 12 Issue                 15 Unacceptable
Unlikely (2)               2  Acceptable            4  Acceptable            6  Supplementary issue   8  Supplementary issue   10 Issue
Rare (1)                   1  Acceptable            2  Acceptable            3  Acceptable (RR)       4  Acceptable            5  Issue

Unacceptable: Immediate action required to manage the risk
Issue: Action required to manage the risk
Supplementary issue: Action is advisable if resources are available
Acceptable: No action required

IR = Inherent Risk, RR = Residual Risk. The diagram labels the movement from IR to RR "Internal control" and marks on the grid the risk appetite, as defined by the board.

Fig. 2 Grid showing the significance of risks


Risk Based Internal Auditing - An introduction
The risk based internal audit

Internal audit management
  Establish Objective, Risk and Control Register (1)
  Evaluate risk maturity (Risk management opinion on Organization) (2)
  Compile risk and audit universe (3)
  Set up annual plan (4)
  Plan 3m audits (5)
  Provide internal audit opinion (6) (as part of audit report)
  Report annually to Board or Audit Committee
  Report annually to Stakeholders

Internal audit processes
  Plan audit
  Scope audit
  Evaluate risk maturity (Risk management opinion on audit area)
  Verify risks and controls (Risk management opinion)
  Test controls and confirm residual risks (Control opinion)
  Discuss issues (Action opinion)
Risk Based Internal Auditing - An introduction
The risk based internal audit

Objectives, Risks and Controls Register

Filter risks, removing:
  Risks within the risk appetite
  Risks on which an opinion is provided by others
  Risks not requiring audit in this period
  Risks which will be tolerated

Risks on which an opinion is required

Link risks to audits

Risk and Audit Universe


Risk Based Internal Auditing - An introduction
Audit documentation

Risk and Audit Universe          Audit Databases
Objectives                       Objectives
Risks                            Risks
Risk scores                      Risk scores
Controls                         Controls
Last audits                      Tests
Audit Committee report           Audit reports


Risk Based Internal Auditing - An introduction
Audit frequency

Rows: likelihood of inherent risk. Columns: consequence of inherent risk. Each cell shows the inherent risk score and how often the risk is audited.

Likelihood \ Consequence   Insignificant (1)     Minor (2)             Moderate (3)          Major (4)             Catastrophic (5)
Almost certain (5)         5  Every three years  10 Every two years    15 Every year         20 Every year         25 Every year
Probable (4)               4  Never              8  Every three years  12 Every two years    16 Every year         20 Every year
Possible (3)               3  Never              6  Every three years  9  Every two years    12 Every two years    15 Every year
Unlikely (2)               2  Never              4  Never              6  Every three years  8  Every three years  10 Every two years
Rare (1)                   1  Never              2  Never              3  Never              4  Never              5  Every three years

Fig. 6 Grid for the frequency of audits


Rows: time since the last audit. Columns: result of that audit. Each cell gives the factor applied to the inherent risk score.

Time since last audit   Green   Amber   Red
3 years                 0.75    1       1
2 years                 0.5     0.75    1
1 year                  0.25    0.5     0.75

Fig. 7 Factors to reduce inherent risk scores
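As an added example, not part of the workbook or Book 1, the scoring rules of the grids above written out in Python so that a register of risks can be scored consistently. The score bands are read off the grid cells (score 5 follows the control opinion grid), and the adjusted inherent risk score is assumed to be the inherent score multiplied by the Fig. 7 factor, with risks never audited, or audited more than three years ago, keeping their full score.

```python
# Added example, not from the workbook: the scoring rules read off the grids above.
from typing import Optional

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Probable": 4, "Almost certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Fig. 7 factors: row = whole years since the last audit, column = that audit's result.
REDUCTION_FACTOR = {
    1: {"Green": 0.25, "Amber": 0.5, "Red": 0.75},
    2: {"Green": 0.5, "Amber": 0.75, "Red": 1.0},
    3: {"Green": 0.75, "Amber": 1.0, "Red": 1.0},
}

# Score bands read off the grid cells (no product of two 1..5 scores lands on 13 or 14).
BANDS = [  # (lowest score in band, significance, control opinion, audit frequency)
    (15, "Unacceptable", "NO", "Every year"),
    (9, "Issue", "YES WITH EXCEPTIONS", "Every two years"),
    (5, "Supplementary issue", "YES WITH EXCEPTIONS", "Every three years"),
    (0, "Acceptable", "YES", "Never"),  # floor 0 so reduced scores below 1 still land here
]

def risk_score(likelihood: str, consequence: str) -> int:
    """Risk score = Likelihood score X Consequence score (1 to 25)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]

def band(score: float) -> tuple:
    """Return the (floor, significance, opinion, frequency) row that a score falls in."""
    for row in BANDS:
        if score >= row[0]:
            return row
    return BANDS[-1]  # only reached for negative input; treat as Acceptable

def significance(score: float) -> str:
    """Cell label from the 'Scoring risks' grid (Fig. 2)."""
    return band(score)[1]

def control_opinion(residual_score: float) -> str:
    """Control opinion on the residual risk score: YES, YES WITH EXCEPTIONS or NO."""
    return band(residual_score)[2]

def audit_frequency(inherent_score: float) -> str:
    """Fig. 6: how often a risk with this (adjusted) inherent score is audited."""
    return band(inherent_score)[3]

def adjusted_inherent_score(inherent: int, years_since_audit: Optional[int], result: str) -> float:
    """Assumption: adjusted score = inherent score x Fig. 7 factor. Risks never audited or
    audited more than three years ago keep the full score; an audit this year uses row 1."""
    if years_since_audit is None or years_since_audit > 3:
        return float(inherent)
    return inherent * REDUCTION_FACTOR[max(1, years_since_audit)][result]
```

A risk scored 16 (audited every year by Fig. 6) that was audited last year with a green result is carried at 4, so the adjusted score alone would not put it on this period's plan.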


Risk Based Internal Auditing - An introduction
Version control

Date        Version   Changes
Oct-13                Issued after changes to include objectives as starting point for RAU
1-Jan-15    3.1       Changes made to include mind mapping. Made Version 3.1 to align it with Book 1.
21-Feb-15   3.2       Added Process and Functions worksheet. Added more data into RAU. Updated mind map.
4-May-15    4         Added diagrams which were in PowerPoint. Added columns to audit database and made changes based on report opinions.
12-May-15   4.1       Changes made to 'Scoring risks' as a result of changes made to Book 1. Minor corrections.
