Download - Implementation v1.0
8/12/2019 Implementation v1.0
Introduction
Risk Based Internal Aud
Three views on implem
Last updated 15 January 2006
Copyright D M Griffiths
RAU basics
Appendix A Scoring risks
Appendix B Risk Register
Appendix C Assessing risk maturity
Appendix D Process map
Appendix E Audit Universe
Appendix F Risk and audit universe
Appendix G Column key
Appendix H Audit plan
Appendix I Process map - purchases
Appendix J Expense purchases database
Appendix K Conclusions
Figure 1 Risk reduction diagram
Figure 2 Risk significance
Figure 3 Stages of RBIA
Figure 4 Stage 2 Audit planning
Figure 5 Frequency of work
Figure 6 Stage 3 Individual audits
Figure 7 Audit trail
The spreadsheets are:
The spreadsheets in the Excel workbook supp
which can be downloaded from:
www.internalaudit.biz
For reasons of time, none of the spreadsheets
Risk register and audit plan
Risks register and audit Universe (RAU) basics
Purpose
The purpose of this spreadsheet is to demonstrate how a list of risks can be used to
generate an audit plan. The IIA standards (2010.A1) state, "The internal audit activity's plan of
engagements should be based on a risk assessment, undertaken at least annually. The input
of senior management and the board should be considered in this process."
The starting point: lists of risks from many people in the organisation at various levels.
The end point: a list of all the audits (the "audit universe") necessary to check that all risks are
mitigated by internal controls. These audits are to be scored in order to indicate their priority.
To understand the way this risk register is used, you need to visit www.internalaudit.biz.
This is not a "Best Practice" guide but an example, which you must change to fit your
organisation.
The process map
In order to produce an audit plan from a list of risks, the first task is to group the risks. I believe
this is best done by linking them to the processes which any organisation has to fulfill its
Do not confuse this approach with 'Process based' or 'Systems based' auditing. Processes in
risk based auditing are used only for convenience. Risks drive the audit plan and individual
audits. If you have a risk with no process, go and set up a new process!
Processes are the means to achieve the organisation's objectives. They do not necessarily
represent actual departments and could be outsourced. It is important to concentrate on the
theoretical processes required, since the actual processes may have weaknesses or
omissions.
Processes are arranged in a hierarchy (like an organisation chart), with each process being
split into more detail. The first level of processes is known as level 1 and these are split into
more detailed processes at level 2. It's usually possible to plan audits at this level. Processes
are split further in the audit and the more detailed risks and controls are linked to these. The
advantage of this approach is that it avoids having a huge database.
Each level has "Define objectives" at the start and "Support" at the end. There is a need to
define the objectives of any set of processes - even if it is only to set targets. "Support" refers to
the support directly required by the processes at that level. The example will give you more of
an idea.
The processes in this spreadsheet are for a company which manufactures goods and sells
them through its own shops, to resellers (wholesalers) or direct to the public.
The risk register
The process maps are used to set up the risk register, where risks are linked to processes.
Each box on the process map has a row. This enables risks to be attached to processes at
each level, and for each level to have a risk score. This is useful in summarising the risk
scores for levels 1 & 2. (This format is slightly different to that used in www.internalaudit.biz)
David M Griffiths RAU basics
Several risks may be linked to one process or several processes to one risk. If you have a
process with no risks, you may need to ask management if risks do exist in this area. If you
have risks but no process - you need to add a process. Do NOT drop risks because they don't
fit neatly into your map!
The risk register will be constantly updated with new risks, as they occur to me, or as my
researches reveal. It can never be complete. The important point for your risk register is that it
gives you a complete "audit universe". It is these audits which need to identify all the key risks
in order to assess the controls which mitigate them.
The last columns in the register show details of the last audit of that risk and the next audit
planned. This enables the register to be used as an audit planning tool. By sorting and filtering
the database an annual audit plan can be produced. A calculation at the end of the "next audit
budget" column will show if sufficient resources are available.
The register has one line of titles, so that it can be used as a database (sorted, filtered, reports
produced).
I intend to produce example audit databases (audit programmes) for many of the audits in the
risk register. See www.internalaudit.biz for more details.
Some audit work may be duplicated. For example, "Transaction processing - purchasing goods
for resale" may have some audit work which appears in the support processes for "Purchase of
goods for resale". This is not necessarily bad, as it may cover important areas in slightly
different ways.
You may have many risks against one process at level 2. If this is the case, split the process to
give processes at level 3. See 9.6 - Process Transactions.
Certain major areas of risk, such as health & safety, the environment and quality control, only
have one entry each. The level of detail will depend on the responsibilities of the internal audit
department. It is assumed that these areas are covered by other specialists and the audit
would be concerned with the proper operation and reporting of these functions.
The following notes are tips when considering risks:
When wording risks, try not to make them just the failure to deliver a process. For example, if
the process is "Pay invoices", the risk is not "Fail to pay invoices". However, one risk would be
"Invoices not selected for payment".
More importantly, risks should not be the absence of a control. For example, the risk "Invoices
are not authorised" presupposes a control. The risk is "Invoices may be paid for goods or
services not required"; the control is "All invoices are authorised by a senior manager".
Language
I have used UK English for the risk register. Variations from US English include:
Supplier = Vendor
Purchase = Procure
Cheque = Check
I have used the term "accounts payable" for purchase ledger, since this is now common in the
UK.
All sheets copyright David M Griffiths
Not to be copied or distributed without acknowledging the author, or in conjunction with a
commercial product
Appendix A
Advice on scoring risks (inherent and residual)
1 to 5 scale
If the consequence when the risk occurs is: | OR the likelihood of the risk occurring is: | Then the measure is defined to be:
A catastrophic impact on the organisation, threatening its existence. Cash at risk > 1,000,000 | Almost certain | Catastrophic (5)
To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk 100,000 | Probable | Major (4)
To stop the organisation achieving its objectives for a limited period. Cash at risk 30,000 | Possible | Moderate (3)
To stop the organisation achieving its objectives for a limited period. Cash at risk 5,000 | Unlikely | Minor (2)
To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk | Rare | Insignificant (1)
ined by the board of the organisation concerned
[Figure: risk matrix of likelihood, from Rare (1) upwards, against consequence of risk, from Insignificant (1) through Minor (2), Moderate (3) and Major (4) to Catastrophic (5). Each cell holds a score of up to 25 and a rating such as Acceptable, Issue or Unacceptable.]
Appendix B
Risks register
L1 | Level 1 process | L2 | Level 2 process | L3 | Level 3 process
1 | Define organisation's objectives | 1 | Decide strategy
1 | Define organisation's objectives | 1 | Decide strategy
1 | Define organisation's objectives | 1 | Decide strategy
1 | Define organisation's objectives | 2 | Communicate strategy
1 | Define organisation's objectives | 3 | Deliver strategy
1 | Define organisation's objectives | 3 | Deliver strategy
1 | Define organisation's objectives | 3 | Deliver strategy
1 | Define organisation's objectives | 4 | Maintain strategy
1 | Define organisation's objectives | 4 | Maintain strategy
1 | Define organisation's objectives | 5 | Support strategy
2 | Research new business opportunities | 1 | Define objectives
2 | Research new business opportunities | 2 | Research products
David M Griffiths B Risk Register
2 | Research new business opportunities | 3 | Research markets
2 | Research new business opportunities | 4 | Research customers
2 | Research new business opportunities | 5 | Research locations
2 | Research new business opportunities | 6 | Support research
3 | Obtain, and fit out, premises | 1 | Define objectives
3 | Obtain, and fit out, premises | 2 | Obtain offices
3 | Obtain, and fit out, premises | 3 | Obtain factories
3 | Obtain, and fit out, premises | 4 | Obtain warehousing
3 | Obtain, and fit out, premises | 5 | Obtain retail premises
3 | Obtain, and fit out, premises | 6 | Maintain premises
3 | Obtain, and fit out, premises | 7 | Support obtaining premises
4 | Purchase goods and services | 1 | Define objectives
4 | Purchase goods and services | 2 | Purchase raw materials
4 | Purchase goods and services | 2 | Purchase raw materials
4 | Purchase goods and services | 3 | Purchase assets
4 | Purchase goods and services | 4 | Purchase finished goods
4 | Purchase goods and services | 5 | Purchase expense goods and services
4 | Purchase goods and services | 5 | Purchase expense goods and services
4 | Purchase goods and services | 6 | Support purchasing
5 | Manufacture | 1 | Define objectives
5 | Manufacture | 2 | Design products
5 | Manufacture | 3 | Specify manufacturing
5 | Manufacture | 4 | Plan manufacturing
5 | Manufacture | 5 | Manufacture
5 | Manufacture | 5 | Manufacture
5 | Manufacture | 6 | Support manufacturing
6 | Advertise and promote | 1 | Define objectives for promotion
6 | Advertise and promote | 2 | Promote in-store
6 | Advertise and promote | 3 | Promote to customers
6 | Advertise and promote | 4 | Advertise in papers
6 | Advertise and promote | 5 | Advertise on TV
6 | Advertise and promote | 6 | Support promotions
7 | Store and distribute goods | 1 | Define objectives for supplying goods
7 | Store and distribute goods | 2 | Store goods
7 | Store and distribute goods | 3 | Distribute goods
7 | Store and distribute goods | 4 | Support supply
8 | Sell goods | 1 | Define objectives for selling goods
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 2 | Sell in stores
8 | Sell goods | 3 | Sell to resellers
8 | Sell goods | 3 | Sell to resellers
8 | Sell goods | 3 | Sell to resellers
8 | Sell goods | 4 | Sell direct
8 | Sell goods | 4 | Sell direct
8 | Sell goods | 4 | Sell direct
8 | Sell goods | 4 | Sell direct
8 | Sell goods | 4 | Sell direct
8 | Sell goods | 5 | Support selling
9 | Support the organisation in achieving its objectives | 1 | Define objectives for supporting the organisation
9 | Support the organisation in achieving its objectives | 2 | Prepare management accounts
9 | Support the organisation in achieving its objectives | 3 | Prepare financial accounts
9 | Support the organisation in achieving its objectives | 3 | Prepare financial accounts
9 | Support the organisation in achieving its objectives | 4 | Provide staff
9 | Support the organisation in achieving its objectives | 4 | Provide staff
9 | Support the organisation in achieving its objectives | 4 | Provide staff
9 | Support the organisation in achieving its objectives | 4 | Provide staff
9 | Support the organisation in achieving its objectives | 5 | Provide systems
9 | Support the organisation in achieving its objectives | 5 | Provide systems
9 | Support the organisation in achieving its objectives | 5 | Provide systems
9 | Support the organisation in achieving its objectives | 5 | Provide systems
9 | Support the organisation in achieving its objectives | 5 | Provide systems
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 1 | Process transactions - purchases
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 2 | Process transactions - retail sales
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 3 | Process transactions - wholesale sales
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 4 | Process transactions - direct sales
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 5 | Process transactions - manufacturing stock
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 6 | Process transactions - wholesale stock
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 7 | Process transactions - store stock
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 8 | Process transactions - payroll
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 9 | Process transactions - personal expenses
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 10 | Process transactions - fixed assets
9 | Support the organisation in achieving its objectives | 6 | Process transactions | 11 | Process transactions - cash and bank
9 | Support the organisation in achieving its objectives | 7 | Provide legal services
9 | Support the organisation in achieving its objectives | 8 | Provide tax services
9 | Support the organisation in achieving its objectives | 9 | Ensure quality
9 | Support the organisation in achieving its objectives | 10 | Ensure health & safety
9 | Support the organisation in achieving its objectives | 11 | Manage the environment
9 | Support the organisation in achieving its objectives | 12 | Ensure security
9 | Support the organisation in achieving its objectives | 12 | Ensure security
9 | Support the organisation in achieving its objectives | 13 | Communicate
9 | Support the organisation in achieving its objectives | 14 | Manage risks
9 | Support the organisation in achieving its objectives | 15 | Manage the assets
9 | Support the organisation in achieving its objectives | 15 | Manage the assets
9 | Support the organisation in achieving its objectives | 16 | Support the support functions
Reference | Business unit | Process | Process Description
1.1 | The board | Decide strategy | The most senior management group (the "board") decide on the objectives of the organisation
1.1 | The board | Decide strategy | The most senior management group (the "board") decide on the objectives of the organisation
1.1 | The board | Decide strategy | The most senior management group (the "board") decide on the objectives of the organisation
1.2 | The board | Communicate strategy | The objectives are communicated to all staff in a comprehensible form
1.3 | The board | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives
1.3 | The board | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives
1.3 | The board | Deliver strategy | An action plan is devised, at high level, which will deliver the objectives
1.4 | The board | Maintain strategy | The strategy is regularly updated to take account of changing business conditions
1.4 | The board | Maintain strategy | The strategy is regularly updated to take account of changing business conditions
1.5 | The board | Support strategy | Resources are made available to carry out the above processes
2.1 | Research and development | Define objectives | The objectives of the research processes are defined
2.2 | Research and development | Research products | Research the products, to be manufactured or purchased, which will achieve the organisation's objectives
2.3 | Marketing | Research markets | Research the market segments which will achieve the organisation's objectives
2.4 | Marketing | Research customers | Research the customer profile which will achieve the organisation's objectives
2.5 | Property | Research locations | Research the locations, in-country and abroad, which will achieve the organisation's objectives
2.6 | Administration | Support research | Resources are made available to carry out the above processes
3.1 | Property | Define objectives | The objectives of the processes for obtaining premises are defined
3.2 | Property | Obtain offices | Decide on the best locations for offices to house the support staff
3.3 | Property | Obtain factories | Decide on the best locations for factories to manufacture products
3.4 | Property | Obtain warehousing | Decide on the best location for premises to store goods
3.5 | Property | Obtain retail premises | Decide on the best location for shops
3.6 | Facilities management | Maintain premises | Premises are maintained to ensure safety, effectiveness and efficiency at all times
3.7 | Administration | Support obtaining premises | Resources are made available to carry out the above processes
4.1 | Purchasing | Define objectives | The objectives of the processes for purchasing are defined
4.2 | Purchasing | Purchase raw materials | Purchase items to manufacture goods
4.2 | Purchasing | Purchase raw materials | Purchase items to manufacture goods
4.3 | Purchasing | Purchase assets | Purchase fixed assets
4.4 | Purchasing | Purchase finished goods | Purchase goods for resale
4.5 | Purchasing | Purchase expense goods and services | Purchase goods and services for the organisation
4.5 | Purchasing | Purchase expense goods and services | Purchase utilities for the organisation
4.6 | Administration | Support purchasing | Resources are made available to carry out the above processes
5.1 | Factory | Define objectives | The objectives of the processes for manufacturing are defined
5.2 | Factory | Design products | Products to be manufactured are designed
5.3 | Factory | Specify manufacturing | Specify how the products are to be manufactured
5.4 | Factory | Plan manufacturing | Plan the manufacturing schedule
5.5 | Factory | Manufacture | Make the goods
5.5 | Factory | Manufacture | Make the goods
5.6 | Administration | Support manufacturing | Resources are made available to carry out the above processes
6.1 | Advertising | Define objectives for promotion | The objectives of the processes for promoting sales are defined
6.2 | Advertising | Promote in-store | Promote goods in the retail stores through various offers
6.3 | Advertising | Promote to customers | Promote goods to resellers using offers
6.4 | Advertising | Advertise in papers | Advertise goods in newspapers and magazines
6.5 | Advertising | Advertise on TV | Advertise on television
6.6 | Administration | Support promotions | Resources are made available to carry out the above processes
7.1 | Logistics | Define objectives for supplying goods | The objectives of the processes for supplying goods are defined
7.2 | Logistics | Store goods | Store goods in warehouses at stages of the supply chain
7.3 | Logistics | Distribute goods | Distribute goods between factories, warehouses, stores and customers
7.4 | Administration | Support supply | Resources are made available to carry out the above processes
8.1 | Merchandising | Define objectives for selling goods | The objectives of the processes for selling are defined
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.2 | Merchandising | Sell in stores | Sell goods in stores operated by the organisation, or franchised
8.3 | Marketing | Sell to resellers | Sell goods to customers who will resell them
8.3 | Marketing | Sell to resellers | Sell goods to customers who will resell them
8.3 | Marketing | Sell to resellers | Sell goods to customers who will resell them
8.4 | Internet sales | Sell direct | Sell direct to the public. For example, through the internet
8.4 | Internet sales | Sell direct | Sell direct to the public. For example, through the internet
8.4 | Internet sales | Sell direct | Sell direct to the public. For example, through the internet
8.4 | Internet sales | Sell direct | Sell direct to the public. For example, through the internet
8.4 | Internet sales | Sell direct | Sell direct to the public. For example, through the internet
8.5 | Administration | Support selling | Resources are made available to carry out the above processes
9.1 | Administration | Define objectives for supporting the organisation | The objectives of the processes for supporting the organisation are defined
9.2 | Management accounts | Prepare management accounts | Collect the data from processed transactions into accounts for management to make decisions
9.3 | Financial accounts | Prepare financial accounts | Collect the data from processed transactions into accounts for statutory or tax purposes
9.3 | Financial accounts | Prepare financial accounts | Collect the data from processed transactions into accounts for statutory or tax purposes
9.4 | Human resources | Provide staff | Recruit staff and manage staff policies
9.4 | Human resources | Provide staff | Recruit staff and manage staff policies
9.4 | Human resources | Provide staff | Recruit staff and manage staff policies
9.4 | Human resources | Provide staff | Recruit staff and manage staff policies
9.5 | Information systems | Provide systems | Provide systems, including computer systems to support the organisation's operations
9.5 | Information systems | Provide systems | Provide systems, including computer systems to support the organisation's operations
9.5 | Information systems | Provide systems | Provide systems, including computer systems to support the organisation's operations
9.5 | Information systems | Provide systems | Provide systems, including computer systems to support the organisation's operations
9.5 | Information systems | Provide systems | Provide systems, including computer systems to support the organisation's operations
9.6.1 | Purchase accounting services | Process transactions - purchases | Receive invoices, obtain approval for payment, pay for goods and services
9.6.2 | Retail accounting services | Process transactions - retail sales | Receive cash and cash equivalents at the till, bank them and check all money is received
9.6.3 | Sales accounting services | Process transactions - wholesale sales | Carry out credit checks before goods are despatched, issue invoices and receive payment for goods
9.6.4 | Sales accounting services | Process transactions - direct sales | Process the credit card payments before authorising despatch of the goods
9.6.5 | Factory | Process transactions - manufacturing stock | Receive goods against the order, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock
9.6.6 | Logistics | Process transactions - wholesale stock | Receive goods from the factory, or supplier, update stock records, issue the goods to manufacture, manage stock levels, minimise stock losses, account for stock
9.6.7 | Stock accounting services | Process transactions - store stock | Receive goods from the warehouse, update store stock records, sell the goods to customers, manage stock levels, minimise stock losses, account for stock
9.6.8 | Payroll accounting services | Process transactions - payroll | Receive details of employees, their salary and working hours. Calculate pay based on these, less deductions. Pay over deductions
9.6.9 | Expense accounting services | Process transactions - personal expenses | Personal expenses (for travelling) are claimed, authorised and paid
9.6.10 | Fixed asset accounting services | Process transactions - fixed assets | Receive invoice details. Decide on whether to capitalise costs. Add assets to register. Attach depreciation data and calculate.
9.6.11 | Cashiers accounting services | Process transactions - cash and bank | Receive cash transaction data for purchases, sales, payroll, personal expenses and other transactions. Reconcile these to transactions passing through the bank account. Follow-up differences
9.7 | Company Secretary | Provide legal services | Advise all areas of the company concerning action to be taken on legislation
9.8 | Taxation | Provide tax services | Advise all areas of the company concerning action to be taken on tax legislation
9.9 | Quality Control | Ensure quality | Ensure all goods sold meet the quality standards set by legislation and the organisation
9.10 | Health and safety | Ensure health & safety | Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers
9.11 | Health and safety | Manage the environment | Ensure the operations of the organisation obey all environmental laws and good practice
9.12 | Security | Ensure security | The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation
9.12 | Security | Ensure security | The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation
9.13 | Public relations | Communicate | Inform internal and external stakeholders of the organisation's policies and intentions
9.14 | Risk manager | Manage risks | Identify, evaluate and manage risks down to the level considered acceptable by the organisation
9.15 | Treasury | Manage the assets | Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives
9.15 | Treasury | Manage the assets | Ensure that assets of the organisation, particularly cash, are maintained at optimum levels to achieve the objectives
9.16 | Administration | Support the support functions | Resources are made available to carry out the above processes
Inherent ri
Key risk to process | Risk Source | Process owner | Cons | Like
The strategy does not anticipate customer demands | | Managing Director | 5 | 5
The strategy is too risk-averse | | Managing Director | 5 | 5
The objectives within the strategy are not clearly defined, financially justified or documented | | Managing Director | 5 | 5
Staff do not understand the objectives in relation to their own jobs | | Managing Director | 5 | 5
The action plan does not cover all objectives and does not consist of SMART targets addressed to senior management | | Managing Director | 5 | 5
The organisation has not got the resources to deliver the strategy | | Managing Director | 5 | 5
Major projects intended to deliver the strategy are late and/or over budget | | Managing Director | 5 | 5
All staff, including the Board, fail to maintain high ethical standards, which undermine the controls necessary to achieve the organisation's objectives, including that of ensuring compliance with laws and standards | | Managing Director | 5 | 5
Internal and external influences are not monitored to assess their impact on the strategy | | Managing Director | 5 | 5
The resources required are not understood or are not sufficient to deliver the strategy | | | 5 | 5
The objectives will not deliver the organisation's objectives effectively and efficiently
The research does not identify the most effective products for achieving the objectives
The research does not identify the most effective market segments for achieving the objectives
The research does not identify the most effective customer segments for achieving the objectives
The research does not identify the most effective locations for achieving the objectives
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently
The locations are not cost-effective, have insufficient staff in the vicinity and have poor communications
The environment is not suitable for a factory, insufficient trained labour is available, property costs are too high
The buildings are not suitable for storing products, costs are too high and labour is not available
The locations are not cost-effective, have insufficient staff in the vicinity and are not near our target customers
Poor maintenance results in injury to staff or customers
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently
The purchased items are unsuitable, too expensive or delivered late
A major supplier of a vital raw material, not obtainable elsewhere, is not able to deliver
Assets are not required, not suitable or too expensive
Goods are not suitable, too expensive or delivered late
Goods or services are not suitable, too expensive or delivered late
Minimum prices for utilities are not negotiated
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently
There is no market for the product. The product is too expensive to produce
The method of manufacturing specified is inefficient
The schedule produces the wrong goods at the wrong time
The goods are made inefficiently
New environmental legislation makes manufacturing process uneconomic
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently
Promotions do not make a profit
Promotions do not make a profit
Promotions do not make a profit
Promotions do not make a profit
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently
Goods are damaged, or lost
A strike of fuel suppliers brings transport in the UK to a stop
The resources required are not understood or are not sufficient to deliver the strategy
The objectives will not deliver the organisation's objectives effectively and efficiently | Board risk workshop | Merchandise Director | 5 | 5
Fail to stock goods which the customers want to buy | Board risk workshop | Merchandise Director | 5 | 5
Fail to anticipate the competitions' initiatives to take a bigger market share | Board risk workshop | Merchandise Director | 5 | 5
Prices are not competitive Board risk workshop Merchandis
e Director
5 5
Store layout confuses customers Board risk workshop Merchandis
e Director
4 4
Prices are incorrect Board risk workshop Merchandis
e Director
4 5
No stock for customers to buy Board risk workshop Merchandis
e Director
5 5
Higher minimum wage legislation
makes some stores unprofitable
Board risk workshop Merchandis
e Director
5 5
Poor service/quality of goods
leading to customer complaints
Board risk workshop Merchandis
e Director
5 5
A major customer goes bankrupt Board risk workshop Marketing
Director
4 4
No stock for customers to buy Board risk workshop Marketing
Director
5 5
Poor service/quality of goods
leading to customer complaints
Board risk workshop Marketing
Director
5 5
Poor service/quality of goods
leading to customer complaints
Board risk workshop Merchandis
e Director
4 5
Fraudulent credit cards used Finance Director interview Merchandis
e Director
4 5
No stock for customers to buy Logistics Director interview Merchandis
e Director
4 5
Internet sites unavailable Board risk workshop Merchandis
e Director
4 5
Goods are lost Board risk workshop Merchandis
e Director
4 5
The resources required are not
understood or are not sufficient to
deliver the strategy
Board risk workshop Merchandis
e Director
5 5
The objectives will not deliver the
organisation's objectives effectively
and efficiently
Management accounts do not
provide timely information on which
to make decisions
Financial accounts are issued which
do not comply with UK law
The organisation is not prepared for
the International Accounting
Standards (IAS)
High-calibre staff are not recruited
and retained
Properly qualified staff are not
available to take vacancies
Staff are not properly trained
Staff successfully claim unfair
dismissal
A virus brings down all computer
systems for a week
Data is lost
Data or programs are corrupted
Major hardware failure
Major network failure
Payment is made where the
organisation has not received the
goods or services at the price and
quality ordered
Cash taken at the till is not banked
Goods are sold to customers who
cannot pay for them
Fail to pass transaction details to
the credit card company
Stock is incorrectly valued
Stock is incorrectly valued
Stock is incorrectly valued
Receive incorrect data from stores
on hours worked and new
employees
Expenses were not incurred
Revenue expenditure capitalised, or
capital expenditure put to revenue
Differences not cleared
The impact of legislation is not
anticipated which results in
considerable costs
Schemes to minimise tax are not
used
Poor quality goods harms the
organisation's reputation
A failure in H & S occurs which
results in bad publicity and law suits
An environmental disaster occurs at
one of the organisation's premises
Confidential information is stolen
Offices are destroyed by fire
The London Stock Exchange is
given information which cannot be
substantiated
The external and internal risks
threatening the objectives, and
related processes, of the
organisation are not understood or
mitigated
Financial contracts are set up which
open the company to significant
losses
Working capital is not optimised
The resources required are not
understood or are not sufficient to
deliver the strategy
Score Response Control (examples)
25 The board received a quarterly report from outside
consultants which forecasts likely trends in customer
demand for the next year
25 The quarterly meeting with consultants considers all
possible strategy options which are analysed objectively
to ensure all are properly considered
25 The strategy is written and published on the intranet. All
elements are financially justified and subject to risk
modelling
25 The Company Secretary is charged with ensuring all non-
sensitive information relating to company objectives and
strategy is published on the intranet
25
25
25
25
25
25
25 treat Overall targets for sales and profits are set by the board
in the annual budget. As part of the budget package the
Merchandise Director outlines the action to be taken to
achieve the targets. See also strategy controls
25 treat Regular visits by Merchandising Director and staff to
markets which anticipate ours eg the US. Attendance at
trade shows. Focus Groups
25 treat All competitors' advertising campaigns are monitored,
with a weekly report to the Merchandising Director.
25 treat Competitors' prices are monitored every week, with
reports going to appropriate Heads of Merchandise
Departments
16 treat None
20 treat Retail prices are input by an assistant buyer and
checked by a supervisor. Prices are downloaded onto
the EPOS system overnight
25 treat Each store has automatic replenishment, based on sales
and PI counts in store
25 treat Monthly profitability report of each store, checked by
stores accountant
25 treat All customer complaints logged on a database. Monthly
report to the Merchandise Managers, with comments on
action being taken
16 transfer with insurance
Credit control procedures prevent orders being sent to
customers who pay late. Overseas debts are insured.
25 treat Computer report produced which estimates stock holding
and orders necessary to ensure 3 weeks stock holding.
Report checked by Senior Buyer
25 treat All customer complaints logged on a database. Monthly
report to the Merchandise Managers, with comments on
action being taken
20 treat All customer complaints logged on a database. Monthly
report to the Merchandise Managers, with comments on
action being taken
20 treat Credit card details checked to external database of
fraudulent cards
20 treat Computer report produced which estimates stock holding
and orders necessary to ensure 3 weeks stock holding.
Report checked by Senior Buyer
20 tolerate An external internet provider is used who has back-up
computers available in the event of hardware and
comms failure
20 tolerate Reputable carrier used. Value of goods is relatively low
and missing goods are replaced without question
25 treat Various reports (Out of stock, late deliveries) will indicate
if insufficient staff are available
Monitoring (examples) Potential issue Cons Like Score
The role of the non-executive directors
is defined to ensure they challenge
board strategy to ensure it is robust
5 1 5
The role of the non-executive directors
is defined to ensure they challenge
board strategy to ensure it is robust
5 1 5
The role of the non-executive directors
is defined to ensure they challenge
board strategy to ensure it is robust
5 1 5
A staff council exists to feed back
concerns on communication to the
board
4 1 4
5 2 10
5 2 10
5 2 10
5 2 10
5 2 10
5 2 10
Residual risks
None No checks to ensure reports are
issued and acted upon
5 2 10
None No customer groups to report on
their opinions of store layouts
4 4 16
A gross profit exception report is
generated for any changes to GP >5%.
This should pick up any incorrect input
of retail prices. The report is signed off
by a buyer.
4 1 4
Computer report to buyer reports zero
stocks in stores
5 1 5
None Stores accountant is not
required to report exceptions to
senior management
5 4 20
Copy of report sent to Merchandising
Director and summaries are put on the
intranet
5 1 5
Head of Accounting Services examines
Aged Trial Balance each month and
follows up overdue debts
4 1 4
Head of Production also receives
report and ensures orders have been
received where necessary.
5 1 5
Copy of report sent to Marketing
Director and summaries are put on the
intranet
5 1 5
Copy of report sent to Merchandising
Director and summaries are put on the
intranet
5 1 5
Report of fraudulent transactions sent
to Head of Security.
4 1 4
Computer report to buyer reports zero
stocks in warehouse
4 1 4
Service agreement with provider
commits to 99% availability or
compensation
4 1 4
Report of lost goods sent to Head of
Security.
4 1 4
Failure to achieve targets may indicate
shortage of staff
There is no succession plan, or
any attempt to anticipate staff
required in the future
5 3 15
Control score
20
20
20
21
15
15
15
15
15
15
20
20
10
15
0
16
20
5
20
12
20
20
15
16
16
16
16
10
Appendix C
Assessing the organisation's risk maturity
(A more detailed matrix is included in the IIA Guidance Note An Approach to Implementing Risk Based Internal Auditing)
Risk naive Risk aware Risk defined Risk managed Risk enabled
Key characteristics (See IIA statement Risk Based Internal Auditing)
Risk naive: No formal approach developed for risk management
Risk aware: Scattered silo based approach to risk management
Risk defined: Strategy and policies in place and communicated. Risk appetite defined
Risk managed: Enterprise approach to risk management developed and communicated
Risk enabled: Risk management and internal controls fully embedded into the operations
Process
Are the organisation's objectives defined?
Have management been trained to understand what risks are, and their responsibility for them?
Has a scoring system for assessing risks been defined?
Have processes been defined to determine risks, and have these been followed?
Have all risks been collected into one list?
Have risks been allocated to specific job titles?
Have all risks been assessed in accordance with the defined scoring system?
Have responses to the risks (e.g. controls) been selected and implemented?
Have management set up controls to monitor the proper operation of key controls?
Are risks regularly reviewed by the organisation?
Has the risk appetite of the organisation been defined in terms of the scoring system?
Have management reported risks to directors where responses are not managing the risks to a level acceptable to the board?
Are all significant new projects routinely assessed for risk?
Is responsibility for the determination, assessment, and management of risks included in job descriptions?
Do managers provide assurance on the effectiveness of their risk management?
Are managers assessed on their risk management performance?
No
In part
Yes
Internal Audit approach
Risk naive: Promote risk management and rely on audit risk assessment
Risk aware: Promote enterprise-wide approach to risk management and rely on audit risk assessment
Risk defined: Facilitate risk management/liaise with risk management and use management assessment of risk where appropriate
Risk managed: Audit risk management processes and use management assessment of risk as appropriate
Risk enabled: Audit risk management processes and use management assessment of risk as appropriate
Audit test
Core IA roles are in brackets - see IIA statement The Role of Internal Audit in Enterprise-wide Risk Management
Check the organisation's objectives are determined by the board and have been communicated to all staff. Check other objectives and targets are consistent with the organisation's objectives. (1)
Interview managers to confirm their understanding of risk and the extent to which they manage it. (1)
Check the scoring system has been approved, communicated and is used. (2)
Examine the processes to ensure they are sufficient to ensure identification of all risks. Check they are in use, by examining the output from any workshops. (1)
Examine the Risk Universe. Ensure it is complete, regularly reviewed, assessed and used to manage risks. Risks are allocated to managers. (1)
Check the scoring applied to a selection of risks is consistent with the policy. Look for consistency (that is, similar risks have similar scores). (2)
Examine the risk register to ensure proper controls should be in place. (3)
For significant risks, examine the control(s) treating it and ensure management would know if the control failed. (5)
Check for evidence that a thorough review process is regularly carried out. (1)
Check the document on which the controlling body has approved the risk appetite. Ensure it is consistent with the scoring system and has been communicated. (1)
For risks above the risk appetite, check that the board has been formally informed of their existence. (4)
Examine project proposals for an analysis of the risks which might threaten them. (1)
Examine job descriptions. Check the instructions for setting up job descriptions. (1)
Examine the assurance provided. For key risks, check that controls and the management system of monitoring, are operating. (4)
Examine a sample of appraisals for evidence that risk management was properly assessed for performance. (1)
Appendix D
Process map for an organisation (levels 1 and 2)
Define objectives Obtain premises Research
Decide strategy
Maintain strategy
Deliver strategy
Communicate strategy
Research markets
Research products
Research locations
Research customers
Obtain factories
Obtain offices
Obtain retail premises
Obtain warehousing
Define objectives
Support research
Support strategy
Define objectives
Support obtaining premises
Manufacture Promote Purchase
Organisation's objectives
Purchase assets
Purchase raw materials
Purchase expense goods
Purchase finished goods
Specify manufacturing
Design products
Manufacture
Plan manufacturing
Promote to customers
Promote in-store
Advertise on TV
Advertise in papers
Define objectives Define objectives Define objectives
Support promotions
Support manufacturing
Support purchasing
Sell Supply Support
Distribute goods
Store goods
Support distribution
Sell to resellers
Sell in stores
Support sales
Sell direct
Prepare financial accounts
Prepare management accounts
Provide systems
Provide staff
Define objectives Define objectives Define objectives
Process transactions
Provide legal services
Provide tax services
Ensure quality
Ensure health & safety
Manage the environment
Ensure security
Communicate
Manage risks
Manage assets
Support the support services
E Audit Universe
List of all audits, in business unit order
Business unit Process Process Description Last audit number
Administration Support manufacturing Resources are made available to carry
out the above processes
Administration Support promotions Resources are made available to carry
out the above processes
Administration Support supply Resources are made available to carry
out the above processes
Administration Support selling Resources are made available to carry
out the above processes
Administration Define objectives for supporting
the organisation
The objectives of the processes for
supporting the organisation are defined
Administration Support the support functions Resources are made available to carry
out the above processes
Administration Support research Resources are made available to carry
out the above processes
Administration Support obtaining premises Resources are made available to carry
out the above processes
Administration Support purchasing Resources are made available to carry
out the above processes
Advertising Define objectives for promotion The objectives of the processes for
promoting sales are defined
Advertising Promote in-store Promote goods in the retail stores through
various offers
Advertising Promote to customers Promote goods to resellers using offers
Advertising Advertise on TV Advertise on television
Advertising Advertise in papers Advertise goods in newspapers and
magazines
Cashiers
accounting
services
Process transactions - cash
and bank
Receive cash transaction data for
purchases, sales, payroll, personal
expenses and other transactions.
Reconcile these to transactions passing
through the bank account. Follow-up
differences
Company
Secretary
Provide legal services Advise all areas of the company
concerning action to be taken on
legislation
Expense
accounting
services
Process transactions - personal
expenses
Personal expenses (for travelling) are
claimed, authorised and paid
Facilities
management
Maintain premises Premises are maintained to ensure
safety, effectiveness and efficiency at all
times
Factory Plan manufacturing Plan the manufacturing schedule
Factory Manufacture Make the goods
Factory Manufacture Make the goods
David M Griffiths E Audit Universe
Factory Process transactions -
manufacturing stock
Receive goods against the order, update
stock records, issue the goods to
manufacture, manage stock levels,
minimise stock losses, account for stock
Factory Define objectives The objectives of the processes for
manufacturing are defined
Factory Design products Products to be manufactured are
designed
Factory Specify manufacturing Specify how the products are to be
manufactured
Financial
accounts
Prepare financial accounts Collect the data from processed
transactions into accounts for statutory or
tax purposes
Financial
accounts
Prepare financial accounts Collect the data from processed
transactions into accounts for statutory or
tax purposes
Fixed asset
accounting
services
Process transactions - fixed
assets
Receive invoice details. Decide on
whether to capitalise costs. Add assets to
register. Attach depreciation data and
calculate.
Health and
safety
Ensure health & safety Ensure the organisation complies with
legislation and good practice to ensure
the safety of staff and customers
Health and
safety
Manage the environment Ensure the operations of the organisation
obey all environmental laws and good
practice
Human
resources
Provide staff Recruit staff and manage staff policies
Human
resources
Provide staff Recruit staff and manage staff policies
Human
resources
Provide staff Recruit staff and manage staff policies
Human
resources
Provide staff Recruit staff and manage staff policies
Information
systems
Provide systems Provide systems, including computer
systems to support the organisation's
operations
Information
systems
Provide systems Provide systems, including computer
systems to support the organisation's
operations
Information
systems
Provide systems Provide systems, including computer
systems to support the organisation's
operations
Information
systems
Provide systems Provide systems, including computer
systems to support the organisation's
operations
Information
systems
Provide systems Provide systems, including computer
systems to support the organisation's
operations
Internet sales Sell direct Sell direct to the public. For example,
through the internet
Internet sales Sell direct Sell direct to the public. For example,
through the internet
130
Internet sales Sell direct Sell direct to the public. For example,
through the internet
Internet sales Sell direct Sell direct to the public. For example,
through the internet
Internet sales Sell direct Sell direct to the public. For example,
through the internet
Logistics Define objectives for supplying
goods
The objectives of the processes for
supplying goods are defined
Logistics Store goods Store goods in warehouses at stages of
the supply chain
Logistics Distribute goods Distribute goods between factories,
warehouses, stores and customers
Logistics Process transactions -
wholesale stock
Receive goods from the factory, or
supplier, update stock records, issue the
goods to manufacture, manage stock
levels, minimise stock losses, account for
stock
Management
accounts
Prepare management accounts Collect the data from processed
transactions into accounts for
management to make decisions
Marketing Sell to resellers Sell goods to customers who will resell
them
Marketing Sell to resellers Sell goods to customers who will resell
them
Marketing Sell to resellers Sell goods to customers who will resell
them
Marketing Research markets Research the market segments which will
achieve the organisation's objectives
Marketing Research customers Research the customer profile which will
achieve the organisation's objectives
Merchandising Define objectives for selling
goods
The objectives of the processes for selling
are defined
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
143
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Merchandising Sell in stores Sell goods in stores operated by the
organisation, or franchised
Payroll
accounting
services
Process transactions - payroll Receive details of employees, their salary
and working hours. Calculate pay based
on these, less deductions. Pay over
deductions
Property Research locations Research the locations, in-country and
abroad, which will achieve the
organisation's objectives
Property Define objectives The objectives of the processes for
obtaining premises are defined
210
Property Obtain offices Decide on the best locations for offices to
house the support staff
Property Obtain factories Decide on the best locations for factories
to manufacture products
Property Obtain warehousing Decide on the best location for premises
to store goods
Property Obtain retail premises Decide on the best location for shops
Public relations Communicate Inform internal and external stakeholders
of the organisation's policies and
intentions
Purchase
accounting
services
Process transactions -
purchases
Receive invoices, obtain approval for
payment, pay for goods and services
Purchasing Define objectives The objectives of the processes for
purchasing are defined
Purchasing Purchase raw materials Purchase items to manufacture goods
Purchasing Purchase raw materials Purchase items to manufacture goods
Purchasing Purchase assets Purchase fixed assets
Purchasing Purchase finished goods Purchase goods for resale
Purchasing Purchase expense goods and
services
Purchase goods and services for the
organisation
Purchasing Purchase expense goods and
services
Purchase utilities for the organisation
Quality Control Ensure quality Ensure all goods sold meet the quality
standards set by legislation and the
organisation
Research and
development
Define objectives The objectives of the research processes
are defined
Research and
development
Research products Research the products, to be
manufactured or purchased, which will
achieve the organisation's objectives
Retail
accounting
services
Process transactions - retail
sales
Receive cash and cash equivalents at the
till, bank them and check all money is
received
Risk manager Manage risks Identify, evaluate and manage risks down
to the level considered acceptable by the
organisation
Sales
accounting
services
Process transactions -
wholesale sales
Carry out credit checks before goods are
despatched, issue invoices and receive
payment for goods
Sales
accounting
services
Process transactions - direct
sales
Process the credit card payments before
authorising despatch of the goods
Security Ensure security The physical security of tangible and
intangible assets, and staff and
customers, is maintained at all times to
ensure the continued operation of the
organisation
Security Ensure security The physical security of tangible and
intangible assets, and staff and
customers, is maintained at all times to
ensure the continued operation of the
organisation
Stock
accounting
services
Process transactions - store
stock
Receive goods from the warehouse,
update store stock records, sell the goods
to customers, manage stock levels,
minimise stock losses, account for stock
Taxation Provide tax services Advise all areas of the company
concerning action to be taken on tax
legislation
The board Decide strategy The most senior management group (the
"board") decide on the objectives of the
organisation
The board Deliver strategy An action plan is devised, at high level,
which will deliver the objectives
The board Deliver strategy An action plan is devised, at high level,
which will deliver the objectives
The board Deliver strategy An action plan is devised, at high level,
which will deliver the objectives
The board Maintain strategy The strategy is regularly updated to take 203
The board Maintain strategy The strategy is regularly updated to take
The board Support strategy Resources are made available to carry
Treasury Manage the assets Ensure that assets of the organisation,
Treasury Manage the assets Ensure that assets of the organisation,
Last audit name
Last audit Budget
Last audit actual
Last timing
Last auditor
Last final report Target
Final report achieved
Manufacturing resource
planning
Promotions resource
planning
Supply resource planning
Selling resource planning
Support strategy
Support resource planning
Research resource planning
Location resource planning
Purchase resource planning
Selling strategy
Retail promotions
Wholesale promotions
TV advertising
Newspaper advertising
Bank and cash
Provision of legal services
Personal expenses
Maintenance of premises
Scheduling manufacture
Production accounting
Environmental audit
Last audit details
Manufacturing stock
Manufacturing strategy
Product design
Manufacturing specification
Financial accounting
Project - IAS
Fixed assets
Health and safety
Environmental
Recruitment
Succession planning
Staff training
Staff policies
Virus checking
Back-up procedures
Access controls
IS contingency plans - hardware
IS contingency plans - communications
Stock control
Internet sales 15 14 Mar-05 Heath 5-Apr-05 5-Apr-05
Internet sales
Internet sales See above
Complaints procedures
Supply strategy
Warehouse operations
Distribution
Wholesale stock
Management accounting
Stock control
Accounts receivable
Complaints procedures
Market research
Market research
Selling strategy
Market anticipation
Market anticipation
Store planning
Price file maintenance
Stock control 20 22 Sep-06 Smith 1-Oct-04 3-Oct-04
Store accounts
Pricing policy
Complaints procedures
Payroll
Geographic research
Location strategy 50 45 2004 Murphy 10/28/2004 10/28/2004
Locating offices
Locating factories
Locating warehouses
Locating shops
Communications
Accounts Payable
Purchasing strategy
Purchasing for manufacture
Purchasing for manufacture
Purchase of assets
Purchase of goods for
resale
Purchase of expense goods
and services
Purchase of expense goods
and services
Quality control
Research strategy
Product research
Retail cash takings
Risk management
Accounts receivable See above
Internet sales See above
Site security
Contingency planning
Retail stock
Provision of tax services
Organisation's strategy
Delivery of strategy
Delivery of strategy
(Projects are individually audited)
Ethical guidelines 20 23 2003 Smith 6/23/2003 6/28/2003
Monitoring of external
(Carried out within the
Treasury
Working capital
Last result
Audit plan date
Next audit number
Next audit name
Next audit budget
Next timing
Manufacturing resource
planning
Promotions resource planning
Supply resource planning
Selling resource planning
Support strategy
Support resource planning
Research resource planning
Location resource planning
Purchase resource planning
Selling strategy
Retail promotions
Wholesale promotions
TV advertising
Newspaper advertising
Bank and cash
Provision of legal services
Personal expenses
Maintenance of premises
Scheduling manufacture
Production accounting
Environmental audit
Next audit detai
Manufacturing stock
Manufacturing strategy
Product design
Manufacturing specification
Financial accounting
Project - IAS
Fixed assets
Health and safety
Environmental
Recruitment
Succession planning
Staff training
Staff policies
Virus checking
Back-up procedures
Access controls
IS contingency plans - hardware
IS contingency plans - communications
Stock control
Issues 2006 201 Internet sales 14 Oct-06
Internet sales
Internet sales
207 Complaints procedures (see above)
Supply strategy
Warehouse operations
Distribution
Wholesale stock
Management accounting
Stock control 20 Oct-06
Accounts receivable 10 Aug-06
207 Complaints procedures (see above)
Market research
Market research
200 Selling strategy 10 Jan-06
201 Market anticipation 20 Jan-06
201 Market anticipation (see above)
203 Store planning 15 Mar-06
204 Price file maintenance 20 Apr-06
Acceptable 2006 205 Stock control 22 Sep-06
206 Store accounts 10 Jun-06
202 Pricing policy 20 Feb-06
207 Complaints procedures 30 Jul-06
Payroll
Geographic research
Unacceptable
253
Location strategy
Jones
Locating offices
Locating factories
Locating warehouses
Locating shops
Communications
Accounts Payable
Purchasing strategy
Purchasing for manufacture
Purchasing for manufacture
Purchase of assets
Purchase of goods for resale
Purchase of expense goods and services
Purchase of expense goods and services
Quality control
Research strategy
Product research
Retail cash takings
Risk management
Accounts receivable
Internet sales
Site security
Contingency planning
Retail stock
Provision of tax services
Organisation's strategy
Delivery of strategy
Delivery of strategy
(Projects are individually audited)
acceptable 2006 250 Ethical guidelines Q1 2005
Monitoring of external influences
(Carried out within the above
Treasury
Working capital
Next auditor
Status
Next final report Target
Next final report Achieved
2006 opinion on risk
ls
Heath To start TBA
Smith To start TBA
Khan To start TBA
Smith To start 18-Jan-06
Khan To start 18-Feb-06
Smith To start 24-Mar-06
Heath To start TBA
Khan To start TBA
Smith To start TBA
Heath To start 27-Feb-06
Heath To start TBA
To start 8/20/2005
Patel To start
Appendix F
Risk and Audit Universe
L1 Level 1 process L2 Level 2 process L3 Level 3 process
1 Define organisation's objectives 1 Decide strategy
1 Define organisation's objectives 1 Decide strategy
1 Define organisation's objectives 1 Decide strategy
1 Define organisation's objectives 2 Communicate strategy
1 Define organisation's objectives 3 Deliver strategy
1 Define organisation's objectives 3 Deliver strategy
1 Define organisation's objectives 3 Deliver strategy
1 Define organisation's objectives 4 Maintain strategy
1 Define organisation's objectives 4 Maintain strategy
1 Define organisation's objectives 5 Support strategy
2 Research new business opportunities 1 Define objectives
2 Research new business opportunities 2 Research products
2 Research new business opportunities 3 Research markets
David M Griffiths F Risk and audit universe
2 Research new business opportunities 4 Research customers
2 Research new business opportunities 5 Research locations
2 Research new business opportunities 6 Support research
3 Obtain, and fit out, premises 1 Define objectives
3 Obtain, and fit out, premises 2 Obtain offices
3 Obtain, and fit out, premises 3 Obtain factories
3 Obtain, and fit out, premises 4 Obtain warehousing
3 Obtain, and fit out, premises 5 Obtain retail premises
3 Obtain, and fit out, premises 6 Maintain premises
3 Obtain, and fit out, premises 7 Support obtaining premises
4 Purchase goods and services 1 Define objectives
4 Purchase goods and services 2 Purchase raw materials
4 Purchase goods and services 2 Purchase raw materials
4 Purchase goods and services 3 Purchase assets
4 Purchase goods and services 4 Purchase finished goods
4 Purchase goods and services 5 Purchase expense goods and services
4 Purchase goods and services 5 Purchase expense goods and services
4 Purchase goods and services 6 Support purchasing
5 Manufacture 1 Define objectives
5 Manufacture 2 Design products
5 Manufacture 3 Specify manufacturing
5 Manufacture 4 Plan manufacturing
5 Manufacture 5 Manufacture
5 Manufacture 5 Manufacture
5 Manufacture 6 Support manufacturing
6 Advertise and promote 1 Define objectives for promotion
6 Advertise and promote 2 Promote in-store
6 Advertise and promote 3 Promote to customers
6 Advertise and promote 4 Advertise in papers
6 Advertise and promote 5 Advertise on TV
6 Advertise and promote 6 Support promotions
7 Store and distribute goods 1 Define objectives for supplying goods
7 Store and distribute goods 2 Store goods
7 Store and distribute goods 3 Distribute goods
7 Store and distribute goods 4 Support supply
8 Sell goods 1 Define objectives for selling goods
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 2 Sell in stores
8 Sell goods 3 Sell to resellers
8 Sell goods 3 Sell to resellers
8 Sell goods 3 Sell to resellers
8 Sell goods 4 Sell direct
8 Sell goods 4 Sell direct
8 Sell goods 4 Sell direct
8 Sell goods 4 Sell direct
8 Sell goods 4 Sell direct
8 Sell goods 5 Support selling
9 Support the organisation in achieving its objectives 1 Define objectives for supporting the organisation
9 Support the organisation in achieving its objectives 2 Prepare management accounts
9 Support the organisation in achieving its objectives 3 Prepare financial accounts
9 Support the organisation in achieving its objectives 3 Prepare financial accounts
9 Support the organisation in achieving its objectives 4 Provide staff
9 Support the organisation in achieving its objectives 4 Provide staff
9 Support the organisation in achieving its objectives 4 Provide staff
9 Support the organisation in achieving its objectives 4 Provide staff
9 Support the organisation in achieving its objectives 5 Provide systems
9 Support the organisation in achieving its objectives 5 Provide systems
9 Support the organisation in achieving its objectives 5 Provide systems
9 Support the organisation in achieving its objectives 5 Provide systems
9 Support the organisation in achieving its objectives 5 Provide systems
9 Support the organisation in achieving its objectives 6 Process transactions 1 Process transactions - purchases
9 Support the organisation in achieving its objectives 6 Process transactions 2 Process transactions - retail sales
9 Support the organisation in achieving its objectives 6 Process transactions 3 Process transactions - wholesale sales
9 Support the organisation in achieving its objectives 6 Process transactions 4 Process transactions - direct sales
9 Support the organisation in achieving its objectives
6 Pr