guide on risk based internal auudit plan
TRANSCRIPT
Gui
DISCL
The viCharteexpres
The
ide on R
AIMER:
ews expresseered Accountassed by the au
Institute(Set
Risk Bas
ed in this Guidnts of India mthor(s).
Internal Aude of Chartt up by an
Ne
sed Inte
de are those may not neces
dit Standardtered Acn Act of Pew Delhi
ernal Au
of author(s). ssarily subscri
s Board countant
Parliament
udit Pla
The Institute ibe to the view
ts of Indit)
n
of ws
ia
© The Institute of Chartered Accountants of India
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic mechanical, photocopying, recording, or otherwise, without prior permission, in writing, from the publisher. Edition : February, 2015 Committee/Department : Internal Audit Standards Board Email : [email protected] Website : www.icai.org Price : ` 250/- (Including CD) ISBN No. : 978-81-8441-776-0 Published by : The Publication Department on behalf of the
Institute of Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha Marg, New Delhi - 110 002.
Printed by : Sahitya Bhawan Publications, Hospital Road,
Agra 282 003 February/2015/P1761 (New)
Foreword
Recent economic events and increased regulatory scrutiny have impacted the importance of understanding and managing the risks, which drive uncertainty about the organizational success. Effective risk management helps organizations to understand the risks they are exposed to, put controls in place to counter threats, and also to effectively pursue their objectives. In a nutshell, risk management is an important aspect of an organization’s governance, management and operations.
In such a scenario, internal audit plays a very critical role by providing assurance that all the risks related to the activities of the organization are being identified, monitored and managed effectively. The Institute, from time to time, has issued guidance to help the members enhance their skill base and competencies in the area of risk management. This “Guide on Risk based Internal Audit Plan” is being issued by the Internal Audit Standards Board of the Institute of Chartered Accountants of India (ICAI) to provide guidance on developing and implementing an effective Risk Based Internal Audit Plan.
I would like to congratulate CA. Charanjot Singh Nanda, Chairman, Internal Audit Standards Board and all the other members of the Board on issuance of this publication which provides updated guidance on this important area. The objective is to help internal auditors in embedding risk based approach thereby enabling them to meet stakeholder’s expectations.
I am confident that this Guide would help our members to play a leading role in promoting good risk management practices.
February, 2, 2015 New Delhi
CA. K Raghu President, ICAI
Preface
In today’s complex regulatory and compliance environment, while capitalizing on emerging opportunities, risk management assumes tremendous importance. Risk management systems encompass the policies, culture, processes, systems and other aspects of an organization that, taken together facilitate its effective and efficient operation by enabling it to assess current and emerging risks, respond appropriately to risks and significant control failures and to safeguard it’s assets. Assessment of risks should support better decision-taking, ensure that the board and management respond promptly to risks when they arise, and ensure that shareholders and other stakeholders are well informed about the principal risks and prospects of the organization. Internal auditors undoubtedly play a leading role in helping their organizations achieve an integrated, organization-wide approach to risk management which ultimately helps to create, enhance, and protect stakeholder value.
Considering the above, the Internal Audit Standards Board of the Institute is issuing this “Guide on Risk Based Internal Audit Plan”. Accordingly, the Board is withdrawing its pervious publication “Guide to Implementing Enterprise Risk Management” issued in 2008. Internal auditors can through risk based auditing provide feedback on the adequacy of internal control as well as they can provide a source of information for monitoring risk. Further, the cycle of continually assessing risk, efficiently planning audit activities, and effectively performing, delivering, and reporting audit activities can result in overall lower risk to the organization. This Guide comprehensively explains the concepts of Risk Based Internal Audit Plan and provides a step-wise approach to effectively implement the same in an organization. It includes detailed guidance on risk appetite, understanding business environment, preparing audit universe, risk identification, risk prioritization and rating, assessing control environment, deriving residual risk rating and finally developing internal audit plan. Further, for enhancing the understanding of the readers, an illustrative case study including all the steps to prepare the RBIAP has also been also provided in the guide.
At this juncture, I would like to place on record my sincere gratitude to CA. Amit Gupta, CA. Mohit Gupta, Shri Anurag Agarwal and CA. Sameer Mittal for sharing their experience and knowledge with us and preparing the draft of this Guide.
vi
I would like to express my immense gratitude to CA. K. Raghu, President, ICAI and CA. Manoj Fadnis, Vice President, ICAI for their continuous support and encouragement to the initiatives of the Board. I must also thank my colleagues from the Council at the Internal Audit Standards Board, viz., CA. Shriniwas Y. Joshi, Vice Chairman, IASB, CA. Rajkumar S. Adukia, CA. Prafulla Premsukh Chhajed, CA. Sanjeev K. Maheshwari, CA. Dhinal Ashvinbhai Shah, CA. Shiwaji Bhikaji Zaware, CA. V. Murali, CA. S. Santhanakrishnan, CA. Abhijit Bandyopadhyay, CA. Sanjiv Kumar Chaudhary, CA. Atul Kumar Gupta, CA. Naveen N.D. Gupta, Shri Manoj Kumar, Shri P. Sesh Kumar and Shri R.K. Jain for their vision and support. I also wish to place on record my gratitude for the co-opted members on the Board, viz., CA. R. Balakrishnan, CA. N. S. Ayyanagoudar, CA. Sunil H. Talati, CA. J. Vedantha Ramanujam and CA. Milind Vijayvargia and special invitees, CA. Nagesh D. Pinge and CA. Hardik Chokshi for their invaluable guidance as also their dedication and support to various initiatives of the Board. I also wish to express my thanks to CA. Jyoti Singh, Secretary, Internal Audit Standards Board and her team of officers for their efforts and inputs in finalizing this Guide.
I am sure that the members and other interested users will find this publication useful in discharge of their professional obligations.
February 9, 2015 New Delhi
CA. Charanjot Singh Nanda
Chairman, Internal Audit Standards Board
vii
Contents
Foreword ............................................................................................................ iii Preface ................................................................................................................ v Chapter 1: Introduction ...................................................................................... 1
Objective .............................................................................................................. 1 Chapter 2: Need for Risk Based Internal Audit Plan ....................................... 2
Chapter 3: RBIAP Concepts .............................................................................. 5
Chapter 4: Responsibility for Developing RBIAP ............................................ 6
Chapter 5: RBIAP- Development and Implementation ............................... 7-45
Define Objective, Criteria and Risk Appetite ......................................................... 8
Risk Categorization ............................................................................................ 10 Risk Assessment Criteria ................................................................................... 11 Criteria for Assessing Control Environment ........................................................ 11 Understanding the Business Environment and Processes ................................. 11 Prepare Audit Universe ...................................................................................... 13 Risk Assessment ................................................................................................ 19 Risk Identification ............................................................................................... 20 Risk Prioritization ................................................................................................ 20 Assess Control Environment .............................................................................. 27 Develop Internal Audit Plan ................................................................................ 35 Planning and Developing Internal Audit Plan ..................................................... 38 Implement and Update RBIAP ........................................................................... 40 Allocate Resources, Engagement Scheduling and Execution ............................ 42 Reassess Risk and Control Environment and Update RBIAP ............................ 43 Chapter 6: Case Study .............................................................................. 46-197
viii
Chapter 1
Introduction
1.1 Traditionally, internal auditing was understood as one time exercise with limited documentation. Increase in the trend of frauds in the corporate sector over the last couple of decades has shifted the pendulum towards the need of a strong and robust internal auditing and internal control systems. Regulators have also become more vigilant towards the requirement of strong internal control system which resulted in the announcement of statutory obligations viz., Sarbanes Oxley Act in USA, Clause 49 of Listing Agreement as per SEBI and recently notified Companies Act, 2013 and rules thereunder. This has put organizations under increasing pressure to identify all the business risks they face and to explain how they manage them.
1.2 Risk-based Internal Auditing (RBIA) allows internal auditor to provide assurance to the Board of Directors that risk management processes are managing risks effectively, having regards to the risk appetite of the organization. Risk-based internal auditing begins by reviewing the organizational objectives, then considers the risks that impact on the achievement of those objectives, and examines the methodologies in place to mitigate those risks. The only defence auditors have in instances of corporate failures is sufficient, appropriate audit evidence that proves their innocence. This audit evidence will be the result of a well-planned and performed audit. An audit plan, currently a risk-based audit plan, is therefore a crucial component in the planning of an effective audit.
Objective 1.3 This guide provides guidance on developing and implementing an effective Risk Based Internal Audit Plan in an organization. This guide would be meant for the individuals who are already an internal auditor, preparing to become one or responsible for overseeing and controlling the business function(s).
Chapter 2
Need for Risk Based Internal Audit Plan
2.1 Preface to the Standards on Internal Audit, issued by the Institute of Chartered Accountants of India defines the term “internal audit” as, “Internal Audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with an view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system.”
Standard on Internal Audit (SIA) 1 “Planning an Internal Audit”, lays down that the internal auditor should, in consultation with those charged with governance, including the audit committee, develop and document a plan for each internal audit engagement to help him conduct the engagement in an efficient and timely manner.
2.2 Standard on Internal Audit (SIA) 13 “Enterprise Risk Management” mentions that “The internal auditor will normally perform an annual risk assessment of the enterprise, to develop a plan of audit engagements for the subsequent period. This plan will be reviewed at various frequencies in practice. This typically involves review of the various risk assessments performed by the enterprise (e.g., strategic plans, competitive benchmarking, etc.), consideration of prior audits, and interviews with a variety of senior management. It is designed for identifying internal audit key areas and, not for identifying, prioritizing, and managing risks directly for the enterprise. The internal audit plan, which should be approved by the audit committee, should be based on risk assessment as well as on issues highlighted by the audit committee and senior management. The risk assessment process should be of a continuous nature so as to identify not only residual or existing risks, but also emerging risks. The risk assessment should be conducted formally at least annually, but more often in complex enterprises. To serve this objective, the internal auditor should design the audit work plan by aligning it with the objectives and risks of the enterprise and concentrate on those issues where assurance is sought by those charged with governance.”
Need for Risk Based Internal Audit Plan
3
2.3 Internal auditor is expected to review business processes and various transactions to provide comfort to the management whether adequate internal controls are in place considering the nature and size of business operations. Considering the volume of the transaction and complexity of the business processes, it would not be possible to check 100% of the business transactions. The internal auditor usually, adopts sampling and judgment based on past experience and knowledge. However, this leaves a risk of gap in internal controls which may remain undetected. Accordingly, there is a need for auditors to follow risk based internal audit approach.
2.4 There are many challenges being faced by the internal auditors in performance of their duties. The major challenges include:
Mismatch in the expectations from and output of the internal audit function;
Audit risk;
Practical implementation of audit standards; and
Uncertainties due to changing environment – internal as well as external.
2.5 The internal audit function is, normally, expected to focus on areas of high risk, including both inherent and residual risk. The internal audit activity needs to identify areas of high inherent risk, high residual risks, and the key control systems upon which the organization is most reliant.
Audit risk – Audit risk refers to the risk that an auditor may issue unqualified report due to the auditor's failure to detect material misstatement either due to error or fraud. This risk is composed of inherent risk (IR), control risk (CR) and detection risk (DR).
Inherent risk – These risks are “all pervasive in nature” meaning they are inherent in all business activities. Inherent risk is a risk in ‘raw form’ before any risk treatment/ mitigation activity has been applied to it.
Residual risk – Residual risk is the level of risk that would remain untreated despite all mitigation efforts.
Guide o
The figresidua
2.6 managplanninof the acceptdeveloallocatauditabactivity
on Risk Based
gure below dal risk.
Internal audit gement procesng an engageactivity and thable level. Thping the intering internal able units and sy’s plan that ha
d Internal Audit
depicts the re
planning neess, where it hament, the inte
he means by whe internal aurnal audit activaudit resourceselect areas foave the greate
t Plan
4
elationship be
eds to make uas been deveernal auditor cwhich manageuditor uses risvity’s plan anes. Risk asseor review to beest risk exposu
tween the in
use of the orgeloped by the considers the ement mitigatesk assessmend in determin
essment is use included in ture.
herent risk a
ganizational riorganization. significant ris
es the risk to nt techniques ing priorities fsed to examihe internal au
nd
isk In
sks an in
for ne dit
Chapter 3
RBIAP Concepts
3.1 Risk Based Internal Audit Plan (RBIAP) is an important tool that helps internal auditor to respond to the challenges being faced by the internal auditor, and also enhances the quality of the services that the internal audit function provides. By following the structured approach for planning the internal audit, it could be easily concluded that:
A proper evaluation has been done to identify and assess the risk vis-a-vis risk appetite of the company.
Plan to respond to the risks are effective in managing inherent risks within the risk appetite.
Increased focus and rigorous response to risks where residual risks are not in line with the risk appetite.
3.2 RBIAP is an approach to develop the internal audit plan in such a manner that all the business processes covering both financial as well as operational activities are reviewed by internal audit function within a defined time cycle, generally, varying from 3 to 5 years. Also, ensuring that appropriate consideration is made and adequate balance is ensured to the following:
Risk underlying the business process.
Value that the internal audit can provide to the organization.
Effort involved in conducting the internal audit for a particular business process.
Risk appetite of the organization.
Coverage of all auditable areas within the defined time range.
Chapter 4
Responsibility for Developing RBIAP
4.1 The need to manage risks has become recognised as an essential part of good corporate governance practice. This has put organisations under increasing pressure to identify all the business risks they face and to explain how they manage them. In fact, the activities involved in managing risks have been recognised as playing a central and essential role in maintaining a sound system of internal control. While the responsibility for identifying and managing risks belongs to management, one of the key roles of internal audit is to provide assurance that those risks have been properly managed.
The Chief Internal Auditor, as designated by the audit committee, must establish a risk-based plan to determine the priorities and focus areas of the internal audit activity which are aligned to the business objectives and organization’s goals. The prime responsibility of developing the Risk Based Internal Audit Plan is with the Chief Internal Auditor. The Chief Internal Auditor must prepare the RBIAP and review the same on annual basis in the light of changing business environment, processes, technology, etc. having impact on the prevailing risk for the Company and its control environment.
4.2 The RBAIP, thus, prepared by the Chief Internal Auditor must be approved by the Audit Committee. Audit Committee assesses the appropriateness of the process followed for development of the RBIAP to ensure that due consideration is given to the following:
Consideration of all major risk for the company
Business objectives
Risk appetite of the company
Inputs from the key managerial persons of the company
Changes in the operational and regulatory environment.
7
Chapter 5
RBIAP — Development and Implementation
5.1 The internal auditor takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the internal auditor uses his/her own judgment of risks after consideration of input from senior management and the board. The internal auditor must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
5.2 Risk based internal audit planning includes formal annual planning, updating the plan before audit segments begin and periodic feedback from management and the audit committee regarding report content expectations. The internal audit scope is adjusted based on all of these factors and gives the internal auditor a keen ability to understand and react quickly to management and audit committee concerns regarding risk and audit coverage. Thus, there are two phases of successful implementation of the RBIAP. These include the following:
Develop and approve RBIAP Implement and update RBIAP
5.3 Methodology for development of risk based internal audit plan can be divided into following steps:
I Develop and Approve RBIAP
(i) Define objective, criteria and risk appetite
(ii) Understanding the business environment and processes
(iii) Prepare audit universe
(iv) Risk assessment
(a) Risk identification (b) Risk prioritization and rating
Guide on Risk Based Internal Audit Plan
8
(v) Assess control environment
(vi) Derive residual risk rating
(vii) Develop internal audit plan.
II Implement and update RBIAP
(i) Derive Annual Internal Audit plan (ii) Allocate resources, engagement scheduling and execution (iii) Re-assess risk and control environment (iv) Update RBIAP.
Process of Risk Based Internal Audit Planning
Define Objective, Criteria and Risk Appetite 5.4 Internal Auditor need to first define the objective of preparing the risk based internal audit plan for a particular organization. There are varied factors that need to be considered while defining the objective of the exercise, these may include:
Size and nature of business
Complexity of the business process
Resource constraint
Define objective, criteria and risk
appetite
Understanding the Business
Environment and processes
Prepare Audit Universe
Risk identificationFilter Risks (Acceptable Risks, under
tolerance limit)
Categorise Risks and link to Audit
Areas
Risk Prioritisation and Rating
Summarise Risks for each audit
areaAssess control environment
Derive Residual Risk Rating
Derive Frequency of
Audit
Develop Audit Plan
Approval from Audit Committee
Allocate Resources, engagement
scheduling and execution
Re-assess risk and control environment
Update RBIAP
RBIAP — Development and Implementation
9
Time horizon which the organization considers appropriate for review of all the business processes.
5.5 Internal auditor need to define the criteria that would be used for developing the internal audit plan. It would include the following:
Risk categorization
Risk assessment criteria
Criteria for assessing the control environment
Criteria to priorities and decide the frequency of audit. 5.6 It is very critical that the criteria for developing the RBIAP are documented in advance and approved to avoid any subjectivity on the outcome of the exercise. The key factors that need to be kept in mind while finalizing these criteria include the following:
Inherent risks – ensure all inherent risks are identified and assessed.
Residual risks – ensure all residual risks are identified and assessed.
Mitigating controls– ensure elements of control environment (e.g., level of automation, governance structure, etc.) are identified that could be linked to the individual events and/ or risks.
5.7 Internal auditor need to interact with the senior management and take a view on the risk appetite of the organization. Risk appetite of the organization can significantly impact the criteria that need to be used for the development of RBIAP. A Risk Based Internal Audit Plan should ensure that it covers all unacceptable current risks where management action is required. These would be the areas with high residual risks, i.e., high inherent risk and minimal key controls or mitigating factors. These would be the areas that senior management should get audited immediately. Identification, assessment and prioritization of the audit areas is dependent on the residual risk for the organization, which is monitored and evaluated in the light of risk appetite of the organization.
Risk rating depends on the criteria set by the organization to assess and prioritise its risk. Depending on the risk appetite of the organization, it could mean financial loss of ` 1 Lac could be ‘minor’ for a large PSU with annual profit of ` 500 crores but it could be major for an organization with annual profit of ` 50 Lacs.
Guide on Risk Based Internal Audit Plan
10
Risk Categorization 5.8 According to the Internal Control Framework issued by The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, risk can be categorized as under: Operational – Risks that impact the efficiency and effectiveness of the
operations of the organization are categorized as operational risk. E.g., process delays in completing the activity, customer dissatisfaction, inadequate fund management, excess payment, etc. Some companies further categories operational risk into financial risk and non-financial risk depending on the direct impact of risk.
Reporting – Risk of incorrect financial reporting. Internal control weaknesses which may result into incorrect financial reporting are categorized at reporting risk, e.g., inadequate cutoff procedures, lack of senior management review of financial statements, etc.
Compliance – Risk that may result in non-compliance to the applicable regulatory requirements. E.g., delay in submission of taxes and returns, operating without obtaining the required licenses, etc. These may result into possible fines and penalties being imposed on the organization.
5.9 Organizations also classify the risk under the additional category depending on the nature of the business, e.g., a company operating in energy sector could categories the risk as under: Operational Financial Health, Safety and Environment Compliance Reporting Company operating in the technology intensive sector could categories the risk as under: Operational Financial Technology Compliance Reporting
RBIAP — Development and Implementation
11
Risk Assessment Criteria 5.10 Risk need to be assessed in terms of severity of the impact that may come to the organization in the event of risk occurrence. Assigning the rating to the risk depending on the assessed severity is termed as risk prioritization. The typical risk prioritization is done on the scale of 1 to 5 as mentioned below:
Score 1 - Insignificant
Score 2 – Minor
Score 3 – Moderate
Score 4 – Major
Score 5 - Critical
Criteria for Assessing Control Environment 5.11 The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility; organizes and develops its people; and the attention and direction provided by the board of directors. The typical control environment assessment is done on the scale of 1 to 5 as mentioned below:
Score 1 – Very strong
Score 2 – Strong
Score 3 – Moderate
Score 4 – Weak
Score 5 – Almost missing.
Understanding the Business Environment and Processes 5.12 As per the requirement of Standard on Internal Audit (SIA) 1 “Planning an Internal Audit”, The internal audit plan should be comprehensive enough to ensure that it helps in achieving of the above overall
Guide on Risk Based Internal Audit Plan
12
objectives of an internal audit. The internal audit plan should, generally, also be consistent with the goals and objectives of the internal audit function as listed out in the internal audit charter, as well as the goals and objectives of the organisation.
5.13 The key to effective risk-based auditing is for the internal auditor to begin the planning process with a thorough understanding of the business process for the area under review. In combination with feedback from management and the audit committee, business objectives are reviewed, specific risks that could cause management not to meet those business objectives are identified, and controls established by management to mitigate these risks are evaluated. These business objectives, risks and controls should also be reviewed in relationship to the entity wide business objectives, risks, and controls to assist in developing comprehensive corporate decisions.
Below mentioned is a simple framework that can assist in understanding the business environment:
(i) Understand where the company is: Really understand. Taking complete stock of a company’s current situation – as regard to product innovation, customer buying patterns, PR branding, what are you selling and what you can sell.
(ii) Compare the company with the leader in the business: A critical comparison with the market leader will bring out the areas where most attention needs to be paid, because most often, the leading business has read the business environment right.
(iii) Engage with stakeholders: Constant dialogue with all stakeholders will lead to understanding the company’s niche and positioning in the competitive market.
5.14 SIA 1 further defines the steps that could be followed for obtaining the knowledge of the business. The internal auditor should obtain a level of knowledge of the entity sufficient to enable him to identify events, transactions, policies and practices that may have a significant effect on the financial information. Following are some of the sources wherefrom the internal auditor can obtain such knowledge:
Previous experience, if any, with the entity and the industry.
Legislation and regulations that significantly affect the entity.
Entity’s policy and procedures manual.
RBIAP — Development and Implementation
13
Minutes of the meetings of the shareholders, board of directors, and important committees of the board such as, audit committee, remuneration committee, shareholders’ grievances committee.
Management reports/ internal audit reports of prior periods.
Newspaper/ industry journals.
Discussion with client’s management and staff.
Visits to entity’s plant facilities, etc., to obtain first hand information regarding the production processes of the entity.
Visits to the entity’s department where the accounting and other documents are generated, maintained, and the administrative procedures followed.
Prepare Audit Universe 5.15 The first important step towards putting the RBIAP on papers is the documentation of the Audit Universe. The Audit Universe is to be prepared on the basis of the business understanding obtained under previous step.
SIA1 defines audit universe as “Audit universe comprises the activities, operations, units etc., to be subjected to audit during the planning period. The audit universe is designed to reflect the overall business objectives and therefore includes components from the strategic plan of the entity. Thus, the audit universe is affected by the risk management process of the client. The audit universe and the related audit plan should also reflect changes in the management’s course of action, corporate objectives, etc.”
Professor Brian Cox writing in the Wall Street Journal in April 2013 explained “Quantum theory tells us that the universe we experience emerges from a bewildering, counterintuitive maelstrom of interactions between an infinity of recalcitrant sub-atomic particles.” Defining the internal audit universe is much simpler than that, although the principles may well be similar.
5.16 In simple terms, audit universe can be termed as the set of all auditable units/ departments/ business process and audit areas, collectively called as auditable entities. Preparation of audit universe and selection of auditable entities in the audit universe is the most critical activity which lays the foundation for developing a robust and effective Risk Based Internal Audit Plan.
Guide on Risk Based Internal Audit Plan
14
The important factor which could affect the selection of an auditable entity under the audit universe are:
(i) Organization vision, mission and objectives: The audit universe can include components from the organization’s strategic plan. By incorporating components of the organization’s strategic plan, the audit universe will consider and reflect the overall business objectives. Inputs from senior management and board should be obtained and assessment of risk and exposure affecting the organization should be carried out.
(ii) Expectations from the internal audit function: Audit universe need to factor all the expectations from the internal audit function. The internal audit plan, audit execution and the outcome of the internal audit process depends on the quality and comprehensiveness of the audit universe to gather all the expectations, focus areas and results expected from the performance of the internal audit activities.
(iii) Organization structure and set up: Organisation structure need to be understood while identifying the auditable entities. In case of highly centralized operations, more attention should be given to the auditable units at corporate, while in case of decentralized operations separate auditable entity need to be identified for plant/ branch/ regional office locations as applicable.
(iv) Geographical location of the organisation: Geographical location of the business set up also plays a key role in selection of units. Every location need to have a consideration and some place in the audit universe, however the identification of auditable unit need to be evaluated in consideration with other points. E.g., in case of regional office with smaller size of operations and lesser number of transactions, regional office can be considered as one auditable entity and all the business processes can be reviewed at that particular regional office together. However, if the scale of operations are larger, locations would need to be split into further functional areas e.g., Procurement - RO, Sales & Marketing – RO, HR and Payroll – RO, etc.
(v) Scalability of the operations: Scale of business operations should also be factored while deciding an auditable entity. Auditing an entity with very low scale may not be cost effective to be audited separately and may not give the actionable results as it would fall in the comfort range of the risk appetite of the organization.
RBIAP — Development and Implementation
15
(vi) Organic linkage between the business process/ sub processes: It is becoming increasingly important, to perform the objective study and conduct end to end review of a business process so that organization level impact on the identified gaps can be assessed and more objective decisions could be taken by the management on the basis of result of the internal audit activities. Hence, it is vital to study the linkage between business process and sub process. E.g., it is more effective to review the complete process of Procure to Pay (P2P) so that financial implication and complete process gaps could be identified. Review of the procurement process or payment process in isolation would not provide effective root causing and implication assessment of the internal audit gaps noted during the review.
(vii) Sufficiency to justify cost of control: Internal audit function acts as a control activity and keeps the regular check on the functioning of the business activities. Internal audit requires a team of qualified professionals with expert knowledge on the subject matter. With the increase in the expectations from and responsibilities of internal audit professional, the cost of the internal audit function is also increasing. It is important to keep the adequate balance in the cost of the internal audit review and benefit envisaged to realize from the review. Hence, cost of internal audit should be kept in mind while identifying the auditable entities.
5.17 It is important to understand that it’s not the size of the audit universe that matters rather it is the extent of the focus for the internal audit plan in strategic and operational terms. Having understood the key factors to be kept in mind and the objective of preparing the audit universe, let’s have a quick glance at the steps that need to be followed for developing the audit universe. (i) Discussion with Management: Perform detailed discussion at all the
level of senior and top management including the board members to understand their expectation, objectives and key focus areas.
(ii) Sketch Audit Universe: Prepare the initial sketch of the audit universe containing the list of identified business process and auditable entities that need to be audited by the internal audit function.
(iii) Assess objectives for identified auditable entities: Align the objective of the internal audit with the objectives of the business and assess the objectivity of reviewing the identified auditable entities. The category of such objective could be:
Guide on Risk Based Internal Audit Plan
16
(a) Reliability and integrity of financial and operational Information (b) Effectiveness and efficiency of operations (c) Safeguarding of assets (d) Compliance with laws, regulations, and contracts
(iv) Re-validate Audit Universe: The audit universe and related audit plan are updated to reflect changes in management direction, objectives, emphasis, and focus. It is advisable to assess the audit universe on at least an annual basis to reflect the most current strategies and direction of the organization. The validation exercise is pervasive and continuous in nature until the annual plan is finalized and approved by the audit committee/ board.
Steps for Developing the Audit Universe
Discussion with Management
Draft initial sketch of audit universe
Assess objective of auditable entities
Re-validate audit universe
Finalize audit universe
Develop RBIAP
Approve RBIAP
RBIAP — Development and Implementation
17
5.18 Following are some illustrative audit universe:
(i) Illustrative Audit Universe of a Manufacturing Company:
Sr. no.
Department Business Locations Corporate
Office Plant Branch
Office 1
Branch Office
2 1 Order to Cash 2 Procure to Pay 3 Human Resource and Payroll 4 Finance and Accounts 5 Production 6 Logistics and Distribution 7 Capital Expenditure 8 Plant Maintenance 9 Information Technology 10 Warehouse Management 11 Statutory Compliances
(ii) Illustrative Audit Universe of a Oil and Gas Company:
D. Sr. no.
Department P. Sr. No.
Process Business Locations Corporate
Office Plant Depot
1 Contracts 1.1 Tendering and RFQ
1 Contracts 1.2 Contracting and Ordering
2 Plant Operations
2.1 Production and Distribution
2 Plant Operations
2.2 Operation and Maintenance
Guide on Risk Based Internal Audit Plan
18
D. Sr. no.
Department P. Sr. No.
Process Business Locations Corporate
Office Plant Depot
2 Plant Operations
2.3 Safety and Environment
3 Drilling 3.1 Drilling 4 Information
Technology 4.1 IT Security
4 Information Technology
4.2 ERP and other applications
5 Geology & Reservoir
5.1 Geology & Reservoir
6 Research and Development
6.1 Research and Development
7 Material Management
7.1 MM - Planning & Receiving
7 Material Management
7.2 MM - Depot
7 Material Management
7.3 MM - Inventory Handling and Storage
8 Well Logging 8.1 Well Logging 9 Finance and
Accounts 9.1 Financial
Planning and Analysis
9 Finance and Accounts
9.2 Treasury
9 Finance and Accounts
9.3 Financial Reporting
9 Finance and Accounts
9.4 Asset Management
9 Finance and Accounts
9.5 Payables
RBIAP — Development and Implementation
19
D. Sr. no.
Department P. Sr. No.
Process Business Locations Corporate
Office Plant Depot
9 Finance and Accounts
9.6 Invoicing and Receivables
9 Finance and Accounts
9.7 JV Operations
9 Finance and Accounts
9.8 Taxation
10 Human Resource
10.1 Recruitment
10 Human Resource
10.2 Learning and Development
10 Human Resource
10.3 Separations
10 Human Resource
10.4 Payroll Process
11 Projects 11.1 Planning and Investment
11 Projects 11.2 Execution and handover
12 Business Development
12.1 Business Development
13 Exploration & development
13.1 Exploration & development
Risk Assessment 5.19 The objective of the risk assessment is to assess the level of risk in the various business processes. Risk assessment focuses on the business environment, regulatory environment, organisation structure, organizational and business environmental changes and specific concerns of management and the audit committee to determine the areas of greatest risk. It also serves to aid the internal auditor in evaluating the control design to determine
Guide on Risk Based Internal Audit Plan
20
the desired audit scope. Risk assessment includes risk identification and then risk prioritization based on defined criteria.
Risk Identification 5.20 Risk identification is the process to identify all possible risk in the auditable entities identified at the time of preparation of the audit universe. This includes evaluation of ‘what can go wrong’ in the particular process attached with the identified auditable entity which can have any adverse impact on the organization. The adverse impact could be in the form of possible financial loss, operational inefficiency and ineffectiveness, statutory non-compliance, incorrect reporting, etc. The quality and effectiveness of the risk assessment depends on the comprehensiveness and completeness of the risk identification exercise.
5.21 The first step in the risk identification exercise is to identify the event which may affect the entity positively or negatively in achieving its objectives. Such events may be classified as risk and opportunities depending on its impact on the organization. Risk identification is followed by risk filtration steps. Risk can be all pervading; they can surface from the most obscure to the most obvious (but overlooked) areas. Similarly, their outcomes can also be from the immaterial to highly significant. These are the matters which are quite difficult to appreciate or evaluate at the time of risk identification and are therefore best left for the next state (Risk Prioritization). Nevertheless, given the practical limitations, some level of judgment will have to be applied in deciding what to include and what to exclude at the identification stage. Here, to ensure that no important matters are overlooked, it is always safer to begin by initially including all the risk and then filtering out everything which appears to be obviously insignificant and with remote probability of occurrence.
Risk Prioritization 5.22 The identified risk need to the prioritized based on the pre-defined criteria (Refer step 1 - Define objective, criteria and risk appetite). The typical risk periodization is done on the scale of 1 to 5 as mentioned below:
Score 1 - Insignificant
Score 2 – Minor
Score 3 – Moderate
RBIAP — Development and Implementation
21
Score 4 – Major
Score 5 - Critical
5.23 There are various factors that could affect the risk prioritization and rating. Following factors need to be kept in mind while performing the risk prioritization exercise:
(i) “Auditable” risks associated with/ mapped to the business process, entity or location
(ii) Risk of non compliance (penalty, etc.)
(iii) Magnitude of Financial Loss
(iv) Significance of threat to Health, Safety & Environment (HSE)
(v) Risk to reputation of organisation
(vi) Possibility of fraud/ misappropriation
(vii) History of frauds or irregularity
(viii) Management’s assertion on impact
(ix) Magnitude of impact on organisational profitability
(x) Stability of IT systems
(xi) Complexity (volume of business, nature of business)
(xii) Results of earlier audits external/ internal
Risk Rating Pyramid
Insignificant (1)
Minor (2)
Moderate (3)
Major (4)
Critical (5)
Guide on Risk Based Internal Audit Plan
22
5.24 The preliminary risk rating can be assessed and interpreted using the below mentioned methodology.
Preliminary Risk Rating
Description Illustrative parameters for Assessing
1 Insignificant Process risks with insignificant risk on the organization.
Non-compliance with minor penalties.
Impact of very low financial loss. No major threat to Health, Safety &
Environment. No history of fraud/ misappropriation Minor impact on organizational
profitability. Stable IT and ERP systems.
2 Minor
Process risks with minor risk on the organization.
Non-compliance with minor penalties.
Impact of minor Financial Loss. No significant threat to Health,
Safety & Environment. Minor fraud/ misappropriation. Minor impact on organizational
profitability. Stable IT and ERP systems.
3 Moderate Process risks with tolerable risk on the organization.
Non-compliance with major financial penalties.
Impact of significant financial loss. Possible threat to Health, Safety &
Environment. Possible fraud/ misappropriation. Tolerable impact on organizational
profitability.
RBIAP — Development and Implementation
23
Preliminary Risk Rating
Description Illustrative parameters for Assessing
Stable IT and ERP systems. 4 Major Process risks with major risk on the
organization. Risk of reputational impact to
organization. Non-compliance with major financial
penalties or prosecutions. Impact of Major Financial Loss. Significant threat to Health, Safety &
Environment. Repeated fraud/ misappropriation. Major impact on organizational
profitability. Deficient IT and ERP systems.
5 Critical Process risks with critical risk on the organization.
Risk of high reputational impact to organization.
Risk with impact on going concern of the organization.
Non-compliance with major financial penalties and prosecutions.
Impact of High Financial Loss. Significant threat to Health, Safety &
Environment. Repeated fraud/ misappropriation
with major financial or reputational consequences.
High impact on organizational profitability.
Missing IT and ERP systems.
5.25 Some techniques of risk assessment are explained below:
Interviews: Internal auditor need to conduct interviews at all levels of management to identify the possible risk that could occur in the
Guide on Risk Based Internal Audit Plan
24
particular process as per the experience of the management personnel. Internal auditor can assess the level of understanding of the organization’s process, policies, systems used and controls in place during these interviews. This would help them in assessing the control environment around the particular auditable entity. We would discuss more about the control environment later in this chapter.
Surveys: Internal auditor can perform surveys to identify and assess the gravity of the risk and its possible impact on the organization. An important aspect of the survey is to prepare a qualitative questionnaire that would help in identification of the qualitative risk and its impact. The target audience need to be selected carefully while performing the survey so that results are not biased.
Workshops: The Internal auditor can also perform workshops with the selected managerial persons to identify the risk in the particular process and ask them to rate them based on the defined methodology. There are many tools that may be used to perform these workshops effectively.
Past events: The activities performed by the internal auditor during the business understating stage can also give lot of information to the auditor to identify the possible risks for the organization. This could include past events, annual report and directors statement, past internal audit reports, risk register, etc.
Internal auditors experience: Experience of the internal auditor also plays a key role in identifying the possible risks in the particular process of the organization. The gravity of the risk identified by the auditor from his experience can be moderated by using the techniques specified in the above mentioned bullets.
Prepare Risk Register 5.26 The consolidated form of all risks is referred to as “Risk Registers” since all such identified risks most often get listed in the form of a register. The typical contents of the risk register are listed below. Contents applicable and filled till the stage of risk assessment are as follows:
(i) Auditable Entity
(ii) Sub Process
(iii) Risk Description
RBIAP — Development and Implementation
25
(iv) Risk Category
(v) Risk Rating
Illustrative format of the Risk Register is as follows:
Sr. no.
Auditable Entity
Sub Process Risk Description Risk Category
Risk Rating
1 Order to Cash
2 Procure to Pay
Procurement Planning
Procurement be-yond the defined budgetary limits.
Financial Loss
4
3 Vendor Selection
Inadequate ve-ndor selection due to non-compliance to procurement policies and procedures (incl. tendering)
Financial Loss
4
4 Ordering Increased cost of procurement due to ineffective negotiation/comparison of commercial bid submitted
Financial Loss
5
5 Receiving 6 Quality check 7 Invoicing 8 Accounts
payables
9 Payment processing
* Information included in the above format is illustrative.
The next step toward documentation of risk based internal audit plan is to document the detailed risk register containing the list of all the risks identified and the preliminary risk rating.
Guide on Risk Based Internal Audit Plan
26
5.27 The next step is to prepare the summarized risk register. The objective of preparing the summarized register is to arrive at the consolidated risk rating for an auditable entity and assess the overall inherent risk in the auditable entity. There are two techniques which may be used for arriving at the summarized risk register:
(i) Arithmetic mean of preliminary risk rating: In this method, arithmetic mean of all the identified risk ratings are is calculated to arrive at the consolidated risk rating. Considering the simplicity of the technique, this is the most widely used technique to arrive at the summarized risk register.
(ii) Weighted average of preliminary risk rating: In this method, weights are assigned to all the identified risk on the basis of statistical computation of the probability and quantification of possible risk on the organisation. Weighted average of all the identified risk ratings is then calculated to arrive at the consolidated risk rating.
Illustrative Format of Summarized Risk Register
Sr. no.
Auditable Entity
Sub Process
Risk Description Risk Category
Risk Score
Consolidated Risk Rating
1 Procure to Pay
Procurement Planning
Procurement beyond the defined budgetary limits.
Financial Loss
4 3.25
2 Vendor Selection
Inadequate vendor selection due to non-compliance to procurement policies and procedures (incl. tendering)
Financial Loss
4
3 Ordering Increased cost of procurement due to ineffective negotiation/comparison of commercial bid submitted
Financial Loss
5
4 Receiving Risk of receiving more than the ordered quantity
Financial Loss
3
5 Quality Risk of accepting the Operation 4
RBIAP — Development and Implementation
27
Sr. no.
Auditable Entity
Sub Process
Risk Description Risk Category
Risk Score
Consolidated Risk Rating
check inferior quality of material
al/ Financial
6 Invoicing Risk of delay in invoice processing
Operational
2
7 Accounts payables Duplicate vendor
codes
Operational/ Financial
3
8 Payment processing
Risk of delay in payment processing
Operational/ Financial
1
Assess Control Environment 5.28 Preliminary assessment of the risk provides the understanding and evaluation of inherent risk. Assessment of inherent risk alone is not sufficient to identify the audit areas requiring the larger focus from the internal audit function. The inherent risk need to be factored with the mitigating controls and the control environment around the underlying processes that could reduce the level of residual risk. Hence, it is vital to perform the assessment of control environment around the identified risks. The control environment thus assessed provides the assessment of the ‘likelihood’ factor of the identified risk.
Assessing likelihood of the happening of an event comes with its own challenges. It is relatively easy to put in place a pre-set methodology for the actual measurement of the rating by taking some percentages and assigning them on 1 to 10 rating. However, what’s most difficult is the foresight required to actually determining the probability of the risk. One technique used commonly is the history of past occurrence and the periodicity of those occurrences, which can help to get a better grasp over the probability.
Guide on Risk Based Internal Audit Plan
28
5.29 Some of the examples of situations that might influence the assessment of control environment are as below:
Inappropriate pay, reward and incentive structures which contribute to inappropriate behavior or excessive risk-taking.
Increasing employee turnover leading to insufficient experience and less reliable execution of controls. This may be the result of a number of failures in the control environment.
The absence of a defined code of conduct and ethics and/ or a whistleblower policy, absence of a process to evaluate the effectiveness of the code of conduct and ethics policy, a high number of reported frauds, or management over-ride of controls which can lead to inappropriate activity that is not detected and addressed timely.
Board’s capability and structure for effective governance. Key managers making business decisions without considering the
related risks; management may not exhibit risk and control consciousness in its decision making.
Processes relating to defining job descriptions for key positions may be weak, background checks and/ or reference checks are not consistently performed, or the organization has difficulty hiring and retaining qualified individuals.
5.30 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the updated Internal Control – Integrated Framework in 2013. The framework states “The control environment is the set of standards, processes and structures that provide the basis for carryign out internal control across the organisation. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. The control environment comprises the integrity and ethical values of the organsation; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organisational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigour around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.”
5.31 There are various factors that could affect the assessment of control environment and its rating.
RBIAP — Development and Implementation
29
Following factors need to be kept in mind while performing the assessment of control environment as mentioned below:
(i) Existence of preventive or detective control to mitigate risks associated with/ mapped to the business process, entity or location.
(ii) Legal compliance framework (iii) Appropriate and established IT Control environment (iv) Governance structure/ monitoring Mechanism (v) Documented policy and procedures (vi) Past incidents/ trend (vii) Organization’s sensitivity towards Health, Safety & Environment (viii) Fraud detection (ix) Balance of centralized versus decentralized operations within the
organization
Control Environment Rating Pyramid
5.32 Internal auditor need to assess and consider the level of effectiveness of control environment activities and the risk of deficiencies in the control environment, while defining the audit universe and RBIAP.
Very Strong (1)
Strong (2)
Moderate (3)
Weak (4)
Almost missing (5)
Guide on Risk Based Internal Audit Plan
30
The control environment rating can be assessed and interpreted using the below mentioned methodology.
Control Environment
Rating
Description Illustrative Parameters for Assessing
1 Very Strong Existence of strong preventive or detective control with mechanism for continuous monitoring and update the same
Strong legal compliance framework Well established ERP system and IT
security measures Well defined and implemented policy
and procedures Consistent organisation growth with rare
surprises Balance of centralized versus
decentralized operations within the organization
2 Strong Defined preventive or detective control Strong legal compliance framework Established ERP system and IT security
measures Well defined policy and procedures and
minor deviations Consistent organisation growth with
unlikely losses Balance of centralized versus
decentralized operations within the organization
3 Moderate Defined preventive or detective control but unlikely monitoring and update exercise.
Legal compliance framework with minor deviations
Established ERP system and IT security measures
Defined policy and procedures but insufficient control on implementation and compliance to same.
RBIAP — Development and Implementation
31
Control Environment
Rating
Description Illustrative Parameters for Assessing
Consistent organisation growth with possible losses
4 Weak Preventive or detective controls not identified or defined
Missing legal compliance framework with alternative measure to monitor legal compliance
Moderate IT environment with missing automated controls.
Policy and procedures not formally defined and there may be possible deviations
Consistent organisation growth with frequent losses
Inadequate board monitoring and governance structure
5 Almost Missing
Missing preventive or detective controls Missing legal compliance framework
with no alternative measure to monitor legal compliance.
Insufficient IT environment with missing automated controls.
Policy and procedures not defined Inconsistent organisation growth with
major losses Inadequate board monitoring and
governance structure Inadequate decentralisation of decision
making
Update Summarized Risk Register
5.33 The next step is to update the summarized risk register. The summarized risk register needs to be updated with the following information:
(i) Factor Affecting Control Environment (ii) Control Environment Rating
Guide on Risk Based Internal Audit Plan
32
At this stage, the detailed risk register is replaced with the summarized risk register to contain the following information: (i) Auditable Entity (ii) Sub-process (iii) Initial Risk Rating for each sub process (i.e., the consolidated risk
rating arrived in previous step) (iv) Rationale for initial risk rating (v) Control environment rating (vi) Rationale for control environment rating
Illustrative Updated Risk Register
Derive Residual Risk Rating 5.34 As referred earlier, preliminary assessment of the risk provides the understanding and evaluation of inherent risk. The inherent risk needs to be factored with the mitigating controls and the control environment around the underlying processes that could reduce the level of residual risk.
Sr. no.
Auditable
Entity
Sub Process Initial Risk
Rating
Rationale for initial risk
rating
Control environment rating
Rationale for control
environment rating
1 Procure to Pay
Procurement Planning
3.25 High risk of financial loss and procurement at high prices
4 Weak IT system and Manual controls. Policies and procedures not defined and ineffective monitoring by management.
Vendor Selection
Ordering
Receiving
Quality check
Invoicing
Accounts payables
Payment processing
RBIAP — Development and Implementation
33
There are two elements of a risk:
Impact Rating or Preliminary Risk Assessment Rating.
Likelihood Rating (also called probability) or Control Environment Rating.
Consequence and likelihood can be multiplied together to give a single measure of the significance of a risk, or a residual risk. For example, take a risk that purchases prices are not competitive. Assuming it has high impact on the organization’s cost of purchase, the impactrating could be major (scores 4) but the likelihood could be 3 due to moderate control environment. Table below describes the illustrative examples of calculating the residual risk scores.
Illustrative Risk Preliminary Risk Rating
(A)
Control Environment
Rating (B)
Residual Risk Score
(C)
Inadequate objectives and strategy
5 1 5
Inappropriate stocking of goods
5 1 5
Ineffective assessment of competition
5 3 15
Ineffective Pricing 5 2 10 Inadequate store layout 4 4 16 Incorrect Invoicing 4 1 4 Stock Outs 5 1 5
Thus, this can be concluded that :
Residual Risk Rating Score = Preliminary Risk Assessment x Control Environment Rating
Update Summarized Risk Register
5.35 The next step is to update the summarized risk register. The summarized risk register need to be updated with the residual Risk Rating.
Guide on Risk Based Internal Audit Plan
34
At this stage, the summarized risk register would contain the following information:
(i) Auditable entity
(ii) Sub process
(iii) Initial risk rating for each sub process
(iv) Rationale for initial risk rating
(v) Control environment rating
(vi) Rationale for control environment rating
(vii) Residual risk rating score
Illustrative Updated Risk Register
Sr. no.
Auditable
Entity
Sub Process
Initial Risk
RatingA
Rationale for initial
risk rating
Control environm
ent rating
B
Rationale for control
environment rating
Residual Risk
Rating Score
C = A X B
1 Procure to Pay
Procurement Planning
3.25 High risk of financial loss and procurement at high prices
4 Weak IT system and Manual controls. Policies and procedures not defined and ineffective monitoring by management.
13
Vendor Selection Ordering Receiving Quality check Invoicing Accounts payables Payment processing
RBIAP — Development and Implementation
35
The Matrix below describes the residual risk rating score for all combinations of the Preliminary Risk Assessment and Control Environment Rating.
Develop Internal Audit Plan 5.36 Business environment is very dynamic, typically three to five years internal audit plan is developed, considering the nature of business, business environment, stability of the business processes, changes in the objective of the management and expectations from the internal audit.
With certain adjustments based on management and audit committee input or regulatory requirements, low- risk areas would be audited every three years, moderate-risk areas audited every other year, and high-risk areas audited every year. The three-year audit plan should be revisited each year during the update phase of the risk assessment process and adjustments should be made based on new or changed risk factors. This methodology allows the internal auditor flexibility in a changing risk environment. Further consideration should be given to the following aspect while deriving the annual internal audit plan.
Availability of audit resources over the 3 year period;
Very Strong
(1)
Strong (2)
Moder-ate (3)
Weak (4)
Almost Missing (5)
2
Insignificant (1) Minor (2) Moderate (3) Major (4) Critical (5)
Con
trol
Env
ironm
ent R
atin
g
Preliminary Risk Assessment
16
3 2 1 5
3
5
4
4
4
6
6
9
12 8
8
12
10
10 15 20
15
20
25
Guide on Risk Based Internal Audit Plan
36
Feasibility of conducting an audit; Conduct of other reviews providing oversight; Mandated audit projects; Management requests; Audit and Evaluation Committee direction. 5.37 New priorities are determined based on these considerations; audits are defined for the top priorities. The outcome is a short-list of audit projects and activities to be conducted during the coming three-year planning horizon. An analysis of the proposed audit coverage of the organization is conducted in order to ensure an appropriately balanced audit plan. The project team considered the number of corporate risks covered by the plan, the number of priorities covered, and how the allocation of audit resources aligns with the organization’s expenditures.
Acceptable Range of Risks 5.38 At this stage it is important to understand and define the organisation’s ‘risk appetite’. One method of deciding which risks to accept is to place them on a grid of Risk and Control Environment rating. This enables the board/ audit committee to define the action it requires internal audit function to take for each likelihood/ consequence combination. The boundary between the acceptable risks and those which require managing is known as the ‘risk appetite’. If inherent risks cannot be managed below this line by ‘treatment’ then they will have to be terminated, transferred or tolerated.
Selection of Risks 5.39 At this point, the risk and audit universe shows risks, their scores and the audits linked to them. There will be a range of scores and, in drawing up the audit plan, a policy will have to be established about which risks to cover and how often. It is unlikely that the board, or audit committee, will require assurance on the management of every risk above the risk appetite, every year. They may require assurance on the risks with a high likelihood of significant/ critical losses every year but other risks above the risk appetite every two or three years. Note the audit action to be taken and the next audit year in the appropriate columns. The diagram below shows a possible method of assessing the type of work and frequency. The thick line represents the risk appetite (the equation of the line is control risk = inherent risk – risk appetite).
5.40 Tfall in appropderived
Zone Considrange attentiomaximconsult
Zone 2also veauditedthe risk
Zone 3moderaaudited
Zone 4missingthree y
F
The various aany of the Z
priate audit plad as per below
1: These are dering the factof the organison. For these um. These atancy work an
2: Areas wherery strong, thed every year ak is high.
3: Areas wherate, the residd every two ye
4: Areas wheg, the residua
year as the pos
Frequency of
auditable entitiZone 1 to 4
an for the variow explanation:
the areas bet that they arsation, these areas contro
areas require d develop the
re inherent riske residual risk as the control i
re inherent risdual risk scoreears.
ere inherent ril risk score is ssible impact
RBIAP — Dev
37
Audit and its
es can be ploas mentione
ous auditable
elow the risk e well within does not reql score is minmanagement
control enviro
k is near maxiscore remain is considered
k is moderatee remain med
isk is minor alow. These aron the organis
velopment and
Selection
otted on a mated in the aboentities in thes
appetite of ththe tolerance
quire immediatnimal and the t attention toonment.
imum and the high. These ato be very effe
and the contdium. These
and the controreas need to bsation is low.
d Implementati
trix which wouove graph. Tse zones can
he organisatio(Risk Appetit
te internal auinherent risk
o carry out t
control scoreareas need to ective as well
rol score is alareas could
ol score is albe audited eve
ion
uld he be
on. te) dit is
he
is be as
so be
so ery
Guide on Risk Based Internal Audit Plan
38
Planning and Developing Internal Audit Plan 5.41 At this stage, the risk and audit universe shows risks, their scores and the audits linked to them. Internal audit function needs to plot the auditable entities in the following zones based on the residual risk ratings and the immediate objective of the management and audit committee. (i) High Risk: This is said to be the unacceptable zone, where the
residual risk score is more than 12. These are the areas with high inherent risk and low control environment. These areas need to be audited every year until the residual risk are reduced and brought in the manageable zone.
(ii) Medium Risk: This is said to be the manageable zone, where the residual risk score is more than 8 and less than or equal to 12. These are the areas with minor to critical risk and varying control environment. These areas need to be audited once in every two year until the residual risk are reduced to advisable zone.
(iii) Low Risk: This is said to be the advisable zone, where the residual risk score is more than 4 and less than or equal to 8. These are the areas with insignificant to Major risk and strong to almost missing control environment. These areas need to be audited once in every three year until the residual risk are reduced acceptable zone.
(iv) Insignificant Risk: This is said to be the acceptable zone, where the residual risk score is less than or equal to 4. These are the areas with low risk and strong control environment. These areas need not be audited unless Board/ Management/ Audit Committee directs considering the recent changes or business objectives. This is the zone which contains the areas within the risk appetite of the organisation.
Update Risk Register and Audit Universe 5.42 The risk register containing all identified and assessed risk need to be updated with following: (i) Factors Affecting Control Environment (ii) Control Environment Rating (iii) Risk Category (iv) Risk Rating
RBIAP — Development and Implementation
39
Update Summarized Risk Register
5.43 The next step is to update the summarized risk register. The summarized risk register need to be updated with the frequency of internal audit.
At this stage, the summarized risk register would contain the following information:
(i) Auditable entity
(ii) Sub-Process
(iii) Initial Risk Rating for each sub process
(iv) Rationale for initial risk rating
(v) Control environment rating
(vi) Rationale for control environment rating
(vii) Residual Risk Rating Score
(viii) Frequency of Audit
Illustrative Updated Risk Register
Sr. no
Auditable
Entity
Sub Process
Initial Risk
RatingA
Rationale for initial
risk rating
Control environ
ment rating
B
Rationale for control environment rating
Residual Risk Rating Score
C = A X B
Frequency
of Audit
1 Procure to Pay
Procurement Planning
3.25 High risk offinancial loss andprocurement at highprices
4 Weak ITsystem and Manual controls. Policies and proceduresnot defined and ineffective monitoring by management.
13 Once in ayear Vendor
Selection Ordering Receiving Quality check Invoicing Accounts payables Payment processing
Guide on Risk Based Internal Audit Plan
40
The Matrix below describes the residual risk rating score for all combinations of the Preliminary Risk Assessment and Control Environment Rating and the corresponding audit frequency.
Matrix of Residual Risk Scores and Audit Frequency
Implement and Update RBIAP 5.44 Once the three year risk based internal audit plan is developed, the same needs to be implemented in the organisation for ensuring effective conduct of the internal audit activities. For effective implementation of the RBIAP, the following stages are involved.
(i) Prepare audit scope (ii) Allocate resources, engagement scheduling and execution (iii) Re-assess risk and control environment (iv) Update RBIAP
Very Strong
(1)
Strong (2)
Moderate (3)
Weak (4)
Almost Missing
(5) Insignificant (1) Minor (2) Moderate (3) Major (4) Critical (5)
Con
trol
Env
ironm
ent R
atin
g
Preliminary Risk Assessment
2 Acceptable
16
3 Acceptable
2 Acceptable
1 Acceptable 5
3 Acceptable
5
4 Acceptable
4 Acceptable
4 Acceptable
6
6
9
12 8
8
12
10
10 15 20
15
20
25
RBIAP — Development and Implementation
41
Prepare Internal Audit Scope
5.45 As per the SIA 1, “Planning an Internal Audit” issued by The Institute of Chartered Accountant of India:
“15. The next stage in planning an internal audit is establishing the scope of the engagement. The scope of the engagement should be sufficient in coverage so as to meet the objectives of the engagement. The internal auditor should consider the information gathered during the preliminary review stage to determine the scope of his audit procedures. The nature and extent of the internal auditor’s procedures would also be affected by the terms of the engagement. In case the internal auditor is of the view that circumstances exist which would restrict the auditor from carrying out the procedures, including any alternative procedures, considered necessary by him, he should discuss the matter with the client to reach a conclusion whether or not to continue the engagement. The scope of his engagement should documented comprehensively to avoid misunderstanding on the areas covered for audit. The internal auditors are often confronted with a situation where client denies access to certain information or has a negative list of areas where internal audit is not desired. There are also situations where while the client requires internal audit procedures to be carried but findings are not to form part of the reportbut to be reported separately.
16. Further, in case of information technology based environment, the scope of engagement would include the extent to which internal auditor are permitted to access the system and reports which can be viewed and those which can be exported. Further, system based audit tools that an internal auditor can use to draw and analyze the data should be clearly understood in the scope of his engagement.”
5.46 The annual internal audit plan need to be approved by the board/ audit committee and should be developed on the basis of the three year RBIAP and the following additional factors:
Changes in the business environment Changes in the organisation structure
Guide on Risk Based Internal Audit Plan
42
Changes in the business processes Changes in the regulatory environment Time of last audit engagement Availability of the skilled resources Management’s feedback and expectation from internal audit Changes in employee and government relations Recent change in accounting system Recent change in key personnel
5.47 The audit scope for the year need to be developed considering the above mentioned factors. The scope, thus, prepared would be finalized for an year and approved by the board/ audit committee. The audit scope comprises of the following:
Auditable entities Locations to be covered Tentative schedule of the audit Key objective of the audit Factors which define the limits of the audit including processes
specifically excluded Any special considerations, such as management requests, provided
they are acceptable Personnel carrying out the audit, including any special responsibilities
Allocate Resources, Engagement Scheduling and Execution 5.48 We can decide on the staff resources required to deliver the internal audit plan by deciding on the number of days each level of auditor is required for each audit, adding these up, and comparing them with the total days available. Note that audits will vary in length, even those which are high risk could be done very quickly. It may only take logging into organisation’s intranet to confirm that it has a strategy, and this is being communicated. The resource requirements should be regularly updated to ensure the plan can be completed, especially, if audits are added and staff leave.
Next step is to perform the detailed engagement scheduling based in the
RBIAP — Development and Implementation
43
allocated resources, availability of the auditee, target date to finalise the report and criticality and extent of audit required. The schedule need to be agreed with the auditee before execution. The schedule need to be realistic to ensure adequate coverage of the work plan, assessment of all the identified risks and testing of all the controls. This is followed by the execution of the internal audit as per the defined approach and methodology of the internal audit function of the organisation and the relevant auditing standards.
Steps for Audit Scheduling, Resource Allocation and Execution
Re-assess Risk and Control Environment and Update RBIAP 5.49 SIA 1 “Planning as Internal Audit” defines audit universe as “Audit universe comprises the activities, operations, units, etc., to be subjected to audit during the planning period. The audit universe is designed to reflect the overall business objectives and therefore includes components from the strategic plan of the entity. Thus, the audit universe is affected by the risk management process of the client. The audit universe and the related audit plan should also reflect changes in the management’s course of action, corporate objectives, etc.”
Develop and approve Risk Based Internal Audit Plan
Derive Annual Audit Plan Audit Schedule
Resource AllocationConduct AuditUpdate Risk
Registers and RBIAP
Report to Audit Committee
Guide on Risk Based Internal Audit Plan
44
Planning involves developing an overall plan for the expected scope and conduct of audit and developing an audit programme showing the nature, timing and extent of audit procedures. Planning is a continuous exercise. A plan once prepared should be continuously reviewed by the internal auditor to identify any modifications required to bring the same in line with the changes, if any, in the audit environment. However, any major modification to the internal audit plan should be done in consultation with those charged with governance. Further, the internal auditor should also document the changes to the internal audit plan.
Therefore, the preparation of the risk based internal audit plan is based on the defined methodology to be followed and the various steps as described earlier. It is vital to note that the entire exercise of the risk identification, prioritization and development of audit plan is not scientific and some level of judgement and past experience is involved while preparing the risk based internal audit plan. The risk registers prepared should be reviewed periodically and updated while performing the actual internal audit.
5.50 As discussed earlier, risk identification is the process to identify all possible risk in the auditable entities identified at the time of preparation of the audit universe. This includes evaluation of ‘what can go wrong’ in the particular process attached with the identified auditable entity which can have any adverse impact on the organization. The adverse impact could be in the form of possible financial loss, operational inefficiency and ineffectiveness, statutory non-compliance, incorrect reporting etc. The quality and effectiveness of the risk assessment depends on the comprehensiveness and completeness of the risk identification exercise. The risk identification can be more comprehensive and complete by the exercise of continuous exercise of re-validating the risk along with the audit execution.
The risk based internal audit plan should be evaluated every year by repeating the steps involved in development of risk based internal audit plan to identify if there are some auditable entities for which residual risk score has increased or decreased and that is required to be audited more often, or the same be brought down to the manageable/ acceptable zone to reduce the frequency of internal audit.
RBIAP — Development and Implementation
45
Steps for Developing the Audit Universe
Draft initial sketch of audit universe
Develop RBIAP
Allocate Resources, engagement scheduling and execution
Re-assess risk and control environment
Updated RBIAP
Revalidate RBIAP
Approve RBIAP
46
Chapter 6
Case Study
Situation Company is involved in upstream and midstream business of oil and gas with wide spread business across the country having a Corporate Office, Plant Operations and Depots. Internal audit function of the Company comprises of a small team who needs to complete the internal audit for the Company as per the annual charter approved by the Audit Committee of the Company. The IA function is headed by an Internal Audit Head who is reporting to the Audit Committee. Audit Committee directs the IA head to prepare the Risk Based Internal Audit Plan (RBIAP) of the Company for a period of 3 years.
Solution
IA head forms a team of 4 members comprising of Accounting and Technical professionals. The team which has follows the following steps to prepare the RBIAP:
(a) Define objective, criteria and risk appetite
(b) Understanding the business environment and processes
(c) Prepare audit universe
(d) Risk identification
(e) Risk prioritization and rating
(f) Assess control environment
(g) Derive residual risk rating
(h) Develop internal audit plan
Steps (a) and (b) equips the team with the relevant knowledge and information required for the purpose of developing the RBIAP (Refer Chapter 5 for steps). The illustrative deliverables of the steps (c) to (h) are summarized below:
Case Study
47
Step
1: P
repa
re A
udit
Uni
vers
e
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
Cor
pora
te O
ffic
e Pl
ant
Dep
ot
1 Co
ntra
cts
1.1
Tend
ering
and
RFQ
1
Cont
racts
1.
2 Co
ntra
cting
and
Ord
ering
2 Pl
ant O
pera
tions
2.
1 Pr
oduc
tion
and
Distr
ibutio
n
2
Plan
t Ope
ratio
ns
2.2
Oper
ation
and
Main
tena
nce
2 Pl
ant O
pera
tions
2.
3 Sa
fety
and
Envir
onm
ent
3 Dr
illing
3.
1 Dr
illing
Prep
are
Aud
it U
nive
rse
Risk
Ide
ntific
ation
Risk
pr
ioritiz
ation
an
d rati
ng
Asse
ss
contr
ol en
viron
ment
Deriv
e Re
sidua
l Ri
sk R
ating
Deve
lop
Inter
nal
Audit
plan
Guide on Risk Based Internal Audit Plan
48
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
Cor
pora
te O
ffic
e Pl
ant
Dep
ot
4 In
form
ation
Tec
hnolo
gy
4.1
IT S
ecur
ity
4
Info
rmat
ion T
echn
ology
4.
2 ER
P an
d ot
her a
pplic
ation
s
5
Geolo
gy &
Res
ervo
ir 5.
1 Ge
ology
& R
eser
voir
6 Re
sear
ch a
nd D
evelo
pmen
t 6.
1 Re
sear
ch a
nd D
evelo
pmen
t
7
Mat
erial
Man
agem
ent
7.1
MM
- Pl
annin
g &
Rece
iving
7
Mat
erial
Man
agem
ent
7.2
MM
- De
pot
7
Mat
erial
Man
agem
ent
7.3
MM
- In
vent
ory H
andli
ng a
nd
Stor
age
8 W
ell L
oggin
g 8.
1 W
ell L
oggin
g
9
Fina
nce
and
Acco
unts
9.1
Fina
ncial
Plan
ning
and
Analy
sis
9 Fi
nanc
e an
d Ac
coun
ts 9.
2 Tr
easu
ry
9 Fi
nanc
e an
d Ac
coun
ts 9.
3 Fi
nanc
ial R
epor
ting
9
Fina
nce
and
Acco
unts
9.4
Asse
t Man
agem
ent
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
9
Fina
nce
and
Acco
unts
9.6
Invo
icing
and
Rec
eivab
les
9
Fina
nce
and
Acco
unts
9.7
JV O
pera
tions
Case Study
49
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
Cor
pora
te O
ffic
e Pl
ant
Dep
ot
9 Fi
nanc
e an
d Ac
coun
ts 9.
8 Ta
xatio
n
10
Hu
man
Res
ourc
e 10
.1
Recr
uitm
ent
10
Hum
an R
esou
rce
10.2
Le
arnin
g an
d De
velop
men
t
10
Hu
man
Res
ourc
e 10
.3
Sepa
ratio
ns
10
Hum
an R
esou
rce
10.4
Pa
yroll
Pro
cess
11
Pr
ojects
11
.1
Plan
ning
and
Inve
stmen
t
11
Pr
ojects
11
.2
Exec
ution
and
han
dove
r
12
Bu
sines
s Dev
elopm
ent
12.1
Bu
sines
s Dev
elopm
ent
13
Explo
ratio
n &
Deve
lopm
ent
13.1
Ex
plora
tion
& De
velop
men
t
14
M
ainte
nanc
e 14
.1
Pipe
line
Main
tena
nce
14
Main
tena
nce
14.2
Eq
uipm
ent M
ainte
nanc
e
Guide on Risk Based Internal Audit Plan
50
Step
2: R
isk
Iden
tific
atio
n
D
. Sr.
N
o.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Cor
pora
te
Off
ice
Plan
t D
epot
1 Co
ntra
cts
1.1
Tend
ering
an
d RF
Q
Pr
ocur
emen
t be
yond
the
de
fined
bud
geta
ry lim
its.
Fina
ncial
1 Co
ntra
cts
1.1
Tend
ering
an
d RF
Q
In
adeq
uate
ve
ndor
se
lectio
n du
e to
no
n-co
mpli
ance
to
pr
ocur
emen
t poli
cies
and
proc
edur
es
(incl.
te
nder
ing)
Fina
ncial
1 Co
ntra
cts
1.1
Tend
ering
an
d RF
Q
In
crea
sed
cost
of
proc
urem
ent
due
to
ineffe
ctive
ne
gotia
tion/
Fina
ncial
Prep
are
Audit
Un
iverse
Risk
Ide
ntific
ation
Risk
pr
ioritiz
ation
an
d rati
ng
Asse
ss
contr
ol en
viron
ment
Deriv
e Re
sidua
l Ri
sk R
ating
Deve
lop
Inter
nal A
udit
plan
Case Study
51
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
com
paris
on
of
com
mer
cial b
id su
bmitte
d 1
Cont
racts
1.
1 Te
nder
ing
and
RFQ
Unfa
vour
able
RFQ
term
s an
d co
nditio
ns.
Fina
ncial
1 Co
ntra
cts
1.1
Tend
ering
an
d RF
Q
Ri
sk
of
favo
ritism
to
ve
ndor
. Fi
nanc
ial
1 Co
ntra
cts
1.1
Tend
ering
an
d RF
Q
In
appr
opria
te
tech
nical
evalu
ation
pro
cedu
res.
Fina
ncial
1 Co
ntra
cts
1.1
Tend
ering
an
d RF
Q
In
adeq
uate
pr
oced
ures
fo
r pr
ocur
emen
t in
case
of
pro
priet
ary i
tem
s.
Fina
ncial
1 Co
ntra
cts
1.1
Tend
ering
an
d RF
Q
Fi
ctitio
us v
endo
rs i
n th
e sy
stem
Fi
nanc
ial
1 Co
ntra
cts
1.2
Cont
racti
ng
and
Orde
ring
Cont
ract
term
s an
d co
nditio
ns n
ot fa
vour
able
to th
e Co
mpa
ny
Fina
ncial
1 Co
ntra
cts
1.2
Cont
racti
ng
and
Orde
ring
Delay
in
cont
racti
ng o
r or
derin
g Op
erat
ional
1 Co
ntra
cts
1.2
Cont
racti
ng
Risk
of
iss
ue
of
Fina
ncial
Guide on Risk Based Internal Audit Plan
52
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
and
Orde
ring
unau
thor
ised
orde
r.
1 Co
ntra
cts
1.2
Cont
racti
ng
and
Orde
ring
Inad
equa
te
cont
ract
com
plian
ce p
roce
dure
s. Op
erat
ional
1 Co
ntra
cts
1.2
Cont
racti
ng
and
Orde
ring
Wor
k sta
rted
befo
re
com
pletio
n of
con
tracti
ng
proc
edur
es.
Oper
ation
al
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Regu
lar
upda
tion
and
revie
w of
th
e ac
tual
prod
uctio
n ag
ainst
the
plann
ed
prod
uctio
n no
t do
ne.
Fina
ncial
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Prod
uctio
n lev
els m
ay n
ot
have
be
en
mon
itore
d re
gular
ly on
a
Cent
ral
Tank
Far
m (
CTF)
, GG
S an
d we
ll-wi
se b
asis
for
the
level
of o
il pro
ducti
on
Fina
ncial
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Prod
uctio
n ta
rget
s ar
e no
t be
ing c
omm
unica
ted
Fina
ncial
Case Study
53
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
Distr
ibutio
n an
d m
onito
red
by
the
Grou
p Ga
ther
ing S
tatio
ns
(GGS
).
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Crud
e Oi
l pil
fera
ges
/ lea
kage
s wh
ile
trans
porta
tion
Fina
ncial
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Inco
rrect
certi
ficat
ion
of
bills
Fina
ncial
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Inad
equa
te
testi
ng
of
mat
erial
use
d lea
ding
to
well
issue
s lat
er a
ffecti
ng
prod
uctio
n
Fina
ncial
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Non-
utiliz
ation
of
th
e as
sets
Fina
ncial
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Inad
equa
te
fire
safe
ty ar
rang
emen
t at s
ite
Healt
h, S
afet
y &
Envir
onm
ent
2 Pl
ant
2.1
Prod
uctio
n an
d
W
rong
fina
ncial
repo
rting
du
e to
ina
dequ
ate
Inco
rrect
Fina
ncial
Guide on Risk Based Internal Audit Plan
54
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
Oper
ation
s Di
stribu
tion
cont
rols
on
prod
uctio
n re
cord
ing
Repo
rting
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Inad
equa
te
QA
/ QC
pr
oces
s du
ring
Prod
uctio
n
Fina
ncial
Los
s
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Prod
uctio
n los
s du
e to
ina
dequ
ate
brea
kdow
n an
alysis
and
com
plian
ce
Fina
ncial
Los
s
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion
and
Main
tena
nce
Sche
duled
m
ainte
nanc
e an
d wo
rk o
ver o
pera
tions
fo
r va
rious
we
lls
not
plann
ed in
adv
ance
.
Oper
ation
al
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion
and
Main
tena
nce
Trac
k of
tota
l am
ount
of
wate
r pu
mpe
d int
o ea
ch
well
is no
t bein
g tra
cked
ca
using
ove
r pu
mpin
g of
wa
ter.
Oper
ation
al
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion
and
Main
tena
nce
Appr
opria
te r
ecor
ds a
re
not
being
main
taine
d in
resp
ect
of t
he c
ollec
tion
of o
il an
d ga
s fro
m t
he
Oper
ation
al
Case Study
55
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
wells
2
Plan
t Op
erat
ions
2.2
Oper
ation
an
d M
ainte
nanc
e
Flow
met
ers
at C
TF a
re
not
prop
erly
calib
rate
d an
d th
e ca
libra
tion
is no
t be
ing
perio
dicall
y ch
ecke
d.
Pum
ping
reco
rds
of t
he
exte
nt o
f oil
pum
ped
to
the
custo
mer
ar
e no
t pr
oper
ly ke
pt
and
main
taine
d.
Oper
ation
al
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion
and
Main
tena
nce
Prod
uctio
n fa
ilure
/ los
s du
e to
ina
dequ
ate
prev
entiv
e m
ainte
nanc
e sc
hedu
le or
lac
k of
co
mpli
ance
of s
ched
ule.
Fina
ncial
Los
s
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion
and
Main
tena
nce
Delay
s in
main
tena
nce
Fi
nanc
ial L
oss
2 Pl
ant
Oper
ation
s 2.
3 Sa
fety
and
Envir
onm
ent
Regu
lar v
isits
of t
he o
il we
ll ar
e no
t co
nduc
ted
Oper
ation
al
Guide on Risk Based Internal Audit Plan
56
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
and
all
oil
well
insta
llatio
ns a
re n
ot b
eing
inspe
cted
2 Pl
ant
Oper
ation
s 2.
3 Sa
fety
and
Envir
onm
ent
HSE
non-
com
plian
ces
by
cont
racto
rs
Stat
utor
y Non
co
mpli
ance
3
Drilli
ng
3.1
Drilli
ng
The
cost
bene
fit an
alysis
fo
r dr
illing
no
t do
ne
resu
lting
into
exce
ss c
ost
of o
pera
tions
.
Fina
ncial
3 Dr
illing
3.
1 Dr
illing
Ri
sk o
f acc
ident
s du
e to
ina
dequ
ate
traini
ng a
nd
mis-
hand
ling.
Healt
h, S
afet
y an
d En
viron
men
t 3
Drilli
ng
3.1
Drilli
ng
Inad
equa
te
HSE
com
plian
ce a
t the
dril
ling
sites
.
Healt
h, S
afet
y an
d En
viron
men
t 3
Drilli
ng
3.1
Drilli
ng
Dam
age
to
the
equip
men
t du
e to
ina
dequ
ate
secu
rity
at
the
drilli
ng si
te.
Fina
ncial
3 Dr
illing
3.
1 Dr
illing
Su
b-op
timal
utiliz
ation
of
rigs
and
othe
r dr
illing
Fi
nanc
ial
Case Study
57
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
equip
men
t. 3
Drilli
ng
3.1
Drilli
ng
Delay
s in
oper
ation
due
to
ina
dequ
ate
co-
ordin
ation
and
dela
ys i
n eq
uipm
ent a
vaila
bility
.
Oper
ation
al
3 Dr
illing
3.
1 Dr
illing
M
is-ali
gnm
ent
of
the
drilli
ng
plan
with
th
e ov
erall
wor
k pro
gram
Fina
ncial
3 Dr
illing
3.
1 Dr
illing
W
rong
fina
ncial
repo
rting
du
e to
ina
ppro
priat
e inp
uts
for
cost
alloc
ation
pr
oces
s, we
ll co
st re
conc
iliatio
n pr
oces
s
Repo
rting
3 Dr
illing
3.
1 Dr
illing
La
ck
of
plann
ing
and
mon
itorin
g of
co
st an
d ef
fort
involv
ed i
n dr
illing
of
well
s (re
cord
ing a
nd
mon
itorin
g ag
ainst
KPIs
/ Ta
rget
s)
Fina
ncial
3 Dr
illing
3.
1 Dr
illing
In
effe
ctive
/ In
effic
ient
func
tionin
g of
the
proc
ess
Fina
ncial
Guide on Risk Based Internal Audit Plan
58
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
due
to n
on-c
ompli
ance
to
polic
ies a
nd p
roce
dure
s de
fined
4
Info
rmat
ion
Tech
nolog
y 4.
1 IT
Sec
urity
Unau
thor
ized
syste
m
acce
ss
due
to
weak
log
ical
acce
ss
cont
rol
right
s, pa
sswo
rd c
ontro
ls,
etc.
Oper
ation
al
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
In
adeq
uate
en
viron
men
t co
ntro
ls.
Oper
ation
al
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
In
adeq
uate
ac
cess
co
ntro
ls to
dat
a ce
ntre
. Op
erat
ional
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
Un
auth
orise
d ac
cess
to
data
cent
re.
Oper
ation
al
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
Pe
nal c
onse
quen
ces
due
to u
sage
on
unlic
ense
d so
ftwar
es.
Fina
ncial
Los
s
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
Di
saste
r re
cove
ry p
olicy
an
d pr
oced
ures
to
ide
ntify
crit
ical
busin
ess
appli
catio
ns/
data
no
t
Fina
ncial
Los
s
Case Study
59
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
defin
ed
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
In
crea
sed
vulne
rabil
ity o
f th
e ne
twor
k to
intru
sions
- e
xtern
al or
inte
rnal.
Fina
ncial
Los
s
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
Le
akag
e/
loss
of
sens
itive
infor
mat
ion/
corru
pted
an
d ins
ecur
e da
ta
Fina
ncial
Los
s
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
Corru
pt/ l
oss
of d
ata
due
to
inade
quat
e co
nfigu
ratio
n an
d log
ical
cont
rols
with
in SA
P
Inco
rrect
Fina
ncial
Re
porti
ng
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
Unau
thor
ized
trans
actio
ns
due
to
inade
quat
e se
greg
ation
of
dut
ies
Fina
ncial
Los
s
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
Inac
cura
te
mas
ter
data
du
e to
ina
dequ
ate
cont
rols
on m
aste
r da
ta
main
tena
nce
and
chan
ges
Fina
ncial
Los
s
Guide on Risk Based Internal Audit Plan
60
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
Abse
nce
of a
n au
dit tr
ail
in ca
se o
f un
auth
orize
d ac
cess
/ us
ers.
Fina
ncial
Los
s
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
Inad
equa
te s
yste
m l
ogic
cont
rols
to
prev
ent
unau
thor
ized/
inc
orre
ct tra
nsac
tion
proc
essin
g th
roug
h SA
P.
Fina
ncial
Los
s
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
Inad
equa
te
user
m
anag
emen
t Fi
nanc
ial L
oss
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
Acce
ss
and
ID
of
the
sepa
rate
d em
ploye
es n
ot
rem
oved
.
Fina
ncial
Los
s
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Ex
isting
wor
k be
ing d
one
with
in th
e de
partm
ent
is no
t ba
cked
up
by
a
phys
ical p
lan.
Oper
ation
al
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Pr
oper
pro
cedu
re d
o no
t ex
ists
or a
re n
ot fo
llowe
d wh
ile d
ecidi
ng th
e typ
e of
Oper
ation
al
Case Study
61
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
surv
ey (
2D,
3D o
r 4D
su
rvey
). 5
Geolo
gy &
Re
serv
oir
5.1
Geolo
gy &
Re
serv
oir
Cost
repo
rt no
t pre
pare
d Fi
nanc
ial
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Su
rvey
s do
ne
are
not
prop
erly
reco
rded
. Op
erat
ional
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Ad
equa
te
phys
ical
secu
rity
does
not
exis
t of
the
reco
rded
dat
a
Healt
h, S
afet
y an
d En
viron
men
t 5
Geolo
gy &
Re
serv
oir
5.1
Geolo
gy &
Re
serv
oir
Unav
ailab
ility
of
adeq
uate
tec
hnica
l da
ta
used
fo
r pr
opos
ing
explo
rato
ry lo
catio
ns
Oper
ation
al
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
In
abilit
y to
op
timize
/ ac
tuali
ze
expe
cted
retu
rns
from
exp
lorat
ion
block
s
Fina
ncial
Los
s
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
De
lays
in m
onito
ring
the
rese
rves
Fi
nanc
ial L
oss
5 Ge
ology
&
5.1
Geolo
gy &
In
accu
rate
esti
mat
ion o
f In
corre
ct
Guide on Risk Based Internal Audit Plan
62
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
Rese
rvoir
Re
serv
oir
rese
rves
Fi
nanc
ial
Repo
rting
5
Geolo
gy &
Re
serv
oir
5.1
Geolo
gy &
Re
serv
oir
Inco
rrect
inter
pret
ation
du
e to
no
quali
ty re
view
proc
ess
of v
alida
ting
the
inter
pret
ation
wor
kflow
/
cycle
follo
wed
Fina
ncial
Los
s
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
De
lay
in se
ismic
data
pr
oces
sing
due
to
ineffe
ctive
sche
dulin
g
Fina
ncial
Los
s
6 Re
sear
ch a
nd
Deve
lopm
ent
6.1
Rese
arch
an
d De
velop
men
t
Inad
equa
te c
alibr
ation
of
R&D
tools
an
d eq
uipm
ents
caus
ing
incor
rect
resu
lts.
Fina
ncial
Los
s
6 Re
sear
ch a
nd
Deve
lopm
ent
6.1
Rese
arch
an
d De
velop
men
t
High
co
st of
op
erat
ion
due
to
obso
lete
tech
nolog
y.
Fina
ncial
Los
s
6 Re
sear
ch a
nd
Deve
lopm
ent
6.1
Rese
arch
an
d De
velop
men
t
Delay
in p
rocu
rem
ent
of
lab e
quipm
ents
caus
ing
delay
in
com
pletio
n of
R&
D ac
tivitie
s
Fina
ncial
Los
s
Case Study
63
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
7 M
ater
ial
Man
agem
ent
7.1
MM
- Pl
annin
g &
Rece
iving
Risk
of
rece
iving
mor
e th
an th
e or
dere
d qu
antit
y Fi
nanc
ial
7 M
ater
ial
Man
agem
ent
7.1
MM
- Pl
annin
g &
Rece
iving
Risk
of
ac
cept
ing
the
infer
ior q
uality
of m
ater
ial
Fina
ncial
7 M
ater
ial
Man
agem
ent
7.1
MM
- Pl
annin
g &
Rece
iving
Prop
er q
uality
ass
uran
ce
testi
ng
of
all
raw
mat
erial
s is
not
done
wh
en it
is re
ceive
d.
Fina
ncial
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
Un
auth
orize
d dis
posa
l of
scra
p Fi
nanc
ial L
oss
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
In
adeq
uate
se
greg
ation
of
du
ties
betw
een
pers
onne
l res
pons
ible
for
orde
ring,
re
ceivi
ng
and
issue
of m
ater
ial
Fina
ncial
Los
s
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
In
vent
ory
loss
due
to
weak
sto
rage
/ sta
cking
an
d se
greg
ation
gu
idelin
es.
Fina
ncial
Los
s
Guide on Risk Based Internal Audit Plan
64
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
Fi
nanc
ial
loss
due
to
inade
quat
e se
curit
y pr
oced
ures
at
th
e wa
reho
use
Fina
ncial
Los
s
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
Lo
ss
of
life/
reso
urce
s du
e to
non
-com
plian
ce to
re
gulat
ory
laws
and
regu
lation
s
Healt
h, S
afet
y &
Envir
onm
ent
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
De
lay
in re
newa
l or
ex
piry o
f var
ious l
icens
es
Stat
utor
y Non
co
mpli
ance
7
Mat
erial
M
anag
emen
t 7.
3 M
M -
Inve
ntor
y Ha
ndlin
g an
d St
orag
e
Un
auth
orize
d an
d ina
ppro
priat
e ind
entin
g Fi
nanc
ial L
oss
7 M
ater
ial
Man
agem
ent
7.3
MM
- In
vent
ory
Hand
ling
and
Stor
age
In
adeq
uate
mon
itorin
g of
slo
w/
non-
mov
ing
inven
tory
Fina
ncial
Los
s
7 M
ater
ial
Man
agem
ent
7.3
MM
- In
vent
ory
Hand
ling
Da
mag
e to
spa
res
and
mat
erial
du
e to
ina
dequ
ate
stora
ge.
Fina
ncial
Los
s
Case Study
65
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
and
Stor
age
7 M
ater
ial
Man
agem
ent
7.3
MM
- In
vent
ory
Hand
ling
and
Stor
age
Cr
itical
spar
es
not
ident
ified
and
main
taine
d Fi
nanc
ial L
oss
7 M
ater
ial
Man
agem
ent
7.3
MM
- In
vent
ory
Hand
ling
and
Stor
age
Un
auth
orise
d iss
ue
of
mat
erial
Fi
nanc
ial L
oss
8 W
ell L
oggin
g 8.
1 W
ell L
oggin
g
Ab
senc
e of
mon
itorin
g of
th
e tim
e ta
ken
to in
terp
ret
the
data
giv
en
to
the
inter
pret
ation
te
am
and
revie
w th
e re
cord
s m
ainta
ined
in th
is re
spec
t to
asc
erta
in m
ajor d
elays
.
Oper
ation
al
8 W
ell L
oggin
g 8.
1 W
ell L
oggin
g
In
adeq
uate
re
cord
s m
ainta
ined
to d
ocum
ent
discu
ssion
s an
d co
nclus
ions
of
inter
pret
ation
team
.
Oper
ation
al
Guide on Risk Based Internal Audit Plan
66
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
8 W
ell L
oggin
g 8.
1 W
ell L
oggin
g
Da
taba
se/
infor
mat
ion
not
main
taine
d ab
out
unsu
cces
sful
wells
an
d th
e sa
me
is us
ed d
uring
su
bseq
uent
dec
ision
s.
Oper
ation
al
8 W
ell L
oggin
g 8.
1 W
ell L
oggin
g
Exist
ing w
ork
being
don
e wi
thin
the
Depa
rtmen
t is
not b
acke
d up
by a
plan
.
Oper
ation
al
9 Fi
nanc
e an
d Ac
coun
ts 9.
1 Fi
nanc
ial
Plan
ning
and
Analy
sis
Delay
s in
prep
arat
ion a
nd
com
mun
icatio
n of
ann
ual
plans
.
Oper
ation
al
9 Fi
nanc
e an
d Ac
coun
ts 9.
1 Fi
nanc
ial
Plan
ning
and
Analy
sis
Inap
prop
riate
bas
is an
d inp
uts f
or p
lannin
g Op
erat
ional
9 Fi
nanc
e an
d Ac
coun
ts 9.
1 Fi
nanc
ial
Plan
ning
and
Analy
sis
Man
agem
ent
Info
rmat
ion
Syste
m
inade
quat
ely
align
ed
with
str
ateg
ic ob
jectiv
es
Inco
rrect
Fina
ncial
Re
porti
ng
9 Fi
nanc
e an
d Ac
coun
ts 9.
1 Fi
nanc
ial
Plan
ning
and
Analy
sis
Delay
s in
finan
cial
repo
rting
and
clos
ing
Oper
ation
al
Case Study
67
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
9 Fi
nanc
e an
d Ac
coun
ts 9.
2 Tr
easu
ry
Adve
rse
fluctu
ation
in
fore
ign e
xcha
nge
rate
s Fi
nanc
ial L
oss
9 Fi
nanc
e an
d Ac
coun
ts 9.
2 Tr
easu
ry
Inad
equa
te
work
ing
capit
al m
anag
emen
t Fi
nanc
ial L
oss
9 Fi
nanc
e an
d Ac
coun
ts 9.
2 Tr
easu
ry
Inad
equa
te m
onito
ring
of
cash
and
ban
k bala
nces
Fi
nanc
ial L
oss
9 Fi
nanc
e an
d Ac
coun
ts 9.
3 Fi
nanc
ial
Repo
rting
Inad
equa
te
finan
cial
repo
rting
syste
ms
Inco
rrect
Fina
ncial
Re
porti
ng
9 Fi
nanc
e an
d Ac
coun
ts 9.
3 Fi
nanc
ial
Repo
rting
Mis-
repr
esen
tatio
n in
finan
cial
state
men
ts an
d re
ports
Inco
rrect
Fina
ncial
Re
porti
ng
9 Fi
nanc
e an
d Ac
coun
ts 9.
4 As
set
Man
agem
ent
Inco
rrect
capit
aliza
tion
of
asse
ts In
corre
ct Fi
nanc
ial
Repo
rting
9
Fina
nce
and
Acco
unts
9.4
Asse
t M
anag
emen
t
Ph
ysica
l ve
rifica
tion
of
asse
ts no
t don
e In
corre
ct Fi
nanc
ial
Repo
rting
9
Fina
nce
and
Acco
unts
9.4
Asse
t M
anag
emen
t
De
prec
iation
& D
eplet
ion
char
ges
have
not
bee
n In
corre
ct Fi
nanc
ial
Guide on Risk Based Internal Audit Plan
68
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
accu
rate
ly ca
lculat
ed a
nd
reco
rded
in
the
appr
opria
te p
eriod
.
Repo
rting
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
Ri
sk o
f de
lay i
n inv
oice
proc
essin
g Fi
nanc
ial
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
Du
plica
te ve
ndor
code
s Fi
nanc
ial
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
Ri
sk o
f dela
y in
paym
ent
proc
essin
g Fi
nanc
ial
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
Ro
yalty
no
t pa
id as
sp
ecifie
d in
Prod
uctio
n Sh
aring
Con
tract.
Fina
ncial
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
Ri
sk o
f exc
ess p
aym
ent
Fina
ncial
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng
and
Rece
ivable
s
Th
e ac
coun
ting
polic
ies
for
acco
untin
g of
sale
s es
pecia
lly t
ake
or p
ay,
unde
rlifts/
ov
erlift
s, co
ntra
ctual
liabil
ities
etc.
not
in co
mpli
ance
wi
th
Repo
rting
Case Study
69
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
the
Acco
untin
g St
anda
rds.
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng
and
Rece
ivable
s
Delay
in in
voici
ng.
Fina
ncial
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng
and
Rece
ivable
s
Inco
rrect
and
unau
thor
ised
invoic
ing.
Fina
ncial
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng
and
Rece
ivable
s
Qu
antita
tive
reco
ncilia
tion
not d
one
to
ident
ify e
xces
sive
losse
s.
Fina
ncial
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng
and
Rece
ivable
s
Ro
yalty
no
t pa
id as
sp
ecifie
d Pr
oduc
tion
Shar
ing C
ontra
ct.
Fina
ncial
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng
and
Rece
ivable
s
In
accu
rate
calc
ulatio
ns o
f th
e we
llhea
d va
lue.
Fina
ncial
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng
and
Rece
ivable
s
In
vestm
ent
mult
iple
not
calcu
lated
in th
e m
anne
r as
pr
ovide
d in
the
Fina
ncial
Guide on Risk Based Internal Audit Plan
70
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
Prod
uctio
n Sh
aring
Co
ntra
ct.
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng
and
Rece
ivable
s
In
adeq
uate
mon
itorin
g of
re
ceiva
ble a
nd f
ollow
up
for c
ollec
tions
.
Fina
ncial
9 Fi
nanc
e an
d Ac
coun
ts 9.
7 JV
Op
erat
ions
In
accu
rate
wo
rking
of
co
st all
ocat
ed
by
oper
ating
par
tner
s fo
r JV
Non
Oper
ated
Inco
rrect
Fina
ncial
Re
porti
ng
9 Fi
nanc
e an
d Ac
coun
ts 9.
7 JV
Op
erat
ions
No
n ra
ising
/ de
layed
re
cove
ry o
f cas
h ca
ll fro
m
JV p
artn
er.
Fina
ncial
Los
s
9 Fi
nanc
e an
d Ac
coun
ts 9.
7 JV
Op
erat
ions
W
rong
allo
catio
ns t
o JV
du
e to
ina
dequ
ate
proc
ess
of c
ostin
g an
d ide
ntific
ation
of
alloc
able
costs
.
Fina
ncial
Los
s
9 Fi
nanc
e an
d Ac
coun
ts 9.
7 JV
Op
erat
ions
In
adeq
uate
con
trol
over
ex
pens
es in
cas
e of
non
op
erat
ing b
locks
Fina
ncial
Los
s
Case Study
71
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
9 Fi
nanc
e an
d Ac
coun
ts 9.
8 Ta
xatio
n
Risk
of
re
gulat
ory
pena
lties
due
to
non
com
plian
ce
with
TD
S,
Serv
ice
Tax
and
othe
r re
levan
t acts
Risk
of
Regu
lator
y No
n-Co
mpli
ance
9 Fi
nanc
e an
d Ac
coun
ts 9.
8 Ta
xatio
n
Tax
paym
ents
and
tax
retu
rns
are
not
mad
e or
file
d wi
thin
perm
issibl
e tim
e lim
its
Stat
utor
y Non
co
mpli
ance
9 Fi
nanc
e an
d Ac
coun
ts 9.
8 Ta
xatio
n
Inad
equa
te
mon
itorin
g m
echa
nism
fo
r pe
nding
de
man
ds o
r as
sess
men
t ca
ses,
etc.
Fina
ncial
Los
s
10
Hum
an
Reso
urce
10
.1
Recr
uitm
ent
De
lay in
hirin
g im
pacti
ng
oper
ation
dela
ys
Oper
ation
al
10
Hum
an
Reso
urce
10
.1
Recr
uitm
ent
Hi
ring
inapp
ropr
iate
pers
onne
l Op
erat
ional
10
Hum
an
Reso
urce
10
.1
Recr
uitm
ent
In
com
plete
do
cum
enta
tion
in em
ploye
e re
cord
s/ file
s
Oper
ation
al
Guide on Risk Based Internal Audit Plan
72
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
10
Hum
an
Reso
urce
10
.1
Recr
uitm
ent
In
adeq
uate
ba
ckgr
ound
an
d re
fere
nce
chec
ks
Oper
ation
al
10
Hum
an
Reso
urce
10
.2
Lear
ning
and
Deve
lopm
ent
In
adeq
uate
pla
nning
of
tra
ining
requ
irem
ents
Oper
ation
al
10
Hum
an
Reso
urce
10
.2
Lear
ning
and
Deve
lopm
ent
Tr
aining
ne
eds
not
ident
ified
Oper
ation
al
10
Hum
an
Reso
urce
10
.2
Lear
ning
and
Deve
lopm
ent
Tr
aining
pr
ogra
ms
not
cond
ucte
d in
timely
m
anne
r
Oper
ation
al
10
Hum
an
Reso
urce
10
.2
Lear
ning
and
Deve
lopm
ent
Fe
edba
ck p
roce
dure
s no
t es
tabli
shed
Op
erat
ional
10
Hum
an
Reso
urce
10
.3
Sepa
ratio
ns
De
lay in
Full
and
Fina
l Fi
nanc
ial
10
Hum
an
Reso
urce
10
.3
Sepa
ratio
ns
In
adeq
uate
cle
aran
ce
proc
edur
es
Fina
ncial
10
Hum
an
Reso
urce
10
.3
Sepa
ratio
ns
In
adeq
uate
waiv
ers
Fina
ncial
10
Hum
an
Reso
urce
10
.3
Sepa
ratio
ns
Ol
d loa
n an
d ad
vanc
es
not
settl
ed
befo
re
relei
ving.
Fina
ncial
Case Study
73
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
10
Hum
an
Reso
urce
10
.3
Sepa
ratio
ns
Ex
it fo
rmali
ties
not
com
plete
d in
timely
m
anne
r.
Oper
ation
al
10
Hum
an
Reso
urce
10
.4
Payr
oll
Proc
ess
In
corre
ct pr
oces
sing
of
salar
y Fi
nanc
ial L
oss
10
Hum
an
Reso
urce
10
.4
Payr
oll
Proc
ess
In
corre
ct pr
oces
sing
and
settle
men
t of
va
rious
em
ploye
e cla
ims
Fina
ncial
Los
s
10
Hum
an
Reso
urce
10
.4
Payr
oll
Proc
ess
In
corre
ct at
tend
ance
m
onito
ring
and
acco
untin
g of
leav
es.
Fina
ncial
Los
s
10
Hum
an
Reso
urce
10
.4
Payr
oll
Proc
ess
In
corre
ct pr
ovisi
oning
an
d ac
coun
ting
of
retir
emen
t fu
nds
man
agem
ent
by
the
com
pany
.
Fina
ncial
Los
s
10
Hum
an
Reso
urce
10
.4
Payr
oll
Proc
ess
De
lay
in dis
burs
emen
t/ tra
nsfe
r of s
alary
. Fi
nanc
ial L
oss
11
Proje
cts
11.1
Pl
annin
g an
d In
vestm
ent
In
adeq
uate
plan
ning
and
budg
eting
of P
rojec
ts Fi
nanc
ial L
oss
Guide on Risk Based Internal Audit Plan
74
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
11
Proje
cts
11.1
Pl
annin
g an
d In
vestm
ent
Ap
prop
riate
fe
asibi
lity
studie
s not
cond
ucte
d Fi
nanc
ial
11
Proje
cts
11.1
Pl
annin
g an
d In
vestm
ent
Re
quire
d cle
aran
ces
not
obta
ining
on
timely
bas
is Co
mpli
ance
11
Proje
cts
11.1
Pl
annin
g an
d In
vestm
ent
In
adeq
uate
as
sess
men
t of
Ret
urn
on In
vestm
ents
Fina
ncial
11
Proje
cts
11.2
Ex
ecut
ion
and
hand
over
Ti
me
and
Cost
over
runs
in
the
proje
cts
due
to
weak
pro
ject
mon
itorin
g an
d/ o
r exe
cutio
n.
Fina
ncial
Los
s
11
Proje
cts
11.2
Ex
ecut
ion
and
hand
over
Op
erat
ional
delay
s due
to
delay
in
obta
ining
/ re
newa
l of
sta
tuto
ry
clear
ance
s
Fina
ncial
Los
s
11
Proje
cts
11.2
Ex
ecut
ion
and
hand
over
No
n co
mpli
ance
to
va
rious
sta
tuto
ry
prov
ision
s an
d re
quire
men
ts.
Stat
utor
y Non
co
mpli
ance
Case Study
75
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
11
Proje
cts
11.2
Ex
ecut
ion
and
hand
over
De
lay
in pr
ocur
emen
t/ or
derin
g.
Fina
ncial
Los
s
11
Proje
cts
11.2
Ex
ecut
ion
and
hand
over
Co
mm
ission
ing
with
out
adeq
uate
qua
lity c
heck
s an
d te
sting
pro
cedu
res
Fina
ncial
Los
s
11
Proje
cts
11.2
Ex
ecut
ion
and
hand
over
La
ck
of
mon
itorin
g of
HS
E co
mpli
ance
by
co
ntra
ctors
/ int
erna
l sta
ff du
ring
exec
ution
Healt
h, S
afet
y &
Envir
onm
ent
12
Busin
ess
Deve
lopm
ent
12.1
Bu
sines
s De
velop
men
t
Inad
equa
te
post
acqu
isitio
n te
chno
-co
mm
ercia
l re
view
for
over
seas
acq
uisitio
ns
Fina
ncial
Los
s
12
Busin
ess
Deve
lopm
ent
12.1
Bu
sines
s De
velop
men
t
Delay
s in
float
ing
of
Tend
ers
Fina
ncial
Los
s
12
Busin
ess
Deve
lopm
ent
12.1
Bu
sines
s De
velop
men
t
Fina
ncial
hea
lth c
heck
up
analy
sis
not
perfo
rmed
fo
r acq
uired
ass
ets
Fina
ncial
Los
s
Guide on Risk Based Internal Audit Plan
76
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
13
Explo
ratio
n &
deve
lopm
ent
13.1
Ex
plora
tion
& deve
lopm
ent
In
abilit
y to
op
timize
/ ac
tuali
ze
expe
cted
retu
rns
from
exp
lorat
ion
block
s
Fina
ncial
Los
s
13
Explo
ratio
n &
deve
lopm
ent
13.1
Ex
plora
tion
& deve
lopm
ent
No
n fu
lfillm
ent
to
mini
mum
wo
rk
prog
ram
sp
ecial
ly wi
th r
espe
ct to
tim
eline
ss
Fina
ncial
Los
s
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
All
Flow
lin
es
are
not
being
re
gular
ly te
sted
and
inspe
cted
for
any
block
age
Oper
ation
al
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
Delay
s in
prov
iding
m
ainte
nanc
e se
rvice
s im
pacti
ng
oper
ation
al ef
ficien
cy.
Fina
ncial
Los
s
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
Inad
equa
te
plann
ing
of
main
tena
nce
activ
ities
Oper
ation
al
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
Prev
entiv
e m
ainte
nanc
e no
t ca
rried
on
tim
ely
basis
.
Oper
ation
al
Case Study
77
D. S
r.
No.
D
epar
tmen
t P.
Sr.
N
o.
Proc
ess
Bus
ines
s Lo
catio
ns
Ris
k D
escr
iptio
n R
isk
Cat
egor
y C
orpo
rate
O
ffic
e Pl
ant
Dep
ot
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
Inad
equa
te
traini
ng
to
man
powe
r Fi
nanc
ial L
oss
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
Safe
ty ris
k of
wor
king
in ru
nning
pipe
lines
He
alth,
Saf
ety
& En
viron
men
t 14
M
ainte
nanc
e 14
.2
Equip
men
t M
ainte
nanc
e
Delay
s in
prov
iding
m
ainte
nanc
e se
rvice
s im
pacti
ng
oper
ation
al ef
ficien
cy.
Fina
ncial
Los
s
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
In
adeq
uate
pla
nning
of
m
ainte
nanc
e ac
tivitie
s Op
erat
ional
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
Pr
even
tive
main
tena
nce
not
carri
ed
on
timely
ba
sis.
Oper
ation
al
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
In
adeq
uate
tra
ining
to
m
anpo
wer
Fina
ncial
Los
s
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
Sa
fety
risk
of w
orkin
g in
runn
ing p
ipelin
es
Healt
h, S
afet
y &
Envir
onm
ent
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
Fr
eque
nt
brea
kdow
ns
due
to n
on-p
erfo
rman
ce
of ro
ot ca
use
analy
sis
Fina
ncial
Los
s
Guide on Risk Based Internal Audit Plan
78
Step
3: R
isk
Prio
ritiz
atio
n an
d R
atin
g
(a
) As
sign
Risk
Sco
re to
eac
h of
the
risk i
dent
ified
unde
r risk
iden
tifica
tion
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
1 Co
ntra
cts
1.1
Tend
ering
and
RF
Q
Pr
ocur
emen
t be
yond
th
e de
fined
bud
geta
ry
limits
.
Fina
ncial
4
Prep
are
Aud
it U
nive
rse
Ris
k Id
entif
icat
ion
Ris
k pr
iorit
izat
ion
and
ra
ting
Ass
ess
cont
rol
envi
ronm
ent
Der
ive
Res
idua
l R
isk
Rat
ing
Dev
elop
In
tern
al
Aud
it pl
an
Case Study
79
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
1 Co
ntra
cts
1.1
Tend
ering
and
RF
Q
In
adeq
uate
ve
ndor
se
lectio
n du
e to
non
-co
mpli
ance
to
pr
ocur
emen
t po
licies
an
d pr
oced
ures
(in
cl.
tend
ering
)
Fina
ncial
5
1 Co
ntra
cts
1.1
Tend
ering
and
RF
Q
In
crea
sed
cost
of
proc
urem
ent
due
to
ineffe
ctive
ne
gotia
tion/
com
paris
on
of
com
mer
cial
bid
subm
itted
Fina
ncial
4
1 Co
ntra
cts
1.1
Tend
ering
and
RF
Q
Unfa
vour
able
RFQ
term
s and
cond
itions
. Fi
nanc
ial
5
1 Co
ntra
cts
1.1
Tend
ering
and
RF
Q
Risk
of
fa
vorit
ism
to
vend
or.
Fina
ncial
5
1 Co
ntra
cts
1.1
Tend
ering
and
RF
Q
Inap
prop
riate
te
chnic
al ev
aluat
ion p
roce
dure
s. Fi
nanc
ial
4
1 Co
ntra
cts
1.1
Tend
ering
and
RF
Q
Inad
equa
te p
roce
dure
s fo
r pro
cure
men
t in
case
of
pro
priet
ary i
tem
s.
Fina
ncial
2
Guide on Risk Based Internal Audit Plan
80
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
1 Co
ntra
cts
1.1
Tend
ering
and
RF
Q
Fi
ctitio
us v
endo
rs in
the
syste
m
Fina
ncial
3
1 Co
ntra
cts
1.2
Cont
racti
ng
and
Orde
ring
Co
ntra
ct te
rms
and
cond
itions
no
t fa
vour
able
to
the
Com
pany
Fina
ncial
4
1 Co
ntra
cts
1.2
Cont
racti
ng
and
Orde
ring
De
lay in
con
tracti
ng o
r or
derin
g Op
erat
ional
3
1 Co
ntra
cts
1.2
Cont
racti
ng
and
Orde
ring
Ri
sk
of
issue
of
un
auth
orise
d or
der.
Fina
ncial
5
1 Co
ntra
cts
1.2
Cont
racti
ng
and
Orde
ring
In
adeq
uate
co
ntra
ct co
mpli
ance
pro
cedu
res.
Oper
ation
al 4
1 Co
ntra
cts
1.2
Cont
racti
ng
and
Orde
ring
W
ork
starte
d be
fore
co
mple
tion
of
cont
racti
ng p
roce
dure
s.
Oper
ation
al 3
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Re
gular
up
datio
n an
d re
view
of
the
actu
al pr
oduc
tion
again
st th
e pla
nned
pro
ducti
on n
ot
done
.
Fina
ncial
3
Case Study
81
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Pr
oduc
tion
levels
may
no
t ha
ve
been
m
onito
red
regu
larly
on
a Ce
ntra
l Ta
nk F
arm
(C
TF),
GGS
and
well-
wise
bas
is fo
r the
leve
l of
oil p
rodu
ction
Fina
ncial
3
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Pr
oduc
tion
targ
ets
are
not
being
co
mm
unica
ted
and
mon
itore
d by
the
Grou
p Ga
ther
ing
Stat
ions
(GGS
).
Fina
ncial
3
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Cr
ude
Oil
pilfe
rage
s /
leaka
ges
while
tra
nspo
rtatio
n
Fina
ncial
4
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
In
corre
ct ce
rtific
ation
of
bills
Fina
ncial
4
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
In
adeq
uate
te
sting
of
m
ater
ial u
sed
leadin
g to
Fi
nanc
ial
5
Guide on Risk Based Internal Audit Plan
82
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
Distr
ibutio
n we
ll iss
ues
later
af
fecti
ng p
rodu
ction
2
Plan
t Op
erat
ions
2.1
Prod
uctio
n an
d Di
stribu
tion
No
n-ut
ilizat
ion
of
the
asse
ts Fi
nanc
ial
4
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
In
adeq
uate
fire
saf
ety
arra
ngem
ent a
t site
He
alth,
Sa
fety
& En
viron
men
t
5
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
W
rong
fin
ancia
l re
porti
ng
due
to
inade
quat
e co
ntro
ls on
pr
oduc
tion
reco
rding
Inco
rrect
Fina
ncial
Re
porti
ng
4
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
In
adeq
uate
QA
/
QC
proc
ess
durin
g Pr
oduc
tion
Fina
ncial
Lo
ss
4
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
Pr
oduc
tion
loss
due
to
inade
quat
e br
eakd
own
analy
sis
and
com
plian
ce
Fina
ncial
Lo
ss
4
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion a
nd
Main
tena
nce
Sc
hedu
led
main
tena
nce
and
work
Op
erat
ional
4
Case Study
83
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
over
op
erat
ions
for
vario
us
wells
no
t pla
nned
in a
dvan
ce.
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion a
nd
Main
tena
nce
Tr
ack
of to
tal a
mou
nt o
f wa
ter p
umpe
d int
o ea
ch
well
is no
t be
ing
track
ed
caus
ing
over
pu
mpin
g of
wat
er.
Oper
ation
al 3
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion a
nd
Main
tena
nce
Ap
prop
riate
reco
rds
are
not b
eing
main
taine
d in
resp
ect o
f the
coll
ectio
n of
oil
and
gas
from
the
wells
Oper
ation
al 3
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion a
nd
Main
tena
nce
Fl
ow m
eter
s at
CTF
are
no
t pr
oper
ly ca
libra
ted
and
the
calib
ratio
n is
not
being
pe
riodic
ally
chec
ked.
Pu
mpin
g re
cord
s of
the
exte
nt o
f oil
pum
ped
to
the
custo
mer
are
not
Oper
ation
al 4
Guide on Risk Based Internal Audit Plan
84
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
prop
erly
kept
an
d m
ainta
ined.
2
Plan
t Op
erat
ions
2.2
Oper
ation
and
M
ainte
nanc
e
Pr
oduc
tion
failu
re/
loss
due
to
inade
quat
e pr
even
tive
main
tena
nce
sche
dule
or
lack
of
com
plian
ce
of
sche
dule.
Fina
ncial
Lo
ss
5
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion a
nd
Main
tena
nce
Delay
s in
main
tena
nce
Fina
ncial
Lo
ss
4
2 Pl
ant
Oper
ation
s 2.
3 Sa
fety
and
Envir
onm
ent
Regu
lar v
isits
of th
e oil
we
ll ar
e no
t con
ducte
d an
d all
oil
we
ll ins
talla
tions
ar
e no
t be
ing in
spec
ted
Oper
ation
al 4
2 Pl
ant
Oper
ation
s 2.
3 Sa
fety
and
Envir
onm
ent
HSE
non
com
plian
ces
by co
ntra
ctors
St
atut
ory N
on
com
plian
ce
5
3 Dr
illing
3.
1 Dr
illing
Th
e co
st be
nefit
analy
sis fo
r dr
illing
not
do
ne
resu
lting
into
Fina
ncial
4
Case Study
85
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
exce
ss
cost
of
oper
ation
s. 3
Drilli
ng
3.1
Drilli
ng
Ri
sk o
f acc
ident
s due
to
inade
quat
e tra
ining
and
m
is-ha
ndlin
g.
Healt
h,
Safe
ty an
d En
viron
men
t
5
3 Dr
illing
3.
1 Dr
illing
Inad
equa
te
HSE
com
plian
ce
at
the
drilli
ng si
tes.
Healt
h,
Safe
ty an
d En
viron
men
t
5
3 Dr
illing
3.
1 Dr
illing
Dam
age
to
the
equip
men
t du
e to
ina
dequ
ate
secu
rity
at
the
drilli
ng si
te.
Fina
ncial
4
3 Dr
illing
3.
1 Dr
illing
Sub-
optim
al ut
ilizat
ion
of ri
gs a
nd o
ther
drill
ing
equip
men
t.
Fina
ncial
4
3 Dr
illing
3.
1 Dr
illing
Delay
s in
oper
ation
due
to
ina
dequ
ate
co-
ordin
ation
and
dela
ys in
eq
uipm
ent a
vaila
bility
.
Oper
ation
al 3
3 Dr
illing
3.
1 Dr
illing
Mis-
align
men
t of
th
e Fi
nanc
ial
3
Guide on Risk Based Internal Audit Plan
86
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
drilli
ng
plan
with
th
e ov
erall
wor
k pro
gram
3
Drilli
ng
3.1
Drilli
ng
W
rong
fin
ancia
l re
porti
ng
due
to
inapp
ropr
iate
input
s fo
r co
st all
ocat
ion p
roce
ss,
well
cost
reco
ncilia
tion
proc
ess
Repo
rting
4
3 Dr
illing
3.
1 Dr
illing
Lack
of
plann
ing a
nd
mon
itorin
g of
co
st &
effo
rt inv
olved
in d
rillin
g of
well
s (re
cord
ing a
nd
mon
itorin
g ag
ainst
KPIs/
Tar
gets)
Fina
ncial
3
3 Dr
illing
3.
1 Dr
illing
Inef
fecti
ve/
Inef
ficien
t fu
nctio
ning
of
the
proc
ess
due
to
non-
com
plian
ce t
o po
licies
an
d pr
oced
ures
def
ined
Fina
ncial
3
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
Un
auth
orize
d sy
stem
ac
cess
du
e to
we
ak
Oper
ation
al 5
Case Study
87
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
logica
l ac
cess
co
ntro
l rig
hts,
pass
word
co
ntro
ls, e
tc.
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
In
adeq
uate
en
viron
men
t con
trols.
Op
erat
ional
4
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
In
adeq
uate
ac
cess
co
ntro
ls to
dat
a ce
ntre
. Op
erat
ional
4
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
Un
auth
orise
d ac
cess
to
data
cent
re.
Oper
ation
al 4
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
Pe
nal
cons
eque
nces
du
e to
us
age
on
unlic
ense
d so
ftwar
es.
Fina
ncial
Lo
ss
5
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
Di
saste
r rec
over
y poli
cy
and
proc
edur
es
to
ident
ify c
ritica
l bus
iness
ap
plica
tions
/ da
ta
not
defin
ed
Fina
ncial
Lo
ss
3
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
In
crea
sed
vulne
rabil
ity
of
the
netw
ork
to
intru
sions
- E
xtern
al or
In
tern
al.
Fina
ncial
Lo
ss
4
Guide on Risk Based Internal Audit Plan
88
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
Le
akag
e /
loss
of
sens
itive
infor
mat
ion/
corru
pted
and
inse
cure
da
ta
Fina
ncial
Lo
ss
4
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
Co
rrupt
/ los
s of
da
ta
due
to
inade
quat
e co
nfigu
ratio
n an
d log
ical
cont
rols
with
in SA
P
Inco
rrect
Fina
ncial
Re
porti
ng
3
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
Un
auth
orize
d tra
nsac
tions
du
e to
ina
dequ
ate
segr
egat
ion
of d
uties
Fina
ncial
Lo
ss
3
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
In
accu
rate
mas
ter
data
du
e to
ina
dequ
ate
cont
rols
on m
aste
r dat
a m
ainte
nanc
e an
d ch
ange
s
Fina
ncial
Lo
ss
4
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
Ab
senc
e of
an
au
dit
trail
in ca
se
of
unau
thor
ized
acce
ss /
us
ers.
Fina
ncial
Lo
ss
2
Case Study
89
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
In
adeq
uate
sy
stem
log
ic co
ntro
ls to
pre
vent
un
auth
orize
d/ i
ncor
rect
trans
actio
n pr
oces
sing
thro
ugh
SAP.
Fina
ncial
Lo
ss
4
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
In
adeq
uate
us
er
man
agem
ent
Fina
ncial
Lo
ss
4
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
Ac
cess
and
ID
of t
he
sepa
rate
d em
ploye
es
not r
emov
ed.
Fina
ncial
Lo
ss
4
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Exist
ing
work
be
ing
done
wi
thin
the
depa
rtmen
t is
not
back
ed u
p by
a p
hysic
al pla
n.
Oper
ation
al 3
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Prop
er
proc
edur
e do
no
t ex
ists
or a
re n
ot
follo
wed
while
dec
iding
th
e typ
e of
sur
vey
(2D,
3D
or 4
D su
rvey
).
Oper
ation
al 4
Guide on Risk Based Internal Audit Plan
90
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Cost
repo
rt no
t pr
epar
ed
Fina
ncial
3
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Surv
eys
done
are
not
pr
oper
ly re
cord
ed.
Oper
ation
al 3
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Adeq
uate
ph
ysica
l se
curit
y do
es n
ot e
xist
of th
e re
cord
ed d
ata
Healt
h,
Safe
ty an
d En
viron
men
t
4
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Unav
ailab
ility
of
adeq
uate
tech
nical
data
us
ed
for
prop
osing
ex
plora
tory
loca
tions
Oper
ation
al 4
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Inab
ility
to
optim
ize/
actu
alize
ex
pecte
d re
turn
s fro
m e
xplor
ation
blo
cks
Fina
ncial
Lo
ss
4
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Delay
s in
mon
itorin
g th
e re
serv
es
Fina
ncial
Lo
ss
3
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Inac
cura
te e
stim
ation
of
rese
rves
In
corre
ct Fi
nanc
ial
Repo
rting
4
Case Study
91
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Inco
rrect
inter
pret
ation
du
e to
no
quali
ty re
view
proc
ess
of
valid
ating
th
e int
erpr
etat
ion
work
flow
/ cy
cle
follo
wed
Fina
ncial
Lo
ss
5
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
Delay
in
seism
ic da
tapr
oces
sing
due
to
ineffe
ctive
sche
dulin
g
Fina
ncial
Lo
ss
3
6 Re
sear
ch a
nd
Deve
lopm
ent
6.1
Rese
arch
and
De
velop
men
t
Inad
equa
te
calib
ratio
n of
R&
D to
ols
and
equip
men
ts ca
using
inc
orre
ct re
sults
.
Fina
ncial
Lo
ss
2
6 Re
sear
ch a
nd
Deve
lopm
ent
6.1
Rese
arch
and
De
velop
men
t
High
cos
t of
ope
ratio
n du
e to
ob
solet
e te
chno
logy.
Fina
ncial
Lo
ss
3
6 Re
sear
ch a
nd
Deve
lopm
ent
6.1
Rese
arch
and
De
velop
men
t
Delay
in p
rocu
rem
ent o
f lab
equ
ipmen
ts ca
using
de
lay i
n co
mple
tion
of
R&D
activ
ities
Fina
ncial
Lo
ss
2
Guide on Risk Based Internal Audit Plan
92
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
7 M
ater
ial
Man
agem
ent
7.1
MM
- Pl
annin
g &
Rece
iving
Risk
of
rece
iving
mor
e th
an
the
orde
red
quan
tity
Fina
ncial
3
7 M
ater
ial
Man
agem
ent
7.1
MM
- Pl
annin
g &
Rece
iving
Risk
of
acce
pting
the
inf
erior
qu
ality
of
mat
erial
Fina
ncial
3
7 M
ater
ial
Man
agem
ent
7.1
MM
- Pl
annin
g &
Rece
iving
Prop
er
quali
ty as
sura
nce
testi
ng o
f all
raw
mat
erial
s is
not
done
wh
en
it is
rece
ived.
Fina
ncial
4
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
Un
auth
orize
d dis
posa
l of
scra
p Fi
nanc
ial
Loss
2
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
In
adeq
uate
seg
rega
tion
of
dutie
s be
twee
n pe
rson
nel
resp
onsib
le fo
r or
derin
g, r
eceiv
ing
and
issue
of m
ater
ial
Fina
ncial
Lo
ss
2
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
In
vent
ory
loss
due
to
weak
sto
rage
/ sta
cking
Fi
nanc
ial
Loss
2
Case Study
93
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
and
segr
egat
ion
guide
lines
. 7
Mat
erial
M
anag
emen
t 7.
2 M
M -
Depo
t
Fina
ncial
los
s du
e to
ina
dequ
ate
secu
rity
proc
edur
es
at
the
ware
hous
e
Fina
ncial
Lo
ss
2
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
Lo
ss o
f life
/ re
sour
ces
due
to n
on-c
ompli
ance
to
reg
ulato
ry l
aws
and
regu
lation
s
Healt
h,
Safe
ty &
Envir
onm
ent
4
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
De
lay
in re
newa
l or
ex
piry
of
vario
us
licen
ses
Stat
utor
y Non
co
mpli
ance
5
7 M
ater
ial
Man
agem
ent
7.3
MM
- In
vent
ory
Hand
ling
and
Stor
age
Un
auth
orize
d an
d ina
ppro
priat
e ind
entin
g Fi
nanc
ial
Loss
1
7 M
ater
ial
Man
agem
ent
7.3
MM
- In
vent
ory
Hand
ling
and
Stor
age
In
adeq
uate
m
onito
ring
of
slow/
no
n m
oving
inv
ento
ry
Fina
ncial
Lo
ss
4
Guide on Risk Based Internal Audit Plan
94
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
7 M
ater
ial
Man
agem
ent
7.3
MM
- In
vent
ory
Hand
ling
and
Stor
age
Da
mag
e to
spa
res
and
mat
erial
du
e to
ina
dequ
ate
stora
ge.
Fina
ncial
Lo
ss
4
7 M
ater
ial
Man
agem
ent
7.3
MM
- In
vent
ory
Hand
ling
and
Stor
age
Cr
itical
spar
es
not
ident
ified
and
main
taine
d
Fina
ncial
Lo
ss
4
7 M
ater
ial
Man
agem
ent
7.3
MM
- In
vent
ory
Hand
ling
and
Stor
age
Un
auth
orise
d iss
ue o
f m
ater
ial
Fina
ncial
Lo
ss
3
8 W
ell L
oggin
g 8.
1 W
ell L
oggin
g
Abse
nce
of m
onito
ring
of
the
time
take
n to
int
erpr
et th
e da
ta g
iven
to
the
inter
pret
ation
te
am
and
revie
w th
e re
cord
s m
ainta
ined
in th
is re
spec
t to
asce
rtain
majo
r dela
ys.
Oper
ation
al 3
Case Study
95
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
8 W
ell L
oggin
g 8.
1 W
ell L
oggin
g
Inad
equa
te
reco
rds
main
taine
d to
doc
umen
t dis
cuss
ions
and
conc
lusion
s of
int
erpr
etat
ion te
am.
Oper
ation
al 3
8 W
ell L
oggin
g 8.
1 W
ell L
oggin
g
Data
base
/ inf
orm
ation
no
t m
ainta
ined
abou
t un
succ
essfu
l well
s an
d th
e sa
me
is us
ed d
uring
su
bseq
uent
dec
ision
s.
Oper
ation
al 3
8 W
ell L
oggin
g 8.
1 W
ell L
oggin
g
Exist
ing
work
be
ing
done
wi
thin
the
Depa
rtmen
t is
not
back
ed u
p by
a p
lan.
Oper
ation
al 3
9 Fi
nanc
e an
d Ac
coun
ts 9.
1 Fi
nanc
ial
Plan
ning
and
Analy
sis
De
lays
in pr
epar
ation
an
d co
mm
unica
tion
of
annu
al pla
ns.
Oper
ation
al 3
9 Fi
nanc
e an
d Ac
coun
ts 9.
1 Fi
nanc
ial
Plan
ning
and
Analy
sis
In
appr
opria
te b
asis
and
input
s for
plan
ning
Oper
ation
al 4
Guide on Risk Based Internal Audit Plan
96
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
9 Fi
nanc
e an
d Ac
coun
ts 9.
1 Fi
nanc
ial
Plan
ning
and
Analy
sis
M
anag
emen
t In
form
ation
Sy
stem
ina
dequ
ately
ali
gned
wi
th st
rate
gic o
bjecti
ves
Inco
rrect
Fina
ncial
Re
porti
ng
3
9 Fi
nanc
e an
d Ac
coun
ts 9.
1 Fi
nanc
ial
Plan
ning
and
Analy
sis
De
lays
in fin
ancia
l re
porti
ng a
nd cl
osing
Op
erat
ional
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
2 Tr
easu
ry
Ad
vers
e flu
ctuat
ion
in fo
reign
exc
hang
e ra
tes
Fina
ncial
Lo
ss
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
2 Tr
easu
ry
In
adeq
uate
wo
rking
ca
pital
man
agem
ent
Fina
ncial
Lo
ss
5
9 Fi
nanc
e an
d Ac
coun
ts 9.
2 Tr
easu
ry
In
adeq
uate
m
onito
ring
of
cash
an
d ba
nk
balan
ces
Fina
ncial
Lo
ss
3
9 Fi
nanc
e an
d Ac
coun
ts 9.
3 Fi
nanc
ial
Repo
rting
Inad
equa
te
finan
cial
repo
rting
syste
ms
Inco
rrect
Fina
ncial
Re
porti
ng
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
3 Fi
nanc
ial
Repo
rting
Mis-
repr
esen
tatio
n in
finan
cial
state
men
ts an
d re
ports
Inco
rrect
Fina
ncial
Re
porti
ng
3
Case Study
97
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
9 Fi
nanc
e an
d Ac
coun
ts 9.
4 As
set
Man
agem
ent
In
corre
ct ca
pitali
zatio
n of
ass
ets
Inco
rrect
Fina
ncial
Re
porti
ng
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
4 As
set
Man
agem
ent
Ph
ysica
l ve
rifica
tion
of
asse
ts no
t don
e In
corre
ct Fi
nanc
ial
Repo
rting
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
4 As
set
Man
agem
ent
De
prec
iation
&
Deple
tion
char
ges
have
no
t be
en
accu
rate
ly ca
lculat
ed a
nd re
cord
ed
in th
e ap
prop
riate
pe
riod.
Inco
rrect
Fina
ncial
Re
porti
ng
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
Risk
of d
elay
in inv
oice
proc
essin
g Fi
nanc
ial
3
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
Dupli
cate
vend
or co
des
Fina
ncial
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
Risk
of
de
lay
in pa
ymen
t pro
cess
ing
Fina
ncial
3
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
Roya
lty
not
paid
as
spec
ified
in Pr
oduc
tion
Shar
ing C
ontra
ct.
Fina
ncial
3
Guide on Risk Based Internal Audit Plan
98
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
Risk
of e
xces
s pay
men
tFi
nanc
ial
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng a
nd
Rece
ivable
s
The
acco
untin
g po
licies
fo
r ac
coun
ting
of s
ales
espe
cially
tak
e or
pay
, un
derlif
ts/
over
lifts,
cont
ractu
al lia
bilitie
s et
c. no
t in
com
plian
ce
with
th
e Ac
coun
ting
Stan
dard
s.
Repo
rting
3
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng a
nd
Rece
ivable
s
Delay
in in
voici
ng.
Fina
ncial
3
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng a
nd
Rece
ivable
s
Inco
rrect
and
unau
thor
ised
invoic
ing.
Fina
ncial
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng a
nd
Rece
ivable
s
Quan
titativ
e re
conc
iliatio
n no
t do
ne
to
ident
ify
exce
ssive
los
ses.
Fina
ncial
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng a
nd
Rece
ivable
s
Roya
lty
not
paid
as
spec
ified
Prod
uctio
n Sh
aring
Con
tract.
Fina
ncial
3
Case Study
99
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng a
nd
Rece
ivable
s
Inac
cura
te c
alcula
tions
of
the
wellh
ead
value
. Fi
nanc
ial
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng a
nd
Rece
ivable
s
Inve
stmen
t mult
iple
not
calcu
lated
in
the
man
ner
as p
rovid
ed in
th
e Pr
oduc
tion
Shar
ing
Cont
ract.
Fina
ncial
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng a
nd
Rece
ivable
s
Inad
equa
te
mon
itorin
g of
rece
ivable
and
follo
w up
for c
ollec
tions
.
Fina
ncial
3
9 Fi
nanc
e an
d Ac
coun
ts 9.
7 JV
Ope
ratio
ns
In
accu
rate
wo
rking
of
co
st all
ocat
ed
by
oper
ating
pa
rtner
s fo
r JV
Non
Ope
rate
d
Inco
rrect
Fina
ncial
Re
porti
ng
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
7 JV
Ope
ratio
ns
No
n ra
ising
/ de
layed
re
cove
ry o
f ca
sh c
all
from
JV p
artn
er.
Fina
ncial
Lo
ss
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
7 JV
Ope
ratio
ns
W
rong
allo
catio
ns to
JV
due
to
inade
quat
e pr
oces
s of
cos
ting
and
Fina
ncial
Lo
ss
4
Guide on Risk Based Internal Audit Plan
100
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
ident
ificat
ion
of
alloc
able
costs
. 9
Fina
nce
and
Acco
unts
9.7
JV O
pera
tions
Inad
equa
te c
ontro
l ove
r ex
pens
es
in ca
se
of
non
oper
ating
bloc
ks
Fina
ncial
Lo
ss
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
8 Ta
xatio
n
Risk
of
re
gulat
ory
pena
lties
due
to
non
com
plian
ce w
ith T
DS,
Serv
ice T
ax a
nd o
ther
re
levan
t acts
Risk
of
Regu
lator
y No
n-Co
mpli
ance
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
8 Ta
xatio
n
Tax
paym
ents
and
tax
retu
rns
are
not m
ade
/ file
d wi
thin
perm
issibl
e tim
e lim
its
Stat
utor
y Non
co
mpli
ance
4
9 Fi
nanc
e an
d Ac
coun
ts 9.
8 Ta
xatio
n
Inad
equa
te
mon
itorin
g m
echa
nism
for p
endin
g de
man
ds /
asse
ssm
ent
case
s, et
c.
Fina
ncial
Lo
ss
4
10
Hum
an
Reso
urce
10
.1
Recr
uitm
ent
De
lay
in hir
ing
impa
cting
op
erat
ion
delay
s
Oper
ation
al 3
Case Study
101
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
10
Hum
an
Reso
urce
10
.1
Recr
uitm
ent
Hi
ring
inapp
ropr
iate
pers
onne
l Op
erat
ional
4
10
Hum
an
Reso
urce
10
.1
Recr
uitm
ent
In
com
plete
do
cum
enta
tion
in em
ploye
e re
cord
s/ file
s
Oper
ation
al 2
10
Hum
an
Reso
urce
10
.1
Recr
uitm
ent
In
adeq
uate
bac
kgro
und
and
refe
renc
e ch
ecks
Op
erat
ional
3
10
Hum
an
Reso
urce
10
.2
Lear
ning
and
Deve
lopm
ent
In
adeq
uate
plan
ning
of
traini
ng re
quire
men
ts Op
erat
ional
4
10
Hum
an
Reso
urce
10
.2
Lear
ning
and
Deve
lopm
ent
Tr
aining
ne
eds
not
ident
ified
Oper
ation
al 4
10
Hum
an
Reso
urce
10
.2
Lear
ning
and
Deve
lopm
ent
Tr
aining
pro
gram
s no
t co
nduc
ted
in tim
ely
man
ner
Oper
ation
al 4
10
Hum
an
Reso
urce
10
.2
Lear
ning
and
Deve
lopm
ent
Fe
edba
ck
proc
edur
es
not e
stabli
shed
Op
erat
ional
3
10
Hum
an
Reso
urce
10
.3
Sepa
ratio
ns
De
lay in
Full
and
Fina
l Fi
nanc
ial
3
10
Hum
an
Reso
urce
10
.3
Sepa
ratio
ns
In
adeq
uate
cle
aran
ce
proc
edur
es
Fina
ncial
3
Guide on Risk Based Internal Audit Plan
102
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
10
Hum
an
Reso
urce
10
.3
Sepa
ratio
ns
In
adeq
uate
waiv
ers
Fina
ncial
3
10
Hum
an
Reso
urce
10
.3
Sepa
ratio
ns
Ol
d loa
n an
d ad
vanc
es
not
settl
ed
befo
re
relie
ving.
Fina
ncial
3
10
Hum
an
Reso
urce
10
.3
Sepa
ratio
ns
Ex
it fo
rmali
ties
not
com
plete
d tim
ely
man
ner.
Oper
ation
al 3
10
Hum
an
Reso
urce
10
.4
Payr
oll
Proc
ess
In
corre
ct pr
oces
sing
of
salar
y Fi
nanc
ial
Loss
4
10
Hum
an
Reso
urce
10
.4
Payr
oll
Proc
ess
Inco
rrect
proc
essin
g an
d se
ttlem
ent
of
vario
us
emplo
yee
claim
s
Fina
ncial
Lo
ss
4
10
Hum
an
Reso
urce
10
.4
Payr
oll
Proc
ess
In
corre
ct at
tend
ance
m
onito
ring
and
acco
untin
g of
leav
es.
Fina
ncial
Lo
ss
3
10
Hum
an
Reso
urce
10
.4
Payr
oll
Proc
ess
In
corre
ct pr
ovisi
oning
an
d ac
coun
ting
of
retir
emen
t fu
nds
Fina
ncial
Lo
ss
3
Case Study
103
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
man
agem
ent
by
the
com
pany
. 10
Hu
man
Re
sour
ce
10.4
Pa
yroll
Pr
oces
s
Delay
in d
isbur
sem
ent/
trans
fer o
f sala
ry.
Fina
ncial
Lo
ss
3
11
Proje
cts
11.1
Pl
annin
g an
d In
vestm
ent
In
adeq
uate
pla
nning
an
d bu
dget
ing
of
Proje
cts
Fina
ncial
Lo
ss
4
11
Proje
cts
11.1
Pl
annin
g an
d In
vestm
ent
Ap
prop
riate
fe
asibi
lity
studie
s not
cond
ucte
d Fi
nanc
ial
5
11
Proje
cts
11.1
Pl
annin
g an
d In
vestm
ent
Re
quire
d cle
aran
ces
not o
btain
ing o
n tim
elyba
sis
Com
plian
ce
5
11
Proje
cts
11.1
Pl
annin
g an
d In
vestm
ent
In
adeq
uate
ass
essm
ent
of
Retu
rn
on
Inve
stmen
ts
Fina
ncial
4
11
Proje
cts
11.2
Ex
ecut
ion a
nd
hand
over
Tim
e an
d Co
st ov
erru
ns
in th
e pr
ojects
due
to
weak
pro
ject m
onito
ring
and/
or e
xecu
tion.
Fina
ncial
Lo
ss
4
11
Proje
cts
11.2
Ex
ecut
ion a
nd
hand
over
Oper
ation
al de
lays
due
to d
elay
in ob
taini
ng/
Fina
ncial
Lo
ss
4
Guide on Risk Based Internal Audit Plan
104
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
rene
wal
of
statu
tory
cle
aran
ces
11
Proje
cts
11.2
Ex
ecut
ion a
nd
hand
over
Non
com
plian
ce
to
vario
us
statu
tory
pr
ovisi
ons
and
requ
irem
ents.
Stat
utor
y Non
co
mpli
ance
5
11
Proje
cts
11.2
Ex
ecut
ion a
nd
hand
over
Delay
in
proc
urem
ent/
orde
ring.
Fi
nanc
ial
Loss
3
11
Proje
cts
11.2
Ex
ecut
ion a
nd
hand
over
Com
miss
ioning
with
out
adeq
uate
qu
ality
chec
ks
and
testi
ng
proc
edur
es
Fina
ncial
Lo
ss
4
11
Proje
cts
11.2
Ex
ecut
ion a
nd
hand
over
Lack
of
mon
itorin
g of
HS
E co
mpli
ance
by
co
ntra
ctors
/
inter
nal
staff
durin
g ex
ecut
ion
Healt
h,
Safe
ty &
Envir
onm
ent
5
12
Busin
ess
Deve
lopm
ent
12.1
Bu
sines
s De
velop
men
t
Inad
equa
te
post
acqu
isitio
n te
chno
-co
mm
ercia
l re
view
for
over
seas
acq
uisitio
ns
Fina
ncial
Lo
ss
3
Case Study
105
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
12
Busin
ess
Deve
lopm
ent
12.1
Bu
sines
s De
velop
men
t
Delay
s in
float
ing
of
Tend
ers
Fina
ncial
Lo
ss
2
12
Busin
ess
Deve
lopm
ent
12.1
Bu
sines
s De
velop
men
t
Fi
nanc
ial h
ealth
che
ck
up
analy
sis
not
perfo
rmed
for
acq
uired
as
sets
Fina
ncial
Lo
ss
3
13
Explo
ratio
n &
deve
lopm
ent
13.1
Ex
plora
tion
& de
velop
men
t
In
abilit
y to
op
timize
/ ac
tuali
ze
expe
cted
retu
rns
from
exp
lorat
ion
block
s
Fina
ncial
Lo
ss
4
13
Explo
ratio
n &
deve
lopm
ent
13.1
Ex
plora
tion
& de
velop
men
t
No
n fu
lfillm
ent
to
mini
mum
wor
k pr
ogra
m
spec
ially
with
resp
ect t
o tim
eline
ss
Fina
ncial
Lo
ss
3
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
Al
l Fl
ow l
ines
are
not
being
re
gular
ly te
sted
and
inspe
cted
for
any
block
age
Oper
ation
al 4
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
De
lays
in pr
ovidi
ng
main
tena
nce
serv
ices
Fina
ncial
Lo
ss
4
Guide on Risk Based Internal Audit Plan
106
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
impa
cting
op
erat
ional
effic
iency
. 14
M
ainte
nanc
e 14
.1
Pipe
line
Main
tena
nce
Inad
equa
te p
lannin
g of
m
ainte
nanc
e ac
tivitie
s Op
erat
ional
3
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
Pr
even
tive
main
tena
nce
not
carri
ed o
n tim
ely b
asis.
Oper
ation
al 4
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
In
adeq
uate
tra
ining
to
man
powe
r Fi
nanc
ial
Loss
3
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
Sa
fety
risk o
f wor
king
in ru
nning
pipe
lines
He
alth,
Sa
fety
& En
viron
men
t
4
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
Delay
s in
prov
iding
m
ainte
nanc
e se
rvice
s im
pacti
ng
oper
ation
al ef
ficien
cy.
Fina
ncial
Lo
ss
4
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
Inad
equa
te p
lannin
g of
m
ainte
nanc
e ac
tivitie
s Op
erat
ional
4
14
Main
tena
nce
14.2
Eq
uipm
ent
Prev
entiv
e Op
erat
ional
3
Case Study
107
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
R
isk
Des
crip
tion
Ris
k C
ateg
ory
Ris
k Sc
ore
Cor
pora
te
Off
ice
Plan
t D
epot
Main
tena
nce
main
tena
nce
not
carri
ed o
n tim
ely b
asis.
14
M
ainte
nanc
e 14
.2
Equip
men
t M
ainte
nanc
e
In
adeq
uate
tra
ining
to
man
powe
r Fi
nanc
ial
Loss
4
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
Safe
ty ris
k of w
orkin
g in
runn
ing p
ipelin
es
Healt
h,
Safe
ty &
Envir
onm
ent
3
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
Freq
uent
br
eakd
owns
du
e to
non
per
form
ance
of
root
caus
e an
alysis
Fina
ncial
Lo
ss
4
Guide on Risk Based Internal Audit Plan
108
Prep
are
the
sum
mar
ized
Risk
Reg
ister
usin
g th
e ar
ithm
etic
mea
n of
the
Risk
Sco
res
assig
ned
to th
e ris
k ide
ntifie
d un
der
prev
ious s
tep.
Also
, ass
ign th
e ra
tiona
le fo
r pro
viding
the
risk r
ating
s for
eac
h of
the
audit
are
a
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
1 Co
ntra
cts
1.1
Tend
ering
and
RFQ
4.0
0
• Im
pact
of
Majo
r Fi
nanc
ial
Loss
•
Rep
eate
d fra
ud/
misa
ppro
priat
ion
• M
ajor
impa
ct on
or
ganiz
ation
al pr
ofita
bility
1
Cont
racts
1.
2 Co
ntra
cting
and
Or
derin
g
3
.80
•
Impa
ct of
M
ajor
Fina
ncial
Lo
ss
• Re
peat
ed
fraud
/ m
isapp
ropr
iation
•
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
2 Pl
ant O
pera
tions
2.1
Pr
oduc
tion
and
Distr
ibutio
n
3.9
1
• Pr
oces
s ris
ks w
ith m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of r
eput
ation
al im
pact
to
orga
nizat
ion
• Im
pact
of
Majo
r Fi
nanc
ial
Loss
Case Study
109
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
• Si
gnific
ant
thre
at t
o He
alth,
Sa
fety
& En
viron
men
t •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
2 Pl
ant O
pera
tions
2.2
Op
erat
ion a
nd
Main
tena
nce
3
.83
•
Proc
ess
risks
with
majo
r risk
on
the
orga
nizat
ion.
• Ri
sk o
f rep
utat
ional
impa
ct to
or
ganiz
ation
•
Non-
com
plian
ce
with
m
ajor
finan
cial
pena
lties
or
pros
ecut
ions.
• Im
pact
of
Majo
r Fi
nanc
ial
Loss
•
Sign
ifican
t th
reat
to
Healt
h,
Safe
ty &
Envir
onm
ent
2 Pl
ant O
pera
tions
2.3
Sa
fety
and
Envir
onm
ent
4
.50
•
Risk
of
hig
h re
puta
tiona
l im
pact
to o
rgan
izatio
n •
Non-
com
plian
ce
with
m
ajor
finan
cial
pena
lties
and
pros
ecut
ions.
• Im
pact
of H
igh F
inanc
ial L
oss
Guide on Risk Based Internal Audit Plan
110
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
• Si
gnific
ant
thre
at t
o He
alth,
Sa
fety
& En
viron
men
t •
High
impa
ct on
org
aniza
tiona
l pr
ofita
bility
3
Drilli
ng
3.1
Drilli
ng
3
.80
•
Impa
ct of
M
ajor
Fina
ncial
Lo
ss
• Si
gnific
ant
thre
at t
o He
alth,
Sa
fety
& En
viron
men
t •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
4
.13
•
Proc
ess
risks
with
crit
ical r
isk
on th
e or
ganiz
ation
. •
Impa
ct of
High
Fina
ncial
Los
s•
Repe
ated
fra
ud/
misa
ppro
priat
ion w
ith m
ajor
finan
cial
or
repu
tatio
nal
cons
eque
nces
•
Miss
ing IT
and
ERP
syste
ms
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
3.4
3
• Pr
oces
s ris
ks w
ith m
ajor r
isk
on th
e or
ganiz
ation
. •
Repe
ated
fra
ud/
misa
ppro
priat
ion
Case Study
111
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
• De
ficien
t IT
an
d ER
P sy
stem
s 5
Geolo
gy &
Re
serv
oir
5.1
Geolo
gy &
Re
serv
oir
3
.64
•
Proc
ess
risks
with
majo
r risk
on
the
orga
nizat
ion.
• Im
pact
of
Majo
r Fi
nanc
ial
Loss
•
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
6 Re
sear
ch a
nd
Deve
lopm
ent
6.1
Rese
arch
and
De
velop
men
t
2.3
3
• Pr
oces
s ris
ks w
ith t
olera
ble
risk o
n th
e or
ganiz
ation
. •
Toler
able
impa
ct on
or
ganiz
ation
al pr
ofita
bility
7
Mat
erial
M
anag
emen
t 7.
1 M
M -
Plan
ning
& Re
ceivi
ng
3
.33
•
Proc
ess
risks
with
majo
r risk
on
the
orga
nizat
ion.
• Im
pact
of
Majo
r Fi
nanc
ial
Loss
•
Repe
ated
fra
ud/
misa
ppro
priat
ion
• M
ajor
impa
ct on
or
ganiz
ation
al pr
ofita
bility
Guide on Risk Based Internal Audit Plan
112
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
2.8
3
• Pr
oces
s ris
ks w
ith t
olera
ble
risk o
n th
e or
ganiz
ation
. •
Poss
ible
thre
at
to
Healt
h,
Safe
ty &
Envir
onm
ent
• Po
ssibl
e fra
ud/
misa
ppro
priat
ion
• To
lerab
le im
pact
on
orga
nizat
ional
prof
itabil
ity
7 M
ater
ial
Man
agem
ent
7.3
MM
- In
vent
ory
Hand
ling
and
Stor
age
3.2
0
• Pr
oces
s ris
ks w
ith m
ajor r
isk
on th
e or
ganiz
ation
. •
Impa
ct of
M
ajor
Fina
ncial
Lo
ss
• Re
peat
ed
fraud
/ m
isapp
ropr
iation
•
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
8 W
ell L
oggin
g 8.
1 W
ell L
oggin
g
3.0
0
• Pr
oces
s ris
ks w
ith t
olera
ble
risk o
n th
e or
ganiz
ation
. •
Toler
able
impa
ct on
orga
nizat
ional
prof
itabil
ity
Case Study
113
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
9 Fi
nanc
e an
d Ac
coun
ts 9.
1 Fi
nanc
ial P
lannin
g an
d An
alysis
3.5
0
• Pr
oces
s ris
ks w
ith m
ajor r
isk
on th
e or
ganiz
ation
. •
Impa
ct of
M
ajor
Fina
ncial
Lo
ss
• M
ajor
impa
ct on
or
ganiz
ation
al pr
ofita
bility
9
Fina
nce
and
Acco
unts
9.2
Trea
sury
4.0
0
• Im
pact
of
Majo
r Fi
nanc
ial
Loss
•
Repe
ated
fra
ud/
misa
ppro
priat
ion
• M
ajor
impa
ct on
or
ganiz
ation
al pr
ofita
bility
9
Fina
nce
and
Acco
unts
9.3
Fina
ncial
Rep
ortin
g
3.5
0
• Pr
oces
s ris
ks w
ith m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of r
eput
ation
al im
pact
to
orga
nizat
ion
• No
n-co
mpli
ance
wi
th
majo
r fin
ancia
l pe
naltie
s or
pr
osec
ution
s. •
Repe
ated
fra
ud/
misa
ppro
priat
ion
Guide on Risk Based Internal Audit Plan
114
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
9 Fi
nanc
e an
d Ac
coun
ts 9.
4 As
set M
anag
emen
t
4.0
0
• Im
pact
of
Majo
r Fi
nanc
ial
Loss
•
Repe
ated
fra
ud/
misa
ppro
priat
ion
• M
ajor
impa
ct on
or
ganiz
ation
al pr
ofita
bility
9
Fina
nce
and
Acco
unts
9.5
Paya
bles
3
.40
•
Proc
ess
risks
with
majo
r risk
on
the
orga
nizat
ion.
• Ri
sk o
f rep
utat
ional
impa
ct to
or
ganiz
ation
•
Repe
ated
fra
ud/
misa
ppro
priat
ion
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng a
nd
Rece
ivable
s
3.5
0
• Pr
oces
s ris
ks w
ith m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of r
eput
ation
al im
pact
to
orga
nizat
ion
• Im
pact
of
Majo
r Fi
nanc
ial
Loss
•
Repe
ated
fra
ud/
misa
ppro
priat
ion
• M
ajor
impa
ct on
Case Study
115
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
orga
nizat
ional
prof
itabil
ity
9 Fi
nanc
e an
d Ac
coun
ts 9.
7 JV
Ope
ratio
ns
4
.00
•
Proc
ess
risks
with
majo
r risk
on
the
orga
nizat
ion.
• Ri
sk o
f rep
utat
ional
impa
ct to
or
ganiz
ation
•
Impa
ct of
M
ajor
Fina
ncial
Lo
ss
• Re
peat
ed
fraud
/ m
isapp
ropr
iation
•
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
9 Fi
nanc
e an
d Ac
coun
ts 9.
8 Ta
xatio
n
4.0
0
• Pr
oces
s ris
ks w
ith m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of r
eput
ation
al im
pact
to
orga
nizat
ion
• No
n-co
mpli
ance
wi
th
majo
r fin
ancia
l pe
naltie
s or
pr
osec
ution
s. •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
Guide on Risk Based Internal Audit Plan
116
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
10
Hum
an R
esou
rce
10.1
Re
cruit
men
t
3.0
0
• Pr
oces
s ris
ks w
ith t
olera
ble
risk o
n th
e or
ganiz
ation
. •
Non-
com
plian
ce
with
m
ajor
finan
cial p
enalt
ies.
• Po
ssibl
e fra
ud/
misa
ppro
priat
ion
• To
lerab
le im
pact
on
orga
nizat
ional
prof
itabil
ity
10
Hum
an R
esou
rce
10.2
Le
arnin
g an
d De
velop
men
t
3.7
5
• Pr
oces
s ris
ks w
ith m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of r
eput
ation
al im
pact
to
orga
nizat
ion
• Si
gnific
ant
thre
at t
o He
alth,
Sa
fety
& En
viron
men
t 10
Hu
man
Res
ourc
e 10
.3
Sepa
ratio
ns
3
.00
•
Proc
ess
risks
with
tole
rable
ris
k on
the
orga
nizat
ion.
• Po
ssibl
e fra
ud/
misa
ppro
priat
ion
• To
lerab
le im
pact
on
orga
nizat
ional
prof
itabil
ity
Case Study
117
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
10
Hum
an R
esou
rce
10.4
Pa
yroll
Pro
cess
3.4
0
• Pr
oces
s ris
ks w
ith m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of r
eput
ation
al im
pact
to
orga
nizat
ion
• Re
peat
ed
fraud
/ m
isapp
ropr
iation
11
Pr
ojects
11
.1
Plan
ning
and
Inve
stmen
t
4.5
0
• Pr
oces
s ris
ks w
ith c
ritica
l risk
on
the
orga
nizat
ion.
• Ri
sk
of
high
repu
tatio
nal
impa
ct to
org
aniza
tion
• No
n-co
mpli
ance
wi
th
majo
r fin
ancia
l pe
naltie
s an
d pr
osec
ution
s. •
Impa
ct of
High
Fina
ncial
Los
s•
High
impa
ct on
org
aniza
tiona
l pr
ofita
bility
11
Pr
ojects
11
.2
Exec
ution
and
ha
ndov
er
4
.17
•
Proc
ess
risks
with
crit
ical r
isk
on th
e or
ganiz
ation
. •
Risk
of
hig
h re
puta
tiona
l im
pact
to o
rgan
izatio
n •
Non-
com
plian
ce
with
m
ajor
Guide on Risk Based Internal Audit Plan
118
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
finan
cial
pena
lties
and
pros
ecut
ions.
• Im
pact
of H
igh F
inanc
ial L
oss
• Si
gnific
ant
thre
at t
o He
alth,
Sa
fety
& En
viron
men
t •
Repe
ated
fra
ud/
misa
ppro
priat
ion w
ith m
ajor
finan
cial
or
repu
tatio
nal
cons
eque
nces
•
High
impa
ct on
org
aniza
tiona
l pr
ofita
bility
12
Bu
sines
s De
velop
men
t 12
.1
Busin
ess
Deve
lopm
ent
2
.67
•
Impa
ct of
sign
ifican
t Fina
ncial
Lo
ss
• To
lerab
le im
pact
on
orga
nizat
ional
prof
itabil
ity
13
Explo
ratio
n &
deve
lopm
ent
13.1
Ex
plora
tion
& de
velop
men
t
3.5
0
• Pr
oces
s ris
ks w
ith m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of r
eput
ation
al im
pact
to
orga
nizat
ion
• Im
pact
of
Majo
r Fi
nanc
ial
Loss
Case Study
119
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
gC
orpo
rate
O
ffic
e Pl
ant
Dep
ot
• Si
gnific
ant
thre
at t
o He
alth,
Sa
fety
& En
viron
men
t •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
`
3
.67
•
Impa
ct of
M
ajor
Fina
ncial
Lo
ss
• Si
gnific
ant
thre
at t
o He
alth,
Sa
fety
& En
viron
men
t •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
3
.67
•
Impa
ct of
M
ajor
Fina
ncial
Lo
ss
• Si
gnific
ant
thre
at t
o He
alth,
Sa
fety
& En
viron
men
t •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
Guide on Risk Based Internal Audit Plan
120
Step
4: A
sses
s co
ntro
l env
ironm
ent
As
sign
the
cont
rol e
nviro
nmen
t ra
ting
for
each
of
the
ident
ified
audit
are
a an
d pr
ovide
rat
ional
for
assig
ning
the
cont
rol
envir
onm
ent r
ating
s.
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
1 Co
ntra
cts
1.1
Tend
ering
an
d RF
Q
4.0
0
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
4.0
0
• Pr
even
tive
or
dete
ctive
co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
Prep
are
Audit
Un
iverse
Risk
Ide
ntific
atio
n
Risk
pr
ioritiz
atio
n and
ra
ting
Asse
ss
contr
ol en
viron
ment
Deriv
e Re
sidua
l Ri
sk R
ating
Deve
lop
Inter
nal
Audit
plan
Case Study
121
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
on
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
not
fo
rmall
y def
ined
and
ther
e m
ay
be p
ossib
le de
viatio
ns
1 Co
ntra
cts
1.2
Cont
racti
ng
and
Orde
ring
3
.80
•
Impa
ct of
M
ajor
Fina
ncial
Los
s•
Repe
ated
fra
ud/
misa
ppro
priat
ion
•
Majo
r im
pact
on
orga
nizat
ional
4.0
0
• Pr
even
tive
or
dete
ctive
co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
en
viron
men
t wi
th m
issing
au
tom
ated
co
ntro
ls.
Guide on Risk Based Internal Audit Plan
122
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
prof
itabil
ity
• Po
licy a
nd
Proc
edur
es n
ot
form
ally d
efine
d an
d th
ere
may
be
pos
sible
devia
tions
2
Plan
t Op
erat
ions
2.1
Prod
uctio
n an
d Di
stribu
tion
3
.91
•
Proc
ess r
isks
with
majo
r risk
on
the
orga
nizat
ion.
• Ri
sk o
f re
puta
tiona
l im
pact
to
orga
nizat
ion
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Si
gnific
ant
thre
at to
He
alth,
Saf
ety
3.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
but u
nlike
ly m
onito
ring
and
upda
te e
xerc
ise.
• Le
gal
com
plian
ce
fram
ewor
k with
m
inor
devia
tions
. •
Defin
ed P
olicy
an
d Pr
oced
ures
bu
t ins
uffic
ient
Case Study
123
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
& En
viron
men
t•
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
cont
rol o
n im
plem
enta
tion
and
com
plian
ce
to sa
me.
•
Cons
isten
t or
ganis
ation
gr
owth
with
po
ssibl
e los
ses
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion
and
Main
tena
nce
3
.83
•
Proc
ess r
isks
with
majo
r risk
on
the
orga
nizat
ion.
• Ri
sk o
f re
puta
tiona
l im
pact
to
orga
nizat
ion
• No
n-co
mpli
ance
wi
th m
ajor
finan
cial
3.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
but u
nlike
ly m
onito
ring
and
upda
te e
xerc
ise.
• Le
gal
com
plian
ce
fram
ewor
k with
m
inor
devia
tions
. •
Defin
ed P
olicy
Guide on Risk Based Internal Audit Plan
124
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
pena
lties o
r pr
osec
ution
s. •
Impa
ct of
M
ajor
Fina
ncial
Los
s•
Sign
ifican
t th
reat
to
Healt
h, S
afet
y &
Envir
onm
ent
and
Proc
edur
es
but i
nsuf
ficien
t co
ntro
l on
imple
men
tatio
n an
d co
mpli
ance
to
sam
e.
• Co
nsist
ent
Orga
nisat
ion
grow
th w
ith
poss
ible
losse
s 2
Plan
t Op
erat
ions
2.3
Safe
ty an
d En
viron
men
t
4.5
0
• Ri
sk o
f high
re
puta
tiona
l im
pact
to
orga
nizat
ion
• No
n-co
mpli
ance
wi
th m
ajor
finan
cial
pena
lties a
nd
pros
ecut
ions.
3.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
but u
nlike
ly m
onito
ring
and
upda
te e
xerc
ise.
• Leg
al co
mpli
ance
fra
mew
ork w
ith
mino
r
Case Study
125
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
• Im
pact
of H
igh
Fina
ncial
Los
s•
Sign
ifican
t th
reat
to
Healt
h, S
afet
y &
Envir
onm
ent
• Hi
gh im
pact
on
orga
nizat
ional
prof
itabil
ity
devia
tions
. •
Defin
ed P
olicy
an
d Pr
oced
ures
bu
t ins
uffic
ient
cont
rol o
n im
plem
enta
tion
and
com
plian
ce
to sa
me.
•
Cons
isten
t Or
ganis
ation
gr
owth
with
po
ssibl
e los
ses
3 Dr
illing
3.
1 Dr
illing
3.8
0
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Si
gnific
ant
thre
at to
He
alth,
Saf
ety
& En
viron
men
t•
Majo
r im
pact
4.0
0
• Po
licy a
nd
Proc
edur
es n
ot
form
ally d
efine
d an
d th
ere
may
be
pos
sible
devia
tions
•
Cons
isten
t or
ganis
ation
Guide on Risk Based Internal Audit Plan
126
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
on
orga
nizat
ional
prof
itabil
ity
grow
th w
ith
frequ
ent l
osse
s •
Inad
equa
te
boar
d m
onito
ring
and
gove
rnan
ce
struc
ture
4
Info
rmat
ion
Tech
nolog
y 4.
1 IT
Sec
urity
4.1
3
• Pro
cess
risk
s wi
th cr
itical
risk o
n th
e or
ganiz
ation
. •
Impa
ct of
High
Fi
nanc
ial L
oss
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on w
ith m
ajor
finan
cial o
r re
puta
tiona
l co
nseq
uenc
es
2.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
• Es
tabli
shed
ERP
sy
stem
and
IT
secu
rity
mea
sure
s •
Well
def
ined
Polic
y and
Pr
oced
ures
and
m
inor d
eviat
ions
Case Study
127
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
• M
issing
IT a
nd
ERP
syste
ms
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
3
.43
•
Proc
ess r
isks
with
majo
r risk
on
the
orga
nizat
ion.
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
• De
ficien
t IT
and
ERP
syste
ms
2.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
• Es
tabli
shed
ERP
sy
stem
and
IT
secu
rity
mea
sure
s •
Well
def
ined
Polic
y and
Pr
oced
ures
and
m
inor d
eviat
ions
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
3.6
4
• Pr
oces
s risk
s wi
th m
ajor
risk o
n th
e or
ganiz
ation
. •
Impa
ct of
M
ajor
Fina
ncial
2.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
• W
ell d
efine
d Po
licy a
nd
Proc
edur
es a
nd
Guide on Risk Based Internal Audit Plan
128
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
Loss
•
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
mino
r dev
iation
s•
Cons
isten
t or
ganis
ation
gr
owth
with
un
likely
loss
es.
6 Re
sear
ch
and
Deve
lopm
ent
6.1
Rese
arch
an
d De
velop
men
t
2
.33
•
Proc
ess r
isks
with
toler
able
risk o
n th
e or
ganiz
ation
. •
Toler
able
impa
ct on
or
ganiz
ation
al pr
ofita
bility
1.0
0
• Ex
isten
ce o
f str
ong
Prev
entiv
e or
de
tecti
ve co
ntro
l wi
th m
echa
nism
fo
r con
tinuo
us
mon
itorin
g an
d up
date
the
sam
e.
• W
ell e
stabli
shed
ER
P sy
stem
and
IT
secu
rity
mea
sure
s •
Well
def
ined
and
imple
men
ted
Case Study
129
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
Polic
y and
Pr
oced
ures
•
Cons
isten
t or
ganis
ation
gr
owth
with
rare
su
rpris
es
7 M
ater
ial
Man
agem
ent
7.1
MM
- Pl
annin
g &
Rece
iving
3
.33
•
Proc
ess r
isks
with
majo
r ris
k on
the
orga
nizat
ion.
• Im
pact
of
Majo
r Fi
nanc
ial
Loss
•
Repe
ated
fra
ud/
misa
ppro
priat
ion
•
Majo
r im
pact
on
5.0
0
• M
issing
pr
even
tive
or
dete
ctive
co
ntro
ls •
Insu
fficie
nt IT
en
viron
men
t wi
th m
issing
au
tom
ated
co
ntro
ls.
• P
olicy
and
Pr
oced
ures
not
de
fined
•
Inco
nsist
ent
orga
nisat
ion
Guide on Risk Based Internal Audit Plan
130
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
orga
nizat
ional
prof
itabil
ity
grow
th w
ith
majo
r los
ses
• In
adeq
uate
de
cent
ralis
ation
of
dec
ision
m
aking
7
Mat
erial
M
anag
emen
t 7.
2 M
M -
Depo
t
2.8
3
• Pr
oces
s risk
s wi
th to
lerab
le ris
k on
the
orga
nizat
ion.
• Po
ssibl
e th
reat
to
Healt
h, S
afet
y & En
viron
men
t •
Poss
ible
fraud
/ m
isapp
ropr
iati
on
• To
lerab
le
5.0
0
• M
issing
pr
even
tive
or
dete
ctive
co
ntro
ls •
Insu
fficie
nt IT
en
viron
men
t wi
th m
issing
au
tom
ated
co
ntro
ls.
• Po
licy a
nd
Proc
edur
es n
ot
defin
ed
• In
cons
isten
t or
ganis
ation
Case Study
131
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
impa
ct on
or
ganiz
ation
al pr
ofita
bility
grow
th w
ith
majo
r los
ses
• In
adeq
uate
de
cent
ralis
ation
of
dec
ision
m
aking
7
Mat
erial
M
anag
emen
t 7.
3 M
M -
Inve
ntor
y Ha
ndlin
g an
d St
orag
e
3
.20
•
Proc
ess r
isks
with
majo
r ris
k on
the
orga
nizat
ion.
• Im
pact
of
majo
r Fi
nanc
ial lo
ss•
Repe
ated
fra
ud/
misa
ppro
priat
ion
•
Majo
r im
pact
on
orga
nizat
ional
5.0
0
• M
issing
pr
even
tive
or
dete
ctive
co
ntro
ls •
Insu
fficie
nt IT
en
viron
men
t wi
th m
issing
au
tom
ated
co
ntro
ls.
• Po
licy a
nd
Proc
edur
es n
ot
defin
ed
• In
cons
isten
t Or
ganis
ation
Guide on Risk Based Internal Audit Plan
132
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
prof
itabil
ity
grow
th w
ith
majo
r los
ses
• In
adeq
uate
de
cent
ralis
ation
of
dec
ision
m
aking
8
Well
Log
ging
8.1
Well
Log
ging
3
.00
•
Proc
ess r
isks
with
toler
able
risk o
n th
e or
ganiz
ation
. •
Toler
able
impa
ct on
or
ganiz
ation
al pr
ofita
bility
1.0
0
• Ex
isten
ce o
f str
ong
prev
entiv
e or
de
tecti
ve co
ntro
l wi
th m
echa
nism
fo
r con
tinuo
us
mon
itorin
g an
d up
date
the
sam
e.
• W
ell e
stabli
shed
ER
P sy
stem
and
IT
secu
rity
mea
sure
s •
Well
def
ined
and
Case Study
133
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
imple
men
ted
polic
y and
pr
oced
ures
•
Cons
isten
t or
ganis
ation
gr
owth
with
rare
su
rpris
es
9 Fi
nanc
e an
d Ac
coun
ts 9.
1 Fi
nanc
ial
Plan
ning
and
Analy
sis
3
.50
•
Proc
ess r
isks
with
majo
r risk
on
the
orga
nizat
ion.
• Im
pact
of
majo
r fina
ncial
los
s •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
3.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
but u
nlike
ly m
onito
ring
and
upda
te e
xerc
ise.
• Le
gal
com
plian
ce
fram
ewor
k with
m
inor
devia
tions
. •
Esta
blish
ed E
RP
syste
m a
nd IT
Guide on Risk Based Internal Audit Plan
134
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
secu
rity
mea
sure
s •
Defin
ed P
olicy
an
d Pr
oced
ures
bu
t ins
uffic
ient
cont
rol o
n im
plem
enta
tion
and
com
plian
ce
to sa
me.
•
Cons
isten
t Or
ganis
ation
gr
owth
with
po
ssibl
e los
ses
9 Fi
nanc
e an
d Ac
coun
ts 9.
2 Tr
easu
ry
4
.00
•
Impa
ct of
M
ajor
Fina
ncial
Los
s•
Repe
ated
fra
ud/
misa
ppro
priat
ion
3.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
but u
nlike
ly m
onito
ring
and
upda
te e
xerc
ise.
• Es
tabli
shed
ERP
Case Study
135
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
syste
m a
nd IT
se
curit
y m
easu
res
• De
fined
Poli
cy
and
Proc
edur
es
but i
nsuf
ficien
t co
ntro
l on
imple
men
tatio
n an
d co
mpli
ance
to
sam
e.
• Co
nsist
ent
orga
nisat
ion
grow
th w
ith
poss
ible
losse
s 9
Fina
nce
and
Acco
unts
9.3
Fina
ncial
Re
porti
ng
3
.50
• P
roce
ss ri
sks
with
majo
r risk
on
the
orga
nizat
ion.
• Ri
sk o
f re
puta
tiona
l
4.0
0
• Pr
even
tive
or
dete
ctive
co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Miss
ing le
gal
Guide on Risk Based Internal Audit Plan
136
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
impa
ct to
or
ganiz
ation
•
Non-
com
plian
ce
with
majo
r fin
ancia
l pe
naltie
s or
pros
ecut
ions.
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
com
plian
ce
fram
ewor
k with
alt
erna
tive
mea
sure
to
mon
itor l
egal
com
plian
ce.
• M
oder
ate
IT
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
pr
oced
ures
not
fo
rmall
y def
ined
and
ther
e m
ay
be p
ossib
le de
viatio
ns.
9 Fi
nanc
e an
d Ac
coun
ts 9.
4 As
set
Man
agem
ent
4
.00
•
Impa
ct of
m
ajor f
inanc
ial
loss
4.0
0
• Pr
even
tive
or
dete
ctive
co
ntro
ls no
t
Case Study
137
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
ident
ified
or
defin
ed
• M
oder
ate
IT
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
pr
oced
ures
not
fo
rmall
y def
ined
and
ther
e m
ay
be p
ossib
le de
viatio
ns
• Co
nsist
ent
orga
nisat
ion
grow
th w
ith
frequ
ent l
osse
s. 9
Fina
nce
and
Acco
unts
9.5
Paya
bles
3
.40
•
Proc
ess r
isks
with
majo
r risk
on
the
4.0
0
• Pr
even
tive
or
dete
ctive
co
ntro
ls no
t
Guide on Risk Based Internal Audit Plan
138
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
orga
nizat
ion.
• Ri
sk o
f re
puta
tiona
l im
pact
to
orga
nizat
ion
• Rep
eate
d fra
ud/
misa
ppro
priat
ion
ident
ified
or
defin
ed
• M
oder
ate
IT
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
not
fo
rmall
y def
ined
and
ther
e m
ay
be p
ossib
le de
viatio
ns
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng a
nd
Rece
ivable
s
3.5
0
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of
repu
tatio
nal
impa
ct to
3.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
but u
nlike
ly m
onito
ring
and
upda
te e
xerc
ise.
• Es
tabli
shed
ERP
Case Study
139
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
orga
nizat
ion
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
syste
m a
nd IT
se
curit
y m
easu
res
• De
fined
Poli
cy
and
Proc
edur
es
but i
nsuf
ficien
t co
ntro
l on
imple
men
tatio
n an
d co
mpli
ance
to
sam
e.
• Co
nsist
ent
orga
nisat
ion
grow
th w
ith
poss
ible
losse
s 9
Fina
nce
and
Acco
unts
9.7
JV
Oper
ation
s
4.0
0
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of
repu
tatio
nal
4.0
0
• Pr
even
tive
or
dete
ctive
co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
Guide on Risk Based Internal Audit Plan
140
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
impa
ct to
or
ganiz
ation
•
Impa
ct of
M
ajor
Fina
ncial
Los
s•
Repe
ated
fra
ud/
misa
ppro
priat
ion
•
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
not
fo
rmall
y def
ined
and
ther
e m
ay
be p
ossib
le de
viatio
ns
• Co
nsist
ent
Orga
nisat
ion
grow
th w
ith
frequ
ent l
osse
s •
Inad
equa
te
boar
d m
onito
ring
and
gove
rnan
ce
struc
ture
9
Fina
nce
and
9.8
Taxa
tion
4
.00
•
Proc
ess r
isks
4.0
0
• Pr
even
tive
or
Case Study
141
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
Acco
unts
with
majo
r risk
on
the
orga
nizat
ion.
• Ri
sk o
f re
puta
tiona
l im
pact
to
orga
nizat
ion
• No
n-co
mpli
ance
wi
th m
ajor
finan
cial
pena
lties o
r pr
osec
ution
s. •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
dete
ctive
co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Miss
ing L
egal
com
plian
ce
fram
ewor
k with
alt
erna
tive
mea
sure
to
mon
itor l
egal
com
plian
ce.
• M
oder
ate
IT
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
not
fo
rmall
y def
ined
and
ther
e m
ay
Guide on Risk Based Internal Audit Plan
142
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
be p
ossib
le de
viatio
ns
10
Hum
an
Reso
urce
10
.1
Recr
uitm
ent
3
.00
•
Proc
ess r
isks
with
toler
able
risk o
n th
e or
ganiz
ation
. •
Non-
com
plian
ce
with
majo
r fin
ancia
l pe
naltie
s. •
Poss
ible
fraud
/ m
isapp
ropr
iati
on
• To
lerab
le im
pact
on
orga
nizat
ional
prof
itabil
ity
4.0
0
• Pr
even
tive
or
dete
ctive
co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
en
viron
men
t wi
th m
issing
au
tom
ated
co
ntro
ls.
• Po
licy a
nd
Proc
edur
es n
ot
form
ally d
efine
d an
d th
ere
may
be
pos
sible
devia
tions
•
Cons
isten
t or
ganis
ation
Case Study
143
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
grow
th w
ith
frequ
ent l
osse
s •
Inad
equa
te
boar
d m
onito
ring
and
gove
rnan
ce
struc
ture
10
Hu
man
Re
sour
ce
10.2
Le
arnin
g an
d De
velop
men
t
3.7
5
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of
repu
tatio
nal
impa
ct to
or
ganiz
ation
•
Sign
ifican
t th
reat
to
Healt
h, S
afet
y &
Envir
onm
ent 4
.00
•
Prev
entiv
e or
de
tecti
ve
cont
rols
not
ident
ified
or
defin
ed
• M
oder
ate
IT
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
not
fo
rmall
y def
ined
Guide on Risk Based Internal Audit Plan
144
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
and
ther
e m
ay
be p
ossib
le de
viatio
ns
• Co
nsist
ent
orga
nisat
ion
grow
th w
ith
frequ
ent l
osse
s •
Inad
equa
te
boar
d m
onito
ring
and
gove
rnan
ce
struc
ture
10
Hu
man
Re
sour
ce
10.3
Se
para
tions
3.0
0
• Pr
oces
s risk
s wi
th to
lerab
le ris
k on
the
orga
nizat
ion.
• Po
ssibl
e fra
ud/
misa
ppro
priat
ion
•
Toler
able
4.0
0
• Pr
even
tive
or
dete
ctive
co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
en
viron
men
t wi
th m
issing
Case Study
145
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
impa
ct on
or
ganiz
ation
al pr
ofita
bility
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
not
fo
rmall
y def
ined
and
ther
e m
ay
be p
ossib
le de
viatio
ns
• Co
nsist
ent
orga
nisat
ion
grow
th w
ith
frequ
ent l
osse
s •
Inad
equa
te
boar
d m
onito
ring
and
gove
rnan
ce
struc
ture
10
Hu
man
Re
sour
ce
10.4
Pa
yroll
Pr
oces
s
3.4
0
• P
roce
ss ri
sks
with
majo
r risk
on
the
5.0
0
• M
issing
pr
even
tive
or
dete
ctive
Guide on Risk Based Internal Audit Plan
146
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
orga
nizat
ion.
• Ri
sk o
f re
puta
tiona
l im
pact
to
orga
nizat
ion
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
cont
rols
• In
suffi
cient
IT
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
not
de
fined
. 11
Pr
ojects
11
.1
Plan
ning
and
Inve
stmen
t
4.5
0
• Pr
oces
s risk
s wi
th cr
itical
risk o
n th
e or
ganiz
ation
. •
Risk
of h
igh
repu
tatio
nal
impa
ct to
or
ganiz
ation
•
Non-
com
plian
ce
with
majo
r
3.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
but u
nlike
ly m
onito
ring
and
upda
te e
xerc
ise.
• De
fined
Poli
cy
and
Proc
edur
es
but i
nsuf
ficien
t co
ntro
l on
imple
men
tatio
n
Case Study
147
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
finan
cial
pena
lties a
nd
pros
ecut
ions.
• Im
pact
of H
igh
Fina
ncial
Los
s•
High
impa
ct on
or
ganiz
ation
al pr
ofita
bility
and
com
plian
ce
to sa
me.
•
Cons
isten
t or
ganis
ation
gr
owth
with
po
ssibl
e los
ses
11
Proje
cts
11.2
Ex
ecut
ion
and
hand
over
4
.17
•
Proc
ess r
isks
with
critic
al ris
k on
the
orga
nizat
ion.
• Ri
sk o
f high
re
puta
tiona
l im
pact
to
orga
nizat
ion
• No
n-co
mpli
ance
wi
th m
ajor
finan
cial
4.0
0
• Pr
even
tive
or
dete
ctive
co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Polic
y and
Pr
oced
ures
not
fo
rmall
y def
ined
and
ther
e m
ay
be p
ossib
le de
viatio
ns
• Co
nsist
ent
Guide on Risk Based Internal Audit Plan
148
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
pena
lties a
nd
pros
ecut
ions.
• Im
pact
of H
igh
Fina
ncial
Los
s•
Sign
ifican
t th
reat
to
Healt
h, S
afet
y &
Envir
onm
ent
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on w
ith m
ajor
finan
cial o
r re
puta
tiona
l co
nseq
uenc
es•
High
impa
ct on
or
ganiz
ation
al pr
ofita
bility
orga
nisat
ion
grow
th w
ith
frequ
ent l
osse
s •
Inad
equa
te
boar
d m
onito
ring
and
gove
rnan
ce
struc
ture
.
12
Busin
ess
Deve
lopm
ent
12.1
Bu
sines
s De
velop
men
t
2.6
7
• Im
pact
of
signif
icant
2
.00
•
Defin
ed
Prev
entiv
e or
Case Study
149
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
Fina
ncial
Los
s•
Toler
able
impa
ct on
or
ganiz
ation
al pr
ofita
bility
dete
ctive
cont
rol
• W
ell d
efine
d Po
licy a
nd
Proc
edur
es a
nd
mino
r dev
iation
s•
Cons
isten
t or
ganis
ation
gr
owth
with
un
likely
loss
es.
13
Explo
ratio
n &
deve
lopm
ent
13.1
Ex
plora
tion
& de
velop
men
t
3.5
0
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of
repu
tatio
nal
impa
ct to
or
ganiz
ation
•
Impa
ct of
M
ajor
Fina
ncial
Los
s
3.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
but u
nlike
ly m
onito
ring
and
upda
te e
xerc
ise.
• Le
gal
com
plian
ce
fram
ewor
k with
m
inor
devia
tions
.
Guide on Risk Based Internal Audit Plan
150
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
• Si
gnific
ant
thre
at to
He
alth,
Saf
ety
& En
viron
men
t•
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
• De
fined
Poli
cy
and
Proc
edur
es
but i
nsuf
ficien
t co
ntro
l on
imple
men
tatio
n an
d co
mpli
ance
to
sam
e.
• Co
nsist
ent
orga
nisat
ion
grow
th w
ith
poss
ible
losse
s 14
M
ainte
nanc
e 14
.1
Pipe
line
Main
tena
nce
3
.67
•
Impa
ct of
M
ajor
Fina
ncial
Los
s•
Sign
ifican
t th
reat
to
Healt
h, S
afet
y &
Envir
onm
ent
• M
ajor i
mpa
ct on
3.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
but u
nlike
ly m
onito
ring
and
upda
te e
xerc
ise.
• Le
gal
com
plian
ce
fram
ewor
k with
Case Study
151
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
orga
nizat
ional
prof
itabil
ity
mino
r de
viatio
ns.
• De
fined
Poli
cy
and
Proc
edur
es
but i
nsuf
ficien
t co
ntro
l on
imple
men
tatio
n an
d co
mpli
ance
to
sam
e.
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
3
.67
•
Impa
ct of
M
ajor
Fina
ncial
Los
s•
Sign
ifican
t th
reat
to
Healt
h, S
afet
y &
Envir
onm
ent
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
3.0
0
• De
fined
Pr
even
tive
or
dete
ctive
cont
rol
but u
nlike
ly m
onito
ring
and
upda
te e
xerc
ise.
• Le
gal
com
plian
ce
fram
ewor
k with
m
inor
devia
tions
.
Guide on Risk Based Internal Audit Plan
152
D.
Sr.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
nmen
t R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Cor
pora
te
Off
ice
Plan
t D
epot
• De
fined
Poli
cy
and
Proc
edur
es
but i
nsuf
ficien
t co
ntro
l on
imple
men
tatio
n an
d co
mpli
ance
to
sam
e.
Case Study
153
Step
5: D
eriv
e R
esid
ual R
isk
Rat
ing
De
rive
Resid
ual R
isk R
ating
s fo
r ea
ch o
f the
iden
tified
aud
it ar
ea b
y us
ing th
e pr
oduc
t of I
nitial
Risk
Rat
ings
and
Cont
rol
Envir
onm
ent R
ating
s.
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
1 Co
ntra
cts
1.1
Tend
ering
an
d RF
Q
4.00
•
Impa
ct of
M
ajor
Fina
ncial
Los
s •
Repe
ated
fra
ud/
misa
ppro
priat
i
4.00
•
Prev
entiv
e or
det
ectiv
e co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
en
viron
men
t
16.
00
Prep
are
Audit
Un
iverse
Risk
Ide
ntific
atio
n
Risk
pr
ioritiz
atio
n and
ra
ting
Asse
ss
contr
ol en
viron
ment
Deriv
e Re
sidua
l Ri
sk
Ratin
g
Deve
lop
Inter
nal
Audit
plan
Guide on Risk Based Internal Audit Plan
154
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
on
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
no
t for
mall
y de
fined
and
th
ere
may
be
pos
sible
devia
tions
1
Cont
racts
1.
2 Co
ntra
cting
an
d Or
derin
g
3.
80
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
• M
ajor i
mpa
ct on
or
ganiz
ation
al
4.00
•
Prev
entiv
e or
det
ectiv
e co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
en
viron
men
t wi
th m
issing
au
tom
ated
co
ntro
ls.
16.
00
Case Study
155
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
prof
itabil
ity
• Po
licy a
nd
proc
edur
es
not f
orm
ally
defin
ed a
nd
ther
e m
ay
be p
ossib
le de
viatio
ns
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
3.
91
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of
repu
tatio
nal
impa
ct to
or
ganiz
ation
•
Impa
ct of
M
ajor
Fina
ncial
Los
s •
Sign
ifican
t th
reat
to
3.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l but
un
likely
m
onito
ring
and
upda
te
exer
cise.
•
Lega
l co
mpli
ance
fra
mew
ork
with
mino
r de
viatio
ns.
12.
00
Guide on Risk Based Internal Audit Plan
156
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
Healt
h, S
afet
y & En
viron
men
t •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
• De
fined
Po
licy a
nd
Proc
edur
es
but
insuf
ficien
t co
ntro
l on
imple
men
tat
ion a
nd
com
plian
ce
to sa
me.
•
Cons
isten
t or
ganis
ation
gr
owth
with
po
ssibl
e los
ses
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion
and
Main
tena
nce
3.83
•
Proc
ess r
isks
with
majo
r risk
on
the
orga
nizat
ion.
• Ri
sk o
f
3.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l but
un
likely
12.
00
Case Study
157
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
repu
tatio
nal
impa
ct to
or
ganiz
ation
•
Non-
com
plian
ce
with
majo
r fin
ancia
l pe
naltie
s or
pros
ecut
ions.
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Si
gnific
ant
thre
at to
He
alth,
Saf
ety
& Envir
onm
ent
mon
itorin
g an
d up
date
ex
ercis
e.
• Le
gal
com
plian
ce
fram
ewor
k wi
th m
inor
devia
tions
. •
Defin
ed
Polic
y and
Pr
oced
ures
bu
t ins
uffic
ient
cont
rol o
n im
plem
enta
tion
and
co
mpli
ance
to
sam
e.
• Co
nsist
ent
orga
nisat
ion
Guide on Risk Based Internal Audit Plan
158
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
grow
th w
ith
poss
ible
losse
s 2
Plan
t Op
erat
ions
2.3
Safe
ty an
d En
viron
men
t
4.
50
• Ri
sk o
f high
re
puta
tiona
l im
pact
to
orga
nizat
ion
• No
n-co
mpli
ance
wi
th m
ajor
finan
cial
pena
lties a
nd
pros
ecut
ions.
• Im
pact
of H
igh
Fina
ncial
Los
s •
Sign
ifican
t th
reat
to
Healt
h, S
afet
y & En
viron
men
t
3.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l but
un
likely
m
onito
ring
and
upda
te
exer
cise.
•
Lega
l co
mpli
ance
fra
mew
ork
with
mino
r de
viatio
ns.
• De
fined
Po
licy a
nd
Proc
edur
es
but
14.
00
Case Study
159
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
• Hi
gh im
pact
on
orga
nizat
ional
prof
itabil
ity
insuf
ficien
t co
ntro
l on
imple
men
tat
ion a
nd
com
plian
ce
to sa
me.
•
Cons
isten
t Or
ganis
atio
n gr
owth
wi
th
poss
ible
losse
s 3
Drilli
ng
3.1
Drilli
ng
3.
80
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Si
gnific
ant
thre
at to
He
alth,
Saf
ety
& Envir
onm
ent
4.00
•
Polic
y and
Pr
oced
ures
no
t for
mall
y de
fined
and
th
ere
may
be
pos
sible
devia
tions
•
Cons
isten
t
16.
00
Guide on Risk Based Internal Audit Plan
160
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
Orga
nisat
ion
grow
th
with
fre
quen
t los
ses
• In
adeq
uate
bo
ard
mon
itorin
g an
d go
vern
ance
str
uctu
re
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
4.
13
• Pr
oces
s risk
s wi
th cr
itical
risk o
n th
e or
ganiz
ation
. •
Impa
ct of
High
Fi
nanc
ial L
oss
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
2.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l •
Esta
blish
ed
ERP
syste
m
and
IT
secu
rity
mea
sure
s
9.0
0
Case Study
161
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
on w
ith m
ajor
finan
cial o
r re
puta
tiona
l co
nseq
uenc
es
• M
issing
IT
and
ERP
syste
ms
• W
ell d
efine
d Po
licy a
nd
Proc
edur
es
and
mino
r de
viatio
ns
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
3.
43
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Repe
ated
fra
ud/
misa
ppro
priat
ion
•
Defic
ient I
T an
d ER
P sy
stem
s
2.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l •
Esta
blish
ed
ERP
syste
m
and
IT
secu
rity
mea
sure
s •
Well
def
ined
Polic
y and
Pr
oced
ures
an
d m
inor
7.0
0
Guide on Risk Based Internal Audit Plan
162
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
devia
tions
5
Geolo
gy &
Re
serv
oir
5.1
Geolo
gy &
Re
serv
oir
3.
64
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Impa
ct of
M
ajor
Fina
ncial
Los
s •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
2.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l •
Well
def
ined
Polic
y and
Pr
oced
ures
an
d m
inor
devia
tions
•
Cons
isten
t or
ganis
ation
gr
owth
with
un
likely
los
ses.
8.0
0
6 Re
sear
ch
and
Deve
lopm
ent6.
1 Re
sear
ch
and
Deve
lopm
ent
2.
33
• Pr
oces
s risk
s wi
th to
lerab
le ris
k on
the
orga
nizat
ion.
• To
lerab
le
1.00
•
Exist
ence
of
stron
g Pr
even
tive
or d
etec
tive
cont
rol w
ith
3.0
0
Case Study
163
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
impa
ct on
or
ganiz
ation
al pr
ofita
bility
mec
hanis
m
for
cont
inuou
s m
onito
ring
and
upda
te
the
sam
e.
• W
ell
esta
blish
ed
ERP
syste
m
and
IT
secu
rity
mea
sure
s •
Well
def
ined
and
imple
men
ted
Polic
y and
Pr
oced
ures
•
Cons
isten
t or
ganis
ation
gr
owth
with
Guide on Risk Based Internal Audit Plan
164
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
rare
su
rpris
es
7 M
ater
ial
Man
agem
ent7.
1 M
M -
Plan
ning
& Re
ceivi
ng
3.
33
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Impa
ct of
M
ajor
Fina
ncial
Los
s •
Repe
ated
fra
ud/
misa
ppro
priat
ion
•
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
5.00
•
Miss
ing
prev
entiv
e or
det
ectiv
e co
ntro
ls •
Insu
fficie
nt
IT
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
no
t def
ined
• In
cons
isten
t or
ganis
ation
gr
owth
with
m
ajor
losse
s
17.
00
Case Study
165
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
• In
adeq
uate
de
cent
ralis
atio
n of
de
cision
m
aking
7
Mat
erial
M
anag
emen
t7.2
MM
- De
pot
2.83
•
Proc
ess r
isks
with
toler
able
risk o
n th
e or
ganiz
ation
. •
Poss
ible
thre
at to
He
alth,
Saf
ety
& Envir
onm
ent
• Po
ssibl
e fra
ud/
misa
ppro
priat
ion
•
Toler
able
impa
ct on
5.00
•
Miss
ing
prev
entiv
e or
det
ectiv
e co
ntro
ls •
Insu
fficie
nt
IT
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
no
t def
ined
• In
cons
isten
t or
ganis
ation
15.
00
Guide on Risk Based Internal Audit Plan
166
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
orga
nizat
ional
prof
itabil
ity
grow
th w
ith
majo
r los
ses
• In
adeq
uate
de
cent
ralis
atio
n of
de
cision
m
aking
7
Mat
erial
M
anag
emen
t7.3
MM
- In
vent
ory
Hand
ling
and
Stor
age
3.
20
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Impa
ct of
M
ajor
Fina
ncial
Los
s •
Repe
ated
fra
ud/
misa
ppro
priat
ion
•
Majo
r im
pact
5.00
•
Miss
ing
prev
entiv
e or
det
ectiv
e co
ntro
ls •
Insu
fficie
nt
IT
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
16.
00
Case Study
167
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
on
orga
nizat
ional
prof
itabil
ity
not d
efine
d •
Inco
nsist
ent
orga
nisat
ion
grow
th w
ith
majo
r los
ses
• In
adeq
uate
de
cent
ralis
atio
n of
de
cision
m
aking
8
Well
Log
ging8
.1
Well
Lo
gging
3.00
•
Proc
ess r
isks
with
toler
able
risk o
n th
e or
ganiz
ation
. •
Toler
able
impa
ct on
or
ganiz
ation
al pr
ofita
bility
1.00
•
Exist
ence
of
stron
g Pr
even
tive
or d
etec
tive
cont
rol w
ith
mec
hanis
m
for
cont
inuou
s m
onito
ring
3.0
0
Guide on Risk Based Internal Audit Plan
168
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
and
upda
te
the
sam
e.
• W
ell
esta
blish
ed
ERP
syste
m
and
IT
secu
rity
mea
sure
s •
Well
def
ined
and
imple
men
ted
Polic
y and
Pr
oced
ures
•
Cons
isten
t or
ganis
ation
gr
owth
with
ra
re
surp
rises
9
Fina
nce
and
Acco
unts
9.1
Fina
ncial
Pl
annin
g
3.50
• P
roce
ss ri
sks
with
majo
r risk
3.
00
• De
fined
Pr
even
tive
11.
00
Case Study
169
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
and
Analy
sis
on th
e or
ganiz
ation
. •
Impa
ct of
M
ajor
Fina
ncial
Los
s •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
or d
etec
tive
cont
rol b
ut
unlik
ely
mon
itorin
g an
d up
date
ex
ercis
e.
• Le
gal
com
plian
ce
fram
ewor
k wi
th m
inor
devia
tions
. •
Esta
blish
ed
ERP
syste
m
and
IT
secu
rity
mea
sure
s •
Defin
ed
Polic
y and
Pr
oced
ures
bu
t
Guide on Risk Based Internal Audit Plan
170
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
insuf
ficien
t co
ntro
l on
imple
men
tat
ion a
nd
com
plian
ce
to sa
me.
•
Cons
isten
t or
ganis
ation
gr
owth
with
po
ssibl
e los
ses
9 Fi
nanc
e an
d Ac
coun
ts 9.
2 Tr
easu
ry
4.
00
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
• M
ajor i
mpa
ct on
3.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l but
un
likely
m
onito
ring
and
upda
te
exer
cise.
•
Esta
blish
ed
12.
00
Case Study
171
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
orga
nizat
ional
prof
itabil
ity
ERP
syste
m
and
IT
secu
rity
mea
sure
s •
Defin
ed
Polic
y and
Pr
oced
ures
bu
t ins
uffic
ient
cont
rol o
n im
plem
enta
tion
and
co
mpli
ance
to
sam
e.
• Co
nsist
ent
orga
nisat
ion
grow
th w
ith
poss
ible
losse
s 9
Fina
nce
and
9.3
Fina
ncial
3.50
•
Proc
ess r
isks
4.00
•
Prev
entiv
e 1
4.00
Guide on Risk Based Internal Audit Plan
172
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
Acco
unts
Repo
rting
wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of
repu
tatio
nal
impa
ct to
or
ganiz
ation
•
Non-
com
plian
ce
with
majo
r fin
ancia
l pe
naltie
s or
pros
ecut
ions.
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
or d
etec
tive
cont
rols
not
ident
ified
or
defin
ed
• M
issing
Le
gal
com
plian
ce
fram
ewor
k wi
th
alter
nativ
e m
easu
re to
m
onito
r leg
al co
mpli
ance
. •
Mod
erat
e IT
en
viron
men
t wi
th m
issing
au
tom
ated
co
ntro
ls.
• Po
licy a
nd
Case Study
173
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
Proc
edur
es
not f
orm
ally
defin
ed a
nd
they
may
be
poss
ible
devia
tions
. 9
Fina
nce
and
Acco
unts
9.4
Asse
t M
anag
eme
nt
4.
00
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
4.00
•
Prev
entiv
e or
det
ectiv
e co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
en
viron
men
t wi
th m
issing
au
tom
ated
co
ntro
ls.
• Po
licy a
nd
Proc
edur
es
not f
orm
ally
defin
ed a
nd
16.
00
Guide on Risk Based Internal Audit Plan
174
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
they
may
be
poss
ible
devia
tions
•
Cons
isten
t or
ganis
ation
gr
owth
with
fre
quen
t los
ses.
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
3.40
•
Proc
ess r
isks
with
majo
r risk
on
the
orga
nizat
ion.
• Ri
sk o
f re
puta
tiona
l im
pact
to
orga
nizat
ion
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
4.00
•
Prev
entiv
e or
det
ectiv
e co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
en
viron
men
t wi
th m
issing
au
tom
ated
co
ntro
ls.
• Po
licy a
nd
Proc
edur
es
14.
00
Case Study
175
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
not f
orm
ally
defin
ed a
nd
they
may
be
poss
ible
devia
tions
9
Fina
nce
and
Acco
unts
9.6
Invo
icing
an
d Re
ceiva
bles
3.
50
• Pro
cess
risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of
repu
tatio
nal
impa
ct to
or
ganiz
ation
•
Impa
ct of
M
ajor
Fina
ncial
Los
s •
Repe
ated
fra
ud/
misa
ppro
priat
ion
3.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l but
un
likely
m
onito
ring
and
upda
te
exer
cise.
•
Esta
blish
ed
ERP
syste
m
and
IT
secu
rity
mea
sure
s •
Defin
ed
Polic
y and
11.
00
Guide on Risk Based Internal Audit Plan
176
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
Proc
edur
es
but
insuf
ficien
t co
ntro
l on
imple
men
tat
ion a
nd
com
plian
ce
to sa
me.
•
Cons
isten
t or
ganis
ation
gr
owth
with
po
ssibl
e los
ses
9 Fi
nanc
e an
d Ac
coun
ts 9.
7 JV
Op
erat
ions
4.
00
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of
repu
tatio
nal
impa
ct to
4.00
•
Prev
entiv
e or
det
ectiv
e co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
en
viron
men
t
16.
00
Case Study
177
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
orga
nizat
ion
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
no
t for
mall
y de
fined
and
th
ey m
ay b
e po
ssibl
e de
viatio
ns
• Co
nsist
ent
orga
nisat
ion
grow
th w
ith
frequ
ent
losse
s •
Inad
equa
te
boar
d m
onito
ring
and
gove
rnan
ce
Guide on Risk Based Internal Audit Plan
178
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
struc
ture
9
Fina
nce
and
Acco
unts
9.8
Taxa
tion
4.
00
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of
repu
tatio
nal
impa
ct to
or
ganiz
ation
•
Non-
com
plian
ce
with
majo
r fin
ancia
l pe
naltie
s or
pros
ecut
ions.
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
4.00
•
Prev
entiv
e or
det
ectiv
e co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Miss
ing
Lega
l co
mpli
ance
fra
mew
ork
with
alt
erna
tive
mea
sure
to
mon
itor
legal
com
plian
ce.
• M
oder
ate
IT
envir
onm
ent
with
miss
ing
auto
mat
ed
16.
00
Case Study
179
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
cont
rols.
•
Polic
y and
Pr
oced
ures
no
t for
mall
y de
fined
and
th
ere
may
be
pos
sible
devia
tions
10
Hu
man
Re
sour
ce
10.1
Rec
ruitm
ent
3.00
•
Proc
ess r
isks
with
toler
able
risk o
n th
e or
ganiz
ation
. •
Non-
com
plian
ce
with
majo
r fin
ancia
l pe
naltie
s. •
Poss
ible
fraud
/ m
isapp
ropr
iati
4.00
•
Prev
entiv
e or
det
ectiv
e co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
en
viron
men
t wi
th m
issing
au
tom
ated
co
ntro
ls.
• Po
licy a
nd
Proc
edur
es
12.
00
Guide on Risk Based Internal Audit Plan
180
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
on
• T
olera
ble
impa
ct on
or
ganiz
ation
al pr
ofita
bility
not f
orm
ally
defin
ed a
nd
ther
e m
ay
be p
ossib
le de
viatio
ns
• Co
nsist
ent
orga
nisat
ion
grow
th w
ith
frequ
ent
losse
s •
Inad
equa
te
boar
d m
onito
ring
and
gove
rnan
ce
struc
ture
10
Hu
man
Re
sour
ce
10.2
Lea
rning
an
d De
velop
me
nt
3.
75
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
.
4.00
•
Prev
entiv
e or
det
ectiv
e co
ntro
ls no
t ide
ntifie
d or
15.
00
Case Study
181
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
• Ri
sk o
f re
puta
tiona
l im
pact
to
orga
nizat
ion
• Si
gnific
ant
thre
at to
He
alth,
Saf
ety
& Envir
onm
ent
defin
ed
• M
oder
ate
IT
envir
onm
ent
with
miss
ing
auto
mat
ed
cont
rols.
•
Polic
y and
Pr
oced
ures
no
t for
mall
y de
fined
and
th
ere
may
be
pos
sible
devia
tions
•
Cons
isten
t or
ganis
ation
gr
owth
with
fre
quen
t los
ses
• In
adeq
uate
bo
ard
Guide on Risk Based Internal Audit Plan
182
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
mon
itorin
g an
d go
vern
ance
str
uctu
re
10
Hum
an
Reso
urce
10
.3 S
epar
ation
s
3.00
• P
roce
ss ri
sks
with
toler
able
risk o
n th
e or
ganiz
ation
. •
Poss
ible
fraud
/ m
isapp
ropr
iati
on
• To
lerab
le im
pact
on
orga
nizat
ional
prof
itabil
ity
4.00
•
Prev
entiv
e or
det
ectiv
e co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Mod
erat
e IT
en
viron
men
t wi
th m
issing
au
tom
ated
co
ntro
ls.
• Po
licy a
nd
Proc
edur
es
not f
orm
ally
defin
ed a
nd
ther
e m
ay
be p
ossib
le
12.
00
Case Study
183
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
devia
tions
•
Cons
isten
t or
ganis
ation
gr
owth
with
fre
quen
t los
ses
• In
adeq
uate
bo
ard
mon
itorin
g an
d go
vern
ance
str
uctu
re
10
Hum
an
Reso
urce
10
.4 P
ayro
ll Pr
oces
s
3.40
•
Proc
ess r
isks
with
majo
r risk
on
the
orga
nizat
ion.
• Ri
sk o
f re
puta
tiona
l im
pact
to
orga
nizat
ion
5.00
• M
issing
pr
even
tive
or d
etec
tive
cont
rols
• Ins
uffic
ient
IT
envir
onm
ent
with
miss
ing 1
7.00
Guide on Risk Based Internal Audit Plan
184
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
• Re
peat
ed
fraud
/ m
isapp
ropr
iati
on
auto
mat
ed
cont
rols.
• P
olicy
and
Pr
oced
ures
no
t def
ined.
11
Pr
ojects
11
.1 P
lannin
g an
d In
vestm
ent
4.
50
• Pr
oces
s risk
s wi
th cr
itical
risk o
n th
e or
ganiz
ation
. •
Risk
of h
igh
repu
tatio
nal
impa
ct to
or
ganiz
ation
•
Non-
com
plian
ce
with
majo
r fin
ancia
l pe
naltie
s and
pr
osec
ution
s. •
Impa
ct of
High
3.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l but
un
likely
m
onito
ring
and
upda
te
exer
cise.
•
Defin
ed
Polic
y and
Pr
oced
ures
bu
t ins
uffic
ient
cont
rol o
n im
plem
enta
t
14.
00
Case Study
185
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
Fina
ncial
Los
s •
High
impa
ct on
or
ganiz
ation
al pr
ofita
bility
ion a
nd
com
plian
ce
to sa
me.
•
Cons
isten
t or
ganis
ation
gr
owth
with
po
ssibl
e los
ses
11
Proje
cts
11.2
Exe
cutio
n an
d ha
ndov
er
4.
17
• Pr
oces
s risk
s wi
th cr
itical
risk o
n th
e or
ganiz
ation
. •
Risk
of h
igh
repu
tatio
nal
impa
ct to
or
ganiz
ation
•
Non-
com
plian
ce
with
majo
r fin
ancia
l
4.00
•
Prev
entiv
e or
det
ectiv
e co
ntro
ls no
t ide
ntifie
d or
de
fined
•
Polic
y and
Pr
oced
ures
no
t for
mall
y de
fined
and
th
ere
may
be
pos
sible
devia
tions
17.
00
Guide on Risk Based Internal Audit Plan
186
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
pena
lties a
nd
pros
ecut
ions.
• Im
pact
of H
igh
Fina
ncial
Los
s •
Sign
ifican
t th
reat
to
Healt
h, S
afet
y & En
viron
men
t •
Repe
ated
fra
ud/
misa
ppro
priat
ion
with
majo
r fin
ancia
l or
repu
tatio
nal
cons
eque
nces
•
High
impa
ct on
or
ganiz
ation
al pr
ofita
bility
• Co
nsist
ent
Orga
nisat
ion
grow
th
with
fre
quen
t los
ses
• In
adeq
uate
bo
ard
mon
itorin
g an
d go
vern
ance
str
uctu
re.
Case Study
187
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
12
Busin
ess
Deve
lopm
ent12
.1 B
usine
ss
Deve
lopm
ent
2.
67
• Im
pact
of
signif
icant
Fi
nanc
ial L
oss
• To
lerab
le im
pact
on
orga
nizat
ional
prof
itabil
ity
2.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l •
Well
def
ined
Polic
y and
Pr
oced
ures
an
d m
inor
devia
tions
•
Cons
isten
t Or
ganis
atio
n gr
owth
wi
th u
nlike
ly los
ses.
6.0
0
13
Explo
ratio
n &
deve
lopm
ent 13
.1 E
xplor
ation
& de
velop
me
nt
3.
50
• Pr
oces
s risk
s wi
th m
ajor r
isk
on th
e or
ganiz
ation
. •
Risk
of
repu
tatio
nal
3.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l but
un
likely
m
onito
ring
11.
00
Guide on Risk Based Internal Audit Plan
188
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
impa
ct to
or
ganiz
ation
•
Impa
ct of
M
ajor
Fina
ncial
Los
s •
Sign
ifican
t th
reat
to
Healt
h, S
afet
y & En
viron
men
t •
Majo
r im
pact
on
orga
nizat
ional
prof
itabil
ity
and
upda
te
exer
cise.
•
Lega
l co
mpli
ance
fra
mew
ork
with
mino
r de
viatio
ns.
• De
fined
Po
licy a
nd
Proc
edur
es
but
insuf
ficien
t co
ntro
l on
imple
men
tat
ion a
nd
com
plian
ce
to sa
me.
•
Cons
isten
t Or
ganis
atio
n gr
owth
Case Study
189
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
with
po
ssibl
e los
ses
14
Main
tena
nce 1
4.1
Pipe
line
Main
tena
nce
3.
67
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Si
gnific
ant
thre
at to
He
alth,
Saf
ety
& Envir
onm
ent
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
3.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l but
un
likely
m
onito
ring
and
upda
te
exer
cise.
•
Lega
l co
mpli
ance
fra
mew
ork
with
mino
r de
viatio
ns.
• De
fined
Po
licy a
nd
Proc
edur
es
but
11.
00
Guide on Risk Based Internal Audit Plan
190
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
insuf
ficien
t co
ntro
l on
imple
men
tat
ion a
nd
com
plian
ce
to sa
me.
14
M
ainte
nanc
e 14.
2 Eq
uipm
ent
Main
tena
nce
3.
67
• Im
pact
of
Majo
r Fi
nanc
ial L
oss
• Si
gnific
ant
thre
at to
He
alth,
Saf
ety
& Envir
onm
ent
• M
ajor i
mpa
ct on
or
ganiz
ation
al pr
ofita
bility
3.00
•
Defin
ed
Prev
entiv
e or
det
ectiv
e co
ntro
l but
un
likely
m
onito
ring
and
upda
te
exer
cise.
•
Lega
l co
mpli
ance
fra
mew
ork
with
mino
r de
viatio
ns.
• De
fined
11.
00
Case Study
191
D.
Sr.
No.
Dep
artm
ent
P.
Sr.
No.
Proc
ess
Bus
ines
s Lo
catio
ns
Initi
al
Ris
k R
atin
g
Rat
iona
le fo
r In
itial
Ris
k R
atin
g
Con
trol
En
viro
n-m
ent R
atin
g
Rat
iona
le fo
r C
ontr
ol
Envi
ronm
ent
Rat
ing
Res
idua
l R
isk
Scor
e(R
ound
ed
up)
Cor
pora
te
Off
ice
Plan
tD
epot
Polic
y and
Pr
oced
ures
bu
t ins
uffic
ient
cont
rol o
n im
plem
enta
tion
and
co
mpli
ance
to
sam
e.
Guide on Risk Based Internal Audit Plan
192
Step
6: D
evel
op In
tern
al A
udit
Plan
(a
) Ar
rive
at th
e fre
quen
cy o
f the
inte
rnal
audit
usin
g th
e re
sidua
l risk
sco
re c
alcula
ted
in th
e pr
eviou
s ste
ps. T
he fo
llowi
ng
defin
itions
could
be
used
for a
rrivin
g at
the
frequ
ency
of a
udit
in th
e tim
e sp
an o
f 3 ye
ars.
Hi
gh R
isk –
Aud
it ar
eas h
aving
resid
ual r
isk sc
ore
of m
ore
than
12
which
nee
d to
be
audit
ed e
very
year
.
Med
ium R
isk -
Audit
are
as h
aving
resid
ual r
isk s
core
of m
ore
than
or e
qual
to 9
but
less
than
or e
qual
to 1
2 wh
ich
need
to b
e au
dited
twice
in th
ree
year
s.
Lo
w Ri
sk -
Audit
are
as h
aving
resid
ual r
isk s
core
of m
ore
than
or e
qual
to 5
but
less
than
or e
qual
to 8
whic
h ne
ed
to b
e au
dited
onc
e in
thre
e ye
ars.
Acce
ptab
le - A
udit
area
s ha
ving
resid
ual r
isk s
core
of l
ess
than
5 w
hich
could
to b
e au
dited
bas
ed o
n m
anag
emen
t dis
cret
ion.
(b)
Prep
are
the
annu
al au
dit p
lan b
y ide
ntify
ing th
e ar
eas t
hat n
eed
to b
e au
dit in
year
1, y
ear 2
and
year
3.
Prep
are
Aud
it U
nive
rse
Ris
k Id
entif
icat
ion
Ris
k pr
iorit
izat
ion
and
ra
ting
Asse
ss
contr
ol en
viro
nmen
t
Der
ive
Res
idua
l R
isk
Rat
ing
Dev
elop
In
tern
al
Aud
it pl
an
Case Study
193
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Con
trol
En
viro
nmen
t R
atin
g
Res
idua
l R
isk
Scor
e
Freq
uenc
y of
Aud
it A
udit
Plan
Year
- 1
Aud
it Pl
anYe
ar -
2
Aud
it Pl
anYe
ar -
3
Cor
pora
te
Off
ice
Plan
t D
epot
1 Co
ntra
cts
1.1
Tend
ering
an
d RF
Q
4.00
4.
00
16.0
0 Ev
ery Y
ear
1 Co
ntra
cts
1.2
Cont
racti
ng
and
Orde
ring
3.
80
4.00
16
.00
Ever
y Yea
r
2 Pl
ant
Oper
ation
s 2.
1 Pr
oduc
tion
and
Distr
ibutio
n
3.
91
3.00
12
.00
Twice
in 3
ye
ars
2 Pl
ant
Oper
ation
s 2.
2 Op
erat
ion
and
Main
tena
nce
3.
83
3.00
12
.00
Twice
in 3
ye
ars
2 Pl
ant
Oper
ation
s 2.
3 Sa
fety
and
Envir
onm
ent
4.
50
3.00
14
.00
Twice
in 3
ye
ars
3 Dr
illing
3.
1 Dr
illing
3.80
4.
00
16.0
0 Ev
ery Y
ear
4 In
form
ation
Te
chno
logy
4.1
IT S
ecur
ity
4.
13
2.00
9.
00
Twice
in 3
ye
ars
4 In
form
ation
Te
chno
logy
4.2
ERP
and
othe
r ap
plica
tions
3.
43
2.00
7.
00
Once
in 3
ye
ars
Guide on Risk Based Internal Audit Plan
194
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Con
trol
En
viro
nmen
t R
atin
g
Res
idua
l R
isk
Scor
e
Freq
uenc
y of
Aud
it A
udit
Plan
Year
- 1
Aud
it Pl
anYe
ar -
2
Aud
it Pl
anYe
ar -
3
Cor
pora
te
Off
ice
Plan
t D
epot
5 Ge
ology
&
Rese
rvoir
5.
1 Ge
ology
&
Rese
rvoir
3.64
2.
00
8.00
On
ce in
3
year
s
6 Re
sear
ch
and
Deve
lopm
ent
6.1
Rese
arch
an
d De
velop
men
t
2.
33
1.00
3.
00
Acce
ptab
le
7 M
ater
ial
Man
agem
ent
7.1
MM
- Pl
annin
g &
Rece
iving
3.
33
5.00
17
.00
Ever
y Yea
r
7 M
ater
ial
Man
agem
ent
7.2
MM
- De
pot
2.
83
5.00
15
.00
Ever
y Yea
r
7 M
ater
ial
Man
agem
ent
7.3
MM
- In
vent
ory
Hand
ling
and
Stor
age
3.
20
5.00
16
.00
Ever
y Yea
r
8 W
ell L
oggin
g 8.
1 W
ell L
oggin
g
3.00
1.
00
3.00
Ac
cept
able
9 Fi
nanc
e an
d Ac
coun
ts 9.
1 Fi
nanc
ial
Plan
ning
and
Analy
sis
3.
50
3.00
11
.00
Twice
in 3
ye
ars
9 Fi
nanc
e an
d 9.
2 Tr
easu
ry
4.
00
3.00
12
.00
Twice
in 3
Case Study
195
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Con
trol
En
viro
nmen
t R
atin
g
Res
idua
l R
isk
Scor
e
Freq
uenc
y of
Aud
it A
udit
Plan
Year
- 1
Aud
it Pl
anYe
ar -
2
Aud
it Pl
anYe
ar -
3
Cor
pora
te
Off
ice
Plan
t D
epot
Acco
unts
year
s
9 Fi
nanc
e an
d Ac
coun
ts 9.
3 Fi
nanc
ial
Repo
rting
3.50
4.
00
14.0
0 Tw
ice in
3
year
s
9 Fi
nanc
e an
d Ac
coun
ts 9.
4 As
set
Man
agem
ent
4.00
4.
00
16.0
0 Ev
ery Y
ear
9 Fi
nanc
e an
d Ac
coun
ts 9.
5 Pa
yable
s
3.40
4.
00
14.0
0 Tw
ice in
3
year
s
9 Fi
nanc
e an
d Ac
coun
ts 9.
6 In
voici
ng a
nd
Rece
ivable
s
3.50
3.
00
11.0
0 Tw
ice in
3
year
s
9 Fi
nanc
e an
d Ac
coun
ts 9.
7 JV
Op
erat
ions
4.
00
4.00
16
.00
Ever
y Yea
r
9 Fi
nanc
e an
d Ac
coun
ts 9.
8 Ta
xatio
n
4.00
4.
00
16.0
0 Ev
ery Y
ear
10
Hum
an
Reso
urce
10
.1
Recr
uitm
ent
3.
00
4.00
12
.00
Twice
in 3
ye
ars
10
Hum
an
Reso
urce
10
.2
Lear
ning
and
Deve
lopm
ent
3.75
4.
00
15.0
0 Ev
ery Y
ear
Guide on Risk Based Internal Audit Plan
196
D. S
r.
no.
Dep
artm
ent
P. S
r.
No.
Pr
oces
s B
usin
ess
Loca
tions
In
itial
R
isk
Rat
ing
Con
trol
En
viro
nmen
t R
atin
g
Res
idua
l R
isk
Scor
e
Freq
uenc
y of
Aud
it A
udit
Plan
Year
- 1
Aud
it Pl
anYe
ar -
2
Aud
it Pl
anYe
ar -
3
Cor
pora
te
Off
ice
Plan
t D
epot
10
Hum
an
Reso
urce
10
.3
Sepa
ratio
ns
3.
00
4.00
12
.00
Twice
in 3
ye
ars
10
Hum
an
Reso
urce
10
.4
Payr
oll
Proc
ess
3.
40
5.00
17
.00
Ever
y Yea
r
11
Proje
cts
11.1
Pl
annin
g an
d In
vestm
ent
4.
50
3.00
14
.00
Twice
in 3
ye
ars
11
Proje
cts
11.2
Ex
ecut
ion
and
hand
over
4.
17
4.00
17
.00
Ever
y Yea
r
12
Busin
ess
Deve
lopm
ent
12.1
Bu
sines
s De
velop
men
t
2.67
2.
00
6.00
On
ce in
3
year
s
13
Explo
ratio
n & de
velop
men
t
13.1
Ex
plora
tion
& deve
lopm
ent
3.
50
3.00
11
.00
Twice
in 3
ye
ars
14
Main
tena
nce
14.1
Pi
pelin
e M
ainte
nanc
e
3.67
3.
00
11.0
0 Tw
ice in
3
year
s
14
Main
tena
nce
14.2
Eq
uipm
ent
Main
tena
nce
3.
67
3.00
11
.00
Twice
in 3
ye
ars
PrepRisk
PrepAud
Unive
pare Heat k Based In
pare dit erse
RisIdenti
o
Map – Grnternal Au
sk ificatin
Ripriorit
n arat
197
raphical pudit Plan
sk tizatioand ing
Asscon
envirn
presentat
sess ntrol ronment
DeRes
Risk
Case Stu
ion of the
erive sidual Rating
DevInte
Aud
udy
e
velop ernal it plan