guide on risk based internal auudit plan

Gui

DISCL

The viCharteexpres

The

ide on R

AIMER:

ews expresseered Accountassed by the au

Institute(Set

Risk Bas

ed in this Guidnts of India mthor(s).

Internal Aude of Chartt up by an

Ne

sed Inte

de are those may not neces

dit Standardtered Acn Act of Pew Delhi

ernal Au

of author(s). ssarily subscri

s Board countant

Parliament

udit Pla

The Institute ibe to the view

ts of Indit)

n

of ws

ia

© The Institute of Chartered Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic mechanical, photocopying, recording, or otherwise, without prior permission, in writing, from the publisher. Edition : February, 2015 Committee/Department : Internal Audit Standards Board Email : [email protected] Website : www.icai.org Price : ` 250/- (Including CD) ISBN No. : 978-81-8441-776-0 Published by : The Publication Department on behalf of the

Institute of Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha Marg, New Delhi - 110 002.

Printed by : Sahitya Bhawan Publications, Hospital Road,

Agra 282 003 February/2015/P1761 (New)

Foreword

Recent economic events and increased regulatory scrutiny have impacted the importance of understanding and managing the risks, which drive uncertainty about the organizational success. Effective risk management helps organizations to understand the risks they are exposed to, put controls in place to counter threats, and also to effectively pursue their objectives. In a nutshell, risk management is an important aspect of an organization’s governance, management and operations.

In such a scenario, internal audit plays a very critical role by providing assurance that all the risks related to the activities of the organization are being identified, monitored and managed effectively. The Institute, from time to time, has issued guidance to help the members enhance their skill base and competencies in the area of risk management. This “Guide on Risk based Internal Audit Plan” is being issued by the Internal Audit Standards Board of the Institute of Chartered Accountants of India (ICAI) to provide guidance on developing and implementing an effective Risk Based Internal Audit Plan.

I would like to congratulate CA. Charanjot Singh Nanda, Chairman, Internal Audit Standards Board and all the other members of the Board on issuance of this publication which provides updated guidance on this important area. The objective is to help internal auditors in embedding risk based approach thereby enabling them to meet stakeholder’s expectations.

I am confident that this Guide would help our members to play a leading role in promoting good risk management practices.

February, 2, 2015 New Delhi

CA. K Raghu President, ICAI

Preface

In today’s complex regulatory and compliance environment, while capitalizing on emerging opportunities, risk management assumes tremendous importance. Risk management systems encompass the policies, culture, processes, systems and other aspects of an organization that, taken together facilitate its effective and efficient operation by enabling it to assess current and emerging risks, respond appropriately to risks and significant control failures and to safeguard it’s assets. Assessment of risks should support better decision-taking, ensure that the board and management respond promptly to risks when they arise, and ensure that shareholders and other stakeholders are well informed about the principal risks and prospects of the organization. Internal auditors undoubtedly play a leading role in helping their organizations achieve an integrated, organization-wide approach to risk management which ultimately helps to create, enhance, and protect stakeholder value.

Considering the above, the Internal Audit Standards Board of the Institute is issuing this “Guide on Risk Based Internal Audit Plan”. Accordingly, the Board is withdrawing its pervious publication “Guide to Implementing Enterprise Risk Management” issued in 2008. Internal auditors can through risk based auditing provide feedback on the adequacy of internal control as well as they can provide a source of information for monitoring risk. Further, the cycle of continually assessing risk, efficiently planning audit activities, and effectively performing, delivering, and reporting audit activities can result in overall lower risk to the organization. This Guide comprehensively explains the concepts of Risk Based Internal Audit Plan and provides a step-wise approach to effectively implement the same in an organization. It includes detailed guidance on risk appetite, understanding business environment, preparing audit universe, risk identification, risk prioritization and rating, assessing control environment, deriving residual risk rating and finally developing internal audit plan. Further, for enhancing the understanding of the readers, an illustrative case study including all the steps to prepare the RBIAP has also been also provided in the guide.

At this juncture, I would like to place on record my sincere gratitude to CA. Amit Gupta, CA. Mohit Gupta, Shri Anurag Agarwal and CA. Sameer Mittal for sharing their experience and knowledge with us and preparing the draft of this Guide.

vi

I would like to express my immense gratitude to CA. K. Raghu, President, ICAI and CA. Manoj Fadnis, Vice President, ICAI for their continuous support and encouragement to the initiatives of the Board. I must also thank my colleagues from the Council at the Internal Audit Standards Board, viz., CA. Shriniwas Y. Joshi, Vice Chairman, IASB, CA. Rajkumar S. Adukia, CA. Prafulla Premsukh Chhajed, CA. Sanjeev K. Maheshwari, CA. Dhinal Ashvinbhai Shah, CA. Shiwaji Bhikaji Zaware, CA. V. Murali, CA. S. Santhanakrishnan, CA. Abhijit Bandyopadhyay, CA. Sanjiv Kumar Chaudhary, CA. Atul Kumar Gupta, CA. Naveen N.D. Gupta, Shri Manoj Kumar, Shri P. Sesh Kumar and Shri R.K. Jain for their vision and support. I also wish to place on record my gratitude for the co-opted members on the Board, viz., CA. R. Balakrishnan, CA. N. S. Ayyanagoudar, CA. Sunil H. Talati, CA. J. Vedantha Ramanujam and CA. Milind Vijayvargia and special invitees, CA. Nagesh D. Pinge and CA. Hardik Chokshi for their invaluable guidance as also their dedication and support to various initiatives of the Board. I also wish to express my thanks to CA. Jyoti Singh, Secretary, Internal Audit Standards Board and her team of officers for their efforts and inputs in finalizing this Guide.

I am sure that the members and other interested users will find this publication useful in discharge of their professional obligations.

February 9, 2015 New Delhi

CA. Charanjot Singh Nanda

Chairman, Internal Audit Standards Board

vii

Contents

Foreword ............................................................................................................ iii Preface ................................................................................................................ v Chapter 1: Introduction ...................................................................................... 1

Objective .............................................................................................................. 1 Chapter 2: Need for Risk Based Internal Audit Plan ....................................... 2

Chapter 3: RBIAP Concepts .............................................................................. 5

Chapter 4: Responsibility for Developing RBIAP ............................................ 6

Chapter 5: RBIAP- Development and Implementation ............................... 7-45

Define Objective, Criteria and Risk Appetite ......................................................... 8

Risk Categorization ............................................................................................ 10 Risk Assessment Criteria ................................................................................... 11 Criteria for Assessing Control Environment ........................................................ 11 Understanding the Business Environment and Processes ................................. 11 Prepare Audit Universe ...................................................................................... 13 Risk Assessment ................................................................................................ 19 Risk Identification ............................................................................................... 20 Risk Prioritization ................................................................................................ 20 Assess Control Environment .............................................................................. 27 Develop Internal Audit Plan ................................................................................ 35 Planning and Developing Internal Audit Plan ..................................................... 38 Implement and Update RBIAP ........................................................................... 40 Allocate Resources, Engagement Scheduling and Execution ............................ 42 Reassess Risk and Control Environment and Update RBIAP ............................ 43 Chapter 6: Case Study .............................................................................. 46-197

Chapter 1

Introduction

1.1 Traditionally, internal auditing was understood as one time exercise with limited documentation. Increase in the trend of frauds in the corporate sector over the last couple of decades has shifted the pendulum towards the need of a strong and robust internal auditing and internal control systems. Regulators have also become more vigilant towards the requirement of strong internal control system which resulted in the announcement of statutory obligations viz., Sarbanes Oxley Act in USA, Clause 49 of Listing Agreement as per SEBI and recently notified Companies Act, 2013 and rules thereunder. This has put organizations under increasing pressure to identify all the business risks they face and to explain how they manage them.

1.2 Risk-based Internal Auditing (RBIA) allows internal auditor to provide assurance to the Board of Directors that risk management processes are managing risks effectively, having regards to the risk appetite of the organization. Risk-based internal auditing begins by reviewing the organizational objectives, then considers the risks that impact on the achievement of those objectives, and examines the methodologies in place to mitigate those risks. The only defence auditors have in instances of corporate failures is sufficient, appropriate audit evidence that proves their innocence. This audit evidence will be the result of a well-planned and performed audit. An audit plan, currently a risk-based audit plan, is therefore a crucial component in the planning of an effective audit.

Objective 1.3 This guide provides guidance on developing and implementing an effective Risk Based Internal Audit Plan in an organization. This guide would be meant for the individuals who are already an internal auditor, preparing to become one or responsible for overseeing and controlling the business function(s).

Chapter 2

Need for Risk Based Internal Audit Plan

2.1 Preface to the Standards on Internal Audit, issued by the Institute of Chartered Accountants of India defines the term “internal audit” as, “Internal Audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with an view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system.”

Standard on Internal Audit (SIA) 1 “Planning an Internal Audit”, lays down that the internal auditor should, in consultation with those charged with governance, including the audit committee, develop and document a plan for each internal audit engagement to help him conduct the engagement in an efficient and timely manner.

2.2 Standard on Internal Audit (SIA) 13 “Enterprise Risk Management” mentions that “The internal auditor will normally perform an annual risk assessment of the enterprise, to develop a plan of audit engagements for the subsequent period. This plan will be reviewed at various frequencies in practice. This typically involves review of the various risk assessments performed by the enterprise (e.g., strategic plans, competitive benchmarking, etc.), consideration of prior audits, and interviews with a variety of senior management. It is designed for identifying internal audit key areas and, not for identifying, prioritizing, and managing risks directly for the enterprise. The internal audit plan, which should be approved by the audit committee, should be based on risk assessment as well as on issues highlighted by the audit committee and senior management. The risk assessment process should be of a continuous nature so as to identify not only residual or existing risks, but also emerging risks. The risk assessment should be conducted formally at least annually, but more often in complex enterprises. To serve this objective, the internal auditor should design the audit work plan by aligning it with the objectives and risks of the enterprise and concentrate on those issues where assurance is sought by those charged with governance.”

Need for Risk Based Internal Audit Plan

3

2.3 Internal auditor is expected to review business processes and various transactions to provide comfort to the management whether adequate internal controls are in place considering the nature and size of business operations. Considering the volume of the transaction and complexity of the business processes, it would not be possible to check 100% of the business transactions. The internal auditor usually, adopts sampling and judgment based on past experience and knowledge. However, this leaves a risk of gap in internal controls which may remain undetected. Accordingly, there is a need for auditors to follow risk based internal audit approach.

2.4 There are many challenges being faced by the internal auditors in performance of their duties. The major challenges include:

Mismatch in the expectations from and output of the internal audit function;

Audit risk;

Practical implementation of audit standards; and

Uncertainties due to changing environment – internal as well as external.

2.5 The internal audit function is, normally, expected to focus on areas of high risk, including both inherent and residual risk. The internal audit activity needs to identify areas of high inherent risk, high residual risks, and the key control systems upon which the organization is most reliant.

Audit risk – Audit risk refers to the risk that an auditor may issue unqualified report due to the auditor's failure to detect material misstatement either due to error or fraud. This risk is composed of inherent risk (IR), control risk (CR) and detection risk (DR).

Inherent risk – These risks are “all pervasive in nature” meaning they are inherent in all business activities. Inherent risk is a risk in ‘raw form’ before any risk treatment/ mitigation activity has been applied to it.

Residual risk – Residual risk is the level of risk that would remain untreated despite all mitigation efforts.

Guide o

The figresidua

2.6 managplanninof the acceptdeveloallocatauditabactivity

on Risk Based

gure below dal risk.

Internal audit gement procesng an engageactivity and thable level. Thping the intering internal able units and sy’s plan that ha

d Internal Audit

depicts the re

planning neess, where it hament, the inte

he means by whe internal aurnal audit activaudit resourceselect areas foave the greate

t Plan

4

elationship be

eds to make uas been deveernal auditor cwhich manageuditor uses risvity’s plan anes. Risk asseor review to beest risk exposu

tween the in

use of the orgeloped by the considers the ement mitigatesk assessmend in determin

essment is use included in ture.

herent risk a

ganizational riorganization. significant ris

es the risk to nt techniques ing priorities fsed to examihe internal au

nd

isk In

sks an in

for ne dit

Chapter 3

RBIAP Concepts

3.1 Risk Based Internal Audit Plan (RBIAP) is an important tool that helps internal auditor to respond to the challenges being faced by the internal auditor, and also enhances the quality of the services that the internal audit function provides. By following the structured approach for planning the internal audit, it could be easily concluded that:

A proper evaluation has been done to identify and assess the risk vis-a-vis risk appetite of the company.

Plan to respond to the risks are effective in managing inherent risks within the risk appetite.

Increased focus and rigorous response to risks where residual risks are not in line with the risk appetite.

3.2 RBIAP is an approach to develop the internal audit plan in such a manner that all the business processes covering both financial as well as operational activities are reviewed by internal audit function within a defined time cycle, generally, varying from 3 to 5 years. Also, ensuring that appropriate consideration is made and adequate balance is ensured to the following:

Risk underlying the business process.

Value that the internal audit can provide to the organization.

Effort involved in conducting the internal audit for a particular business process.

Risk appetite of the organization.

Coverage of all auditable areas within the defined time range.

Chapter 4

Responsibility for Developing RBIAP

4.1 The need to manage risks has become recognised as an essential part of good corporate governance practice. This has put organisations under increasing pressure to identify all the business risks they face and to explain how they manage them. In fact, the activities involved in managing risks have been recognised as playing a central and essential role in maintaining a sound system of internal control. While the responsibility for identifying and managing risks belongs to management, one of the key roles of internal audit is to provide assurance that those risks have been properly managed.

The Chief Internal Auditor, as designated by the audit committee, must establish a risk-based plan to determine the priorities and focus areas of the internal audit activity which are aligned to the business objectives and organization’s goals. The prime responsibility of developing the Risk Based Internal Audit Plan is with the Chief Internal Auditor. The Chief Internal Auditor must prepare the RBIAP and review the same on annual basis in the light of changing business environment, processes, technology, etc. having impact on the prevailing risk for the Company and its control environment.

4.2 The RBAIP, thus, prepared by the Chief Internal Auditor must be approved by the Audit Committee. Audit Committee assesses the appropriateness of the process followed for development of the RBIAP to ensure that due consideration is given to the following:

Consideration of all major risk for the company

Business objectives

Risk appetite of the company

Inputs from the key managerial persons of the company

Changes in the operational and regulatory environment.

7

Chapter 5

RBIAP — Development and Implementation

5.1 The internal auditor takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the internal auditor uses his/her own judgment of risks after consideration of input from senior management and the board. The internal auditor must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

5.2 Risk based internal audit planning includes formal annual planning, updating the plan before audit segments begin and periodic feedback from management and the audit committee regarding report content expectations. The internal audit scope is adjusted based on all of these factors and gives the internal auditor a keen ability to understand and react quickly to management and audit committee concerns regarding risk and audit coverage. Thus, there are two phases of successful implementation of the RBIAP. These include the following:

Develop and approve RBIAP Implement and update RBIAP

5.3 Methodology for development of risk based internal audit plan can be divided into following steps:

I Develop and Approve RBIAP

(i) Define objective, criteria and risk appetite

(ii) Understanding the business environment and processes

(iii) Prepare audit universe

(iv) Risk assessment

(a) Risk identification (b) Risk prioritization and rating

Guide on Risk Based Internal Audit Plan

8

(v) Assess control environment

(vi) Derive residual risk rating

(vii) Develop internal audit plan.

II Implement and update RBIAP

(i) Derive Annual Internal Audit plan (ii) Allocate resources, engagement scheduling and execution (iii) Re-assess risk and control environment (iv) Update RBIAP.

Process of Risk Based Internal Audit Planning

Define Objective, Criteria and Risk Appetite 5.4 Internal Auditor need to first define the objective of preparing the risk based internal audit plan for a particular organization. There are varied factors that need to be considered while defining the objective of the exercise, these may include:

Size and nature of business

Complexity of the business process

Resource constraint

Define objective, criteria and risk

appetite

Understanding the Business

Environment and processes

Prepare Audit Universe

Risk identificationFilter Risks (Acceptable Risks, under

tolerance limit)

Categorise Risks and link to Audit

Areas

Risk Prioritisation and Rating

Summarise Risks for each audit

areaAssess control environment

Derive Residual Risk Rating

Derive Frequency of

Audit

Develop Audit Plan

Approval from Audit Committee

Allocate Resources, engagement

scheduling and execution

Re-assess risk and control environment

Update RBIAP


9

Time horizon which the organization considers appropriate for review of all the business processes.

5.5 Internal auditor need to define the criteria that would be used for developing the internal audit plan. It would include the following:

Risk categorization

Risk assessment criteria

Criteria for assessing the control environment

Criteria to priorities and decide the frequency of audit. 5.6 It is very critical that the criteria for developing the RBIAP are documented in advance and approved to avoid any subjectivity on the outcome of the exercise. The key factors that need to be kept in mind while finalizing these criteria include the following:

Inherent risks – ensure all inherent risks are identified and assessed.

Residual risks – ensure all residual risks are identified and assessed.

Mitigating controls– ensure elements of control environment (e.g., level of automation, governance structure, etc.) are identified that could be linked to the individual events and/ or risks.

5.7 Internal auditor need to interact with the senior management and take a view on the risk appetite of the organization. Risk appetite of the organization can significantly impact the criteria that need to be used for the development of RBIAP. A Risk Based Internal Audit Plan should ensure that it covers all unacceptable current risks where management action is required. These would be the areas with high residual risks, i.e., high inherent risk and minimal key controls or mitigating factors. These would be the areas that senior management should get audited immediately. Identification, assessment and prioritization of the audit areas is dependent on the residual risk for the organization, which is monitored and evaluated in the light of risk appetite of the organization.

Risk rating depends on the criteria set by the organization to assess and prioritise its risk. Depending on the risk appetite of the organization, it could mean financial loss of ` 1 Lac could be ‘minor’ for a large PSU with annual profit of ` 500 crores but it could be major for an organization with annual profit of ` 50 Lacs.


10

Risk Categorization 5.8 According to the Internal Control Framework issued by The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, risk can be categorized as under: Operational – Risks that impact the efficiency and effectiveness of the

operations of the organization are categorized as operational risk. E.g., process delays in completing the activity, customer dissatisfaction, inadequate fund management, excess payment, etc. Some companies further categories operational risk into financial risk and non-financial risk depending on the direct impact of risk.

Reporting – Risk of incorrect financial reporting. Internal control weaknesses which may result into incorrect financial reporting are categorized at reporting risk, e.g., inadequate cutoff procedures, lack of senior management review of financial statements, etc.

Compliance – Risk that may result in non-compliance to the applicable regulatory requirements. E.g., delay in submission of taxes and returns, operating without obtaining the required licenses, etc. These may result into possible fines and penalties being imposed on the organization.

5.9 Organizations also classify the risk under the additional category depending on the nature of the business, e.g., a company operating in energy sector could categories the risk as under: Operational Financial Health, Safety and Environment Compliance Reporting Company operating in the technology intensive sector could categories the risk as under: Operational Financial Technology Compliance Reporting


11

Risk Assessment Criteria 5.10 Risk need to be assessed in terms of severity of the impact that may come to the organization in the event of risk occurrence. Assigning the rating to the risk depending on the assessed severity is termed as risk prioritization. The typical risk prioritization is done on the scale of 1 to 5 as mentioned below:

Score 1 - Insignificant

Score 2 – Minor

Score 3 – Moderate

Score 4 – Major

Score 5 - Critical

Criteria for Assessing Control Environment 5.11 The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility; organizes and develops its people; and the attention and direction provided by the board of directors. The typical control environment assessment is done on the scale of 1 to 5 as mentioned below:

Score 1 – Very strong

Score 2 – Strong


Score 4 – Weak

Score 5 – Almost missing.

Understanding the Business Environment and Processes 5.12 As per the requirement of Standard on Internal Audit (SIA) 1 “Planning an Internal Audit”, The internal audit plan should be comprehensive enough to ensure that it helps in achieving of the above overall


12

objectives of an internal audit. The internal audit plan should, generally, also be consistent with the goals and objectives of the internal audit function as listed out in the internal audit charter, as well as the goals and objectives of the organisation.

5.13 The key to effective risk-based auditing is for the internal auditor to begin the planning process with a thorough understanding of the business process for the area under review. In combination with feedback from management and the audit committee, business objectives are reviewed, specific risks that could cause management not to meet those business objectives are identified, and controls established by management to mitigate these risks are evaluated. These business objectives, risks and controls should also be reviewed in relationship to the entity wide business objectives, risks, and controls to assist in developing comprehensive corporate decisions.

Below mentioned is a simple framework that can assist in understanding the business environment:

(i) Understand where the company is: Really understand. Taking complete stock of a company’s current situation – as regard to product innovation, customer buying patterns, PR branding, what are you selling and what you can sell.

(ii) Compare the company with the leader in the business: A critical comparison with the market leader will bring out the areas where most attention needs to be paid, because most often, the leading business has read the business environment right.

(iii) Engage with stakeholders: Constant dialogue with all stakeholders will lead to understanding the company’s niche and positioning in the competitive market.

5.14 SIA 1 further defines the steps that could be followed for obtaining the knowledge of the business. The internal auditor should obtain a level of knowledge of the entity sufficient to enable him to identify events, transactions, policies and practices that may have a significant effect on the financial information. Following are some of the sources wherefrom the internal auditor can obtain such knowledge:

Previous experience, if any, with the entity and the industry.

Legislation and regulations that significantly affect the entity.

Entity’s policy and procedures manual.


13

Minutes of the meetings of the shareholders, board of directors, and important committees of the board such as, audit committee, remuneration committee, shareholders’ grievances committee.

Management reports/ internal audit reports of prior periods.

Newspaper/ industry journals.

Discussion with client’s management and staff.

Visits to entity’s plant facilities, etc., to obtain first hand information regarding the production processes of the entity.

Visits to the entity’s department where the accounting and other documents are generated, maintained, and the administrative procedures followed.

Prepare Audit Universe 5.15 The first important step towards putting the RBIAP on papers is the documentation of the Audit Universe. The Audit Universe is to be prepared on the basis of the business understanding obtained under previous step.

SIA1 defines audit universe as “Audit universe comprises the activities, operations, units etc., to be subjected to audit during the planning period. The audit universe is designed to reflect the overall business objectives and therefore includes components from the strategic plan of the entity. Thus, the audit universe is affected by the risk management process of the client. The audit universe and the related audit plan should also reflect changes in the management’s course of action, corporate objectives, etc.”

Professor Brian Cox writing in the Wall Street Journal in April 2013 explained “Quantum theory tells us that the universe we experience emerges from a bewildering, counterintuitive maelstrom of interactions between an infinity of recalcitrant sub-atomic particles.” Defining the internal audit universe is much simpler than that, although the principles may well be similar.

5.16 In simple terms, audit universe can be termed as the set of all auditable units/ departments/ business process and audit areas, collectively called as auditable entities. Preparation of audit universe and selection of auditable entities in the audit universe is the most critical activity which lays the foundation for developing a robust and effective Risk Based Internal Audit Plan.


14

The important factor which could affect the selection of an auditable entity under the audit universe are:

(i) Organization vision, mission and objectives: The audit universe can include components from the organization’s strategic plan. By incorporating components of the organization’s strategic plan, the audit universe will consider and reflect the overall business objectives. Inputs from senior management and board should be obtained and assessment of risk and exposure affecting the organization should be carried out.

(ii) Expectations from the internal audit function: Audit universe need to factor all the expectations from the internal audit function. The internal audit plan, audit execution and the outcome of the internal audit process depends on the quality and comprehensiveness of the audit universe to gather all the expectations, focus areas and results expected from the performance of the internal audit activities.

(iii) Organization structure and set up: Organisation structure need to be understood while identifying the auditable entities. In case of highly centralized operations, more attention should be given to the auditable units at corporate, while in case of decentralized operations separate auditable entity need to be identified for plant/ branch/ regional office locations as applicable.

(iv) Geographical location of the organisation: Geographical location of the business set up also plays a key role in selection of units. Every location need to have a consideration and some place in the audit universe, however the identification of auditable unit need to be evaluated in consideration with other points. E.g., in case of regional office with smaller size of operations and lesser number of transactions, regional office can be considered as one auditable entity and all the business processes can be reviewed at that particular regional office together. However, if the scale of operations are larger, locations would need to be split into further functional areas e.g., Procurement - RO, Sales & Marketing – RO, HR and Payroll – RO, etc.

(v) Scalability of the operations: Scale of business operations should also be factored while deciding an auditable entity. Auditing an entity with very low scale may not be cost effective to be audited separately and may not give the actionable results as it would fall in the comfort range of the risk appetite of the organization.


15

(vi) Organic linkage between the business process/ sub processes: It is becoming increasingly important, to perform the objective study and conduct end to end review of a business process so that organization level impact on the identified gaps can be assessed and more objective decisions could be taken by the management on the basis of result of the internal audit activities. Hence, it is vital to study the linkage between business process and sub process. E.g., it is more effective to review the complete process of Procure to Pay (P2P) so that financial implication and complete process gaps could be identified. Review of the procurement process or payment process in isolation would not provide effective root causing and implication assessment of the internal audit gaps noted during the review.

(vii) Sufficiency to justify cost of control: Internal audit function acts as a control activity and keeps the regular check on the functioning of the business activities. Internal audit requires a team of qualified professionals with expert knowledge on the subject matter. With the increase in the expectations from and responsibilities of internal audit professional, the cost of the internal audit function is also increasing. It is important to keep the adequate balance in the cost of the internal audit review and benefit envisaged to realize from the review. Hence, cost of internal audit should be kept in mind while identifying the auditable entities.

5.17 It is important to understand that it’s not the size of the audit universe that matters rather it is the extent of the focus for the internal audit plan in strategic and operational terms. Having understood the key factors to be kept in mind and the objective of preparing the audit universe, let’s have a quick glance at the steps that need to be followed for developing the audit universe. (i) Discussion with Management: Perform detailed discussion at all the

level of senior and top management including the board members to understand their expectation, objectives and key focus areas.

(ii) Sketch Audit Universe: Prepare the initial sketch of the audit universe containing the list of identified business process and auditable entities that need to be audited by the internal audit function.

(iii) Assess objectives for identified auditable entities: Align the objective of the internal audit with the objectives of the business and assess the objectivity of reviewing the identified auditable entities. The category of such objective could be:


16

(a) Reliability and integrity of financial and operational Information (b) Effectiveness and efficiency of operations (c) Safeguarding of assets (d) Compliance with laws, regulations, and contracts

(iv) Re-validate Audit Universe: The audit universe and related audit plan are updated to reflect changes in management direction, objectives, emphasis, and focus. It is advisable to assess the audit universe on at least an annual basis to reflect the most current strategies and direction of the organization. The validation exercise is pervasive and continuous in nature until the annual plan is finalized and approved by the audit committee/ board.

Steps for Developing the Audit Universe

Discussion with Management

Draft initial sketch of audit universe

Assess objective of auditable entities

Re-validate audit universe

Finalize audit universe

Develop RBIAP

Approve RBIAP


17

5.18 Following are some illustrative audit universe:

(i) Illustrative Audit Universe of a Manufacturing Company:

Sr. no.

Department Business Locations Corporate

Office Plant Branch

Office 1

Branch Office

2 1 Order to Cash 2 Procure to Pay 3 Human Resource and Payroll 4 Finance and Accounts 5 Production 6 Logistics and Distribution 7 Capital Expenditure 8 Plant Maintenance 9 Information Technology 10 Warehouse Management 11 Statutory Compliances

(ii) Illustrative Audit Universe of a Oil and Gas Company:

D. Sr. no.

Department P. Sr. No.

Process Business Locations Corporate

Office Plant Depot

1 Contracts 1.1 Tendering and RFQ

1 Contracts 1.2 Contracting and Ordering

2 Plant Operations

2.1 Production and Distribution

2 Plant Operations

2.2 Operation and Maintenance


18

D. Sr. no.



Office Plant Depot

2 Plant Operations

2.3 Safety and Environment

3 Drilling 3.1 Drilling 4 Information

Technology 4.1 IT Security

4 Information Technology

4.2 ERP and other applications

5 Geology & Reservoir

5.1 Geology & Reservoir

6 Research and Development

6.1 Research and Development

7 Material Management

7.1 MM - Planning & Receiving


7.2 MM - Depot


7.3 MM - Inventory Handling and Storage

8 Well Logging 8.1 Well Logging 9 Finance and

Accounts 9.1 Financial

Planning and Analysis

9 Finance and Accounts

9.2 Treasury


9.3 Financial Reporting


9.4 Asset Management


9.5 Payables


19

D. Sr. no.



Office Plant Depot


9.6 Invoicing and Receivables


9.7 JV Operations


9.8 Taxation

10 Human Resource

10.1 Recruitment

10 Human Resource

10.2 Learning and Development

10 Human Resource

10.3 Separations

10 Human Resource

10.4 Payroll Process

11 Projects 11.1 Planning and Investment

11 Projects 11.2 Execution and handover

12 Business Development

12.1 Business Development

13 Exploration & development

13.1 Exploration & development

Risk Assessment 5.19 The objective of the risk assessment is to assess the level of risk in the various business processes. Risk assessment focuses on the business environment, regulatory environment, organisation structure, organizational and business environmental changes and specific concerns of management and the audit committee to determine the areas of greatest risk. It also serves to aid the internal auditor in evaluating the control design to determine


20

the desired audit scope. Risk assessment includes risk identification and then risk prioritization based on defined criteria.

Risk Identification 5.20 Risk identification is the process to identify all possible risk in the auditable entities identified at the time of preparation of the audit universe. This includes evaluation of ‘what can go wrong’ in the particular process attached with the identified auditable entity which can have any adverse impact on the organization. The adverse impact could be in the form of possible financial loss, operational inefficiency and ineffectiveness, statutory non-compliance, incorrect reporting, etc. The quality and effectiveness of the risk assessment depends on the comprehensiveness and completeness of the risk identification exercise.

5.21 The first step in the risk identification exercise is to identify the event which may affect the entity positively or negatively in achieving its objectives. Such events may be classified as risk and opportunities depending on its impact on the organization. Risk identification is followed by risk filtration steps. Risk can be all pervading; they can surface from the most obscure to the most obvious (but overlooked) areas. Similarly, their outcomes can also be from the immaterial to highly significant. These are the matters which are quite difficult to appreciate or evaluate at the time of risk identification and are therefore best left for the next state (Risk Prioritization). Nevertheless, given the practical limitations, some level of judgment will have to be applied in deciding what to include and what to exclude at the identification stage. Here, to ensure that no important matters are overlooked, it is always safer to begin by initially including all the risk and then filtering out everything which appears to be obviously insignificant and with remote probability of occurrence.

Risk Prioritization 5.22 The identified risk need to the prioritized based on the pre-defined criteria (Refer step 1 - Define objective, criteria and risk appetite). The typical risk periodization is done on the scale of 1 to 5 as mentioned below:

Score 1 - Insignificant

Score 2 – Minor



21

Score 4 – Major

Score 5 - Critical

5.23 There are various factors that could affect the risk prioritization and rating. Following factors need to be kept in mind while performing the risk prioritization exercise:

(i) “Auditable” risks associated with/ mapped to the business process, entity or location

(ii) Risk of non compliance (penalty, etc.)

(iii) Magnitude of Financial Loss

(iv) Significance of threat to Health, Safety & Environment (HSE)

(v) Risk to reputation of organisation

(vi) Possibility of fraud/ misappropriation

(vii) History of frauds or irregularity

(viii) Management’s assertion on impact

(ix) Magnitude of impact on organisational profitability

(x) Stability of IT systems

(xi) Complexity (volume of business, nature of business)

(xii) Results of earlier audits external/ internal

Risk Rating Pyramid

Insignificant (1)

Minor (2)

Moderate (3)

Major (4)

Critical (5)


22

5.24 The preliminary risk rating can be assessed and interpreted using the below mentioned methodology.

Preliminary Risk Rating

Description Illustrative parameters for Assessing

1 Insignificant Process risks with insignificant risk on the organization.

Non-compliance with minor penalties.

Impact of very low financial loss. No major threat to Health, Safety &

Environment. No history of fraud/ misappropriation Minor impact on organizational

profitability. Stable IT and ERP systems.

2 Minor

Process risks with minor risk on the organization.

Non-compliance with minor penalties.

Impact of minor Financial Loss. No significant threat to Health,

Safety & Environment. Minor fraud/ misappropriation. Minor impact on organizational

profitability. Stable IT and ERP systems.

3 Moderate Process risks with tolerable risk on the organization.

Non-compliance with major financial penalties.

Impact of significant financial loss. Possible threat to Health, Safety &

Environment. Possible fraud/ misappropriation. Tolerable impact on organizational

profitability.


23

Preliminary Risk Rating

Description Illustrative parameters for Assessing

Stable IT and ERP systems. 4 Major Process risks with major risk on the

organization. Risk of reputational impact to

organization. Non-compliance with major financial

penalties or prosecutions. Impact of Major Financial Loss. Significant threat to Health, Safety &

Environment. Repeated fraud/ misappropriation. Major impact on organizational

profitability. Deficient IT and ERP systems.

5 Critical Process risks with critical risk on the organization.

Risk of high reputational impact to organization.

Risk with impact on going concern of the organization.

Non-compliance with major financial penalties and prosecutions.

Impact of High Financial Loss. Significant threat to Health, Safety &

Environment. Repeated fraud/ misappropriation

with major financial or reputational consequences.

High impact on organizational profitability.

Missing IT and ERP systems.

5.25 Some techniques of risk assessment are explained below:

Interviews: Internal auditor need to conduct interviews at all levels of management to identify the possible risk that could occur in the


24

particular process as per the experience of the management personnel. Internal auditor can assess the level of understanding of the organization’s process, policies, systems used and controls in place during these interviews. This would help them in assessing the control environment around the particular auditable entity. We would discuss more about the control environment later in this chapter.

Surveys: Internal auditor can perform surveys to identify and assess the gravity of the risk and its possible impact on the organization. An important aspect of the survey is to prepare a qualitative questionnaire that would help in identification of the qualitative risk and its impact. The target audience need to be selected carefully while performing the survey so that results are not biased.

Workshops: The Internal auditor can also perform workshops with the selected managerial persons to identify the risk in the particular process and ask them to rate them based on the defined methodology. There are many tools that may be used to perform these workshops effectively.

Past events: The activities performed by the internal auditor during the business understating stage can also give lot of information to the auditor to identify the possible risks for the organization. This could include past events, annual report and directors statement, past internal audit reports, risk register, etc.

Internal auditors experience: Experience of the internal auditor also plays a key role in identifying the possible risks in the particular process of the organization. The gravity of the risk identified by the auditor from his experience can be moderated by using the techniques specified in the above mentioned bullets.

Prepare Risk Register 5.26 The consolidated form of all risks is referred to as “Risk Registers” since all such identified risks most often get listed in the form of a register. The typical contents of the risk register are listed below. Contents applicable and filled till the stage of risk assessment are as follows:

(i) Auditable Entity

(ii) Sub Process

(iii) Risk Description


25

(iv) Risk Category

(v) Risk Rating

Illustrative format of the Risk Register is as follows:

Sr. no.

Auditable Entity

Sub Process Risk Description Risk Category

Risk Rating

1 Order to Cash

2 Procure to Pay

Procurement Planning

Procurement be-yond the defined budgetary limits.

Financial Loss

4

3 Vendor Selection

Inadequate ve-ndor selection due to non-compliance to procurement policies and procedures (incl. tendering)

Financial Loss

4

4 Ordering Increased cost of procurement due to ineffective negotiation/comparison of commercial bid submitted

Financial Loss

5

5 Receiving 6 Quality check 7 Invoicing 8 Accounts

payables

9 Payment processing

* Information included in the above format is illustrative.

The next step toward documentation of risk based internal audit plan is to document the detailed risk register containing the list of all the risks identified and the preliminary risk rating.


26

5.27 The next step is to prepare the summarized risk register. The objective of preparing the summarized register is to arrive at the consolidated risk rating for an auditable entity and assess the overall inherent risk in the auditable entity. There are two techniques which may be used for arriving at the summarized risk register:

(i) Arithmetic mean of preliminary risk rating: In this method, arithmetic mean of all the identified risk ratings are is calculated to arrive at the consolidated risk rating. Considering the simplicity of the technique, this is the most widely used technique to arrive at the summarized risk register.

(ii) Weighted average of preliminary risk rating: In this method, weights are assigned to all the identified risk on the basis of statistical computation of the probability and quantification of possible risk on the organisation. Weighted average of all the identified risk ratings is then calculated to arrive at the consolidated risk rating.

Illustrative Format of Summarized Risk Register

Sr. no.

Auditable Entity

Sub Process

Risk Description Risk Category

Risk Score

Consolidated Risk Rating

1 Procure to Pay


Procurement beyond the defined budgetary limits.

Financial Loss

4 3.25

2 Vendor Selection

Inadequate vendor selection due to non-compliance to procurement policies and procedures (incl. tendering)

Financial Loss

4

3 Ordering Increased cost of procurement due to ineffective negotiation/comparison of commercial bid submitted

Financial Loss

5

4 Receiving Risk of receiving more than the ordered quantity

Financial Loss

3

5 Quality Risk of accepting the Operation 4


27

Sr. no.

Auditable Entity

Sub Process

Risk Description Risk Category

Risk Score

Consolidated Risk Rating

check inferior quality of material

al/ Financial

6 Invoicing Risk of delay in invoice processing

Operational

2

7 Accounts payables Duplicate vendor

codes

Operational/ Financial

3

8 Payment processing

Risk of delay in payment processing

Operational/ Financial

1

Assess Control Environment 5.28 Preliminary assessment of the risk provides the understanding and evaluation of inherent risk. Assessment of inherent risk alone is not sufficient to identify the audit areas requiring the larger focus from the internal audit function. The inherent risk need to be factored with the mitigating controls and the control environment around the underlying processes that could reduce the level of residual risk. Hence, it is vital to perform the assessment of control environment around the identified risks. The control environment thus assessed provides the assessment of the ‘likelihood’ factor of the identified risk.

Assessing likelihood of the happening of an event comes with its own challenges. It is relatively easy to put in place a pre-set methodology for the actual measurement of the rating by taking some percentages and assigning them on 1 to 10 rating. However, what’s most difficult is the foresight required to actually determining the probability of the risk. One technique used commonly is the history of past occurrence and the periodicity of those occurrences, which can help to get a better grasp over the probability.


28

5.29 Some of the examples of situations that might influence the assessment of control environment are as below:

Inappropriate pay, reward and incentive structures which contribute to inappropriate behavior or excessive risk-taking.

Increasing employee turnover leading to insufficient experience and less reliable execution of controls. This may be the result of a number of failures in the control environment.

The absence of a defined code of conduct and ethics and/ or a whistleblower policy, absence of a process to evaluate the effectiveness of the code of conduct and ethics policy, a high number of reported frauds, or management over-ride of controls which can lead to inappropriate activity that is not detected and addressed timely.

Board’s capability and structure for effective governance. Key managers making business decisions without considering the

related risks; management may not exhibit risk and control consciousness in its decision making.

Processes relating to defining job descriptions for key positions may be weak, background checks and/ or reference checks are not consistently performed, or the organization has difficulty hiring and retaining qualified individuals.

5.30 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the updated Internal Control – Integrated Framework in 2013. The framework states “The control environment is the set of standards, processes and structures that provide the basis for carryign out internal control across the organisation. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. The control environment comprises the integrity and ethical values of the organsation; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organisational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigour around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.”

5.31 There are various factors that could affect the assessment of control environment and its rating.


29

Following factors need to be kept in mind while performing the assessment of control environment as mentioned below:

(i) Existence of preventive or detective control to mitigate risks associated with/ mapped to the business process, entity or location.

(ii) Legal compliance framework (iii) Appropriate and established IT Control environment (iv) Governance structure/ monitoring Mechanism (v) Documented policy and procedures (vi) Past incidents/ trend (vii) Organization’s sensitivity towards Health, Safety & Environment (viii) Fraud detection (ix) Balance of centralized versus decentralized operations within the

organization

Control Environment Rating Pyramid

5.32 Internal auditor need to assess and consider the level of effectiveness of control environment activities and the risk of deficiencies in the control environment, while defining the audit universe and RBIAP.

Very Strong (1)

Strong (2)

Moderate (3)

Weak (4)

Almost missing (5)


30

The control environment rating can be assessed and interpreted using the below mentioned methodology.

Control Environment

Rating

Description Illustrative Parameters for Assessing

1 Very Strong Existence of strong preventive or detective control with mechanism for continuous monitoring and update the same

Strong legal compliance framework Well established ERP system and IT

security measures Well defined and implemented policy

and procedures Consistent organisation growth with rare

surprises Balance of centralized versus

decentralized operations within the organization

2 Strong Defined preventive or detective control Strong legal compliance framework Established ERP system and IT security

measures Well defined policy and procedures and

minor deviations Consistent organisation growth with

unlikely losses Balance of centralized versus

decentralized operations within the organization

3 Moderate Defined preventive or detective control but unlikely monitoring and update exercise.

Legal compliance framework with minor deviations

Established ERP system and IT security measures

Defined policy and procedures but insufficient control on implementation and compliance to same.


31

Control Environment

Rating

Description Illustrative Parameters for Assessing

Consistent organisation growth with possible losses

4 Weak Preventive or detective controls not identified or defined

Missing legal compliance framework with alternative measure to monitor legal compliance

Moderate IT environment with missing automated controls.

Policy and procedures not formally defined and there may be possible deviations

Consistent organisation growth with frequent losses

Inadequate board monitoring and governance structure

5 Almost Missing

Missing preventive or detective controls Missing legal compliance framework

with no alternative measure to monitor legal compliance.

Insufficient IT environment with missing automated controls.

Policy and procedures not defined Inconsistent organisation growth with

major losses Inadequate board monitoring and

governance structure Inadequate decentralisation of decision

making

Update Summarized Risk Register

5.33 The next step is to update the summarized risk register. The summarized risk register needs to be updated with the following information:

(i) Factor Affecting Control Environment (ii) Control Environment Rating


32

At this stage, the detailed risk register is replaced with the summarized risk register to contain the following information: (i) Auditable Entity (ii) Sub-process (iii) Initial Risk Rating for each sub process (i.e., the consolidated risk

rating arrived in previous step) (iv) Rationale for initial risk rating (v) Control environment rating (vi) Rationale for control environment rating

Illustrative Updated Risk Register

Derive Residual Risk Rating 5.34 As referred earlier, preliminary assessment of the risk provides the understanding and evaluation of inherent risk. The inherent risk needs to be factored with the mitigating controls and the control environment around the underlying processes that could reduce the level of residual risk.

Sr. no.

Auditable

Entity

Sub Process Initial Risk

Rating

Rationale for initial risk

rating

Control environment rating

Rationale for control

environment rating

1 Procure to Pay


3.25 High risk of financial loss and procurement at high prices

4 Weak IT system and Manual controls. Policies and procedures not defined and ineffective monitoring by management.

Vendor Selection

Ordering

Receiving

Quality check

Invoicing

Accounts payables

Payment processing


33

There are two elements of a risk:

Impact Rating or Preliminary Risk Assessment Rating.

Likelihood Rating (also called probability) or Control Environment Rating.

Consequence and likelihood can be multiplied together to give a single measure of the significance of a risk, or a residual risk. For example, take a risk that purchases prices are not competitive. Assuming it has high impact on the organization’s cost of purchase, the impactrating could be major (scores 4) but the likelihood could be 3 due to moderate control environment. Table below describes the illustrative examples of calculating the residual risk scores.

Illustrative Risk Preliminary Risk Rating

(A)

Control Environment

Rating (B)

Residual Risk Score

(C)

Inadequate objectives and strategy

5 1 5

Inappropriate stocking of goods

5 1 5

Ineffective assessment of competition

5 3 15

Ineffective Pricing 5 2 10 Inadequate store layout 4 4 16 Incorrect Invoicing 4 1 4 Stock Outs 5 1 5

Thus, this can be concluded that :

Residual Risk Rating Score = Preliminary Risk Assessment x Control Environment Rating


5.35 The next step is to update the summarized risk register. The summarized risk register need to be updated with the residual Risk Rating.


34

At this stage, the summarized risk register would contain the following information:

(i) Auditable entity

(ii) Sub process

(iii) Initial risk rating for each sub process

(iv) Rationale for initial risk rating

(v) Control environment rating

(vi) Rationale for control environment rating

(vii) Residual risk rating score


Sr. no.

Auditable

Entity

Sub Process

Initial Risk

RatingA

Rationale for initial

risk rating

Control environm

ent rating

B

Rationale for control

environment rating

Residual Risk

Rating Score

C = A X B

1 Procure to Pay


3.25 High risk of financial loss and procurement at high prices

4 Weak IT system and Manual controls. Policies and procedures not defined and ineffective monitoring by management.

13

Vendor Selection Ordering Receiving Quality check Invoicing Accounts payables Payment processing


35

The Matrix below describes the residual risk rating score for all combinations of the Preliminary Risk Assessment and Control Environment Rating.

Develop Internal Audit Plan 5.36 Business environment is very dynamic, typically three to five years internal audit plan is developed, considering the nature of business, business environment, stability of the business processes, changes in the objective of the management and expectations from the internal audit.

With certain adjustments based on management and audit committee input or regulatory requirements, low- risk areas would be audited every three years, moderate-risk areas audited every other year, and high-risk areas audited every year. The three-year audit plan should be revisited each year during the update phase of the risk assessment process and adjustments should be made based on new or changed risk factors. This methodology allows the internal auditor flexibility in a changing risk environment. Further consideration should be given to the following aspect while deriving the annual internal audit plan.

Availability of audit resources over the 3 year period;

Very Strong

(1)

Strong (2)

Moder-ate (3)

Weak (4)

Almost Missing (5)

2

Insignificant (1) Minor (2) Moderate (3) Major (4) Critical (5)

Con

trol

Env

ironm

ent R

atin

g

Preliminary Risk Assessment

16

3 2 1 5

3

5

4

4

4

6

6

9

12 8

8

12

10

10 15 20

15

20

25


36

Feasibility of conducting an audit; Conduct of other reviews providing oversight; Mandated audit projects; Management requests; Audit and Evaluation Committee direction. 5.37 New priorities are determined based on these considerations; audits are defined for the top priorities. The outcome is a short-list of audit projects and activities to be conducted during the coming three-year planning horizon. An analysis of the proposed audit coverage of the organization is conducted in order to ensure an appropriately balanced audit plan. The project team considered the number of corporate risks covered by the plan, the number of priorities covered, and how the allocation of audit resources aligns with the organization’s expenditures.

Acceptable Range of Risks 5.38 At this stage it is important to understand and define the organisation’s ‘risk appetite’. One method of deciding which risks to accept is to place them on a grid of Risk and Control Environment rating. This enables the board/ audit committee to define the action it requires internal audit function to take for each likelihood/ consequence combination. The boundary between the acceptable risks and those which require managing is known as the ‘risk appetite’. If inherent risks cannot be managed below this line by ‘treatment’ then they will have to be terminated, transferred or tolerated.

Selection of Risks 5.39 At this point, the risk and audit universe shows risks, their scores and the audits linked to them. There will be a range of scores and, in drawing up the audit plan, a policy will have to be established about which risks to cover and how often. It is unlikely that the board, or audit committee, will require assurance on the management of every risk above the risk appetite, every year. They may require assurance on the risks with a high likelihood of significant/ critical losses every year but other risks above the risk appetite every two or three years. Note the audit action to be taken and the next audit year in the appropriate columns. The diagram below shows a possible method of assessing the type of work and frequency. The thick line represents the risk appetite (the equation of the line is control risk = inherent risk – risk appetite).

5.40 Tfall in appropderived

Zone Considrange attentiomaximconsult

Zone 2also veauditedthe risk

Zone 3moderaaudited

Zone 4missingthree y

F

The various aany of the Z

priate audit plad as per below

1: These are dering the factof the organison. For these um. These atancy work an

2: Areas wherery strong, thed every year ak is high.

3: Areas wherate, the residd every two ye

4: Areas wheg, the residua

year as the pos

Frequency of

auditable entitiZone 1 to 4

an for the variow explanation:

the areas bet that they arsation, these areas contro

areas require d develop the

re inherent riske residual risk as the control i

re inherent risdual risk scoreears.

ere inherent ril risk score is ssible impact

RBIAP — Dev

37

Audit and its

es can be ploas mentione

ous auditable

elow the risk e well within does not reql score is minmanagement

control enviro

k is near maxiscore remain is considered

k is moderatee remain med

isk is minor alow. These aron the organis

velopment and

Selection

otted on a mated in the aboentities in thes

appetite of ththe tolerance

quire immediatnimal and the t attention toonment.

imum and the high. These ato be very effe

and the contdium. These

and the controreas need to bsation is low.

d Implementati

trix which wouove graph. Tse zones can

he organisatio(Risk Appetit

te internal auinherent risk

o carry out t

control scoreareas need to ective as well

rol score is alareas could

ol score is albe audited eve

ion

uld he be

on. te) dit is

he

is be as

so be

so ery


38

Planning and Developing Internal Audit Plan 5.41 At this stage, the risk and audit universe shows risks, their scores and the audits linked to them. Internal audit function needs to plot the auditable entities in the following zones based on the residual risk ratings and the immediate objective of the management and audit committee. (i) High Risk: This is said to be the unacceptable zone, where the

residual risk score is more than 12. These are the areas with high inherent risk and low control environment. These areas need to be audited every year until the residual risk are reduced and brought in the manageable zone.

(ii) Medium Risk: This is said to be the manageable zone, where the residual risk score is more than 8 and less than or equal to 12. These are the areas with minor to critical risk and varying control environment. These areas need to be audited once in every two year until the residual risk are reduced to advisable zone.

(iii) Low Risk: This is said to be the advisable zone, where the residual risk score is more than 4 and less than or equal to 8. These are the areas with insignificant to Major risk and strong to almost missing control environment. These areas need to be audited once in every three year until the residual risk are reduced acceptable zone.

(iv) Insignificant Risk: This is said to be the acceptable zone, where the residual risk score is less than or equal to 4. These are the areas with low risk and strong control environment. These areas need not be audited unless Board/ Management/ Audit Committee directs considering the recent changes or business objectives. This is the zone which contains the areas within the risk appetite of the organisation.

Update Risk Register and Audit Universe 5.42 The risk register containing all identified and assessed risk need to be updated with following: (i) Factors Affecting Control Environment (ii) Control Environment Rating (iii) Risk Category (iv) Risk Rating


39


5.43 The next step is to update the summarized risk register. The summarized risk register need to be updated with the frequency of internal audit.

At this stage, the summarized risk register would contain the following information:

(i) Auditable entity

(ii) Sub-Process

(iii) Initial Risk Rating for each sub process

(iv) Rationale for initial risk rating

(v) Control environment rating

(vi) Rationale for control environment rating

(vii) Residual Risk Rating Score

(viii) Frequency of Audit


Sr. no

Auditable

Entity

Sub Process

Initial Risk

RatingA

Rationale for initial

risk rating

Control environ

ment rating

B

Rationale for control environment rating

Residual Risk Rating Score

C = A X B

Frequency

of Audit

1 Procure to Pay


3.25 High risk offinancial loss andprocurement at highprices

4 Weak ITsystem and Manual controls. Policies and proceduresnot defined and ineffective monitoring by management.

13 Once in ayear Vendor

Selection Ordering Receiving Quality check Invoicing Accounts payables Payment processing


40

The Matrix below describes the residual risk rating score for all combinations of the Preliminary Risk Assessment and Control Environment Rating and the corresponding audit frequency.

Matrix of Residual Risk Scores and Audit Frequency

Implement and Update RBIAP 5.44 Once the three year risk based internal audit plan is developed, the same needs to be implemented in the organisation for ensuring effective conduct of the internal audit activities. For effective implementation of the RBIAP, the following stages are involved.

(i) Prepare audit scope (ii) Allocate resources, engagement scheduling and execution (iii) Re-assess risk and control environment (iv) Update RBIAP

Very Strong

(1)

Strong (2)

Moderate (3)

Weak (4)

Almost Missing

(5) Insignificant (1) Minor (2) Moderate (3) Major (4) Critical (5)

Con

trol

Env

ironm

ent R

atin

g

Preliminary Risk Assessment

2 Acceptable

16

3 Acceptable

2 Acceptable

1 Acceptable 5

3 Acceptable

5

4 Acceptable

4 Acceptable

4 Acceptable

6

6

9

12 8

8

12

10

10 15 20

15

20

25


41

Prepare Internal Audit Scope

5.45 As per the SIA 1, “Planning an Internal Audit” issued by The Institute of Chartered Accountant of India:

“15. The next stage in planning an internal audit is establishing the scope of the engagement. The scope of the engagement should be sufficient in coverage so as to meet the objectives of the engagement. The internal auditor should consider the information gathered during the preliminary review stage to determine the scope of his audit procedures. The nature and extent of the internal auditor’s procedures would also be affected by the terms of the engagement. In case the internal auditor is of the view that circumstances exist which would restrict the auditor from carrying out the procedures, including any alternative procedures, considered necessary by him, he should discuss the matter with the client to reach a conclusion whether or not to continue the engagement. The scope of his engagement should documented comprehensively to avoid misunderstanding on the areas covered for audit. The internal auditors are often confronted with a situation where client denies access to certain information or has a negative list of areas where internal audit is not desired. There are also situations where while the client requires internal audit procedures to be carried but findings are not to form part of the reportbut to be reported separately.

16. Further, in case of information technology based environment, the scope of engagement would include the extent to which internal auditor are permitted to access the system and reports which can be viewed and those which can be exported. Further, system based audit tools that an internal auditor can use to draw and analyze the data should be clearly understood in the scope of his engagement.”

5.46 The annual internal audit plan need to be approved by the board/ audit committee and should be developed on the basis of the three year RBIAP and the following additional factors:

Changes in the business environment Changes in the organisation structure


42

Changes in the business processes Changes in the regulatory environment Time of last audit engagement Availability of the skilled resources Management’s feedback and expectation from internal audit Changes in employee and government relations Recent change in accounting system Recent change in key personnel

5.47 The audit scope for the year need to be developed considering the above mentioned factors. The scope, thus, prepared would be finalized for an year and approved by the board/ audit committee. The audit scope comprises of the following:

Auditable entities Locations to be covered Tentative schedule of the audit Key objective of the audit Factors which define the limits of the audit including processes

specifically excluded Any special considerations, such as management requests, provided

they are acceptable Personnel carrying out the audit, including any special responsibilities

Allocate Resources, Engagement Scheduling and Execution 5.48 We can decide on the staff resources required to deliver the internal audit plan by deciding on the number of days each level of auditor is required for each audit, adding these up, and comparing them with the total days available. Note that audits will vary in length, even those which are high risk could be done very quickly. It may only take logging into organisation’s intranet to confirm that it has a strategy, and this is being communicated. The resource requirements should be regularly updated to ensure the plan can be completed, especially, if audits are added and staff leave.

Next step is to perform the detailed engagement scheduling based in the


43

allocated resources, availability of the auditee, target date to finalise the report and criticality and extent of audit required. The schedule need to be agreed with the auditee before execution. The schedule need to be realistic to ensure adequate coverage of the work plan, assessment of all the identified risks and testing of all the controls. This is followed by the execution of the internal audit as per the defined approach and methodology of the internal audit function of the organisation and the relevant auditing standards.

Steps for Audit Scheduling, Resource Allocation and Execution

Re-assess Risk and Control Environment and Update RBIAP 5.49 SIA 1 “Planning as Internal Audit” defines audit universe as “Audit universe comprises the activities, operations, units, etc., to be subjected to audit during the planning period. The audit universe is designed to reflect the overall business objectives and therefore includes components from the strategic plan of the entity. Thus, the audit universe is affected by the risk management process of the client. The audit universe and the related audit plan should also reflect changes in the management’s course of action, corporate objectives, etc.”

Develop and approve Risk Based Internal Audit Plan

Derive Annual Audit Plan Audit Schedule

Resource AllocationConduct AuditUpdate Risk

Registers and RBIAP

Report to Audit Committee


44

Planning involves developing an overall plan for the expected scope and conduct of audit and developing an audit programme showing the nature, timing and extent of audit procedures. Planning is a continuous exercise. A plan once prepared should be continuously reviewed by the internal auditor to identify any modifications required to bring the same in line with the changes, if any, in the audit environment. However, any major modification to the internal audit plan should be done in consultation with those charged with governance. Further, the internal auditor should also document the changes to the internal audit plan.

Therefore, the preparation of the risk based internal audit plan is based on the defined methodology to be followed and the various steps as described earlier. It is vital to note that the entire exercise of the risk identification, prioritization and development of audit plan is not scientific and some level of judgement and past experience is involved while preparing the risk based internal audit plan. The risk registers prepared should be reviewed periodically and updated while performing the actual internal audit.

5.50 As discussed earlier, risk identification is the process to identify all possible risk in the auditable entities identified at the time of preparation of the audit universe. This includes evaluation of ‘what can go wrong’ in the particular process attached with the identified auditable entity which can have any adverse impact on the organization. The adverse impact could be in the form of possible financial loss, operational inefficiency and ineffectiveness, statutory non-compliance, incorrect reporting etc. The quality and effectiveness of the risk assessment depends on the comprehensiveness and completeness of the risk identification exercise. The risk identification can be more comprehensive and complete by the exercise of continuous exercise of re-validating the risk along with the audit execution.

The risk based internal audit plan should be evaluated every year by repeating the steps involved in development of risk based internal audit plan to identify if there are some auditable entities for which residual risk score has increased or decreased and that is required to be audited more often, or the same be brought down to the manageable/ acceptable zone to reduce the frequency of internal audit.


45

Steps for Developing the Audit Universe

Draft initial sketch of audit universe

Develop RBIAP

Allocate Resources, engagement scheduling and execution

Re-assess risk and control environment

Updated RBIAP

Revalidate RBIAP

Approve RBIAP

46

Chapter 6

Case Study

Situation Company is involved in upstream and midstream business of oil and gas with wide spread business across the country having a Corporate Office, Plant Operations and Depots. Internal audit function of the Company comprises of a small team who needs to complete the internal audit for the Company as per the annual charter approved by the Audit Committee of the Company. The IA function is headed by an Internal Audit Head who is reporting to the Audit Committee. Audit Committee directs the IA head to prepare the Risk Based Internal Audit Plan (RBIAP) of the Company for a period of 3 years.

Solution

IA head forms a team of 4 members comprising of Accounting and Technical professionals. The team which has follows the following steps to prepare the RBIAP:

(a) Define objective, criteria and risk appetite

(b) Understanding the business environment and processes

(c) Prepare audit universe

(d) Risk identification

(e) Risk prioritization and rating

(f) Assess control environment

(g) Derive residual risk rating

(h) Develop internal audit plan

Steps (a) and (b) equips the team with the relevant knowledge and information required for the purpose of developing the RBIAP (Refer Chapter 5 for steps). The illustrative deliverables of the steps (c) to (h) are summarized below:

Case Study

47

Step

1: P

repa

re A

udit

Uni

vers

e

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

Cor

pora

te O

ffic

e Pl

ant

Dep

ot

1 Co

ntra

cts

1.1

Tend

ering

and

RFQ

1

Cont

racts

1.

2 Co

ntra

cting

and

Ord

ering

2 Pl

ant O

pera

tions

2.

1 Pr

oduc

tion

and

Distr

ibutio

n

2

Plan

t Ope

ratio

ns

2.2

Oper

ation

and

Main

tena

nce

2 Pl

ant O

pera

tions

2.

3 Sa

fety

and

Envir

onm

ent

3 Dr

illing

3.

1 Dr

illing

Prep

are

Aud

it U

nive

rse

Risk

Ide

ntific

ation

Risk

pr

ioritiz

ation

an

d rati

ng

Asse

ss

contr

ol en

viron

ment

Deriv

e Re

sidua

l Ri

sk R

ating

Deve

lop

Inter

nal

Audit

plan


48

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

Cor

pora

te O

ffic

e Pl

ant

Dep

ot

4 In

form

ation

Tec

hnolo

gy

4.1

IT S

ecur

ity

4

Info

rmat

ion T

echn

ology

4.

2 ER

P an

d ot

her a

pplic

ation

s

5

Geolo

gy &

Res

ervo

ir 5.

1 Ge

ology

& R

eser

voir

6 Re

sear

ch a

nd D

evelo

pmen

t 6.

1 Re

sear

ch a

nd D

evelo

pmen

t

7

Mat

erial

Man

agem

ent

7.1

MM

- Pl

annin

g &

Rece

iving

7

Mat

erial

Man

agem

ent

7.2

MM

- De

pot

7

Mat

erial

Man

agem

ent

7.3

MM

- In

vent

ory H

andli

ng a

nd

Stor

age

8 W

ell L

oggin

g 8.

1 W

ell L

oggin

g

9

Fina

nce

and

Acco

unts

9.1

Fina

ncial

Plan

ning

and

Analy

sis

9 Fi

nanc

e an

d Ac

coun

ts 9.

2 Tr

easu

ry

9 Fi

nanc

e an

d Ac

coun

ts 9.

3 Fi

nanc

ial R

epor

ting

9

Fina

nce

and

Acco

unts

9.4

Asse

t Man

agem

ent

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

9

Fina

nce

and

Acco

unts

9.6

Invo

icing

and

Rec

eivab

les

9

Fina

nce

and

Acco

unts

9.7

JV O

pera

tions

Case Study

49

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

Cor

pora

te O

ffic

e Pl

ant

Dep

ot

9 Fi

nanc

e an

d Ac

coun

ts 9.

8 Ta

xatio

n

10

Hu

man

Res

ourc

e 10

.1

Recr

uitm

ent

10

Hum

an R

esou

rce

10.2

Le

arnin

g an

d De

velop

men

t

10

Hu

man

Res

ourc

e 10

.3

Sepa

ratio

ns

10

Hum

an R

esou

rce

10.4

Pa

yroll

Pro

cess

11

Pr

ojects

11

.1

Plan

ning

and

Inve

stmen

t

11

Pr

ojects

11

.2

Exec

ution

and

han

dove

r

12

Bu

sines

s Dev

elopm

ent

12.1

Bu

sines

s Dev

elopm

ent

13

Explo

ratio

n &

Deve

lopm

ent

13.1

Ex

plora

tion

& De

velop

men

t

14

M

ainte

nanc

e 14

.1

Pipe

line

Main

tena

nce

14

Main

tena

nce

14.2

Eq

uipm

ent M

ainte

nanc

e


50

Step

2: R

isk

Iden

tific

atio

n

D

. Sr.

N

o.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Cor

pora

te

Off

ice

Plan

t D

epot

1 Co

ntra

cts

1.1

Tend

ering

an

d RF

Q

Pr

ocur

emen

t be

yond

the

de

fined

bud

geta

ry lim

its.

Fina

ncial

1 Co

ntra

cts

1.1

Tend

ering

an

d RF

Q

In

adeq

uate

ve

ndor

se

lectio

n du

e to

no

n-co

mpli

ance

to

pr

ocur

emen

t poli

cies

and

proc

edur

es

(incl.

te

nder

ing)

Fina

ncial

1 Co

ntra

cts

1.1

Tend

ering

an

d RF

Q

In

crea

sed

cost

of

proc

urem

ent

due

to

ineffe

ctive

ne

gotia

tion/

Fina

ncial

Prep

are

Audit

Un

iverse

Risk

Ide

ntific

ation

Risk

pr

ioritiz

ation

an

d rati

ng

Asse

ss

contr

ol en

viron

ment

Deriv

e Re

sidua

l Ri

sk R

ating

Deve

lop

Inter

nal A

udit

plan

Case Study

51

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

com

paris

on

of

com

mer

cial b

id su

bmitte

d 1

Cont

racts

1.

1 Te

nder

ing

and

RFQ

Unfa

vour

able

RFQ

term

s an

d co

nditio

ns.

Fina

ncial

1 Co

ntra

cts

1.1

Tend

ering

an

d RF

Q

Ri

sk

of

favo

ritism

to

ve

ndor

. Fi

nanc

ial

1 Co

ntra

cts

1.1

Tend

ering

an

d RF

Q

In

appr

opria

te

tech

nical

evalu

ation

pro

cedu

res.

Fina

ncial

1 Co

ntra

cts

1.1

Tend

ering

an

d RF

Q

In

adeq

uate

pr

oced

ures

fo

r pr

ocur

emen

t in

case

of

pro

priet

ary i

tem

s.

Fina

ncial

1 Co

ntra

cts

1.1

Tend

ering

an

d RF

Q

Fi

ctitio

us v

endo

rs i

n th

e sy

stem

Fi

nanc

ial

1 Co

ntra

cts

1.2

Cont

racti

ng

and

Orde

ring

Cont

ract

term

s an

d co

nditio

ns n

ot fa

vour

able

to th

e Co

mpa

ny

Fina

ncial

1 Co

ntra

cts

1.2

Cont

racti

ng

and

Orde

ring

Delay

in

cont

racti

ng o

r or

derin

g Op

erat

ional

1 Co

ntra

cts

1.2

Cont

racti

ng

Risk

of

iss

ue

of

Fina

ncial


52

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

and

Orde

ring

unau

thor

ised

orde

r.

1 Co

ntra

cts

1.2

Cont

racti

ng

and

Orde

ring

Inad

equa

te

cont

ract

com

plian

ce p

roce

dure

s. Op

erat

ional

1 Co

ntra

cts

1.2

Cont

racti

ng

and

Orde

ring

Wor

k sta

rted

befo

re

com

pletio

n of

con

tracti

ng

proc

edur

es.

Oper

ation

al

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Regu

lar

upda

tion

and

revie

w of

th

e ac

tual

prod

uctio

n ag

ainst

the

plann

ed

prod

uctio

n no

t do

ne.

Fina

ncial

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Prod

uctio

n lev

els m

ay n

ot

have

be

en

mon

itore

d re

gular

ly on

a

Cent

ral

Tank

Far

m (

CTF)

, GG

S an

d we

ll-wi

se b

asis

for

the

level

of o

il pro

ducti

on

Fina

ncial

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Prod

uctio

n ta

rget

s ar

e no

t be

ing c

omm

unica

ted

Fina

ncial

Case Study

53

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

Distr

ibutio

n an

d m

onito

red

by

the

Grou

p Ga

ther

ing S

tatio

ns

(GGS

).

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Crud

e Oi

l pil

fera

ges

/ lea

kage

s wh

ile

trans

porta

tion

Fina

ncial

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Inco

rrect

certi

ficat

ion

of

bills

Fina

ncial

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Inad

equa

te

testi

ng

of

mat

erial

use

d lea

ding

to

well

issue

s lat

er a

ffecti

ng

prod

uctio

n

Fina

ncial

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Non-

utiliz

ation

of

th

e as

sets

Fina

ncial

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Inad

equa

te

fire

safe

ty ar

rang

emen

t at s

ite

Healt

h, S

afet

y &

Envir

onm

ent

2 Pl

ant

2.1

Prod

uctio

n an

d

W

rong

fina

ncial

repo

rting

du

e to

ina

dequ

ate

Inco

rrect

Fina

ncial


54

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

Oper

ation

s Di

stribu

tion

cont

rols

on

prod

uctio

n re

cord

ing

Repo

rting

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Inad

equa

te

QA

/ QC

pr

oces

s du

ring

Prod

uctio

n

Fina

ncial

Los

s

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Prod

uctio

n los

s du

e to

ina

dequ

ate

brea

kdow

n an

alysis

and

com

plian

ce

Fina

ncial

Los

s

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion

and

Main

tena

nce

Sche

duled

m

ainte

nanc

e an

d wo

rk o

ver o

pera

tions

fo

r va

rious

we

lls

not

plann

ed in

adv

ance

.

Oper

ation

al

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion

and

Main

tena

nce

Trac

k of

tota

l am

ount

of

wate

r pu

mpe

d int

o ea

ch

well

is no

t bein

g tra

cked

ca

using

ove

r pu

mpin

g of

wa

ter.

Oper

ation

al

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion

and

Main

tena

nce

Appr

opria

te r

ecor

ds a

re

not

being

main

taine

d in

resp

ect

of t

he c

ollec

tion

of o

il an

d ga

s fro

m t

he

Oper

ation

al

Case Study

55

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

wells

2

Plan

t Op

erat

ions

2.2

Oper

ation

an

d M

ainte

nanc

e

Flow

met

ers

at C

TF a

re

not

prop

erly

calib

rate

d an

d th

e ca

libra

tion

is no

t be

ing

perio

dicall

y ch

ecke

d.

Pum

ping

reco

rds

of t

he

exte

nt o

f oil

pum

ped

to

the

custo

mer

ar

e no

t pr

oper

ly ke

pt

and

main

taine

d.

Oper

ation

al

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion

and

Main

tena

nce

Prod

uctio

n fa

ilure

/ los

s du

e to

ina

dequ

ate

prev

entiv

e m

ainte

nanc

e sc

hedu

le or

lac

k of

co

mpli

ance

of s

ched

ule.

Fina

ncial

Los

s

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion

and

Main

tena

nce

Delay

s in

main

tena

nce

Fi

nanc

ial L

oss

2 Pl

ant

Oper

ation

s 2.

3 Sa

fety

and

Envir

onm

ent

Regu

lar v

isits

of t

he o

il we

ll ar

e no

t co

nduc

ted

Oper

ation

al


56

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

and

all

oil

well

insta

llatio

ns a

re n

ot b

eing

inspe

cted

2 Pl

ant

Oper

ation

s 2.

3 Sa

fety

and

Envir

onm

ent

HSE

non-

com

plian

ces

by

cont

racto

rs

Stat

utor

y Non

co

mpli

ance

3

Drilli

ng

3.1

Drilli

ng

The

cost

bene

fit an

alysis

fo

r dr

illing

no

t do

ne

resu

lting

into

exce

ss c

ost

of o

pera

tions

.

Fina

ncial

3 Dr

illing

3.

1 Dr

illing

Ri

sk o

f acc

ident

s du

e to

ina

dequ

ate

traini

ng a

nd

mis-

hand

ling.

Healt

h, S

afet

y an

d En

viron

men

t 3

Drilli

ng

3.1

Drilli

ng

Inad

equa

te

HSE

com

plian

ce a

t the

dril

ling

sites

.

Healt

h, S

afet

y an

d En

viron

men

t 3

Drilli

ng

3.1

Drilli

ng

Dam

age

to

the

equip

men

t du

e to

ina

dequ

ate

secu

rity

at

the

drilli

ng si

te.

Fina

ncial

3 Dr

illing

3.

1 Dr

illing

Su

b-op

timal

utiliz

ation

of

rigs

and

othe

r dr

illing

Fi

nanc

ial

Case Study

57

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

equip

men

t. 3

Drilli

ng

3.1

Drilli

ng

Delay

s in

oper

ation

due

to

ina

dequ

ate

co-

ordin

ation

and

dela

ys i

n eq

uipm

ent a

vaila

bility

.

Oper

ation

al

3 Dr

illing

3.

1 Dr

illing

M

is-ali

gnm

ent

of

the

drilli

ng

plan

with

th

e ov

erall

wor

k pro

gram

Fina

ncial

3 Dr

illing

3.

1 Dr

illing

W

rong

fina

ncial

repo

rting

du

e to

ina

ppro

priat

e inp

uts

for

cost

alloc

ation

pr

oces

s, we

ll co

st re

conc

iliatio

n pr

oces

s

Repo

rting

3 Dr

illing

3.

1 Dr

illing

La

ck

of

plann

ing

and

mon

itorin

g of

co

st an

d ef

fort

involv

ed i

n dr

illing

of

well

s (re

cord

ing a

nd

mon

itorin

g ag

ainst

KPIs

/ Ta

rget

s)

Fina

ncial

3 Dr

illing

3.

1 Dr

illing

In

effe

ctive

/ In

effic

ient

func

tionin

g of

the

proc

ess

Fina

ncial


58

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

due

to n

on-c

ompli

ance

to

polic

ies a

nd p

roce

dure

s de

fined

4

Info

rmat

ion

Tech

nolog

y 4.

1 IT

Sec

urity

Unau

thor

ized

syste

m

acce

ss

due

to

weak

log

ical

acce

ss

cont

rol

right

s, pa

sswo

rd c

ontro

ls,

etc.

Oper

ation

al

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

In

adeq

uate

en

viron

men

t co

ntro

ls.

Oper

ation

al

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

In

adeq

uate

ac

cess

co

ntro

ls to

dat

a ce

ntre

. Op

erat

ional

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

Un

auth

orise

d ac

cess

to

data

cent

re.

Oper

ation

al

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

Pe

nal c

onse

quen

ces

due

to u

sage

on

unlic

ense

d so

ftwar

es.

Fina

ncial

Los

s

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

Di

saste

r re

cove

ry p

olicy

an

d pr

oced

ures

to

ide

ntify

crit

ical

busin

ess

appli

catio

ns/

data

no

t

Fina

ncial

Los

s

Case Study

59

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

defin

ed

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

In

crea

sed

vulne

rabil

ity o

f th

e ne

twor

k to

intru

sions

- e

xtern

al or

inte

rnal.

Fina

ncial

Los

s

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

Le

akag

e/

loss

of

sens

itive

infor

mat

ion/

corru

pted

an

d ins

ecur

e da

ta

Fina

ncial

Los

s

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

Corru

pt/ l

oss

of d

ata

due

to

inade

quat

e co

nfigu

ratio

n an

d log

ical

cont

rols

with

in SA

P

Inco

rrect

Fina

ncial

Re

porti

ng

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

Unau

thor

ized

trans

actio

ns

due

to

inade

quat

e se

greg

ation

of

dut

ies

Fina

ncial

Los

s

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

Inac

cura

te

mas

ter

data

du

e to

ina

dequ

ate

cont

rols

on m

aste

r da

ta

main

tena

nce

and

chan

ges

Fina

ncial

Los

s


60

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

Abse

nce

of a

n au

dit tr

ail

in ca

se o

f un

auth

orize

d ac

cess

/ us

ers.

Fina

ncial

Los

s

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

Inad

equa

te s

yste

m l

ogic

cont

rols

to

prev

ent

unau

thor

ized/

inc

orre

ct tra

nsac

tion

proc

essin

g th

roug

h SA

P.

Fina

ncial

Los

s

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

Inad

equa

te

user

m

anag

emen

t Fi

nanc

ial L

oss

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

Acce

ss

and

ID

of

the

sepa

rate

d em

ploye

es n

ot

rem

oved

.

Fina

ncial

Los

s

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Ex

isting

wor

k be

ing d

one

with

in th

e de

partm

ent

is no

t ba

cked

up

by

a

phys

ical p

lan.

Oper

ation

al

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Pr

oper

pro

cedu

re d

o no

t ex

ists

or a

re n

ot fo

llowe

d wh

ile d

ecidi

ng th

e typ

e of

Oper

ation

al

Case Study

61

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

surv

ey (

2D,

3D o

r 4D

su

rvey

). 5

Geolo

gy &

Re

serv

oir

5.1

Geolo

gy &

Re

serv

oir

Cost

repo

rt no

t pre

pare

d Fi

nanc

ial

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Su

rvey

s do

ne

are

not

prop

erly

reco

rded

. Op

erat

ional

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Ad

equa

te

phys

ical

secu

rity

does

not

exis

t of

the

reco

rded

dat

a

Healt

h, S

afet

y an

d En

viron

men

t 5

Geolo

gy &

Re

serv

oir

5.1

Geolo

gy &

Re

serv

oir

Unav

ailab

ility

of

adeq

uate

tec

hnica

l da

ta

used

fo

r pr

opos

ing

explo

rato

ry lo

catio

ns

Oper

ation

al

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

In

abilit

y to

op

timize

/ ac

tuali

ze

expe

cted

retu

rns

from

exp

lorat

ion

block

s

Fina

ncial

Los

s

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

De

lays

in m

onito

ring

the

rese

rves

Fi

nanc

ial L

oss

5 Ge

ology

&

5.1

Geolo

gy &

In

accu

rate

esti

mat

ion o

f In

corre

ct


62

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

Rese

rvoir

Re

serv

oir

rese

rves

Fi

nanc

ial

Repo

rting

5

Geolo

gy &

Re

serv

oir

5.1

Geolo

gy &

Re

serv

oir

Inco

rrect

inter

pret

ation

du

e to

no

quali

ty re

view

proc

ess

of v

alida

ting

the

inter

pret

ation

wor

kflow

/

cycle

follo

wed

Fina

ncial

Los

s

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

De

lay

in se

ismic

data

pr

oces

sing

due

to

ineffe

ctive

sche

dulin

g

Fina

ncial

Los

s

6 Re

sear

ch a

nd

Deve

lopm

ent

6.1

Rese

arch

an

d De

velop

men

t

Inad

equa

te c

alibr

ation

of

R&D

tools

an

d eq

uipm

ents

caus

ing

incor

rect

resu

lts.

Fina

ncial

Los

s

6 Re

sear

ch a

nd

Deve

lopm

ent

6.1

Rese

arch

an

d De

velop

men

t

High

co

st of

op

erat

ion

due

to

obso

lete

tech

nolog

y.

Fina

ncial

Los

s

6 Re

sear

ch a

nd

Deve

lopm

ent

6.1

Rese

arch

an

d De

velop

men

t

Delay

in p

rocu

rem

ent

of

lab e

quipm

ents

caus

ing

delay

in

com

pletio

n of

R&

D ac

tivitie

s

Fina

ncial

Los

s

Case Study

63

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

7 M

ater

ial

Man

agem

ent

7.1

MM

- Pl

annin

g &

Rece

iving

Risk

of

rece

iving

mor

e th

an th

e or

dere

d qu

antit

y Fi

nanc

ial

7 M

ater

ial

Man

agem

ent

7.1

MM

- Pl

annin

g &

Rece

iving

Risk

of

ac

cept

ing

the

infer

ior q

uality

of m

ater

ial

Fina

ncial

7 M

ater

ial

Man

agem

ent

7.1

MM

- Pl

annin

g &

Rece

iving

Prop

er q

uality

ass

uran

ce

testi

ng

of

all

raw

mat

erial

s is

not

done

wh

en it

is re

ceive

d.

Fina

ncial

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

Un

auth

orize

d dis

posa

l of

scra

p Fi

nanc

ial L

oss

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

In

adeq

uate

se

greg

ation

of

du

ties

betw

een

pers

onne

l res

pons

ible

for

orde

ring,

re

ceivi

ng

and

issue

of m

ater

ial

Fina

ncial

Los

s

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

In

vent

ory

loss

due

to

weak

sto

rage

/ sta

cking

an

d se

greg

ation

gu

idelin

es.

Fina

ncial

Los

s


64

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

Fi

nanc

ial

loss

due

to

inade

quat

e se

curit

y pr

oced

ures

at

th

e wa

reho

use

Fina

ncial

Los

s

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

Lo

ss

of

life/

reso

urce

s du

e to

non

-com

plian

ce to

re

gulat

ory

laws

and

regu

lation

s

Healt

h, S

afet

y &

Envir

onm

ent

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

De

lay

in re

newa

l or

ex

piry o

f var

ious l

icens

es

Stat

utor

y Non

co

mpli

ance

7

Mat

erial

M

anag

emen

t 7.

3 M

M -

Inve

ntor

y Ha

ndlin

g an

d St

orag

e

Un

auth

orize

d an

d ina

ppro

priat

e ind

entin

g Fi

nanc

ial L

oss

7 M

ater

ial

Man

agem

ent

7.3

MM

- In

vent

ory

Hand

ling

and

Stor

age

In

adeq

uate

mon

itorin

g of

slo

w/

non-

mov

ing

inven

tory

Fina

ncial

Los

s

7 M

ater

ial

Man

agem

ent

7.3

MM

- In

vent

ory

Hand

ling

Da

mag

e to

spa

res

and

mat

erial

du

e to

ina

dequ

ate

stora

ge.

Fina

ncial

Los

s

Case Study

65

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

and

Stor

age

7 M

ater

ial

Man

agem

ent

7.3

MM

- In

vent

ory

Hand

ling

and

Stor

age

Cr

itical

spar

es

not

ident

ified

and

main

taine

d Fi

nanc

ial L

oss

7 M

ater

ial

Man

agem

ent

7.3

MM

- In

vent

ory

Hand

ling

and

Stor

age

Un

auth

orise

d iss

ue

of

mat

erial

Fi

nanc

ial L

oss

8 W

ell L

oggin

g 8.

1 W

ell L

oggin

g

Ab

senc

e of

mon

itorin

g of

th

e tim

e ta

ken

to in

terp

ret

the

data

giv

en

to

the

inter

pret

ation

te

am

and

revie

w th

e re

cord

s m

ainta

ined

in th

is re

spec

t to

asc

erta

in m

ajor d

elays

.

Oper

ation

al

8 W

ell L

oggin

g 8.

1 W

ell L

oggin

g

In

adeq

uate

re

cord

s m

ainta

ined

to d

ocum

ent

discu

ssion

s an

d co

nclus

ions

of

inter

pret

ation

team

.

Oper

ation

al


66

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

8 W

ell L

oggin

g 8.

1 W

ell L

oggin

g

Da

taba

se/

infor

mat

ion

not

main

taine

d ab

out

unsu

cces

sful

wells

an

d th

e sa

me

is us

ed d

uring

su

bseq

uent

dec

ision

s.

Oper

ation

al

8 W

ell L

oggin

g 8.

1 W

ell L

oggin

g

Exist

ing w

ork

being

don

e wi

thin

the

Depa

rtmen

t is

not b

acke

d up

by a

plan

.

Oper

ation

al

9 Fi

nanc

e an

d Ac

coun

ts 9.

1 Fi

nanc

ial

Plan

ning

and

Analy

sis

Delay

s in

prep

arat

ion a

nd

com

mun

icatio

n of

ann

ual

plans

.

Oper

ation

al

9 Fi

nanc

e an

d Ac

coun

ts 9.

1 Fi

nanc

ial

Plan

ning

and

Analy

sis

Inap

prop

riate

bas

is an

d inp

uts f

or p

lannin

g Op

erat

ional

9 Fi

nanc

e an

d Ac

coun

ts 9.

1 Fi

nanc

ial

Plan

ning

and

Analy

sis

Man

agem

ent

Info

rmat

ion

Syste

m

inade

quat

ely

align

ed

with

str

ateg

ic ob

jectiv

es

Inco

rrect

Fina

ncial

Re

porti

ng

9 Fi

nanc

e an

d Ac

coun

ts 9.

1 Fi

nanc

ial

Plan

ning

and

Analy

sis

Delay

s in

finan

cial

repo

rting

and

clos

ing

Oper

ation

al

Case Study

67

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

9 Fi

nanc

e an

d Ac

coun

ts 9.

2 Tr

easu

ry

Adve

rse

fluctu

ation

in

fore

ign e

xcha

nge

rate

s Fi

nanc

ial L

oss

9 Fi

nanc

e an

d Ac

coun

ts 9.

2 Tr

easu

ry

Inad

equa

te

work

ing

capit

al m

anag

emen

t Fi

nanc

ial L

oss

9 Fi

nanc

e an

d Ac

coun

ts 9.

2 Tr

easu

ry

Inad

equa

te m

onito

ring

of

cash

and

ban

k bala

nces

Fi

nanc

ial L

oss

9 Fi

nanc

e an

d Ac

coun

ts 9.

3 Fi

nanc

ial

Repo

rting

Inad

equa

te

finan

cial

repo

rting

syste

ms

Inco

rrect

Fina

ncial

Re

porti

ng

9 Fi

nanc

e an

d Ac

coun

ts 9.

3 Fi

nanc

ial

Repo

rting

Mis-

repr

esen

tatio

n in

finan

cial

state

men

ts an

d re

ports

Inco

rrect

Fina

ncial

Re

porti

ng

9 Fi

nanc

e an

d Ac

coun

ts 9.

4 As

set

Man

agem

ent

Inco

rrect

capit

aliza

tion

of

asse

ts In

corre

ct Fi

nanc

ial

Repo

rting

9

Fina

nce

and

Acco

unts

9.4

Asse

t M

anag

emen

t

Ph

ysica

l ve

rifica

tion

of

asse

ts no

t don

e In

corre

ct Fi

nanc

ial

Repo

rting

9

Fina

nce

and

Acco

unts

9.4

Asse

t M

anag

emen

t

De

prec

iation

& D

eplet

ion

char

ges

have

not

bee

n In

corre

ct Fi

nanc

ial


68

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

accu

rate

ly ca

lculat

ed a

nd

reco

rded

in

the

appr

opria

te p

eriod

.

Repo

rting

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

Ri

sk o

f de

lay i

n inv

oice

proc

essin

g Fi

nanc

ial

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

Du

plica

te ve

ndor

code

s Fi

nanc

ial

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

Ri

sk o

f dela

y in

paym

ent

proc

essin

g Fi

nanc

ial

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

Ro

yalty

no

t pa

id as

sp

ecifie

d in

Prod

uctio

n Sh

aring

Con

tract.

Fina

ncial

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

Ri

sk o

f exc

ess p

aym

ent

Fina

ncial

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng

and

Rece

ivable

s

Th

e ac

coun

ting

polic

ies

for

acco

untin

g of

sale

s es

pecia

lly t

ake

or p

ay,

unde

rlifts/

ov

erlift

s, co

ntra

ctual

liabil

ities

etc.

not

in co

mpli

ance

wi

th

Repo

rting

Case Study

69

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

the

Acco

untin

g St

anda

rds.

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng

and

Rece

ivable

s

Delay

in in

voici

ng.

Fina

ncial

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng

and

Rece

ivable

s

Inco

rrect

and

unau

thor

ised

invoic

ing.

Fina

ncial

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng

and

Rece

ivable

s

Qu

antita

tive

reco

ncilia

tion

not d

one

to

ident

ify e

xces

sive

losse

s.

Fina

ncial

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng

and

Rece

ivable

s

Ro

yalty

no

t pa

id as

sp

ecifie

d Pr

oduc

tion

Shar

ing C

ontra

ct.

Fina

ncial

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng

and

Rece

ivable

s

In

accu

rate

calc

ulatio

ns o

f th

e we

llhea

d va

lue.

Fina

ncial

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng

and

Rece

ivable

s

In

vestm

ent

mult

iple

not

calcu

lated

in th

e m

anne

r as

pr

ovide

d in

the

Fina

ncial


70

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

Prod

uctio

n Sh

aring

Co

ntra

ct.

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng

and

Rece

ivable

s

In

adeq

uate

mon

itorin

g of

re

ceiva

ble a

nd f

ollow

up

for c

ollec

tions

.

Fina

ncial

9 Fi

nanc

e an

d Ac

coun

ts 9.

7 JV

Op

erat

ions

In

accu

rate

wo

rking

of

co

st all

ocat

ed

by

oper

ating

par

tner

s fo

r JV

Non

Oper

ated

Inco

rrect

Fina

ncial

Re

porti

ng

9 Fi

nanc

e an

d Ac

coun

ts 9.

7 JV

Op

erat

ions

No

n ra

ising

/ de

layed

re

cove

ry o

f cas

h ca

ll fro

m

JV p

artn

er.

Fina

ncial

Los

s

9 Fi

nanc

e an

d Ac

coun

ts 9.

7 JV

Op

erat

ions

W

rong

allo

catio

ns t

o JV

du

e to

ina

dequ

ate

proc

ess

of c

ostin

g an

d ide

ntific

ation

of

alloc

able

costs

.

Fina

ncial

Los

s

9 Fi

nanc

e an

d Ac

coun

ts 9.

7 JV

Op

erat

ions

In

adeq

uate

con

trol

over

ex

pens

es in

cas

e of

non

op

erat

ing b

locks

Fina

ncial

Los

s

Case Study

71

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

9 Fi

nanc

e an

d Ac

coun

ts 9.

8 Ta

xatio

n

Risk

of

re

gulat

ory

pena

lties

due

to

non

com

plian

ce

with

TD

S,

Serv

ice

Tax

and

othe

r re

levan

t acts

Risk

of

Regu

lator

y No

n-Co

mpli

ance

9 Fi

nanc

e an

d Ac

coun

ts 9.

8 Ta

xatio

n

Tax

paym

ents

and

tax

retu

rns

are

not

mad

e or

file

d wi

thin

perm

issibl

e tim

e lim

its

Stat

utor

y Non

co

mpli

ance

9 Fi

nanc

e an

d Ac

coun

ts 9.

8 Ta

xatio

n

Inad

equa

te

mon

itorin

g m

echa

nism

fo

r pe

nding

de

man

ds o

r as

sess

men

t ca

ses,

etc.

Fina

ncial

Los

s

10

Hum

an

Reso

urce

10

.1

Recr

uitm

ent

De

lay in

hirin

g im

pacti

ng

oper

ation

dela

ys

Oper

ation

al

10

Hum

an

Reso

urce

10

.1

Recr

uitm

ent

Hi

ring

inapp

ropr

iate

pers

onne

l Op

erat

ional

10

Hum

an

Reso

urce

10

.1

Recr

uitm

ent

In

com

plete

do

cum

enta

tion

in em

ploye

e re

cord

s/ file

s

Oper

ation

al


72

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

10

Hum

an

Reso

urce

10

.1

Recr

uitm

ent

In

adeq

uate

ba

ckgr

ound

an

d re

fere

nce

chec

ks

Oper

ation

al

10

Hum

an

Reso

urce

10

.2

Lear

ning

and

Deve

lopm

ent

In

adeq

uate

pla

nning

of

tra

ining

requ

irem

ents

Oper

ation

al

10

Hum

an

Reso

urce

10

.2

Lear

ning

and

Deve

lopm

ent

Tr

aining

ne

eds

not

ident

ified

Oper

ation

al

10

Hum

an

Reso

urce

10

.2

Lear

ning

and

Deve

lopm

ent

Tr

aining

pr

ogra

ms

not

cond

ucte

d in

timely

m

anne

r

Oper

ation

al

10

Hum

an

Reso

urce

10

.2

Lear

ning

and

Deve

lopm

ent

Fe

edba

ck p

roce

dure

s no

t es

tabli

shed

Op

erat

ional

10

Hum

an

Reso

urce

10

.3

Sepa

ratio

ns

De

lay in

Full

and

Fina

l Fi

nanc

ial

10

Hum

an

Reso

urce

10

.3

Sepa

ratio

ns

In

adeq

uate

cle

aran

ce

proc

edur

es

Fina

ncial

10

Hum

an

Reso

urce

10

.3

Sepa

ratio

ns

In

adeq

uate

waiv

ers

Fina

ncial

10

Hum

an

Reso

urce

10

.3

Sepa

ratio

ns

Ol

d loa

n an

d ad

vanc

es

not

settl

ed

befo

re

relei

ving.

Fina

ncial

Case Study

73

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

10

Hum

an

Reso

urce

10

.3

Sepa

ratio

ns

Ex

it fo

rmali

ties

not

com

plete

d in

timely

m

anne

r.

Oper

ation

al

10

Hum

an

Reso

urce

10

.4

Payr

oll

Proc

ess

In

corre

ct pr

oces

sing

of

salar

y Fi

nanc

ial L

oss

10

Hum

an

Reso

urce

10

.4

Payr

oll

Proc

ess

In

corre

ct pr

oces

sing

and

settle

men

t of

va

rious

em

ploye

e cla

ims

Fina

ncial

Los

s

10

Hum

an

Reso

urce

10

.4

Payr

oll

Proc

ess

In

corre

ct at

tend

ance

m

onito

ring

and

acco

untin

g of

leav

es.

Fina

ncial

Los

s

10

Hum

an

Reso

urce

10

.4

Payr

oll

Proc

ess

In

corre

ct pr

ovisi

oning

an

d ac

coun

ting

of

retir

emen

t fu

nds

man

agem

ent

by

the

com

pany

.

Fina

ncial

Los

s

10

Hum

an

Reso

urce

10

.4

Payr

oll

Proc

ess

De

lay

in dis

burs

emen

t/ tra

nsfe

r of s

alary

. Fi

nanc

ial L

oss

11

Proje

cts

11.1

Pl

annin

g an

d In

vestm

ent

In

adeq

uate

plan

ning

and

budg

eting

of P

rojec

ts Fi

nanc

ial L

oss


74

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

11

Proje

cts

11.1

Pl

annin

g an

d In

vestm

ent

Ap

prop

riate

fe

asibi

lity

studie

s not

cond

ucte

d Fi

nanc

ial

11

Proje

cts

11.1

Pl

annin

g an

d In

vestm

ent

Re

quire

d cle

aran

ces

not

obta

ining

on

timely

bas

is Co

mpli

ance

11

Proje

cts

11.1

Pl

annin

g an

d In

vestm

ent

In

adeq

uate

as

sess

men

t of

Ret

urn

on In

vestm

ents

Fina

ncial

11

Proje

cts

11.2

Ex

ecut

ion

and

hand

over

Ti

me

and

Cost

over

runs

in

the

proje

cts

due

to

weak

pro

ject

mon

itorin

g an

d/ o

r exe

cutio

n.

Fina

ncial

Los

s

11

Proje

cts

11.2

Ex

ecut

ion

and

hand

over

Op

erat

ional

delay

s due

to

delay

in

obta

ining

/ re

newa

l of

sta

tuto

ry

clear

ance

s

Fina

ncial

Los

s

11

Proje

cts

11.2

Ex

ecut

ion

and

hand

over

No

n co

mpli

ance

to

va

rious

sta

tuto

ry

prov

ision

s an

d re

quire

men

ts.

Stat

utor

y Non

co

mpli

ance

Case Study

75

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

11

Proje

cts

11.2

Ex

ecut

ion

and

hand

over

De

lay

in pr

ocur

emen

t/ or

derin

g.

Fina

ncial

Los

s

11

Proje

cts

11.2

Ex

ecut

ion

and

hand

over

Co

mm

ission

ing

with

out

adeq

uate

qua

lity c

heck

s an

d te

sting

pro

cedu

res

Fina

ncial

Los

s

11

Proje

cts

11.2

Ex

ecut

ion

and

hand

over

La

ck

of

mon

itorin

g of

HS

E co

mpli

ance

by

co

ntra

ctors

/ int

erna

l sta

ff du

ring

exec

ution

Healt

h, S

afet

y &

Envir

onm

ent

12

Busin

ess

Deve

lopm

ent

12.1

Bu

sines

s De

velop

men

t

Inad

equa

te

post

acqu

isitio

n te

chno

-co

mm

ercia

l re

view

for

over

seas

acq

uisitio

ns

Fina

ncial

Los

s

12

Busin

ess

Deve

lopm

ent

12.1

Bu

sines

s De

velop

men

t

Delay

s in

float

ing

of

Tend

ers

Fina

ncial

Los

s

12

Busin

ess

Deve

lopm

ent

12.1

Bu

sines

s De

velop

men

t

Fina

ncial

hea

lth c

heck

up

analy

sis

not

perfo

rmed

fo

r acq

uired

ass

ets

Fina

ncial

Los

s


76

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

13

Explo

ratio

n &

deve

lopm

ent

13.1

Ex

plora

tion

& deve

lopm

ent

In

abilit

y to

op

timize

/ ac

tuali

ze

expe

cted

retu

rns

from

exp

lorat

ion

block

s

Fina

ncial

Los

s

13

Explo

ratio

n &

deve

lopm

ent

13.1

Ex

plora

tion

& deve

lopm

ent

No

n fu

lfillm

ent

to

mini

mum

wo

rk

prog

ram

sp

ecial

ly wi

th r

espe

ct to

tim

eline

ss

Fina

ncial

Los

s

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

All

Flow

lin

es

are

not

being

re

gular

ly te

sted

and

inspe

cted

for

any

block

age

Oper

ation

al

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

Delay

s in

prov

iding

m

ainte

nanc

e se

rvice

s im

pacti

ng

oper

ation

al ef

ficien

cy.

Fina

ncial

Los

s

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

Inad

equa

te

plann

ing

of

main

tena

nce

activ

ities

Oper

ation

al

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

Prev

entiv

e m

ainte

nanc

e no

t ca

rried

on

tim

ely

basis

.

Oper

ation

al

Case Study

77

D. S

r.

No.

D

epar

tmen

t P.

Sr.

N

o.

Proc

ess

Bus

ines

s Lo

catio

ns

Ris

k D

escr

iptio

n R

isk

Cat

egor

y C

orpo

rate

O

ffic

e Pl

ant

Dep

ot

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

Inad

equa

te

traini

ng

to

man

powe

r Fi

nanc

ial L

oss

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

Safe

ty ris

k of

wor

king

in ru

nning

pipe

lines

He

alth,

Saf

ety

& En

viron

men

t 14

M

ainte

nanc

e 14

.2

Equip

men

t M

ainte

nanc

e

Delay

s in

prov

iding

m

ainte

nanc

e se

rvice

s im

pacti

ng

oper

ation

al ef

ficien

cy.

Fina

ncial

Los

s

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

In

adeq

uate

pla

nning

of

m

ainte

nanc

e ac

tivitie

s Op

erat

ional

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

Pr

even

tive

main

tena

nce

not

carri

ed

on

timely

ba

sis.

Oper

ation

al

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

In

adeq

uate

tra

ining

to

m

anpo

wer

Fina

ncial

Los

s

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

Sa

fety

risk

of w

orkin

g in

runn

ing p

ipelin

es

Healt

h, S

afet

y &

Envir

onm

ent

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

Fr

eque

nt

brea

kdow

ns

due

to n

on-p

erfo

rman

ce

of ro

ot ca

use

analy

sis

Fina

ncial

Los

s


78

Step

3: R

isk

Prio

ritiz

atio

n an

d R

atin

g

(a

) As

sign

Risk

Sco

re to

eac

h of

the

risk i

dent

ified

unde

r risk

iden

tifica

tion

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

1 Co

ntra

cts

1.1

Tend

ering

and

RF

Q

Pr

ocur

emen

t be

yond

th

e de

fined

bud

geta

ry

limits

.

Fina

ncial

4

Prep

are

Aud

it U

nive

rse

Ris

k Id

entif

icat

ion

Ris

k pr

iorit

izat

ion

and

ra

ting

Ass

ess

cont

rol

envi

ronm

ent

Der

ive

Res

idua

l R

isk

Rat

ing

Dev

elop

In

tern

al

Aud

it pl

an

Case Study

79

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

1 Co

ntra

cts

1.1

Tend

ering

and

RF

Q

In

adeq

uate

ve

ndor

se

lectio

n du

e to

non

-co

mpli

ance

to

pr

ocur

emen

t po

licies

an

d pr

oced

ures

(in

cl.

tend

ering

)

Fina

ncial

5

1 Co

ntra

cts

1.1

Tend

ering

and

RF

Q

In

crea

sed

cost

of

proc

urem

ent

due

to

ineffe

ctive

ne

gotia

tion/

com

paris

on

of

com

mer

cial

bid

subm

itted

Fina

ncial

4

1 Co

ntra

cts

1.1

Tend

ering

and

RF

Q

Unfa

vour

able

RFQ

term

s and

cond

itions

. Fi

nanc

ial

5

1 Co

ntra

cts

1.1

Tend

ering

and

RF

Q

Risk

of

fa

vorit

ism

to

vend

or.

Fina

ncial

5

1 Co

ntra

cts

1.1

Tend

ering

and

RF

Q

Inap

prop

riate

te

chnic

al ev

aluat

ion p

roce

dure

s. Fi

nanc

ial

4

1 Co

ntra

cts

1.1

Tend

ering

and

RF

Q

Inad

equa

te p

roce

dure

s fo

r pro

cure

men

t in

case

of

pro

priet

ary i

tem

s.

Fina

ncial

2


80

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

1 Co

ntra

cts

1.1

Tend

ering

and

RF

Q

Fi

ctitio

us v

endo

rs in

the

syste

m

Fina

ncial

3

1 Co

ntra

cts

1.2

Cont

racti

ng

and

Orde

ring

Co

ntra

ct te

rms

and

cond

itions

no

t fa

vour

able

to

the

Com

pany

Fina

ncial

4

1 Co

ntra

cts

1.2

Cont

racti

ng

and

Orde

ring

De

lay in

con

tracti

ng o

r or

derin

g Op

erat

ional

3

1 Co

ntra

cts

1.2

Cont

racti

ng

and

Orde

ring

Ri

sk

of

issue

of

un

auth

orise

d or

der.

Fina

ncial

5

1 Co

ntra

cts

1.2

Cont

racti

ng

and

Orde

ring

In

adeq

uate

co

ntra

ct co

mpli

ance

pro

cedu

res.

Oper

ation

al 4

1 Co

ntra

cts

1.2

Cont

racti

ng

and

Orde

ring

W

ork

starte

d be

fore

co

mple

tion

of

cont

racti

ng p

roce

dure

s.

Oper

ation

al 3

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Re

gular

up

datio

n an

d re

view

of

the

actu

al pr

oduc

tion

again

st th

e pla

nned

pro

ducti

on n

ot

done

.

Fina

ncial

3

Case Study

81

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Pr

oduc

tion

levels

may

no

t ha

ve

been

m

onito

red

regu

larly

on

a Ce

ntra

l Ta

nk F

arm

(C

TF),

GGS

and

well-

wise

bas

is fo

r the

leve

l of

oil p

rodu

ction

Fina

ncial

3

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Pr

oduc

tion

targ

ets

are

not

being

co

mm

unica

ted

and

mon

itore

d by

the

Grou

p Ga

ther

ing

Stat

ions

(GGS

).

Fina

ncial

3

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Cr

ude

Oil

pilfe

rage

s /

leaka

ges

while

tra

nspo

rtatio

n

Fina

ncial

4

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

In

corre

ct ce

rtific

ation

of

bills

Fina

ncial

4

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

In

adeq

uate

te

sting

of

m

ater

ial u

sed

leadin

g to

Fi

nanc

ial

5


82

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

Distr

ibutio

n we

ll iss

ues

later

af

fecti

ng p

rodu

ction

2

Plan

t Op

erat

ions

2.1

Prod

uctio

n an

d Di

stribu

tion

No

n-ut

ilizat

ion

of

the

asse

ts Fi

nanc

ial

4

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

In

adeq

uate

fire

saf

ety

arra

ngem

ent a

t site

He

alth,

Sa

fety

& En

viron

men

t

5

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

W

rong

fin

ancia

l re

porti

ng

due

to

inade

quat

e co

ntro

ls on

pr

oduc

tion

reco

rding

Inco

rrect

Fina

ncial

Re

porti

ng

4

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

In

adeq

uate

QA

/

QC

proc

ess

durin

g Pr

oduc

tion

Fina

ncial

Lo

ss

4

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

Pr

oduc

tion

loss

due

to

inade

quat

e br

eakd

own

analy

sis

and

com

plian

ce

Fina

ncial

Lo

ss

4

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion a

nd

Main

tena

nce

Sc

hedu

led

main

tena

nce

and

work

Op

erat

ional

4

Case Study

83

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

over

op

erat

ions

for

vario

us

wells

no

t pla

nned

in a

dvan

ce.

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion a

nd

Main

tena

nce

Tr

ack

of to

tal a

mou

nt o

f wa

ter p

umpe

d int

o ea

ch

well

is no

t be

ing

track

ed

caus

ing

over

pu

mpin

g of

wat

er.

Oper

ation

al 3

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion a

nd

Main

tena

nce

Ap

prop

riate

reco

rds

are

not b

eing

main

taine

d in

resp

ect o

f the

coll

ectio

n of

oil

and

gas

from

the

wells

Oper

ation

al 3

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion a

nd

Main

tena

nce

Fl

ow m

eter

s at

CTF

are

no

t pr

oper

ly ca

libra

ted

and

the

calib

ratio

n is

not

being

pe

riodic

ally

chec

ked.

Pu

mpin

g re

cord

s of

the

exte

nt o

f oil

pum

ped

to

the

custo

mer

are

not

Oper

ation

al 4


84

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

prop

erly

kept

an

d m

ainta

ined.

2

Plan

t Op

erat

ions

2.2

Oper

ation

and

M

ainte

nanc

e

Pr

oduc

tion

failu

re/

loss

due

to

inade

quat

e pr

even

tive

main

tena

nce

sche

dule

or

lack

of

com

plian

ce

of

sche

dule.

Fina

ncial

Lo

ss

5

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion a

nd

Main

tena

nce

Delay

s in

main

tena

nce

Fina

ncial

Lo

ss

4

2 Pl

ant

Oper

ation

s 2.

3 Sa

fety

and

Envir

onm

ent

Regu

lar v

isits

of th

e oil

we

ll ar

e no

t con

ducte

d an

d all

oil

we

ll ins

talla

tions

ar

e no

t be

ing in

spec

ted

Oper

ation

al 4

2 Pl

ant

Oper

ation

s 2.

3 Sa

fety

and

Envir

onm

ent

HSE

non

com

plian

ces

by co

ntra

ctors

St

atut

ory N

on

com

plian

ce

5

3 Dr

illing

3.

1 Dr

illing

Th

e co

st be

nefit

analy

sis fo

r dr

illing

not

do

ne

resu

lting

into

Fina

ncial

4

Case Study

85

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

exce

ss

cost

of

oper

ation

s. 3

Drilli

ng

3.1

Drilli

ng

Ri

sk o

f acc

ident

s due

to

inade

quat

e tra

ining

and

m

is-ha

ndlin

g.

Healt

h,

Safe

ty an

d En

viron

men

t

5

3 Dr

illing

3.

1 Dr

illing

Inad

equa

te

HSE

com

plian

ce

at

the

drilli

ng si

tes.

Healt

h,

Safe

ty an

d En

viron

men

t

5

3 Dr

illing

3.

1 Dr

illing

Dam

age

to

the

equip

men

t du

e to

ina

dequ

ate

secu

rity

at

the

drilli

ng si

te.

Fina

ncial

4

3 Dr

illing

3.

1 Dr

illing

Sub-

optim

al ut

ilizat

ion

of ri

gs a

nd o

ther

drill

ing

equip

men

t.

Fina

ncial

4

3 Dr

illing

3.

1 Dr

illing

Delay

s in

oper

ation

due

to

ina

dequ

ate

co-

ordin

ation

and

dela

ys in

eq

uipm

ent a

vaila

bility

.

Oper

ation

al 3

3 Dr

illing

3.

1 Dr

illing

Mis-

align

men

t of

th

e Fi

nanc

ial

3


86

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

drilli

ng

plan

with

th

e ov

erall

wor

k pro

gram

3

Drilli

ng

3.1

Drilli

ng

W

rong

fin

ancia

l re

porti

ng

due

to

inapp

ropr

iate

input

s fo

r co

st all

ocat

ion p

roce

ss,

well

cost

reco

ncilia

tion

proc

ess

Repo

rting

4

3 Dr

illing

3.

1 Dr

illing

Lack

of

plann

ing a

nd

mon

itorin

g of

co

st &

effo

rt inv

olved

in d

rillin

g of

well

s (re

cord

ing a

nd

mon

itorin

g ag

ainst

KPIs/

Tar

gets)

Fina

ncial

3

3 Dr

illing

3.

1 Dr

illing

Inef

fecti

ve/

Inef

ficien

t fu

nctio

ning

of

the

proc

ess

due

to

non-

com

plian

ce t

o po

licies

an

d pr

oced

ures

def

ined

Fina

ncial

3

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

Un

auth

orize

d sy

stem

ac

cess

du

e to

we

ak

Oper

ation

al 5

Case Study

87

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

logica

l ac

cess

co

ntro

l rig

hts,

pass

word

co

ntro

ls, e

tc.

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

In

adeq

uate

en

viron

men

t con

trols.

Op

erat

ional

4

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

In

adeq

uate

ac

cess

co

ntro

ls to

dat

a ce

ntre

. Op

erat

ional

4

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

Un

auth

orise

d ac

cess

to

data

cent

re.

Oper

ation

al 4

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

Pe

nal

cons

eque

nces

du

e to

us

age

on

unlic

ense

d so

ftwar

es.

Fina

ncial

Lo

ss

5

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

Di

saste

r rec

over

y poli

cy

and

proc

edur

es

to

ident

ify c

ritica

l bus

iness

ap

plica

tions

/ da

ta

not

defin

ed

Fina

ncial

Lo

ss

3

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

In

crea

sed

vulne

rabil

ity

of

the

netw

ork

to

intru

sions

- E

xtern

al or

In

tern

al.

Fina

ncial

Lo

ss

4


88

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

Le

akag

e /

loss

of

sens

itive

infor

mat

ion/

corru

pted

and

inse

cure

da

ta

Fina

ncial

Lo

ss

4

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

Co

rrupt

/ los

s of

da

ta

due

to

inade

quat

e co

nfigu

ratio

n an

d log

ical

cont

rols

with

in SA

P

Inco

rrect

Fina

ncial

Re

porti

ng

3

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

Un

auth

orize

d tra

nsac

tions

du

e to

ina

dequ

ate

segr

egat

ion

of d

uties

Fina

ncial

Lo

ss

3

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

In

accu

rate

mas

ter

data

du

e to

ina

dequ

ate

cont

rols

on m

aste

r dat

a m

ainte

nanc

e an

d ch

ange

s

Fina

ncial

Lo

ss

4

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

Ab

senc

e of

an

au

dit

trail

in ca

se

of

unau

thor

ized

acce

ss /

us

ers.

Fina

ncial

Lo

ss

2

Case Study

89

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

In

adeq

uate

sy

stem

log

ic co

ntro

ls to

pre

vent

un

auth

orize

d/ i

ncor

rect

trans

actio

n pr

oces

sing

thro

ugh

SAP.

Fina

ncial

Lo

ss

4

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

In

adeq

uate

us

er

man

agem

ent

Fina

ncial

Lo

ss

4

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

Ac

cess

and

ID

of t

he

sepa

rate

d em

ploye

es

not r

emov

ed.

Fina

ncial

Lo

ss

4

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Exist

ing

work

be

ing

done

wi

thin

the

depa

rtmen

t is

not

back

ed u

p by

a p

hysic

al pla

n.

Oper

ation

al 3

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Prop

er

proc

edur

e do

no

t ex

ists

or a

re n

ot

follo

wed

while

dec

iding

th

e typ

e of

sur

vey

(2D,

3D

or 4

D su

rvey

).

Oper

ation

al 4


90

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Cost

repo

rt no

t pr

epar

ed

Fina

ncial

3

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Surv

eys

done

are

not

pr

oper

ly re

cord

ed.

Oper

ation

al 3

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Adeq

uate

ph

ysica

l se

curit

y do

es n

ot e

xist

of th

e re

cord

ed d

ata

Healt

h,

Safe

ty an

d En

viron

men

t

4

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Unav

ailab

ility

of

adeq

uate

tech

nical

data

us

ed

for

prop

osing

ex

plora

tory

loca

tions

Oper

ation

al 4

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Inab

ility

to

optim

ize/

actu

alize

ex

pecte

d re

turn

s fro

m e

xplor

ation

blo

cks

Fina

ncial

Lo

ss

4

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Delay

s in

mon

itorin

g th

e re

serv

es

Fina

ncial

Lo

ss

3

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Inac

cura

te e

stim

ation

of

rese

rves

In

corre

ct Fi

nanc

ial

Repo

rting

4

Case Study

91

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Inco

rrect

inter

pret

ation

du

e to

no

quali

ty re

view

proc

ess

of

valid

ating

th

e int

erpr

etat

ion

work

flow

/ cy

cle

follo

wed

Fina

ncial

Lo

ss

5

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

Delay

in

seism

ic da

tapr

oces

sing

due

to

ineffe

ctive

sche

dulin

g

Fina

ncial

Lo

ss

3

6 Re

sear

ch a

nd

Deve

lopm

ent

6.1

Rese

arch

and

De

velop

men

t

Inad

equa

te

calib

ratio

n of

R&

D to

ols

and

equip

men

ts ca

using

inc

orre

ct re

sults

.

Fina

ncial

Lo

ss

2

6 Re

sear

ch a

nd

Deve

lopm

ent

6.1

Rese

arch

and

De

velop

men

t

High

cos

t of

ope

ratio

n du

e to

ob

solet

e te

chno

logy.

Fina

ncial

Lo

ss

3

6 Re

sear

ch a

nd

Deve

lopm

ent

6.1

Rese

arch

and

De

velop

men

t

Delay

in p

rocu

rem

ent o

f lab

equ

ipmen

ts ca

using

de

lay i

n co

mple

tion

of

R&D

activ

ities

Fina

ncial

Lo

ss

2


92

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

7 M

ater

ial

Man

agem

ent

7.1

MM

- Pl

annin

g &

Rece

iving

Risk

of

rece

iving

mor

e th

an

the

orde

red

quan

tity

Fina

ncial

3

7 M

ater

ial

Man

agem

ent

7.1

MM

- Pl

annin

g &

Rece

iving

Risk

of

acce

pting

the

inf

erior

qu

ality

of

mat

erial

Fina

ncial

3

7 M

ater

ial

Man

agem

ent

7.1

MM

- Pl

annin

g &

Rece

iving

Prop

er

quali

ty as

sura

nce

testi

ng o

f all

raw

mat

erial

s is

not

done

wh

en

it is

rece

ived.

Fina

ncial

4

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

Un

auth

orize

d dis

posa

l of

scra

p Fi

nanc

ial

Loss

2

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

In

adeq

uate

seg

rega

tion

of

dutie

s be

twee

n pe

rson

nel

resp

onsib

le fo

r or

derin

g, r

eceiv

ing

and

issue

of m

ater

ial

Fina

ncial

Lo

ss

2

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

In

vent

ory

loss

due

to

weak

sto

rage

/ sta

cking

Fi

nanc

ial

Loss

2

Case Study

93

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

and

segr

egat

ion

guide

lines

. 7

Mat

erial

M

anag

emen

t 7.

2 M

M -

Depo

t

Fina

ncial

los

s du

e to

ina

dequ

ate

secu

rity

proc

edur

es

at

the

ware

hous

e

Fina

ncial

Lo

ss

2

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

Lo

ss o

f life

/ re

sour

ces

due

to n

on-c

ompli

ance

to

reg

ulato

ry l

aws

and

regu

lation

s

Healt

h,

Safe

ty &

Envir

onm

ent

4

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

De

lay

in re

newa

l or

ex

piry

of

vario

us

licen

ses

Stat

utor

y Non

co

mpli

ance

5

7 M

ater

ial

Man

agem

ent

7.3

MM

- In

vent

ory

Hand

ling

and

Stor

age

Un

auth

orize

d an

d ina

ppro

priat

e ind

entin

g Fi

nanc

ial

Loss

1

7 M

ater

ial

Man

agem

ent

7.3

MM

- In

vent

ory

Hand

ling

and

Stor

age

In

adeq

uate

m

onito

ring

of

slow/

no

n m

oving

inv

ento

ry

Fina

ncial

Lo

ss

4


94

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

7 M

ater

ial

Man

agem

ent

7.3

MM

- In

vent

ory

Hand

ling

and

Stor

age

Da

mag

e to

spa

res

and

mat

erial

du

e to

ina

dequ

ate

stora

ge.

Fina

ncial

Lo

ss

4

7 M

ater

ial

Man

agem

ent

7.3

MM

- In

vent

ory

Hand

ling

and

Stor

age

Cr

itical

spar

es

not

ident

ified

and

main

taine

d

Fina

ncial

Lo

ss

4

7 M

ater

ial

Man

agem

ent

7.3

MM

- In

vent

ory

Hand

ling

and

Stor

age

Un

auth

orise

d iss

ue o

f m

ater

ial

Fina

ncial

Lo

ss

3

8 W

ell L

oggin

g 8.

1 W

ell L

oggin

g

Abse

nce

of m

onito

ring

of

the

time

take

n to

int

erpr

et th

e da

ta g

iven

to

the

inter

pret

ation

te

am

and

revie

w th

e re

cord

s m

ainta

ined

in th

is re

spec

t to

asce

rtain

majo

r dela

ys.

Oper

ation

al 3

Case Study

95

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

8 W

ell L

oggin

g 8.

1 W

ell L

oggin

g

Inad

equa

te

reco

rds

main

taine

d to

doc

umen

t dis

cuss

ions

and

conc

lusion

s of

int

erpr

etat

ion te

am.

Oper

ation

al 3

8 W

ell L

oggin

g 8.

1 W

ell L

oggin

g

Data

base

/ inf

orm

ation

no

t m

ainta

ined

abou

t un

succ

essfu

l well

s an

d th

e sa

me

is us

ed d

uring

su

bseq

uent

dec

ision

s.

Oper

ation

al 3

8 W

ell L

oggin

g 8.

1 W

ell L

oggin

g

Exist

ing

work

be

ing

done

wi

thin

the

Depa

rtmen

t is

not

back

ed u

p by

a p

lan.

Oper

ation

al 3

9 Fi

nanc

e an

d Ac

coun

ts 9.

1 Fi

nanc

ial

Plan

ning

and

Analy

sis

De

lays

in pr

epar

ation

an

d co

mm

unica

tion

of

annu

al pla

ns.

Oper

ation

al 3

9 Fi

nanc

e an

d Ac

coun

ts 9.

1 Fi

nanc

ial

Plan

ning

and

Analy

sis

In

appr

opria

te b

asis

and

input

s for

plan

ning

Oper

ation

al 4


96

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

9 Fi

nanc

e an

d Ac

coun

ts 9.

1 Fi

nanc

ial

Plan

ning

and

Analy

sis

M

anag

emen

t In

form

ation

Sy

stem

ina

dequ

ately

ali

gned

wi

th st

rate

gic o

bjecti

ves

Inco

rrect

Fina

ncial

Re

porti

ng

3

9 Fi

nanc

e an

d Ac

coun

ts 9.

1 Fi

nanc

ial

Plan

ning

and

Analy

sis

De

lays

in fin

ancia

l re

porti

ng a

nd cl

osing

Op

erat

ional

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

2 Tr

easu

ry

Ad

vers

e flu

ctuat

ion

in fo

reign

exc

hang

e ra

tes

Fina

ncial

Lo

ss

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

2 Tr

easu

ry

In

adeq

uate

wo

rking

ca

pital

man

agem

ent

Fina

ncial

Lo

ss

5

9 Fi

nanc

e an

d Ac

coun

ts 9.

2 Tr

easu

ry

In

adeq

uate

m

onito

ring

of

cash

an

d ba

nk

balan

ces

Fina

ncial

Lo

ss

3

9 Fi

nanc

e an

d Ac

coun

ts 9.

3 Fi

nanc

ial

Repo

rting

Inad

equa

te

finan

cial

repo

rting

syste

ms

Inco

rrect

Fina

ncial

Re

porti

ng

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

3 Fi

nanc

ial

Repo

rting

Mis-

repr

esen

tatio

n in

finan

cial

state

men

ts an

d re

ports

Inco

rrect

Fina

ncial

Re

porti

ng

3

Case Study

97

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

9 Fi

nanc

e an

d Ac

coun

ts 9.

4 As

set

Man

agem

ent

In

corre

ct ca

pitali

zatio

n of

ass

ets

Inco

rrect

Fina

ncial

Re

porti

ng

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

4 As

set

Man

agem

ent

Ph

ysica

l ve

rifica

tion

of

asse

ts no

t don

e In

corre

ct Fi

nanc

ial

Repo

rting

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

4 As

set

Man

agem

ent

De

prec

iation

&

Deple

tion

char

ges

have

no

t be

en

accu

rate

ly ca

lculat

ed a

nd re

cord

ed

in th

e ap

prop

riate

pe

riod.

Inco

rrect

Fina

ncial

Re

porti

ng

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

Risk

of d

elay

in inv

oice

proc

essin

g Fi

nanc

ial

3

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

Dupli

cate

vend

or co

des

Fina

ncial

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

Risk

of

de

lay

in pa

ymen

t pro

cess

ing

Fina

ncial

3

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

Roya

lty

not

paid

as

spec

ified

in Pr

oduc

tion

Shar

ing C

ontra

ct.

Fina

ncial

3


98

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

Risk

of e

xces

s pay

men

tFi

nanc

ial

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng a

nd

Rece

ivable

s

The

acco

untin

g po

licies

fo

r ac

coun

ting

of s

ales

espe

cially

tak

e or

pay

, un

derlif

ts/

over

lifts,

cont

ractu

al lia

bilitie

s et

c. no

t in

com

plian

ce

with

th

e Ac

coun

ting

Stan

dard

s.

Repo

rting

3

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng a

nd

Rece

ivable

s

Delay

in in

voici

ng.

Fina

ncial

3

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng a

nd

Rece

ivable

s

Inco

rrect

and

unau

thor

ised

invoic

ing.

Fina

ncial

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng a

nd

Rece

ivable

s

Quan

titativ

e re

conc

iliatio

n no

t do

ne

to

ident

ify

exce

ssive

los

ses.

Fina

ncial

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng a

nd

Rece

ivable

s

Roya

lty

not

paid

as

spec

ified

Prod

uctio

n Sh

aring

Con

tract.

Fina

ncial

3

Case Study

99

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng a

nd

Rece

ivable

s

Inac

cura

te c

alcula

tions

of

the

wellh

ead

value

. Fi

nanc

ial

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng a

nd

Rece

ivable

s

Inve

stmen

t mult

iple

not

calcu

lated

in

the

man

ner

as p

rovid

ed in

th

e Pr

oduc

tion

Shar

ing

Cont

ract.

Fina

ncial

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng a

nd

Rece

ivable

s

Inad

equa

te

mon

itorin

g of

rece

ivable

and

follo

w up

for c

ollec

tions

.

Fina

ncial

3

9 Fi

nanc

e an

d Ac

coun

ts 9.

7 JV

Ope

ratio

ns

In

accu

rate

wo

rking

of

co

st all

ocat

ed

by

oper

ating

pa

rtner

s fo

r JV

Non

Ope

rate

d

Inco

rrect

Fina

ncial

Re

porti

ng

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

7 JV

Ope

ratio

ns

No

n ra

ising

/ de

layed

re

cove

ry o

f ca

sh c

all

from

JV p

artn

er.

Fina

ncial

Lo

ss

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

7 JV

Ope

ratio

ns

W

rong

allo

catio

ns to

JV

due

to

inade

quat

e pr

oces

s of

cos

ting

and

Fina

ncial

Lo

ss

4


100

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

ident

ificat

ion

of

alloc

able

costs

. 9

Fina

nce

and

Acco

unts

9.7

JV O

pera

tions

Inad

equa

te c

ontro

l ove

r ex

pens

es

in ca

se

of

non

oper

ating

bloc

ks

Fina

ncial

Lo

ss

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

8 Ta

xatio

n

Risk

of

re

gulat

ory

pena

lties

due

to

non

com

plian

ce w

ith T

DS,

Serv

ice T

ax a

nd o

ther

re

levan

t acts

Risk

of

Regu

lator

y No

n-Co

mpli

ance

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

8 Ta

xatio

n

Tax

paym

ents

and

tax

retu

rns

are

not m

ade

/ file

d wi

thin

perm

issibl

e tim

e lim

its

Stat

utor

y Non

co

mpli

ance

4

9 Fi

nanc

e an

d Ac

coun

ts 9.

8 Ta

xatio

n

Inad

equa

te

mon

itorin

g m

echa

nism

for p

endin

g de

man

ds /

asse

ssm

ent

case

s, et

c.

Fina

ncial

Lo

ss

4

10

Hum

an

Reso

urce

10

.1

Recr

uitm

ent

De

lay

in hir

ing

impa

cting

op

erat

ion

delay

s

Oper

ation

al 3

Case Study

101

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

10

Hum

an

Reso

urce

10

.1

Recr

uitm

ent

Hi

ring

inapp

ropr

iate

pers

onne

l Op

erat

ional

4

10

Hum

an

Reso

urce

10

.1

Recr

uitm

ent

In

com

plete

do

cum

enta

tion

in em

ploye

e re

cord

s/ file

s

Oper

ation

al 2

10

Hum

an

Reso

urce

10

.1

Recr

uitm

ent

In

adeq

uate

bac

kgro

und

and

refe

renc

e ch

ecks

Op

erat

ional

3

10

Hum

an

Reso

urce

10

.2

Lear

ning

and

Deve

lopm

ent

In

adeq

uate

plan

ning

of

traini

ng re

quire

men

ts Op

erat

ional

4

10

Hum

an

Reso

urce

10

.2

Lear

ning

and

Deve

lopm

ent

Tr

aining

ne

eds

not

ident

ified

Oper

ation

al 4

10

Hum

an

Reso

urce

10

.2

Lear

ning

and

Deve

lopm

ent

Tr

aining

pro

gram

s no

t co

nduc

ted

in tim

ely

man

ner

Oper

ation

al 4

10

Hum

an

Reso

urce

10

.2

Lear

ning

and

Deve

lopm

ent

Fe

edba

ck

proc

edur

es

not e

stabli

shed

Op

erat

ional

3

10

Hum

an

Reso

urce

10

.3

Sepa

ratio

ns

De

lay in

Full

and

Fina

l Fi

nanc

ial

3

10

Hum

an

Reso

urce

10

.3

Sepa

ratio

ns

In

adeq

uate

cle

aran

ce

proc

edur

es

Fina

ncial

3


102

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

10

Hum

an

Reso

urce

10

.3

Sepa

ratio

ns

In

adeq

uate

waiv

ers

Fina

ncial

3

10

Hum

an

Reso

urce

10

.3

Sepa

ratio

ns

Ol

d loa

n an

d ad

vanc

es

not

settl

ed

befo

re

relie

ving.

Fina

ncial

3

10

Hum

an

Reso

urce

10

.3

Sepa

ratio

ns

Ex

it fo

rmali

ties

not

com

plete

d tim

ely

man

ner.

Oper

ation

al 3

10

Hum

an

Reso

urce

10

.4

Payr

oll

Proc

ess

In

corre

ct pr

oces

sing

of

salar

y Fi

nanc

ial

Loss

4

10

Hum

an

Reso

urce

10

.4

Payr

oll

Proc

ess

Inco

rrect

proc

essin

g an

d se

ttlem

ent

of

vario

us

emplo

yee

claim

s

Fina

ncial

Lo

ss

4

10

Hum

an

Reso

urce

10

.4

Payr

oll

Proc

ess

In

corre

ct at

tend

ance

m

onito

ring

and

acco

untin

g of

leav

es.

Fina

ncial

Lo

ss

3

10

Hum

an

Reso

urce

10

.4

Payr

oll

Proc

ess

In

corre

ct pr

ovisi

oning

an

d ac

coun

ting

of

retir

emen

t fu

nds

Fina

ncial

Lo

ss

3

Case Study

103

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

man

agem

ent

by

the

com

pany

. 10

Hu

man

Re

sour

ce

10.4

Pa

yroll

Pr

oces

s

Delay

in d

isbur

sem

ent/

trans

fer o

f sala

ry.

Fina

ncial

Lo

ss

3

11

Proje

cts

11.1

Pl

annin

g an

d In

vestm

ent

In

adeq

uate

pla

nning

an

d bu

dget

ing

of

Proje

cts

Fina

ncial

Lo

ss

4

11

Proje

cts

11.1

Pl

annin

g an

d In

vestm

ent

Ap

prop

riate

fe

asibi

lity

studie

s not

cond

ucte

d Fi

nanc

ial

5

11

Proje

cts

11.1

Pl

annin

g an

d In

vestm

ent

Re

quire

d cle

aran

ces

not o

btain

ing o

n tim

elyba

sis

Com

plian

ce

5

11

Proje

cts

11.1

Pl

annin

g an

d In

vestm

ent

In

adeq

uate

ass

essm

ent

of

Retu

rn

on

Inve

stmen

ts

Fina

ncial

4

11

Proje

cts

11.2

Ex

ecut

ion a

nd

hand

over

Tim

e an

d Co

st ov

erru

ns

in th

e pr

ojects

due

to

weak

pro

ject m

onito

ring

and/

or e

xecu

tion.

Fina

ncial

Lo

ss

4

11

Proje

cts

11.2

Ex

ecut

ion a

nd

hand

over

Oper

ation

al de

lays

due

to d

elay

in ob

taini

ng/

Fina

ncial

Lo

ss

4


104

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

rene

wal

of

statu

tory

cle

aran

ces

11

Proje

cts

11.2

Ex

ecut

ion a

nd

hand

over

Non

com

plian

ce

to

vario

us

statu

tory

pr

ovisi

ons

and

requ

irem

ents.

Stat

utor

y Non

co

mpli

ance

5

11

Proje

cts

11.2

Ex

ecut

ion a

nd

hand

over

Delay

in

proc

urem

ent/

orde

ring.

Fi

nanc

ial

Loss

3

11

Proje

cts

11.2

Ex

ecut

ion a

nd

hand

over

Com

miss

ioning

with

out

adeq

uate

qu

ality

chec

ks

and

testi

ng

proc

edur

es

Fina

ncial

Lo

ss

4

11

Proje

cts

11.2

Ex

ecut

ion a

nd

hand

over

Lack

of

mon

itorin

g of

HS

E co

mpli

ance

by

co

ntra

ctors

/

inter

nal

staff

durin

g ex

ecut

ion

Healt

h,

Safe

ty &

Envir

onm

ent

5

12

Busin

ess

Deve

lopm

ent

12.1

Bu

sines

s De

velop

men

t

Inad

equa

te

post

acqu

isitio

n te

chno

-co

mm

ercia

l re

view

for

over

seas

acq

uisitio

ns

Fina

ncial

Lo

ss

3

Case Study

105

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

12

Busin

ess

Deve

lopm

ent

12.1

Bu

sines

s De

velop

men

t

Delay

s in

float

ing

of

Tend

ers

Fina

ncial

Lo

ss

2

12

Busin

ess

Deve

lopm

ent

12.1

Bu

sines

s De

velop

men

t

Fi

nanc

ial h

ealth

che

ck

up

analy

sis

not

perfo

rmed

for

acq

uired

as

sets

Fina

ncial

Lo

ss

3

13

Explo

ratio

n &

deve

lopm

ent

13.1

Ex

plora

tion

& de

velop

men

t

In

abilit

y to

op

timize

/ ac

tuali

ze

expe

cted

retu

rns

from

exp

lorat

ion

block

s

Fina

ncial

Lo

ss

4

13

Explo

ratio

n &

deve

lopm

ent

13.1

Ex

plora

tion

& de

velop

men

t

No

n fu

lfillm

ent

to

mini

mum

wor

k pr

ogra

m

spec

ially

with

resp

ect t

o tim

eline

ss

Fina

ncial

Lo

ss

3

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

Al

l Fl

ow l

ines

are

not

being

re

gular

ly te

sted

and

inspe

cted

for

any

block

age

Oper

ation

al 4

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

De

lays

in pr

ovidi

ng

main

tena

nce

serv

ices

Fina

ncial

Lo

ss

4


106

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

impa

cting

op

erat

ional

effic

iency

. 14

M

ainte

nanc

e 14

.1

Pipe

line

Main

tena

nce

Inad

equa

te p

lannin

g of

m

ainte

nanc

e ac

tivitie

s Op

erat

ional

3

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

Pr

even

tive

main

tena

nce

not

carri

ed o

n tim

ely b

asis.

Oper

ation

al 4

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

In

adeq

uate

tra

ining

to

man

powe

r Fi

nanc

ial

Loss

3

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

Sa

fety

risk o

f wor

king

in ru

nning

pipe

lines

He

alth,

Sa

fety

& En

viron

men

t

4

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

Delay

s in

prov

iding

m

ainte

nanc

e se

rvice

s im

pacti

ng

oper

ation

al ef

ficien

cy.

Fina

ncial

Lo

ss

4

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

Inad

equa

te p

lannin

g of

m

ainte

nanc

e ac

tivitie

s Op

erat

ional

4

14

Main

tena

nce

14.2

Eq

uipm

ent

Prev

entiv

e Op

erat

ional

3

Case Study

107

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

R

isk

Des

crip

tion

Ris

k C

ateg

ory

Ris

k Sc

ore

Cor

pora

te

Off

ice

Plan

t D

epot

Main

tena

nce

main

tena

nce

not

carri

ed o

n tim

ely b

asis.

14

M

ainte

nanc

e 14

.2

Equip

men

t M

ainte

nanc

e

In

adeq

uate

tra

ining

to

man

powe

r Fi

nanc

ial

Loss

4

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

Safe

ty ris

k of w

orkin

g in

runn

ing p

ipelin

es

Healt

h,

Safe

ty &

Envir

onm

ent

3

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

Freq

uent

br

eakd

owns

du

e to

non

per

form

ance

of

root

caus

e an

alysis

Fina

ncial

Lo

ss

4


108

Prep

are

the

sum

mar

ized

Risk

Reg

ister

usin

g th

e ar

ithm

etic

mea

n of

the

Risk

Sco

res

assig

ned

to th

e ris

k ide

ntifie

d un

der

prev

ious s

tep.

Also

, ass

ign th

e ra

tiona

le fo

r pro

viding

the

risk r

ating

s for

eac

h of

the

audit

are

a

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

1 Co

ntra

cts

1.1

Tend

ering

and

RFQ

4.0

0

• Im

pact

of

Majo

r Fi

nanc

ial

Loss

•

Rep

eate

d fra

ud/

misa

ppro

priat

ion

• M

ajor

impa

ct on

or

ganiz

ation

al pr

ofita

bility

1

Cont

racts

1.

2 Co

ntra

cting

and

Or

derin

g

3

.80

•

Impa

ct of

M

ajor

Fina

ncial

Lo

ss

• Re

peat

ed

fraud

/ m

isapp

ropr

iation

•

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

2 Pl

ant O

pera

tions

2.1

Pr

oduc

tion

and

Distr

ibutio

n

3.9

1

• Pr

oces

s ris

ks w

ith m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of r

eput

ation

al im

pact

to

orga

nizat

ion

• Im

pact

of

Majo

r Fi

nanc

ial

Loss

Case Study

109

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

• Si

gnific

ant

thre

at t

o He

alth,

Sa

fety

& En

viron

men

t •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

2 Pl

ant O

pera

tions

2.2

Op

erat

ion a

nd

Main

tena

nce

3

.83

•

Proc

ess

risks

with

majo

r risk

on

the

orga

nizat

ion.

• Ri

sk o

f rep

utat

ional

impa

ct to

or

ganiz

ation

•

Non-

com

plian

ce

with

m

ajor

finan

cial

pena

lties

or

pros

ecut

ions.

• Im

pact

of

Majo

r Fi

nanc

ial

Loss

•

Sign

ifican

t th

reat

to

Healt

h,

Safe

ty &

Envir

onm

ent

2 Pl

ant O

pera

tions

2.3

Sa

fety

and

Envir

onm

ent

4

.50

•

Risk

of

hig

h re

puta

tiona

l im

pact

to o

rgan

izatio

n •

Non-

com

plian

ce

with

m

ajor

finan

cial

pena

lties

and

pros

ecut

ions.

• Im

pact

of H

igh F

inanc

ial L

oss


110

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

• Si

gnific

ant

thre

at t

o He

alth,

Sa

fety

& En

viron

men

t •

High

impa

ct on

org

aniza

tiona

l pr

ofita

bility

3

Drilli

ng

3.1

Drilli

ng

3

.80

•

Impa

ct of

M

ajor

Fina

ncial

Lo

ss

• Si

gnific

ant

thre

at t

o He

alth,

Sa

fety

& En

viron

men

t •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

4

.13

•

Proc

ess

risks

with

crit

ical r

isk

on th

e or

ganiz

ation

. •

Impa

ct of

High

Fina

ncial

Los

s•

Repe

ated

fra

ud/

misa

ppro

priat

ion w

ith m

ajor

finan

cial

or

repu

tatio

nal

cons

eque

nces

•

Miss

ing IT

and

ERP

syste

ms

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

3.4

3

• Pr

oces

s ris

ks w

ith m

ajor r

isk

on th

e or

ganiz

ation

. •

Repe

ated

fra

ud/

misa

ppro

priat

ion

Case Study

111

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

• De

ficien

t IT

an

d ER

P sy

stem

s 5

Geolo

gy &

Re

serv

oir

5.1

Geolo

gy &

Re

serv

oir

3

.64

•

Proc

ess

risks

with

majo

r risk

on

the

orga

nizat

ion.

• Im

pact

of

Majo

r Fi

nanc

ial

Loss

•

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

6 Re

sear

ch a

nd

Deve

lopm

ent

6.1

Rese

arch

and

De

velop

men

t

2.3

3

• Pr

oces

s ris

ks w

ith t

olera

ble

risk o

n th

e or

ganiz

ation

. •

Toler

able

impa

ct on

or

ganiz

ation

al pr

ofita

bility

7

Mat

erial

M

anag

emen

t 7.

1 M

M -

Plan

ning

& Re

ceivi

ng

3

.33

•

Proc

ess

risks

with

majo

r risk

on

the

orga

nizat

ion.

• Im

pact

of

Majo

r Fi

nanc

ial

Loss

•

Repe

ated

fra

ud/

misa

ppro

priat

ion

• M

ajor

impa

ct on

or

ganiz

ation

al pr

ofita

bility


112

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

2.8

3

• Pr

oces

s ris

ks w

ith t

olera

ble

risk o

n th

e or

ganiz

ation

. •

Poss

ible

thre

at

to

Healt

h,

Safe

ty &

Envir

onm

ent

• Po

ssibl

e fra

ud/

misa

ppro

priat

ion

• To

lerab

le im

pact

on

orga

nizat

ional

prof

itabil

ity

7 M

ater

ial

Man

agem

ent

7.3

MM

- In

vent

ory

Hand

ling

and

Stor

age

3.2

0

• Pr

oces

s ris

ks w

ith m

ajor r

isk

on th

e or

ganiz

ation

. •

Impa

ct of

M

ajor

Fina

ncial

Lo

ss

• Re

peat

ed

fraud

/ m

isapp

ropr

iation

•

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

8 W

ell L

oggin

g 8.

1 W

ell L

oggin

g

3.0

0

• Pr

oces

s ris

ks w

ith t

olera

ble

risk o

n th

e or

ganiz

ation

. •

Toler

able

impa

ct on

orga

nizat

ional

prof

itabil

ity

Case Study

113

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

9 Fi

nanc

e an

d Ac

coun

ts 9.

1 Fi

nanc

ial P

lannin

g an

d An

alysis

3.5

0

• Pr

oces

s ris

ks w

ith m

ajor r

isk

on th

e or

ganiz

ation

. •

Impa

ct of

M

ajor

Fina

ncial

Lo

ss

• M

ajor

impa

ct on

or

ganiz

ation

al pr

ofita

bility

9

Fina

nce

and

Acco

unts

9.2

Trea

sury

4.0

0

• Im

pact

of

Majo

r Fi

nanc

ial

Loss

•

Repe

ated

fra

ud/

misa

ppro

priat

ion

• M

ajor

impa

ct on

or

ganiz

ation

al pr

ofita

bility

9

Fina

nce

and

Acco

unts

9.3

Fina

ncial

Rep

ortin

g

3.5

0

• Pr

oces

s ris

ks w

ith m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of r

eput

ation

al im

pact

to

orga

nizat

ion

• No

n-co

mpli

ance

wi

th

majo

r fin

ancia

l pe

naltie

s or

pr

osec

ution

s. •

Repe

ated

fra

ud/

misa

ppro

priat

ion


114

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

9 Fi

nanc

e an

d Ac

coun

ts 9.

4 As

set M

anag

emen

t

4.0

0

• Im

pact

of

Majo

r Fi

nanc

ial

Loss

•

Repe

ated

fra

ud/

misa

ppro

priat

ion

• M

ajor

impa

ct on

or

ganiz

ation

al pr

ofita

bility

9

Fina

nce

and

Acco

unts

9.5

Paya

bles

3

.40

•

Proc

ess

risks

with

majo

r risk

on

the

orga

nizat

ion.

• Ri

sk o

f rep

utat

ional

impa

ct to

or

ganiz

ation

•

Repe

ated

fra

ud/

misa

ppro

priat

ion

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng a

nd

Rece

ivable

s

3.5

0

• Pr

oces

s ris

ks w

ith m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of r

eput

ation

al im

pact

to

orga

nizat

ion

• Im

pact

of

Majo

r Fi

nanc

ial

Loss

•

Repe

ated

fra

ud/

misa

ppro

priat

ion

• M

ajor

impa

ct on

Case Study

115

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

orga

nizat

ional

prof

itabil

ity

9 Fi

nanc

e an

d Ac

coun

ts 9.

7 JV

Ope

ratio

ns

4

.00

•

Proc

ess

risks

with

majo

r risk

on

the

orga

nizat

ion.

• Ri

sk o

f rep

utat

ional

impa

ct to

or

ganiz

ation

•

Impa

ct of

M

ajor

Fina

ncial

Lo

ss

• Re

peat

ed

fraud

/ m

isapp

ropr

iation

•

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

9 Fi

nanc

e an

d Ac

coun

ts 9.

8 Ta

xatio

n

4.0

0

• Pr

oces

s ris

ks w

ith m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of r

eput

ation

al im

pact

to

orga

nizat

ion

• No

n-co

mpli

ance

wi

th

majo

r fin

ancia

l pe

naltie

s or

pr

osec

ution

s. •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity


116

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

10

Hum

an R

esou

rce

10.1

Re

cruit

men

t

3.0

0

• Pr

oces

s ris

ks w

ith t

olera

ble

risk o

n th

e or

ganiz

ation

. •

Non-

com

plian

ce

with

m

ajor

finan

cial p

enalt

ies.

• Po

ssibl

e fra

ud/

misa

ppro

priat

ion

• To

lerab

le im

pact

on

orga

nizat

ional

prof

itabil

ity

10

Hum

an R

esou

rce

10.2

Le

arnin

g an

d De

velop

men

t

3.7

5

• Pr

oces

s ris

ks w

ith m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of r

eput

ation

al im

pact

to

orga

nizat

ion

• Si

gnific

ant

thre

at t

o He

alth,

Sa

fety

& En

viron

men

t 10

Hu

man

Res

ourc

e 10

.3

Sepa

ratio

ns

3

.00

•

Proc

ess

risks

with

tole

rable

ris

k on

the

orga

nizat

ion.

• Po

ssibl

e fra

ud/

misa

ppro

priat

ion

• To

lerab

le im

pact

on

orga

nizat

ional

prof

itabil

ity

Case Study

117

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

10

Hum

an R

esou

rce

10.4

Pa

yroll

Pro

cess

3.4

0

• Pr

oces

s ris

ks w

ith m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of r

eput

ation

al im

pact

to

orga

nizat

ion

• Re

peat

ed

fraud

/ m

isapp

ropr

iation

11

Pr

ojects

11

.1

Plan

ning

and

Inve

stmen

t

4.5

0

• Pr

oces

s ris

ks w

ith c

ritica

l risk

on

the

orga

nizat

ion.

• Ri

sk

of

high

repu

tatio

nal

impa

ct to

org

aniza

tion

• No

n-co

mpli

ance

wi

th

majo

r fin

ancia

l pe

naltie

s an

d pr

osec

ution

s. •

Impa

ct of

High

Fina

ncial

Los

s•

High

impa

ct on

org

aniza

tiona

l pr

ofita

bility

11

Pr

ojects

11

.2

Exec

ution

and

ha

ndov

er

4

.17

•

Proc

ess

risks

with

crit

ical r

isk

on th

e or

ganiz

ation

. •

Risk

of

hig

h re

puta

tiona

l im

pact

to o

rgan

izatio

n •

Non-

com

plian

ce

with

m

ajor


118

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

finan

cial

pena

lties

and

pros

ecut

ions.

• Im

pact

of H

igh F

inanc

ial L

oss

• Si

gnific

ant

thre

at t

o He

alth,

Sa

fety

& En

viron

men

t •

Repe

ated

fra

ud/

misa

ppro

priat

ion w

ith m

ajor

finan

cial

or

repu

tatio

nal

cons

eque

nces

•

High

impa

ct on

org

aniza

tiona

l pr

ofita

bility

12

Bu

sines

s De

velop

men

t 12

.1

Busin

ess

Deve

lopm

ent

2

.67

•

Impa

ct of

sign

ifican

t Fina

ncial

Lo

ss

• To

lerab

le im

pact

on

orga

nizat

ional

prof

itabil

ity

13

Explo

ratio

n &

deve

lopm

ent

13.1

Ex

plora

tion

& de

velop

men

t

3.5

0

• Pr

oces

s ris

ks w

ith m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of r

eput

ation

al im

pact

to

orga

nizat

ion

• Im

pact

of

Majo

r Fi

nanc

ial

Loss

Case Study

119

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

gC

orpo

rate

O

ffic

e Pl

ant

Dep

ot

• Si

gnific

ant

thre

at t

o He

alth,

Sa

fety

& En

viron

men

t •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

`

3

.67

•

Impa

ct of

M

ajor

Fina

ncial

Lo

ss

• Si

gnific

ant

thre

at t

o He

alth,

Sa

fety

& En

viron

men

t •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

3

.67

•

Impa

ct of

M

ajor

Fina

ncial

Lo

ss

• Si

gnific

ant

thre

at t

o He

alth,

Sa

fety

& En

viron

men

t •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity


120

Step

4: A

sses

s co

ntro

l env

ironm

ent

As

sign

the

cont

rol e

nviro

nmen

t ra

ting

for

each

of

the

ident

ified

audit

are

a an

d pr

ovide

rat

ional

for

assig

ning

the

cont

rol

envir

onm

ent r

ating

s.

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

1 Co

ntra

cts

1.1

Tend

ering

an

d RF

Q

4.0

0

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

4.0

0

• Pr

even

tive

or

dete

ctive

co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT

Prep

are

Audit

Un

iverse

Risk

Ide

ntific

atio

n

Risk

pr

ioritiz

atio

n and

ra

ting

Asse

ss

contr

ol en

viron

ment

Deriv

e Re

sidua

l Ri

sk R

ating

Deve

lop

Inter

nal

Audit

plan

Case Study

121

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

on

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

not

fo

rmall

y def

ined

and

ther

e m

ay

be p

ossib

le de

viatio

ns

1 Co

ntra

cts

1.2

Cont

racti

ng

and

Orde

ring

3

.80

•

Impa

ct of

M

ajor

Fina

ncial

Los

s•

Repe

ated

fra

ud/

misa

ppro

priat

ion

•

Majo

r im

pact

on

orga

nizat

ional

4.0

0

• Pr

even

tive

or

dete

ctive

co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT

en

viron

men

t wi

th m

issing

au

tom

ated

co

ntro

ls.


122

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

prof

itabil

ity

• Po

licy a

nd

Proc

edur

es n

ot

form

ally d

efine

d an

d th

ere

may

be

pos

sible

devia

tions

2

Plan

t Op

erat

ions

2.1

Prod

uctio

n an

d Di

stribu

tion

3

.91

•

Proc

ess r

isks

with

majo

r risk

on

the

orga

nizat

ion.

• Ri

sk o

f re

puta

tiona

l im

pact

to

orga

nizat

ion

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Si

gnific

ant

thre

at to

He

alth,

Saf

ety

3.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

but u

nlike

ly m

onito

ring

and

upda

te e

xerc

ise.

• Le

gal

com

plian

ce

fram

ewor

k with

m

inor

devia

tions

. •

Defin

ed P

olicy

an

d Pr

oced

ures

bu

t ins

uffic

ient

Case Study

123

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

& En

viron

men

t•

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

cont

rol o

n im

plem

enta

tion

and

com

plian

ce

to sa

me.

•

Cons

isten

t or

ganis

ation

gr

owth

with

po

ssibl

e los

ses

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion

and

Main

tena

nce

3

.83

•

Proc

ess r

isks

with

majo

r risk

on

the

orga

nizat

ion.

• Ri

sk o

f re

puta

tiona

l im

pact

to

orga

nizat

ion

• No

n-co

mpli

ance

wi

th m

ajor

finan

cial

3.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

but u

nlike

ly m

onito

ring

and

upda

te e

xerc

ise.

• Le

gal

com

plian

ce

fram

ewor

k with

m

inor

devia

tions

. •

Defin

ed P

olicy


124

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

pena

lties o

r pr

osec

ution

s. •

Impa

ct of

M

ajor

Fina

ncial

Los

s•

Sign

ifican

t th

reat

to

Healt

h, S

afet

y &

Envir

onm

ent

and

Proc

edur

es

but i

nsuf

ficien

t co

ntro

l on

imple

men

tatio

n an

d co

mpli

ance

to

sam

e.

• Co

nsist

ent

Orga

nisat

ion

grow

th w

ith

poss

ible

losse

s 2

Plan

t Op

erat

ions

2.3

Safe

ty an

d En

viron

men

t

4.5

0

• Ri

sk o

f high

re

puta

tiona

l im

pact

to

orga

nizat

ion

• No

n-co

mpli

ance

wi

th m

ajor

finan

cial

pena

lties a

nd

pros

ecut

ions.

3.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

but u

nlike

ly m

onito

ring

and

upda

te e

xerc

ise.

• Leg

al co

mpli

ance

fra

mew

ork w

ith

mino

r

Case Study

125

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

• Im

pact

of H

igh

Fina

ncial

Los

s•

Sign

ifican

t th

reat

to

Healt

h, S

afet

y &

Envir

onm

ent

• Hi

gh im

pact

on

orga

nizat

ional

prof

itabil

ity

devia

tions

. •

Defin

ed P

olicy

an

d Pr

oced

ures

bu

t ins

uffic

ient

cont

rol o

n im

plem

enta

tion

and

com

plian

ce

to sa

me.

•

Cons

isten

t Or

ganis

ation

gr

owth

with

po

ssibl

e los

ses

3 Dr

illing

3.

1 Dr

illing

3.8

0

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Si

gnific

ant

thre

at to

He

alth,

Saf

ety

& En

viron

men

t•

Majo

r im

pact

4.0

0

• Po

licy a

nd

Proc

edur

es n

ot

form

ally d

efine

d an

d th

ere

may

be

pos

sible

devia

tions

•

Cons

isten

t or

ganis

ation


126

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

on

orga

nizat

ional

prof

itabil

ity

grow

th w

ith

frequ

ent l

osse

s •

Inad

equa

te

boar

d m

onito

ring

and

gove

rnan

ce

struc

ture

4

Info

rmat

ion

Tech

nolog

y 4.

1 IT

Sec

urity

4.1

3

• Pro

cess

risk

s wi

th cr

itical

risk o

n th

e or

ganiz

ation

. •

Impa

ct of

High

Fi

nanc

ial L

oss

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on w

ith m

ajor

finan

cial o

r re

puta

tiona

l co

nseq

uenc

es

2.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

• Es

tabli

shed

ERP

sy

stem

and

IT

secu

rity

mea

sure

s •

Well

def

ined

Polic

y and

Pr

oced

ures

and

m

inor d

eviat

ions

Case Study

127

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

• M

issing

IT a

nd

ERP

syste

ms

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

3

.43

•

Proc

ess r

isks

with

majo

r risk

on

the

orga

nizat

ion.

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

• De

ficien

t IT

and

ERP

syste

ms

2.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

• Es

tabli

shed

ERP

sy

stem

and

IT

secu

rity

mea

sure

s •

Well

def

ined

Polic

y and

Pr

oced

ures

and

m

inor d

eviat

ions

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

3.6

4

• Pr

oces

s risk

s wi

th m

ajor

risk o

n th

e or

ganiz

ation

. •

Impa

ct of

M

ajor

Fina

ncial

2.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

• W

ell d

efine

d Po

licy a

nd

Proc

edur

es a

nd


128

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

Loss

•

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

mino

r dev

iation

s•

Cons

isten

t or

ganis

ation

gr

owth

with

un

likely

loss

es.

6 Re

sear

ch

and

Deve

lopm

ent

6.1

Rese

arch

an

d De

velop

men

t

2

.33

•

Proc

ess r

isks

with

toler

able

risk o

n th

e or

ganiz

ation

. •

Toler

able

impa

ct on

or

ganiz

ation

al pr

ofita

bility

1.0

0

• Ex

isten

ce o

f str

ong

Prev

entiv

e or

de

tecti

ve co

ntro

l wi

th m

echa

nism

fo

r con

tinuo

us

mon

itorin

g an

d up

date

the

sam

e.

• W

ell e

stabli

shed

ER

P sy

stem

and

IT

secu

rity

mea

sure

s •

Well

def

ined

and

imple

men

ted

Case Study

129

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

Polic

y and

Pr

oced

ures

•

Cons

isten

t or

ganis

ation

gr

owth

with

rare

su

rpris

es

7 M

ater

ial

Man

agem

ent

7.1

MM

- Pl

annin

g &

Rece

iving

3

.33

•

Proc

ess r

isks

with

majo

r ris

k on

the

orga

nizat

ion.

• Im

pact

of

Majo

r Fi

nanc

ial

Loss

•

Repe

ated

fra

ud/

misa

ppro

priat

ion

•

Majo

r im

pact

on

5.0

0

• M

issing

pr

even

tive

or

dete

ctive

co

ntro

ls •

Insu

fficie

nt IT

en

viron

men

t wi

th m

issing

au

tom

ated

co

ntro

ls.

• P

olicy

and

Pr

oced

ures

not

de

fined

•

Inco

nsist

ent

orga

nisat

ion


130

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

orga

nizat

ional

prof

itabil

ity

grow

th w

ith

majo

r los

ses

• In

adeq

uate

de

cent

ralis

ation

of

dec

ision

m

aking

7

Mat

erial

M

anag

emen

t 7.

2 M

M -

Depo

t

2.8

3

• Pr

oces

s risk

s wi

th to

lerab

le ris

k on

the

orga

nizat

ion.

• Po

ssibl

e th

reat

to

Healt

h, S

afet

y & En

viron

men

t •

Poss

ible

fraud

/ m

isapp

ropr

iati

on

• To

lerab

le

5.0

0

• M

issing

pr

even

tive

or

dete

ctive

co

ntro

ls •

Insu

fficie

nt IT

en

viron

men

t wi

th m

issing

au

tom

ated

co

ntro

ls.

• Po

licy a

nd

Proc

edur

es n

ot

defin

ed

• In

cons

isten

t or

ganis

ation

Case Study

131

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

impa

ct on

or

ganiz

ation

al pr

ofita

bility

grow

th w

ith

majo

r los

ses

• In

adeq

uate

de

cent

ralis

ation

of

dec

ision

m

aking

7

Mat

erial

M

anag

emen

t 7.

3 M

M -

Inve

ntor

y Ha

ndlin

g an

d St

orag

e

3

.20

•

Proc

ess r

isks

with

majo

r ris

k on

the

orga

nizat

ion.

• Im

pact

of

majo

r Fi

nanc

ial lo

ss•

Repe

ated

fra

ud/

misa

ppro

priat

ion

•

Majo

r im

pact

on

orga

nizat

ional

5.0

0

• M

issing

pr

even

tive

or

dete

ctive

co

ntro

ls •

Insu

fficie

nt IT

en

viron

men

t wi

th m

issing

au

tom

ated

co

ntro

ls.

• Po

licy a

nd

Proc

edur

es n

ot

defin

ed

• In

cons

isten

t Or

ganis

ation


132

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

prof

itabil

ity

grow

th w

ith

majo

r los

ses

• In

adeq

uate

de

cent

ralis

ation

of

dec

ision

m

aking

8

Well

Log

ging

8.1

Well

Log

ging

3

.00

•

Proc

ess r

isks

with

toler

able

risk o

n th

e or

ganiz

ation

. •

Toler

able

impa

ct on

or

ganiz

ation

al pr

ofita

bility

1.0

0

• Ex

isten

ce o

f str

ong

prev

entiv

e or

de

tecti

ve co

ntro

l wi

th m

echa

nism

fo

r con

tinuo

us

mon

itorin

g an

d up

date

the

sam

e.

• W

ell e

stabli

shed

ER

P sy

stem

and

IT

secu

rity

mea

sure

s •

Well

def

ined

and

Case Study

133

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

imple

men

ted

polic

y and

pr

oced

ures

•

Cons

isten

t or

ganis

ation

gr

owth

with

rare

su

rpris

es

9 Fi

nanc

e an

d Ac

coun

ts 9.

1 Fi

nanc

ial

Plan

ning

and

Analy

sis

3

.50

•

Proc

ess r

isks

with

majo

r risk

on

the

orga

nizat

ion.

• Im

pact

of

majo

r fina

ncial

los

s •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

3.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

but u

nlike

ly m

onito

ring

and

upda

te e

xerc

ise.

• Le

gal

com

plian

ce

fram

ewor

k with

m

inor

devia

tions

. •

Esta

blish

ed E

RP

syste

m a

nd IT


134

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

secu

rity

mea

sure

s •

Defin

ed P

olicy

an

d Pr

oced

ures

bu

t ins

uffic

ient

cont

rol o

n im

plem

enta

tion

and

com

plian

ce

to sa

me.

•

Cons

isten

t Or

ganis

ation

gr

owth

with

po

ssibl

e los

ses

9 Fi

nanc

e an

d Ac

coun

ts 9.

2 Tr

easu

ry

4

.00

•

Impa

ct of

M

ajor

Fina

ncial

Los

s•

Repe

ated

fra

ud/

misa

ppro

priat

ion

3.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

but u

nlike

ly m

onito

ring

and

upda

te e

xerc

ise.

• Es

tabli

shed

ERP

Case Study

135

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

syste

m a

nd IT

se

curit

y m

easu

res

• De

fined

Poli

cy

and

Proc

edur

es

but i

nsuf

ficien

t co

ntro

l on

imple

men

tatio

n an

d co

mpli

ance

to

sam

e.

• Co

nsist

ent

orga

nisat

ion

grow

th w

ith

poss

ible

losse

s 9

Fina

nce

and

Acco

unts

9.3

Fina

ncial

Re

porti

ng

3

.50

• P

roce

ss ri

sks

with

majo

r risk

on

the

orga

nizat

ion.

• Ri

sk o

f re

puta

tiona

l

4.0

0

• Pr

even

tive

or

dete

ctive

co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Miss

ing le

gal


136

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

impa

ct to

or

ganiz

ation

•

Non-

com

plian

ce

with

majo

r fin

ancia

l pe

naltie

s or

pros

ecut

ions.

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

com

plian

ce

fram

ewor

k with

alt

erna

tive

mea

sure

to

mon

itor l

egal

com

plian

ce.

• M

oder

ate

IT

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

pr

oced

ures

not

fo

rmall

y def

ined

and

ther

e m

ay

be p

ossib

le de

viatio

ns.

9 Fi

nanc

e an

d Ac

coun

ts 9.

4 As

set

Man

agem

ent

4

.00

•

Impa

ct of

m

ajor f

inanc

ial

loss

4.0

0

• Pr

even

tive

or

dete

ctive

co

ntro

ls no

t

Case Study

137

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

ident

ified

or

defin

ed

• M

oder

ate

IT

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

pr

oced

ures

not

fo

rmall

y def

ined

and

ther

e m

ay

be p

ossib

le de

viatio

ns

• Co

nsist

ent

orga

nisat

ion

grow

th w

ith

frequ

ent l

osse

s. 9

Fina

nce

and

Acco

unts

9.5

Paya

bles

3

.40

•

Proc

ess r

isks

with

majo

r risk

on

the

4.0

0

• Pr

even

tive

or

dete

ctive

co

ntro

ls no

t


138

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

orga

nizat

ion.

• Ri

sk o

f re

puta

tiona

l im

pact

to

orga

nizat

ion

• Rep

eate

d fra

ud/

misa

ppro

priat

ion

ident

ified

or

defin

ed

• M

oder

ate

IT

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

not

fo

rmall

y def

ined

and

ther

e m

ay

be p

ossib

le de

viatio

ns

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng a

nd

Rece

ivable

s

3.5

0

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of

repu

tatio

nal

impa

ct to

3.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

but u

nlike

ly m

onito

ring

and

upda

te e

xerc

ise.

• Es

tabli

shed

ERP

Case Study

139

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

orga

nizat

ion

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

syste

m a

nd IT

se

curit

y m

easu

res

• De

fined

Poli

cy

and

Proc

edur

es

but i

nsuf

ficien

t co

ntro

l on

imple

men

tatio

n an

d co

mpli

ance

to

sam

e.

• Co

nsist

ent

orga

nisat

ion

grow

th w

ith

poss

ible

losse

s 9

Fina

nce

and

Acco

unts

9.7

JV

Oper

ation

s

4.0

0

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of

repu

tatio

nal

4.0

0

• Pr

even

tive

or

dete

ctive

co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT


140

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

impa

ct to

or

ganiz

ation

•

Impa

ct of

M

ajor

Fina

ncial

Los

s•

Repe

ated

fra

ud/

misa

ppro

priat

ion

•

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

not

fo

rmall

y def

ined

and

ther

e m

ay

be p

ossib

le de

viatio

ns

• Co

nsist

ent

Orga

nisat

ion

grow

th w

ith

frequ

ent l

osse

s •

Inad

equa

te

boar

d m

onito

ring

and

gove

rnan

ce

struc

ture

9

Fina

nce

and

9.8

Taxa

tion

4

.00

•

Proc

ess r

isks

4.0

0

• Pr

even

tive

or

Case Study

141

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

Acco

unts

with

majo

r risk

on

the

orga

nizat

ion.

• Ri

sk o

f re

puta

tiona

l im

pact

to

orga

nizat

ion

• No

n-co

mpli

ance

wi

th m

ajor

finan

cial

pena

lties o

r pr

osec

ution

s. •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

dete

ctive

co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Miss

ing L

egal

com

plian

ce

fram

ewor

k with

alt

erna

tive

mea

sure

to

mon

itor l

egal

com

plian

ce.

• M

oder

ate

IT

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

not

fo

rmall

y def

ined

and

ther

e m

ay


142

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

be p

ossib

le de

viatio

ns

10

Hum

an

Reso

urce

10

.1

Recr

uitm

ent

3

.00

•

Proc

ess r

isks

with

toler

able

risk o

n th

e or

ganiz

ation

. •

Non-

com

plian

ce

with

majo

r fin

ancia

l pe

naltie

s. •

Poss

ible

fraud

/ m

isapp

ropr

iati

on

• To

lerab

le im

pact

on

orga

nizat

ional

prof

itabil

ity

4.0

0

• Pr

even

tive

or

dete

ctive

co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT

en

viron

men

t wi

th m

issing

au

tom

ated

co

ntro

ls.

• Po

licy a

nd

Proc

edur

es n

ot

form

ally d

efine

d an

d th

ere

may

be

pos

sible

devia

tions

•

Cons

isten

t or

ganis

ation

Case Study

143

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

grow

th w

ith

frequ

ent l

osse

s •

Inad

equa

te

boar

d m

onito

ring

and

gove

rnan

ce

struc

ture

10

Hu

man

Re

sour

ce

10.2

Le

arnin

g an

d De

velop

men

t

3.7

5

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of

repu

tatio

nal

impa

ct to

or

ganiz

ation

•

Sign

ifican

t th

reat

to

Healt

h, S

afet

y &

Envir

onm

ent 4

.00

•

Prev

entiv

e or

de

tecti

ve

cont

rols

not

ident

ified

or

defin

ed

• M

oder

ate

IT

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

not

fo

rmall

y def

ined


144

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

and

ther

e m

ay

be p

ossib

le de

viatio

ns

• Co

nsist

ent

orga

nisat

ion

grow

th w

ith

frequ

ent l

osse

s •

Inad

equa

te

boar

d m

onito

ring

and

gove

rnan

ce

struc

ture

10

Hu

man

Re

sour

ce

10.3

Se

para

tions

3.0

0

• Pr

oces

s risk

s wi

th to

lerab

le ris

k on

the

orga

nizat

ion.

• Po

ssibl

e fra

ud/

misa

ppro

priat

ion

•

Toler

able

4.0

0

• Pr

even

tive

or

dete

ctive

co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT

en

viron

men

t wi

th m

issing

Case Study

145

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

impa

ct on

or

ganiz

ation

al pr

ofita

bility

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

not

fo

rmall

y def

ined

and

ther

e m

ay

be p

ossib

le de

viatio

ns

• Co

nsist

ent

orga

nisat

ion

grow

th w

ith

frequ

ent l

osse

s •

Inad

equa

te

boar

d m

onito

ring

and

gove

rnan

ce

struc

ture

10

Hu

man

Re

sour

ce

10.4

Pa

yroll

Pr

oces

s

3.4

0

• P

roce

ss ri

sks

with

majo

r risk

on

the

5.0

0

• M

issing

pr

even

tive

or

dete

ctive


146

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

orga

nizat

ion.

• Ri

sk o

f re

puta

tiona

l im

pact

to

orga

nizat

ion

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

cont

rols

• In

suffi

cient

IT

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

not

de

fined

. 11

Pr

ojects

11

.1

Plan

ning

and

Inve

stmen

t

4.5

0

• Pr

oces

s risk

s wi

th cr

itical

risk o

n th

e or

ganiz

ation

. •

Risk

of h

igh

repu

tatio

nal

impa

ct to

or

ganiz

ation

•

Non-

com

plian

ce

with

majo

r

3.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

but u

nlike

ly m

onito

ring

and

upda

te e

xerc

ise.

• De

fined

Poli

cy

and

Proc

edur

es

but i

nsuf

ficien

t co

ntro

l on

imple

men

tatio

n

Case Study

147

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

finan

cial

pena

lties a

nd

pros

ecut

ions.

• Im

pact

of H

igh

Fina

ncial

Los

s•

High

impa

ct on

or

ganiz

ation

al pr

ofita

bility

and

com

plian

ce

to sa

me.

•

Cons

isten

t or

ganis

ation

gr

owth

with

po

ssibl

e los

ses

11

Proje

cts

11.2

Ex

ecut

ion

and

hand

over

4

.17

•

Proc

ess r

isks

with

critic

al ris

k on

the

orga

nizat

ion.

• Ri

sk o

f high

re

puta

tiona

l im

pact

to

orga

nizat

ion

• No

n-co

mpli

ance

wi

th m

ajor

finan

cial

4.0

0

• Pr

even

tive

or

dete

ctive

co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Polic

y and

Pr

oced

ures

not

fo

rmall

y def

ined

and

ther

e m

ay

be p

ossib

le de

viatio

ns

• Co

nsist

ent


148

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

pena

lties a

nd

pros

ecut

ions.

• Im

pact

of H

igh

Fina

ncial

Los

s•

Sign

ifican

t th

reat

to

Healt

h, S

afet

y &

Envir

onm

ent

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on w

ith m

ajor

finan

cial o

r re

puta

tiona

l co

nseq

uenc

es•

High

impa

ct on

or

ganiz

ation

al pr

ofita

bility

orga

nisat

ion

grow

th w

ith

frequ

ent l

osse

s •

Inad

equa

te

boar

d m

onito

ring

and

gove

rnan

ce

struc

ture

.

12

Busin

ess

Deve

lopm

ent

12.1

Bu

sines

s De

velop

men

t

2.6

7

• Im

pact

of

signif

icant

2

.00

•

Defin

ed

Prev

entiv

e or

Case Study

149

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

Fina

ncial

Los

s•

Toler

able

impa

ct on

or

ganiz

ation

al pr

ofita

bility

dete

ctive

cont

rol

• W

ell d

efine

d Po

licy a

nd

Proc

edur

es a

nd

mino

r dev

iation

s•

Cons

isten

t or

ganis

ation

gr

owth

with

un

likely

loss

es.

13

Explo

ratio

n &

deve

lopm

ent

13.1

Ex

plora

tion

& de

velop

men

t

3.5

0

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of

repu

tatio

nal

impa

ct to

or

ganiz

ation

•

Impa

ct of

M

ajor

Fina

ncial

Los

s

3.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

but u

nlike

ly m

onito

ring

and

upda

te e

xerc

ise.

• Le

gal

com

plian

ce

fram

ewor

k with

m

inor

devia

tions

.


150

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

• Si

gnific

ant

thre

at to

He

alth,

Saf

ety

& En

viron

men

t•

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

• De

fined

Poli

cy

and

Proc

edur

es

but i

nsuf

ficien

t co

ntro

l on

imple

men

tatio

n an

d co

mpli

ance

to

sam

e.

• Co

nsist

ent

orga

nisat

ion

grow

th w

ith

poss

ible

losse

s 14

M

ainte

nanc

e 14

.1

Pipe

line

Main

tena

nce

3

.67

•

Impa

ct of

M

ajor

Fina

ncial

Los

s•

Sign

ifican

t th

reat

to

Healt

h, S

afet

y &

Envir

onm

ent

• M

ajor i

mpa

ct on

3.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

but u

nlike

ly m

onito

ring

and

upda

te e

xerc

ise.

• Le

gal

com

plian

ce

fram

ewor

k with

Case Study

151

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

orga

nizat

ional

prof

itabil

ity

mino

r de

viatio

ns.

• De

fined

Poli

cy

and

Proc

edur

es

but i

nsuf

ficien

t co

ntro

l on

imple

men

tatio

n an

d co

mpli

ance

to

sam

e.

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

3

.67

•

Impa

ct of

M

ajor

Fina

ncial

Los

s•

Sign

ifican

t th

reat

to

Healt

h, S

afet

y &

Envir

onm

ent

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

3.0

0

• De

fined

Pr

even

tive

or

dete

ctive

cont

rol

but u

nlike

ly m

onito

ring

and

upda

te e

xerc

ise.

• Le

gal

com

plian

ce

fram

ewor

k with

m

inor

devia

tions

.


152

D.

Sr.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

nmen

t R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Cor

pora

te

Off

ice

Plan

t D

epot

• De

fined

Poli

cy

and

Proc

edur

es

but i

nsuf

ficien

t co

ntro

l on

imple

men

tatio

n an

d co

mpli

ance

to

sam

e.

Case Study

153

Step

5: D

eriv

e R

esid

ual R

isk

Rat

ing

De

rive

Resid

ual R

isk R

ating

s fo

r ea

ch o

f the

iden

tified

aud

it ar

ea b

y us

ing th

e pr

oduc

t of I

nitial

Risk

Rat

ings

and

Cont

rol

Envir

onm

ent R

ating

s.

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

1 Co

ntra

cts

1.1

Tend

ering

an

d RF

Q

4.00

•

Impa

ct of

M

ajor

Fina

ncial

Los

s •

Repe

ated

fra

ud/

misa

ppro

priat

i

4.00

•

Prev

entiv

e or

det

ectiv

e co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT

en

viron

men

t

16.

00

Prep

are

Audit

Un

iverse

Risk

Ide

ntific

atio

n

Risk

pr

ioritiz

atio

n and

ra

ting

Asse

ss

contr

ol en

viron

ment

Deriv

e Re

sidua

l Ri

sk

Ratin

g

Deve

lop

Inter

nal

Audit

plan


154

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

on

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

no

t for

mall

y de

fined

and

th

ere

may

be

pos

sible

devia

tions

1

Cont

racts

1.

2 Co

ntra

cting

an

d Or

derin

g

3.

80

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

• M

ajor i

mpa

ct on

or

ganiz

ation

al

4.00

•

Prev

entiv

e or

det

ectiv

e co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT

en

viron

men

t wi

th m

issing

au

tom

ated

co

ntro

ls.

16.

00

Case Study

155

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

prof

itabil

ity

• Po

licy a

nd

proc

edur

es

not f

orm

ally

defin

ed a

nd

ther

e m

ay

be p

ossib

le de

viatio

ns

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

3.

91

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of

repu

tatio

nal

impa

ct to

or

ganiz

ation

•

Impa

ct of

M

ajor

Fina

ncial

Los

s •

Sign

ifican

t th

reat

to

3.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l but

un

likely

m

onito

ring

and

upda

te

exer

cise.

•

Lega

l co

mpli

ance

fra

mew

ork

with

mino

r de

viatio

ns.

12.

00


156

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

Healt

h, S

afet

y & En

viron

men

t •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

• De

fined

Po

licy a

nd

Proc

edur

es

but

insuf

ficien

t co

ntro

l on

imple

men

tat

ion a

nd

com

plian

ce

to sa

me.

•

Cons

isten

t or

ganis

ation

gr

owth

with

po

ssibl

e los

ses

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion

and

Main

tena

nce

3.83

•

Proc

ess r

isks

with

majo

r risk

on

the

orga

nizat

ion.

• Ri

sk o

f

3.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l but

un

likely

12.

00

Case Study

157

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

repu

tatio

nal

impa

ct to

or

ganiz

ation

•

Non-

com

plian

ce

with

majo

r fin

ancia

l pe

naltie

s or

pros

ecut

ions.

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Si

gnific

ant

thre

at to

He

alth,

Saf

ety

& Envir

onm

ent

mon

itorin

g an

d up

date

ex

ercis

e.

• Le

gal

com

plian

ce

fram

ewor

k wi

th m

inor

devia

tions

. •

Defin

ed

Polic

y and

Pr

oced

ures

bu

t ins

uffic

ient

cont

rol o

n im

plem

enta

tion

and

co

mpli

ance

to

sam

e.

• Co

nsist

ent

orga

nisat

ion


158

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

grow

th w

ith

poss

ible

losse

s 2

Plan

t Op

erat

ions

2.3

Safe

ty an

d En

viron

men

t

4.

50

• Ri

sk o

f high

re

puta

tiona

l im

pact

to

orga

nizat

ion

• No

n-co

mpli

ance

wi

th m

ajor

finan

cial

pena

lties a

nd

pros

ecut

ions.

• Im

pact

of H

igh

Fina

ncial

Los

s •

Sign

ifican

t th

reat

to

Healt

h, S

afet

y & En

viron

men

t

3.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l but

un

likely

m

onito

ring

and

upda

te

exer

cise.

•

Lega

l co

mpli

ance

fra

mew

ork

with

mino

r de

viatio

ns.

• De

fined

Po

licy a

nd

Proc

edur

es

but

14.

00

Case Study

159

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

• Hi

gh im

pact

on

orga

nizat

ional

prof

itabil

ity

insuf

ficien

t co

ntro

l on

imple

men

tat

ion a

nd

com

plian

ce

to sa

me.

•

Cons

isten

t Or

ganis

atio

n gr

owth

wi

th

poss

ible

losse

s 3

Drilli

ng

3.1

Drilli

ng

3.

80

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Si

gnific

ant

thre

at to

He

alth,

Saf

ety

& Envir

onm

ent

4.00

•

Polic

y and

Pr

oced

ures

no

t for

mall

y de

fined

and

th

ere

may

be

pos

sible

devia

tions

•

Cons

isten

t

16.

00


160

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

Orga

nisat

ion

grow

th

with

fre

quen

t los

ses

• In

adeq

uate

bo

ard

mon

itorin

g an

d go

vern

ance

str

uctu

re

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

4.

13

• Pr

oces

s risk

s wi

th cr

itical

risk o

n th

e or

ganiz

ation

. •

Impa

ct of

High

Fi

nanc

ial L

oss

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

2.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l •

Esta

blish

ed

ERP

syste

m

and

IT

secu

rity

mea

sure

s

9.0

0

Case Study

161

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

on w

ith m

ajor

finan

cial o

r re

puta

tiona

l co

nseq

uenc

es

• M

issing

IT

and

ERP

syste

ms

• W

ell d

efine

d Po

licy a

nd

Proc

edur

es

and

mino

r de

viatio

ns

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

3.

43

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Repe

ated

fra

ud/

misa

ppro

priat

ion

•

Defic

ient I

T an

d ER

P sy

stem

s

2.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l •

Esta

blish

ed

ERP

syste

m

and

IT

secu

rity

mea

sure

s •

Well

def

ined

Polic

y and

Pr

oced

ures

an

d m

inor

7.0

0


162

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

devia

tions

5

Geolo

gy &

Re

serv

oir

5.1

Geolo

gy &

Re

serv

oir

3.

64

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Impa

ct of

M

ajor

Fina

ncial

Los

s •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

2.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l •

Well

def

ined

Polic

y and

Pr

oced

ures

an

d m

inor

devia

tions

•

Cons

isten

t or

ganis

ation

gr

owth

with

un

likely

los

ses.

8.0

0

6 Re

sear

ch

and

Deve

lopm

ent6.

1 Re

sear

ch

and

Deve

lopm

ent

2.

33

• Pr

oces

s risk

s wi

th to

lerab

le ris

k on

the

orga

nizat

ion.

• To

lerab

le

1.00

•

Exist

ence

of

stron

g Pr

even

tive

or d

etec

tive

cont

rol w

ith

3.0

0

Case Study

163

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

impa

ct on

or

ganiz

ation

al pr

ofita

bility

mec

hanis

m

for

cont

inuou

s m

onito

ring

and

upda

te

the

sam

e.

• W

ell

esta

blish

ed

ERP

syste

m

and

IT

secu

rity

mea

sure

s •

Well

def

ined

and

imple

men

ted

Polic

y and

Pr

oced

ures

•

Cons

isten

t or

ganis

ation

gr

owth

with


164

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

rare

su

rpris

es

7 M

ater

ial

Man

agem

ent7.

1 M

M -

Plan

ning

& Re

ceivi

ng

3.

33

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Impa

ct of

M

ajor

Fina

ncial

Los

s •

Repe

ated

fra

ud/

misa

ppro

priat

ion

•

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

5.00

•

Miss

ing

prev

entiv

e or

det

ectiv

e co

ntro

ls •

Insu

fficie

nt

IT

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

no

t def

ined

• In

cons

isten

t or

ganis

ation

gr

owth

with

m

ajor

losse

s

17.

00

Case Study

165

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

• In

adeq

uate

de

cent

ralis

atio

n of

de

cision

m

aking

7

Mat

erial

M

anag

emen

t7.2

MM

- De

pot

2.83

•

Proc

ess r

isks

with

toler

able

risk o

n th

e or

ganiz

ation

. •

Poss

ible

thre

at to

He

alth,

Saf

ety

& Envir

onm

ent

• Po

ssibl

e fra

ud/

misa

ppro

priat

ion

•

Toler

able

impa

ct on

5.00

•

Miss

ing

prev

entiv

e or

det

ectiv

e co

ntro

ls •

Insu

fficie

nt

IT

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

no

t def

ined

• In

cons

isten

t or

ganis

ation

15.

00


166

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

orga

nizat

ional

prof

itabil

ity

grow

th w

ith

majo

r los

ses

• In

adeq

uate

de

cent

ralis

atio

n of

de

cision

m

aking

7

Mat

erial

M

anag

emen

t7.3

MM

- In

vent

ory

Hand

ling

and

Stor

age

3.

20

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Impa

ct of

M

ajor

Fina

ncial

Los

s •

Repe

ated

fra

ud/

misa

ppro

priat

ion

•

Majo

r im

pact

5.00

•

Miss

ing

prev

entiv

e or

det

ectiv

e co

ntro

ls •

Insu

fficie

nt

IT

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

16.

00

Case Study

167

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

on

orga

nizat

ional

prof

itabil

ity

not d

efine

d •

Inco

nsist

ent

orga

nisat

ion

grow

th w

ith

majo

r los

ses

• In

adeq

uate

de

cent

ralis

atio

n of

de

cision

m

aking

8

Well

Log

ging8

.1

Well

Lo

gging

3.00

•

Proc

ess r

isks

with

toler

able

risk o

n th

e or

ganiz

ation

. •

Toler

able

impa

ct on

or

ganiz

ation

al pr

ofita

bility

1.00

•

Exist

ence

of

stron

g Pr

even

tive

or d

etec

tive

cont

rol w

ith

mec

hanis

m

for

cont

inuou

s m

onito

ring

3.0

0


168

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

and

upda

te

the

sam

e.

• W

ell

esta

blish

ed

ERP

syste

m

and

IT

secu

rity

mea

sure

s •

Well

def

ined

and

imple

men

ted

Polic

y and

Pr

oced

ures

•

Cons

isten

t or

ganis

ation

gr

owth

with

ra

re

surp

rises

9

Fina

nce

and

Acco

unts

9.1

Fina

ncial

Pl

annin

g

3.50

• P

roce

ss ri

sks

with

majo

r risk

3.

00

• De

fined

Pr

even

tive

11.

00

Case Study

169

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

and

Analy

sis

on th

e or

ganiz

ation

. •

Impa

ct of

M

ajor

Fina

ncial

Los

s •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

or d

etec

tive

cont

rol b

ut

unlik

ely

mon

itorin

g an

d up

date

ex

ercis

e.

• Le

gal

com

plian

ce

fram

ewor

k wi

th m

inor

devia

tions

. •

Esta

blish

ed

ERP

syste

m

and

IT

secu

rity

mea

sure

s •

Defin

ed

Polic

y and

Pr

oced

ures

bu

t


170

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

insuf

ficien

t co

ntro

l on

imple

men

tat

ion a

nd

com

plian

ce

to sa

me.

•

Cons

isten

t or

ganis

ation

gr

owth

with

po

ssibl

e los

ses

9 Fi

nanc

e an

d Ac

coun

ts 9.

2 Tr

easu

ry

4.

00

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

• M

ajor i

mpa

ct on

3.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l but

un

likely

m

onito

ring

and

upda

te

exer

cise.

•

Esta

blish

ed

12.

00

Case Study

171

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

orga

nizat

ional

prof

itabil

ity

ERP

syste

m

and

IT

secu

rity

mea

sure

s •

Defin

ed

Polic

y and

Pr

oced

ures

bu

t ins

uffic

ient

cont

rol o

n im

plem

enta

tion

and

co

mpli

ance

to

sam

e.

• Co

nsist

ent

orga

nisat

ion

grow

th w

ith

poss

ible

losse

s 9

Fina

nce

and

9.3

Fina

ncial

3.50

•

Proc

ess r

isks

4.00

•

Prev

entiv

e 1

4.00


172

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

Acco

unts

Repo

rting

wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of

repu

tatio

nal

impa

ct to

or

ganiz

ation

•

Non-

com

plian

ce

with

majo

r fin

ancia

l pe

naltie

s or

pros

ecut

ions.

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

or d

etec

tive

cont

rols

not

ident

ified

or

defin

ed

• M

issing

Le

gal

com

plian

ce

fram

ewor

k wi

th

alter

nativ

e m

easu

re to

m

onito

r leg

al co

mpli

ance

. •

Mod

erat

e IT

en

viron

men

t wi

th m

issing

au

tom

ated

co

ntro

ls.

• Po

licy a

nd

Case Study

173

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

Proc

edur

es

not f

orm

ally

defin

ed a

nd

they

may

be

poss

ible

devia

tions

. 9

Fina

nce

and

Acco

unts

9.4

Asse

t M

anag

eme

nt

4.

00

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

4.00

•

Prev

entiv

e or

det

ectiv

e co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT

en

viron

men

t wi

th m

issing

au

tom

ated

co

ntro

ls.

• Po

licy a

nd

Proc

edur

es

not f

orm

ally

defin

ed a

nd

16.

00


174

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

they

may

be

poss

ible

devia

tions

•

Cons

isten

t or

ganis

ation

gr

owth

with

fre

quen

t los

ses.

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

3.40

•

Proc

ess r

isks

with

majo

r risk

on

the

orga

nizat

ion.

• Ri

sk o

f re

puta

tiona

l im

pact

to

orga

nizat

ion

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

4.00

•

Prev

entiv

e or

det

ectiv

e co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT

en

viron

men

t wi

th m

issing

au

tom

ated

co

ntro

ls.

• Po

licy a

nd

Proc

edur

es

14.

00

Case Study

175

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

not f

orm

ally

defin

ed a

nd

they

may

be

poss

ible

devia

tions

9

Fina

nce

and

Acco

unts

9.6

Invo

icing

an

d Re

ceiva

bles

3.

50

• Pro

cess

risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of

repu

tatio

nal

impa

ct to

or

ganiz

ation

•

Impa

ct of

M

ajor

Fina

ncial

Los

s •

Repe

ated

fra

ud/

misa

ppro

priat

ion

3.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l but

un

likely

m

onito

ring

and

upda

te

exer

cise.

•

Esta

blish

ed

ERP

syste

m

and

IT

secu

rity

mea

sure

s •

Defin

ed

Polic

y and

11.

00


176

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

Proc

edur

es

but

insuf

ficien

t co

ntro

l on

imple

men

tat

ion a

nd

com

plian

ce

to sa

me.

•

Cons

isten

t or

ganis

ation

gr

owth

with

po

ssibl

e los

ses

9 Fi

nanc

e an

d Ac

coun

ts 9.

7 JV

Op

erat

ions

4.

00

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of

repu

tatio

nal

impa

ct to

4.00

•

Prev

entiv

e or

det

ectiv

e co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT

en

viron

men

t

16.

00

Case Study

177

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

orga

nizat

ion

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

no

t for

mall

y de

fined

and

th

ey m

ay b

e po

ssibl

e de

viatio

ns

• Co

nsist

ent

orga

nisat

ion

grow

th w

ith

frequ

ent

losse

s •

Inad

equa

te

boar

d m

onito

ring

and

gove

rnan

ce


178

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

struc

ture

9

Fina

nce

and

Acco

unts

9.8

Taxa

tion

4.

00

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of

repu

tatio

nal

impa

ct to

or

ganiz

ation

•

Non-

com

plian

ce

with

majo

r fin

ancia

l pe

naltie

s or

pros

ecut

ions.

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

4.00

•

Prev

entiv

e or

det

ectiv

e co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Miss

ing

Lega

l co

mpli

ance

fra

mew

ork

with

alt

erna

tive

mea

sure

to

mon

itor

legal

com

plian

ce.

• M

oder

ate

IT

envir

onm

ent

with

miss

ing

auto

mat

ed

16.

00

Case Study

179

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

cont

rols.

•

Polic

y and

Pr

oced

ures

no

t for

mall

y de

fined

and

th

ere

may

be

pos

sible

devia

tions

10

Hu

man

Re

sour

ce

10.1

Rec

ruitm

ent

3.00

•

Proc

ess r

isks

with

toler

able

risk o

n th

e or

ganiz

ation

. •

Non-

com

plian

ce

with

majo

r fin

ancia

l pe

naltie

s. •

Poss

ible

fraud

/ m

isapp

ropr

iati

4.00

•

Prev

entiv

e or

det

ectiv

e co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT

en

viron

men

t wi

th m

issing

au

tom

ated

co

ntro

ls.

• Po

licy a

nd

Proc

edur

es

12.

00


180

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

on

• T

olera

ble

impa

ct on

or

ganiz

ation

al pr

ofita

bility

not f

orm

ally

defin

ed a

nd

ther

e m

ay

be p

ossib

le de

viatio

ns

• Co

nsist

ent

orga

nisat

ion

grow

th w

ith

frequ

ent

losse

s •

Inad

equa

te

boar

d m

onito

ring

and

gove

rnan

ce

struc

ture

10

Hu

man

Re

sour

ce

10.2

Lea

rning

an

d De

velop

me

nt

3.

75

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

.

4.00

•

Prev

entiv

e or

det

ectiv

e co

ntro

ls no

t ide

ntifie

d or

15.

00

Case Study

181

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

• Ri

sk o

f re

puta

tiona

l im

pact

to

orga

nizat

ion

• Si

gnific

ant

thre

at to

He

alth,

Saf

ety

& Envir

onm

ent

defin

ed

• M

oder

ate

IT

envir

onm

ent

with

miss

ing

auto

mat

ed

cont

rols.

•

Polic

y and

Pr

oced

ures

no

t for

mall

y de

fined

and

th

ere

may

be

pos

sible

devia

tions

•

Cons

isten

t or

ganis

ation

gr

owth

with

fre

quen

t los

ses

• In

adeq

uate

bo

ard


182

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

mon

itorin

g an

d go

vern

ance

str

uctu

re

10

Hum

an

Reso

urce

10

.3 S

epar

ation

s

3.00

• P

roce

ss ri

sks

with

toler

able

risk o

n th

e or

ganiz

ation

. •

Poss

ible

fraud

/ m

isapp

ropr

iati

on

• To

lerab

le im

pact

on

orga

nizat

ional

prof

itabil

ity

4.00

•

Prev

entiv

e or

det

ectiv

e co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Mod

erat

e IT

en

viron

men

t wi

th m

issing

au

tom

ated

co

ntro

ls.

• Po

licy a

nd

Proc

edur

es

not f

orm

ally

defin

ed a

nd

ther

e m

ay

be p

ossib

le

12.

00

Case Study

183

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

devia

tions

•

Cons

isten

t or

ganis

ation

gr

owth

with

fre

quen

t los

ses

• In

adeq

uate

bo

ard

mon

itorin

g an

d go

vern

ance

str

uctu

re

10

Hum

an

Reso

urce

10

.4 P

ayro

ll Pr

oces

s

3.40

•

Proc

ess r

isks

with

majo

r risk

on

the

orga

nizat

ion.

• Ri

sk o

f re

puta

tiona

l im

pact

to

orga

nizat

ion

5.00

• M

issing

pr

even

tive

or d

etec

tive

cont

rols

• Ins

uffic

ient

IT

envir

onm

ent

with

miss

ing 1

7.00


184

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

• Re

peat

ed

fraud

/ m

isapp

ropr

iati

on

auto

mat

ed

cont

rols.

• P

olicy

and

Pr

oced

ures

no

t def

ined.

11

Pr

ojects

11

.1 P

lannin

g an

d In

vestm

ent

4.

50

• Pr

oces

s risk

s wi

th cr

itical

risk o

n th

e or

ganiz

ation

. •

Risk

of h

igh

repu

tatio

nal

impa

ct to

or

ganiz

ation

•

Non-

com

plian

ce

with

majo

r fin

ancia

l pe

naltie

s and

pr

osec

ution

s. •

Impa

ct of

High

3.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l but

un

likely

m

onito

ring

and

upda

te

exer

cise.

•

Defin

ed

Polic

y and

Pr

oced

ures

bu

t ins

uffic

ient

cont

rol o

n im

plem

enta

t

14.

00

Case Study

185

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

Fina

ncial

Los

s •

High

impa

ct on

or

ganiz

ation

al pr

ofita

bility

ion a

nd

com

plian

ce

to sa

me.

•

Cons

isten

t or

ganis

ation

gr

owth

with

po

ssibl

e los

ses

11

Proje

cts

11.2

Exe

cutio

n an

d ha

ndov

er

4.

17

• Pr

oces

s risk

s wi

th cr

itical

risk o

n th

e or

ganiz

ation

. •

Risk

of h

igh

repu

tatio

nal

impa

ct to

or

ganiz

ation

•

Non-

com

plian

ce

with

majo

r fin

ancia

l

4.00

•

Prev

entiv

e or

det

ectiv

e co

ntro

ls no

t ide

ntifie

d or

de

fined

•

Polic

y and

Pr

oced

ures

no

t for

mall

y de

fined

and

th

ere

may

be

pos

sible

devia

tions

17.

00


186

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

pena

lties a

nd

pros

ecut

ions.

• Im

pact

of H

igh

Fina

ncial

Los

s •

Sign

ifican

t th

reat

to

Healt

h, S

afet

y & En

viron

men

t •

Repe

ated

fra

ud/

misa

ppro

priat

ion

with

majo

r fin

ancia

l or

repu

tatio

nal

cons

eque

nces

•

High

impa

ct on

or

ganiz

ation

al pr

ofita

bility

• Co

nsist

ent

Orga

nisat

ion

grow

th

with

fre

quen

t los

ses

• In

adeq

uate

bo

ard

mon

itorin

g an

d go

vern

ance

str

uctu

re.

Case Study

187

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

12

Busin

ess

Deve

lopm

ent12

.1 B

usine

ss

Deve

lopm

ent

2.

67

• Im

pact

of

signif

icant

Fi

nanc

ial L

oss

• To

lerab

le im

pact

on

orga

nizat

ional

prof

itabil

ity

2.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l •

Well

def

ined

Polic

y and

Pr

oced

ures

an

d m

inor

devia

tions

•

Cons

isten

t Or

ganis

atio

n gr

owth

wi

th u

nlike

ly los

ses.

6.0

0

13

Explo

ratio

n &

deve

lopm

ent 13

.1 E

xplor

ation

& de

velop

me

nt

3.

50

• Pr

oces

s risk

s wi

th m

ajor r

isk

on th

e or

ganiz

ation

. •

Risk

of

repu

tatio

nal

3.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l but

un

likely

m

onito

ring

11.

00


188

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

impa

ct to

or

ganiz

ation

•

Impa

ct of

M

ajor

Fina

ncial

Los

s •

Sign

ifican

t th

reat

to

Healt

h, S

afet

y & En

viron

men

t •

Majo

r im

pact

on

orga

nizat

ional

prof

itabil

ity

and

upda

te

exer

cise.

•

Lega

l co

mpli

ance

fra

mew

ork

with

mino

r de

viatio

ns.

• De

fined

Po

licy a

nd

Proc

edur

es

but

insuf

ficien

t co

ntro

l on

imple

men

tat

ion a

nd

com

plian

ce

to sa

me.

•

Cons

isten

t Or

ganis

atio

n gr

owth

Case Study

189

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

with

po

ssibl

e los

ses

14

Main

tena

nce 1

4.1

Pipe

line

Main

tena

nce

3.

67

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Si

gnific

ant

thre

at to

He

alth,

Saf

ety

& Envir

onm

ent

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

3.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l but

un

likely

m

onito

ring

and

upda

te

exer

cise.

•

Lega

l co

mpli

ance

fra

mew

ork

with

mino

r de

viatio

ns.

• De

fined

Po

licy a

nd

Proc

edur

es

but

11.

00


190

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

insuf

ficien

t co

ntro

l on

imple

men

tat

ion a

nd

com

plian

ce

to sa

me.

14

M

ainte

nanc

e 14.

2 Eq

uipm

ent

Main

tena

nce

3.

67

• Im

pact

of

Majo

r Fi

nanc

ial L

oss

• Si

gnific

ant

thre

at to

He

alth,

Saf

ety

& Envir

onm

ent

• M

ajor i

mpa

ct on

or

ganiz

ation

al pr

ofita

bility

3.00

•

Defin

ed

Prev

entiv

e or

det

ectiv

e co

ntro

l but

un

likely

m

onito

ring

and

upda

te

exer

cise.

•

Lega

l co

mpli

ance

fra

mew

ork

with

mino

r de

viatio

ns.

• De

fined

11.

00

Case Study

191

D.

Sr.

No.

Dep

artm

ent

P.

Sr.

No.

Proc

ess

Bus

ines

s Lo

catio

ns

Initi

al

Ris

k R

atin

g

Rat

iona

le fo

r In

itial

Ris

k R

atin

g

Con

trol

En

viro

n-m

ent R

atin

g

Rat

iona

le fo

r C

ontr

ol

Envi

ronm

ent

Rat

ing

Res

idua

l R

isk

Scor

e(R

ound

ed

up)

Cor

pora

te

Off

ice

Plan

tD

epot

Polic

y and

Pr

oced

ures

bu

t ins

uffic

ient

cont

rol o

n im

plem

enta

tion

and

co

mpli

ance

to

sam

e.


192

Step

6: D

evel

op In

tern

al A

udit

Plan

(a

) Ar

rive

at th

e fre

quen

cy o

f the

inte

rnal

audit

usin

g th

e re

sidua

l risk

sco

re c

alcula

ted

in th

e pr

eviou

s ste

ps. T

he fo

llowi

ng

defin

itions

could

be

used

for a

rrivin

g at

the

frequ

ency

of a

udit

in th

e tim

e sp

an o

f 3 ye

ars.

Hi

gh R

isk –

Aud

it ar

eas h

aving

resid

ual r

isk sc

ore

of m

ore

than

12

which

nee

d to

be

audit

ed e

very

year

.

Med

ium R

isk -

Audit

are

as h

aving

resid

ual r

isk s

core

of m

ore

than

or e

qual

to 9

but

less

than

or e

qual

to 1

2 wh

ich

need

to b

e au

dited

twice

in th

ree

year

s.

Lo

w Ri

sk -

Audit

are

as h

aving

resid

ual r

isk s

core

of m

ore

than

or e

qual

to 5

but

less

than

or e

qual

to 8

whic

h ne

ed

to b

e au

dited

onc

e in

thre

e ye

ars.

Acce

ptab

le - A

udit

area

s ha

ving

resid

ual r

isk s

core

of l

ess

than

5 w

hich

could

to b

e au

dited

bas

ed o

n m

anag

emen

t dis

cret

ion.

(b)

Prep

are

the

annu

al au

dit p

lan b

y ide

ntify

ing th

e ar

eas t

hat n

eed

to b

e au

dit in

year

1, y

ear 2

and

year

3.

Prep

are

Aud

it U

nive

rse

Ris

k Id

entif

icat

ion

Ris

k pr

iorit

izat

ion

and

ra

ting

Asse

ss

contr

ol en

viro

nmen

t

Der

ive

Res

idua

l R

isk

Rat

ing

Dev

elop

In

tern

al

Aud

it pl

an

Case Study

193

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Con

trol

En

viro

nmen

t R

atin

g

Res

idua

l R

isk

Scor

e

Freq

uenc

y of

Aud

it A

udit

Plan

Year

- 1

Aud

it Pl

anYe

ar -

2

Aud

it Pl

anYe

ar -

3

Cor

pora

te

Off

ice

Plan

t D

epot

1 Co

ntra

cts

1.1

Tend

ering

an

d RF

Q

4.00

4.

00

16.0

0 Ev

ery Y

ear

1 Co

ntra

cts

1.2

Cont

racti

ng

and

Orde

ring

3.

80

4.00

16

.00

Ever

y Yea

r

2 Pl

ant

Oper

ation

s 2.

1 Pr

oduc

tion

and

Distr

ibutio

n

3.

91

3.00

12

.00

Twice

in 3

ye

ars

2 Pl

ant

Oper

ation

s 2.

2 Op

erat

ion

and

Main

tena

nce

3.

83

3.00

12

.00

Twice

in 3

ye

ars

2 Pl

ant

Oper

ation

s 2.

3 Sa

fety

and

Envir

onm

ent

4.

50

3.00

14

.00

Twice

in 3

ye

ars

3 Dr

illing

3.

1 Dr

illing

3.80

4.

00

16.0

0 Ev

ery Y

ear

4 In

form

ation

Te

chno

logy

4.1

IT S

ecur

ity

4.

13

2.00

9.

00

Twice

in 3

ye

ars

4 In

form

ation

Te

chno

logy

4.2

ERP

and

othe

r ap

plica

tions

3.

43

2.00

7.

00

Once

in 3

ye

ars


194

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Con

trol

En

viro

nmen

t R

atin

g

Res

idua

l R

isk

Scor

e

Freq

uenc

y of

Aud

it A

udit

Plan

Year

- 1

Aud

it Pl

anYe

ar -

2

Aud

it Pl

anYe

ar -

3

Cor

pora

te

Off

ice

Plan

t D

epot

5 Ge

ology

&

Rese

rvoir

5.

1 Ge

ology

&

Rese

rvoir

3.64

2.

00

8.00

On

ce in

3

year

s

6 Re

sear

ch

and

Deve

lopm

ent

6.1

Rese

arch

an

d De

velop

men

t

2.

33

1.00

3.

00

Acce

ptab

le

7 M

ater

ial

Man

agem

ent

7.1

MM

- Pl

annin

g &

Rece

iving

3.

33

5.00

17

.00

Ever

y Yea

r

7 M

ater

ial

Man

agem

ent

7.2

MM

- De

pot

2.

83

5.00

15

.00

Ever

y Yea

r

7 M

ater

ial

Man

agem

ent

7.3

MM

- In

vent

ory

Hand

ling

and

Stor

age

3.

20

5.00

16

.00

Ever

y Yea

r

8 W

ell L

oggin

g 8.

1 W

ell L

oggin

g

3.00

1.

00

3.00

Ac

cept

able

9 Fi

nanc

e an

d Ac

coun

ts 9.

1 Fi

nanc

ial

Plan

ning

and

Analy

sis

3.

50

3.00

11

.00

Twice

in 3

ye

ars

9 Fi

nanc

e an

d 9.

2 Tr

easu

ry

4.

00

3.00

12

.00

Twice

in 3

Case Study

195

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Con

trol

En

viro

nmen

t R

atin

g

Res

idua

l R

isk

Scor

e

Freq

uenc

y of

Aud

it A

udit

Plan

Year

- 1

Aud

it Pl

anYe

ar -

2

Aud

it Pl

anYe

ar -

3

Cor

pora

te

Off

ice

Plan

t D

epot

Acco

unts

year

s

9 Fi

nanc

e an

d Ac

coun

ts 9.

3 Fi

nanc

ial

Repo

rting

3.50

4.

00

14.0

0 Tw

ice in

3

year

s

9 Fi

nanc

e an

d Ac

coun

ts 9.

4 As

set

Man

agem

ent

4.00

4.

00

16.0

0 Ev

ery Y

ear

9 Fi

nanc

e an

d Ac

coun

ts 9.

5 Pa

yable

s

3.40

4.

00

14.0

0 Tw

ice in

3

year

s

9 Fi

nanc

e an

d Ac

coun

ts 9.

6 In

voici

ng a

nd

Rece

ivable

s

3.50

3.

00

11.0

0 Tw

ice in

3

year

s

9 Fi

nanc

e an

d Ac

coun

ts 9.

7 JV

Op

erat

ions

4.

00

4.00

16

.00

Ever

y Yea

r

9 Fi

nanc

e an

d Ac

coun

ts 9.

8 Ta

xatio

n

4.00

4.

00

16.0

0 Ev

ery Y

ear

10

Hum

an

Reso

urce

10

.1

Recr

uitm

ent

3.

00

4.00

12

.00

Twice

in 3

ye

ars

10

Hum

an

Reso

urce

10

.2

Lear

ning

and

Deve

lopm

ent

3.75

4.

00

15.0

0 Ev

ery Y

ear


196

D. S

r.

no.

Dep

artm

ent

P. S

r.

No.

Pr

oces

s B

usin

ess

Loca

tions

In

itial

R

isk

Rat

ing

Con

trol

En

viro

nmen

t R

atin

g

Res

idua

l R

isk

Scor

e

Freq

uenc

y of

Aud

it A

udit

Plan

Year

- 1

Aud

it Pl

anYe

ar -

2

Aud

it Pl

anYe

ar -

3

Cor

pora

te

Off

ice

Plan

t D

epot

10

Hum

an

Reso

urce

10

.3

Sepa

ratio

ns

3.

00

4.00

12

.00

Twice

in 3

ye

ars

10

Hum

an

Reso

urce

10

.4

Payr

oll

Proc

ess

3.

40

5.00

17

.00

Ever

y Yea

r

11

Proje

cts

11.1

Pl

annin

g an

d In

vestm

ent

4.

50

3.00

14

.00

Twice

in 3

ye

ars

11

Proje

cts

11.2

Ex

ecut

ion

and

hand

over

4.

17

4.00

17

.00

Ever

y Yea

r

12

Busin

ess

Deve

lopm

ent

12.1

Bu

sines

s De

velop

men

t

2.67

2.

00

6.00

On

ce in

3

year

s

13

Explo

ratio

n & de

velop

men

t

13.1

Ex

plora

tion

& deve

lopm

ent

3.

50

3.00

11

.00

Twice

in 3

ye

ars

14

Main

tena

nce

14.1

Pi

pelin

e M

ainte

nanc

e

3.67

3.

00

11.0

0 Tw

ice in

3

year

s

14

Main

tena

nce

14.2

Eq

uipm

ent

Main

tena

nce

3.

67

3.00

11

.00

Twice

in 3

ye

ars

PrepRisk

PrepAud

Unive

pare Heat k Based In

pare dit erse

RisIdenti

o

Map – Grnternal Au

sk ificatin

Ripriorit

n arat

197

raphical pudit Plan

sk tizatioand ing

Asscon

envirn

presentat

sess ntrol ronment

DeRes

Risk

Case Stu

ion of the

erive sidual Rating

DevInte

Aud

udy

e

velop ernal it plan

guide on risk based internal auudit plan

Documents