Rbi A Manual

A Risk Based
Internal Audit
Manual
This spreadsheet shows the data for an a risk based
internal audit of accounts payable (number 205). It
requires modifying for your organization.
Details for using this risk based audit spreadsheet

are included in Book 4 'Audit Manual ' available on
www.internalaudit.biz
David Griffiths
v1.0
205 Accounts Payable Audit

Introduction
Objective of this spreadsheet
This spreadsheet represents the audit working papers on which the Audit
Manual (Book 4) is based.
The contents are similar to that used for the audit working papers in Book 1An introduction, except the Word documents are included in the manual, not
as separate documents. Worksheets are included for these documents, in
order to provide a complete file
Worksheets are:
A Audit details: The primary function being audited and where it stands in
the organization (see the COSO 'cube')
A Milestones: Important target dates in the audit
A Audit plan: Daily outline plan covering the period of the audit
A Audit diary: Details of the work done each day
B Functions: Some typical functions which might be in a charity. Risks are
linked to these.
B Processes: Some typical processes which might be in a retail company.
Risks are linked to these, which helps group risks together which can be
checked by the same audit.
C Scope: Links to scopes
D Meetings: Links to notes of meetings
E Risk Maturity: Checklist which assists in determining the risk maturity of
the organization.
F Objectives, Risks and Controls Register: The foundation of risk based
internal auditing. The audit is based around this.
F Process risks: Diagram of processes and associated risks
G Tests: Links to test schedules
H Potential Deficiencies: Potential deficiencies noted as they arise
H Deficiencies for discussion: Deficiencies to be discussed with
management
I Draft report: Links to draft reports and follow-up memos
J Final Report: Links to final report and associated memos
K Quality control: Links to review notes and staff targets and appraisals
L Follow up: Links to follow up reports
Summary: Table showing numbers of risks in each assessment category.
Used for the report.
Scoring risks: Gives examples of risk scoring
Version control: Shows changes made for this version and date of issue
Risk based internal auditing by David Griffiths is licensed under a Creative Commons Attribution-NonC
Letters on worksheet tabs refer to the relevant audit manual section
Incont

Audit details
Audit Group
This audit number
Last audit number
Audit name
Accounts payable
205
(This is the first audit)
Accounts payable
Department
Function
Operating unit
Division
Entity
Accounts Payable
Accounting Services
Finance
n/a
The Retail Company

Milestones
Milestones
Resp
Target
Achieved
Set up audit on quarterly plan

Set up computer directories
Set up meetings
Issue draft scope
Final scope signed off.
P Jones
Authorizing signature:
CAE
Auditor
Auditor
Auditor
CAE
1-Nov-X0
16-Dec-X0
16-Dec-X0
17-Dec-X0
12-Jan-X1
2-Nov-X0
16-Dec-X0
16-Dec-X0
18-Dec-X0
12-Jan-X1
Final scope issued

Auditor
Risk maturity confirmed
Auditor
Processes mapped
Auditor
Inherent risks agreed
Auditor
Controls tested
Auditor
Residual risks scored and agreed
Auditor
Deficiencies entered into the database Auditor
Mid-audit file review
CAE
Deficiencies agreed with business
Auditor
Draft report issued
Auditor
Final report signed off.
P Jones CAE
Authorizing signature:
13-Jan-X1
2-Feb-X1
3-Feb-X1
4-Feb-X1
12-Feb-X1
12-Feb-X1
13-Feb-X1
16-Feb-X1
19-Feb-X1
20-Feb-X1
5-Mar-X1
13-Jan-X1
2-Feb-X1
3-Feb-X1
5-Feb-X1
12-Feb-X1
12-Feb-X1
13-Feb-X1
17-Feb-X1
19-Feb-X1
23-Feb-X1
8-Mar-X1
Final report circulated

Auditor
(COSO deficiencies report
Auditor
completed)
End audit file review
CAE
All staff appraised
CAE
Paper files stored in archives
Auditor
Feedback to be obtained from:
Accounts Payable Manager (Mike Khan)
Head of Accounting Services (Anita Smith)
Other Comments:
8-Mar-X1
8-Mar-X1
12-Mar-X1
18-Mar-X1
19-Mar-X1
8-Mar-X1
8-Mar-X1
12-Mar-X1
19-Mar-X1
19-Mar-X1
date
15-Mar-X1
16-Mar-X1

Audit timetable
This audit - 205
Date
M Davis
F Sawyer
15-Dec-X0 Monday 205 Briefing from CAE
16-Dec-X0 Tuesday 205 Set up files/scope
17-Dec-X0 Wednesda205 Issue draft scope
200 Testing
18-Dec-X0 Thursday 204 Testing
204 Testing
200 Testing
19-Dec-X0 Friday
200 Testing
05-Jan-X1 Monday 204 Testing
06-Jan-X1 Tuesday 205 Scope meeting
07-Jan-X1 Wednesda205 Amend scope
200 Testing
08-Jan-X1 Thursday 204 Testing
204 Testing
200 Testing
09-Jan-X1 Friday
12-Jan-X1 Monday 205 CAE approves scope
13-Jan-X1 Tuesday 205 Issue final scope
200 Testing
14-Jan-X1 Wednesda204 Testing
200 Testing
15-Jan-X1 Thursday 204 Testing
204 Testing
200 Testing
16-Jan-X1 Friday
19-Jan-X1 Monday Holiday
20-Jan-X1 Tuesday Holiday
21-Jan-X1 WednesdaHoliday
22-Jan-X1 Thursday Holiday
Holiday
23-Jan-X1 Friday
Course
Course
Course
Course
Course
26-Jan-X1 Monday 204 Testing

27-Jan-X1 Tuesday 204 Testing
28-Jan-X1 Wednesda204 Write report
29-Jan-X1 Thursday 204 Write report
204 Write report
30-Jan-X1 Friday
31-Jan-X1 Saturday
1-Feb-X1 Sunday
02-Feb-X1 Monday 205 Testing
03-Feb-X1 Tuesday 205 Testing
04-Feb-X1 Wednesda205 Testing
05-Feb-X1 Thursday 205 Testing
205 Testing
06-Feb-X1 Friday
07-Feb-X1 Saturday
08-Feb-X1 Sunday
09-Feb-X1 Monday 205 Testing
10-Feb-X1 Tuesday 205 Testing
11-Feb-X1 Wednesda205 Testing
12-Feb-X1 Thursday 205 Testing
200 Testing
200 Testing
200 Write report
200 Write report
200 Write report
205 Testing
205 Testing
205 Testing
205 Testing
205 Testing
205 Testing
205 Testing
205 Testing
205 Testing
P Jones (CAE)
Holiday
Holiday
Holiday
Holiday
Holiday
Out of office
Out of office
205 Testing
205 Testing
13-Feb-X1 Friday
14-Feb-X1 Saturday
15-Feb-X1 Sunday
16-Feb-X1 Monday 205 assemble issues
17-Feb-X1 Tuesday 205 Write draft report
18-Feb-X1 Wednesda205 Close-down meeting Write draft report
19-Feb-X1 Thursday 205 Write draft report
205 Write draft report
20-Feb-X1 Friday
21-Feb-X1 Saturday
22-Feb-X1 Sunday
23-Feb-X1 Monday 205 Issue draft report
24-Feb-X1 Tuesday 210 Briefing from CAE
25-Feb-X1 Wednesda210 Set up files/scope
26-Feb-X1 Thursday 210 Issue draft scope
Write final 204
Write final 200
27-Feb-X1 Friday
28-Feb-X1 Saturday
29-Feb-X1 Sunday
Write final 200
01-Mar-X1 Monday Write final 204
Write final 200
02-Mar-X1 Tuesday Write final 204
03-Mar-X1 Wednesda205 Receive comments
04-Mar-X1 Thursday 205 Write final report
05-Mar-X1 Friday
Final reports sign approval 200, 204, 205
06-Mar-X1 Saturday
07-Mar-X1 Sunday
08-Mar-X1 Monday Issue final reports 200, 204, 205
Out of office
Out of office
Out of office
Out of office
M Khan
Holiday
Holiday
Holiday
Holiday
Holiday
In office
In office
In office
In office
In office
In office
In office
In office
In office
In office
In office
Out of office
Out of office

Audit diary
No.
Title
205 Accounts Payable
Staff 1
Staff 2
Max Davis
Frank Sawyer
Date
Next action
13-Nov Briefing from CAE. Audit Look at documentation,
due early Feb.
including Objectives and Risk
Register and accounts payable
manuals. Prepare draft scope
15-Dec Briefing from CAE. Draft Set up directories and
scope agreed with CAE documentation. Draft scope to be
issued 17 Dec
18-Dec Issued draft scope.
Prepare for Jan 6 meeting
(Additional work on audit
203 delayed the issue)
and agenda for Jan 6
meeting.
6-Jan Met Head of Accounting
Services and AP Manager
Jan-12 Obtained CAE approval.
Jan-13 Final scope issued
Mon Feb Meeting with AP Manager
and Supervisors.
2
Assessment risk maturity
Update draft scope. Obtain

approval. Arrange meeting with
AP
Manager
and Supervisors
Issue
final scope.
Write up notes from meeting.
Finish assessment risk maturity
Feb-03 Assessment risk maturity.
Assess risk scores. Test
Feb-04 Test operation of controls
Follow up JB Associates
invoices.
Draw diagrams of functions operation of controls.

and processes. Decided on
audit approach
Checked invoices with no

order. Mostly legal and
properly approved but one
found for J B Associates.
Properly approved but why
no order? No report
produced.
Feb-05 Pete Cooke wrote an

Write up all details
enquiry program to find
invoices with no order.
Many JB Associates. All
addressed to Jim Higson
(the budget holder) and
signed by him. Checked
with Pat Jones. Meeting
arranged with COO.
Feb-06 Meeting to update Anita Write up notes
and Mike on progress.
Meeting with Chief
Operations Officer about
invoices with no orders.
Feb-09 Continued tests
Feb-13 Issues entered into
Complete file. Write draft report
ORCR. Informal meeting
with Mike Khan to
confirm issues found.
Feb-17 CAE completed file
Draft report
review. (One day late due
to her workload)
Feb-19 Issues agreed with
business
Draft report
23-Feb Draft report issued

3-Mar All comments received.
Draft report updated.
Issue final report

Get CAE approval
8-Mar CAE approved final

AUDIT COMPLTETE
report. (She was not
available on 5Mar) Final
report issued
Timing
Q1 20X1
Man
Pat Jones
Target date
14-Dec
17-Dec
6-Jan
Jan-09
Jan-13
Jan-13
Feb-02
Feb-13
Feb-05
Feb-06
Feb-09
Feb-13
16-Feb
20-Feb
20-Feb
8-Mar
5-Mar

Company organization chart for Accounting Services

Company processes for Accounts Payable
(See Risk and Audit Universe spreadsheet for top-level processes)

Scope
(Hyperlinks to scope documents)
Ref
Document
Hyperlink
Word
Draft scope
Note with draft scope
Final scope
Note with final scope
In manual
In manual
In manual
(not included)

Meetings
Date
Contents
Hyperlink
Agenda for meeting with Head of Accounting Services

and AP Manager
In manual
6-Jan-X1
Notes from meeting with Head of Accounting Services

and AP Manager (6 January)
In manual
2-Feb-X1
Notes from the meeting with AP Manager and

Supervisors (2 Feb) (not included)
(Not included)
6-Feb-X1
Notes from the meeting with the AP Manager and Head (Not included)
of Accounting Services to update them on progress (not
included)
6-Feb-X1
19-Feb-X1
Notes from the meeting between the Chief Operations

Officer, Chief Financial Officer, Head of Accounting
Services CAE and Office Managers (not included)
Notes from the meeting with the AP Manager and Head
of Accounting Services after field work has finished to
discuss issues (not included)
(Not included)
(Not included)

Assessment of risk maturity
From 'An approach to implementing Risk Based Internal Auditing' (IIA-UK and Ireland) - may no longer be availa
Modified by a checklist in Guide to ISO 310000. Hyperlink:
Objective Level 1
Maintain profit of existing business
Risk Level 1
Processes do not support the business
Objective Level 2
Pay suppliers the correct amount at the

time agreed
Risk Level 2
Losses result from inadequate controls
Controls
Establish a risk management framework

to identify risks threatening the
objectives and responses required to
manage the risks. See below for details.
Control ISO31000
Control COSO (attribute)
Risk Architecture
Statement produced that sets out
risk responsibilities and lists the
risk-based matters reserved for the
board
Establishes Responsibility and Accountability for

Executing Policies and Procedures management
establishes responsibility and accountability for control
activities with management (or other designated
personnel) of the operating unit or function in which the
relevant risks reside

board

Executing Policies and Procedures management
establishes responsibility and accountability for control
activities with management (or other designated
personnel) of the operating unit or function in which the
relevant risks reside
Risk management responsibilities Monitoring activities-Assessing and overseeing the

allocated to an appropriate
nature and scope of monitoring activities and the
management committee
management's evaluation and remediation of
deficiencies
Arrangements are in place to

ensure the availability of
appropriate competent advice on
risks and controls
Attracts, Develops, and Retains Individualsthe

organization provides the mentoring and training
needed to attract, develop, and retain sufficient and
competent personnel and outsourced service providers
to support the achievement of objectives
Risk aware culture exists within the Evaluates Performance Measures, Incentives, and
organization and actions are in
Rewards for Ongoing relevancemanagement and the
hand to enhance the level of risk board of directors align incentives and rewards with the
maturity
fulfillment of internal control responsibilities in the
achievement of objectives
Sources of risk assurance for the
Board have been identified and
validated
Defines, assigns and limits authorities and

Responsibilities management and the board of
directors delegate authority, define responsibilities, use
appropriate process and technology to assign
responsibilities and segregate duties as necessary at
the various levels of the organization
Risk Strategy
Risk management policy produced Considers tolerances for risk- Management consider the acceptable
that describes risk appetite, risk
levels of variation relative to the achievement of operations
culture and philosophy
objectives
Key dependencies for success

identified, together with the matters
that should be avoided
Business objectives validated and Reflects Managements ChoicesThe operations objectives reflect
the assumptions underpinning
managements choices about structure, industry considerations, and
those objectives tested
performance of the entity
Business objectives validated and Reflects Managements ChoicesThe operations objectives reflect
the assumptions underpinning
managements choices about structure, industry considerations, and
those objectives tested
performance of the entity
Significant risks faced by the

organization identified, together
with the critical controls required
Includes Entity, Subsidiary, Division, Operating Unit, and Functional

Levelsthe organization identifies and assesses risks at the entity,
subsidiary, division, operating unit, and functional levels relevant to
the achievement of objectives
Risk management action plan

established that includes the use
of key risk indicators, as
appropriate
Estimates Significance of Risks Identifiedmanagement ensures

that identified risks are analyzed through a process that includes
estimating the potential significance of the risk
Necessary resources identified

and provided to support the risk
management activities
Evaluates Performance and Rewards or Disciplines Individuals

management and the board of directors evaluate performance of
internal control responsibilities, including adherence to standards of
conduct and expected levels of competence and provide rewards or
exercise disciplinary action as appropriate
Risk Protocols
Appropriate risk management
Estimates Significance of Risks Identifiedmanagement ensures
framework identified and adopted, that identified risks are analyzed through a process that includes
with modifications as appropriate estimating the potential significance of the risk
Suitable and sufficient risk

assessments completed and the
results recorded in an appropriate
manner
Procedures to include risk as part Assesses Changes in the Business Modelthe organization
of business decision-making
considers the potential impacts of new business lines, dramatically
established and implemented
altered compositions of existing business lines, acquired or divested
business operations on the system of internal control, rapid growth,
changing reliance on foreign geographies and new technologies
Procedures to include risk as part Assesses Changes in the External Environmentthe risk
of business decision-making
identification process consider changes to regulatory, economic,
established and implemented
and the physical environment in which the entity operates
Details of required risk responses Determines How to Respond to Risksmanagement ensures that
recorded, together with
the risk assessment includes considering how the risk should be
arrangements to track risk
managed and whether to accept, avoid, reduce, or share the risk
improvement recommendations
Details of required risk responses Reassesses Policies and Proceduresmanagement periodically
recorded, together with
reviews control activities to determine their continued relevance,
arrangements to track risk
and refresh them when necessary
improvement recommendations
Incident reporting procedures
established to facilitate
identification of risk trends,
together with risk escalation
procedures
Communicates with the Board of Directorscommunication exists

between management and the board of directors so that both have
information needed to fulfill their roles with respect to the entitys
objectives
Business continuity plans and

disaster recovery plans
established and regularly tested
No equivalent
Arrangements in place to audit the Involves Appropriate Levels of ManagementThe organization puts
efficiency and effectiveness of the into place effective risk assessment mechanisms that involve
controls in place for significant
appropriate levels of management
risks
Arrangements in place to audit the Involves Appropriate Levels of ManagementThe organization puts
efficiency and effectiveness of the into place effective risk assessment mechanisms that involve
controls in place for significant
appropriate levels of management
risks
Arrangements in place for

Assesses Resultsmanagement and the board of directors, as
mandatory reporting on risk,
appropriate, assess results of ongoing and separate evaluations
including reports on at least the
following: Risk appetite, tolerance
and constraints; Risk architecture
and risk escalation procedures;
Risk aware culture currently in
place; Risk assessment
arrangements and protocols;
Significant risks and key risk
indicators; Critical controls and
control weaknesses; Sources of
assurance available to the Board
d) - may no longer be available

http://www.ferma.eu/risk-management/standards/iso-standard
Overall Conclusion:
Internal audit action:
Control IIA with

amendments
AP Control

board.
The organization's intranet shows a statement

from the board setting out the risk management
framework and the responsibilities of the board
and management.
Risks been allocated to specific job The ORCR shows risks allocated to specific job
titles
titles
Risk management responsibilities There is no Risk Management Committee but a

allocated to an appropriate
Head of Risk Management
management committee or
department
Management have been trained to All levels of staff have had risk awareness training
understand what risks are, and
their responsibility for them.
Managers are assessed on their

risk management performance,
which may require improvements
to the level of risk maturity
The Head of Accounting Services takes into

account risk management performance (including
internal audit reports) in her annual appraisal of
the AP manager
Sources of risk assurance for the

Board have been identified and
validated
The Board has identified in its intranet statement

that the Head of Risk Management is responsible
for assuring them that the ORCR accurately
reflects objectives, risks and control and that the
CAE is responsible for providing an opinion that all
the significant risks threatening the organization's
objectives are operating to bring the risks to within
the risk appetite set by the board.
The risk appetite of the

organization has been defined in
terms of the scoring system.
Risk Management have issued details of the risk

appetite, which are available on the company
intranet. The Board statement contains the
statements on risk culture and philosophy.
No equivalent
n/a
The organization's objectives are

defined
There is an annual meeting of senior management

to hear and discuss the organization's objectives
for the next year. The Head of Accounting Services
attends this meeting before having a meeting with
her Managers.
The organization's objectives are

defined
The Head of Accounting Services and AP Manager

meet to determine the objectives specifically for
AP. The results of this meeting are communicated
to all staff
Processes have been defined to

determine risks, and these have
been followed.
Risks threatening the objectives have been

identified using a risk workshop and interviews,
and the Objectives and Risk Register completed
A scoring system for assessing

risks has been defined.
Risk Management have issued standards for

scoring risks, which is available on the company
intranet
Responsibility for the

Job descriptions and targets include the need to
determination, assessment, and
determine, assess and operate controls, as
management of risks is included in appropriate to the job.
job descriptions and targets
All risks been assessed in

accordance with the defined
scoring system.
The ORCR shows risk scores based on the

standards set by Risk Management
All risks and controls have been

collected into one list.
Risk Management collect all risks into the ORCR
All significant new projects are

routinely assessed for risk
The AP manager is responsible for ensuring that

projects are assessed for risks
Risks are identified when functions New risks are notified to the keeper of the risk
and processes change due to
register - Risk Management
changes in the business or
external changes
Responses to the risks (e.g.
controls) have been selected and
implemented.
The AP Manager ensures all risks have

appropriate controls which should be operating
Risks are regularly reviewed by the Risk Management notify AP of significant risk
organization.
changes, for example resulting from new laws
Management have reported risks

to directors where responses are
not managing the risks to a level
acceptable to the board.
The AP manager meets the Head of Accounting

Services every month and highlights any risks
exceeding the risk appetite. The HoAS takes
action as appropriate
No equivalent
Management have set up controls Management have identified monitoring controls

to monitor the proper operation of for all risks listed in the ORCR for all risks with an
key controls.
inherent score of over 15
Management have set up controls AP operating manuals, which are used for training
to monitor the proper operation of and on-going reference, contain all the tasks which
key controls.
are responses to risks
Managers provide assurance on

the effectiveness of their risk
management
Annual check for all functions, who receive a report

of the objectives, risks and controls for which they
are responsible. This is signed and returned to
Risk Management.
Risk Managed
Audit risk management

Assume controls are as stated in
processes and use management the ORCR. Check that they are
assessment of risk as
an adequate response to the
appropriate
risks. Test controls over high
inherent risks
Audit test
Test result
Monitoring Control
Ensured the intranet statement is

easily accessible.
The statement is accessible and

comprehensive
Risk Management department

ensures all risks are allocated
Ensured risks are allocated to

managers.
Examined ORCR and confirmed all Risk Management department

risks allocated to appropriate
ensures all risks are allocated
people
Discussed this with Head of Risk

Management.
The Audit Committee have

discussed the need for a Risk
Management Committee but don't
consider it necessary
Interviewed managers to confirm

their understanding of risk and the
extent to which they manage it.
Head of Accounting Services and

AP Manager clearly understood
risks and their responsibility for
them (Meeting date: 6 Jan 20X1)
Examine a sample of appraisals for Risk management is included in

evidence that risks management
appraisals
was properly assessed for
performance.
Head of Accounting Services

checks that staff have been trained
The Chief Financial Officer checks

targets for the AP manager. The
Head of Accounting Services signs
off targets for all AP staff
Checked the intranet and examined

quarterly returns to the Audit
Committee from the Head of Risk
Management and CAE
Intranet statement seen. Quarterly The Audit Committee requires

assurance from the Head of Risk
quarterly returns
Management and opinion from the
CAE verified
Checked the document on which

the Board has approved the risk
appetite. Ensured it is consistent
with the scoring system and has
been communicated.
The risk appetite is consistent with None - except that managers would
the scoring system
complain if the risk appetite details
were not present
Checked the organization's

objectives have been determined
by the board and have been
communicated to all staff, by
examining the agendas from all
meetings.
Agendas for the meetings, and

The Head of Accounting Services
notes distributed after the meetings signs off targets for all AP staff,
show all the objectives
which should show evidence of the
need to achieve company and AP
objectives
Check other objectives and targets Agendas for the meetings, and
The Head of Accounting Services
are consistent with the
notes distributed after the meetings signs off targets for all AP staff,
organization's objectives.
show all the objectives
which should show evidence of the
need to achieve company and AP
objectives
Examined the processes to ensure
they are sufficient to ensure
identification of all risks. Checked
they are in use, by examining the
output from any workshops.
Risk Management held risk

workshops and included the results off ORCR
in the Objectives, Risks and
Controls Register (ORCR)
Checked the scoring system has

The standards are on the intranet
been approved, communicated and
is used.
Examined job descriptions and
targets.
None - except that managers would

complain if the standards were not
present
Job descriptions and targets include AP manager has set up a monthly

risk management and control tasks 'critical controls' checklist which
as necessary.
requires supervisors to confirm the
operation of key controls
Checked the scoring applied to a

The scoring is consistent
selection of risks is consistent with
the policy. Look for consistency
(that is, similar risks have similar
scores).

ensures all risks are scored
consistently
Examined theORCR. Ensured it is

complete, regularly reviewed,
assessed and used to manage
risks.
ORCR is complete, reviewed,

assessed and manages risks,
based on these audit results
None
Examine project proposals for an

analysis of the risks which might
threaten them.
Currently no new projects
Determined the process used to

update the register when external
or internal changes result in new
risks
There is no formal procedure to

notify Risk Management of new
risks, although e-mails have been
seen which notify Risk
Management

contacts all functions every quarter
to update the ORCR
Examined the risk register to

As part of this audit, checks of
ensure proper controls should be in responses will be made
place.

ensures all risks have responses
Met with Risk Management and

examined their procedures.
Quarterly meeting between Risk

Manager, Head of Tax, Chief Legal
Officer and CFO to discuss
emerging risks
Procedures are good. RM liaise

with Legal and Tax department to
ensure new risks are identified
For risks above the risk appetite,

No risks are above the risk appetite Risk Management check for any
check that the board has been
inherent risks above the risk
formally informed of their existence.
appetite
For significant risks, examined the

control(s) treating it and ensure
management would know if the
control failed.
As part of this audit, checks of

responses will be made
Examined operating manuals.

As part of this audit, checks of the
Checked a sample of high risks to manual will be made
the manual to ensure controls were
included

off Objective and Risk Register
AP manager approves the manual

before it is issued
Examine the assurance provided.

For key risks, check that controls
and the management system of
monitoring, are operating.
The annual check for AP was

properly approved
Internal Audit examine all returns
Audit Test
Test Result
Risk
enabled
Not considered necessary
YES
YES
Risk
managed
YES
Risk
defined
YES
Head of Accounting Services

Notes show that HoAS does
asks about staff training for risks check
at monthly meetings. Checked
notes from these meetings
YES
YES
YES
Examined targets for a selection All contained targets

of staff.
reflecting AP and company
objectives (including the
need for integrity).
YES
Examined targets for a selection All contained targets

of staff.
reflecting AP and company
objectives (including the
need for integrity).
YES
Checked ORCR for signature
No evidence of check
(note as Deficiency 2)
n/a
n/a
Examined checklists for

All checklist present and
November and December 20X0. properly completed
YES
YES
YES
YES
n/a
Examined the replies
YES
Many were missing and

not followed up (note
as Deficiency 1)
YES
Examined notes from meetings
Meeting cover important

areas for new risks
YES
Examined the ORCR
No risks above the risk

appetite
YES
Checked ORCR for signature
No evidence of check (note

in ISSUE 2)
YES
YES
YES
Risk aware Risk nave

Risk enabled
Risk managed
Risk defined
Risk aware
Risk nave
Characteristics
Internal audit action

-risks
Risk management and internal controls fully Audit risk management

embedded into the operations
processes and use
management assessment of
Enterprise approach to risk management
Audit
management
risk asrisk
appropriate
developed and communicated
processes and use
risk as appropriate
Strategy and policies in place and

communicated. Risk appetite defined
Facilitate risk
management/liaise with risk
management and use
risk where appropriate
Scattered silo based approach to risk

management
Promote enterprise-wide
approach to risk management
and rely on audit risk
assessment
No formal approach developed for risk

management
Promote risk management

and rely on audit risk
assessment
Internal audit action

-controls
Assume controls are as stated in
the ORCR. Check that they are
Assume
controls
as stated
risks. Test
a smallare
selection
of in
the
ORCR.
Check
that
they
are
controls over high inherent risks
risks. Test controls over high
inherent risks
Where controls are included in
the ORCR check that they are an
adequate response to the risks.
Facilitate the determination of
controls required to manage other
risks. Test controls over high and
medium inherent risks
Determine the risks and controls
necessary by holding workshops
with appropriate managers and
staff. Check controls over all risks
considered unacceptable
Determine the risks and controls

necessary by holding workshops
with appropriate managers and
staff, otherwise use internal
audit's assessment. Use
specialists if necessary. Check
controls over all risks considered
unacceptable.

Objectives, Risks and Controls Register (Incomplete)
No
L1obj
L1 Objectives
L1risk
L1 Risks
Maintain profit of existing

business
Processes do not support the

business

business

business

business

business

business

business

business

business

business

business

business

business

business

business

business

business
L2obj
10

business

business
11

business

business
12

business

business
13

business

business
14

business

business
15

business

business
16

business

business
17

business

business
18

business

business
19

business

business
20

business

business
21

business

business
22

business

business
23

business

business
24

business

business
25

business

business
26

business

business
27

business

business
28

business

business
29

business

business
30

business

business
31

business

business
32

business

business
33

business

business
34

business

business
35

business

business
36

business

business
37

business

business
38

business

business
39

business

business
40

business

business
41

business

business
42

business

business
43

business

business
44

business

business
45

business

business
46

business

business
47

business

business
48

business

business
49

business

business
50

business

business
51

business

business
52

business

business
53

business

business
54

business

business
55

business

business
56

business

business
57

business

business
58

business

business
59

business

business
60

business

business
61

business

business
62

business

business
63

business

business
64

business

business
65

business

business
66

business

business
67

business

business
68

business

business
69

business

business
70

business

business
71

business

business
72

business

business
73

business

business
74

business

business
75

business

business
76

business

business
77

business

business
78

business

business
79

business

business
80

business

business
81

business

business
82

business

business
83

business

business
84

business

business
85

business

business
86

business

business
87

business

business
88

business

business
89

business

business
90

business

business
91

business

business
92

business

business
93

business

business
94

business

business
95

business

business
96

business

business
97

business

business
98

business

business
99

business

business
100

business

business
101

business

business
102

business

business
103

business

business
104

business

business
105

business

business
106

business

business
107

business

business
108

business

business
109

business

business
110

business

business
111

business

business
112

business

business
113

business

business
114

business

business
115

business

business
116

business

business
117

business

business
118

business

business
119

business

business
120

business

business
121

business

business
122

business

business
123

business

business
124

business

business
125

business

business
126

business

business
127

business

business
128

business

business
129

business

business
130

business

business
131

business

business
132

business

business
133

business

business
134

business

business
135

business

business
136

business

business
137

business

business
138

business

business
139

business

business
140

business

business
141

business

business
142

business

business
143

business

business
144

business

business
145

business

business
146

business

business
147

business

business
148

business

business
149

business

business
150

business

business
151

business

business
152

business

business
153

business

business
154

business

business
155

business

business
156

business

business
157

business

business
158

business

business
159

business

business
160

business

business
161

business

business
162

business

business
163

business

business
164

business

business
165

business

business
166

business

business
167

business

business
168

business

business
169

business

business
170

business

business
171

business

business
172

business

business
173

business

business
174

business

business
175

business

business
176

business

business
177

business

business
178

business

business
179

business

business
180

business

business
181

business

business
182

business

business
183

business

business
184

business

business
185

business

business
186

business

business
187

business

business
188

business

business
189

business

business
190

business

business
191

business

business
192

business

business
193

business

business
194

business

business
195

business

business
196

business

business
197

business

business
198

business

business
199

business

business
200

business

business
201

business

business
202

business

business
203

business

business
204

business

business
205

business

business
206

business

business
207

business

business
208

business

business
209

business

business
210

business

business
211

business

business
212

business

business
213

business

business
214

business

business
215

business

business
216

business

business
217

business

business
218

business

business
219

business

business
220

business

business
221

business

business
222

business

business
223

business

business
224

business

business
225

business

business
226

business

business
227

business

business
228

business

business
229

business

business
230

business

business
231

business

business
232

business

business
233

business

business
234

business

business
235

business

business
236

business

business
237

business

business
238

business

business
239

business

business
240

business

business
241

business

business
242

business

business
243

business

business
244

business

business
245

business

business
246

business

business
247

business

business
248

business

business
249

business

business
250

business

business
251

business

business
252

business

business
253

business

business
254

business

business
255

business

business
256

business

business
258
Establish strategies for

delivering the objectives
Company does not achieve

stakeholder objectives
259


260


261


262


263


264


257
265


266


267


268


269


270


271


272


273


274


275


276


277


278


279


280


281


282


283


284


285


286


287


288


289


290


291


292


293


294


295


296


297


298


299


300


301


302


303


304


305


306


307


308


309


310


311


312


313


314


315


316


317


L2 Objectives
L2risk L2
Risks
Pay suppliers the correct

amount at the time agreed
Processes are not fit for purpose or

will not remain fit for purpose
















L3obj





























Losses result from inadequate

controls


controls


controls


controls


controls


controls

Incorrect set up data





Incorrect standing data

















Suppliers paid incorrect amount

and/or at wrong time















Incorrect supplier data




Transaction data used to update

balances is incorrect





































































































































































Payment (possibly fraudulent) is

made when no goods or services
have been properly received













































Incorrect balances

Incorrect balances

Incorrect balances

Incorrect balances

Incorrect balances

Incorrect balances

Incorrect balances

Incorrect balances

Incorrect balances

Incorrect balances

Incorrect balances

Incorrect balances

Incorrect balances

Incorrect balances

Incorrect output

Incorrect output

Incorrect output

Incorrect output

Incorrect output

Incorrect output

Incorrect output

Incorrect output

The databases are corrupted or

destroyed (The audit covering these
risks may be a separate IT audit)





















































Incorrect accounting of goods-and

services


services


services


services


services


services


services


services


services


services


services


services


services


services


services


services


services


services


services


services


services


services

Resources do not support the

objective


objective


objective


objective


objective


objective


objective


objective


objective


objective


objective


objective
Establish an internal
control framework (US COSO)
No foundation for controls (Control

Environment)

Environment)

Environment)

Environment)

Environment)

Environment)

Environment)

Environment)

Environment)

Environment)

Environment)

Environment)
Risks not identified (Risk Assessment)
Controls not implemented (Control

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)

Activities)
Controls not operated (Information

and Communication)

and Communication)

and Communication)

and Communication)

and Communication)

and Communication)

and Communication)

and Communication)
Control deficiencies not corrected

(Monitoring Activities)








L3 Objectives
L3risk
L3 Risks
Maintain a strategy which ensures the process

achieves maximum efficiency and effectiveness
now and in the future
1 The strategy does not contain clear

objectives, is not financially justified or
documented


documented


documented


documented

2 Strategy does not address all the significant

risks

3 Objectives within the strategy are not

achieved

3 Objectives within the strategy are not

achieved

4 The strategy is not communicated to relevant

staff
Maintain processes to ensure that tax, disclosure

and other legal requirements are followed
5 Information relating to specific accounting or

taxation requirements may not be obtainable,
or may be open to misinterpretation.






or may be open to misinterpretation for
example payments to bank accounts in 'tax
havens'

7 Legislation may not be followed or

understood.
Maintain processes to ensure that company

policies are established and communicated
8 Company policy may not be clear. (Company

policy includes that defined in: Code of
Conduct; staff manual and AP manual)

9 Company policies are not adhered to.

9 Company policies are not adhered to.

10 Policy may not include the allocation of

capital and expense expenditure

11 Policy may not take account of latest

accepted best practice or accounting
standards

12 Examination and review of actual policies

followed may not be done on a regular basis.
Maintain the structure, authority and responsibility

of the functions involved to pay suppliers
efficiently and effectively
13 Structure of the function will not deliver the

processes efficiently and effectively

14 The authority given to individual staff in the

function will not enable them to effectively
achieve the objectives

15 The responsibilities allocated to staff will not

cover all the responsibilities required to
deliver the objectives

16 Responsibilities allocated to staff results in

fraud due to inadequate segregation of duties
Establish a risk management framework to

identify risks threatening the objectives and
responses required to manage the risks
17 Risks to the processes are not identified

18 Risks to the processes are not identified as

part of routine processes

19 Risks to the processes are not identified

when functions and processes change due to
changes in the business or external changes

20 Risks to the processes are not identified and

their response checked

21 Responses to bring risks to below the risk

appetite are not present

22 Responses to bring risks to below the risk

appetite are not operating
Data used for set up was complete, accurate and

complied with regulations
23 Data supplied was incorrect

23 Data supplied was incorrect

24 Data was input incorrectly


Data used for standing data, including suppliers,

was relevant, complete, accurate and complied
with regulations
25 Data supplied was inaccurate

with regulations

with regulations
Data being used to update standing data, such

as tax rates, is relevant, complete, accurate,
timely and complies with regulations
27 Data supplied is inaccurate

28 Data supplied is incomplete or not supplied



29 Data is input incorrectly

29 Data is input incorrectly

30 Data is input at the wrong time, or not at all

30 Data is input at the wrong time, or not at all

31 Data does not conform to regulations



32 Malicious/fraudulent data set up


Data being used to update suppliers using orders

is complete and accurate
33 Supplier data is incorrect

34 Supplier data is input incorrectly



36 Data is input at the wrong time





Data being used to update suppliers NOT using

orders is complete and accurate
39 Standing data is input incorrectly
Data being used to update suppliers NOT using

orders is complete and accurate
39 Standing data is input incorrectly
Supplier discount is recorded
40 Supplier discount not agreed
40 Supplier discount not agreed
41 Supplier discount incorrectly recorded
41 Supplier discount incorrectly recorded
Invoices with/without an order number:

Invoice and credit note transaction data being
used to update balances is relevant, complete,
accurate, timely and complies with regulations
42 Invoices don't reach Accounts Payable
Invoices with/without an order number:

Invoice and credit note transaction data being
used to update balances is relevant, complete,
accurate, timely and complies with regulations
43 Batch total calculated incorrectly
Invoices with an order number: Invoice and

credit note transaction data being used to update
balances is relevant, complete, accurate, timely
and complies with regulations
44 Incorrect supplier selected on input

45 Incorrect order number entered

46 Incorrect/incomplete data on invoice

47 Account coding for invoice is incorrect

48 Invoice total is incorrectly calculated


49 Invoice tax incorrectly calculated

50 Invoice tax incorrectly calculated or

incorrectly input

51 Goods not received

51 Goods not received

52 Services not received

53 Goods/services priced incorrectly/Incorrect

costs input

53 Invoice payment delayed if queries from

mismatching not promptly cleared
Invoices with an order: Invoice and credit note

transaction data being used to update balances
is relevant, complete, accurate, timely and
complies with regulations
54 Duplicate invoices posted

55 Invoice not sent or received

55 Invoice not sent or received

56 Invoices are input before the charge

becomes due, that is before goods/services
are delivered
Credit notes: Invoice and credit note transaction

data being used to update balances is relevant,
complete, accurate, timely and complies with
regulations
57 Credit note data input incorrectly
Credit notes: Invoice and credit note transaction

data being used to update balances is relevant,
complete, accurate, timely and complies with
regulations
57 Credit note data input incorrectly
Invoices with no order: Invoice and credit note

58 Invoices are lost in the approval process
Invoices without an order: Invoice and credit

note transaction data being used to update
59 Incorrect supplier selected on input

60 Incorrect/incomplete data on invoice

61 Account coding for invoice is incorrect

62 Excessive prices are paid to untrustworthy

suppliers.



64 Invoice tax incorrectly calculated

65 Invoice tax incorrectly calculated or

incorrectly input

66 Goods or services not received

67 Invoice recorded for which company has

received no benefits or deficient
goods/services

68 Goods/services priced incorrectly/Incorrect

costs input
Invoices with/without an order: Invoice and

69 Standing data is overridden during input

69 Standing data is overridden during input

70 Data on invoice supplied is not completely

input


becomes due


becomes due

72 Invoices held as a result of matching queries

or awaiting approval are not cleared for
payment promptly- e-mails not sent, not
received or reports not actioned.

73 Invoice recorded for which company has

received no benefits or deficient
goods/services




75 Incorrect treatment of invoice for taxation

purposes (for example VAT reclaimed on an
entertainment invoice for customers)


purposes


purposes


purposes


purposes


purposes


purposes

77 Malicious/fraudulent data input



Cash is available to pay suppliers
78 Insufficient funds in the bank
All payments made are only for goods which go

onto be sold or used
79 Payment made for goods delivered late or

otherwise not meeting contract terms

79 Payment made for goods delivered late or

otherwise not meeting contract terms

80 Credit not demanded from suppliers for

defective goods


defective goods


defective goods


defective goods

9 Amount paid is incorrect








Payment made on time to correct bank account
82 Payments made early or late
83 Payment made to wrong supplier account
84 Payment made to wrong bank account
All deductions are taken
85 Discounts available not taken
86 Credit from suppliers not taken
87 Discounts/rebates not taken or taken at

wrong time

wrong time

wrong time
Payments are checked
88 Checking procedure not thorough
88 Checking procedure not thorough
89 A large single fraudulent payment is made
89 A large single fraudulent payment is made
90 Payment not put through checking

procedures

procedures

procedures
Payments are properly authorized
91 Payments authorized by wrong person
On-line payments are secure
92 Fraudulent payment made
Check (cheque) payments are secured
93 Cheque machine signature plates are stolen

and misused
93 Cheque machine signature plates are stolen

and misused
94 Checks/checks (cheques) are altered after

printing
95 Blank checks/checks (cheques) are stolen
Bank transfer documents are secure
96 Widely available bank transfer documents

are used to fraudulently transfer payments
Bank transfer documents are secure
96 Widely available bank transfer documents

are used to fraudulently transfer payments
The balance total agrees with that in the general

ledger
97 Data input directly into GL without a system

transaction

ledger
97 Data input directly into GL without a system

transaction

ledger
98 Data not transferred from system to GL

ledger

ledger

ledger

ledger
99 Timing differences between system and GL

input
All balances are comprised of transactions which

are identifiable, authorized and valid
100 Items making up the balance cannot be

identified with authorized transactions






identified with independent data


identified with independent data

101 Items making up the balance are overdue

102 Items making up the balance don't comply

with regulations
Output data is relevant, complete, accurate,

103 Output data is not relevant

103 Output data is not relevant

103 Output data is incorrect

104 Output data is incorrect

104 Output data is incomplete

105 Data is output at the wrong time

106 Output data does not conform to regulations

106 Output data does not conform to regulations
The database is secured against alteration, other

than by permitted transactions
107 Unauthorized alterations occur







108 Unauthorized alterations not detected


Malicious corruption is prevented
109 Computer viruses or other 'malware' corrupts

databases and programs




Corruption by malfunctioning IT systems is

prevented
110 Malfunctioning hardware or software corrupts

data

prevented

data

prevented

data

prevented

data

prevented
111 Incorrect IT procedures result in incorrect

restoration of files

prevented


prevented

Physical damage to hardware is prevented
112 Hard drives and other storage media

damaged

damaged

damaged
113 Hard drives and other storage media stolen
113 Hard drives and other storage media stolen
All transactions should be accounted for in the

correct period
114 Transactions posted in the wrong period

correct period
115 Accruals and pre-payments are incorrect

correct period

correct period

correct period

correct period
All transactions should be posted to the correct

accounts
117 Transactions are incorrectly coded

accounts
118 Incorrect adjustments made

accounts

accounts
Transactions should be classified correctly for tax

and regulatory purposes
119 Invoices not identified for special tax

treatment


treatment


treatment


treatment


treatment


treatment


treatment


treatment

120 Invoices not identified for special reporting

purposes


purposes


purposes


purposes
Maintain the IT systems which support the

existing business
121 Function does not achieve maximum

efficiency

existing business
122 IT systems lose data

existing business
123 IT systems fail

existing business
124 Programs miscalculate data

existing business

existing business
Recruit and train staff to maintain existing

business
125 Insufficient staff to maintain business

operations

business
126 Insufficient staff to maintain business

operations

business
127 Business operations fail due to lack of staff

knowledge

business
127 Business operations fail due to lack of staff

knowledge
Important documents are secured
128 Documents stolen or damaged
Important documents are secured
128 Documents stolen or damaged
1. Demonstrates Commitment to Integrity and

Ethical ValuesThe organization demonstrates a
commitment to integrity and ethical value
Employees (including board members)

damage the reputation of the entity
1. Demonstrates Commitment to Integrity and

Ethical ValuesThe organization demonstrates a
commitment to integrity and ethical value
Employees (including board members)

damage the reputation of the entity
2. Exercises Oversight ResponsibilityThe board

of directors demonstrates independence from
management and exercises oversight for the
development and performance of internal control
Failure of internal control due to lack of

oversight responsibility from directors






3. Establishes Structure, Authority, and

ResponsibilityManagement establishes, with
board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the
pursuit of objectives
Failure to achieve objectives due to lack of

clear accountability




4. Demonstrates Commitment to Competence

The organization demonstrates a commitment to
attract, develop, and retain competent individuals
in alignment with objectives
Insufficient qualified staff available to deliver

objectives
4. Demonstrates Commitment to Competence

The organization demonstrates a commitment to
attract, develop, and retain competent individuals
in alignment with objectives
Insufficient qualified staff available to deliver

objectives
5. Enforces AccountabilityThe organization

holds individuals accountable for their internal
control responsibilities in the pursuit of objectives
No performance measures for individuals
6. Specifies Suitable ObjectivesThe

organization specifies objectives with sufficient
clarity to enable the identification and
assessment of risks relating to objectives
External Non-Financial Reporting objectives

not defined

Internal reporting objectives not defined


7. Identifies and Analyzes RiskThe organization

identifies risks to the achievement of its
objectives across the entity and analyses risks as
a basis for determining how the risks should be
managed.
All risks threatening objectives are not

identified or managed

managed.


managed.


managed.


managed.

8. Assess Fraud RiskThe organization

considers the potential for fraud in assessing
risks to the achievement of objectives.
The opportunities for fraud are not

completely analyzed


completely analyzed


completely analyzed
9. Identifies and Analyzes Significant Change

The organization identifies and assesses
changes that could significantly impact the
system of internal control
Risks and associated controls not updated to

reflect changes to the business and its
environment
10. Selects and Develops Control ActivitiesThe

organization selects and develops control
activities that contribute to the mitigation of risks
to the achievement of objectives to acceptable
levels.
Controls are inappropriate to the risks

levels.

levels.

levels.

levels.

levels.

levels.
11. Selects and Develops General Controls over

TechnologyThe organization selects and
develops general control activities over
technology to support the achievement of
objectives.
Risks from technology are uncontrolled
11. Selects and Develops General Controls over

TechnologyThe organization selects and
develops general control activities over
technology to support the achievement of
objectives.
Risks from technology are uncontrolled
12. Deploys through Policies and Procedures

The organization deploys control activities
through policies that establish what is expected
and procedures that put the policies into action..
Systems and responsibilities for risks and

internal controls not defined
















13. Uses Relevant InformationThe organization

obtains or generates and uses relevant, quality
information to support the functioning of other
components of internal control.
Poor quality information produced






14. Communicates InternallyThe organization

internally communicates information, including
objectives and responsibilities for internal control,
necessary to support the functioning of other
components of internal control
Inadequate internal communication
16. Conducts Ongoing and/or Separate

EvaluationsThe organization selects, develops,
and performs ongoing and/or separate
evaluations to ascertain whether the components
of internal control are present and functioning
Components of internal control not operated







17. Evaluates and Communicates Deficiencies

The organization evaluates and communicates
internal control deficiencies in a timely manner to
those parties responsible for taking corrective
action, including senior management and the
board of directors, as appropriate
Failures of internal controls not detected or

remedied
Consequence of risk
Risk source
An inadequate strategy could result in

poor decisions with the failure to seize
opportunities and ultimately result in
inefficiencies
Risk applies to all

objective hierarchies

inefficiencies
Risk applies to all


inefficiencies
Risk applies to all

IRC IRL
IRS
Process
Accounts Payable - define

strategy
20
strategy
20
strategy
20
inefficiencies
Risk applies to all


strategy
20
The strategy fails due to unforseen risks
occuring
Risk applies to all

Failure to achieve the strategy will result

in efficiencies
Risk applies to all


in efficiencies
Risk applies to all


strategy
20
strategy
20
strategy
20
in efficiencies
Risk applies to all

Risk applies to all


strategy
20
Accounts Payable comply with legislation
20
Risk applies to all

Risk applies to all

Risk applies to all

Risk applies to all

20
20
20
20
Risk applies to all
Accounts Payable comply with company

policies
Risk applies to all

Risk applies to all


20 policies
Risk applies to all


20 policies
Risk applies to all


20 policies
Risk applies to all


policies
20
policies
20
20
4
Establish structure,
authority and
20 responsibility
20
20
4
20
Risk applies to all

Risk applies to all

Establish control
environment
20
Establish control
environment
20
Risk applies to all
Risk applies to all

Establish control
environment
20
Establish control
environment
20
20
4
20
Accounts Payable
Department
Accounts Payable - set up

system
20
Accounts Payable
Department
Accounts Payable
Department

system
20
system
20
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

system
20
standing data
20
standing data
20
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

standing data
20
standing data
20
Accounts Payable maintain standing data
20
20
Accounts Payable
Department
Accounts Payable
Department
20
20
Accounts Payable
Department
Accounts Payable
Department
20
20
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
20
20
20
20
20
Accounts Payable
Department
Accounts Payable
Department
20
20
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
20
Accounts Payable maintain supplier data
15
15
Accounts Payable
Department
Accounts Payable
Department
15
15
Accounts Payable
Department
15
Accounts Payable
Department
Accounts Payable
Department
15
15
Accounts Payable
Department
Accounts Payable
Department
15
15
Accounts Payable
Department
15
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
Accounts Payable
Department
15
15
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
15
15
Accounts Payable - input
invoices
15
5
0
5
0
5
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

invoices
15
invoices
15
invoices
15
Accounts Payable
Department

invoices
15
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

invoices
15
invoices
15
invoices
15
Accounts Payable
Department

invoices
15
3
15
Pay too much for goods or services
Accounts Payable
Department
Pay too much for goods or services
Accounts Payable
Department
Accounts Payable
Department

invoices
20
invoices
20
invoices
15
Accounts Payable
Department

invoices
15
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

invoices
15
invoices
15
invoices
15
Accounts Payable
Department

invoices
15
Payment of invoice delayed with supplier Accounts Payable
possibly refusing to supply more
Department
goods/services. Discount may be lost.
May be unable to reclaim the incorrect

payment. Payment of invoice delayed
with supplier possibly refusing to supply
more goods/services. Discount may be
lost.
Accounts Payable
Department
Delay in processing invoice
Accounts Payable
Department

invoices
10
invoices
10
invoices
15
Possible incorrect tax calculation and/or
accounting misstatement with danger of
fines
Accounts Payable
Department
Fraudulent payments made to suppliers, Accounts Payable

possibly false.
Department

invoices
15
invoices
15
Accounts Payable
Department
Accounts Payable
Department

invoices
15
invoices
15
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

invoices
15
invoices
15
invoices
15
invoices
15
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

invoices
15
invoices
15
invoices
15
invoices
15
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

invoices
15
invoices
15
invoices
15
invoices
15
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

invoices
15
invoices
15
invoices
15
Accounts Payable
Department

invoices
15
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

invoices
15
invoices
15
invoices
15
Accounts Payable
Department

invoices
15
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department

invoices
15
invoices
15
invoices
15
Accounts Payable
Department

invoices
15
Accounts Payable
Department

invoices
15
Accounts Payable
Department
Accounts Payable
Department

invoices
15
Accounts Payable generate payment
15
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
Accounts Payable account for transactions
0
Accounts Payable
Department
0
Accounts Payable
Department
0
Accounts Payable
Department
Accounts Payable maintain accounts

0 payable ledger
Accounts Payable
Department

payable ledger
0
Accounts Payable
Department

0 payable ledger
Accounts Payable
Department

payable ledger
Accounts Payable
Department

payable ledger
Accounts Payable
Department

payable ledger
Accounts Payable
Department

payable ledger
Accounts Payable
Department

payable ledger
Accounts Payable
Department

payable ledger
Accounts Payable
Department

payable ledger
Accounts Payable
Department

payable ledger
Accounts Payable
Department
Accounts Payable produce reports
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable secure databases
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable support processes- IT
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable support processes- HR
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable
Department
Accounts Payable support processessecurity
Accounts Payable
Department
Accounts Payable support processessecurity
COSO Internal Control Integrated Framework

(Draft). Illustrative tools
for assessing
effectiveness (2012)

policies

for assessing

policies

for assessing
Accounts Payable establish control

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing
Accounts Payable establish structure,

authority and
responsibility

for assessing

authority and
responsibility

for assessing

authority and
responsibility

for assessing

for assessing

for assessing

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

environment

for assessing

for assessing

for assessing

for assessing

for assessing

for assessing

for assessing

for assessing

environment

for assessing
Accounts Payable Monitoring

for assessing

for assessing

for assessing

for assessing

for assessing

for assessing

for assessing

for assessing
Internal control
Function
Internal
control owner
The strategy for AP is revised every year by the

Accounts Payable
Accounts Payable Manager and Head of Accounting
Services, as part of the budgeting exercise. It is
presented to the Chief Financial Officer who
approves it after any necessary amendments.
Chief Financial Officer

Accounts Payable

Accounts Payable

Accounts Payable
The Chief Financial Officer will only approve

strategies with risks clearly stated
Accounts Payable
The Head of Accounting Services sets targets for the Accounts Payable
AP manager at the start of the year, which include
targets to deliver the strategy. The AP manager sets
targets for the AP staff.
Head of Accounting
Services/ AP Manager
The Head of Accounting Services sets targets for the Accounts Payable
AP manager at the start of the year, which include
targets to deliver the strategy. The AP manager sets
targets for the AP staff.
Head of Accounting
Services/ AP Manager
AP staff are briefed at the beginning of each year

about the strategy
Accounts Payable
manager
Accounts Payable
Control
number
The company accounting manual sets out specific

Financial Accounts Heads of Financial
reporting requirements and is readily available to all and Taxation
Accounts and Taxation
businesses. A copy is available on the company
Departments
Departments
intranet.
5
6
7
8
9
The specification for the accounts payable system

included necessary accounting and taxation
requirements
Accounts Payable
External Audit are involved for statutory audit

purposes.
Accounts Payable
Accounts Payable
manager
Accounts Payable
manager
10
11
Checked payments made to bank accounts outside Accounts Payable

the 'home' country could not be an attempt to evade
taxation, since this may be an offence. For example
payments for goods are always sent to the country
exporting them.
Accounts Payable
manager
All staff are trained when the manual is updated
Accounts Payable
Accounts Payable
manager
13
The company code of conduct, staff manual and

accounting manual contains detailed requirements,
policies and procedures, including requirements for
integrity and ethical values, and is readily available
to all departments on the intranet.
HR and other
functions
responsible for
policy
Chiefs of HR and
other departments
responsible for policy
14
12
The accounts payable section of the finance manual Accounts Payable

exists and is regularly updated for new legislation.
Staff have training on induction and when the
manual is updated
Accounts Payable
manager
Clear policy on payment terms defined
Accounts Payable
manager
Accounts Payable
15
16
Company finance and tax departments monitor

capital expenditure issues and keep others informed and Taxation
through regular bulletins.
Departments
Departments
17
Company finance and tax departments monitor

expenditure issues and keep others informed

and Taxation
Departments
Departments
18
Monthly management account figures are prepared

and large variations against budget and expected
forecast figures are followed up by finance
department

and Taxation
Departments
Departments
The structure of the AP function is reviewed by the

Accounts Payable
AP manager and Head of Accounting Services when
any staff member leaves
Accounts Payable
manager
The Head of Accounting Services and AP Manager Accounts Payable

meet every month with the Supervisors when matters
of authority and responsibility can be discussed
Accounts Payable
manager
The Head of Accounting Services and AP Manager Accounts Payable

meet every month with the Supervisors when matters
of authority and responsibility can be discussed
Accounts Payable
manager
The AP manager is aware of the need to keep

certain responsibilities separate
Accounts Payable
manager
Accounts Payable
19
20
21
22
23
Risks threatening the objectives have been identified Accounts Payable

using a risk workshop and interviews, and the
Objectives and Risk Register completed
Accounts Payable
manager
24
Staff have had risk awareness training
Risk Management Head of Risk

Management
New risks are notified to the keeper of the risk

register - Risk Management
Accounts Payable
Risk Management notify Internal Audit of significant

risk changes
Risk Management Head of Risk

Management
Management have identified responses for all risks

listed in the Objectives and Risk Register which
reduce the risk score to below the risk appetite
Accounts Payable
Accounts Payable
manager
28
AP operating manuals, which are used for training

and on-going reference, contain all the tasks which
are responses to risks
Accounts Payable
Accounts Payable
manager
29
Accounts Payable
manager
25
26
27
Data was supplied by Finance and Tax departments Financial Accounts Heads of Financial
and Taxation
Departments
Departments
30
Set up data was determined by discussions with

Merchandising,
Managers involved
Merchandising, Purchasing, AP and other interested Purchasing, AP etc
parties
31
Check data on system to data on source
Accounts Payable
Accounts Payable
manager
32
Run tests to check set up data is correct
Accounts Payable
Accounts Payable
manager
33
Run tests to check set up data is correct
Accounts Payable
Accounts Payable
manager
34
Supplier data was extracted from files of previous

system and checked by Purchasing and AP staff
before transfer to the new system
Accounts Payable
Accounts Payable
manager
Checked data on system to data on source
Accounts Payable
Accounts Payable
manager
36
Ran tests to check set up data is correct, as part of

system testing
Accounts Payable
Accounts Payable
manager
37
Data from a trusted sources such as Merchandising, Accounts Payable

Finance, Taxation is on an approved form which is
checked before input
Accounts Payable
Input Supervisor
38
System checks all required data fields on system are Accounts Payable
completed
Accounts Payable
Input Supervisor
39
35
Where possible exception reports highlight incorrect Accounts Payable

or missing data
Accounts Payable
Input Supervisor
40
Where possible exception reports highlight incorrect Accounts Payable

or missing data
Accounts Payable
Input Supervisor
41
Data on input screen is checked to source data

before actioning
Accounts Payable
Accounts Payable
Input Supervisor
42
An output report is produced which is checked to the Accounts Payable

input document
Accounts Payable
Input Supervisor
43
A checklist and timetable are used to ensure data,

such as foreign currency rates are input at the
correct time
Accounts Payable
Accounts Payable
Input Supervisor
44
A checklist and timetable are used to ensure data,

such as foreign currency rates are input at the
correct time
Accounts Payable
Accounts Payable
Input Supervisor
45
Check data source conforms to regulations (both

company and legislation)
Accounts Payable
Accounts Payable
Input Supervisor
46
Set up computer edit checks to highlight suspect

data, such as incorrect tax calculations)
Accounts Payable
Accounts Payable
Input Supervisor
47
Data to be approved by tax or legal specialists, if

necessary
Accounts Payable
Accounts Payable
Input Supervisor
48
Restrict access to input screens
Accounts Payable
Accounts Payable
Input Supervisor
49
Duties for updating data are divided so as to ensure Accounts Payable

no-one has responsibility for the entire transaction
cycle
Accounts Payable
Input Supervisor
50
Training of staff to include notifying senior

management of any suspicious activity
Accounts Payable
Input Supervisor
51
Accounts Payable
Assistant buyer is responsible for obtaining correct Merchandising or

standing data from suppliers, such as bank account, Purchasing
payment terms and address and completing the
input form
Assistant Buyer
Assistant buyer is responsible for inputting data

correctly from the input form
Merchandising or
Purchasing
Buyer
System checks all required data fields on system are Merchandising or

completed
Purchasing
Buyer
System checks all required data fields on system are Merchandising or

completed
Purchasing
Buyer
Buyer is responsible for ensuring data is input when Merchandising or

required
Purchasing
Buyer
52
53
54
55
56
Assistant Buyer is responsible for completing the

input form, which specifies data required
Merchandising or
Purchasing
Assistant Buyer
57
Buyers are instructed to refer data to be approved by Merchandising or

tax or legal specialists, if necessary
Purchasing
Buyer
Staff only have access to those input screens

necessary to fulfill their responsibilities
Accounts Payable
Accounts Payable
Manager
59

cycle
Accounts Payable
Manager
60
Training of staff includes notifying senior

Accounts Payable
Accounts Payable
Manager
Expense supplier data is independently checked to

invoices and other supporting documentation
Accounts Payable
Accounts Payable
manager
62
Expense supplier data is independently checked to

invoices and other supporting documentation
Accounts Payable
Accounts Payable
manager
63
Suppliers sign a formal agreement, or discount terms Accounts Payable

on invoice used
Accounts Payable
manager
64
Suppliers sign a formal agreement, or discount terms Accounts Payable

on invoice used
Accounts Payable
manager
65
New and amended suppliers details printed out and Accounts Payable
independently checked to supporting documentation
Accounts Payable
manager
66
New and amended suppliers details printed out and Accounts Payable
independently checked to supporting documentation
Accounts Payable
manager
67
Suppliers requested to send invoices to a central

location, stating order number
Accounts Payable
Accounts Payable
manager
Computer calculates total at end of batch input and

will not allow batch closure until totals agree
Accounts Payable
Order number and invoice details will not match
Accounts Payable
Invoice details (items, price, quantity) will not match
Accounts Payable
Accounts Payable
manager
Accounts Payable
manager
Accounts Payable
manager
58
61
68
69
70
71
Supplier is expected to ensure invoice has all the

Accounts Payable
correct data. If any is found to be missing during the
input process the invoice is returned to the supplier
for correction
Accounts Payable
manager
The invoice picks up the account code from the

purchase order
Accounts Payable
manager
Accounts Payable
Edit checks report incorrect invoice additions. Invoice Accounts Payable

is removed from batch (batch total amended) and
returned to supplier
Accounts Payable
manager

Accounts Payable
manager
Edit checks report incorrect tax calculation. Invoice is Accounts Payable

removed from batch (batch total amended) and
Accounts Payable
manager

Accounts Payable
manager
Invoice matched with receipt quantity (input by

warehouse) to confirm goods received. Queries
generated if receipt quantities do not match.
Accounts Payable
Accounts Payable
manager
Invoice matched with receipt quantity to confirm

goods received
Accounts Payable
A query is generated and e-mailed to the function

receiving the service
Accounts Payable
Invoice costs matched with purchase order to

confirm correct price and coding
Accounts Payable
Accounts Payable
manager
Accounts Payable
manager
Accounts Payable
manager
A report is available on screen which buyers should Accounts Payable

regularly access to clear queries, either by agreeing
the invoice price or by requesting a credit note.
Accounts Payable
manager
Invoices should be matched to orders and receiving Accounts Payable

notes which should have checks to warn against
duplicate posting
Accounts Payable
manager
Outstanding 'Goods received notes' are followed up Accounts Payable
Accounts Payable
manager
72
73
74
75
76
77
78
79
80
81
82
83
84
Examination of supplier statements and letters to

detect missing documents
Accounts Payable
Invoices input before goods arrive will fail matching

and will not be charged until the receipt is input
Accounts Payable
Credit note matched with appropriate invoice queries Accounts Payable
Credit note matched with appropriate invoice queries Accounts Payable
All invoices received are logged in before sending

out for approval, if necessary
Accounts Payable
Input clerk checks name on screen against name on Accounts Payable

invoice
Accounts Payable
manager
Accounts Payable
manager
Accounts Payable
manager
Accounts Payable
manager
Accounts Payable
manager
85
86
87
88
89
Accounts Payable
manager
90
Supplier is expected to ensure invoice has all the

Accounts Payable
correct data. If any is found to be missing during the
input process the invoice is returned to the supplier
for correction
The invoice is coded by the authorizing manager
Computer warning if the account code is one where

an order is required (e.g. Goods for resale, capital
items, expense items ordered by Purchasing)
Accounts Payable
manager
91
Function which
Manager of function
initiates the charge which initiates the
charge
Function which
Manager of function
charge

Accounts Payable
manager

Accounts Payable
manager
92
93
94
95

Accounts Payable
manager

Accounts Payable
manager
Invoice must be authorized by the manager of the

person who requested the goods or services
96
97
Function which
Manager of function
charge
98
Suppliers are required to supply only on the basis of Merchandising,

Appropriate buyer or
an order
Purchasing or
manager
approving function
99
Invoice must be authorized by the manager of the

person who requested the goods or services
Function which
Manager of function
charge
Don't allow overriding of sensitive fields without

approval
Accounts Payable
Don't allow overriding of sensitive fields without

approval
Accounts Payable
Computer edit checks ensure all required data is

input
Accounts Payable
Edit checks detect data input into wrong period or

with incorrect dates, including dates in the future
Accounts Payable
Edit checks to detect data input into wrong period or Accounts Payable
with incorrect dates
Accounts Payable
manager
Accounts Payable
manager
Accounts Payable
manager
Accounts Payable
manager
Accounts Payable
manager
Exception reports to highlight invoices held on

Merchandising,
matching or approval queries are sent to the function Purchasing or
manager
concerned
approving function
Stock or other goods and services failing quality

checks generate a credit request (Returned goods
are a separate process not recorded as part of this
example)
Accounts Payable
Accounts Payable
manager
100
101
102
103
104
105
106
107
Invoices marked to evidence that they have been

processed
Accounts Payable
Invoices marked to evidence that they have been

processed
Accounts Payable
Duplicate invoice number check
Accounts Payable
Accounts Payable
manager
Accounts Payable
manager
Accounts Payable
manager
Staff are trained and experienced in appropriate tax Accounts Payable

treatment
Accounts Payable
manager
Staff are trained and experienced in appropriate tax Accounts Payable

treatment
Accounts Payable
manager
All items should have passed through procedures

Accounts Payable
which checked they complied with tax, company and
statutory regulations
Accounts Payable
manager
Set up computer edit checks to highlight suspect

Accounts Payable
Accounts Payable
manager
Data to be approved by tax or legal specialists, if

necessary
Accounts Payable
Invoices which might represent 'benefits-in-kind' or

other required tax adjustments are referred to tax
department/senior management
Accounts Payable
Detailed guidelines are available and used setting

out details of disallowable expenditure, and
appropriate treatment
Accounts Payable
Staff only have access to those input screens

necessary to fulfill their responsibilities
Accounts Payable
Accounts Payable
manager
Accounts Payable
manager
Accounts Payable
manager
Accounts Payable
Manager

cycle
Accounts Payable
Manager
Training of staff to include notifying senior

Accounts Payable
manager
Accounts Payable
108
109
110
111
112
113
114
115
116
117
118
119
120
All capital and expense costs posted to accounts

Accounts Payable
with budgets which are assigned to a manager, who
investigates variances
Accounts Payable
manager
121
Cash flow forecasts are prepared and monitored
Financial Accounts Head of Financial

Accounts
Warehouse will not receive obviously late goods,

resulting in a mismatch and the invoice being held
Merchandising,
Purchasing or
manager
approving function
123
Buyer will arrange return of goods and a credit for

late deliveries and goods outside terms of contract
Merchandising,
Purchasing or
manager
approving function
124
Adjustments to warehouse and store stocks for

Merchandising,
defective goods automatically generate a request for Purchasing or
manager
credit
approving function
125
Adjustments to warehouse and store stocks for

Merchandising,
defective goods automatically generate a request for Purchasing or
manager
credit
approving function
126
Stores must request a credit where a customer

returns defective goods. Buyer must then request a
credit from the supplier
Merchandising,
Purchasing or
manager
approving function
127
Users inform buyers of goods or services not

Merchandising,
meeting expected standards for a credit to be raised Purchasing or
manager
approving function
128
Amount to be paid should be generated by computer Accounts Payable

based on standing and transaction data
Accounts Payable
manager
Amount to be paid should be generated by computer Accounts Payable

based on standing and transaction data
Accounts Payable
manager
122
129
130
Manual payments (on line, check/cheque or bank
Accounts Payable
transfer) made from properly authorized documents
and independently checked
Accounts Payable
manager
For computer checks/checks (cheques) or direct

bank transfer payments, a payment proposal listing
is produced which requires formal authorization
before payments can be made
Accounts Payable
manager
Accounts Payable
131
132
After production of cheque/bank payment list, details Accounts Payable

are compared to payment proposal listing (and for
large/unusual amounts) to ensure amount and
recipient are correct
Accounts Payable
manager
Debit balances on the purchase ledger are regularly Accounts Payable

followed up and investigated
Accounts Payable
manager
134
Duplicate payment checks are conducted
Accounts Payable
manager
135
Accounts Payable
133
Accounts Payable
Accounts Payable
manager
136
Accounts Payable
Accounts Payable
manager
137
Payment dates are set by the payment terms in the

standing data, which can only be changed by a
supervisor
Accounts Payable
Accounts Payable
manager
138
Automatic payments are made to the account linked Accounts Payable

to the invoices being paid
Accounts Payable
manager
139
Manual payments have to be approved by a

supervisor who checks the account details
Accounts Payable
manager
Accounts Payable
140
Debit balances on the purchase ledger are regularly Accounts Payable

followed up and investigated
Accounts Payable
manager
141
Automatic payments are made to the bank account

listed in the standing data
Accounts Payable
Accounts Payable
manager
142
The buyer is responsible for ensuring that volume

discounts are taken when they apply
Merchandising,
Purchasing or
manager
approving function
Settlement discount is set up in the standing data

and is taken automatically
Accounts Payable
Accounts Payable
manager
System is able to record date by which invoices must Accounts Payable

be paid to qualify for early payment discount, and is
able to ensure invoices are selected for payment at
the appropriate time
Accounts Payable
manager
Facility operates for express invoice processing,

although this should be strictly controlled and only
used as exception rather than rule
Accounts Payable
Accounts Payable
manager
146
Suppliers' statements are checked for outstanding

credits
Accounts Payable
Accounts Payable
manager
147
Up to date register of all discounts/rebates is

Accounts Payable
maintained. This incorporates a forecast of the final
turnover with the supplier
Accounts Payable
manager
148
Register is reviewed by buyers regularly to ensure it Accounts Payable

is up to date
Accounts Payable
manager
149
Register is reviewed regularly to ensure all

appropriate rebates/discounts have been claimed
and received at the correct time
Accounts Payable
Accounts Payable
manager
150
Payments are independently reviewed and audited,

particularly payments to a new supplier
Accounts Payable
Accounts Payable
manager
151
143
144
145
Manually signed checks (cheques) and foreign

payment instructions are signed with appropriate
back-up documentation.
Accounts Payable
Accounts Payable
manager
Exception reports are produced of individually

significant payments
Accounts Payable
Accounts Payable
manager
153
Exception reports are produced of individually

Accounts Payable
Accounts Payable
manager
154
Bank reconciliations are carried out regularly
Accounts Payable
Accounts Payable
manager
155
Bank reconciliations are independently reviewed and Accounts Payable

authorized
Accounts Payable
manager
156
Items over a month old on the reconciliation are

followed up
Accounts Payable
Accounts Payable
manager
Hierarchy of authority levels is in place and is

formally authorized
Accounts Payable
Accounts Payable
manager
158
Details are made available to all relevant personnel
Accounts Payable
Accounts Payable
manager
159
Specific responsibility is allocated to ensuring the

authorization signatories are up to date
Accounts Payable
Accounts Payable
manager
160
Bank mandate specifies those persons able to sign

checks (cheques)/authorize bank transfers
Accounts Payable
Accounts Payable
manager
161
Authorization limits are in place as to who is able to

sign checks (cheques)/bank transfers
Accounts Payable
Accounts Payable
manager
162
For electronic transfer (US-wire/UK-BACS)

payments, payments listing is compared to
subsequent return from bank
Accounts Payable
Accounts Payable
manager
163
Payments effected through telephone instruction to

the bank are not allowed
Accounts Payable
Accounts Payable
manager
164
Responsibility for recording payments is segregated Accounts Payable

from the payment production
Accounts Payable
manager
165
Check/cheque signing machines/signature plates are Accounts Payable

adequately safeguarded
Accounts Payable
manager
166
Check/cheque signing machines/signature plates are Accounts Payable

adequately safeguarded
Accounts Payable
manager
167
Check/cheque amounts and payee names are

Accounts Payable
printed to avoid alteration (permanent ink/impressed)
Accounts Payable
manager
168
152
157
Cheques are kept in a secure environment and are

issue controlled
Accounts Payable
Accounts Payable
manager
169

issue controlled
Accounts Payable
Accounts Payable
manager
170

issue controlled
Accounts Payable
Accounts Payable
manager
171
Bank has specific instructions to query payments

over a specified amount with a senior manager not
involved in payments
Accounts Payable
Accounts Payable
manager
172
Bank (wire) transfer document amount is imprinted to Accounts Payable

reduce risk of fraudulent documents being submitted
Accounts Payable
manager
173
All data which affects the system balance to be input Accounts Payable
via the system
Accounts Payable
manager
174
Responsibilities for recording cash payment, and

updating the AP ledger are segregated
Accounts Payable
Accounts Payable
manager
175
Month end check of balances formally noted on a

checklist authorized by a senior manager
Accounts Payable
Accounts Payable
manager
176
Daily checklists (or as appropriate) to ensure data is Accounts Payable

transferred
Accounts Payable
manager
177
The reconciliation between the AP ledger and the GL Accounts Payable

control account is prepared and/or approved by an
individual independent of the upkeep / maintenance
of the ledger.
Accounts Payable
manager
The use of suspense accounts is avoided. When

used they are regularly reviewed and cleared.
Accounts Payable
Accounts Payable
manager
179
Month end checklist to ensure all transactions

transferred from subsidiary ledgers to the GL
Accounts Payable
Accounts Payable
manager
180
Only complete transactions to be posted (e.g.

invoices, credit notes payments)
Accounts Payable
Accounts Payable
manager
181
No adjustments (such as journals) should be made

without a clear audit trail to supporting documents
Accounts Payable
Accounts Payable
manager
182
Periodic check of balances to ensure all items are

related to proper transactions
Accounts Payable
Accounts Payable
manager
183
Where possible, carry out regular reconciliations with Accounts Payable

supplier statements
Accounts Payable
manager
184
Adequate audit trail back to supporting documents
Accounts Payable
manager
185
Accounts Payable
178
Exception reports to be produced showing overdue

items
Accounts Payable
Accounts Payable
manager
186
All items should have passed through checking

procedures which checked they complied with tax,
company and statutory regulations
Accounts Payable
Accounts Payable
manager
187
User testing of reports to ensure they achieve their

objectives
Accounts Payable
Accounts Payable
manager
188
The decisions to be made on receiving the report are Accounts Payable

defined
Accounts Payable
manager
189

objectives
Accounts Payable
Accounts Payable
manager
190
Exception reports to highlight data outside expected Accounts Payable

values
Accounts Payable
manager
191

objectives
Accounts Payable
Accounts Payable
manager
192

period
Accounts Payable
manager
193

objectives
Accounts Payable
Accounts Payable
manager
194

values
Accounts Payable
manager
195
Password restricts access to system
IT management
Accounts Payable
196
IT controls prevent direct access to files
Accounts Payable
IT management
Individual's information access and requirements is

continually monitored and updated as necessary including prompt withdrawal of access to specific
areas/individuals when it is no longer required
Accounts Payable
IT management
Individual's information access and requirements is

continually monitored and updated as necessary including prompt withdrawal of access to specific
areas/individuals when it is no longer required
Accounts Payable
Unauthorized accesses are monitored and control

log is reviewed
Accounts Payable
IT management
Access is allocated to staff such that adequate

segregation of duties is maintained
Accounts Payable
IT management
Access to payment files (checks (cheques) to be

printed, on-line payments to be transmitted) are
strictly controlled
Accounts Payable
IT management
197
198
IT management
199
200
201
202
IT system logs access to files
Accounts Payable
IT management
Accounts Payable
IT management
Accounts Payable
IT management
IT apply latest virus databases immediately on

receipt
Accounts Payable
IT management

receipt
Accounts Payable
IT management

receipt
Accounts Payable
IT management
Appropriate firewalls are put in place and are

updated promptly
Accounts Payable
IT management
Appropriate firewalls are put in place and are

updated promptly
Accounts Payable
IT management
Database files are backed up daily and stored offsite
Accounts Payable
IT management
Database files are backed up daily and stored offsite
Accounts Payable
IT management
IT checks warn if databases become corrupted
Accounts Payable
IT management
IT checks warn if databases become corrupted
Accounts Payable
IT management
Procedures to be used for restoring backed up files

are documented
Accounts Payable
IT management
Contingency arrangements are developed and

documented and tested.
Accounts Payable
IT management
Contingency arrangements are developed and

documented and tested.
Accounts Payable
IT management
Computer equipment is in a room with restricted

access
Accounts Payable
IT management

access
Accounts Payable
IT management
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
Computer room has automatic fire extinguishers
Accounts Payable
IT management

access
Accounts Payable
IT management
Computer room is on a site with restricted access
Accounts Payable
IT management
General ledger check to ensure all transactions are

posted in the correct period
Accounts Payable
Accounts Payable
manager
223
Accruals are calculated by the system from receipts Accounts Payable

not invoiced
Accounts Payable
manager
224
Accruals are calculated by the system from receipts Accounts Payable

not invoiced
Accounts Payable
manager
225
Rebates are checked to ensure correct calculation

and timing
Accounts Payable
Accounts Payable
manager
226
Supplier statement reconciliations are carried out

regularly
Accounts Payable
Accounts Payable
manager
227
At cut-off dates, a system operates to collate

information re unrecorded liabilities e.g. invoices
logged centrally on receipt; department managers
are requested to provide required information
Accounts Payable
Accounts Payable
manager
220
221
222
228
Transaction codes for payments are set up as part of Accounts Payable

the systems set up process and can only be
changed by a senior manager
Accounts Payable
manager
229
A full audit trail of all amendments is produced and

independently reviewed.
Accounts Payable
Accounts Payable
manager
230
Appropriate segregation of duties is maintained
Accounts Payable
Accounts Payable
manager
231
Access to the accounting systems is password

restricted
Accounts Payable
Accounts Payable
manager
232
Finance manual sets out specific reporting

requirements and is readily available to all
businesses
Accounts Payable
Accounts Payable
manager
233

businesses
Accounts Payable
Accounts Payable
manager
234

businesses
Accounts Payable
Accounts Payable
manager
235
The requirement to provide the above is considered Accounts Payable

in setting the purchasing procedures
Accounts Payable
manager
236
Group finance and tax departments monitor

Accounts Payable
purchasing issues and keep others informed through
regular bulletins
Accounts Payable
manager
237

Accounts Payable
regular bulletins
Accounts Payable
manager
238
External auditors involved for statutory audit

purposes
Accounts Payable
Accounts Payable
manager
239
The system is approved by the appropriate tax

authorities
Accounts Payable
Accounts Payable
manager
240

businesses
Accounts Payable
Accounts Payable
manager
241
The requirement to provide the above is considered Accounts Payable

in setting the purchasing procedures
Accounts Payable
manager
242

Accounts Payable
regular bulletins
Accounts Payable
manager
243

Accounts Payable
regular bulletins
Accounts Payable
manager
244
IT function is responsible for software, hardware and Accounts Payable

communications are maintained properly
Accounts Payable
manager
245
IT function is responsible for security of data
Accounts Payable
Accounts Payable
manager
246
IT function is responsible for repairing software,

hardware and communications to maintain
operations
Accounts Payable
Accounts Payable
manager
247
Accounts Payable function is responsible for

ensuring data is correct
Accounts Payable
Accounts Payable
manager
248
IT function is responsible for ensuring software is

properly updated
Accounts Payable
Accounts Payable
manager
249
IT function is responsible for ensuring software is

properly updated
Accounts Payable
Accounts Payable
manager
250
Senior managers' responsibility to ensure sufficient Accounts Payable

numbers of staff are available to properly support the
business operations
Accounts Payable
manager
251
HR have a succession plan in place for key staff
Accounts Payable
Accounts Payable
manager
252
Senior managers' responsibility to ensure all staff

have sufficient training and knowledge to properly
discharge their responsibilities
Accounts Payable
Accounts Payable
manager
253
Use of Agency staff is very rare. If they are used,

Accounts Payable
they are interviewed and approved by the AP
manager. They are used for jobs where the risks are
low.
Accounts Payable
manager
Manual cash books and other important documents

are kept in a fireproof safe.
Accounts Payable
Accounts Payable
manager
255
Copies of important documents are kept off-site
Accounts Payable
Accounts Payable
manager
256
254
257
Sets the tone at the top - The board of directors and Accounts Payable
management at all levels of the entity demonstrate
through their directives, actions, and behavior the
importance of integrity and ethical values to support
the functioning of the system of internal control
Board and senior

management
Addresses Deviations in a Timely Manner

deviations of the entitys expected standards of
conduct are identified and remedied in a timely and
consistent manner
Accounts Payable
Board and senior

management
Control EnvironmentEstablishing integrity and

ethical values, oversight structures, authority and
responsibility, expectations of competence, and
accountability to the board.
Accounts Payable
Risk AssessmentOverseeing managements

assessment of risks to the achievement of
objectives, including the potential impact of
significant changes, fraud, and management
override of internal control.
Accounts Payable
Control ActivitiesProviding oversight to senior

management in the development and performance
of control activities.
Accounts Payable
Monitoring activities-Assessing and overseeing the

nature and scope of monitoring activities and the
management's evaluation and remediation of
deficiencies
Accounts Payable
258
259
Board and senior
management
260
Board and senior
management
261
Board and senior
management
262

Accounts Payable
directors delegate authority, define responsibilities,
use appropriate process and technology to assign
the various levels of the organization?
Board and senior

management
263
Board and senior
management
264

Accounts Payable
Board and senior

management

Accounts Payable
Board and senior

management

competent personnel and outsourced service
providers to support the achievement of objectives
Accounts Payable
Management

competent personnel and outsourced service
providers to support the achievement of objectives
Accounts Payable
265
266
267
Management
268
Establishes Performance Measures, Incentives, and Accounts Payable

Rewardsmanagement and the board of directors
establish performance measures, incentives, and
other rewards appropriate for responsibilities at all
levels of the entity, reflecting appropriate dimensions
of performance and expected standards of conduct,
and considering the achievement of both short-term
and longer-term objectives
Board and senior

management
Reflects Entity Activitiesexternal reporting reflects Accounts Payable

the underlying transactions and events within a
range of acceptable limits
Directors and senior

managers of functions
concerned
270
Reflects Managements Choicesinternal reporting Accounts Payable

provides management with accurate and complete
information regarding managements choices and
information needed in managing the entity

concerned
271
Considers the Required Level of Precision

Accounts Payable
management reflects the required level of precision
and accuracy suitable for user needs in non-financial
reporting objectives and materiality within financial
reporting objectives

concerned
272
Reflects Entity Activitiesinternal reporting reflects

the underlying transactions and events within a
range of acceptable limits

concerned
273
Accounts Payable
269
Includes Entity, Subsidiary, Division, Operating Unit, Accounts Payable

and Functional Levelsthe organization identifies
and assesses risks at the entity, subsidiary, division,
operating unit, and functional levels relevant to the
achievement of objectives
Specific to processes
involved
Analyzes Internal and External Factors

Accounts Payable
management ensures that risk identification
considers both internal and external factors and their
impact on the achievement of objectives
involved
Involves Appropriate Levels of ManagementThe

organization puts into place effective risk
assessment mechanisms that involve appropriate
levels of management
involved
Accounts Payable
274
275
276
Estimates Significance of Risks Identified

Accounts Payable
management ensures that identified risks are
analyzed through a process that includes estimating
the potential significance of the risk
involved
Determines How to Respond to Risksmanagement Accounts Payable

ensures that the risk assessment includes
considering how the risk should be managed and
whether to accept, avoid, reduce, or share the risk
involved
Assesses Incentive and Pressuresthe assessment Accounts Payable

of fraud risk considers incentives and pressures
involved
277
278
279
Assesses Opportunitiesthe assessment of fraud
Accounts Payable
risk considers opportunities for unauthorized
acquisition, use, or disposal of assets, altering of the
entitys reporting records, or committing other
inappropriate acts
involved
Assesses Attitudes and Rationalizationsthe

assessment of fraud risk considers how
management and other personnel might engage in
or justify inappropriate actions
Accounts Payable
involved
Assesses Changes in the Business Modelthe

organization considers the potential impacts of new
business lines, dramatically altered compositions of
existing business lines, acquired or divested
business operations on the system of internal
control, rapid growth, changing reliance on foreign
geographies and new technologies
Accounts Payable
Integrates with Risk Assessmentthe control

activities help ensure that responses that address
and mitigate risks are carried out
Accounts Payable
280
281
involved
282
involved
283
Determines Relevant Business Processes

management determines which relevant business
processes require control activities
Accounts Payable
Determines Relevant Business Processes

management determines which relevant business
processes require control activities
Accounts Payable
involved
284
involved
285
Considers Entity-Specific Factorsmanagement

Accounts Payable
considers how the environment, complexity, nature,
and scope of its operations, as well as the specific
characteristics of its organization, affect the selection
and development of control activities
involved
Evaluates a Mix of Control Activity Typesthe

control activities include a range and variety of
controls and a balance of approaches to mitigate
risks, considering both manual and automated
controls, and preventive and detective controls
Accounts Payable
involved
Considers at What Level Activities Are Applied

management considers control activities at various
levels in the entity
Accounts Payable
Addresses Segregation of Dutiesmanagement

segregates incompatible duties, and where such
segregation is not practical, does management
select and develop alternative control activities
Accounts Payable
286
287
involved
288
involved
289
Establishes Relevant Technology Infrastructure

Accounts Payable
Control Activitiesmanagement selects and
develops control activities over the technology
infrastructure, which are designed and implemented
to help ensure the completeness, accuracy, and
availability of technology processing
IT management
Establishes Relevant Security Management Process Accounts Payable

Control Activitiesmanagement selects and
develops control activities that are designed and
implemented to restrict technology access rights to
authorized users commensurate with their job
responsibilities and to protect the entitys assets from
external threats.
involved

Executing Policies and Proceduresmanagement
establishes responsibility and accountability for
control activities with management (or other
designated personnel) of the operating unit or
function in which the relevant risks reside
involved
Accounts Payable
290
291
292

Executing Policies and Proceduresmanagement
establishes responsibility and accountability for
control activities with management (or other
designated personnel) of the operating unit or
function in which the relevant risks reside
Accounts Payable
Performs in a Timely Mannerresponsible

personnel perform control activities in a timely
manner as defined by the policies and procedures
Accounts Payable
Takes Corrective Actionresponsible personnel

investigate and act on matters identified as a result
of executing control activities
Accounts Payable
Takes Corrective Actionresponsible personnel

investigate and act on matters identified as a result
of executing control activities
Accounts Payable
Performs Using Competent Personnelcompetent

personnel perform control activities with diligence
and continuing focus
Accounts Payable
Performs Using Competent Personnelcompetent

personnel perform control activities with diligence
and continuing focus
Accounts Payable
involved
293
involved
294
involved
295
involved
296
involved
297
involved
298
Reassesses Policies and Proceduresmanagement Accounts Payable

periodically reviews control activities to determine
their continued relevance, and refresh them when
necessary
involved
Reassesses Policies and Proceduresmanagement Accounts Payable

periodically reviews control activities to determine
their continued relevance, and refresh them when
necessary
involved
Identifies Information Requirementsmanagement

considers if a process is in place to identify the
information required and expected to support the
functioning of the other components of internal
control and the achievement of entitys objectives
involved
Accounts Payable
Captures Internal and External Sources of Datathe Accounts Payable

information systems capture internal and external
sources of data
299
300
301
involved
302
Captures Internal and External Sources of Datathe Accounts Payable

information systems capture internal and external
sources of data
involved
Processes Relevant Data into Informationthe

Accounts Payable
information systems process and transform relevant
data into information
involved
Maintains Quality throughout Processingthe

Accounts Payable
information systems produce information that is
timely, current, accurate, complete, accessible,
protected, and verifiable and retained? Consider if
the information is reviewed to assess its relevance in
supporting the internal control components
involved
Maintains Quality throughout Processingthe

Accounts Payable
information systems produce information that is
timely, current, accurate, complete, accessible,
protected, and verifiable and retained? Consider if
the information is reviewed to assess its relevance in
supporting the internal control components
involved
Considers Costs and Benefitsmanagement

considers if the nature, quantity, and precision of
information communicated are commensurate with
and support the achievement of objectives
Accounts Payable
involved
Communicates Internal Control Information with

Personnelprocess is in place to communicate
required information to enable all personnel to
understand and carry out their internal control
responsibilities
Accounts Payable
Considers a Mix of Ongoing and Separate

Evaluationsmanagement includes a balance of
ongoing and separate evaluations
Accounts Payable

Accounts Payable

Accounts Payable
303
304
305
306
307
involved
308
Board and senior
management
309
Board and senior
management
310
Board and senior
management
311

Accounts Payable
Establishes Baseline Understandingthe design

and current state of an internal control system is
used to establish a baseline for ongoing and
separate evaluations
Accounts Payable
Board and senior

management
312
Board and senior
management
313
Uses Knowledgeable Personnelmanagement

Accounts Payable
helps ensure that the evaluators performing ongoing
and separate evaluations have sufficient knowledge
to understand what is being evaluated
Board and senior

management
Uses Knowledgeable Personnelmanagement

Accounts Payable
helps ensure that the evaluators performing ongoing
and separate evaluations have sufficient knowledge
to understand what is being evaluated
Board and senior

management
Integrates with Business Processesthe ongoing

evaluations built into the business processes adjust
to changing conditions
Accounts Payable
Board and senior

management
Assesses Resultsmanagement and the board of

directors, as appropriate, assess results of ongoing
and separate evaluations
Accounts Payable
314
315
316
Board and senior
management
317
Monitoring control
Monitoring
control owner
Has management has

established risk
management systems?
Budgets and their related strategies are checked Board of Directors

for financial justification and collated by
Management Accounts. The final company
budget is approved by the board
yes
yes
yes
yes
The Head of Risk Management checks for a
proper risk analysis of the strategy.
Head of Risk
Management
yes
The Chief Financial Officer checks targets for the Chief Financial Officer/
AP manager. The Head of Accounting Services Head of Accounting
signs off targets for all AP staff
Services
yes
The Chief Financial Officer checks targets for the Chief Financial Officer/
AP manager. The Head of Accounting Services Head of Accounting
signs off targets for all AP staff
Services
yes
The Head of Accounting Services attends the
briefing meeting to answer any questions
Head of Accounting
Services
yes
Company finance and tax departments monitor Heads of Financial
expenditure for issues and keep others informed Accounts and Taxation
Departments
yes
The specification was checked by finance and

taxation departments
Heads of Financial
Departments
yes
None
yes
None
yes
Head of Accounting Services checks that all
departments affected by new legislation train
their staff in any new procedures
Head of Accounting
Services
As part of daily management the AP manager is

aware of issues concerning staff behavior and
adherence to procedures
Accounts Payable
manager
As part of daily management the AP manager is

aware of issues concerning staff behavior and
adherence to procedures
Accounts Payable
manager
Supplier set-up team check payment terms are

consistent with policy
Accounts Payable
manager
yes
yes
yes
yes
External audit review Company policies as part of External audit
year end work.
yes
External audit review Company policies as part of External audit
year end work.
yes
The Chief Finance Officer reviews the accounts
and ensures larges variances are explained
yes
At each budgeting exercise the Chief Financial
Officer requires the direct reports to review the
structure of their functions
yes
None
yes
None
yes
None
yes
Head of Accounting Services signs off Objective Head of Accounting

and Risk Register
Services
yes
Head of Accounting Services checks that staff
have been trained
Head of Accounting
Services
yes
Risk Management department contacts all
functions every quarter to update the ORCR
Head of Risk
Management
yes
Formal meeting between Internal Audit and Risk Chief Audit Executive
Management every month
yes
Head of Accounting Services signs off Objective Head of Accounting
and Risk Register
Services
yes
AP manager has set up a monthly 'critical
controls' checklist which requires supervisors to
confirm the operation of key controls
Accounts Payable
manager
yes
Data was signed off by AP manager before input Accounts Payable

manager
yes
Data was signed off by appropriate managers
before input
Accounts Payable
manager
yes
User testing, signed off by AP manager as being Accounts Payable
accepted
manager
yes
accepted
manager
yes
accepted
manager
yes
Heads of Merchandising, Capital and Expense
Purchasing and AP manager signed off supplier
lists before transfer
Heads of Merchandising,
Capital and Expense
Purchasing and AP
manager
yes
accepted
manager
yes
accepted
manager
yes
AP Manager approves all changes to standing
data, excluding supplier data, before input and
signs off output report, which is retained
Accounts Payable
manager

Accounts Payable
manager
yes
yes

Accounts Payable
manager

Accounts Payable
manager

Accounts Payable
manager

Accounts Payable
manager

Accounts Payable
manager

Accounts Payable
manager

Accounts Payable
manager

Accounts Payable
manager

Accounts Payable
manager

Accounts Payable
manager

Accounts Payable
manager

Accounts Payable
manager
Buyer approves input form
Buyer
Buyer checks input form against a report of the

supplier information
Buyer
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
Exception reports to highlight incorrect or missing Buyer
data which may not be a system requirement
(e.g. VAT (tax) number)
yes
Exception reports to highlight incorrect or missing Buyer

data which may not be a system requirement
(e.g. VAT (tax) number)
yes
None
yes
Computer exception checks to highlight suspect

Buyer
yes
None
yes
A computer report is produced showing repeated
attempts to access screens without the correct
username/password
yes
An exception report highlights unusual

transactions
yes
A six-monthly computer report is produced
Buyer
showing suppliers and the turnover for each
buyer. This report has to be checked and signed
by each buyer
yes
Variance report produced showing difference

between total ordered cost and total cost paid
Merchandising or
purchasing departments
A monthly paper report is produced for each

buyer and sent to them by Accounts Payable
Merchandising or
YES
YES
Supplier reconciliations will show difference.

Supplier not paid will complain
Accounts Payable
manager
Supplier reconciliations will show difference.

Supplier not paid will complain
Accounts Payable
manager
None
n/a
NO (Deficiency 3)
YES
Significant coding errors should result in budget Management Accounts
variance which are investigated by management
accounts
YES
Exception report produced of invoices processed Merchandising or
with no order number
YES
Significant value of invoices should result in

budget variance which are investigated by
management accounts. Managers can see
invoices posted to the account codes for which
they are responsible
Advertising and promotional invoices must be

approved by Management Accounts as being for
the period in which the invoice is posted.
An 'Aged invoice report' is produced showing old Accounts Payable

invoices not paid. Where an invoice is held for
manager
more than three weeks on a price query, the
appropriate buyer/authorizer is informed that it
will be paid in 5 days unless they object
Supplier statements examined or reconciled
Record made of all duplicate invoices posted and

reasons determined
An exception report is produced for those general

ledger codes, such as entertainment, which have
VAT reclaimed
A computer report is produced showing repeated

attempts to access screens without the correct
username/password
An exception report highlights unusual
transactions
Significant value of invoices should result in

budget variance which are investigated by
management accounts. Managers can see
invoices posted to the account codes for which
they are responsible

regularly and discrepancies investigated
regularly and discrepancies investigated

regularly and discrepancies are investigated
Internal audits
Audit Committee,
supported by internal
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Internal audits
Audit Committee,
audit
Test of internal controls
Test
schedule ref.
Checked that the strategy clearly states the objectives of

the accounts payable function
n/a
Checked the strategy is up-to-date
n/a
Checked the strategy covers all aspects of AP, including IT n/a

and staffing
Checked the strategy is backed-up by realistic financial

figures
Ensure that risks to the strategy are identified with controls

to manage them
Check that written targets been set for the AP function and
that these are linked to the achievement of the objectives
Examine targets set for individuals. Check that all the top
level targets have been assigned. Check that individuals
have signed as approving their targets
Question the staff during the audit. Ensure they are aware
of the strategy and their part in it
Examine the manual. It should include all items necessary
to ensure the correct accounting for accounts payable
(later tests will confirm this)
n/a
The audit will check that all requirements (legal,

regulatory, company policy etc.) are being followed
Ensure any information provided to the external auditors is

complete and accurate
There is a monthly report of all payments made to

accounts in 'tax havens' (e.g. Switzerland, Cayman
Islands, Channel Islands) which is approved by the AP
manager. This report was checked for his signature.
Ask if staff have been trained in the latest legislation and
procedure changes. Examine a copy of any training
material available
Examine the manual. Check it includes all items
necessary to ensure the correct accounting for accounts
payable (more tests later)
Examine the manual. I should include updates for the

latest legislation
Examine the policy on payment terms
Examine bulletins to ensure they promptly update

appropriate staff with the latest developments
Examine bulletins to ensure they promptly update
appropriate staff with the latest developments
Check monthly management account pack to ensure all
large variances are properly explained
Check the risk register exists for accounts payable
Check staff are aware of the need to consider risk during

the course of their work
At the end of the audit, check that any new risks found
were notified
At the end of the audit, check that any new risks found
were notified
If relevant, check any changes which have been made to

set up data back to an authorized source
Check that tolerance levels for accepting invoices are in
accordance with company policy
If relevant, check any changes which have been made to
set up data back to an authorized source
If possible use CAATs to check set up data is correct
View setup screens to check data
Check a sample of standing data back to source
Run CAATs to check standing data is correct
Confirm computer edit checks (or manual checks) ensure

completeness of data
Run CAATs to check for missing data (or check an output

sample manually)
View standing screens to check data (e.g. foreign currency
rates)
Run CAATs to check output is correct (or check an output

sample manually). E.g. correct foreign currency
calculation
Examine written procedures to ensure correct cut-off (e.g.
foreign currency rates)
Examine checklists and timetables, or other
documentation which ensures objective is achieved
Run CAATs to select data and check this conforms to
legislation (or check an output sample manually)
Observe input of standing data to ensure incorrect input is
rejected, or warnings issued
Where data should have been checked by specialists,
look for evidence of approval
Obtain names of staff, including IT staff, who have access
to the system being audited. Check that access is
appropriate and kept to that which is necessary
Ensure that duties are divided between staff such that noone can set up fraudulent data without it being detected
by a second person
Check that formal procedures exist for notifying senior
management of any suspicious activity and that these are
included in training
Check a sample of suppliers' data back to sources such
as invoices and agreements

Confirm computer edit checks (or manual checks) ensure
completeness of data
View standing screens to check data (e.g. foreign currency
rates)
Examine written procedures to ensure correct cut-off (e.g.
foreign currency rates)
Run CAATs to select data and check this conforms to

legislation (or check an output sample manually)
Where data should have been checked by specialists,
look for evidence of approval
Obtain names of staff, including IT staff, who have access
to the system being audited. Check that access is
appropriate and kept to that which is necessary
Ensure that duties are divided between staff such that noone can set up fraudulent data without it being detected
by a second person
Check that formal procedures exist for notifying senior
management of any suspicious activity and that these are
included in training
Observe expense supplier setup to ensure it is
independent of data entry and payment
Check a selection of supplier discounts back to supporting
documentation
Run a CAAT to list supplier discounts and check those
outside expected ranges
Check a selection of supplier discounts back to supporting
documentation
Run a CAAT to list supplier discounts and check those
outside expected ranges
Enquire, and observe, what procedures are used to inform
suppliers that they must send invoices to a central location
Ensure all transactions entered (invoices, credit notes,

special payments, adjustments) are batched
Check that policies state that data should only be input

from properly approved documents (some tax authorities
require external documents with a tax number)
Check invoices are coded by knowledgeable staff using
published guidelines
If possible, use a test or training system to test the correct

operation of edit checks
Observe the data input process and question the data

entry staff


entry staff
Check that all invoices relating to goods received are

matched to receiving details input by the warehouse or
other receiving point
Examine receipts not matched to ensure none are
outstanding for unreasonable periods
Checked that the majority of invoices result from goods

and services ordered
G1 Test 1
Examined 'Invoices failing match' report to ensure none

are outstanding for unreasonable periods
G4 Test 2

Examine exception reports listing goods received not

invoiced to ensure they are cleared promptly
Examine the statements and letters sorted out from the

mail for old items and demands for payment


entry staff about matching credit notes with invoices under
query
Where available, examine supplier statements for credit
notes not taken
Observe the procedures for opening the mail, sorting

invoices, statements and letters. Follow the procedures
through to logging the invoices, examining/reconciling
statements and acting on letters
Observed input of invoices with no order numbers. Asked
input staff about danger of selecting wrong supplier.
Check that policies state that data should only be input

from properly approved documents (some tax authorities
require external documents with a tax number)
Check invoices are coded by knowledgeable staff using

published guidelines
Observed input of invoices with no order numbers. Asked

input staff about the number of warnings.


entry staff
G1 Test 1


entry staff
Check that all invoices relating to goods received are

matched to receiving details input by the warehouse or
other receiving point
Enquire, and observe, what procedures are used to inform

suppliers that they must provide goods and services only
on the basis of an official order
Confirm that the majority of invoices result from goods and
services ordered


entry staff

entry staff


entry staff
Examine exception reports listing outstanding queries to

ensure they are cleared promptly
Examine the procedures by which goods or services of

inadequate quality are notified to prevent the payment of
the invoice and generate a request for a credit note
Check paper invoices are cancelled in some way to

prevent duplicate posting
Check computer invoices have checks to ensure they

cannot be duplicate posted

Examine training materials and documentation given to

staff which specify tax treatment of transactions

entry staff about their knowledge of tax
When examining the processing of invoices ensure they

are checked for the appropriate tax and statutory
treatment
entry staff
Ensure staff have been instructed how to forward invoices

for specialist advice


Examine IT reports listing access to input screens to

check that no access is allowed outside any jobholder's
responsibilities
Ensure duties are divided such that no one person can do
any two of: set up a supplier; input an invoice; pay a
supplier
Ensure staff have been instructed how to forward invoices
for specialist advice
In the GL system, check that all capital and expense

codes are assigned to cost centers which have budgets,
and which are allocated to a senior manager for checking
transactions posted to the accounts
Check cash flow forecasts are updated regularly and
based on sound principles
Check warehouse procedures for details of which
deliveries to refuse
Check buyers' procedures for claiming credits
Observe procedures at warehouse for correcting stock for

defective goods or short delivery
Check accounts payable procedures to ensure credits are
claimed for these adjustments
Check stores procedures to ensure they request credit
from suppliers for returned goods
Check procedures by which the recipient of goods or
services can report defects to the buyers
Observe process by which invoices are selected for
computer payment to ensure that all invoices due for
payment are selected but no more
Check accounts (use CAAT if possible) to check for 'round
sum' cash payments
On-line payments, manual check/checks (cheques) or

bank transfers (including foreign currency) are generated
from properly authorized documentation and
independently checked
Check that every computer payment run generates a
report of proposed payments and this is authorized before
payments are generated
Check the report listing payments actually made to the
payment proposal report. Ensure there is evidence of
checking and examine it for any payments made that were
not on the original proposal
Use CAAT to produce a report of debit balances. Check
the reasons for each one. Where necessary check that
these have been noted in the 'adjustments' book
Determine, and test if possible, what checks the system
carries out to prevent duplicate payments, for example of
copy invoices
Check that copy documents are only used for payment

when it is certain that the original document has not, or
cannot, be paid
During the above checks ensure that details of any
duplicate payments and other problems are noted in an
'adjustment' book
Examine the procedures for generating payments. Ensure
payment dates can only be changed by an authorized
person
Ensure that supplier payment details cannot be changed
for automatic payments
Use CAAT to produce a report of debit balances. Check
the reasons for each one. Where necessary check that
these have been noted in the 'adjustments' book
Ensure that bank payment details cannot be changed for
automatic payments
If discounts are given for the amount of goods sold, check
that systems are working to ensure the discount is claimed
(may be a separate audit)
Check procedures which ensure settlement discount is set
up in the standing data
Check options in system to record different discount rates
for earlier payment
Check procedures for processing fast payment of invoices

to ensure they must have proper authorization
Check for evidence that supplier statements are
reconciled and discrepancies followed up
If discounts are given for the amount of goods sold, check Test 23
that systems are working to ensure the discount is
received (may be a separate audit)
Check that every computer payment run generates a
Test 23
report of proposed payments and this is authorized before
payments are generated

Test 23
Check the parameters for triggering exception reports for
Test 15
Check that procedures exist for acting on these reports,

including immediately informing senior management
Test 23
Check that bank reconciliations are carried out promptly

every month for frequently used accounts
Test 24
Check that bank reconciliations are signed and dated as

evidence of authorization
Test 24
Examine bank reconciliations to ensure that items over a Test 24

month old are being investigated, there are no
'adjustment' amounts or other amounts not corresponding
to actual payments or receipts
Check the document showing authority levels for
expenditure, has been approved by the board and levels
set are appropriate to the job holder
Test 24
Check that all relevant personnel in the AP department

have the authority list, with example signatures
Test 24
Determine the job holder responsible for ensuring

authorization lists are up-to-date
Test 24
Obtain the latest bank mandate. Check it is up-to-date and Test 24

consistent with the authority list, with proper division of
duties
Check that the authorization levels set for payment
documents agrees with the bank mandate
Test 24
Check that the report from the bank list the total of
Test 24
payments to be made is immediately checked to list of online payments made
Check that the bank mandate does not allow instruction
for payment to be made over the telephone
Check that the recording of payments in the ledger is
separate from the payment processes
Observe that the signature plates for the check/cheque
signing machine are securely locked away when not in
use
Check that access to the locked storage of the signature
plates is limited to the machine operators
Ensure that checks (cheques) are tamper proof so that
amounts and payee names cannot be changed
Ensure that checks (cheques) are locked away (separate

from the signature plates)
Check that a list is kept of all cheque numbers received
and issued
Check the stock of checks (cheques) to ensure it agrees
with the list
Check instructions to the bank requiring them to query any
payments made by a bank transfer over a set amount
Where bank transfer documents are used (particularly for
foreign payments), ensure there are checks to prevent the
presentation of false documents
Check that all entries into the GL AP control account are
from the AP system
Ensure there is a division of duties between recording
payments on the GL and data entry into the AP system
Check the month-end checklist to ensure the AP and GL
balance totals have been agreed and the list is signed and
dated by a senior manager
Determine how the complete transfer of information from
the AP system to the GL control account is confirmed
Confirm the separation of duties updating the ledger and
control account
Ensure that all suspense accounts are cleared by the

month-end
Check the month-end checklist to ensure the AP
transactions have been posted to the GL
Examine the composition of a sample of balances to
ensure they are made up of identifiable transactions
If possible use CAAT to report adjustments to AP balances
and determine the reasons for these
Enquire how the AP department ensures balances always
comprise of identifiable items
Examine evidence that regular reconciliations are carried
out
Examine the composition of a sample of balances to
ensure they are made up of identifiable transactions
Check that regular exception reports are produced

showing old invoices not paid, or old credit notes not taken
or cash payments not applied
During audit tests check the correct treatment of
transactions, for example expense invoices for
entertainment
Check that users are satisfied with the content, accuracy
and timing of the reports they receive
Examine user manuals and training notes to ensure users
know what action to take when they receive reports
Check that exception reports are produced to highlight
data outside expected values
data outside expected period
data outside expected values
Obtain computer report which shows permitted access to
AP screens. Check for appropriate access
Determine who has direct access to files on the computer
(for example, database administrator). Ensure they are
trusted personnel.
Examine reports showing personnel accessing the AP
system. Check for access at unusual times.
Ensure procedures exist for removing a person's access

to the system immediately they leave or become the
subject of an investigation
Check the report listing attempts at gaining unauthorized
access and the action taken
Obtain computer report which shows permitted access to
AP screens. Check for appropriate access
Check that files held pending transmission to banks, or
printing of checks/checks (cheques), cannot be accessed
and changed
Check the report listing attempts at gaining unauthorized

access and the action taken
Consider running CAAT on log files to check for access at
unusual times
Ensure access is only allowed from specified
computers/terminals, not users own devices
Examine procedures which ensure that anti-virus
databases are updated immediately
Examine procedures which ensure that anti-virus
programs are updated when new versions become
available
Ensure latest anti-virus databases and programs are in
use throughout the system
Check that firewalls are in place to prevent unauthorized
access
Check that firewall programs are the latest version
Ensure that databases are backed up at least daily and

preferably more frequently
Ensure that back-up data is stored off-site in a wellprotected environment
Determine what checks exist to ensure databases do not
become corrupted.
Consider checks to ensure opening balances are the
same as closing and opening and closing balances can be
reconciled by posted transactions
Examine the documentation detailing what action to take if
databases have to be restored, and the checks to be
carried out to confirm a successful restoration
Examine the documentation detailing what action to take if
the data centre/computers are damaged
Examine any documentation recording the testing of
contingency plans
Examine the physical location of the computers operating
the AP system to ensure they are secure
Consider if back-up to the 'cloud' is practical and desirable
Examine the fire prevention and detection measures

covering the computer equipment
Examine the physical location of the computers operating
the AP system to ensure they are secure
Examine the physical location of the computer room to
ensure it is secure
Examine procedures which ensure batches from AP are
posted into the correct period
Check the calculation of accruals from goods received not
invoiced
Run a CAAT to report goods received not invoiced, check
this to the accruals list
Check all supplier rebates to ensure they conform to the
agreement and are correctly calculated
On significant supplier accounts sending statements,
check that unreconciled items are considered for accruing
Check the system for determining significant accruals and
prepayments, such as advertising, rents, rates, taxes,
electricity, telecoms.
Check that procedures ensure the correct cost centre and
expense codes are applied to transactions
Examine the GL AP control account for any adjustments.
Ensure the reasons for these are fully documented
Ensure responsibility for maintenance of the GL is
separate from AP responsibilities
Obtain a list of personnel and their permitted access to the
GL to ensure it is appropriate to their responsibilities
Check that a finance manual exists which states the tax
requirements for expenditure
Check the manual is available to staff who need it
Check the manual is used in induction training
Ensure that AP procedures, both manual and computer,

fulfill tax requirements
Check that personnel responsible for tax monitor

expenditure and receive reports of relevant expenditure
Check that the tax department sends out instructions
when requirements change
Check that requirements of external auditors are
considered when designing the AP system
If required, check that the system has been approved by
the tax authorities
Check that a finance manual exists which states the
regulatory requirements for expenditure
Ensure that AP procedures, both manual and computer,
fulfill statutory requirements
Check that personnel responsible for accounting monitor
expenditure and receive reports of relevant expenditure
Check that finance sends out instructions when
requirements change
During the audit, find out from staff if any improvements
can be made to the efficiency of the AP system
During the audit, find out from staff if any data has been
lost
During the course of the audit, gain an understanding of
the reliability of the system
At the end of the audit, consider any evidence that
programs have miscalculated data
Examine IT procedures for updating software promptly,
including testing
Check that the software is the latest version
At the end of the audit, consider if any material

deficiencies have arisen because of staff shortages
Examine the succession plan
At the end of the audit, consider if any material

deficiencies have arisen because of poor staff training
Not tested
Observe that important documents are kept in a fireproof

safe
Check that, where appropriate copies of documents are
stored off-site, for example at a bank
Check if any weaknesses in internal control have resulted

from directors and management's failure to support
integrity and ethical values.
Check the action taken to remedy any deviations found

and discipline where necessary.
Control environment: At the end of the audit work consider

if integrity and ethical values, structure, authority and
responsibility, competence and accountability have been
present in the parts of the organization being audited.
Risk Assessment: Examine evidence that directors have
reviewed and commented on management's assessment
of risks to the achievement of objectives, including the
potential impact of significant changes, fraud and
management override of internal control
Control Activities: Check guidance to senior management
around the selection, development and deployment of
control activities
Monitoring activities: After the audit send information to

the board to assess and oversee the nature and scope of
this audit and management's evaluation and remediation
of deficiencies
Senior ManagementEstablishes directives, guidance,
and control to enable management and other personnel to
understand and carry out their internal control
responsibilities - check that managers have written job
descriptions which clearly detail their responsibilities.
Check other documents which limit their authority to make
accounting adjustments.
ManagementGuides and facilitates the execution of

senior management directives at entity and its subunits examine any instructions issued and confirm they were
implemented
Review the audit work to ensure that risks which might

cause losses due to an individual having responsibilities
which are too extensive are mitigated by appropriate
controls, including that duties are segregated to reduce
the risk of inappropriate conduct.
Check that all managers and staff have had induction
training which clearly set out the responsibilities they have
in delivering the requirements of this COSO Framework
Check that all managers and staff have appropriate

training throughout their career as their needs arise. In
particular, an understanding of the difference between
capital and revenue expenditure, the risks involved in the
use of IT, categorization of assets, tax treatment of assets.
Examine assessments to ensure that staff have targets
set which include the achievement of objectives
Ensure that all external non-financial reporting is subject

to checks that it reliably represents the underlying
transactions.
Examine the processes used by management to

determine the information they need (www.managinginformation.org.uk for ideas). In particular look for reports
on; assets not depreciating; old assets possibly not longer
in use; assets sold with a large loss.
Examine the processes used by management to
determine the accuracy and timeliness of the information
they need (www.managing-information.org.uk for ideas)
Examine the processes used to gather information to

ensure it is relevant, complete and accurate to the
materiality levels required to make decisions. Examine the
reports produced and ensure they meet these criteria.
Check that risks have been properly identified before

commencing audit testing of controls


Check that risks have been properly assessed according

the entity's rules before commencing audit testing of
controls
Check that controls have been established to bring risks

below the risk appetite
Check that risks which might arise from a desire to acquire

incentives have been identified and that appropriate
controls are in place
Ensure that all risks that=threatening cash transactions,

for example the sale of assets, have been identified and
appropriate controls, including monitoring controls are
present
Check that directors, management and staff are not using
their position to benefit from transactions not normally
allowed to employees, or which compromise their integrity
or ability to manage objectively. For example purchasing
assets cheaply.
Check procedures exist to regularly revisit the risk
assessment in order to update it as a result of changes in
the internal or external environments
Check that risks are mitigated by controls, or other

appropriate action, to bring them below the risk appetite.
(The results from this audit will provide this check)
Ensure management have identified all business

processes
Confirm that any business processes identified as not

requiring control activities have no risks
Ensure that all risks resulting from the environment and

operations have suitable controls which are operating to
bring them below the risk appetite
Ensure that risks are mitigated by efficient and effective

controls. (The results from this audit will provide this
check)
Ensure that risks have been determined at all levels of the

entity and are mitigated by controls. (The results from this
audit will provide this check)
Ensure that management have identified alternative

controls where the expected segregation of duties is not
practical
Check that all risks arising from the use of technology

have been identified and suitable controls applied. (The
results from this audit will provide this check).
Check software access controls to ensure they restrict

appropriate access to staff commensurate with their job
responsibilities. (The results from this audit will provide
this check)
Check that management have identified key controls over

their relevant risks. (The results from this audit will
provide this check)
Examine evidence that management are regularly

receiving confirmations that controls are operating. These
would include a monthly balance of the FA ledger with the
general ledger and clearance of any suspense accounts.
Check that controls are operating when necessary. (The

results from this audit will provide this check).
Check that training materials properly record the controls

which should be operated
Examine documentation which records exceptional

matters arising from controls and ensures appropriate
action is taken. Such exceptional matters might include
assets with a negative book value, assets with a positive
NBV not depreciating.
Check that personnel have appropriate induction training
(including the operation of controls)when commencing
new tasks
If audit work detects failures in controls, determine the

underlying reasons
Determine the last time management reviewed controls to

check their relevance
Ensure that controls being operated are still relevant.

(The results from this audit will provide this check).
Check that information required for appropriate monitoring

controls has been identified
Check to ensure that all relevant data sources have been

identified
Check that data extracted from information sources is

relevant (including completeness), timely and to the level
of accuracy required
Check that data from information sources is processed

and transformed into information
Check that the information produced is relevant, timely

and is not spuriously accurate
Check that decisions are made in a timely manner based

on the information received
Check that information results in benefits which outweigh

the costs
Check that personnel (including 3rd party employees)

receive relevant information as soon as it is required
Check that ongoing evaluations (if possible using

computer software) have been established to ensure key
controls are operating. Use CAATs to check that
important control reports are correct.
Check that management have instigated separate

evaluations to ensure controls are operating, such as
monthly checks that the FA balance agrees with the GL.
Check that all control deficiencies found by staff or internal

audit are corrected as soon as possible
Internal audit, and other checking functions, carry out

separate evaluations dependent on the risks involved.
Establish that ongoing and separate evaluations are

based on the current systems in operation
Ensure that all staff and managers have been properly

trained to perform evaluations
Carry out internal audits of other evaluation functions

(such as quality control). Check that staff have sufficient
knowledge to recognize machinery when carrying out
physical verifications.
Ensure that ongoing evaluations are set up to adjust to

changes in the business environment
Check that the underlying reasons for any control

deficiencies are identified. Include these in the internal
audit report
Result
Test of monitoring controls
Yes The strategy incorporates the company's Checked an up-to-date copy of the strategy to ensure it
strategy of a 5% reduction in costs; the need to has been signed by the Head of Management Accounts,
reinforce the company's Code of Ethics;
incorporated into the company's budget and approved by
training in risk management, installation of new the board
PCs.
PCs.
PCs.
PCs.
Check formal procedures exist for the referral of all

appropriate expenditure to relevant specialists
Check external review company policies
Check external review company policies
Run CAATs to check for missing data (or check an output

sample manually)
Observe input of standing data to ensure incorrect input is

rejected, or warnings issued
Obtain exception reports, or run CAATs, to highlight

transactions such as debit balances
Ensure reports covering all suppliers, have been sent to
all buyers. Examine signed copies of the reports.
Scrutinize the reports for large turnovers against suppliers,
especially suppliers of expense items.
Checked that Office managers in the purchasing

departments distribute reports of variances to senior
buyers and obtain explanations
YES - see test 1 for CAAT results

Examined 'Invoices failing match' report for January
20X1to ensure none are outstanding for unreasonable
periods.
NO 'Invoices Failing match' report showed

many overdue invoices
Examined statements from lawyers paid on invoices with
no order numbers
EXCEPTION. There is a danger that an
incorrect supplier could be selected,
although this would only be for invoices for
lawyers. Any other invoices result in a
warning message that the invoice should
have an order number.
YES. Checked AP policy and procedures

manual. It clearly states that the only
documents input should be properly
approved original documents from the
supplier. The manual is used for training.
n/a
Visited management accounts and observed checking
YES. Spoke to Legal Department accounts procedures

manager. Legal invoices are coded by the
authorizing manager and checked by the
accounts manager. Checked coding of
invoices for 20X0. All OK.
Visited Merchandising and Purchasing Departments to

investigate the checking of the report of invoices with no
NO Found invoices with no order number, order.
approved by the manager who had

required the service. See test for details

For accounts with a large number of transactions, which
do not have statements, check the composition of the
balance to ensure there are no old items and that all items
are represented by invoices, credit notes and not
'adjustments'

Note failure on COSO documentation 'Summary of

deficiencies template' and refer to Audit Committee if
necessary

necessary

necessary

necessary

necessary
Check that the board acts on the audit report where

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary

necessary
Monitoring
Test
schedule ref.
Monitoring Result
RRC RRL RRS CS
Do internal controls,
including monitoring
controls, reduce risks to
acceptable levels?
16
16
16
YES The strategy was signed,

incorporated into the budget which
was approved by the board
yes

yes

yes
4
16

yes
4
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
20
20
20
20
20
20
20
20
20
20
20
20
20
20
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
G4 Test 2
G4 Test 2
EXCEPT Not all senior buyers return

reports with explanations. Office
managers are not instructed what
action to take.
NO In the Food and Beverage
Merchandise Departments and the
Expense Purchasing Department 27
invoices (Value $350,457) were not
cleared for six months.
15
15
15
15
15
15
15
15
15
10
10
15
15
15
EXCEPT (Deficiency 5)
NO (Deficiency 6)
15
15
15
15
YES No evidence of incorrect posting

of invoices resulting in delayed
payments
n/a
EXCEPTION
(Deficiency 3)
2
11
YES
2
11
15
YES Management Accounts check

for exceptional variances
GI Test 1
Red. Could not find any evidence that

the report is produced
YES
NO (Deficiency 4)
0
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
15
Is action being taken

to promptly remedy
deficiency?
Report Follow-up 1
reference Test
Follow-up 1
result
Follow-up 2 Follow-up 2
Test
result
schedule
ref.
Follow-up 3
Test schedule
ref.
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
schedule ref.
n/a
n/a
n/a
n/a
3
YES
YES
2
YES
YES
6
EXCEPTION
(Deficiency 3)
EXCEPTION
(Deficiency 4)
YES
1
YES
Follow-up 3
result
n/a
n/a
n/a
n/a

Column key
No
L1obj
L1 Objectives
L1risk
L1 Risks
L2obj
L2 Objectives
L2risk
L2 Risks
L3obj
L3 Objectives
L3risk
L3 Risks
Consequence of risk
Risk source
IRC
IRL
IRS
Process
Internal control
Function
Internal control owner
Monitoring control
Monitoring control owner
Has management has established risk management systems?
Test of internal controls

Test schedule ref.
Result
Test of monitoring controls
Monitoring Test schedule ref.
Monitoring Result
RRC
RRL
RRS
CS
Do internal controls, including monitoring controls, reduce risks
to acceptable levels?
Is action being taken to promptly remedy deficiency?
Follow-up 1 Test schedule ref.

Follow-up 1 result
Follow-up 2 result
Follow-up 3 result
Audit
Line number. Needs resetting after each change. Used to sort spreadsheet.
Level 1 objective number
Level 1 objective
Level 1 risk number
Risk threatening top level objective
Level 2 objective which aims to control the level 1 risk to which it is attached
Level 2 risk number
Risk threatening level 2 objective
Level 3 objective which aims to control the level 2 risk to which it is attached
Level 3 risk number
Risk threatening level 3 objective
The effect when the risk occurs. Should ideally be quantified in cost terms.
Who identified the risk (management, risk workshop, auditor, meeting)
Inherent risk consequence score
Inherent risk likelihood score
Inherent risk scores multiplied. (Inherent Risk Significance score )
The process in which the internal control operates. See separate mind map of
processes.
The control managing the risk
The function affected by the risk (may be the division/operating unit/function)
The job title of the person responsible for operating the control
The control which checks that the internal control is operating - may not always be
such a control
The person responsible for operating the monitoring control
Was the risk identified by management? (Yes/yes with exception/No)
Example of a test which might be used to confirm the control is operating
Reference number of the document detailing the test, or a link to it
Conclusion test (acceptable/issues/unacceptable)
Example of a test which might be used to confirm the control is operating
Residual risk consequence score.
Residual risk likelihood score
Residual risk scores multiplied
Control score (=IRS-RRS). Gives a measure of the importance of the control
(Yes/yes with exception/No)
(Yes/yes with exception/No)


Flowchart for - Input invoices with an order
Note that these are only
example flowcharts to
illustrate how they
might be used to
determine risks.
Other flowcharts are
necessary to document
all the processes on the
'Processes' hierarchy
OBJECTIVE
Invoice and credit note
transaction data being
used to update balances
is relevant, complete,
accurate, timely and
complies with
regulations
Receive and
sort mail
Statements
Invoices
No order
See
separate
chart (not
drawn)
Invoices
Order number
Batched
RISKS
Mismatch does not appear
on report
No action taken on
mismatch
Generate buyer
query
Input batch
details
Price or
quantity
delivered
mismatch
Input invoice
Close batch
Receive and
sort mail
RISKS
Invoices lost
Invoices delayed
RISKS
Batch total incorrect
Invoices
Order number
Batched
RISKS
Incorrect supplier selected
Order number incorrect
Incorrect/incomplete data on invoice
Incorrect order coding
Invoice total incorrectly calculated
Invoice tax incorrectly calculated/Incorrect tax
input
Goods not received/Incorrect quantities input
Goods/services priced incorrectly/Incorrect costs
input
Incomplete input
Input batch
details
Input invoice
Close batch
Order matches
Requires
receipt
confirmation
e-mail receipt
confirmation
RISKS
e-mail not sent
e-mail not received
Reply not sent/received

Flow chart
Set up
data
Purchas
e
ordering
system
Purchase
ordering
database
s
Standing
data
Transactio
n data
Reports
Set up
data
AP system
AP
database
s
Standing
data
Transactio
n data
Reports
General
ledger
database
Checks/
checks
(cheque
s)
Bank
transfer
s
General
Ledger
system
Set up
data
Standing
data
General
Ledger
system
General
ledger
database
Transactio
n data
Reports
This flowchart only shows the main elements of the accounts

payable process and surrounding processes. Although it
applies to computer systems, it is applicable to manual
systems, since both have the common elements of data ,
processes and databases.
Flowcharts should be drawn up, as part of the walkthrough
tests, in order to understand the risk involved in the input,
manipulation, storage and output of data. Typical controls will
include those to ensure the accuracy, completeness and
timeliness of input and output data and data passing
between computer systems.
Accounting
calendar
Foreign currency
rates
Supplier data
Invoices
Credit notes
Payments

Potential deficiencies
Date
Source reference
Control Potential deficiency

number
6-Jan-X1 Scope meeting

4-Feb-X1
Observing input of
invoices with no order
5-Feb-X1
Visit to purchasing
departments
Queries on unmatched invoices are overdue

93
Noted most invoices without an order were for

legal expenses. However, some from JB
Associates for competitor review work also
had no order. Follow this up.
81, 82, 93 These departments don't seem to receive

monitoring reports for invoices with no orders,
variance reports and unmatched invoices
Resolution
See test 2
Test 1
See tests 1 and 2
Potential issues are noted on this schedule when they arise, for
example during site visits and before they are identified on the ORCR.
They would ideally be noted on a mobile phone (for example using
'Evernotes') or even a piece of paper!

Deficiencies for discussion
ISSUE
No
H1
Control
Number
n/a
Date
Source
reference
2-Feb-X1
Risk Maturity
testing (E)
Control
opinion
NO
H2
n/a
2-Feb-X1
Risk Maturity
testing (E)
EXCEPTIO
N
H3
90
4-Feb-X1
ORCR
EXCEPTIO
N
H4
93
4-Feb-X1
ORCR Test 1
H5
81
5-Feb-X1
ORCR Test 2
NO
EXCEPTIO
N
H6
82
5-Feb-X1
ORCR Test 2
NO
Deficiency and cause
Implication

contacts all functions every
quarter to update the ORCR.
Not all replies are received.
Important risks are missed and

managers get the impression
that risk management is
unimportant
No evidence that the Head of

Accounting Services signs off
Objectives, Risks and Controls
Register
May be some objectives, risks

or controls missing.
Risk not identified. Can select

wrong supplier on input of
invoices without an order
number
Payment to incorrect supplier,

which it may not be possible to
recover
No monitoring of invoices
processed with no order.
Monitoring report not checked.
Possible collusion with a

supplier to authorize invoices
where value not received.
Some variance reports not

checked
Where buyers fail to act on price

queries and they are overridden,
prices paid may be too high
Queries on unmatched invoices Supplier stops deliveries

not cleared quickly
Action
Action by
The Head of Risk Management will contact Head of Risk

all managers not replying to insist on a reply Management
Meeting date Action

opinion
Phone call 13Feb-X1
YES
Head of Accounting Services will sign off the Head of Accounting
Objectives, Risks and Controls Register
Services
18-Feb-X1
YES
None but likelihood is very low
n/a
18-Feb-X1
EXCEPTION
See test 1
Chief Operations
Officer
6-Feb-X1
Office Managers will check the variance

reports for unusual items and check these
with the appropriate buyers
Office Managers
6-Feb-X1
Office Managers will improve the training of Office Managers

buyers to include the clearance of queries
and prompt update of supplier prices.
6-Feb-X1
EXCEPTION
YES
YES
Report
reference
Report point 4
Report point 5
Report point 6
Report point 1
Report point 3
Report point 2

Draft report
Ref
Document
Hyperlink
Word
Draft report
Letter with draft report
Comment on draft report Logistics
Director
In manual
In manual
(not included)
Comment on draft report Country

Director
(not included)
Letter detailing changes as a result of

comments
(not included)

Final report
Ref
Document
Hyperlink
Word
Final report
Letter with final report
Letter from Finance Director
(not included)
In manual
(not included)

Quality control
Ref
Document
Review notes after risks scored
Review notes - prior to closedown meeting
Review notes draft report
Review notes final report
Review notes file before filing
Proof reading
Feedback - J Mulonja
Feedback - F Higson
Individual targets J Smith
Individual targets I Khan
Individual appraisal J Smith
Individual appraisal I Khan
Hyperlink
Word
(not included)
In manual
(not included)
(not included)
(not included)
In manual
In manual
(not included)
In manual
(not included)
In manual
(not included)
Document filed in personnel file


Follow-up
Ref
Document
Hyperlink
Word
Follow-up letter July 20X0

Meeting Logistics Director and DR Congo Country
Director to determine the action taken to-date
(not included)
(not included)
Record of phone conversations with charities in DR (not included)

Congo, who use our transport contractors
Follow-up report July 20X0
Letter with follow-up report
In manual
(not included)

Summary
Objective
Total number of risks
Pay suppliers the correct amount at the time agreed

128
Red
No
Objective, risk and controls were

identified, evaluated and
managed
Internal controls, including
monitoring controls, reduce risks
to acceptable levels
Action being taken to promptly
remedy deficiency
Amber
No
%
Green
No

Scoring risks, opinion on risk scores and guidance on conclusions
Advice on scoring risks (inherent a

1 to 5 scale
If the consequence when the
risk occurs is:
A catastrophic impact on the
organization, threatening its
existence
Cash at risk> $100,000
To prevent the organization
achieving all, or a major part, of its
objectives for a long time.
Cash at risk <$100,000>$10,000
To stop the organization achieving
its objectives for a limited period.
Cash at risk <$10,000 >$3,000
To stop the organization achieving
its objectives for a limited period.
Cash at risk <$3,000 >$1000
To cause minor inconvenience, not
affecting the achievement of
objectives
Cash at risk <$100
Guidance for conclusions against e

Opinion on
Has management established a
proper control framework? That
is, has management: specified
their objectives, identified the
risks threatening these
objectives and established
controls which should reduce
the risks to acceptable levels?
Definition
Thorough processes have been
used with the result that necessary
controls to risks have been
established. The objective will be
achieved if the controls are
operating.
Are these controls sufficient and

operating to bring the risks to
below the risk appetite and
ensure the achievement of the
related objective?
Controls are sufficient and are

operating to bring risks to below
the risk appetite. (although some
action may be required note in
Supplementary issues.) No more
monitoring is necessary than is
done at present. The objective is
being achieved.
Is action being taken which will The action being taken will result
bring the risks to below the risk in all risks being mitigated to below
appetite and ensure the
the risk appetite.
achievement of the objective?
Opinion:
YES
Report as:
No deficiency
dance on conclusions
Almost certain
Catastrophic (5)
Probable
Major (4)
Possible
Moderate (3)
Unlikely
Minor (2)
Rare
Insignificant (1)
or conclusions against each risk

Definition
Processes have been
used, but there are some
deficiencies which are not
judged sufficient to prevent
the achievement of the
objective.
Inadequate, or no,
processes have been used
and, it is probable that the
objective will not be, OR is
not being achieved
Likelihood of residual risk
the risk occurring is:
Then the measure is

defined to be:
Rare(1) Unlikely (2)
OR the likelihood of
Possible (3) Probable (4) Almost certain (5)
coring risks (inherent and residual)
Controls are sufficient and Controls are not sufficient

are operating to bring most and/or are not operating to
risks to below the risk
bring risks to below the risk
appetite. However, some appetite. It is probable that
risks are not below the risk the objective will not be, OR
appetite but are not judged is not being achieved. Major
sufficient to prevent the
improvements are required
achievement of the
to the monitoring of controls
objective. Some additional
monitoring may be required
(see the report for details)
The action being taken will No action is being taken, OR
still leave some risks above Insufficient action is being
the risk appetite but these taken to mitigate risks to
are not judged sufficient to below the risk appetite.
prevent the achievement of
the objective.
YES WITH
EXCEPTIONS
NO
Deficiency
Major deficiency
Rare(1) Unlikely (2)
Possible (3) Probable (4) Almost certain (5)
Control opinion on risk scores

Are controls sufficient and operating to bring the risk to below the risk
appetite and ensure the achievement of the related objective?
10
15
Unacceptable
Issue
NO
EXCEPTION
Unacceptable
NO
8
4
12
Supplementary
Acceptable
Issue
Issue
YES
EXCEPTION
EXCEPTION
Unacceptable
NO
Unacceptable
NO
6
3
9
12
Supplementary
Acceptable
Issue
Issue
Issue
YES
EXCEPTION
EXCEPTION EXCEPTION
Unacceptable
NO
Supplementary
Issue
EXCEPTION
20
16
25
Unacceptable
NO
20
15
2
Acceptable
YES
6
8
4
10
Supplementary Supplementary
Acceptable
Issue
EXCEPTION
EXCEPTION
EXCEPTION
YES
Issue
Issue
1
Acceptable
YES
2
Acceptable
YES
3
Acceptable
YES
Minor (2)
Moderate (3)
Insignificant (1)
5
4
Supplementary
EXCEPTION
Acceptable
YES
Issue
Major (4)
Catastrophic (5)
Consequence of residual risk

Risk score = Likelihood score X Consequence score
NO:
the risk
EXCEPTION:
YES:
Major deficiency - immediate action required to control

Deficiency - action required to control the risk
No action required
Guide to reporting residual risks
Residual risk
score
Report control
opinion (see
chapter 2)
Greater than15 No
Report as
Action
Major deficiency
Immediate action
required to bring
risk below the risk
appetite
Less than 15
greater than 4
Yes with exceptions Deficiency
Action required to
bring risk below the
risk appetite
Less than 4
Yes
No action required
No deficiency

Version Control
Date
25-May-15
Version
V1.0
Notes
First issue

Rbi A Manual

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Rbi A Manual

Hochgeladen von

Copyright:

Verfügbare Formate

A Risk Based

Details for using this risk based audit spreadsheet

205 Accounts Payable Audit

Letters on worksheet tabs refer to the relevant audit manual section

205 Accounts Payable Audit

205 Accounts Payable Audit

Set up audit on quarterly plan

Final scope issued

Final report circulated

205 Accounts Payable Audit

26-Jan-X1 Monday 204 Testing

205 Accounts Payable Audit

Update draft scope. Obtain

Feb-03 Assessment risk maturity.

Assess risk scores. Test

Feb-04 Test operation of controls

Draw diagrams of functions operation of controls.

Checked invoices with no

Feb-05 Pete Cooke wrote an

23-Feb Draft report issued

Issue final report

8-Mar CAE approved final

205 Accounts Payable Audit

205 Accounts Payable Audit

205 Accounts Payable Audit

205 Accounts Payable Audit

Agenda for meeting with Head of Accounting Services

Notes from meeting with Head of Accounting Services

Notes from the meeting with AP Manager and

Notes from the meeting between the Chief Operations

205 Accounts Payable Audit

Maintain profit of existing business

Processes do not support the business

Pay suppliers the correct amount at the

Losses result from inadequate controls

Establish a risk management framework

Control COSO (attribute)

Establishes Responsibility and Accountability for

Statement produced that sets out

Establishes Responsibility and Accountability for

Risk management responsibilities Monitoring activities-Assessing and overseeing the

Arrangements are in place to

Attracts, Develops, and Retains Individualsthe

Defines, assigns and limits authorities and

Key dependencies for success

Significant risks faced by the

Includes Entity, Subsidiary, Division, Operating Unit, and Functional

Risk management action plan

Estimates Significance of Risks Identifiedmanagement ensures

Necessary resources identified

Evaluates Performance and Rewards or Disciplines Individuals

Suitable and sufficient risk

Communicates with the Board of Directorscommunication exists

Business continuity plans and

Arrangements in place for

d) - may no longer be available

Internal audit action:

Control IIA with

Statement produced that sets out

The organization's intranet shows a statement

Risk management responsibilities There is no Risk Management Committee but a

Managers are assessed on their

The Head of Accounting Services takes into