Beruflich Dokumente
Kultur Dokumente
A CORPORATE
1 Leadership Risks
2 Operational Risks
3 Communication Risks
4 HR Risks
5 Marketing Risks
B FINANCE AND ACCOUNTS
1 Receivables and Accounting Management Process
2 Payables Accounting & Management Process
3 General Financial Closure System
4 Fund and Cash Management
C HR Process
1 HR Planning Process
2 Recruitment Process
3 Induction
4 Attendance Management
5 Payroll Processing
6 Performance Appraisal
7 Training & Development
8 Separation
9 Statutory Compliances
D Inventory Risks
1 Receipt System
2 Material Stacking Procedure
3 Issues Management
4 Stock Reconciliation Process
E Information Security Review
1 Receipt System
2 IT Assets Management
3 Human Resources Security
4 Physical and Environment Security Process
5 Information Security department responsibilities Review
Leadership Risks
Risk Listing: Risks that the leadership of the firm does not have direction, customer focus, motivation to perform, cred
1 Does the Company have a Standard Operating Procedure document for each
processes
2 Is the SOP implemented successfully
3 Is there a review of SOP at pre-specified intervals for incorporating changes
Communication Ri
Risk Listing: Inability of the company to capture and institutionalize learning across the firm
HR Risks
Risk Listing: Appraisal processes for the employees not linked with the company's objective
1 Are Key Performance Indicators designed for each function and each person
in the organization
2 Are the expectations communicated to the employee
Risk Listing: Inadequate skill set and knowledge with firm's key people
Information Key performance indicators
required from
Auditee
Information Quality Documents (ISO certificates, Quality assurance and quality control documents)
required from
Auditee
2 Has the company implemented quality standards such as Six Sigma or ISO
for maintaining quality and thereby customer satisfaction
Risk Listing: Possibility of product getting obsolete or not meeting the budget requirements
1 Has the company done a risk assessment exercise to identify key areas of
risk
2 Does the company have a adequate business continuity and disaster
recovery plans
Risk Listing: Risk from choosing wrong business partners, inadequate commitment, poor execution
Prepared by:
Reviewed by:
Leadership Risks
stomer focus, motivation to perform, credibility, trust and alignment od self objectives with organizational goals
ainty
Operational Risks
Communication Risks
across the firm
transition
HR Risks
any's objective
Marketing Risks
y control documents)
t requirements
s
<<Name of your fir
Finance and Accounts R
Name of the 0
Client:
Period: 0
1 Check if credit notes are posted accurately and are authorized by the
designated personnel
2 Generate receivables ageing report (Debtors ageing Report) and ascertain
reasons for long pending outstanding and check the procedure for follow up
of outstanding. Calculate the average
number of days of delay and the cash flow loss due to non receipt of funds
on time.
4 Obtain the bad debts list and check if authorization is obtained for write off
of bad debts. Check the procedure for resolution of unreconciled debts
5 What are the procedures for initiating legal actions on written off debts and
follow-up of such cases?
6 Does the collection process involve placing restrictive endorsements on
cheques as soon as it is received? (ie crossing cheques if these are bearer
cheques / Cash cheques)
2 Whether Payment entry is made accurately and completely for all the
GRN/Service notes
3 Payment is made as per the terms and conditions entered into with the
vendor
4 Calculate the delays in posting of payment entries with reasons as well as
ageing analysis
5 Check if debit notes are posted accurately and are authorized by the
designated personnel. Ensure that the rejections are authorized by
designated personnel
6 Verify the process of reconciliation of debit/credit notes and accounts
payable
7 Ensure that all dues are settled at the time of the full and final settlement
and there is adequate follow up. In addition, calculate the interest charged
by the Vendors on account of late payments.
1 Check the procedure for closure of books and accounts and ensure that the
closures are done on a timely basis.
2 Check if the following are closed:
a. Ledger Accounts
b. P&L Account
c. Balance Sheet
d. Cash Flow Statements
e. Debtors ageing
f. Creditors ageing
g. Bank Reconciliation
h. Statutory remittances
3 Ascertain delay in closure of Books and examine the reasons for the delay
Prepared by:
Reviewed by:
HR Planning Pr
Risk Listing: HR Plan not meeting the objectives of the Company
2 Compare actual vis- vis the plan and check for major deviations if
any
3 Verify if any action taken, which is deviating from the plan has got the
approval of the concerned person as per the Delegation of
Authority defined by the company
Recruitment Pr
Risk Listing: Selection of Candidate not as per the requirements of the Company
Information 1. Requisition form wherein the requirement of the candidate and the expectations are filled in
required from 2. Interview/Assessment form
Auditee 3. Candidate's resume
4. Offer letter
1 5. Recruitment
Verify policy
the process and out
carried Operating Procedure
for selection (ifcandidate.
of the available) Ensure
if it is in-house or outsourced to recruitment agency
2 If it is outsourced to a recruitment agency verify if the process
carried out for selection of the agency is done after proper evaluation
6 Check if adequate background verification has been done for the candidate
selected. If the selection is through the recruitment agency, check if the
agency has carried out adequate background check for the candidate
selected2
1 Check the personnel files and ensure if the induction formalities checklist is
signed and completed on time
2 Check if the new joinee has been made aware of the key personnel policies
of the company
Attendance Mana
Risk Listing: Inadequate procedures for monitoring attendance of the employees
2 In case of leave as selected above, check if the leave has been sanctioned by
the concerned personnel as defined in the Delegation of Authority.
3 Check if the leave records of the employees is complete with respect of
updation of various types of leave (CL/SL/PL) and verify if the balance leave
calculation is done accurately.
Payroll Proces
Risk Listing: 1. Inadequate segregation of duties
2. Inaccurate Payroll database
3. Statutory Non - Compliance
1 Check that the person capturing the attendance and the person processing
the payroll is different, to ensure adequate segregation of
duty.
2 Compare the employee details as per the attendance register and employee
details as per Payroll register and check for any dummy names in the payroll
register
3 Obtain list of new joinees for the last three months and verify that in
case of new joinees the date of updation of the entry in employee list is on
the date as mentioned in the offer letter
4 Obtain list of resignees for the last three months and check if any names still
appear in the payroll employee list
5 Obtain the salary details from the payroll register and select a sample of
employees and check if the salary details updated are as per the offer letter
6 Obtain list of employees who have been transferred/promoted in
the last three months and check if their salary details have been
modified as per the transfer order/promotion letter
Performance Ap
Risk Listing: Appraisal not aligned to performance
1 Obtain the Key Performance Indicators (KPIs) defined for each role if available
2 Obtain the appraisal sheets and check if the appraisal is done based
on the KPIs defined
3 In case of non availability of standard KPIs, ensure the following:
a. Appraisal is done by the concerned functional head to whom the
employee reports
1 Obtain the list of training programs conducted during the past six months
2 Verify the attendance register capturing the training information and
also check the training feedback forms
5 Check if the cost is within the training budget or approval is obtained in case
of deviations if any
Separation
Risk Listing: Inadequate Exit Formalities
Statutory Compl
Risk Listing: Statutory Non Compliance
Prepared by:
Reviewed by:
HR Planning Process
Impact Analysis: 1. Positions recruited not adequately justified resulting in increasin
Costs.
2. Number of persons recruited in excess/short thereby resulting in
inadequate HR sizing
3. Approval not assigned for deviations resulting in non compliance
policy and inadequate control effectiveness
Recruitment Process
Impact Analysis: 1. Improper selection of recruitment agency resulting in recruitmen
flaws.
2. Non availability of supporting documents for selected candidate
resulting in inadequate justification for candidate selected
3. Candidate selected not meeting the requirements of the departm
resulting in inefficiency in the functional area
4. Delay in recruitment resulting in positions not filled up within th
required time leading to inefficiency and overtime costs for the
existing employees
5. Inadequate background verification resulting in selection of
candidate not suitable for the related vacancy
6. Selection not as per the requirements of the company
Attendance Management
Impact Analysis: 1. Inadequate attendance captured resulting in inability to compare
the salary paid to number of days worked
2. Leave not sanctioned by the designated authority resulting in cont
lapses and inaccurate payroll processing
3. Inaccurate calculation of leave resulting in inaccurate payroll
processing and salary payment
4. Possibility for modifications in records resulting in non reliability o
data
5. Incorrect logic in the system resulting in incorrect payouts
Payroll Processing
Impact Analysis: 1. Inadequate Segregation of Duty resulting in unauthorized access t
records increasing the possibility for manipulation
2. Fictitious employees in the payroll resulting in higher salary costs f
the company
3. Payment made in excess to new joinees
4. Salary paid to resignees resulting in higher salary costs
5. Salary paid not as per the terms and conditions resulting in higher
payouts
6. Salary paid not as per the terms and conditions resulting in higher
payouts
7. Program logic inaccurate resulting in wrong salary processing and
inaccurate payouts
8. Inadequate authorization for document authenticity
9. Statutory non compliances resulting in penalties and offences as
defined under the concerned Statutory Regulation
Performance Appraisal
Impact Analysis: 1. Non definition of Key Result Areas resulting in inadequate
communication of role profile and non alignment of role to the
company's objectives
2. Appraisal not aligned to performance resulting in mismatch betwe
the position and the person
3. Appraisal not aligned to performance resulting in mismatch betwe
the position and the person
4. Non confidentiality of appraisal records resulting in employee
dissatisfaction and unrest
5. Non compliance with Company's policy resulting in inefficiency
Separation
Impact Analysis: 1. Non compliance with Company's policy resulting in inefficiency
2. Increasing attrition due to dissatisfaction
3. Unauthorized access to company's assets resulting in loss of
information or resource
Statutory Compliances
Impact Analysis: Statutory non compliances resulting in penalties and offences as defi
under the concerned Statutory Regulation
Remarks
Receipt Syste
Risk Listing: Inadequate gate entry controls for material receipts
3 Does the security ensure that before giving entry there is no hazardous/
injurious/ prohibited material in the vehicle
4 Are there clearly defined timings during which the vehicles can enter/leave
the factory. If yes, what happens if the vehicles
come at some other time
5 Record the missing entries and trace the material. Also check if
payment has been made for material not received.
6 Check if there is any delay in posting receipt notes by calculating the number
of days of delay between the gate entry and receipts
entry
1 Analyse the goods in transit and record if there are inordinate delays in
receipt of material
Material Stacking P
Risk Listing: Unauthorized access to storage area
1 Check the adequacy of insurance cover for the premises and the
material
2 Does the inventory have earmarked places for storage material. Are
damaged material /material that have not cleared quality/line
defects are placed separately from the good quality material
3 Are bin cards maintained and all receipts and issues are accurately updated
Issues Manage
Risk Listing: Inadequate system for issue of material from the warehouse
3 Check for material returns from the line duet to wrong issues.
4 Check if the issues are updated accurately in the bin card and in the stock
register for each of the issue requests
Stock Reconciliatio
Risk Listing: Inadequate process for reconciliation of stock
Physically verify certain sample cases to ensure that the stock are
physically available
Risk Listing: Inadequate Monitoring of non moving, damaged stock
Prepared by:
Reviewed by:
Receipt System
Impact Analysis: 1. Inadequate control over men/material entering the premises
2. Inadequate confirmation of purpose of visit thereby resulting in
unauthorized access to the information and facilities at the premi
3. Threat of explosions resulting in damage to men and material
4. Unauthorized entry during non office hours
e order
Impact Analysis: 1. Receipt of sub standard material thereby affecting the production
process
2. Delays in quality verification resulting in delays in production
Impact Analysis: 1. Calculate the number of days of delay between the order date
and receipt date. Analyse the average time to be taken and record
transactions where there is inordinate delay.
Impact Analysis: 1. The average amount held in stock at any point of time and the
cost for setting up the warehouse after damages resulting in
financial burden, in the event of any catastrophe
2. Mixing up of goods resulting in inaccurate issues and inefficiencies
production
3. Non maintenance of bin cards and stock register results in
inaccurate knowledge on material availability leading to excess
purchases.
Issues Management
Impact Analysis: 1. Issues made without the requests resulting in inaccurate dispatch
of stock leading to misutilization
2. Delay in issues resulting in production delays.
3. Inaccurate issues resulting in production delays. Calculate the
time difference between the issue request and the correct
issue quantity for the delays
4. Inaccurate updation resulting in incorrect stock position. Check th
stock reconciliation records and identify cases where the
reconciliation was necessitated due to inaccurate updation in stoc
records.
Stock Reconciliation Process
Impact Analysis: Difference is any resulting out of stock reconciliation implies the fund
due to inadequate stock handling procedures
Impact Analysis: Holding of stock for a long period, implies blockage of funds.
receipt of material
terial not ordered. Also check if payment has been
same
nces between the quantity ordered and quantity
excess/short payment
t entries resulting in unauthorized movement of
Name of the 0
Client:
Period: 0
Receipt System
Risk Listing: Non definition of Security Policy in accordance with business
requirements and relevant laws and regulations
5 Review the agreement and note the clauses of security. Ensure that
clauses for legal recourse, in case of compromise of confidentiality is
included in the agreement
IT Assets Managem
Risk Listing: Inadequate Maintenance of IT Assets
Human Resources Se
Risk Listing: Allowing access to persons without thorough background check
1 Are back ground checks done on the all candidates, third party
users and contractors
2 Verify in few cases
3 Verify who is responsible for back ground verification
Risk Listing: Lack of awareness about information security in the organization
1 Review the environment hazards and threats and related controls. Eg.
Fire, water logging etc
3 Check the number of days of data that would be lost in case of failure of
backup mechanism
Risk Listing: Inadequate Network Management
3 Review the procedures for deleting the login / access for users who
have resigned.
4 Review whether the parameters are updated for regular password changes,
password restrictions (alphanumeric, symbols etc.), automatic locking
1 Whether there are any security breaches that have taken place in
the last one year (hacking, data theft, web attack etc.)
2 Review the procedure how they are managed
<<Name of your Firm>>
Information Security Review
Prepared by:
Reviewed by:
Receipt System
Impact Analysis: Lack of definition of information security aspects results in risk
of compromise of availability, confidentiality and integrity of data and
information processing assets
IT Assets Management
Impact Analysis: 1. Financial Losses resulting from Loss of Assets
2. Downtime due to repairs and damages
Impact Analysis: Access to information to outsiders due to inadequate disposal
methods
Impact Analysis: Compromise on security due to inadequate network design and network
monitoring
Impact Analysis: Non traceability of actions due to non availability of audit logs
Access Control Review
Impact Analysis: Unauthorized access to data resulting in compromise of
confidentiality, availability and integrity
Target Fixation
Risk Listing: Inaccurate fixation of targets
Marketing Strategies ev
Risk Listing: Inappropriate marketing strategies
1 Are Customer rejections captured separately and actions are effectively taken
on the same. Ensure if reason wise analysis is made and corrective actions
are taken
Monitoring
Risk Listing: Inadequate incentive system
Prepared by:
Reviewed by:
Target Fixation
Impact Analysis: Inaccurate targets result in inadequate plan for the marketing
team.
Monitoring
Impact Analysis: Inadequate monitoring of performance resulting in poor sales and empl
motivation.
Remarks
Indent Raising P
Risk Listing: Inaccurate Indenting System
1 Obtain indents raised for the last one month and check the adequacy,
authenticity and completeness of indents with respect to sanctioning
authorities, desired information, cost benefit analysis, back-papers
etc.,
Purchase Order P
Risk Listing: Inadequate selection of Vendors
1 Generate list of Purchase Order not serviced on time and ascertain the
reasons for the same.
2 Compare the PO date and GR/service receipt note date and ascertain the
delays
Risk Listing: Statutory Non Compliance
Vendor Database Ma
Risk Listing: Inaccurate vendor database
1 Obtain the dump of vendor database and analyse for the following:
Duplicate vendor codes
Duplicate vendor names
Inaccurate updation of vendor details viz. item /service
supplied, rate, terms of delivery etc by comparing it with the
agreement
Access to the vendor database to unauthorized person
(persons in departments other than procurement department)
<<Name of your firm>>
Process Risks Review
Prepared by:
Reviewed by:
Impact Analysis: Statutory Non compliances resulting in penalties and offences under
various regulations
Production Planning P
Risk Listing: Inadequate Production Plan
7 Check the overtime payments made and analyse the reasons for working
overtime.
8 Check if the overtime was pre planned or was it in the process of production.
10 Is the cycle time from Raw material charging to finished goods calculated
and evaluated
11 Review the minutes of the meeting relating to production reviews
and check if decisions made in the meeting are implemented.
3 Are safety procedures complied with in case of raw material which are of
hazardous nature
Risk Listing: Inadequate quality check
Information 1. Production Plan
required from 2. Raw Material charging check sheet (if any)
Auditee
6 Identify the cases of customer rejection and ensure if it is due to raw material
quality.
7 Compare the production quantity deviations due to low quality of raw
material.
1 Check if the equipment and machinery used in the lines are maintained
adequately.
2 Is there a preventive maintenance schedule evolved and adhered to
by the company
3 Review the instances of machinery breakdown and time taken to rectify the
same and the number of times the instance has recurred
Risk Listing: Non availability of utilities
1 Identify the key utilities required for the production process and
ensure if the company has adequate back up for shortage in supply of
utilities.
3 Identify instances of down time due to non availability of key utilities and the
actions taken for ensuring continuous supply of the same
1
Is the output in the line certified for quality prior to passing it to the next
process or to the finished goods warehouse
2 Check for quality clearance for the output
3
Check the process checklist used by the quality department for
checking the quality parameters at this stage.
4
Verify if the checklist is being filled up accurately and completely for every
input of material
5 Calculate the percentage of rejection and quantify the financial burden
6
Identify the cases of customer rejection and ensure if it is due to processing
quality.
7
Compare the production quantity deviations due to low quality of output
Finished Goods Managem
Risk Listing: Inadequate storage of finished goods
1
Are the finished goods stored in a safe location prior to transferring it to the
warehouse
2
Check for instances of quality rejections due to damage to material after
production and prior to transfer to packing section
Risk Listing: Inadequate procedure for packing and labelling of material
1
Check for controls adopted during the packing and labelling process to
ensure the following:
Containers used for packing are correct
The quantity of material packed is accurate
Tagging of the final product to the batch is made accurately
Labelling is done as per the standards defined
Prices are printed as per the approved price list
Status and Response to the matters arising Working papers Reference
Impact Analysis: Inadequate quality checks in the production line leads to lower quality o
final product leading to customer rejection
Finished Goods Management Process
Impact Analysis: Quality rejections due to improper storage
Impact Analysis: Quality rejections internal and external due to inadequate packing
and labelling.
Remarks
Sales Plan
Risk Listing: Inaccurate fixation of targets
Compare the date of call and date of order and identify reasons
for delays if any
2 Evaluate the monitoring system for customer calls, follow up and closure and
identify points of control lapses leading to non booking of orders.
Information
required from
Auditee
Invoicing
Risk Listing: Inaccurate invoicing
3 Check if there has been any delays invoicing by comparing the order
date and invoice date and ascertain reasons for the same
4 Check if all the orders and deliveries are invoiced
5 Are the invoices authorized by the designated person
Collection Pro
Risk Listing: Inadequate controls in collection process
1 Check if the collection is made by the marketing team. If yes evaluate the
following:
Are adequate controls designed in the collection process to
ensure that there is no leakage at the point of collection and
remitting it to the company
Sales Plan
Impact Analysis: Inaccurate targets result in inadequate plan for the marketing team.
Collection Process
Impact Analysis: Inadequate controls result in revenue leakage
Remarks
Central Excise Ac
Information 1. Excise Registration Certificate
required from 2. RG23D Register
Auditee 3. Excise Returns
3 Has notice of the last change in the unit head been given to Excise
authorities
4 Are the Excise authorities informed about the pre-authenticated serial
nos. of invoices
5 Are duplicate for transporter copies of excise invoices available for all
consignments entered in RG23D register (for receipt of goods from
plants or other locations)
1 Has the unit made any cash payments for expenses above Rs
20000
2 Has the unit paid loans / advances / deposits in cash above Rs 20000
3 Has the unit received loans / advances / deposits in cash above
Rs 20000
4 if yes, then has the unit obtained the PAN number and address of the
party
6 Has TDS remittances and returns made as per the due date
Service Tax
Information 1. TDS Challans
required from 2. TDS returns
Auditee
1 Verify the Registration of the assesse with the Service Tax Commissionerate
5 Check whether the tax invoice is proper and mentions the Regna. No.
of the service provider and Separately mentions the rate of tax
and amount of tax. ( From samples of the bills received by the
assesse from service providers)
8 Check whether the service tax has been deposited with in the due
dates
9 Check Half Yearly returns filed. Tally it with both the monthly
payments and as well as the ledger entries as the relevant dates.
10 Review the return and see whether the return is accurate as to, input
credit, output tax payable, valuation of services, carry forward of credit, etc.
4 Has the unit preserved all ESIC payment challans and returns
5 Has the unit maintained an Accident register (Form 15)
6 Has the unit reported all reportable accidents (i.e. which prevent an
employee to report from duty for a period greater than 48 hours) to the
ESIC authorities vide Accident Report (Form 16 - available in the
Act)
8 Has the unit maintained ESIC Records for previous years (no
maximum limit) as inspection can be carried out by authorities at any
time.
9 Has the unit deposited ESIC monthly contributions (both employer and
employee) before 21st of the next month
10 Has the unit filed ESIC half-yearly return in Form-6 within 42 days of
the half-year ended September 30 or March 31, as the case may be
Workmen's Compensa
Information
required from
Auditee
1 Has the unit filed the annual return under Workmen's compensation Act
within the due dates?
(This act is not applicable to those covered under the ESIC Act)
Minimum Wages A
Information
required from
Auditee
1 Has the unit displayed a copy of the Abstract of the Minimum Wages Act
2 Has the unit displayed the notice containing the minimum rates of
wages applicable
3 Is minimum wages paid to contract labour /security personnel, in the
presence of company employees
4 Has the unit filed the Annual returns under Minimum Wages act
Payment of Wages
Information
required from
Auditee
Professional Tax
Information
required from
Auditee
4 Has the unit submitted notice of weekly holidays and notice of daily
working hours to the Inspector under Shop and Estb Act
5 Has the unit displayed a copy of the notice of daily working hours
submitted to the Inspector under Shops and Estb Act
6 Is the name and address of the local labour inspector displayed as
per Shop and Estb Act
7 Does the unit maintain an inspection book for visit remarks of
the Inspector
8 Does the unit maintain a muster register as per Shop and Estb Act
for all company and contracted employees
9 Are the employee leave cards maintained and updated as on date
Payment of Bonus
Information
required from
Auditee
3 Has the unit intimated any change in the unit head or address of unit to
the Controlling Authority in Form B
Service Tax
Tax Act / Value Added Tax / Central Sales Tax
ESIC Act
Professional Tax
Facilities Plan
Risk Listing: Non availability of administration plan
Security Function
Risk Listing: Inadequate selection and monitoring of security functions
Does the Security stop and check the visitors and understand the
purpose of visit before letting them in
House Keeping
Risk Listing: Inadequate house keeping
Maintenance
Risk Listing: Inadequate Maintenance of facilities
Facilities Plan
Impact Analysis: Inadequate plan resulting in inadequate purchases and
non availability of the relevant facilities on time
Security Functions
Impact Analysis: 1. Compromise to physical security aspects due to wrong selection of
guards
2. Unauthorized entry and exit resulting in unauthorized access to the
company and companys resources.
House Keeping
Impact Analysis: High spending on house keeping without a budget resulting in inefficien
utilization of funds.
Maintenance
Impact Analysis: Inadequate maintenance results in frequent machinery breakdowns.
Remarks