expense purchases


Audit: Purchase of expense goods and services 5:03 AM 4/5/2014

Audit: Purchasing and payment of expense goods and services

Introduction

Last updated 21 August 2004

Purpose

The purpose of this spreadsheet is to show typical risks, expected controls and example tests for processes related to the purchasing and payment of expense goods and services (excluding personal expenses).

Full details of how to complete and use the database are in the manual, which can be downloaded from www.internalaudit.biz

The database is not complete - it must be changed to suit your organisation.

To see how this database fits into the audit universe, download the Risk and Audit Database from www.internalaudit.biz

Auditing is not about carrying out tests taken from an audit programme; it is about understanding the objectives of the processes you are auditing, the risks which threaten them and the controls which actually operate to mitigate them.

The database (Audit programme)

The audit programme is in the form of an Excel database. It can be treated just like a large "Word" table but can also be sorted and filtered.

The database covers those processes which might be involved in purchases and payments using a computerised system. Thus it covers not only ordering and invoice approval, but also staff management and computer controls.

Rows with processes which are split down into more detailed processes are coloured and do not have data in some columns.

The processes are only intended as an example. You must change them to those in your organisation.

If you construct audit databases, please make them available to other auditors through AuditNet® (http://www.auditnet.org/)

For a full explanation of the content of the columns, go to the "Column key" worksheet.

The example controls and monitoring

These examples are suggestions only. They cannot possibly apply to every size of organisation which might use this database. You must decide on the controls which mitigate the risks to acceptable levels in your organisation.

Remember that the examples are general and therefore rather vague. Your entries should be much more specific, in particular, noting the names of staff carrying out the checks.

Worksheets

There are 7 worksheets in this spreadsheet:

Introduction
Scope
Process map
Expense purchases database
Column key
Scoring risks
Allocating conclusions

Language

I have used UK English for the risk register. Variations from US English include:

Supplier = Vendor
Purchase = Procure
Cheque = Check

I have used the term "accounts payable" for purchase ledger, since this is now common in the UK.

All sheets copyright David M Griffiths

Not to be copied or distributed without acknowledging the author, or in conjunction with a commercial product

Copyright D M Griffiths Introduction Page1 of 23

Scope of the audit

Reasons for the audit

The organisation's risk analysis has identified significant risks to its objectives from the processes involved in the purchase of expense goods and services. The audit will conclude on whether:

Risks threatening the objectives of the processes have been properly identified, evaluated and managed.
Internal controls are operating properly to mitigate these risks to levels defined as acceptable by board policy.
Action is being taken to improve controls, where risks are not being properly mitigated.
More monitoring, by management, is necessary to ensure proper internal controls into the future.
A sound system of internal control is maintained for the processes audited.

Objectives of the processes being audited

The overall objective of the process (4.5) is to purchase expense goods and services for the organisation. (That is, goods which are not for resale.)

The processes covered by this audit are:

Define the objectives for purchasing expenses
Set up suppliers on the computer file
Set up items for purchase on the computer file
Raising requisitions
Raising orders
Receive goods/services
Returning of unsatisfactory goods

In addition, the following support functions are covered:

Invoice processing
Payment to suppliers
Accounting for expense purchases

Key risks of the processes being audited

Expense goods/services requested are not needed or are not for the benefit of the company
Orders are placed with suppliers who do not provide best value (quality/price/delivery)
Payment is made for goods or services which have not been received
Transactions are not correctly entered in the books of account
The processes concerned are not operated efficiently and effectively

Audit work plan

In order to carry out this audit the auditors will:

Take into account any previous audits, noting particularly the issues raised
Obtain organisation charts, procedure manuals, training documentation and any other documentation which should be being used by the departments involved in the audit
Obtain budgets, actual figures and any other relevant financial information
If appropriate, meet the external auditors and any other parties with an interest in the processes being audited
Meet with staff at all levels to understand their responsibilities and concerns
Visit all locations which affect the risks involved (warehouses, factories, outsource suppliers)
Carry out walkthrough tests to understand the processes involved, including monitoring controls
Understand the changes made since the last audit
Obtain relevant risk registers, noting when they were last updated
Carry out interviews and risk workshops, as necessary, to ensure all risks have been identified
Add to the risks in the risk register
Score the inherent risks, according to the risk appetite of the organisation, which have been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Carry out the tests necessary to confirm that the controls are operating properly
Score the residual risks, according to the risk appetite of the organisation, which have been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Draw conclusions as to whether each risk is properly controlled (see the example)
Submit a report

Diagram of processes with key risks

This diagram shows the key processes for purchasing expenses and is the next level down from the risk register.
Key risks are collected in the boxes, prior to putting them on the audit database.
It is used to drive the main audit database.

[Diagram: process map. The process boxes and the key risks shown on it are listed below.]

Processes

Purchase expense goods
Define objectives
Set up suppliers
Set up items
Requisition goods and services
Place order
Receive goods
Return goods
Support purchase expense goods

Risks

The strategy is not consistent with the overall strategy
The strategy has not been communicated
Supplier of vital services/goods may go out of business
Supplier details are not correctly input/modified
New suppliers improperly set up
Item details are not correctly input/modified
The requisition may be for goods and services not required
The requisition may be incorrect
The order is placed with a supplier not providing the best value
The order is incorrect
Goods/services are not what was ordered
Incorrect quantities received are input
Credit is not obtained for goods returned
Payment is made when goods/services have not been received
Settlement discount is not correctly deducted
Payment is not made on the due date

Audit database

Columns: L1, L2, L3, L4, L5, L, Ref, Process, Process Description, Risk to process, Risk source, IRC, IRL, IRS, Example control, Example monitoring, Tests, Ref, RRC, RRL, RRS, Cont score, Issue, Action, By whom, Conclusion Risks, Conclusion Controls, Conclusion Action, Conclusion Monitoring, Report ref, Follow-up Risks, Follow-up Controls, Follow-up Action, Follow-up Monitoring

4 5 2 4.5 Purchase expense goods
Process description: Purchase goods and services for the organisation
(Summary level) Not applicable

4 5 1 3 4.5.1 Define objectives
Process description: Define the strategy for expense purchases, communicate and deliver it
(Summary level) Not applicable

4 5 1 1 4 4.5.1.1 Define the strategy for expense purchasing
Process description: Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders

Risk to process: The strategy does not maximise efficiency and effectiveness and is not consistent with the organisation's strategy
Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned. These targets and budgets are approved by management finance.
Example monitoring: Directors check the strategy for departments under their control. The overall budget is approved by the board
Tests: Examine the latest strategy document
Not applicable

Risk to process: The strategy has not been updated
Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned
Example monitoring: Directors check the strategy for departments under their control
Tests: Examine the latest strategy document. Check that the budget forms part of the organisation's overall budget. Examine variances for the current year and ensure adequate explanations have been made for excessive
Not applicable

4 5 1 2 4 4.5.1.2 Communicate the strategy
Process description: Inform the staff about the targets

Risk to process: Staff are unaware of the strategy
Example control: Staff are briefed by their managers
Example monitoring: The strategy is available on notice boards and the intranet
Tests: Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
Not applicable

4 5 1 3 4 4.5.1.3 Deliver the strategy
Process description: Form an action plan, with the staff involved, to deliver the strategy

Risk to process: No action plan exists to deliver the strategy
Example control: An action plan to deliver the strategy is part of the budgeting process
Example monitoring: Directors check the action plan for departments under their control
Tests: Examine the action plan. Check for progress to implement it.
Not applicable

Risk to process: The strategy is not built into individuals' targets
Example control: Individuals are given their targets based on those of the department
Example monitoring: Directors, or senior managers, check the staff targets for departments under their control
Tests: Examine staff targets for a selection of staff
Not applicable

Risk to process: Any member of staff can authorise the purchase of any goods or services
Example control: Rights to place requisitions and orders are in a written policy
Example monitoring: The policy is checked every year to ensure it is correct
Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Not applicable

Risk to process: Any member of staff can requisition any goods or services
Example control: Rights to authorise requisitions and orders are in a written policy
Example monitoring: The policy is checked every year to ensure it is correct
Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Not applicable

4 5 2 3 4.5.2 Set up Suppliers
Process description: Set up new Suppliers on the computer system, or modify existing details. Includes addresses and payment terms

Risk to process: Supplier details are not correctly input/modified
Example control: Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details
Example monitoring: Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director
Tests: Check individual reports over the last six months for evidence of checking. Observe the process in action.
Not applicable

Risk to process: False Suppliers are set up and paid
Example control: Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details
Example monitoring: Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director
Tests: Check individual reports over the last six months for evidence of checking. Observe the process in action.
Not applicable

Risk to process: No settlement discount, or other discounts, are negotiated
Example control: Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details
Example monitoring: Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director
Tests: Check individual reports over the last six months for evidence of checking. Observe the process in action.
Not applicable

4 5 4 3 4.5.4 Departments requisition goods/services
Process description: Raise a request (may be on the computer system, but could be an e-mail or manual form) for goods or services to be ordered

Risk to process: Expense goods/services requested are not needed or are not for the benefit of the company
Example control: Requisitions are authorised by an appropriate manager
Example monitoring: Budgets are maintained for all expenses with monthly monitoring against actual
Tests: Observe the procedure for electronically authorising requisitions. If possible, have the computer controls checked by a competent auditor.
Not applicable

Risk to process: Details on the requisition are incorrect
Example control: Requisitions are authorised by an appropriate manager
Example monitoring: Budgets are maintained for all expenses with monthly monitoring against actual
Tests: Observe the procedure for electronically authorising requisitions. If possible, have the computer controls checked by a competent auditor.
Not applicable

4 5 5 3 4.5.5 Purchasing order raised for goods/services
Process description: Based on the authorised requisition, purchasing department raise an order. This may be on an existing Supplier but might require negotiations with a new Supplier

Risk to process: The order is incorrect, that is, it does not agree to the approved requisition
Example control: Confirmation is required on the order screen before the order is sent or printed
Example monitoring: The requisitioner will query any difference
Tests: Observe the process and try submitting without confirmation
Not applicable

Risk to process: The price on the order does not give the organisation maximum value
Example control: The order is placed by trained purchasing staff using prices on the computer, or negotiated with the supplier.
Example monitoring: Budgets are maintained for all expenses with monthly monitoring against actual
Tests: Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists.
Not applicable

Risk to process: Orders are placed with suppliers who do not provide best value (quality/price/delivery)
Example control: Orders can only be placed with suppliers previously set up on the computer
Example monitoring: Half-yearly report listing suppliers and spend which is approved by the Purchasing Director
Tests: Examine the input of orders. Try and set up a new supplier from the order screen
Not applicable

Risk to process: Orders are placed late
Example control: Computer report showing requisitions not turned into orders within 2 days is checked by the supervisor
Example monitoring: Requisitioners will complain if orders are received late
Tests: Examine this report for items older than 2 days
Not applicable

Risk to process: Orders have incorrect account codes input
Example control: The requisitioner supplies the codes. The computer checks these exist but cannot check if they are correct.
Example monitoring: Budget holders check their expenses each month for incorrect items
Tests: Examine accounts journals and other documentation used to correct coding errors to judge how frequent they are
Not applicable

Risk to process: Orders are placed for goods not required, without approved requisitions
Example control: All orders have to be placed through the computer. Orders can only be raised by purchasing staff. Orders without requisitions must be approved by a senior manager
Example monitoring: Budget holders check their expenses each month for incorrect items
Tests: Check access to order screens is limited to approved purchasing staff. Check orders raised without approved requisitions are approved
Not applicable

4 5 6 3 4.5.6 Contracts raised for continuing services or supply of materials
Process description: Suitable suppliers are identified to supply goods/services. Sealed tenders (quotes) are called for and opened in the presence of an independent person. The cheapest tender is chosen, if all conditions have been complied with

Risk to process: Contracts are not negotiated to ensure the best prices for ongoing services such as maintenance
Example control: Expenditure on services is constantly monitored to check if contracts should be raised to ensure best prices and service. Contracts are tendered, as necessary, to ensure best prices.
Example monitoring: Senior purchasing management monitor expenses, and check all tenders to confirm the process
Tests: Check expenditure over £X to see if contracts have been raised. Examine the tendering process, and last contracts signed, to ensure the process is operating. (This could be done as a separate audit)

4 5 7 3 4.5.7 Goods/services received. Quantity received input
Process description: Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services

Risk to process: Goods/services vital to the organisation's operation become unavailable or too expensive
Example control: If possible, have two, or more, sources of supply. Hold sufficient stocks of vital spares. Have contingency plans for failure of vital supplies
Example monitoring: Continuity of supply is written into managers' targets, on which they are assessed
Tests: Check for the existence of recent, tested contingency plans
Not applicable

Risk to process: Quantities, or service, is not what was ordered
Example control: Computer report showing where quantities received differ from the order
Example monitoring: Requisitioners should complain if the goods/services differ from the order
Tests: Examine this report and check on the action taken. Note items which may be old and uncorrected
Not applicable

Risk to process: Quantities incorrectly input
Example control: The computer warns if the quantity received is different from that ordered
Example monitoring: Requisitioners should complain if the goods/services differ from the order
Tests: Observe the process and try submitting a different quantity
Not applicable

Risk to process: Stock records (for example engineers' spares) not updated
Example control: Automatic update with exception reports where this has not occurred
Example monitoring: Periodic physical checks to stock records
Tests: Check a sample of items received through to the stock system
Not applicable

Risk to process: Receipt details input when no goods or services have been received
Example control: Division of duties between requisitioners, purchasing staff and receivers
Example monitoring: Budget holders check their expenses each month for incorrect items
Tests: Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists.
Not applicable

4 5 7 3 4.5.7 Goods/services received. Date of receipt input
Process description: Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services

Risk to process: Quality is not up to standard
Example control: Responsibility of the person receiving the goods/services to complain of poor quality to the ordering department
Example monitoring: No formal monitoring
Tests: Ask a sample of staff their opinions on the quality of goods received
Not applicable

Risk to process: Goods are lost
Example control: All goods are received at one, secure, location, which inputs their receipt against the order
Example monitoring: Requisitioner will complain if goods are not received
Tests: Visit the receiving area. Check security and observe the receipt of goods.
Not applicable

4 5 8 3 4.5.8 Goods/services returned
Process description: If the goods are not those ordered, are damaged, or too many are delivered, they will be returned to the Supplier. If they are found to be faulty after the processing of an invoice, or payment, a credit note will be required

Risk to process: Credit is not obtained from the supplier
Example control: Goods can only be returned on the authority of the buyer, who raises a "Goods Return Note". One copy goes with the goods, the other is keyed into the computer as a debit note. This automatically reduces the next payment.
Example monitoring: Requisitioner will complain if credit is not received
Tests: Take a sample of Goods Returned Notes and check that the correct credit has been received
Not applicable

4 5 8 3 4.5.8 Support purchasing of expenses
(Summary level) Not applicable

4 5 8 1 4 4.5.8.1 Define objectives for supporting expense purchasing
(Summary level) Not applicable

4 5 8 1 1 5 Define the strategy
Process description: Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders

Risk to process: The strategy has not been updated
Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned
Example monitoring: Directors check the strategy for departments under their control
Tests: Examine the latest strategy document
Not applicable

4 5 8 1 2 5 Communicate the strategy
Process description: Inform the staff about the targets

Risk to process: Staff are unaware of the strategy
Example control: Staff are briefed by their managers
Example monitoring: The strategy is available on notice boards and the intranet
Tests: Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
Not applicable

4 5 8 1 3 5 Deliver the strategy
Process description: Form an action plan, with the staff involved, to deliver the strategy

Risk to process: No action plan exists to deliver the strategy
Example control: An action plan to deliver the strategy is part of the budgeting process
Example monitoring: Directors check the action plan for departments under their control
Tests: Examine the action plan
Not applicable

Risk to process: The strategy is not built into individuals' targets
Example control: Individuals are given their targets based on those of the department
Example monitoring: Directors, or senior managers, check the staff targets for departments under their control
Tests: Examine staff targets for a selection of staff
Not applicable

Risk to process: No limitation is set on the authority of staff to commit the organisation
Example control: Rights to place requisitions and orders are in a written policy
Example monitoring: The policy is checked every year to ensure it is correct
Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Not applicable

Risk to process: No limitation is set on the authority of staff to commit the organisation
Example control: Rights to authorise requisitions and orders are in a written policy
Example monitoring: The policy is checked every year to ensure it is correct
Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Not applicable

4 5 8 2 4 4.5.8.2 Process transactions Process transactions resulting from the purchase of

expenses

Transactions are not processed completely and

accurately

Not applicable

4 5 8 2 1 5 4.5.8.2.

1

Purchasing expenses -

Invoice input

Receive an invoice from the Supplier for the goods and

services supplied. If it has an order number, match it an

the computer system against the receipt and order, for

quantity and price. Differences outside a pre-defined

tolerance are held and cleared by purchasing. Invoices

with no order have to have senior management

authorisation.

Invoice input against incorrect supplier Most invoices are input against an order and the

supplier details are checked. If no order exists there is

no control

The supplier will send a reminder to

pay

Examine transactions which correct mis-postings Not applicable

4 5 8 2 1 5 4.5.8.2.

1

Purchasing expenses -

Invoice input

Receive an invoice from the Supplier for the goods and

services supplied. If it has an order number, match it an

the computer system against the receipt and order, for

quantity and price. Differences outside a pre-defined

tolerance are held and cleared by purchasing. Invoices

with no order have to have senior management

authorisation.

Incorrect values input Where the invoice is matched to an order, an exception

report is produced for invoices not matching and these

are held until purchasing approve the difference.

Invoices without orders are batch totalled

Monthly check, by management, of the

report showing invoices held in query.

Follow-up of invoices over one month

old

Examine the query report to ensure no queries are

outstanding for an excessive period of time, and that all

are being actively persued

Not applicable

4 5 8 2 1 5 4.5.8.2.

1

Purchasing expenses -

Invoice input

Receive an invoice from the Supplier for the goods and

services supplied. If it has an order number, match it an

the computer system against the receipt and order, for

quantity and price. Differences outside a pre-defined

tolerance are held and cleared by purchasing. Invoices

with no order have to have senior management

authorisation.

Invoices are input twice Where the invoice is matched to an order the computer

will not allow the input of another invoice. Invoices are

stamped "input"

Budget holders should check the

actual expenditure against their

budget each month

Ask a sample of budget holders to provide evidence that

they have checked the expenses for the previous month

Not applicable

4 5 8 2 1 5 4.5.8.2.

1

Purchasing expenses -

Invoice input

Receive an invoice from the Supplier for the goods and

services supplied. If it has an order number, match it an

the computer system against the receipt and order, for

quantity and price. Differences outside a pre-defined

tolerance are held and cleared by purchasing. Invoices

with no order have to have senior management

authorisation.

Duplicate invoices are input Where the invoice is matched to an order the computer

will not allow the input of another invoice. If copy

invoices are received, where no orders exist, they are

checked to the supplier account before processing. The

computer will not accept duplicate invoice numbers

Budget holders should check the

actual expenditure against their

budget each month

Examine transactions which correct mis-postings Not applicable

4 5 8 2 1 5 4.5.8.2.

1

Purchasing expenses -

Invoice input

Receive an invoice from the Supplier for the goods and

services supplied. If it has an order number, match it on

the computer system against the receipt and order, for

quantity and price. Differences outside a pre-defined

tolerance are held and cleared by purchasing. Invoices

with no order have to have senior management

authorisation.

Invoice input where no goods or services have been

received.

Most invoices are matched against approved orders.

Other invoices must be approved by a senior manager

and accountant, who writes the account code on.

Invoices can only be paid to suppliers set up on the

system, for which separate checks apply. Duties are

divided to ensure staff who input invoices do not set up

suppliers or payments

Budget holders should check the

actual expenditure against their

budget each month

Check a sample of items received through to the stock

system, or other evidence, to prove that the

goods/services were received Check the access to

computer screens to ensure division of duties is

enforced

Not applicable

4 5 8 2 1 5 4.5.8.2.

1

Purchasing expenses -

Invoice input

Receive an invoice from the Supplier for the goods and

services supplied. If it has an order number, match it on

the computer system against the receipt and order, for

quantity and price. Differences outside a pre-defined

tolerance are held and cleared by purchasing. Invoices

with no order have to have senior management

authorisation.

The tax analysis of invoices is incorrect, for example

"Business entertainment"

All purchasing and transaction processing staff have

specific training on the analysis of Value added tax

(VAT). Detailed guidelines are available. The computer

checks for incorrect calculations

Tax department scrutinise certain

nominal codes for exceptional items

Check a sample of invoices to ensure that the tax

treatment is correct

Not applicable

4 5 8 2 2 5 4.5.8.2.

2

Purchasing expenses -

Invoice filed

After input of the invoice, it is sent for microfiching and

the paper copy destroyed

Invoices are not filed and microfiched Invoices are sequentially numbered on input. When

microfiching, the continuity of these numbers is checked

The fiche are checked by staff when

received back from the microfiching

department

Check a selection of fiche to ensure no numbers are

missing

Not applicable

4 5 8 2 3 5 4.5.8.2.

3

Purchasing expenses -

no invoice received, for

example tax

Receive a properly approved cheque requisition, with

supporting documentation

Incorrect payments may be made Computer payments can only be made against invoices

matched to orders, or authorised invoices. Payments

can only be generated by staff who do not have access

to order, invoice or supplier master data input. Manual

payment cheques must be supported by the cheque

requisition and signed by two senior managers

Budget holders should check the

actual expenditure against their

budget each month

Check a sample of cheque requisitions, to ensure this

type of transaction should have been used (that is no

invoice is available) and it was properly approved.

Check that the item being paid for is genuine

Not applicable

4 5 8 2 4 5 4.5.8.2.

4

Purchasing expenses -

payment

The computer automatically schedules payments

depending on the terms set for each Supplier.

Payments may be made by electronic funds transfer

(home and foreign) or cheque. Non-invoice payments

(for example payments of tax) may be made by

entering details in the computer, or by paying with a

manual cheque.

Computer payment is made for goods or services

which have not been received

Computer payments can only be made against invoices

matched to orders, or authorised invoices. Payments

can only be generated by staff who do not have access

to order, invoice or supplier master data input. Manual

payment cheques must be supported by the original

invoices and signed by two senior managers

Budget holders should check the

actual expenditure against their

budget each month

Check a sample of payments taken from the cash sheets

to prove that the goods/services paid for were received

Not applicable

4 5 8 2 4 5 4.5.8.2.

4

Purchasing expenses -

payment

The computer automatically schedules payments

depending on the terms set for each Supplier.

Payments may be made by electronic funds transfer

(home and foreign) or cheque. Non-invoice payments

(for example payments of tax) may be made by

entering details in the computer, or by paying with a

manual cheque.

Incorrect settlement discount is taken Payment terms are set up on the supplier account.

They can only be changed on written instructions for a

buyer. Settlement discount can be overridden for a

specific order, but only by a manager

Payment terms are checked by buyers

every 6 months

For the sample of payments used in the above test,

check that the correct settlement discount has been

taken

Not applicable

4 5 8 2 4 5 4.5.8.2.

4

Purchasing expenses -

payment

The computer automatically schedules payments

depending on the terms set for each Supplier.

Payments may be made by electronic funds transfer

(home and foreign) or cheque. Non-invoice payments

(for example payments of tax) may be made by

entering details in the computer, or by paying with a

manual cheque.

Payment is not made on the due date Payment terms are set up on the supplier account.

They can only be changed on written instructions for a

buyer

Payment terms are checked by buyers

every 6 months

For the sample of payments used in the above test,

check that the payment was made on the correct date

Not applicable

Last follow-up results (date)


4 5 8 2 4 5 4.5.8.2.

4

Purchasing expenses -

payment

The computer automatically schedules payments

depending on the terms set for each Supplier.

Payments may be made by electronic funds transfer

(home and foreign) or cheque. Non-invoice payments

(for example payments of tax) may be made by

entering details in the computer, or by paying with a

manual cheque.

Manual payments made are fraudulent Cheques are kept in a locked cupboard to prevent theft

and subsequent forgery. Overseas payment

instructions are signed by two directors. The bank has

instructions to telephone the Chief Financial Officer if

payments are over an agreed amount.

Bank reconciliation will detect

payments made not correctly entered

in the books of account

For a sample of manual and overseas payments, ensure

that goods/services were received. Check the bank

understands its instructions to phone the CFO. If

appropriate, carry out a separate audit on foreign

payments

Not applicable

4 5 8 2 4 5 4.5.8.2.

4

Purchasing expenses -

payment

The computer automatically schedules payments

depending on the terms set for each Supplier.

Payments may be made by electronic funds transfer

(home and foreign) or cheque. Non-invoice payments

(for example payments of tax) may be made by

entering details in the computer, or by paying with a

manual cheque.

Cheques are altered or forged Cheque signing signatures are embossed. Cheques are

printed by specialist printers with the latest security

features

Bank reconciliation will detect

payments made not correctly entered

in the books of account

Observe the cheque printing process to ensure it is

physically secure. Check that the signature plates are

stored in a safe with limited access

Not applicable

4 5 8 2 4 5 4.5.8.2.

4

Purchasing expenses -

payment

The computer automatically schedules payments

depending on the terms set for each Supplier.

Payments may be made by electronic funds transfer

(home and foreign) or cheque. Non-invoice payments

(for example payments of tax) may be made by

entering details in the computer, or by paying with a

manual cheque.

The payment output file is altered. (This file holds

payment data to be transmitted to the bank, or used to

print cheques)

Access controls on the computer to prevent alteration Exception reports, checked by

management, which detail exceptional

alterations to files

Obtain details of those staff with access to the computer

files. They should only be senior IT staff with no access

to accounting systems

Not applicable

4 5 8 2 5 5 4.5.8.2.

5

Purchase expense

invoices / credit notes

posted to accounts

Invoices and payments are posted to the general

(nominal) ledger in the same accounting period

Invoice / credit notes are posted to incorrect accounts Invoices are posted to the cost centre and nominal

account set up on the requisition. The computer verifies

that these exist and prevents certain combinations of

cost centre and nominal codes

Budget holders check their expenses

each month for incorrect items. Plus

Financial Accounts check balances to

the previous month's and investigate

significant discrepancies

For a sample of invoices, check the coding is correct Not applicable

4 5 8 2 6 5 4.5.8.2.

6

Accounts Payable month-

end processes

In order to compile month-end accounts, the value of

goods received not invoiced is calculated by the

computer, from unmatched receipts. Checks are made

to ensure all services received, but not invoiced, are

also accrued. To ensure details have been correctly

passed from the accounts payable system to the

general ledger, the total of the accounts payable

ledger is reconciled to the accounts payable control

account in the general ledger

Accruals not calculated The value of all goods received not invoiced is

calculated by the computer

Comparison made with previous

month's figure. Major differences

investigated

Check the report providing the accruals figure. Check

that large variances from the previous month have been

explained

Not applicable

4 5 8 2 6 5 4.5.8.2.

6

Accounts Payable month-

end processes

In order to compile month-end accounts, the value of

goods received not invoiced is calculated by the

computer, from unmatched receipts. Checks are made

to ensure all services received, but not invoiced, are

also accrued. To ensure details have been correctly

passed from the accounts payable system to the

general ledger, the total of the accounts payable

ledger is reconciled to the accounts payable control

account in the general ledger

Accruals not calculated correctly In major expense service functions (for example

advertising) managers must detail services provided

which have not been invoiced

Major variances from budget are

investigated

Check the composition of the accruals figure. For a

sample of receipts on the report, ensure they are recent

and obtain explanations why old receipts have not had

invoices processed

Not applicable

4 5 8 2 6 5 4.5.8.2.

6

Accounts Payable month-

end processes

In order to compile month-end accounts, the value of

goods received not invoiced is calculated by the

computer, from unmatched receipts. Checks are made

to ensure all services received, but not invoiced, are

also accrued. To ensure details have been correctly

passed from the accounts payable system to the

general ledger, the total of the accounts payable

ledger is reconciled to the accounts payable control

account in the general ledger

Accounts payable ledger total does not represent all

liabilities

Total of supplier balances reconciled to Accounts

Payable control account in the General ledger

Reconciliation is signed by a senior

manager

For a number of months, check this reconciliation has

been properly carried out

Not applicable

4 5 8 2 7 5 4.5.8.2.

7

Manage the accounts

payable ledger

Ensure the accounts payable ledger is correctly

updated, properly represents amounts owed to

creditors and is correctly included in the accounts of

the organisation

Accounts payable ledger total does not represent all

liabilities

Sample check reconciliation of Supplier statements to

the Accounts Payable balance

The check is noted and scrutinised by

a senior manager at month-end

Scrutinise the reconciliations carried out to ensure they

contain no unusual items. If necessary, reperform some

reconciliations to ensure they are correct

Not applicable

4 5 8 2 7 5 4.5.8.2.

7

Manage the accounts

payable ledger

Ensure the accounts payable ledger is correctly

updated, properly represents amounts owed to

creditors and is correctly included in the accounts of

the organisation

Supplier with a debit balance, due to credits issued,

goes out of business

Exception report highlighting large debit balances.

Payment stop put on the account. Systems in place to

request repayment of the amount owing

Management scrutiny of large debit

balances each month, with a progress

report on their recovery

Check the accounts payable list of balances for debit

balances. For a sample of balances, determine why they

arose and the action being taken to recover them

Not applicable

4 5 8 3 4 4.5.8.3 Provide systems Provide systems, including computer systems to

support the organisation's operations

(Summary level) n/a Not applicable

4 5 8 3 1 5 4.5.8.3.

1

Maintain central systems The proper operation of applications is maintained by a

central IT department

Data lost through main computer failure, systems

unavailable for a prolonged period

Range of controls maintained by the IT department Users monitor their output, such as

reconciling the accounts payable

balance with the general ledger

Covered by audits of the IT processes Not applicable

4 5 8 3 2 5 4.5.8.3.

2

Maintain user systems Users set up their own computer systems (for example

spreadsheets) to produce data

User-maintained systems lose data Data is kept on the network which is backed-up daily IT management should monitor system

reports

Ensure data is backed-up - try retrieving yesterday's

files. If a stand-alone computer, check back-up to discs

Not applicable

4 5 8 3 2 5 4.5.8.3.

2

Maintain user systems Users set up their own computer systems (for example

spreadsheets) to produce data

User-maintained systems produce inaccurate data All important data is checked, or reconciled, to an

independent source to ensure it is correct. If this is not

possible, some manual reperformance of calculations,

or checks of formulas.

Output should be examined for

"reasonableness"

Check formulas are correct. If possible use a

spreadsheet analyser to detect possible problems.

Reperform manually important calculations, if possible.

Not applicable

4 5 8 3 2 5 4.5.8.3.

2

Maintain user systems Users set up their own computer systems (for example

spreadsheets) to produce data

User-maintained systems understood by only the

programmer

A user guide has been written and independently tested

after each revision

Manager holds a copy Check all programs have a clearly written user guide. Not applicable

4 5 8 4 4 4.5.8.4 Prepare management

accounts

Collect the data from processed transactions into

accounts for management to make decisions

Information is incorrectly analysed and summarised Totals on the management accounts are reconciled to

totals from the accounts payable system

Output should be examined for

"reasonableness"

Trace figures from the accounts payable system through

to totals in the top level management accounts

Not applicable

4 5 8 5 4 4.5.8.5 Prepare financial

accounts

Collect the data from processed transactions into

accounts for statutory or tax purposes

Information is incorrectly analysed and summarised Each month, or more frequently, the accounts payable

ledger total is reconciled to the accounts payable

control account in the general ledger

Manager checks the reconciliation.

Management and financial accounts

are reconciled

Trace figures from the accounts payable system through

to totals in the top level financial accounts

Not applicable

4 5 8 6 4 4.5.8.6 Provide staff Recruit staff and manage staff policies (Summary level) Not applicable

4 5 8 6 1 5 4.5.8.6.

1

Establish job descriptions Job descriptions, in accordance with policy, are written

and approved

Staff competencies required have not been identified All jobs have written job descriptions, which show the

competencies required

HR and manager sign off job

descriptions

Check for job descriptions of all staff levels Not applicable

4 5 8 6 2 5 4.5.8.6.

2

Carry out regular

appraisals

Targets are set for staff with regular appraisals in

accordance with policy

Actual competencies of the staff have not been

matched with required competencies

The targets take into account the competencies

required

HR and manager sign off appraisals Check appraisal files Not applicable

4 5 8 6 3 5 4.5.8.6.

3

Training of staff Staff are trained in order to achieve their targets with

maximum effectiveness and efficiency, within the ethical

guidelines

Training is not provided, or is inadequate. For example

it omits ethical guidance

Training is provided when taking on new responsibilities

and during a job, to ensure the staff member

understands how to do the job and the controls which

must operate

Managers monitor the training their

staff receive to ensure it is appropriate

at all times

Check training materials. Ask staff who have recently

changed jobs about their training

Not applicable

4 5 8 6 3 5 4.5.8.6.

3

Training of staff Staff are trained in order to achieve their targets with

maximum effectiveness and efficiency, within the ethical

guidelines

Staff not allowed to attend training Clear policy from the board that training is important. HR monitor staff not attending training

courses and determine why

Question staff who have been on courses Not applicable

4 5 8 6 4 5 4.5.8.6.

4

Recruit suitable staff Recruit staff to fill vacancies Applicants falsify references All references and qualifications are checked by HR Manager can request references if

required

Take a sample of recent joiners and check that

references were supplied. (Other tests are carried out

as part of the audit of HR)

Not applicable

4 5 8 6 4 5 4.5.8.6.

4

Recruit suitable staff Recruit staff to fill vacancies Insufficient staff are available to carry out all duties,

and maintain division of duties

HR maintain succession plans for senior key staff.

Managers have plans for other key staff

Senior managers should monitor their

managers to ensure succession plans

exist

Examine staff budgets to ensure staff numbers are being

maintained at levels which ensure controls are operated

Not applicable

4 5 8 7 4 4.5.8.7 Provide legal services Advise all areas of the company concerning action to

be taken on legislation

Staff involved in expense purchasing are not aware of

legislation which affects them, thus threatening the

organisation with prosecution

There is a clear, preferably written, understanding that

legal services will update the appropriate managers with

legislation which affects them. The managers will brief

their staff

Senior management check that

important legislation is understood by

the functions under their control

Determine when the last update from legal services was

received and how it was briefed to staff. If you are aware

of any legislation affecting the processes being audited

(for example competition legislation), make sure it has

been briefed in. These processes will also be covered

by audit BS

Not applicable

4 5 8 8 4 4.5.8.8 Provide tax services Advise all areas of the company concerning action to

be taken on tax legislation

Staff involved in expense purchasing are not aware of

tax legislation which affects them, thus threatening the

organisation with fines or the loss of tax credits

Regular briefings from tax department to all staff

concerned. Induction training to include the relevant

aspects of tax

Senior manager to check that new tax

legislation has been briefed to staff

Ask staff about their induction. Do they understand the

tax implications of their work? Check invoices for correct

treatment of taxes (for example VAT)

Not applicable

4 5 8 9 4 4.5.8.9 Ensure health & safety Ensure the organisation complies with legislation and

good practice to ensure the safety of staff and

customers

Suppliers provide services without observing safety

procedures, resulting in injury to staff

Audit of suppliers to ensure they understand health and

safety legislation. Orders and contracts contain a clause

to ensure suppliers comply with regulations

Qualified staff check suppliers working Examine documents given to suppliers and their written

agreement. Attend, with qualified staff, the suppliers

working on-site

Not applicable

4 5 8 10 4 4.5.8.10 Manage the environment Ensure the operations of the organisation obey all

environmental laws and good practice

Goods purchased, for example cleaning solvents, may

create an unsafe environment for employees

Purchasing staff have training on general health and

safety topics, with specific training for staff ordering

chemicals and other potentially hazardous items

Periodic audits by health and safety

department

Check training records, and H & S audit documentation Not applicable

4 5 8 12 Ensure security The physical security of tangible and intangible assets,

and staff and customers, is maintained at all times to

ensure the continued operation of the organisation

(Summary level) Not applicable

4 5 8 12 1 5 4.5.8.12

.1

Provide security All assets, including physical assets, stock and

information, are physically secure

Loss of the organisation's assets All buildings have entry restricted by card operated

gates

Periodic audits, by security

department, of the access to buildings

During audit, observe security precautions. Otherwise

the tests of physical security are carried out in audit

group BX

Not applicable

4 5 8 12 2 5 4.5.8.12

.2

Identify documents

required to achieve the

objective of these

processes

Decide on the documents, paper or electronic, which

are essential to the operation of expense purchases, or

for tax reasons. These may include paper orders,

supplier invoices, cash sheets and cheques

Documents essential to operations (such as cheques)

may be lost in a fire

Supplies of paper documents, such as orders and

cheques, are stored in a separate building. Documents

which must be kept for tax purposes are microfiched,

and these are stored in a fireproof safe

It is the responsibility of the

departmental manager to ensure

documents are retained and securely

stored for as long as necessary

Check the existence of the paper documents kept off-

site. Check that all microfiche are stored in the fireproof

safe, with none left out at night.

Not applicable

4 5 8 12 3 5 4.5.8.12

.3

Decide on arrangements

to safeguard these

For each document, decide on the appropriate storage

medium

Level of protection may not be sufficient A formal process has been carried out to identify the

documents used and their method of storage

It is the responsibility of the

departmental manager to ensure

documents are retained and securely

stored for as long as necessary

Check for evidence of the formal process, and that it is

being followed

Not applicable

4 5 8 13 4 4.5.8.13 Communicate Inform internal and external stakeholders of the

organisation's policies and intentions

Reputation of the company suffers because the press

are mis-informed about the organisation's policy of not

using suppliers who might use child labour

A documented ethical policy, which includes purchasing

policy

The Ethical Committee ensures a

complete policy is communicated to all

stakeholders

Examine the policy and check specifically for purchasing

policy

Not applicable

4 5 8 14 4 4.5.8.14 Manage risks threatening

expense purchasing

processes

(Summary level) Not applicable

4 5 8 14 1 5 4.5.8.14

.1

Identify risks Risk workshops and interviews are held to determine

the risks threatening the objectives of the expense

purchasing function

Risks are not known Quarterly examination of the risk register by

management, with written confirmation to Internal Audit

of changes, or confirmation that no changes are

necessary

Internal Audit maintain the risk

register, and ensure each function

provides a list of scored risks with

controls

Examine processes to set up the risk register and

examine the register. Ensure all types of risk, including

external risks, have been considered

Not applicable

4 5 8 14 2 5 4.5.8.14

.2

Evaluate risks Score the risks on the organisation's likelihood and

consequence scales

Significant risks are not understood Quarterly examination of the risk register by

management, with written confirmation to Internal Audit

of changes, or confirmation that no changes are

necessary

Internal Audit maintain the risk

register, and ensure each function

provides a list of scored risks with

controls

Examine the process which scores the risks Not applicable

4 5 8 14 3 5 4.5.8.14

.3

Control risks For all risks, decide on a cost-effective control to

reduce the risk to the risk appetite of the organisation

Significant risks are not controlled Controls are put into operation which reduce residual

risks to the risk appetite of the organisation

Internal Audit maintain the risk

register, and ensure each function

provides a list of scored risks with

controls

Check controls as part of the audit Not applicable


Column key

L1: Level 1 risk number. Corresponds to the Risk database

L2: Level 2 risk number. Corresponds to the Risk database

L3: Level 3 risk number

L4: Level 4 risk number

L5: Level 5 risk number

L: Level of the process on this row (1 to 5)

Ref: Reference number of the process (L1.L2.L3.L4.L5). This is a unique number which defines this process throughout the organisation

Process: Title of the process

Process Description: A brief description of what the process does. Any more details should be filed in the audit file

Risk to process: The threat to the process. There may be several risks to one process, or one risk may threaten several processes

Risk source: Who identified the risk (management, risk workshop, auditor, meeting)

IRC: Inherent risk consequence score. See "Scoring risks" worksheet

IRL: Inherent risk likelihood score. See "Scoring risks" worksheet

IRS: Inherent risk scores multiplied to give significance

Example control: An example of a control which might mitigate the risks

Example monitoring: An example of a monitoring control which might check the operation of the control

Tests: An example of a test which might confirm the operation of the control

Ref: Reference to the schedule giving more details of the test

RRC: Residual risk consequence score. See "Scoring risks" worksheet

RRL: Residual risk likelihood score. See "Scoring risks" worksheet

RRS: Residual risk scores multiplied to give significance

Cont score: Control score = IRS - RRS. The higher it is the more important the control

Issue: Details where the risk is not mitigated to the acceptable level ("Risk appetite")

Action: Action which management is taking to reduce the risk

By whom: The job title and name of the person responsible for ensuring the action takes place

Conclusion Risks: Conclusion on risk management (see "Allocating conclusions" worksheet)

Conclusion Controls: Conclusion on the adequacy of internal controls (see "Allocating conclusions" worksheet)

Conclusion Action: Conclusion on any action required to reduce risks (see "Allocating conclusions" worksheet)

Conclusion Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls (see "Allocating conclusions" worksheet)

Report ref: The paragraph number in the report where the issue is reported

Follow-up Risks: Conclusion on risk management from the last follow-up audit (see "Allocating conclusions" worksheet)

Follow-up Controls: Conclusion on the adequacy of internal controls from the last follow-up audit (see "Allocating conclusions" worksheet)

Follow-up Action: Conclusion on any action required to reduce risks from the last follow-up audit (see "Allocating conclusions" worksheet)

Follow-up Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls from the last follow-up audit (see "Allocating conclusions" worksheet)


Advice on scoring risks (inherent and residual): 1 to 3 scale

If the consequence when the risk occurs is: | OR the likelihood of the risk occurring is: | Then the measure is defined to be:

To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk > £100,000 | Almost certain | High (3)

To stop the organisation achieving its objectives for a limited period. Cash at risk <£100,000 >£5,000 | Possible | Medium (2)

To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk <£5,000 | Unlikely | Low (1)

Values are an example only. They should be agreed at board level as part of setting the risk appetite of the organisation

Grading individual risks (residual)

Rows: Likelihood of residual risk. Columns: Consequence of residual risk.

Likelihood | Low (1) | Medium (2) | High (3)

High (3) | 3 Acceptable / Supplementary Issue | 6 Unacceptable risk | 9 Unacceptable risk

Medium (2) | 2 Acceptable | 4 Issue risk | 6 Unacceptable risk

Low (1) | 1 Acceptable | 2 Acceptable | 3 Acceptable / Supplementary Issue


Risk score = Likelihood score X Consequence score

Unacceptable: Immediate action required to control the risk

Issue: Action required to control the risk

Supplementary issue: Action is advisable if it is cost-effective

Acceptable: No action required


Advice on scoring risks (inherent and residual): 1 to 5 scale

If the consequence when the risk occurs is:
  A catastrophic impact on the organisation, threatening its existence. Cash at risk > £1,000,000
  To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk < £1,000,000, > £100,000
  To stop the organisation achieving its objectives for a limited period. Cash at risk < £100,000, > £30,000
  To stop the organisation achieving its objectives for a limited period. Cash at risk < £30,000, > £5,000
  To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk < £5,000

OR the likelihood of the risk occurring is:
  Almost certain
  Probable
  Possible
  Unlikely
  Rare


Likelihood of residual risk (rows) against consequence of residual risk (columns):

Likelihood \ Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost certain (5) | 5 Supplementary Issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable
Probable (4) | 4 Acceptable | 8 Supplementary Issue | 12 Issue | 16 Unacceptable | 20 Unacceptable
Possible (3) | 3 Acceptable | 6 Supplementary Issue | 9 Issue | 12 Issue | 15 Unacceptable
Unlikely (2) | 2 Acceptable | 4 Acceptable | 6 Supplementary Issue | 8 Supplementary Issue | 10 Issue
Rare (1) | 1 Acceptable | 2 Acceptable | 3 Acceptable | 4 Acceptable | 5 Supplementary Issue


Then the measure is defined to be:
  Catastrophic (5)
  Major (2)
  Moderate (2)
  Minor (2)
  Insignificant (1)


Audit: Purchasing and payment of expense goods and services

Advice on allocating conclusions

Conclusion on each key issue, with the criteria for each grading:

Key issue: Risks have been identified, evaluated and managed
  Acceptable: Thorough processes have been used and all significant risks should have been identified
  Issues: Processes have been used, but there are some deficiencies
  Unacceptable: Inadequate, or no, processes have been used

Key issue: Internal controls reduce risks to acceptable levels
  Acceptable: The risk is being mitigated to an acceptable level by the control(s)
  Issues: The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved
  Unacceptable: The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results (red) or The risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results

Key issue: Action being taken to promptly remedy significant failings or weaknesses
  Acceptable: The action being taken will result in all risks being mitigated
  Issues: The action being taken will result in some reduction in risk but not to acceptable levels
  Unacceptable: No action is being taken, OR insufficient action is being taken to mitigate risks

Key issue: Current levels of monitoring are sufficient
  Acceptable: No more monitoring is necessary than is done at present
  Issues: Some additional monitoring is required
  Unacceptable: Major improvements are required to the monitoring of controls

Score (1 to 3 scale)
  Acceptable: Score 0, 1, 2 or 3
  Issues: Score: 4 (possibly 3)
  Unacceptable: Score: 6 or 9

Score (1 to 5 scale)
  Acceptable: Score =<8
  Issues: Score: >9 <14
  Unacceptable: Score: >14

Colour
  Acceptable: green
  Issues: amber
  Unacceptable: red

Report as
  Acceptable: Supplementary issue, if cost effective controls can reduce the risk further, otherwise do not report
  Issues: Key issue
  Unacceptable: Key issue

Looking at it another way:

Score (1 to 3 scale): Score 0, 1, 2 or 3. Score (1 to 5 scale): Score =<8. Colour: green. Grading: acceptable
  Risks have been identified, evaluated and managed: Thorough processes have been used and all significant risks should have been identified
  Internal controls reduce risks to acceptable levels: The risk is being mitigated to an acceptable level by the control(s)
  Action being taken to promptly remedy significant failings or weaknesses: The action being taken will result in all risks being mitigated
  Current levels of monitoring are sufficient: No more monitoring is necessary than is done at present
  Report as: Supplementary issue, if cost effective controls can reduce the risk further, otherwise do not report

Score (1 to 3 scale): Score: 4 (possibly 3). Score (1 to 5 scale): Score: >9 <14. Colour: amber. Grading: issue
  Risks have been identified, evaluated and managed: The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved
  Internal controls reduce risks to acceptable levels: The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved
  Action being taken to promptly remedy significant failings or weaknesses: The action being taken will result in some reduction in risk but not to acceptable levels
  Current levels of monitoring are sufficient: Some additional monitoring is required
  Report as: Key issue

Score (1 to 3 scale): Score: 6 or 9. Score (1 to 5 scale): Score: >14. Colour: red. Grading: unacceptable
  Risks have been identified, evaluated and managed: The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results (red) or The risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results
  Internal controls reduce risks to acceptable levels: The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results (red) or The risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results
  Action being taken to promptly remedy significant failings or weaknesses: No action is being taken, OR insufficient action is being taken to mitigate risks
  Current levels of monitoring are sufficient: Major improvements are required to the monitoring of controls
  Report as: Key issue