expense purchases
Audit: Purchase of expense goods and services 5:03 AM 4/5/2014
Audit: Purchasing and payment of expense goods and services
Introduction
Last updated 21 August 2004
Purpose
The purpose of this spreadsheet is to show typical risks, expected controls and
example tests for processes related to the purchasing and payment of expense goods
and services (excluding personal expenses)
Full details of how to complete and use the database are in the manual which can be
downloaded from www.internalaudit.biz
The database is not complete - it must be changed to suit your organisation
To see how this database fits into the audit universe, download the Risk and Audit
Database from www.internalaudit.biz
Auditing is not about carrying out tests taken from an audit programme, it is about
understanding the objectives of the processes you are auditing, the risks which
threaten them and the controls which actually operate to mitigate them.
The database (Audit programme)
The audit programme is in the form of an Excel database. It can be treated just like a
large "Word" table but can also be sorted and filtered.
The database covers those processes which might be involved in purchases and
payments using a computerised system. Thus it covers not only ordering and invoice
approval, but also staff management and computer controls
Rows with processes which are split down into more detailed processes are coloured and
do not have data in some columns
The processes are only intended as an example. You must change them to those in your
organisation
If you construct audit databases please make them available to other auditors through
AuditNet® (http://www.auditnet.org/)
For a full explanation of the content of the columns, go to the "Column key" worksheet
The example controls and monitoring
These examples are suggestions only. They cannot possibly apply to every size of
organisation that might use this database. You must decide on the controls which
mitigate the risks to acceptable levels in your organisation
Remember that the examples are general and therefore rather vague. Your entries
should be much more specific, in particular, noting the names of staff carrying out the
checks
Worksheets
There are 7 worksheets in this spreadsheet:
Introduction
Scope
Process map
Expense purchases database
Copyright D M Griffiths Introduction Page1 of 23
Column key
Scoring risks
Allocating conclusions
Language
I have used UK English for the risk register. Variations from US English include:
Supplier = Vendor
Purchase = Procure
Cheque = Check
I have used the term "accounts payable" for purchase ledger, since this is now common
in the UK.
All sheets copyright David M Griffiths
Not to be copied or distributed without acknowledging the author, or in conjunction with a
commercial product
Scope of the audit
Reasons for the audit
The organisation's risk analysis has identified significant risks to its objectives from the
processes involved in the purchase of expense goods and services. The audit will
conclude on whether:
Risks threatening the objectives of the processes have been properly identified,
evaluated and managed.
Internal controls are operating properly to mitigate these risks to levels defined as
acceptable by board policy.
Action is being taken to improve controls, where risks are not being properly mitigated
More monitoring, by management, is necessary to ensure proper internal controls into the
future.
A sound system of internal control is maintained for the processes audited
Objectives of the processes being audited
The overall objective of the process (4.5) is to purchase expense goods and services for
the organisation. (That is goods which are not for resale)
The processes covered by this audit are:
Define the objectives for purchasing expenses
Set up suppliers on the computer file
Set up items for purchase on the computer file
Raising requisitions
Raising orders
Receive goods/services
Returning of unsatisfactory goods
In addition, the following support functions are covered:
Invoice processing
Payment to suppliers
Accounting for expense purchases
Key risks of the processes being audited
Expense goods/services requested are not needed or are not for the benefit of the
company
Orders are placed with suppliers who do not provide best value (quality/price/delivery)
Payment is made for goods or services which have not been received
Transactions are not correctly entered in the books of account
The processes concerned are not operated efficiently and effectively
Audit work plan
In order to carry out this audit the auditors will:
Take into account any previous audits, noting particularly the issues raised
Obtain organisation charts, procedure manuals, training documentation and any other
documentation which should be being used by the departments involved in the audit
Obtain budgets, actual figures and any other relevant financial information
If appropriate, meet the external auditors and any other parties with an interest in the
processes being audited
Meet with staff at all levels to understand their responsibilities and concerns
Visit all locations which affect the risks involved (warehouses, factories, outsource
suppliers)
Carry out walkthrough tests to understand the processes involved, including monitoring
controls
Understand the changes made since the last audit
Obtain relevant risk registers, noting when they were last updated
Carry out interviews and risk workshops, as necessary, to ensure all risks have been
identified
Add to the risks in the risk register
Score the inherent risks, according to the risk appetite of the organisation, as
approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Carry out the tests necessary to confirm that the controls are operating properly
Score the residual risks, according to the risk appetite of the organisation, as
approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Draw conclusions as to whether each risk is properly controlled (see the example)
Submit a report
Diagram of processes with key risks
This diagram shows the key processes for purchasing expenses and is the next level down from the risk register.
Key risks are collected in the boxes, prior to putting them on the audit database.
It is used to drive the main audit database.
(The diagram survives only as text; the process boxes and the key risks attached to each are listed below.)

Purchase expense goods
Define objectives: The strategy is not consistent with the overall strategy; The strategy has not been communicated
Set up suppliers: Supplier details are not correctly input/modified; New suppliers improperly set up
Set up items: Item details are not correctly input/modified
Requisition goods and services: The requisition may be for goods and services not required; The requisition may be incorrect
Place order: The order is placed with a supplier not providing the best value; The order is incorrect
Receive goods: Goods/services are not what was ordered; Incorrect quantities received are input; Supplier of vital services/goods may go out of business
Return goods: Credit is not obtained for goods returned

Support purchase expense goods
Payment: Payment is made when goods/services have not been received; Settlement discount is not correctly deducted; Payment is not made on the due date
Audit database
Columns (explained in the "Column key" worksheet): L1, L2, L3, L4, L5, L, Ref, Process, Process description, Risk to process, Risk source, IRC, IRL, IRS, Example control, Example monitoring, Tests, Ref, RRC, RRL, RRS, Control score, Issue, Action, By whom, Conclusion (Risks, Controls, Action, Monitoring), Report ref, Follow-up (Risks, Controls, Action, Monitoring)
In the rows below, each entry gives the level digits and Ref, the process and its description, the risk, the example control, the example monitoring and the tests; "Not applicable" is the unused reference column.
4 5 2 4.5 Purchase expense
goods
Purchase goods and services for the
organisation
(Summary level) Not applicable
4 5 1 3 4.5.1 Define objectives Define the strategy for expense purchases,
communicate and deliver it
(Summary level) Not applicable
4 5 1 1 4 4.5.1.1 Define the strategy for
expense purchasing
Set down targets for the year(s) ahead, for example,
meeting the budget, improving staff efficiency, handling
more orders
The strategy does not maximise efficiency and
effectiveness and is not consistent with the
organisation's strategy
The strategy for purchasing expense goods and
services is updated each year, prior to setting targets
and budgets for the areas concerned. These targets
and budgets are approved by management finance.
Directors check the strategy for
departments under their control. The
overall budget is approved by the
board
Examine the latest strategy document Not applicable
4 5 1 1 4 4.5.1.1 Define the strategy for
expense purchasing
Set down targets for the year(s) ahead, for example,
meeting the budget, improving staff efficiency, handling
more orders
The strategy has not been updated The strategy for purchasing expense goods and
services is updated each year, prior to setting targets
and budgets for the areas concerned
Directors check the strategy for
departments under their control
Examine the latest strategy document. Check that the
budget forms part of the organisation's overall budget.
Examine variances for the current year and ensure
adequate explanations have been made for excessive
Not applicable
4 5 1 2 4 4.5.1.2 Communicate the
strategy
Inform the staff about the targets Staff are unaware of the strategy Staff are briefed by their managers The strategy is available on notice
boards and the intranet
Ask staff to confirm they have been briefed. Determine
the date of the briefing and attendees
Not applicable
4 5 1 3 4 4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver
the strategy
No action plan exists to deliver the strategy An action plan to deliver the strategy is part of the
budgeting process
Directors check the action plan for
departments under their control
Examine the action plan. Check for progress to
implement it.
Not applicable
4 5 1 3 4 4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver
the strategy
The strategy is not built into individuals' targets Individuals are given their targets based on those of the
department
Directors, or senior managers, check
the staff targets for departments under
their control
Examine staff targets for a selection of staff Not applicable
4 5 1 3 4 4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver
the strategy
Any member of staff can authorise the purchase of any
goods or services
Rights to place requisitions and orders are in a written
policy
The policy is checked every year to
ensure it is correct
Examine the policy. Check it is up-to-date, appropriate
staff have a copy and know how to use it. As part of
other tests, ensure adherence to the policy
Not applicable
4 5 1 3 4 4.5.1.3 Deliver the strategy Form an action plan, with the staff involved, to deliver
the strategy
Any member of staff can requisition any goods or
services
Rights to authorise requisitions and orders are in a
written policy
The policy is checked every year to
ensure it is correct
Examine the policy. Check it is up-to-date, appropriate
staff have a copy and know how to use it. As part of
other tests, ensure adherence to the policy
Not applicable
4 5 2 3 4.5.2 Set up Suppliers Set up new Suppliers on the computer system, or
modify existing details. Includes addresses and
payment terms
Supplier details are not correctly input/modified Details of all changes to the Supplier master file are
printed on a report which is checked to supporting
documentation by staff who are not involved in
changing Supplier details
Details of Suppliers and the amount
spent with them are printed out every
six months for authorisation by the
Purchasing Director
Check individual reports over the last six months for
evidence of checking. Observe the process in action.
Not applicable
4 5 2 3 4.5.2 Set up Suppliers Set up new Suppliers on the computer system, or
modify existing details. Includes addresses and
payment terms
False Suppliers are set up and paid Details of all changes to the Supplier master file are
printed on a report which is checked to supporting
documentation by staff who are not involved in
changing Supplier details
Details of Suppliers and the amount
spent with them are printed out every
six months for authorisation by the
Purchasing Director
Check individual reports over the last six months for
evidence of checking. Observe the process in action.
Not applicable
4 5 2 3 4.5.2 Set up Suppliers Set up new Suppliers on the computer system, or
modify existing details. Includes addresses and
payment terms
No settlement discount, or other discounts, are
negotiated
Details of all changes to the Supplier master file are
printed on a report which is checked to supporting
documentation by staff who are not involved in
changing Supplier details
Details of Suppliers and the amount
spent with them are printed out every
six months for authorisation by the
Purchasing Director
Check individual reports over the last six months for
evidence of checking. Observe the process in action.
Not applicable
4 5 4 3 4.5.4 Departments requisition
goods/services
Raise a request (may be on the computer system, but
could be an e-mail or manual form) for goods or
services to be ordered
Expense goods/services requested are not needed or
are not for the benefit of the company
Requisitions are authorised by an appropriate manager Budgets are maintained for all
expenses with monthly monitoring
against actual
Observe the procedure for electronically authorising
requisitions. If possible, have the computer controls
checked by a competent auditor.
Not applicable
4 5 4 3 4.5.4 Departments requisition
goods/services
Raise a request (may be on the computer system, but
could be an e-mail or manual form) for goods or
services to be ordered
Details on the requisition are incorrect Requisitions are authorised by an appropriate manager Budgets are maintained for all
expenses with monthly monitoring
against actual
Observe the procedure for electronically authorising
requisitions. If possible, have the computer controls
checked by a competent auditor.
Not applicable
4 5 5 3 4.5.5 Purchasing order raised
for goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new
Supplier
The order is incorrect, that is, it does not agree with the
approved requisition
Confirmation is required on the order screen before the
order is sent or printed
The requisitioner will query any
difference
Observe the process and try submitting without
confirmation
Not applicable
4 5 5 3 4.5.5 Purchasing order raised
for goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new
Supplier
The price on the order does not give the organisation
maximum value
The order is placed by trained purchasing staff using
prices on the computer, or negotiated with the supplier.
Budgets are maintained for all
expenses with monthly monitoring
against actual
Examine a report which shows the access rights of each
person in purchasing and payables. Confirm that proper
division of duties exists.
Not applicable
4 5 5 3 4.5.5 Purchasing order raised
for goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new
Supplier
Orders are placed with suppliers who do not provide
best value (quality/price/delivery)
Orders can only be placed with suppliers previously set
up on the computer
Half-yearly report listing suppliers and
spend which is approved by the
Purchasing Director
Examine the input of orders. Try to set up a new
supplier from the order screen
Not applicable
4 5 5 3 4.5.5 Purchasing order raised
for goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new
Supplier
Orders are placed late Computer report showing requisitions not turned into
orders within 2 days is checked by the supervisor
Requisitioners will complain if orders
are received late
Examine this report for items older than 2 days Not applicable
4 5 5 3 4.5.5 Purchasing order raised
for goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new
Supplier
Orders have incorrect account codes input The requisitioner supplies the codes. The computer
checks these exist but cannot check if they are correct.
Budget holders check their expenses
each month for incorrect items
Examine accounts journals and other documentation
used to correct coding errors to judge how frequent they
are
Not applicable
4 5 5 3 4.5.5 Purchasing order raised
for goods/services
Based on the authorised requisition, purchasing
department raise an order. This may be on an existing
Supplier but might require negotiations with a new
Supplier
Orders are placed for goods not required, without
approved requisitions
All orders have to be placed through the computer.
Orders can only be raised by purchasing staff. Orders
without requisitions must be approved by a senior
manager
Budget holders check their expenses
each month for incorrect items
Check access to order screens is limited to approved
purchasing staff. Check orders raised without approved
requisitions are approved
Not applicable
4 5 6 3 4.5.6 Contracts raised for
continuing services or
supply of materials
Suitable suppliers are identified to supply
goods/services. Sealed tenders (quotes) are called for
and opened in the presence of an independent person.
The cheapest tender is chosen, if all conditions have
been complied with
Contracts are not negotiated to ensure the best prices
for ongoing services such as maintenance
Expenditure on services is constantly monitored to
check if contracts should be raised to ensure best
prices and service. Contracts are tendered, as
necessary, to ensure best prices.
Senior purchasing management
monitor expenses, and check all
tenders to confirm the process
Check expenditure over £X to see if contracts have been
raised. Examine the tendering process, and the last
contracts signed, to ensure the process is operating.
(This could be done as a separate audit)
4 5 7 3 4.5.7 Goods/services received.
Quantity received input
Receive the goods and services ordered. Goods may
be received at a central location, and their receipt
keyed into the computer. Some type of confirmation
should be required for the receipt of services
Goods/services vital to the organisation's operation
become unavailable or too expensive
If possible, have two, or more, sources of supply. Hold
sufficient stocks of vital spares. Have contingency plans
for failure of vital supplies
Continuity of supply is written into
managers' targets, on which they are
assessed
Check for the existence of recent, tested contingency
plans
Not applicable
4 5 7 3 4.5.7 Goods/services received.
Quantity received input
Receive the goods and services ordered. Goods may
be received at a central location, and their receipt
keyed into the computer. Some type of confirmation
should be required for the receipt of services
Quantities, or services, are not what was ordered Computer report showing where quantities received
differ from the order
Requisitioners should complain if the
goods/services differ from the order
Examine this report and check on the action taken. Note
items which may be old and uncorrected
Not applicable
4 5 7 3 4.5.7 Goods/services received.
Quantity received input
Receive the goods and services ordered. Goods may
be received at a central location, and their receipt
keyed into the computer. Some type of confirmation
should be required for the receipt of services
Quantities incorrectly input The computer warns if the quantity received is different
from that ordered
Requisitioners should complain if the
goods/services differ from the order
Observe the process and try submitting a different
quantity
Not applicable
4 5 7 3 4.5.7 Goods/services received.
Quantity received input
Receive the goods and services ordered. Goods may
be received at a central location, and their receipt
keyed into the computer. Some type of confirmation
should be required for the receipt of services
Stock records (for example engineers' spares) not
updated
Automatic update with exception reports where this has
not occurred
Periodic physical checks to stock
records
Check a sample of items received through to the stock
system
Not applicable
4 5 7 3 4.5.7 Goods/services received.
Quantity received input
Receive the goods and services ordered. Goods may
be received at a central location, and their receipt
keyed into the computer. Some type of confirmation
should be required for the receipt of services
Receipt details input when no goods or services have
been received
Division of duties between requisitioners, purchasing
staff and receivers
Budget holders check their expenses
each month for incorrect items
Examine a report which shows the access rights of each
person in purchasing and payables. Confirm that proper
division of duties exists.
Not applicable
4 5 7 3 4.5.7 Goods/services received.
Date of receipt input
Receive the goods and services ordered. Goods may
be received at a central location, and their receipt
keyed into the computer. Some type of confirmation
should be required for the receipt of services
Quality is not up to standard Responsibility of the person receiving the
goods/services to complain of poor quality to the
ordering department
No formal monitoring Ask a sample of staff their opinions on the quality of
goods received
Not applicable
4 5 7 3 4.5.7 Goods/services received.
Date of receipt input
Receive the goods and services ordered. Goods may
be received at a central location, and their receipt
keyed into the computer. Some type of confirmation
should be required for the receipt of services
Goods are lost All goods are received at one, secure, location, which
inputs their receipt against the order
Requisitioner will complain if goods are
not received
Visit the receiving area. Check security and observe the
receipt of goods.
Not applicable
4 5 8 3 4.5.8 Goods/services returned If the goods are not those ordered, are damaged, or
too many are delivered, they will be returned to the
Supplier. If they are found to be faulty after the
processing of an invoice, or payment, a credit note will
be required
Credit is not obtained from the supplier Goods can only be returned on the authority of the
buyer, who raises a "Goods Return Note". One copy
goes with the goods, the other is keyed into the
computer as a debit note. This automatically reduces
the next payment.
Requisitioner will complain if credit is not
received
Take a sample of Goods Returned Notes and check that
the correct credit has been received
Not applicable
4 5 8 3 4.5.8 Support purchasing of
expenses
(Summary level) Not applicable
4 5 8 1 4 4.5.8.1 Define objectives for
supporting expense
purchasing
(Summary level) Not applicable
4 5 8 1 1 5 Define the strategy Set down targets for the year(s) ahead, for example,
meeting the budget, improving staff efficiency, handling
more orders
The strategy has not been updated The strategy for purchasing expense goods and
services is updated each year, prior to setting targets
and budgets for the areas concerned
Directors check the strategy for
departments under their control
Examine the latest strategy document Not applicable
4 5 8 1 2 5 Communicate the
strategy
Inform the staff about the targets Staff are unaware of the strategy Staff are briefed by their managers The strategy is available on notice
boards and the intranet
Ask staff to confirm they have been briefed. Determine
the date of the briefing and attendees
Not applicable
4 5 8 1 3 5 Deliver the strategy Form an action plan, with the staff involved, to deliver
the strategy
No action plan exists to deliver the strategy An action plan to deliver the strategy is part of the
budgeting process
Directors check the action plan for
departments under their control
Examine the action plan Not applicable
4 5 8 1 3 5 Deliver the strategy Form an action plan, with the staff involved, to deliver
the strategy
The strategy is not built into individuals' targets Individuals are given their targets based on those of the
department
Directors, or senior managers, check
the staff targets for departments under
their control
Examine staff targets for a selection of staff Not applicable
4 5 8 1 3 5 Deliver the strategy Form an action plan, with the staff involved, to deliver
the strategy
No limitation is set on the authority of staff to commit
the organisation
Rights to place requisitions and orders are in a written
policy
The policy is checked every year to
ensure it is correct
Examine the policy. Check it is up-to-date, appropriate
staff have a copy and know how to use it. As part of
other tests, ensure adherence to the policy
Not applicable
4 5 8 1 3 5 Deliver the strategy Form an action plan, with the staff involved, to deliver
the strategy
No limitation is set on the authority of staff to commit
the organisation
Rights to authorise requisitions and orders are in a
written policy
The policy is checked every year to
ensure it is correct
Examine the policy. Check it is up-to-date, appropriate
staff have a copy and know how to use it. As part of
other tests, ensure adherence to the policy
Not applicable
4 5 8 2 4 4.5.8.2 Process transactions Process transactions resulting from the purchase of
expenses
Transactions are not processed completely and
accurately
Not applicable
4 5 8 2 1 5 4.5.8.2.1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
Invoice input against incorrect supplier Most invoices are input against an order and the
supplier details are checked. If no order exists there is
no control
The supplier will send a reminder to
pay
Examine transactions which correct mis-postings Not applicable
4 5 8 2 1 5 4.5.8.2.1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
Incorrect values input Where the invoice is matched to an order, an exception
report is produced for invoices not matching and these
are held until purchasing approve the difference.
Invoices without orders are batch totalled
Monthly check, by management, of the
report showing invoices held in query.
Follow-up of invoices over one month
old
Examine the query report to ensure no queries are
outstanding for an excessive period of time, and that all
are being actively pursued
Not applicable
4 5 8 2 1 5 4.5.8.2.1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
Invoices are input twice Where the invoice is matched to an order the computer
will not allow the input of another invoice. Invoices are
stamped "input"
Budget holders should check the
actual expenditure against their
budget each month
Ask a sample of budget holders to provide evidence that
they have checked the expenses for the previous month
Not applicable
4 5 8 2 1 5 4.5.8.2.1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
Duplicate invoices are input Where the invoice is matched to an order the computer
will not allow the input of another invoice. If copy
invoices are received, where no orders exist, they are
checked to the supplier account before processing. The
computer will not accept duplicate invoice numbers
Budget holders should check the
actual expenditure against their
budget each month
Examine transactions which correct mis-postings Not applicable
4 5 8 2 1 5 4.5.8.2.1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
Invoice input where no goods or services have been
received.
Most invoices are matched against approved orders.
Other invoices must be approved by a senior manager
and accountant, who writes the account code on.
Invoices can only be paid to suppliers set up on the
system, for which separate checks apply. Duties are
divided to ensure staff who input invoices do not set up
suppliers or payments
Budget holders should check the
actual expenditure against their
budget each month
Check a sample of items received through to the stock
system, or other evidence, to prove that the
goods/services were received Check the access to
computer screens to ensure division of duties is
enforced
Not applicable
4 5 8 2 1 5 4.5.8.2.1
Purchasing expenses -
Invoice input
Receive an invoice from the Supplier for the goods and
services supplied. If it has an order number, match it on
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
The tax analysis of invoices is incorrect, for example
"Business entertainment"
All purchasing and transaction processing staff have
specific training on the analysis of Value added tax
(VAT). Detailed guidelines are available. The computer
checks for incorrect calculations
Tax department scrutinise certain
nominal codes for exceptional items
Check a sample of invoices to ensure that the tax
treatment is correct
Not applicable
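The invoice-input controls in 4.5.8.2.1 (match invoice to order and receipt for quantity and price, hold differences outside a pre-defined tolerance, hold invoices with no order for senior authorisation, refuse duplicate invoice numbers) are the kind of thing an auditor may want to re-perform on a data extract rather than only observe. The following is an added example, not code from the spreadsheet or its author: it runs a three-way match over constructed orders, receipts and invoices. The record layout, the 2% / £25 tolerance rule and the supplier and order identifiers are all assumptions made for the example.

```python
# Added example (not part of the original audit programme): three-way
# matching of invoices to orders and receipts, with a price tolerance and
# rejection of duplicate invoice numbers. Records, field names and the
# tolerance rule are assumptions for this example.
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Order:
    po: str
    supplier: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class Receipt:
    po: str
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    supplier: str
    number: str
    po: Optional[str]  # None when the invoice quotes no order number
    qty: int
    unit_price: Decimal


# Assumed tolerance: 2% of the order value for the quantity invoiced, capped.
TOLERANCE_PCT = Decimal("0.02")
TOLERANCE_CAP = Decimal("25.00")


class InvoiceRegister:
    def __init__(self, orders, receipts):
        self.orders = {o.po: o for o in orders}
        self.received = {}
        for r in receipts:
            self.received[r.po] = self.received.get(r.po, 0) + r.qty_received
        self.seen = set()          # (supplier, normalised invoice number)
        self.invoiced_qty = {}     # quantity already matched per order
        self.matched, self.held, self.rejected = [], [], []

    def process(self, inv):
        """Classify one invoice as matched, held (for purchasing or senior
        management to clear) or rejected. Returns the classification."""
        key = (inv.supplier, inv.number.strip().upper())
        if key in self.seen:
            return self._reject(inv, "duplicate invoice number for this supplier")
        self.seen.add(key)  # remembered even if held, so a re-input is caught

        if inv.po is None:
            return self._hold(inv, "no order number: needs senior management authorisation")
        order = self.orders.get(inv.po)
        if order is None:
            return self._reject(inv, "order not on the system")
        if order.supplier != inv.supplier:
            return self._reject(inv, "order belongs to a different supplier")

        # Quantity: never let invoiced quantity run ahead of goods received.
        already = self.invoiced_qty.get(inv.po, 0)
        if already + inv.qty > self.received.get(inv.po, 0):
            return self._hold(inv, "invoiced quantity exceeds quantity received")

        # Price: compare against the order price within the tolerance.
        order_value = order.unit_price * inv.qty
        variance = abs(inv.unit_price * inv.qty - order_value)
        limit = min(order_value * TOLERANCE_PCT, TOLERANCE_CAP)
        if variance > limit:
            return self._hold(inv, f"price variance {variance} exceeds tolerance {limit}")

        self.invoiced_qty[inv.po] = already + inv.qty
        self.matched.append(inv)
        return "matched"

    def _hold(self, inv, reason):
        self.held.append((inv, reason))
        return "held"

    def _reject(self, inv, reason):
        self.rejected.append((inv, reason))
        return "rejected"


def run_constructed_batch():
    """Constructed orders, receipts and invoices (not real data); returns the register."""
    orders = [
        Order("PO1001", "acme", 10, Decimal("12.50")),
        Order("PO1002", "bolt", 4, Decimal("100.00")),
    ]
    receipts = [Receipt("PO1001", 10), Receipt("PO1002", 2)]  # PO1002 part-delivered
    invoices = [
        Invoice("acme", "INV-1", "PO1001", 10, Decimal("12.50")),  # clean match
        Invoice("acme", "inv-1", "PO1001", 10, Decimal("12.50")),  # same number re-input
        Invoice("bolt", "INV-7", "PO1002", 4, Decimal("100.00")),  # more than received
        Invoice("bolt", "INV-8", "PO1002", 2, Decimal("110.00")),  # price out of tolerance
        Invoice("bolt", "INV-9", "PO1002", 2, Decimal("101.00")),  # within tolerance
        Invoice("acme", "INV-2", "PO1002", 1, Decimal("1.00")),    # another supplier's order
        Invoice("acme", "INV-3", None, 1, Decimal("40.00")),       # no order at all
    ]
    reg = InvoiceRegister(orders, receipts)
    for inv in invoices:
        reg.process(inv)
    return reg


if __name__ == "__main__":
    reg = run_constructed_batch()
    for inv, reason in reg.held + reg.rejected:
        print(f"{inv.supplier} {inv.number}: {reason}")
```

Two design points matter for the audit tests in this section. The duplicate check normalises the invoice number (case and whitespace) and records it before any hold decision, so re-keying a held invoice is still caught. The quantity check accumulates what has already been matched against the order, which is what stops a second, otherwise valid, invoice being paid for goods that were only received once.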
4 5 8 2 2 5 4.5.8.2.2
Purchasing expenses -
Invoice filed
After input of the invoice, it is sent for microfiching and
the paper copy destroyed
Invoices are not filed and microfiched Invoices are sequentially numbered on input. When
microfiching, the continuity of these numbers is checked
The fiche are checked by staff when
received back from the microfiching
department
Check a selection of fiche to ensure no numbers are
missing
Not applicable
4 5 8 2 3 5 4.5.8.2.3
Purchasing expenses -
no invoice received, for
example tax
Receive a properly approved cheque requisition, with
supporting documentation
Incorrect payments may be made Computer payments can only be made against invoices
matched to orders, or authorised invoices. Payments
can only be generated by staff who do not have access
to order, invoice or supplier master data input. Manual
payment cheques must be supported by the cheque
requisition and signed by two senior managers
Budget holders should check the
actual expenditure against their
budget each month
Check a sample of cheque requistions, to ensure this
type of transaction should have been used (that is no
invoice is available) nad it was properly approved.
Check that the item being paid for is genuine
Not applicable
Ref 4.5.8.2.4 (level 5): Purchasing expenses - payment
Process description: The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details in the computer, or by paying with a manual cheque.
Risk to process: Computer payment is made for goods or services which have not been received
Example control: Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payment cheques must be supported by the original invoices and signed by two senior managers
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Check a sample of payments taken from the cash sheets to prove that the goods/services paid for were received
Test ref: Not applicable
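The matching and payment controls described for invoice input (4.5.8.2.1), cheque requisitions (4.5.8.2.3) and payment (4.5.8.2.4) can be modelled in code; the following is an added example, not part of the audit database or any system it describes. The record fields, the 2% / 5.00 tolerance, the role names and the sample order and invoices are all constructed for the example.

```python
"""Three-way invoice match and payment release with division of duties.

Added example, not code from the audit database. An invoice carrying an order
number is matched against the order and the goods receipts for quantity and
price; differences outside a pre-defined tolerance are held for purchasing to
clear; an invoice with no order needs senior management authorisation; and a
payment can only be generated by a user with no access to order, invoice or
supplier master data input. Field names, tolerances and data are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Constructed tolerance: a unit-price difference is cleared automatically if it
# is within 2% of the order price or within 5.00, whichever is larger.
PRICE_TOLERANCE_PCT = Decimal("0.02")
PRICE_TOLERANCE_ABS = Decimal("5.00")

# Input functions that must never be combined with payment generation.
INPUT_ROLES = frozenset({"order", "invoice", "supplier_master"})


@dataclass(frozen=True)
class Order:
    number: str
    supplier: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class Receipt:
    order_number: str
    quantity: int


@dataclass(frozen=True)
class Invoice:
    number: str
    supplier: str
    quantity: int
    unit_price: Decimal
    order_number: Optional[str] = None
    senior_authorised_by: Optional[str] = None


@dataclass(frozen=True)
class User:
    name: str
    access: frozenset  # functions the user may input, e.g. {"order", "payment"}


def match_invoice(inv, orders, receipts):
    """Three-way match. Returns (status, reason); status is MATCHED,
    AUTHORISED, HELD or REJECTED."""
    if inv.order_number is None:
        if inv.senior_authorised_by:
            return "AUTHORISED", f"no order; authorised by {inv.senior_authorised_by}"
        return "HELD", "no order and no senior management authorisation"
    order = orders.get(inv.order_number)
    if order is None:
        return "REJECTED", f"order {inv.order_number} not on the system"
    if order.supplier != inv.supplier:
        return "REJECTED", "supplier on invoice differs from supplier on order"
    received = sum(r.quantity for r in receipts if r.order_number == inv.order_number)
    if inv.quantity > received:
        return "HELD", f"invoiced {inv.quantity} but only {received} received"
    diff = abs(inv.unit_price - order.unit_price)
    allowed = max(PRICE_TOLERANCE_ABS, order.unit_price * PRICE_TOLERANCE_PCT)
    if diff > allowed:
        return "HELD", f"unit price differs by {diff}, tolerance is {allowed}"
    return "MATCHED", "quantity covered by receipts and price within tolerance"


def may_generate_payment(user):
    """Division of duties: payment access and none of the input roles."""
    return "payment" in user.access and not (user.access & INPUT_ROLES)


def release_payment(inv, status, user):
    """Generate a payment only for a matched or authorised invoice, and only
    for a user who passes the division-of-duties check."""
    if status not in ("MATCHED", "AUTHORISED"):
        return False, f"{inv.number} is {status}, not payable"
    if not may_generate_payment(user):
        return False, f"{user.name} has input access; division of duties not enforced"
    return True, f"pay {inv.quantity * inv.unit_price} to {inv.supplier}"


# Constructed sample data: one order, received in two deliveries, five invoices.
ORDERS = {"PO-1001": Order("PO-1001", "Acme Ltd", 10, Decimal("120.00"))}
RECEIPTS = [Receipt("PO-1001", 6), Receipt("PO-1001", 4)]
INVOICES = [
    Invoice("INV-1", "Acme Ltd", 10, Decimal("121.00"), "PO-1001"),  # within tolerance
    Invoice("INV-2", "Acme Ltd", 10, Decimal("135.00"), "PO-1001"),  # price out of tolerance
    Invoice("INV-3", "Acme Ltd", 12, Decimal("120.00"), "PO-1001"),  # more than received
    Invoice("INV-4", "Tax Authority", 1, Decimal("5000.00")),        # no order, no authorisation
    Invoice("INV-5", "Tax Authority", 1, Decimal("5000.00"), senior_authorised_by="CFO"),
]
PAYMENTS_CLERK = User("payments clerk", frozenset({"payment"}))
BUYER = User("buyer", frozenset({"order", "payment"}))  # conflicting access


def run_sample():
    """Match every sample invoice and return {invoice number: status}."""
    return {inv.number: match_invoice(inv, ORDERS, RECEIPTS)[0] for inv in INVOICES}


if __name__ == "__main__":
    for inv in INVOICES:
        status, reason = match_invoice(inv, ORDERS, RECEIPTS)
        paid, note = release_payment(inv, status, PAYMENTS_CLERK)
        print(f"{inv.number}: {status:10} {reason}; paid={paid} ({note})")
```

The audit tests in these rows ("check the access to computer screens to ensure division of duties is enforced") correspond to checking which users would pass `may_generate_payment`.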
Ref 4.5.8.2.4 (level 5): Purchasing expenses - payment (process description as above)
Risk to process: Incorrect settlement discount is taken
Example control: Payment terms are set up on the supplier account. They can only be changed on written instructions from a buyer. Settlement discount can be overridden for a specific order, but only by a manager
Example monitoring: Payment terms are checked by buyers every 6 months
Tests: For the sample of payments used in the above test, check that the correct settlement discount has been taken
Test ref: Not applicable
Ref 4.5.8.2.4 (level 5): Purchasing expenses - payment (process description as above)
Risk to process: Payment is not made on the due date
Example control: Payment terms are set up on the supplier account. They can only be changed on written instructions from a buyer
Example monitoring: Payment terms are checked by buyers every 6 months
Tests: For the sample of payments used in the above test, check that the payment was made on the correct date
Test ref: Not applicable
©David M Griffiths Expense purchases database
Ref 4.5.8.2.4 (level 5): Purchasing expenses - payment (process description as above)
Risk to process: Manual payments made are fraudulent
Example control: Cheques are kept in a locked cupboard to prevent theft and subsequent forgery. Overseas payment instructions are signed by two directors. The bank has instructions to telephone the Chief Financial Officer if payments are over an agreed amount.
Example monitoring: Bank reconciliation will detect payments made not correctly entered in the books of account
Tests: For a sample of manual and overseas payments, ensure that goods/services were received. Check the bank understands its instructions to phone the CFO. If appropriate, carry out a separate audit on foreign payments
Test ref: Not applicable
Ref 4.5.8.2.4 (level 5): Purchasing expenses - payment (process description as above)
Risk to process: Cheques are altered or forged
Example control: Cheque signing signatures are embossed. Cheques are printed by specialist printers with the latest security features
Example monitoring: Bank reconciliation will detect payments made not correctly entered in the books of account
Tests: Observe the cheque printing process to ensure it is physically secure. Check that the signature plates are stored in a safe with limited access
Test ref: Not applicable
Ref 4.5.8.2.4 (level 5): Purchasing expenses - payment (process description as above)
Risk to process: The payment output file is altered. (This file holds payment data to be transmitted to the bank, or used to print cheques)
Example control: Access controls on the computer to prevent alteration
Example monitoring: Exception reports, checked by management, which detail exceptional alterations to files
Tests: Obtain details of those staff with access to the computer files. They should only be senior IT staff with no access to accounting systems
Test ref: Not applicable
Ref 4.5.8.2.5 (level 5): Purchase expense invoices / credit notes posted to accounts
Process description: Invoices and payments are posted to the general (nominal) ledger in the same accounting period
Risk to process: Invoices / credit notes are posted to incorrect accounts
Example control: Invoices are posted to the cost centre and nominal account set up on the requisition. The computer verifies that these exist and prevents certain combinations of cost centre and nominal codes
Example monitoring: Budget holders check their expenses each month for incorrect items. In addition, Financial Accounts check balances to the previous month's and investigate significant discrepancies
Tests: For a sample of invoices, check the coding is correct
Test ref: Not applicable
Ref 4.5.8.2.6 (level 5): Accounts Payable month-end processes
Process description: In order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer, from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued. To ensure details have been correctly passed from the accounts payable system to the general ledger, the total of the accounts payable ledger is reconciled to the accounts payable control account in the general ledger
Risk to process: Accruals not calculated
Example control: The value of all goods received not invoiced is calculated by the computer
Example monitoring: Comparison made with previous month's figure. Major differences investigated
Tests: Check the report providing the accruals figure. Check that large variances from the previous month have been explained
Test ref: Not applicable
Ref 4.5.8.2.6 (level 5): Accounts Payable month-end processes (process description as above)
Risk to process: Accruals not calculated correctly
Example control: In major expense service functions (for example advertising) managers must detail services provided which have not been invoiced
Example monitoring: Major variances from budget are investigated
Tests: Check the composition of the accruals figure. For a sample of receipts on the report, ensure they are recent and obtain explanations why old receipts have not had invoices processed
Test ref: Not applicable
Ref 4.5.8.2.6 (level 5): Accounts Payable month-end processes (process description as above)
Risk to process: Accounts payable ledger total does not represent all liabilities
Example control: Total of supplier balances reconciled to Accounts Payable control account in the General ledger
Example monitoring: Reconciliation is signed by a senior manager
Tests: For a number of months, check this reconciliation has been properly carried out
Test ref: Not applicable
Ref 4.5.8.2.7 (level 5): Manage the accounts payable ledger
Process description: Ensure the accounts payable ledger is correctly updated, properly represents amounts owed to creditors and is correctly included in the accounts of the organisation
Risk to process: Accounts payable ledger total does not represent all liabilities
Example control: Sample check reconciliation of Supplier statements to the Accounts Payable balance
Example monitoring: The check is noted and scrutinised by a senior manager at month-end
Tests: Scrutinise the reconciliations carried out to ensure they contain no unusual items. If necessary, reperform some reconciliations to ensure they are correct
Test ref: Not applicable
Ref 4.5.8.2.7 (level 5): Manage the accounts payable ledger (process description as above)
Risk to process: Supplier with a debit balance, due to credits issued, goes out of business
Example control: Exception report highlighting large debit balances. Payment stop put on the account. Systems in place to request repayment of the amount owing
Example monitoring: Management scrutiny of large debit balances each month, with a progress report on their recovery
Tests: Check the accounts payable list of balances for debit balances. For a sample of balances, determine why they arose and the action being taken to recover them
Test ref: Not applicable
Ref 4.5.8.3 (level 4): Provide systems
Process description: Provide systems, including computer systems, to support the organisation's operations (Summary level)
Risk to process: n/a
Test ref: Not applicable
Ref 4.5.8.3.1 (level 5): Maintain central systems
Process description: The proper operation of applications is maintained by a central IT department
Risk to process: Data lost through main computer failure, systems unavailable for a prolonged period
Example control: Range of controls maintained by the IT department
Example monitoring: Users monitor their output, such as reconciling the accounts payable balance with the general ledger
Tests: Covered by audits of the IT processes
Test ref: Not applicable
Ref 4.5.8.3.2 (level 5): Maintain user systems
Process description: Users set up their own computer systems (for example spreadsheets) to produce data
Risk to process: User-maintained systems lose data
Example control: Data is kept on the network which is backed-up daily
Example monitoring: IT management should monitor system reports
Tests: Ensure data is backed-up - try retrieving yesterday's files. If a stand-alone computer, check back-up to discs
Test ref: Not applicable
Ref 4.5.8.3.2 (level 5): Maintain user systems (process description as above)
Risk to process: User-maintained systems produce inaccurate data
Example control: All important data is checked, or reconciled, to an independent source to ensure it is correct. If this is not possible, some manual reperformance of calculations, or checks of formulas.
Example monitoring: Output should be examined for "reasonableness"
Tests: Check formulas are correct. If possible use a spreadsheet analyser to detect possible problems. Reperform important calculations manually, if possible.
Test ref: Not applicable
Ref 4.5.8.3.2 (level 5): Maintain user systems (process description as above)
Risk to process: User-maintained systems understood by only the programmer
Example control: A user guide has been written and independently tested after each revision
Example monitoring: Manager holds a copy
Tests: Check all programs have a clearly written user guide.
Test ref: Not applicable
Ref 4.5.8.4 (level 4): Prepare management accounts
Process description: Collect the data from processed transactions into accounts for management to make decisions
Risk to process: Information is incorrectly analysed and summarised
Example control: Totals on the management accounts are reconciled to totals from the accounts payable system
Example monitoring: Output should be examined for "reasonableness"
Tests: Trace figures from the accounts payable system through to totals in the top level management accounts
Test ref: Not applicable
Ref 4.5.8.5 (level 4): Prepare financial accounts
Process description: Collect the data from processed transactions into accounts for statutory or tax purposes
Risk to process: Information is incorrectly analysed and summarised
Example control: Each month, or more frequently, the accounts payable ledger total is reconciled to the accounts payable control account in the general ledger
Example monitoring: Manager checks the reconciliation. Management and financial accounts are reconciled
Tests: Trace figures from the accounts payable system through to totals in the top level financial accounts
Test ref: Not applicable
Ref 4.5.8.6 (level 4): Provide staff
Process description: Recruit staff and manage staff policies (Summary level)
Test ref: Not applicable
Ref 4.5.8.6.1 (level 5): Establish job descriptions
Process description: Job descriptions, in accordance with policy, are written and approved
Risk to process: Staff competencies required have not been identified
Example control: All jobs have written job descriptions, which show the competencies required
Example monitoring: HR and manager sign off job descriptions
Tests: Check for job descriptions of all staff levels
Test ref: Not applicable
Ref 4.5.8.6.2 (level 5): Carry out regular appraisals
Process description: Targets are set for staff with regular appraisals in accordance with policy
Risk to process: Actual competencies of the staff have not been matched with required competencies
Example control: The targets take into account the competencies required
Example monitoring: HR and manager sign off appraisals
Tests: Check appraisal files
Test ref: Not applicable
Ref 4.5.8.6.3 (level 5): Training of staff
Process description: Staff are trained in order to achieve their targets with maximum effectiveness and efficiency, within the ethical guidelines
Risk to process: Training is not provided, or is inadequate. For example it omits ethical guidance
Example control: Training is provided when taking on new responsibilities and during a job, to ensure the staff member understands how to do the job and the controls which must operate
Example monitoring: Managers monitor the training their staff receive to ensure it is appropriate at all times
Tests: Check training materials. Ask staff who have recently changed jobs about their training
Test ref: Not applicable
Ref 4.5.8.6.3 (level 5): Training of staff (process description as above)
Risk to process: Staff not allowed to attend training
Example control: Clear policy from the board that training is important.
Example monitoring: HR monitor staff not attending training courses and determine why
Tests: Question staff who have been on courses
Test ref: Not applicable
Ref 4.5.8.6.4 (level 5): Recruit suitable staff
Process description: Recruit staff to fill vacancies
Risk to process: Applicants falsify references
Example control: All references and qualifications are checked by HR
Example monitoring: Manager can request references if required
Tests: Take a sample of recent joiners and check that references were supplied. (Other tests are carried out as part of the audit of HR)
Test ref: Not applicable
Ref 4.5.8.6.4 (level 5): Recruit suitable staff (process description as above)
Risk to process: Insufficient staff are available to carry out all duties, and maintain division of duties
Example control: HR maintain succession plans for senior key staff. Managers have plans for other key staff
Example monitoring: Senior managers should monitor their managers to ensure succession plans exist
Tests: Examine staff budgets to ensure staff numbers are being maintained at levels which ensure controls are operated
Test ref: Not applicable
Ref 4.5.8.7 (level 4): Provide legal services
Process description: Advise all areas of the company concerning action to be taken on legislation
Risk to process: Staff involved in expense purchasing are not aware of legislation which affects them, thus threatening the organisation with prosecution
Example control: There is a clear, preferably written, understanding that legal services will update the appropriate managers with legislation which affects them. The managers will brief their staff
Example monitoring: Senior management check that important legislation is understood by the functions under their control
Tests: Determine when the last update from legal services was received and how it was briefed to staff. If you are aware of any legislation affecting the processes being audited (for example competition legislation), make sure it has been briefed in. These processes will also be covered by audit BS
Test ref: Not applicable
Ref 4.5.8.8 (level 4): Provide tax services
Process description: Advise all areas of the company concerning action to be taken on tax legislation
Risk to process: Staff involved in expense purchasing are not aware of tax legislation which affects them, thus threatening the organisation with fines or the loss of tax credits
Example control: Regular briefings from tax department to all staff concerned. Induction training to include the relevant aspects of tax
Example monitoring: Senior manager to check that new tax legislation has been briefed to staff
Tests: Ask staff about their induction. Do they understand the tax implications of their work? Check invoices for correct treatment of taxes (for example VAT)
Test ref: Not applicable
Ref 4.5.8.9 (level 4): Ensure health & safety
Process description: Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers
Risk to process: Suppliers provide services without observing safety procedures, resulting in injury to staff
Example control: Audit of suppliers to ensure they understand health and safety legislation. Orders and contracts contain clauses to ensure suppliers comply with regulations
Example monitoring: Qualified staff check suppliers working
Tests: Examine documents given to suppliers and their written agreement. Attend, with qualified staff, the suppliers working on-site
Test ref: Not applicable
Ref 4.5.8.10 (level 4): Manage the environment
Process description: Ensure the operations of the organisation obey all environmental laws and good practice
Risk to process: Goods purchased, for example cleaning solvents, may create an unsafe environment for employees
Example control: Purchasing staff have training on general health and safety topics, with specific training for staff ordering chemicals and other potentially hazardous items
Example monitoring: Periodic audits by health and safety department
Tests: Check training records, and H & S audit documentation
Test ref: Not applicable
Ref 4.5.8.12 (summary level): Ensure security
Process description: The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation (Summary level)
Test ref: Not applicable
Ref 4.5.8.12.1 (level 5): Provide security
Process description: All assets, including physical assets, stock and information, are physically secure
Risk to process: Loss of the organisation's assets
Example control: All buildings have entry restricted by card operated gates
Example monitoring: Periodic audits, by security department, of the access to buildings
Tests: During audit, observe security precautions. Otherwise the tests of physical security are carried out in audit group BX
Test ref: Not applicable
Ref 4.5.8.12.2 (level 5): Identify documents required to achieve the objective of these processes
Process description: Decide on the documents, paper or electronic, which are essential to the operation of expense purchases, or for tax reasons. These may include paper orders, supplier invoices, cash sheets and cheques
Risk to process: Documents essential to operations (such as cheques) may be lost in a fire
Example control: Supplies of paper documents, such as orders and cheques, are stored in a separate building. Documents which must be kept for tax purposes are microfiched, and these are stored in a fireproof safe
Example monitoring: It is the responsibility of the departmental manager to ensure documents are retained and securely stored for as long as necessary
Tests: Check the existence of the paper documents kept off-site. Check that all microfiche are stored in the fireproof safe, with none left out at night.
Test ref: Not applicable
Ref 4.5.8.12.3 (level 5): Decide on arrangements to safeguard these
Process description: For each document, decide on the appropriate storage medium
Risk to process: Level of protection may not be sufficient
Example control: A formal process has been carried out to identify the documents used and their method of storage
Example monitoring: It is the responsibility of the departmental manager to ensure documents are retained and securely stored for as long as necessary
Tests: Check for evidence of the formal process, and that it is being followed
Test ref: Not applicable
Ref 4.5.8.13 (level 4): Communicate
Process description: Inform internal and external stakeholders of the organisation's policies and intentions
Risk to process: Reputation of the company suffers because the press are mis-informed about the organisation's policy of not using suppliers who might use child labour
Example control: A documented ethical policy, which includes purchasing policy
Example monitoring: The Ethical Committee ensures a complete policy is communicated to all stakeholders
Tests: Examine the policy and check specifically for purchasing policy
Test ref: Not applicable
Ref 4.5.8.14 (level 4): Manage risks threatening expense purchasing processes (Summary level)
Test ref: Not applicable
Ref 4.5.8.14.1 (level 5): Identify risks
Process description: Risk workshops and interviews are held to determine the risks threatening the objectives of the expense purchasing function
Risk to process: Risks are not known
Example control: Quarterly examination of the risk register by management, with written confirmation to Internal Audit of changes, or confirmation that no changes are necessary
Example monitoring: Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls
Tests: Examine processes to set up the risk register and examine the register. Ensure all types of risk, including external risks, have been considered
Test ref: Not applicable
Ref 4.5.8.14.2 (level 5): Evaluate risks
Process description: Score the risks on the organisation's likelihood and consequence scales
Risk to process: Significant risks are not understood
Example control: Quarterly examination of the risk register by management, with written confirmation to Internal Audit of changes, or confirmation that no changes are necessary
Example monitoring: Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls
Tests: Examine the process which scores the risks
Test ref: Not applicable
Ref 4.5.8.14.3 (level 5): Control risks
Process description: For all risks, decide on a cost-effective control to reduce the risk to the risk appetite of the organisation
Risk to process: Significant risks are not controlled
Example control: Controls are put into operation which reduce residual risks to the risk appetite of the organisation
Example monitoring: Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls
Tests: Check controls as part of the audit
Test ref: Not applicable
Column key

L1: Level 1 risk number. Corresponds to the Risk database
L2: Level 2 risk number. Corresponds to the Risk database
L3: Level 3 risk number
L4: Level 4 risk number
L5: Level 5 risk number
L: Level of the process on this row (1 to 5)
Ref: Reference number of the process (L1.L2.L3.L4.L5). This is a unique number which defines this process throughout the organisation
Process: Title of the process
Process Description: A brief description of what the process does. Any more details should be filed in the audit file
Risk to process: The threat to the process. There may be several risks to one process, or one risk may threaten several processes
Risk source: Who identified the risk (management, risk workshop, auditor, meeting)
IRC: Inherent risk consequence score. See "Scoring risks" worksheet
IRL: Inherent risk likelihood score. See "Scoring risks" worksheet
IRS: Inherent risk scores multiplied to give significance
Example control: An example of a control which might mitigate the risks
Example monitoring: An example of a monitoring control which might check the operation of the control
Tests: An example of a test which might confirm the operation of the control
Ref: Reference to the schedule giving more details of the test
RRC: Residual risk consequence score. See "Scoring risks" worksheet
RRL: Residual risk likelihood score. See "Scoring risks" worksheet
RRS: Residual risk scores multiplied to give significance
Cont score: Control score = IRS - RRS. The higher it is, the more important the control
Issue: Details where the risk is not mitigated to the acceptable level ("Risk appetite")
Action: Action which management is taking to reduce the risk
By whom: The job title and name of the person responsible for ensuring the action takes place
Conclusion Risks: Conclusion on risk management (see "Allocating conclusions" worksheet)
Conclusion Controls: Conclusion on the adequacy of internal controls (see "Allocating conclusions" worksheet)
Conclusion Action: Conclusion on any action required to reduce risks (see "Allocating conclusions" worksheet)
Conclusion Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls (see "Allocating conclusions" worksheet)
Report ref: The paragraph number in the report where the issue is reported
Follow-up Risks: Conclusion on risk management from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Controls: Conclusion on the adequacy of internal controls from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Action: Conclusion on any action required to reduce risks from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls from the last follow-up audit (see "Allocating conclusions" worksheet)
Advice on scoring risks (inherent and residual): 1 to 3 scale

If the consequence when the risk occurs is: | OR the likelihood of the risk occurring is: | Then the measure is defined to be:
To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk > £100,000 | Almost certain | High (3)
To stop the organisation achieving its objectives for a limited period. Cash at risk < £100,000 and > £5,000 | Possible | Medium (2)
To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk < £5,000 | Unlikely | Low (1)

Values are an example only. They should be agreed at board level as part of setting the risk appetite of the organisation.

Grading individual risks (residual)

Risk score = Likelihood score X Consequence score

Likelihood of residual risk (rows) against consequence of residual risk (columns):

                Low (1)                Medium (2)             High (3)
Low (1)         1 Acceptable           2 Acceptable           3 Supplementary Issue
Medium (2)      2 Acceptable           4 Issue                6 Unacceptable
High (3)        3 Supplementary Issue  6 Unacceptable         9 Unacceptable

Unacceptable: Immediate action required to control the risk
Issue: Action required to control the risk
Supplementary issue: Action is advisable if it is cost-effective
Acceptable: No action required
Advice on scoring risks (inherent and residual)1 to 5 scale
If the consequence when the
risk occurs is:OR the likelihood of
the risk occurring is:A catastrophic impact on the
organisation, threatening its
existence
Cash at risk> £1,000,000
To prevent the organisation
achieving all, or a major part, of its
objectives for a long time.
Cash at risk <£1,000,000
>£100,000
To stop the organisation achieving
its objectives for a limited period.
Cash at risk <£100,000 >£30,000
To stop the organisation achieving
its objectives for a limited period.
Cash at risk <£30,000 >£5,000
To cause minor inconvenience,
not affecting the achievement of
objectives
Cash at risk <£5,000
Almost certain
Probable
Unlikely
Possible
Rare
6
Unacceptable
risk
9
Unacceptable
risk
2
Acceptable
4
Issue
risk
6
Unacceptable
risk
1
Acceptable
2
Acceptable
Low(1) Medium (2) High (3)
Lik
elih
oo
d o
f re
sid
ual
risk
Consequence of residual risk
Low
(1)
M
ed
ium
(2)
Hig
h (
3)
3
Acceptable
3
Acceptable
Supplementary
Issue
3
Supplementary
Issue
3
6
Unacceptable
risk
9
Unacceptable
risk
2
Acceptable
4
Issue
risk
6
Unacceptable
risk
1
Acceptable
2
Acceptable
Low(1) Medium (2) High (3)
Lik
elih
oo
d o
f re
sid
ual
risk
Consequence of residual risk
Low
(1)
M
ed
ium
(2)
Hig
h (
3)
3
Acceptable
3
Acceptable
Supplementary
Issue
3
Supplementary
Issue
3
Rare
(1)
U
nlik
ely
(2)
Possib
le (
3)
P
robable
(4
)A
lmost
cert
ain
(5
)
2
Acceptable
Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5)
Lik
elih
oo
d o
f re
sid
ual ri
sk
Consequence of residual risk
16Unacceptable
3
Acceptable
2
Acceptable
1
Acceptable
5Supplementary
Issue
3
Acceptable
5Supplementary
Issue
4
Acceptable
4
Acceptable
4
Acceptable
6Supplementary
Issue
6Supplementary
Issue
9
Issue
12
Issue
8Supplementary
Issue
8Supplementary
Issue
12
Issue
10
Issue
10
Issue15
Unacceptable
20Unacceptable
15Unacceptable
20Unacceptable
25Unacceptable
Rare
(1)
U
nlik
ely
(2)
Possib
le (
3)
P
robable
(4
)A
lmost
cert
ain
(5
)
2
Acceptable
Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5)
Lik
elih
oo
d o
f re
sid
ual ri
sk
Consequence of residual risk
16Unacceptable
3
Acceptable
2
Acceptable
1
Acceptable
5Supplementary
Issue
3
Acceptable
5Supplementary
Issue
4
Acceptable
4
Acceptable
4
Acceptable
6Supplementary
Issue
6Supplementary
Issue
9
Issue
12
Issue
8Supplementary
Issue
8Supplementary
Issue
12
Issue
10
Issue
10
Issue15
Unacceptable
20Unacceptable
15Unacceptable
20Unacceptable
25Unacceptable
Risk score = Likelihood score X Consequence score
Unacceptable: Immediate action required to control the risk
Issue: Action required to control the risk
Supplementary issue: Action is advisable if it is cost-effective
Acceptable: No action required
6
Unacceptable
risk
9
Unacceptable
risk
2
Acceptable
4
Issue
risk
6
Unacceptable
risk
1
Acceptable
2
Acceptable
Low(1) Medium (2) High (3)
Lik
elih
oo
d o
f re
sid
ual
risk
Consequence of residual risk
Low
(1)
M
ed
ium
(2)
Hig
h (
3)
3
Acceptable
3
Acceptable
Supplementary
Issue
3
Supplementary
Issue
3
6
Unacceptable
risk
9
Unacceptable
risk
2
Acceptable
4
Issue
risk
6
Unacceptable
risk
1
Acceptable
2
Acceptable
Low(1) Medium (2) High (3)
Lik
elih
oo
d o
f re
sid
ual
risk
Consequence of residual risk
Low
(1)
M
ed
ium
(2)
Hig
h (
3)
3
Acceptable
3
Acceptable
Supplementary
Issue
3
Supplementary
Issue
3
Rare
(1)
U
nlik
ely
(2)
Possib
le (
3)
P
robable
(4
)A
lmost
cert
ain
(5
)
2
Acceptable
Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5)L
ikelih
oo
d o
f re
sid
ual ri
sk
Consequence of residual risk
16Unacceptable
3
Acceptable
2
Acceptable
1
Acceptable
5Supplementary
Issue
3
Acceptable
5Supplementary
Issue
4
Acceptable
4
Acceptable
4
Acceptable
6Supplementary
Issue
6Supplementary
Issue
9
Issue
12
Issue
8Supplementary
Issue
8Supplementary
Issue
12
Issue
10
Issue
10
Issue15
Unacceptable
20Unacceptable
15Unacceptable
20Unacceptable
25Unacceptable
Rare
(1)
U
nlik
ely
(2)
Possib
le (
3)
P
robable
(4
)A
lmost
cert
ain
(5
)
2
Acceptable
Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5)L
ikelih
oo
d o
f re
sid
ual ri
sk
Consequence of residual risk
16Unacceptable
3
Acceptable
2
Acceptable
1
Acceptable
5Supplementary
Issue
3
Acceptable
5Supplementary
Issue
4
Acceptable
4
Acceptable
4
Acceptable
6Supplementary
Issue
6Supplementary
Issue
9
Issue
12
Issue
8Supplementary
Issue
8Supplementary
Issue
12
Issue
10
Issue
10
Issue15
Unacceptable
20Unacceptable
15Unacceptable
20Unacceptable
25Unacceptable
Then the measure is
defined to be:
Catatrophic (5)
Major (2)
Insignificant (1)
Moderate (2)
Minor (2)
Audit: Purchasing and payment of expense goods and services
Advice on allocating conclusions

Conclusion on: Risks have been identified, evaluated and managed
  Acceptable (green):  Thorough processes have been used and all significant risks should have been identified
  Issue (amber):       Processes have been used, but there are some deficiencies
  Unacceptable (red):  Inadequate, or no, processes have been used

Conclusion on: Internal controls reduce risks to acceptable levels
  Acceptable (green):  The risk is being mitigated to an acceptable level by the control(s)
  Issue (amber):       The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved
  Unacceptable (red):  The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results; or the risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results

Conclusion on: Action being taken to promptly remedy significant failings or weaknesses
  Acceptable (green):  The action being taken will result in all risks being mitigated
  Issue (amber):       The action being taken will result in some reduction in risk but not to acceptable levels
  Unacceptable (red):  No action is being taken, or insufficient action is being taken to mitigate risks

Conclusion on: Current levels of monitoring are sufficient
  Acceptable (green):  No more monitoring is necessary than is done at present
  Issue (amber):       Some additional monitoring is required
  Unacceptable (red):  Major improvements are required to the monitoring of controls

Scoring, colour and grading
                         Acceptable                Issue              Unacceptable
Score (1 to 3 scale)     0, 1, 2 or 3              4 (possibly 3)     6 or 9
Score (1 to 5 scale)     =<8                       >9 <14             >14
Colour                   green                     amber              red
Grading                  Acceptable                Issues             Unacceptable
Report as                Supplementary issue, if   Key issue          Key issue
                         cost effective controls
                         can reduce the risk
                         further, otherwise do
                         not report