Guide on Risk Based Internal Audit Plan
DISCLAIMER:
The views expressed in this Guide are those of the author(s). The Institute of Chartered Accountants of India may not necessarily subscribe to the views expressed by the author(s).
Internal Audit Standards Board
The Institute of Chartered Accountants of India
(Set up by an Act of Parliament)
New Delhi
© The Institute of Chartered Accountants of India
Email : cia@icai.in
Website : www.icai.org
Contents
Foreword
Preface
Chapter 1: Introduction
  Objective
Chapter 2: Need for Risk Based Internal Audit Plan
Chapter 3: RBIAP Concepts
Chapter 4: Responsibility for Developing RBIAP
Chapter 5: RBIAP - Development and Implementation
  Define Objective, Criteria and Risk Appetite
  Risk Categorization
  Risk Assessment Criteria
  Criteria for Assessing Control Environment
  Understanding the Business Environment and Processes
  Prepare Audit Universe
  Risk Assessment
  Risk Identification
  Risk Prioritization
  Assess Control Environment
  Develop Internal Audit Plan
  Planning and Developing Internal Audit Plan
  Implement and Update RBIAP
  Allocate Resources, Engagement Scheduling and Execution
  Reassess Risk and Control Environment and Update RBIAP
Chapter 6: Case Study
Chapter 1
Introduction
1.1 Traditionally, internal auditing was understood as a one-time exercise with limited documentation. The rise in corporate frauds over the last couple of decades has shifted the pendulum towards the need for strong and robust internal auditing and internal control systems. Regulators have also become more vigilant about the requirement for a strong internal control system, which has resulted in statutory obligations such as the Sarbanes-Oxley Act in the USA, Clause 49 of the Listing Agreement prescribed by SEBI and the recently notified Companies Act, 2013 and the rules thereunder. This has put organizations under increasing pressure to identify all the business risks they face and to explain how they manage them.
1.2 Risk-based Internal Auditing (RBIA) allows the internal auditor to provide assurance to the Board of Directors that risk management processes are managing risks effectively, having regard to the risk appetite of the organization. Risk-based internal auditing begins by reviewing the organizational objectives, then considers the risks that affect the achievement of those objectives, and examines the methodologies in place to mitigate those risks. The only defence auditors have in instances of corporate failure is sufficient, appropriate audit evidence showing that their work was properly performed, and such evidence is the product of a well-planned and well-performed audit. An audit plan, today a risk-based audit plan, is therefore a crucial component in the planning of an effective audit.
Objective
1.3 This guide provides guidance on developing and implementing an effective Risk Based Internal Audit Plan in an organization. It is meant for individuals who are already internal auditors, who are preparing to become one, or who are responsible for overseeing and controlling the business function(s).
Chapter 2
Need for Risk Based Internal Audit Plan
2.1 The Preface to the Standards on Internal Audit, issued by the Institute of Chartered Accountants of India, defines the term "internal audit" as, "Internal Audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity's strategic risk management and internal control system."
Standard on Internal Audit (SIA) 1 “Planning an Internal Audit”, lays down
that the internal auditor should, in consultation with those charged with
governance, including the audit committee, develop and document a
plan for each internal audit engagement to help him conduct the
engagement in an efficient and timely manner.
2.2 Standard on Internal Audit (SIA) 13 “Enterprise Risk Management”
mentions that “The internal auditor will normally perform an annual risk
assessment of the enterprise, to develop a plan of audit engagements for the
subsequent period. This plan will be reviewed at various frequencies in
practice. This typically involves review of the various risk assessments
performed by the enterprise (e.g., strategic plans, competitive benchmarking,
etc.), consideration of prior audits, and interviews with a variety of senior
management. It is designed for identifying internal audit key areas and, not
for identifying, prioritizing, and managing risks directly for the enterprise. The
internal audit plan, which should be approved by the audit committee,
should be based on risk assessment as well as on issues highlighted
by the audit committee and senior management. The risk assessment
process should be of a continuous nature so as to identify not only
residual or existing risks, but also emerging risks. The risk assessment
should be conducted formally at least annually, but more often in
complex enterprises. To serve this objective, the internal auditor should
design the audit work plan by aligning it with the objectives and risks of
the enterprise and concentrate on those issues where assurance is
sought by those charged with governance.”
2.6 Internal audit planning needs to make use of the organizational risk management process, where it has been developed by the organization. In planning an engagement, the internal auditor considers the significant risks of the activity and the means by which management mitigates the risk to an acceptable level. The internal auditor uses risk assessment techniques in developing the internal audit activity's plan and in determining priorities for allocating internal audit resources. Risk assessment is used to examine auditable units and select for review those areas, to be included in the internal audit activity's plan, that have the greatest risk exposure.
Chapter 3
RBIAP Concepts
3.1 The Risk Based Internal Audit Plan (RBIAP) is an important tool that helps the internal auditor respond to the challenges the internal audit function faces, and also enhances the quality of the services that the function provides. By following a structured approach to planning the internal audit, it can be concluded that:
A proper evaluation has been done to identify and assess the risks vis-a-vis the risk appetite of the company.
Plans to respond to the risks are effective in managing inherent risks within the risk appetite.
There is increased focus and a rigorous response to risks where residual risks are not in line with the risk appetite.
3.2 RBIAP is an approach to developing the internal audit plan in such a manner that all the business processes, covering both financial and operational activities, are reviewed by the internal audit function within a defined time cycle, generally varying from 3 to 5 years, while ensuring that appropriate consideration is given, and an adequate balance maintained, between the following:
The risk underlying the business process.
The value that the internal audit can provide to the organization.
The effort involved in conducting the internal audit for a particular business process.
Chapter 5
RBIAP - Development and Implementation
Figure: RBIAP overview - Risk identification; Filter risks (acceptable risks, under tolerance limit); Develop audit plan; Approval from Audit Committee.
Risk rating depends on the criteria set by the organization to assess and prioritise its risks. Depending on the risk appetite of the organization, a financial loss of Rs. 1 lakh could be 'minor' for a large PSU with an annual profit of Rs. 500 crore but 'major' for an organization with an annual profit of Rs. 50 lakh.
Risk Categorization
5.8 According to the Internal Control Framework issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, risks can be categorized as under:
Operational – Risks that impact the efficiency and effectiveness of the operations of the organization are categorized as operational risks, e.g., process delays in completing an activity, customer dissatisfaction, inadequate fund management, excess payment, etc. Some companies further split operational risk into financial and non-financial risk depending on the direct impact of the risk.
Reporting – The risk of incorrect financial reporting. Internal control weaknesses which may result in incorrect financial reporting are categorized as reporting risks, e.g., inadequate cut-off procedures, lack of senior management review of financial statements, etc.
Compliance – Risks that may result in non-compliance with the applicable regulatory requirements, e.g., delay in submission of taxes and returns, operating without obtaining the required licences, etc. These may result in fines and penalties being imposed on the organization.
5.9 Organizations also classify risks under additional categories depending on the nature of the business; e.g., a company operating in the energy sector could categorize its risks as:
Operational
Financial
Health, Safety and Environment
Compliance
Reporting
A company operating in a technology-intensive sector could categorize its risks as:
Operational
Financial
Technology
Compliance
Reporting
The important factors which could affect the selection of an auditable entity under the audit universe are:
(i) Organization vision, mission and objectives: The audit universe can include components from the organization's strategic plan. By incorporating components of the strategic plan, the audit universe will consider and reflect the overall business objectives. Inputs from senior management and the board should be obtained, and an assessment of the risks and exposures affecting the organization should be carried out.
(ii) Expectations from the internal audit function: The audit universe needs to factor in all the expectations from the internal audit function. The internal audit plan, audit execution and the outcome of the internal audit process depend on the quality and comprehensiveness with which the audit universe captures the expectations, focus areas and results expected from the internal audit activities.
(iii) Organization structure and set-up: The organisation structure needs to be understood while identifying the auditable entities. In the case of highly centralized operations, more attention should be given to the auditable units at corporate level, while in the case of decentralized operations a separate auditable entity needs to be identified for each plant/ branch/ regional office location as applicable.
(iv) Geographical location of the organisation: The geographical spread of the business also plays a key role in the selection of units. Every location needs to be considered and to have some place in the audit universe; however, the identification of the auditable unit needs to be evaluated together with the other points. E.g., in the case of a regional office with a small scale of operations and a lower number of transactions, the regional office can be considered one auditable entity and all its business processes reviewed together. However, if the scale of operations is larger, the location would need to be split into further functional areas, e.g., Procurement - RO, Sales & Marketing - RO, HR and Payroll - RO, etc.
(v) Scale of the operations: The scale of business operations should also be factored in while deciding an auditable entity. An entity with a very low scale of operations may not be cost effective to audit separately and may not yield actionable results, as it would fall within the comfort range of the organization's risk appetite.
Figure: Audit universe preparation steps - Assess objectives of auditable entities; Re-validate audit universe; Finalize audit universe; Develop RBIAP; Approve RBIAP.
Risk Assessment
5.19 The objective of the risk assessment is to assess the level of risk in the various business processes. Risk assessment focuses on the business environment, regulatory environment, organisation structure, organizational and business environmental changes, and specific concerns of management and the audit committee, to determine the areas of greatest risk. It also helps the internal auditor evaluate the control design and determine the desired audit scope. Risk assessment includes risk identification followed by risk prioritization based on defined criteria.
Risk Identification
5.20 Risk identification is the process of identifying all possible risks in the auditable entities identified at the time of preparing the audit universe. This includes evaluating 'what can go wrong' in the particular process attached to the identified auditable entity that could have an adverse impact on the organization. The adverse impact could take the form of financial loss, operational inefficiency and ineffectiveness, statutory non-compliance, incorrect reporting, etc. The quality and effectiveness of the risk assessment depend on the comprehensiveness and completeness of the risk identification exercise.
5.21 The first step in the risk identification exercise is to identify the events which may affect the entity, positively or negatively, in achieving its objectives. Such events may be classified as risks or opportunities depending on their impact on the organization. Risk identification is followed by risk filtration steps. Risks can be all-pervading; they can surface from the most obscure to the most obvious (but overlooked) areas. Similarly, their outcomes can range from the immaterial to the highly significant. These are matters which are quite difficult to appreciate or evaluate at the time of risk identification and are therefore best left for the next stage (Risk Prioritization). Nevertheless, given the practical limitations, some level of judgment will have to be applied in deciding what to include and what to exclude at the identification stage. Here, to ensure that no important matters are overlooked, it is always safer to begin by including all the risks and then filtering out everything which appears obviously insignificant and of remote probability of occurrence.
Risk Prioritization
5.22 The identified risks need to be prioritized based on the pre-defined criteria (refer Step 1 - Define objective, criteria and risk appetite). Risk prioritization is typically done on a scale of 1 to 5, as below:
Score 1 - Insignificant
Score 2 - Minor
Score 3 - Moderate
Score 4 - Major
Score 5 - Critical
5.23 Various factors could affect the risk prioritization and rating. The following factors need to be kept in mind while performing the risk prioritization exercise:
(i) "Auditable" risks associated with/ mapped to the business process, entity or location
(ii) Risk of non-compliance (penalty, etc.)
(iii) Magnitude of financial loss
(iv) Significance of threat to Health, Safety & Environment (HSE)
(v) Risk to the reputation of the organisation
(vi) Possibility of fraud/ misappropriation
(vii) History of frauds or irregularities
(viii) Management's assertion on impact
(ix) Magnitude of impact on organisational profitability
(x) Stability of IT systems
(xi) Complexity (volume of business, nature of business)
(xii) Results of earlier audits, external/ internal
Figure: Risk Rating Pyramid - Insignificant (1), Minor (2), Moderate (3), Major (4), Critical (5).
5.24 The preliminary risk rating can be assessed and interpreted using the methodology below.

Preliminary Risk Rating | Description | Illustrative parameters for assessing
1 | Insignificant | Process risks with insignificant risk to the organization; non-compliance with minor penalties; very low financial loss; no major threat to Health, Safety & Environment; no history of fraud/ misappropriation; minor impact on organizational profitability; stable IT and ERP systems.
2 | Minor | Process risks with minor risk to the organization; non-compliance with minor penalties; minor financial loss; no significant threat to Health, Safety & Environment; minor fraud/ misappropriation; minor impact on organizational profitability; stable IT and ERP systems.
3 | Moderate | Process risks with tolerable risk to the organization; non-compliance with major financial penalties; significant financial loss; possible threat to Health, Safety & Environment; possible fraud/ misappropriation; tolerable impact on organizational profitability.
5.27 The next step is to prepare the summarized risk register. The objective of the summarized register is to arrive at a consolidated risk rating for an auditable entity and so assess the overall inherent risk in that entity. Two techniques may be used to arrive at the summarized risk register:
(i) Arithmetic mean of preliminary risk ratings: In this method, the arithmetic mean of all the identified risk ratings is calculated to arrive at the consolidated risk rating. Given its simplicity, this is the most widely used technique for preparing the summarized risk register.
(ii) Weighted average of preliminary risk ratings: In this method, weights are assigned to all the identified risks on the basis of a statistical computation of the probability and quantification of the possible impact of each risk on the organisation. The weighted average of all the identified risk ratings is then calculated to arrive at the consolidated risk rating.
Illustrative Format of Summarized Risk Register

Auditable Entity: Procure to Pay (Consolidated Risk Rating: 3.25)
Sr. no. | Sub Process | Risk Description | Risk Category | Risk Score
1 | Procurement Planning | Procurement beyond the defined budgetary limits. | Financial Loss | 4
2 | Vendor Selection | Inadequate vendor selection due to non-compliance to procurement policies and procedures (incl. tendering) | Financial Loss | 4
3 | Ordering | Increased cost of procurement due to ineffective negotiation/ comparison of commercial bids submitted | Financial Loss | 5
Figure: Control Environment Rating scale - Very Strong (1), Strong (2), Moderate (3), Weak (4), Almost Missing (5).
5.32 The internal auditor needs to assess and consider the level of effectiveness of the control environment activities, and the risk of deficiencies in the control environment, while defining the audit universe and the RBIAP.
The control environment rating can be assessed and interpreted using the methodology below.

Control Environment Rating | Description | Illustrative parameters for assessing
1 | Very Strong | Existence of strong preventive or detective controls with a mechanism for continuous monitoring and updating of the same; strong legal compliance framework; well established ERP system and IT security measures; well defined and implemented policies and procedures; consistent organisation growth with rare surprises; balance of centralized versus decentralized operations within the organization.
2 | Strong | Defined preventive or detective controls; strong legal compliance framework; established ERP system and IT security measures; well defined policies and procedures with minor deviations; consistent organisation growth with unlikely losses; balance of centralized versus decentralized operations within the organization.
3 | Moderate | Defined preventive or detective controls but unlikely to be monitored and updated; legal compliance framework with minor deviations; established ERP system and IT security measures; defined policies and procedures but insufficient control over their implementation and compliance.
At this stage, the detailed risk register is replaced with a summarized risk register containing the following information:
(i) Auditable entity
(ii) Sub-process
(iii) Initial risk rating for each sub-process (i.e., the consolidated risk rating arrived at in the previous step)
(iv) Rationale for the initial risk rating
(v) Control environment rating
(vi) Rationale for the control environment rating
Illustrative Updated Risk Register

Sr. no. | Auditable Entity | Sub Processes | Initial Risk Rating | Rationale for initial risk rating | Control environment rating | Rationale for control environment rating
1 | Procure to Pay | Procurement Planning; Vendor Selection; Ordering; Receiving; Quality check; Invoicing; Accounts payables; Payment processing | 3.25 | High risk of financial loss and procurement at high prices | 4 | Weak IT system and manual controls. Policies and procedures not defined and ineffective monitoring by management.
At this stage, the summarized risk register would contain the following
information:
(i) Auditable entity
(ii) Sub process
(iii) Initial risk rating for each sub process
(iv) Rationale for initial risk rating
(v) Control environment rating
(vi) Rationale for control environment rating
(vii) Residual risk rating score
The matrix below gives the residual risk rating score for all combinations of the Preliminary Risk Assessment (columns) and Control Environment Rating (rows). Each cell is the preliminary rating multiplied by the row factor, i.e., preliminary rating x (6 - control environment rating).

Control Environment Rating | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Critical (5)
Very Strong (1) | 5 | 10 | 15 | 20 | 25
Strong (2) | 4 | 8 | 12 | 16 | 20
Moderate (3) | 3 | 6 | 9 | 12 | 15
Weak (4) | 2 | 4 | 6 | 8 | 10
Almost Missing (5) | 1 | 2 | 3 | 4 | 5
Selection of Risks
5.39 At this point, the risk and audit universe shows the risks, their scores and the audits linked to them. There will be a range of scores and, in drawing up the audit plan, a policy will have to be established about which risks to cover and how often. It is unlikely that the board or audit committee will require assurance on the management of every risk above the risk appetite every year. They may require assurance on the risks with a high likelihood of significant/ critical losses every year, but on other risks above the risk appetite only every two or three years. Note the audit action to be taken and the next audit year in the appropriate columns. The diagram below shows a possible method of assessing the type of work and frequency. The thick line represents the risk appetite (the equation of the line is control risk = inherent risk – risk appetite).
Frequency of Audit and its Selection
5.40 The various auditable entities can be plotted on a matrix and will fall into one of Zones 1 to 4 as marked in the above graph. The appropriate audit plan for the auditable entities in each zone can be derived as explained below:
Zone 1: These are the areas below the risk appetite of the organisation. Since they are well within the tolerance (risk appetite) range of the organisation, they do not require immediate internal audit attention. For these areas the control score is minimal and the inherent risk is maximum. These areas require management attention to carry out consultancy work and develop the control environment.
Zone 2: Areas where the inherent risk is near maximum and the control score is also very strong; the residual risk score remains high. These areas need to be audited every year, as the control is considered very effective and the risk is high.
Zone 3: Areas where the inherent risk is moderate and the control score is also moderate; the residual risk score remains medium. These areas could be audited every two years.
Zone 4: Areas where the inherent risk is minor and the control score is also missing; the residual risk score is low. These areas need to be audited every three years, as the possible impact on the organisation is low.
The matrix below gives the residual risk rating score for all combinations of the Preliminary Risk Assessment (columns) and Control Environment Rating (rows), together with the corresponding audit frequency. Cells marked Acceptable (residual score of 4 or less) fall within the risk appetite; the remaining cells are audited at the frequency of the zone they fall into (see 5.40).

Control Environment Rating | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Critical (5)
Very Strong (1) | 5 | 10 | 15 | 20 | 25
Strong (2) | 4 (Acceptable) | 8 | 12 | 16 | 20
Moderate (3) | 3 (Acceptable) | 6 | 9 | 12 | 15
Weak (4) | 2 (Acceptable) | 4 (Acceptable) | 6 | 8 | 10
Almost Missing (5) | 1 (Acceptable) | 2 (Acceptable) | 3 (Acceptable) | 4 (Acceptable) | 5
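The consolidation technique of 5.27, the residual risk matrix and the Acceptable cells of the frequency matrix above are a few lines of arithmetic, and writing them down makes the scoring reproducible and reviewable rather than something redone by hand in a spreadsheet each year. The Python below is an added example written for this edit; it is not a tool from the guide or from ICAI. It reproduces the guide's arithmetic exactly (residual score = preliminary rating x (6 - control environment rating); Acceptable where the residual score is 4 or less), while the weights on the sample Procure-to-Pay risks, the rounding of a fractional consolidated rating such as 3.25 to the nearest matrix column, and the year thresholds in AUDIT_CYCLE_YEARS are assumptions made for illustration and are marked as such in the code. Note the orientation the guide's matrix uses: a Very Strong (1) control environment carries the largest multiplier, so confirm that convention matches the criteria set in Step 1 before adopting the code.

```python
"""Scoring mechanics of the guide's risk register (Chapter 5), as an added example.

Reproduced from the guide:
  * consolidated rating of an auditable entity: arithmetic mean or weighted
    average of its preliminary risk ratings (para 5.27);
  * residual risk score = preliminary rating x (6 - control environment rating),
    which generates the 5x5 matrix printed in the guide (Very Strong(1) row =
    5..25, Almost Missing(5) row = 1..5);
  * 'Acceptable' = residual score of 4 or less (the labelled cells).
ASSUMPTIONS made here, not stated in the guide: the risk weights in the sample
register, rounding a fractional consolidated rating to the nearest column, and
the year thresholds in AUDIT_CYCLE_YEARS.
"""
from dataclasses import dataclass
from statistics import fmean

PRELIMINARY_SCALE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}
CONTROL_SCALE = {1: "Very Strong", 2: "Strong", 3: "Moderate", 4: "Weak", 5: "Almost Missing"}
ACCEPTABLE_MAX = 4                              # from the guide's frequency matrix
AUDIT_CYCLE_YEARS = ((15, 1), (8, 2), (5, 3))   # ASSUMED: (min residual score, years between audits)


@dataclass
class Risk:
    sub_process: str
    description: str
    category: str
    score: int           # preliminary risk rating on the 1..5 scale
    weight: float = 1.0  # used only by the weighted-average technique (ASSUMED values below)

    def __post_init__(self):
        if self.score not in PRELIMINARY_SCALE:
            raise ValueError(f"preliminary rating must be 1..5, got {self.score}")
        if self.weight <= 0:
            raise ValueError("weight must be positive")


def consolidated_rating(risks, technique="mean"):
    """Para 5.27: collapse one auditable entity's risks to a single inherent rating."""
    if not risks:
        raise ValueError("an auditable entity needs at least one identified risk")
    if technique == "mean":
        value = fmean(r.score for r in risks)
    elif technique == "weighted":
        value = sum(r.score * r.weight for r in risks) / sum(r.weight for r in risks)
    else:
        raise ValueError(f"unknown technique {technique!r}")
    return round(value, 2)


def residual_score(preliminary, control_rating):
    """Look up the guide's residual risk matrix: e.g. Major(4) x Very Strong(1) = 20,
    Minor(2) x Weak(4) = 4. A fractional rating such as 3.25 is first rounded to
    the nearest column (ASSUMPTION; the guide does not specify the mapping)."""
    if control_rating not in CONTROL_SCALE:
        raise ValueError(f"control environment rating must be 1..5, got {control_rating}")
    column = round(preliminary)
    if column not in PRELIMINARY_SCALE:
        raise ValueError(f"preliminary rating must lie within 1..5, got {preliminary}")
    return column * (6 - control_rating)


def residual_matrix():
    """The full 5x5 matrix, keyed [control_rating][preliminary_rating]."""
    return {c: {p: residual_score(p, c) for p in PRELIMINARY_SCALE} for c in CONTROL_SCALE}


def is_acceptable(residual):
    """Cells the guide labels 'Acceptable': within risk appetite, no scheduled audit."""
    return residual <= ACCEPTABLE_MAX


def audit_cycle_years(residual):
    """Years between audits for a residual score, or None when it is Acceptable."""
    if is_acceptable(residual):
        return None
    for lower_bound, years in AUDIT_CYCLE_YEARS:
        if residual >= lower_bound:
            return years
    return AUDIT_CYCLE_YEARS[-1][1]


def plan_entity(name, risks, control_rating, technique="mean"):
    """One row of the updated (summarized) risk register for an auditable entity."""
    inherent = consolidated_rating(risks, technique)
    residual = residual_score(inherent, control_rating)
    return {
        "auditable_entity": name,
        "initial_risk_rating": inherent,
        "control_environment_rating": control_rating,
        "residual_risk_score": residual,
        "acceptable": is_acceptable(residual),
        "audit_cycle_years": audit_cycle_years(residual),
    }


# Constructed sample: the three Procure-to-Pay risks shown in the guide's
# illustrative register, with ASSUMED weights for the weighted-average technique.
PROCURE_TO_PAY = [
    Risk("Procurement Planning", "Procurement beyond the defined budgetary limits", "Financial Loss", 4, 0.5),
    Risk("Vendor Selection", "Inadequate vendor selection, non-compliance to procurement policies", "Financial Loss", 4, 0.3),
    Risk("Ordering", "Increased cost of procurement due to ineffective negotiation", "Financial Loss", 5, 0.2),
]

if __name__ == "__main__":
    for technique in ("mean", "weighted"):
        # control environment rating 4 (Weak), as in the guide's updated register
        print(technique, plan_entity("Procure to Pay", PROCURE_TO_PAY, 4, technique))
```

With the three sample risks the arithmetic mean is 4.33 and the assumed weights give 4.2; both round to the Major (4) column, which against a Weak (4) control environment yields a residual score of 8, not Acceptable. Keeping the thresholds in one place (AUDIT_CYCLE_YEARS) and validating every rating on input is what makes the register defensible when the audit committee asks why an entity was scheduled in a given year.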
Figure: RBIAP implementation cycle - Develop and approve Risk Based Internal Audit Plan; Derive Annual Audit Plan; Audit Schedule; Resource Allocation; Conduct Audit; Report to Audit Committee; Update Risk Registers and RBIAP.
Planning involves developing an overall plan for the expected scope and
conduct of audit and developing an audit programme showing the nature,
timing and extent of audit procedures. Planning is a continuous exercise. A
plan once prepared should be continuously reviewed by the internal auditor
to identify any modifications required to bring the same in line with the
changes, if any, in the audit environment. However, any major modification to
the internal audit plan should be done in consultation with those charged with
governance. Further, the internal auditor should also document the changes
to the internal audit plan.
Therefore, the preparation of the risk based internal audit plan follows the defined methodology and the steps described earlier. It is vital to note that the entire exercise of risk identification, prioritization and development of the audit plan is not an exact science; some level of judgement and past experience is involved while preparing the plan. The risk registers prepared should be reviewed periodically and updated while performing the actual internal audit.
5.50 As discussed earlier, risk identification is the process of identifying all possible risks in the auditable entities identified at the time of preparing the audit universe. This includes evaluating 'what can go wrong' in the particular process attached to the identified auditable entity that could have an adverse impact on the organization. The adverse impact could take the form of financial loss, operational inefficiency and ineffectiveness, statutory non-compliance, incorrect reporting, etc. The quality and effectiveness of the risk assessment depend on the comprehensiveness and completeness of the risk identification exercise. Risk identification becomes more comprehensive and complete through the continuous re-validation of the risks during audit execution. The risk based internal audit plan should be re-evaluated every year by repeating the steps involved in its development, to identify auditable entities whose residual risk score has increased, and which therefore need to be audited more often, or has decreased into the manageable/ acceptable zone, allowing the frequency of internal audit to be reduced.
Figure: RBIAP update cycle - Develop RBIAP; Approve RBIAP; Revalidate RBIAP; Updated RBIAP.
Chapter 6
Case Study
Situation
The Company is engaged in the upstream and midstream oil and gas business, spread across the country, with a Corporate Office, Plant Operations and Depots. The internal audit (IA) function of the Company comprises a small team that needs to complete the internal audit for the Company as per the annual charter approved by the Audit Committee. The IA function is headed by an Internal Audit Head who reports to the Audit Committee. The Audit Committee directs the IA Head to prepare the Risk Based Internal Audit Plan (RBIAP) of the Company for a period of 3 years.
Solution
The IA Head forms a team of 4 members comprising accounting and technical professionals. The team follows these steps to prepare the RBIAP:
(a) Define objective, criteria and risk appetite
(b) Understand the business environment and processes
(c) Prepare audit universe
(d) Risk identification
(e) Risk prioritization and rating
(f) Assess control environment
(g) Derive residual risk rating
(h) Develop internal audit plan
Steps (a) and (b) equip the team with the relevant knowledge and information required for developing the RBIAP (refer Chapter 5 for the steps). The illustrative deliverables of steps (c) to (h) are summarized below:
Step 1: Prepare Audit Universe
47
D. Sr. Department P. Sr. Process Business Locations
no. No. Corporate Office Plant Depot
1 Contracts 1.1 Tendering and RFQ
1 Contracts 1.2 Contracting and Ordering
2 Plant Operations 2.1 Production and Distribution
2 Plant Operations 2.2 Operation and Maintenance
2 Plant Operations 2.3 Safety and Environment
3 Drilling 3.1 Drilling
Case Study
D. Sr. Department P. Sr. Process Business Locations
no. No. Corporate Office Plant Depot
4 Information Technology 4.1 IT Security
4 Information Technology 4.2 ERP and other applications
5 Geology & Reservoir 5.1 Geology & Reservoir
6 Research and Development 6.1 Research and Development
7 Material Management 7.1 MM - Planning & Receiving
7 Material Management 7.2 MM - Depot
7 Material Management 7.3 MM - Inventory Handling and
48
Storage
Guide on Risk Based Internal Audit Plan
49
12 Business Development 12.1 Business Development
13 Exploration & Development 13.1 Exploration & Development
14 Maintenance 14.1 Pipeline Maintenance
14 Maintenance 14.2 Equipment Maintenance
Step 2: Risk Identification
For each process in the audit universe the team lists the risks and assigns each a risk category. Each risk is also mapped to the business locations (Corporate Office / Plant / Depot) it applies to; those columns are omitted below. Entries marked [...] are cut off in the source, and a blank category cell means the category did not survive.
D. Sr. No. | Department | P. Sr. No. | Process | Risk Description | Risk Category
1 | Contracts | 1.1 | Tendering and RFQ | Procurement beyond the defined budgetary limits. | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Inadequate vendor selection due to non-compliance with procurement policies and procedures (incl. tendering). | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Increased cost of procurement due to ineffective negotiation/ comparison of commercial bids submitted. | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Unfavourable RFQ terms and conditions. | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Risk of favouritism to vendor. | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Inappropriate technical evaluation procedures. | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Inadequate procedures for procurement of proprietary items. | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Fictitious vendors in the system. | Financial
1 | Contracts | 1.2 | Contracting and Ordering | Contract terms and conditions not favourable to the Company. | Financial
1 | Contracts | 1.2 | Contracting and Ordering | Delay in contracting or ordering. | Operational
2 | Plant Operations | 2.1 | Production and Distribution | Regular updation and [...] | Financial
2 | Plant Operations | 2.1 | Production and Distribution | Inadequate testing of material used, leading to well issues later affecting production. | Financial
2 | Plant Operations | 2.1 | Production and Distribution | Non-utilization of the assets. | Financial
2 | Plant Operations | 2.1 | Production and Distribution | Inadequate fire safety arrangement at site. | Health, Safety & Environment
2 | Plant Operations | 2.1 | Production and Distribution | Wrong financial reporting [...] | Incorrect Financial Reporting
2 | Plant Operations | 2.2 | Operation and Maintenance | Scheduled maintenance [...] | Operational
2 | Plant Operations | 2.2 | Operation and Maintenance | [...] properly kept and maintained. |
2 | Plant Operations | 2.2 | Operation and Maintenance | Production failure/ loss due to inadequate preventive maintenance schedule or lack of compliance with the schedule. | Financial Loss
2 | Plant Operations | 2.2 | Operation and Maintenance | Delays in maintenance. | Financial Loss
2 | Plant Operations | 2.3 | Safety and Environment | Regular visits of the oil [...] | Operational
2 | Plant Operations | 2.3 | Safety and Environment | [...] of operations. |
3 | Drilling | 3.1 | Drilling | Wrong financial reporting due to inappropriate inputs for the cost allocation process and the well cost reconciliation process. | Reporting
3 | Drilling | 3.1 | Drilling | Lack of planning and monitoring of cost and effort involved in drilling of wells (recording and monitoring against KPIs/ Targets). | Financial
3 | Drilling | 3.1 | Drilling | Ineffective/ inefficient [...] | Financial
4 | Information Technology | 4.1 | IT Security | Inadequate environmental controls. | Operational
4 | Information Technology | 4.1 | IT Security | Inadequate access controls to the data centre. | Operational
4 | Information Technology | 4.1 | IT Security | Unauthorised access to the data centre. | Operational
4 | Information Technology | 4.1 | IT Security | Penal consequences due to usage of unlicensed software. | Financial Loss
4 | Information Technology | 4.1 | IT Security | Disaster recovery policy and procedures to identify critical business applications/ data not defined. | Financial Loss
4 | Information Technology | 4.1 | IT Security | Increased vulnerability of the network to intrusions, external or internal. | Financial Loss
4 | Information Technology | 4.1 | IT Security | Leakage/ loss of sensitive information; corrupted and insecure data. | Financial Loss
4 | Information Technology | 4.2 | ERP and other applications | Corruption/ loss of data due to inadequate configuration and logical controls within SAP. | Incorrect Financial Reporting
4 | Information Technology | 4.2 | ERP and other applications | Unauthorized transactions due to inadequate segregation of duties. | Financial Loss
4 | Information Technology | 4.2 | ERP and other applications | Inaccurate master data due to inadequate controls on master data maintenance and changes. | Financial Loss
4 | Information Technology | 4.2 | ERP and other applications | Absence of an audit trail in case of unauthorized access/ users. | Financial Loss
4 | Information Technology | 4.2 | ERP and other applications | Inadequate system logic controls to prevent unauthorized/ incorrect transaction processing through SAP. | Financial Loss
4 | Information Technology | 4.2 | ERP and other applications | Inadequate user [...] | Financial Loss
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Adequate physical security does not exist for the recorded data. | Health, Safety & Environment
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Unavailability of adequate technical data used for proposing exploratory locations. | Operational
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Inability to optimize/ actualize expected returns from exploration blocks. | Financial Loss
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Delays in monitoring the reserves. | Financial Loss
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | [...] processing due to ineffective scheduling. |
6 | Research and Development | 6.1 | Research and Development | Inadequate calibration of R&D tools and equipment causing incorrect results. | Financial Loss
6 | Research and Development | 6.1 | Research and Development | High cost of operation due to obsolete technology. | Financial Loss
6 | Research and Development | 6.1 | Research and Development | Delay in procurement of lab equipment causing delay in completion of R&D activities. | Financial Loss
7 | Material Management | 7.1 | MM - Planning & Receiving | Risk of receiving more than the ordered quantity. | Financial
7 | Material Management | 7.1 | MM - Planning & Receiving | Risk of accepting inferior quality material. | Financial
7 | Material Management | 7.1 | MM - Planning & Receiving | Proper quality assurance testing of all raw materials is not done when received. | Financial
7 | Material Management | 7.2 | MM - Depot | Unauthorized disposal of scrap. | Financial Loss
7 | Material Management | 7.2 | MM - Depot | Inadequate segregation of duties between personnel responsible for ordering, receiving and issue of material. | Financial Loss
7 | Material Management | 7.2 | MM - Depot | Inventory loss due to weak storage/ stacking and segregation guidelines. | Financial Loss
7 | Material Management | 7.2 | MM - Depot | Financial loss due to inadequate security procedures at the warehouse. | Financial Loss
7 | Material Management | 7.2 | MM - Depot | Loss of life/ resources due to non-compliance with regulatory laws and regulations. | Health, Safety & Environment
7 | Material Management | 7.2 | MM - Depot | Delay in renewal or expiry of various licenses. | Statutory Non-compliance
8 | Well Logging | 8.1 | Well Logging | Absence of monitoring of the time taken to interpret the data given to the interpretation team, and of review of the records maintained in this respect to ascertain major delays. | Operational
8 | Well Logging | 8.1 | Well Logging | Inadequate records maintained to document discussions and conclusions of the interpretation team. | Operational
8 | Well Logging | 8.1 | Well Logging | Database/ information not maintained about unsuccessful wells and the same is used during subsequent decisions. | Operational
8 | Well Logging | 8.1 | Well Logging | Existing work being done within the Department is not backed by a plan. | Operational
9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | Delays in preparation and communication of annual plans. | Operational
9 | Finance and Accounts | 9.3 | Financial Reporting | Misrepresentation in financial statements and reports. | Incorrect Financial Reporting
9 | Finance and Accounts | 9.4 | Asset Management | Incorrect capitalization of assets. | Incorrect Financial Reporting
9 | Finance and Accounts | 9.4 | Asset Management | Physical verification of assets not done. | Incorrect Financial Reporting
9 | Finance and Accounts | 9.4 | Asset Management | Depreciation & Depletion [...] | Incorrect Financial Reporting
9 | Finance and Accounts | 9.5 | Payables | Risk of delay in payment processing. | Financial
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Quantitative reconciliation not done to identify excessive losses. | Financial
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Royalty not paid as specified in the Production Sharing Contract. | Financial
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Inaccurate calculation of the wellhead value. | Financial
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Investment multiple not calculated in the manner provided in the Production Sharing Contract. | Financial
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Inadequate monitoring of receivables and follow-up for collections. | Financial
9 | Finance and Accounts | 9.7 | JV Operations | Inaccurate working of cost allocated by operating partners for non-operated JVs. | Incorrect Financial Reporting
9 | Finance and Accounts | 9.8 | Taxation | Inadequate monitoring mechanism for pending demands or assessment cases, etc. | Financial Loss
10 | Human Resource | 10.1 | Recruitment | Delay in hiring causing operational delays. | Operational
10 | Human Resource | 10.1 | Recruitment | Hiring inappropriate personnel. | Operational
10 | Human Resource | 10.1 | Recruitment | Incomplete documentation in employee records/ files. | Operational
10 | Human Resource | 10.1 | Recruitment | Inadequate background and reference checks. | Operational
10 | Human Resource | 10.2 | Learning and Development | Inadequate planning of training requirements. | Operational
10 | Human Resource | 10.2 | Learning and Development | Training needs not identified. | Operational
10 | Human Resource | 10.2 | Learning and Development | Training programs not conducted in a timely manner. | Operational
10 | Human Resource | 10.4 | Payroll Process | [...] monitoring and accounting of leaves. |
10 | Human Resource | 10.4 | Payroll Process | Incorrect provisioning and accounting of retirement funds managed by the company. | Financial Loss
10 | Human Resource | 10.4 | Payroll Process | Delay in disbursement/ transfer of salary. | Financial Loss
11 | Projects | 11.1 | Planning and Investment | Inadequate planning and budgeting of projects. | Financial Loss
11 | Projects | 11.1 | Planning and Investment | Appropriate feasibility studies not conducted. | Financial
11 | Projects | 11.1 | Planning and Investment | Required clearances not obtained on a timely basis. | Compliance
11 | Projects | 11.1 | Planning and Investment | Inadequate assessment of Return on Investment. | Financial
11 | Projects | 11.2 | Execution and handover | [...] contractors/ internal staff during execution. |
12 | Business Development | 12.1 | Business Development | Inadequate post-acquisition techno-commercial review for overseas acquisitions. | Financial Loss
12 | Business Development | 12.1 | Business Development | Delays in floating of tenders. | Financial Loss
12 | Business Development | 12.1 | Business Development | Financial health check-up analysis not performed for acquired assets. | Financial Loss
13 | Exploration & Development | 13.1 | Exploration & Development | Inability to optimize/ actualize expected returns from exploration blocks. | Financial Loss
13 | Exploration & Development | 13.1 | Exploration & Development | Non-fulfilment of the minimum work program, especially with respect to timeliness. | Financial Loss
14 | Maintenance | 14.1 | Pipeline Maintenance | Flow lines are not all being regularly tested and inspected for blockage. | Operational
14 | Maintenance | 14.2 | Equipment Maintenance | Inadequate planning of maintenance activities. | Operational
14 | Maintenance | 14.2 | Equipment Maintenance | Preventive maintenance not carried out on a timely basis. | Operational
14 | Maintenance | 14.2 | Equipment Maintenance | Inadequate training of manpower. | Financial Loss
14 | Maintenance | 14.2 | Equipment Maintenance | Safety risk of working on running pipelines. | Health, Safety & Environment
14 | Maintenance | 14.2 | Equipment Maintenance | Frequent breakdowns due to non-performance of root cause analysis. | Financial Loss
Step 3: Risk Prioritization and Rating
(a) Assign a Risk Score to each risk identified in Step 2.
The scores in the table run from 1 to 5. The business location columns are omitted; entries marked [...] are cut off in the source, and a blank score cell means the score did not survive.
D. Sr. No. | Department | P. Sr. No. | Process | Risk Description | Risk Category | Risk Score
1 | Contracts | 1.1 | Tendering and RFQ | Procurement beyond the defined budgetary limits. | Financial | 4
1 | Contracts | 1.1 | Tendering and RFQ | Inadequate vendor selection due to non-compliance with procurement policies and procedures (incl. tendering). | Financial | 5
1 | Contracts | 1.1 | Tendering and RFQ | Increased cost of procurement due to ineffective negotiation/ comparison of commercial bids submitted. | Financial | 4
1 | Contracts | 1.1 | Tendering and RFQ | Unfavourable RFQ terms and conditions. | Financial | 5
1 | Contracts | 1.1 | Tendering and RFQ | Risk of favouritism to vendor. | Financial | 5
1 | Contracts | 1.1 | Tendering and RFQ | Inappropriate technical evaluation procedures. | Financial | 4
1 | Contracts | 1.1 | Tendering and RFQ | Inadequate procedures for procurement of proprietary items. | Financial | 2
1 | Contracts | 1.1 | Tendering and RFQ | Fictitious vendors in the system. | Financial | 3
1 | Contracts | 1.2 | Contracting and Ordering | Contract terms and conditions not favourable to the Company. | Financial | 4
1 | Contracts | 1.2 | Contracting and Ordering | Delay in contracting or ordering. | Operational | 3
1 | Contracts | 1.2 | Contracting and Ordering | Risk of issue of [...] | Financial | 5
2 | Plant Operations | 2.1 | Production and Distribution | [...] communicated and monitored by the Group Gathering Stations (GGS). | |
2 | Plant Operations | 2.1 | Production and Distribution | Crude oil pilferage/ leakages during transportation. | Financial | 4
2 | Plant Operations | 2.1 | Production and Distribution | Incorrect certification of bills. | Financial | 4
2 | Plant Operations | 2.1 | Production and Distribution | Inadequate testing of material used, leading to well issues later affecting production. | Financial | 5
2 | Plant Operations | 2.1 | Production and Distribution | Wrong financial reporting [...] | Incorrect Financial Reporting | 4
2 | Plant Operations | 2.2 | Operation and Maintenance | [...] not being maintained in respect of the collection of oil and gas from the wells. | |
2 | Plant Operations | 2.2 | Operation and Maintenance | Flow meters at CTF are not properly calibrated and the calibration is not being periodically checked. | Operational | 4
2 | Plant Operations | 2.2 | Operation and Maintenance | Pumping records of the extent of oil pumped to [...] | |
2 | Plant Operations | 2.2 | Operation and Maintenance | Delays in maintenance. | Financial | 4
3 | Drilling | 3.1 | Drilling | Damage to the equipment due to inadequate security at the drilling site. | Financial | 4
3 | Drilling | 3.1 | Drilling | Sub-optimal utilization of rigs and other drilling equipment. | Financial | 4
3 | Drilling | 3.1 | Drilling | Delays in operation due to inadequate co-ordination and delays in equipment availability. | Operational | 3
3 | Drilling | 3.1 | Drilling | Misalignment of the drilling plan with the overall work program. | Financial | 3
3 | Drilling | 3.1 | Drilling | Wrong financial reporting due to inappropriate inputs for the cost allocation process and the well cost reconciliation process. | Reporting | 4
3 | Drilling | 3.1 | Drilling | Lack of planning and monitoring of cost and effort involved in drilling of wells (recording and monitoring against KPIs/ Targets). | Financial | 3
4 | Information Technology | 4.1 | IT Security | Penal consequences due to usage of unlicensed software. | Financial Loss | 5
4 | Information Technology | 4.1 | IT Security | Disaster recovery policy and procedures to identify critical business applications/ data not defined. | Financial Loss | 3
4 | Information Technology | 4.1 | IT Security | Increased vulnerability of the network to intrusions, external or internal. | Financial Loss | 4
4 | Information Technology | 4.1 | IT Security | Leakage/ loss of sensitive information; corrupted and insecure data. | Financial Loss | 4
4 | Information Technology | 4.2 | ERP and other applications | Corruption/ loss of data due to inadequate configuration and logical controls within SAP. | Incorrect Financial Reporting | 3
4 | Information Technology | 4.2 | ERP and other applications | [...] of separated employees not removed. | Financial Loss |
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Existing work being done within the department is not backed by a physical plan. | Operational | 3
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Proper procedures do not exist or are not followed while deciding the type of survey (2D, 3D or 4D). | Operational | 4
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Cost report not prepared. | Financial | 3
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Surveys done are not properly recorded. | Operational | 3
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Adequate physical security does not exist for the recorded data. | Health, Safety & Environment | 4
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Unavailability of adequate technical data used for proposing exploratory locations. | Operational | 4
6 | Research and Development | 6.1 | Research and Development | Inadequate calibration of R&D tools and equipment causing incorrect results. | Financial Loss | 2
6 | Research and Development | 6.1 | Research and Development | High cost of operation due to obsolete technology. | Financial Loss | 3
6 | Research and Development | 6.1 | Research and Development | Delay in procurement of lab equipment causing delay in completion of R&D activities. | Financial Loss | 2
7 | Material Management | 7.1 | MM - Planning & Receiving | Risk of receiving more than the ordered quantity. | Financial | 3
7 | Material Management | 7.1 | MM - Planning & Receiving | Risk of accepting inferior quality material. | Financial | 3
7 | Material Management | 7.1 | MM - Planning & Receiving | Proper quality assurance testing of all raw materials is not done when received. | Financial | 4
7 | Material Management | 7.2 | MM - Depot | Unauthorized disposal of scrap. | Financial Loss | 2
7 | Material Management | 7.2 | MM - Depot | Inadequate segregation of duties between personnel responsible for ordering, receiving and issue of material. | Financial Loss | 2
7 | Material Management | 7.2 | MM - Depot | Inventory loss due to weak storage/ stacking and segregation guidelines. | Financial Loss | 2
7 | Material Management | 7.2 | MM - Depot | Financial loss due to inadequate security procedures at the warehouse. | Financial Loss | 2
7 | Material Management | 7.2 | MM - Depot | Loss of life/ resources due to non-compliance with regulatory laws and regulations. | Health, Safety & Environment | 4
7 | Material Management | 7.2 | MM - Depot | Delay in renewal or expiry of various licenses. | Statutory Non-compliance | 5
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | Unauthorized and inappropriate indenting. | Financial Loss | 1
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | Inadequate monitoring of slow/ non-moving inventory. | Financial Loss | 4
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | Damage to spares and material due to inadequate storage. | Financial Loss | 4
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | Critical spares not identified and maintained. | Financial Loss | 4
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | Unauthorised issue of [...] | Financial | 3
8 | Well Logging | 8.1 | Well Logging | Database/ information not maintained about unsuccessful wells and the same is used during subsequent decisions. | Operational |
8 | Well Logging | 8.1 | Well Logging | Existing work being done within the Department is not backed by a plan. | Operational | 3
9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | Delays in preparation and communication of annual plans. | Operational | 3
9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | Inappropriate basis and inputs for planning. | Operational | 4
9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | Management Information System inadequately aligned with strategic objectives. | Incorrect Financial Reporting | 3
9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | Delays in financial reporting and closing. | Operational | 4
9 | Finance and Accounts | 9.2 | Treasury | Adverse fluctuation in foreign exchange rates. | Financial Loss | 4
9 | Finance and Accounts | [...] | [...] | [...] calculated and recorded in the appropriate period. | |
9 | Finance and Accounts | 9.5 | Payables | Risk of delay in invoice processing. | Financial | 3
9 | Finance and Accounts | 9.5 | Payables | Duplicate vendor codes. | Financial | 4
9 | Finance and Accounts | 9.5 | Payables | Risk of delay in payment processing. | Financial | 3
9 | Finance and Accounts | 9.5 | Payables | Royalty not paid as specified in the Production Sharing Contract. | Financial | 3
9 | Finance and Accounts | 9.5 | Payables | Risk of excess payment. | Financial | 4
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Accounting policies for sales, especially take-or-pay, underlifts/ overlifts, contractual liabilities, etc., not in compliance with the Accounting Standards. | Reporting | 3
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Delay in invoicing. | Financial | 3
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Incorrect and unauthorised invoicing. | Financial | 4
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Quantitative reconciliation not done to identify excessive losses. | Financial | 4
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Royalty not paid as specified in the Production Sharing Contract. | Financial | 3
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Inaccurate calculation of the wellhead value. | Financial | 4
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Investment multiple not calculated in the manner provided in the Production Sharing Contract. | Financial | 4
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | Inadequate monitoring of receivables and follow-up for collections. | Financial | 3
9 | Finance and Accounts | 9.7 | JV Operations | Inaccurate working of cost allocated by operating partners for non-operated JVs. | Incorrect Financial Reporting | 4
9 | Finance and Accounts | 9.7 | JV Operations | Non-raising/ delayed recovery of cash calls from JV partners. | Financial Loss | 4
9 | Finance and Accounts | 9.7 | JV Operations | Wrong allocations to JV due to inadequate [...] | Financial Loss | 4
9 | Finance and Accounts | 9.8 | Taxation | [...] Service Tax and other relevant acts. | Compliance |
9 | Finance and Accounts | 9.8 | Taxation | Tax payments and tax returns not made/ filed within permissible time limits. | Statutory Non-compliance | 4
9 | Finance and Accounts | 9.8 | Taxation | Inadequate monitoring mechanism for pending demands/ assessment cases, etc. | Financial Loss | 4
10 | Human Resource | 10.1 | Recruitment | Delay in hiring causing operational delays. | Operational | 3
10 | Human Resource | 10.1 | Recruitment | Hiring inappropriate personnel. | Operational | 4
10 | Human Resource | 10.1 | Recruitment | Incomplete documentation in employee records/ files. | Operational | 2
10 | Human Resource | 10.1 | Recruitment | Inadequate background and reference checks. | Operational | 3
10 | Human Resource | 10.2 | Learning and Development | Inadequate planning of training requirements. | Operational | 4
10 | Human Resource | 10.2 | Learning and Development | Training needs not identified. | Operational | 4
10 | Human Resource | 10.2 | Learning and Development | Training programs not conducted in a timely manner. | Operational | 4
10 | Human Resource | 10.2 | Learning and Development | Feedback procedures not established. | Operational | 3
10 | Human Resource | 10.3 | Separations | Delay in Full and Final settlement. | Financial | 3
10 | Human Resource | 10.3 | Separations | Inadequate clearance procedures. | Financial | 3
10 | Human Resource | 10.3 | Separations | Inadequate waivers. | Financial | 3
10 | Human Resource | 10.3 | Separations | Old loans and advances not settled before relieving. | Financial | 3
10 | Human Resource | 10.3 | Separations | Exit formalities not completed in a timely manner. | Operational | 3
10 | Human Resource | 10.4 | Payroll Process | Incorrect processing of [...] | Financial | 4
11 | Projects | 11.1 | Planning and Investment | Required clearances not obtained on a timely basis. | Compliance | 5
11 | Projects | 11.1 | Planning and Investment | Inadequate assessment of Return on Investment. | Financial | 4
11 | Projects | 11.2 | Execution and handover | Time and cost overruns in the projects due to weak project monitoring and/ or execution. | Financial Loss | 4
11 | Projects | 11.2 | Execution and handover | Operational delays due [...] | Financial | 4
11 | Projects | 11.2 | Execution and handover | Commissioning without [...] | Financial | 4
13 | Exploration & Development | 13.1 | Exploration & Development | Inability to optimize/ actualize expected returns from exploration blocks. | Financial Loss |
13 | Exploration & Development | 13.1 | Exploration & Development | Non-fulfilment of the minimum work program, especially with respect to timeliness. | Financial Loss | 3
14 | Maintenance | 14.1 | Pipeline Maintenance | Flow lines are not all being regularly tested and inspected for blockage. | Operational | 4
14 | Maintenance | 14.1 | Pipeline Maintenance | Delays in providing [...] | Financial | 4
14 | Maintenance | 14.1 | Pipeline Maintenance | Inadequate training to [...] | Financial | 3
14 | Maintenance | 14.2 | Equipment Maintenance | Frequent breakdowns due to non-performance of root cause analysis. | Financial Loss |
(b) Prepare the summarized Risk Register: the initial risk rating of each audit area is the arithmetic mean of the Risk Scores assigned to its risks in step (a). Record the rationale for the rating of each audit area alongside it.
The business location columns are omitted below. Rows marked [...] are cut off in the source; the rationale fragments that survive without their row are kept in place.
D. Sr. No. | Department | P. Sr. No. | Process | Initial Risk Rating | Rationale for Initial Risk Rating
1 | Contracts | 1.1 | Tendering and RFQ | 4.00 | Impact of Major Financial Loss; Repeated fraud/ misappropriation; Major impact on organizational profitability
[...] | [...] | [...] | [...] | [...] | [...] financial penalties or prosecutions; Impact of Major Financial Loss; Significant threat to Health, Safety & Environment
2 | Plant Operations | 2.3 | Safety and Environment | 4.50 | Risk of high reputational impact to the organization; Non-compliance with major financial penalties and prosecutions [...]
[...] | [...] | [...] | [...] | [...] | [...] Major impact on organizational profitability
4 | Information Technology | 4.1 | IT Security | 4.13 | Process risks with critical risk to the organization; Impact of High Financial Loss; Repeated fraud/ misappropriation with major financial or reputational consequences; Missing IT and ERP systems
4 | Information Technology | 4.2 | ERP and other applications | 3.43 | Process risks with major risk to the organization; Repeated fraud/ misappropriation; Deficient IT and ERP systems
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | 3.64 | Process risks with major risk to the organization; Impact of Major Financial Loss; Major impact on organizational profitability
6 | Research and Development | 6.1 | Research and Development | 2.33 | Process risks with tolerable risk to the organization; Tolerable impact on organizational profitability
7 | Material Management | 7.1 | MM - Planning & Receiving | 3.33 | Process risks with major risk to the organization; Impact of Major Financial Loss; Repeated fraud/ misappropriation; Major impact on organizational profitability
7 | Material Management | 7.2 | MM - Depot | 2.83 | Process risks with tolerable risk to the organization; Possible threat to Health, Safety & Environment; Possible fraud/ misappropriation; Tolerable impact on organizational profitability
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | 3.20 | Process risks with major risk to the organization [...]
[...] | [...] | [...] | [...] | [...] | [...] misappropriation; Major impact on organizational profitability
9 | Finance and Accounts | 9.3 | Financial Reporting | 3.50 | Process risks with major risk to the organization; Risk of reputational impact to the organization; Non-compliance with major financial penalties or prosecutions; Repeated fraud/ misappropriation
9 | Finance and Accounts | 9.4 | Asset Management | 4.00 | Impact of Major Financial Loss; Repeated fraud/ misappropriation; Major impact on organizational profitability
9 | Finance and Accounts | 9.5 | Payables | 3.40 | Process risks with major risk to the organization; Risk of reputational impact to the organization; Repeated fraud/ misappropriation
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | 3.50 | Process risks with major risk to the organization; Risk of reputational impact to the organization; Impact of Major Financial Loss; Repeated fraud/ misappropriation; Major impact on organizational profitability
9 | Finance and Accounts | 9.7 | JV Operations | 4.00 | Process risks with major risk to the organization; Risk of reputational impact to the organization; Impact of Major Financial Loss; Repeated fraud/ misappropriation; Major impact on organizational profitability
9 | Finance and Accounts | 9.8 | Taxation | 4.00 | Process risks with major risk to the organization; Risk of reputational impact to the organization; Non-compliance with major financial penalties or prosecutions; Major impact on organizational profitability
10 | Human Resource | 10.1 | Recruitment | 3.00 | Process risks with tolerable risk to the organization; Non-compliance with major financial penalties; Possible fraud/ misappropriation; Tolerable impact on organizational profitability
10 | Human Resource | 10.2 | Learning and Development | 3.75 | Process risks with major risk to the organization [...]
[...] | [...] | [...] | [...] | [...] | [...] impact to the organization; Non-compliance with major financial penalties and prosecutions; Impact of High Financial Loss; High impact on organizational profitability
11 | Projects | 11.2 | Execution and handover | 4.17 | Process risks with critical risk to the organization; Risk of high reputational impact to the organization [...]
[...] | [...] | [...] | [...] | [...] | [...] consequences [...] organizational profitability
14 | Maintenance | 14.2 | Equipment Maintenance | 3.67 | Impact of Major Financial Loss; Significant threat to Health, Safety & Environment; Major impact on organizational profitability
Step 4: Assess control environment
[Process flow: Prepare Audit Universe → Risk Identification → Risk prioritization and rating → Assess control environment → Derive Residual Risk Rating → Develop Internal Audit plan]
Assign a control environment rating to each identified audit area and provide the rationale for the control environment rating assigned.
Columns: D. Sr. No. | Department | P. Sr. No. | Process | Business Locations (Corporate Office / Plant / Depot) | Initial Risk Rating | Rationale for Initial Risk Rating | Control Environment Rating | Rationale for Control Environment Rating
1 Contracts | 1.1 Tendering and RFQ | Initial Risk Rating 4.00: Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations
1 Contracts | 1.2 Contracting and Ordering | Initial Risk Rating 3.80: Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations
2 Plant Operations | 2.1 Production and Distribution | Initial Risk Rating 3.91: Process risks with major risk … | Control Environment Rating 3.00: Defined Preventive or …
2 Plant Operations | 2.2 Operation and Maintenance | Initial Risk Rating 3.83: Process risks with major risk on the organization; Risk of reputational impact to organization; Non-compliance with major … | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Legal compliance framework with minor deviations; …
… | … | … Health, Safety … | … Organisation …
… | … | … profitability | … Consistent Organisation growth with possible losses
3 Drilling | 3.1 Drilling | Initial Risk Rating 3.80: Impact of Major Financial Loss; Significant threat to Health, Safety & Environment; … | Control Environment Rating 4.00: Policy and Procedures not formally defined and there may be possible deviations; Consistent …
4 Information Technology | 4.1 IT Security | Initial Risk Rating 4.13: Process risks … | Control Environment Rating 2.00: Defined …
… | … | … misappropriation; Deficient IT and ERP systems | … measures; Well defined Policy and Procedures and minor deviations
5 Geology & Reservoir | 5.1 Geology & Reservoir | Initial Risk Rating 3.64: Process risks with major risk on the organization; Impact of Major Financial Loss; Major impact on organizational profitability | Control Environment Rating 2.00: Defined Preventive or detective control; Well defined Policy and Procedures and minor deviations; Consistent organisation growth with unlikely losses
6 Research and Development | 6.1 Research and Development | Initial Risk Rating 2.33: Process risks with tolerable risk on the … | Control Environment Rating 1.00: Existence of strong Preventive or …
… | … Receiving | … risk on the organization; Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | … detective controls; Insufficient IT environment with missing automated controls; Policy and Procedures not defined; Inconsistent organisation growth with major losses; Inadequate decentralisation of decision making
7 Material Management | 7.2 MM - Depot Handling and Storage | Initial Risk Rating 2.83: Process risks with tolerable risk on the organization; Impact of major Financial loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 5.00: Missing preventive or detective controls; Insufficient IT environment with missing automated controls; Policy and Procedures not defined; Inconsistent Organisation growth with major losses; Inadequate decentralisation of decision making
8 Well Logging | 8.1 Well Logging | Initial Risk Rating 3.00: Process risks with tolerable … | Control Environment Rating 1.00: Existence of strong …
… Accounts | … Planning and Analysis | … with major risk on the organization; Impact of major financial loss; Major impact on organizational profitability | … Preventive or detective control but unlikely monitoring and update exercise; Legal compliance framework with minor deviations; Established ERP system and IT security measures; Defined Policy and Procedures but insufficient control on implementation and compliance to same; Consistent Organisation growth with possible losses
9 Finance and Accounts | 9.2 Treasury | Initial Risk Rating 4.00: Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Established ERP system and IT security measures; Defined Policy and Procedures but insufficient control on implementation and compliance to same; Consistent organisation growth with possible losses
9 Finance and Accounts | 9.3 Financial Reporting | Initial Risk Rating 3.50: Process risks with major risk on the organization; Risk of … prosecutions | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; … environment; … procedures not formally defined and there may be possible deviations; Consistent organisation growth with frequent losses
9 Finance and Accounts | 9.5 Payables | Initial Risk Rating 3.40: Process risks with major risk … misappropriation | Control Environment Rating 4.00: Preventive or detective …; Policy and Procedures not formally defined and there may be possible deviations
9 Finance and Accounts | 9.6 Invoicing and Receivables | Initial Risk Rating 3.50: Process risks with major risk on the organization; Risk of reputational impact to organization; Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Established ERP system and IT security measures; Defined Policy and Procedures but insufficient control on implementation and compliance to same; Consistent organisation growth with possible losses
9 Finance and Accounts | 9.7 JV Operations | Initial Risk Rating 4.00: Process risks with major risk on the organization; Risk of reputational impact to organization; Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations; Consistent Organisation growth with frequent losses; Inadequate board monitoring and governance structure
9 Finance and Accounts | 9.8 Taxation | Initial Risk Rating 4.00: Process risks with major risk on the organization; Risk of reputational impact to organization; Non-compliance with major financial penalties or prosecutions; Major impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Missing Legal compliance framework with alternative measure to monitor legal compliance; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined …
… | … | … compliance … | … Moderate IT …
… Resource | … Development | … with major risk on the organization; Risk of reputational impact to organization; Significant threat to Health, Safety & Environment | … detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations; Consistent organisation growth with frequent losses; Inadequate board monitoring and governance structure
10 Human Resource | 10.3 Separations | Initial Risk Rating 3.00: Process risks with tolerable risk on the organization; Possible fraud/misappropriation; Tolerable impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations; Consistent organisation growth with frequent losses; Inadequate board monitoring and governance structure
10 Human Resource | 10.4 Payroll Process | Initial Risk Rating 3.40: Process risks with major risk on the organization; Risk of reputational impact to organization; Repeated fraud/misappropriation | Control Environment Rating 5.00: Missing preventive or detective controls; Insufficient IT environment with missing automated controls; Policy and Procedures not defined
11 Projects | 11.1 Planning and Investment | Initial Risk Rating 4.50: Process risks with critical risk on the organization; Risk of high reputational impact to organization; Non-compliance with major financial penalties and prosecutions; Impact of High Financial Loss; High impact on organizational profitability | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Defined Policy and Procedures but insufficient control on implementation and compliance to same; Consistent organisation growth with possible losses
11 Projects | 11.2 Execution and handover | Initial Risk Rating 4.17: Process risks with critical risk on the organization; Risk of high reputational impact to organization; Non-compliance with major financial penalties and prosecutions; Impact of High Financial Loss; Significant threat to Health, Safety & Environment; Repeated fraud/misappropriation with major financial or reputational consequences; High impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Policy and Procedures not formally defined and there may be possible deviations; Consistent organisation growth with frequent losses; Inadequate board monitoring and governance structure
12 Business Development | 12.1 Business Development | Initial Risk Rating 2.67: Impact of significant Financial Loss; Tolerable impact on organizational profitability | Control Environment Rating 2.00: Defined Preventive or detective control; Well defined Policy and Procedures and minor deviations; Consistent organisation growth with unlikely losses
13 Exploration & development | 13.1 Exploration & development | Initial Risk Rating 3.50: Process risks with major risk on the organization; Risk of reputational impact to organization; Impact of Major … profitability | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Legal compliance framework with minor …; Consistent organisation growth with possible losses
14 Maintenance | 14.1 Pipeline Maintenance | Initial Risk Rating 3.67: Impact of Major Financial Loss; Significant threat to Health, Safety & Environment; Major impact on organizational profitability | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Legal compliance framework with minor deviations; Defined Policy and Procedures but insufficient control on implementation and compliance to same
14 Maintenance | 14.2 Equipment Maintenance | Initial Risk Rating 3.67: Impact of Major Financial Loss; Significant threat to Health, Safety & Environment; Major impact on organizational profitability | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Legal compliance framework with minor deviations; Defined Policy and Procedures but insufficient control on implementation and compliance to same
Step 5: Derive Residual Risk Rating
Derive the Residual Risk Rating for each identified audit area as the product of its Initial Risk Rating and its Control Environment Rating.
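The scoring rule above, worked through in code as an added example (not code from the guide): the residual score is the product of the two ratings rounded up to a whole number, as the table's values show (3.80 x 4.00 = 15.20 becomes 16.00, 3.50 x 3.00 = 10.50 becomes 11.00). The audit areas and ratings are copied from the case study rows; the class and function names are this example's own.

```python
"""Residual risk scoring for a risk-based internal audit plan (RBIAP), Step 5.

Added example, not code from the ICAI guide. It applies the rule the guide
states: Residual Risk Score = Initial Risk Rating x Control Environment
Rating, rounded UP to a whole number. Both ratings run from 1.00 to 5.00,
and a HIGHER control environment rating means a WEAKER environment
(5.00 = missing preventive/detective controls, 1.00 = strong controls),
so the product rises with both inherent risk and control weakness.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple

RATING_MIN, RATING_MAX = 1.0, 5.0


@dataclass(frozen=True)
class AuditArea:
    dept_no: int
    department: str
    proc_no: str
    process: str
    initial_risk: float   # Step 3 rating
    control_env: float    # Step 4 rating (5.00 = weakest controls)


def residual_risk_score(initial_risk: float, control_env: float) -> int:
    """Product of the two ratings, rounded up to the next whole number.

    Rounding up (ceil) rather than to nearest is what the guide's table
    shows: 3.80 x 4.00 = 15.20 becomes 16.00 and 3.50 x 3.00 = 10.50
    becomes 11.00. The inner round() strips floating-point noise so an
    exact product such as 4.00 x 3.00 = 12.00 is not pushed up to 13.
    """
    for name, value in (("initial_risk", initial_risk), ("control_env", control_env)):
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{name} must be within {RATING_MIN}-{RATING_MAX}, got {value}")
    return math.ceil(round(initial_risk * control_env, 6))


# Audit areas copied from the case study rows (department, process, initial
# risk rating, control environment rating). The residual scores printed in
# the guide are kept separately in GUIDE_SCORES for cross-checking.
AUDIT_UNIVERSE = [
    AuditArea(1, "Contracts", "1.1", "Tendering and RFQ", 4.00, 4.00),
    AuditArea(1, "Contracts", "1.2", "Contracting and Ordering", 3.80, 4.00),
    AuditArea(2, "Plant Operations", "2.1", "Production and Distribution", 3.91, 3.00),
    AuditArea(2, "Plant Operations", "2.3", "Safety and Environment", 4.50, 3.00),
    AuditArea(3, "Drilling", "3.1", "Drilling", 3.80, 4.00),
    AuditArea(4, "Information Technology", "4.1", "IT Security", 4.13, 2.00),
    AuditArea(4, "Information Technology", "4.2", "ERP and other applications", 3.43, 2.00),
    AuditArea(5, "Geology & Reservoir", "5.1", "Geology & Reservoir", 3.64, 2.00),
    AuditArea(7, "Material Management", "7.1", "MM - Planning & Receiving", 3.33, 5.00),
    AuditArea(8, "Well Logging", "8.1", "Well Logging", 3.00, 1.00),
    AuditArea(9, "Finance and Accounts", "9.1", "Financial Planning and Analysis", 3.50, 3.00),
    AuditArea(9, "Finance and Accounts", "9.5", "Payables", 3.40, 4.00),
    AuditArea(10, "Human Resource", "10.2", "Learning and Development", 3.75, 4.00),
]

GUIDE_SCORES = {
    "1.1": 16, "1.2": 16, "2.1": 12, "2.3": 14, "3.1": 16, "4.1": 9, "4.2": 7,
    "5.1": 8, "7.1": 17, "8.1": 3, "9.1": 11, "9.5": 14, "10.2": 15,
}


def score_universe(areas: List[AuditArea]) -> List[Tuple[str, str, int]]:
    """Return (proc_no, process, residual score) ranked highest risk first.

    Ties on the rounded score are broken by the unrounded product and then
    by initial risk, so rounding up does not hide which of two areas with
    the same whole-number score carries the larger inherent risk.
    """
    scored = [(a, residual_risk_score(a.initial_risk, a.control_env)) for a in areas]
    scored.sort(
        key=lambda t: (t[1], t[0].initial_risk * t[0].control_env, t[0].initial_risk),
        reverse=True,
    )
    return [(a.proc_no, a.process, s) for a, s in scored]


def mismatches_with_guide(areas: List[AuditArea]) -> List[Tuple[str, int, int]]:
    """List (proc_no, computed, guide) for areas whose score differs from the guide."""
    out = []
    for a in areas:
        computed = residual_risk_score(a.initial_risk, a.control_env)
        expected = GUIDE_SCORES[a.proc_no]
        if computed != expected:
            out.append((a.proc_no, computed, expected))
    return out


if __name__ == "__main__":
    for proc_no, process, score in score_universe(AUDIT_UNIVERSE):
        print(f"{proc_no:>5}  {process:<32} residual risk score {score:>2}")
    print("mismatches vs guide:", mismatches_with_guide(AUDIT_UNIVERSE))
```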
Columns: D. Sr. No. | Department | P. Sr. No. | Process | Business Locations (Corporate Office / Plant / Depot) | Initial Risk Rating | Rationale for Initial Risk Rating | Control Environment Rating | Rationale for Control Environment Rating | Residual Risk Score (Rounded up)
1 Contracts | 1.1 Tendering and RFQ | Initial Risk Rating 4.00: Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations | Residual Risk Score 16.00
1 Contracts | 1.2 Contracting and Ordering | Initial Risk Rating 3.80: Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and procedures not formally defined and there may be possible deviations | Residual Risk Score 16.00
2 Plant Operations | 2.1 Production and Distribution | Initial Risk Rating 3.91: Process risks with major risk on the organization; Risk of reputational impact to organization; Impact of Major Financial Loss; Significant threat to Health, Safety & Environment; Major impact on organizational profitability | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Legal compliance framework with minor deviations; Defined Policy and Procedures but insufficient control on implementation and compliance to same; Consistent organisation growth with possible losses | Residual Risk Score 12.00
2 Plant Operations | 2.2 Operation and Maintenance | Initial Risk Rating 3.83: Process risks with major risk on the organization; Risk of reputational impact to organization; Non-compliance with major financial penalties or prosecutions; Impact of Major Financial Loss; Significant threat to Health, Safety & Environment | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Legal compliance framework with minor deviations; Defined Policy and Procedures but insufficient control on implementation and compliance to same; Consistent organisation growth with possible losses | Residual Risk Score 12.00
2 Plant Operations | 2.3 Safety and Environment | Initial Risk Rating 4.50: Risk of high reputational impact to organization; Non-compliance with major financial penalties and prosecutions; Impact of High Financial Loss; Significant threat to Health, Safety & Environment; High impact on organizational profitability | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Legal compliance framework with minor deviations; Defined Policy and Procedures but insufficient control on implementation and compliance to same; Consistent Organisation growth with possible losses | Residual Risk Score 14.00
3 Drilling | 3.1 Drilling | Initial Risk Rating 3.80: Impact of Major Financial Loss; Significant threat to Health, Safety & Environment; Major impact on organizational profitability | Control Environment Rating 4.00: Policy and Procedures not formally defined and there may be possible deviations; Consistent Organisation growth with frequent losses; Inadequate board monitoring and governance structure | Residual Risk Score 16.00
4 Information Technology | 4.1 IT Security | Initial Risk Rating 4.13: Process risks with critical risk on the organization; Impact of High Financial Loss; Repeated fraud/misappropriation with major financial or reputational consequences; Missing IT and ERP systems | Control Environment Rating 2.00: Defined Preventive or detective control; Established ERP system and IT security measures; Well defined Policy and Procedures and minor deviations | Residual Risk Score 9.00
4 Information Technology | 4.2 ERP and other applications | Initial Risk Rating 3.43: Process risks with major risk on the organization; Repeated fraud/misappropriation; Deficient IT and ERP systems | Control Environment Rating 2.00: Defined Preventive or detective control; Established ERP system and IT security measures; Well defined Policy and Procedures and minor deviations | Residual Risk Score 7.00
5 Geology & Reservoir | 5.1 Geology & Reservoir | Initial Risk Rating 3.64: Process risks with major risk on the organization; Impact of Major Financial Loss … | Control Environment Rating 2.00: Defined Preventive or detective control; Well defined Policy and Procedures … | Residual Risk Score 8.00
… | … | … | … ERP system and IT security measures; Well defined and implemented Policy and Procedures; Consistent organisation growth with rare surprises | …
7 Material Management | 7.1 MM - Planning & Receiving | Initial Risk Rating 3.33: Process risks with major risk on the organization; Impact of Major … | Control Environment Rating 5.00: Missing preventive or detective controls; Insufficient IT … | Residual Risk Score 17.00
… | … | … organization; Possible threat to Health, Safety & Environment; Possible fraud/misappropriation; Tolerable impact on organizational profitability | … controls; Insufficient IT environment with missing automated controls; Policy and Procedures not defined; Inconsistent organisation growth with major losses; Inadequate decentralisation of decision making | …
… | … | … | … of decision making | …
8 Well Logging | 8.1 Well Logging | Initial Risk Rating 3.00: Process risks with tolerable risk on the organization; Tolerable impact on organizational profitability | Control Environment Rating 1.00: Existence of strong Preventive or detective control with mechanism for continuous monitoring and update of the same; Well established ERP system and IT security measures; Well defined and implemented Policy and Procedures; Consistent organisation growth with rare surprises | Residual Risk Score 3.00
9 Finance and Accounts | 9.1 Financial Planning and Analysis | Initial Risk Rating 3.50: Process risks with major risk on the organization; Impact of Major Financial Loss; Major impact on organizational profitability | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Legal compliance framework with minor deviations; Established ERP system and IT security measures; Defined Policy and Procedures but insufficient control on implementation and compliance to same; Consistent organisation growth with possible losses | Residual Risk Score 11.00
9 Finance and Accounts | 9.2 Treasury | Initial Risk Rating 4.00: Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Established ERP system and IT security measures; Defined Policy and Procedures but insufficient control on implementation and compliance to same; Consistent organisation growth with possible losses | Residual Risk Score 12.00
9 Finance and Accounts | 9.3 Financial Reporting | Initial Risk Rating 3.50: Process risks with major risk on the organization; Risk of reputational impact to organization; Non-compliance with major financial penalties or prosecutions; Repeated fraud/misappropriation | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Missing Legal compliance framework with alternative measure to monitor legal compliance; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations | Residual Risk Score 14.00
9 Finance and Accounts | 9.4 Asset Management | Initial Risk Rating 4.00: Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations; Consistent organisation growth with frequent losses | Residual Risk Score 16.00
9 Finance and Accounts | 9.5 Payables | Initial Risk Rating 3.40: Process risks with major risk on the organization; Risk of reputational impact to organization; Repeated fraud/misappropriation | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations | Residual Risk Score 14.00
9 Finance and Accounts | 9.6 Invoicing and Receivables | Initial Risk Rating 3.50: Process risks with major risk on the organization; Risk of reputational impact to organization; Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 3.00: Defined Preventive or detective control but unlikely monitoring and update exercise; Established ERP system and IT security measures; Defined Policy and Procedures but insufficient control on implementation and compliance to same; Consistent organisation growth with possible losses | Residual Risk Score 11.00
9 Finance and Accounts | 9.7 JV Operations | Initial Risk Rating 4.00: Process risks with major risk on the organization; Risk of reputational impact to organization; Impact of Major Financial Loss; Repeated fraud/misappropriation; Major impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations; Consistent organisation growth with frequent losses; Inadequate board monitoring and governance structure | Residual Risk Score 16.00
9 Finance and Accounts | 9.8 Taxation | Initial Risk Rating 4.00: Process risks with major risk on the organization; Risk of reputational impact to organization; Non-compliance with major financial penalties or prosecutions; Major impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Missing Legal compliance framework with alternative measure to monitor legal compliance; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations | Residual Risk Score 16.00
10 Human Resource | 10.1 Recruitment | Initial Risk Rating 3.00: Process risks with tolerable risk on the organization; Non-compliance with major financial penalties; Possible fraud/misappropriation; Tolerable impact on organizational profitability | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations; Consistent organisation growth with frequent losses; Inadequate board monitoring and governance structure | Residual Risk Score 12.00
10 Human Resource | 10.2 Learning and Development | Initial Risk Rating 3.75: Process risks with major risk on the organization; Risk of reputational impact to organization; Significant threat to Health, Safety & Environment | Control Environment Rating 4.00: Preventive or detective controls not identified or defined; Moderate IT environment with missing automated controls; Policy and Procedures not formally defined and there may be possible deviations; Consistent … | Residual Risk Score 15.00
organisation
growth with
frequent
losses
• Inadequate
Case Study
board
D. Department P. Process Business Locations Initial Rationale for Control Rationale for Residual
Sr. Sr. Corporate Plant Depot Risk Initial Risk Environ- Control Risk Score
No. No. Office Rating Rating ment Rating Environment (Rounded
Rating up)
monitoring
and
governance
structure
10 Human 10.3 Separations 3.00 • Process risks 4.00 • Preventive 12.00
Resource with tolerable or detective
risk on the controls not
182
organization. identified or
Guide on Risk Based Internal Audit Plan
• Possible defined
fraud/ • Moderate IT
misappropriati environment
on with missing
• Tolerable automated
impact on controls.
organizational • Policy and
profitability Procedures
not formally
defined and
there may
be possible
D. Department P. Process Business Locations Initial Rationale for Control Rationale for Residual
Sr. Sr. Corporate Plant Depot Risk Initial Risk Environ- Control Risk Score
No. No. Office Rating Rating ment Rating Environment (Rounded
Rating up)
deviations
• Consistent
organisation
growth with
frequent
losses
• Inadequate
board
183
monitoring
and
governance
structure
10 Human 10.4 Payroll 3.40 • Process risks 5.00 • Missing 17.00
Resource Process with major risk preventive
on the or detective
organization. controls
• Risk of • Insufficient
reputational IT
impact to environment
Case Study
184
Investment risk on the or detective
Guide on Risk Based Internal Audit Plan
185
11 Projects 11.2 Execution 4.17 • Process risks 4.00 • Preventive 17.00
and with critical or detective
handover risk on the controls not
organization. identified or
• Risk of high defined
reputational • Policy and
impact to Procedures
organization not formally
• Non- defined and
compliance there may
with major be possible
Case Study
financial deviations
D. Department P. Process Business Locations Initial Rationale for Control Rationale for Residual
Sr. Sr. Corporate Plant Depot Risk Initial Risk Environ- Control Risk Score
No. No. Office Rating Rating ment Rating Environment (Rounded
Rating up)
penalties and • Consistent
prosecutions. Organisatio
• Impact of High n growth
Financial Loss with
• Significant frequent
threat to losses
Health, Safety • Inadequate
186
& board
Guide on Risk Based Internal Audit Plan
Environment monitoring
• Repeated and
fraud/ governance
misappropriati structure.
on with major
financial or
reputational
consequences
• High impact
on
organizational
profitability
D. Department P. Process Business Locations Initial Rationale for Control Rationale for Residual
Sr. Sr. Corporate Plant Depot Risk Initial Risk Environ- Control Risk Score
No. No. Office Rating Rating ment Rating Environment (Rounded
Rating up)
12 Business 12.1 Business 2.67 • Impact of 2.00 • Defined 6.00
Development Developme significant Preventive
nt Financial Loss or detective
• Tolerable control
impact on • Well defined
organizational Policy and
profitability Procedures
and minor
187
deviations
• Consistent
Organisatio
n growth
with unlikely
losses.
13 Exploration &13.1 Exploration 3.50 • Process risks 3.00 • Defined 11.00
development & with major risk Preventive
developme on the or detective
nt organization. control but
• Risk of unlikely
Case Study
reputational monitoring
D. Department P. Process Business Locations Initial Rationale for Control Rationale for Residual
Sr. Sr. Corporate Plant Depot Risk Initial Risk Environ- Control Risk Score
No. No. Office Rating Rating ment Rating Environment (Rounded
Rating up)
impact to and update
organization exercise.
• Impact of • Legal
Major compliance
Financial Loss framework
• Significant with minor
threat to deviations.
188
Health, Safety • Defined
Guide on Risk Based Internal Audit Plan
189
Health, Safety monitoring
& and update
Environment exercise.
• Major impact • Legal
on compliance
organizational framework
profitability with minor
deviations.
• Defined
Policy and
Procedures
Case Study
but
D. Department P. Process Business Locations Initial Rationale for Control Rationale for Residual
Sr. Sr. Corporate Plant Depot Risk Initial Risk Environ- Control Risk Score
No. No. Office Rating Rating ment Rating Environment (Rounded
Rating up)
insufficient
control on
implementat
ion and
compliance
to same.
14 Maintenance 14.2 Equipment 3.67 • Impact of 3.00 • Defined 11.00
190
Maintenanc Major Preventive
Guide on Risk Based Internal Audit Plan
191
to same.
Case Study
Step 6: Develop Internal Audit Plan
(a) Arrive at the frequency of the internal audit using the residual risk score calculated in the previous steps. The following definitions could be used for arriving at the frequency of audit over a time span of 3 years:
High Risk – Audit areas having a residual risk score of more than 12, which need to be audited every year.
Medium Risk – Audit areas having a residual risk score of 9 or more but not more than 12, which need to be audited twice in three years.
Low Risk – Audit areas having a residual risk score of 5 or more but not more than 8, which need to be audited once in three years.
Acceptable – Audit areas having a residual risk score of less than 5, which could be audited at management's discretion.
(b) Prepare the annual audit plan by identifying the areas that need to be audited in year 1, year 2 and year 3.
Audit plan table (case study). Columns: D. Sr. No.; Department; P. Sr. No.; Process; Business Locations (Corporate Office / Plant / Depot); Initial Risk Rating; Control Environment Rating; Residual Risk Score; Frequency of Audit; Audit Plan Year 1 / Year 2 / Year 3. The Business Locations and Audit Plan Year marks are not legible in this extract.

D.Sr.  Department                  P.Sr.  Process                       Initial  Control  Residual  Frequency
No.                                No.                                  Risk     Env.     Risk      of Audit
                                                                        Rating   Rating   Score
1      Contracts                   1.1    Tendering and RFQ             4.00     4.00     16.00     Every Year
1      Contracts                   1.2    Contracting and Ordering      3.80     4.00     16.00     Every Year
2      Plant Operations            2.1    Production and Distribution   3.91     3.00     12.00     Twice in 3 years
2      Plant Operations            2.2    Operation and Maintenance     3.83     3.00     12.00     Twice in 3 years
2      Plant Operations            2.3    Safety and Environment        4.50     3.00     14.00     Twice in 3 years
3      Drilling                    3.1    Drilling                      3.80     4.00     16.00     Every Year
4      Information Technology      4.1    IT Security                   4.13     2.00     9.00      Twice in 3 years
4      Information Technology      4.2    ERP and other applications    3.43     2.00     7.00      Once in 3 years
5      Geology & Reservoir         5.1    Geology & Reservoir           3.64     2.00     8.00      Once in 3 years
6      Research and Development    6.1    Research and Development      2.33     1.00     3.00      Acceptable
7      Material Management         7.1    MM - Planning & Receiving     3.33     5.00     17.00     Every Year
9      Finance and Accounts        9.6    Invoicing and Receivables     3.50     3.00     11.00     Twice in 3 years
9      Finance and Accounts        9.7    JV Operations                 4.00     4.00     16.00     Every Year
9      Finance and Accounts        9.8    Taxation                      4.00     4.00     16.00     Every Year
10     Human Resource              10.1   Recruitment                   3.00     4.00     12.00     Twice in 3 years
10     Human Resource              10.2   Learning and Development      3.75     4.00     15.00     Every Year
10     Human Resource              10.3   Separations                   3.00     4.00     12.00     Twice in 3 years
10     Human Resource              10.4   Payroll Process               3.40     5.00     17.00     Every Year
11     Projects                    11.1   Planning and Investment       4.50     3.00     14.00     Twice in 3 years
11     Projects                    11.2   Execution and handover        4.17     4.00     17.00     Every Year
12     Business Development        12.1   Business Development          2.67     2.00     6.00      Once in 3 years
13     Exploration & development   13.1   Exploration & development     3.50     3.00     11.00     Twice in 3 years
14     Maintenance                 14.1   Pipeline Maintenance          3.67     3.00     11.00     Twice in 3 years
14     Maintenance                 14.2   Equipment Maintenance         3.67     3.00     11.00     Twice in 3 years
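Step 6 as code, as an added example that is not part of the guide: it recomputes the residual risk score (initial risk rating multiplied by control environment rating, rounded up), maps the score to the four frequency bands defined in step (a), and spreads the required audits over years 1 to 3 as step (b) asks. The rows are constructed from the audit plan table above. The guide does not say which years a "Twice in 3 years" or "Once in 3 years" area falls in, so the allocation used here (each audit goes to the least-loaded year so far) is an assumption of this example, and the function and constant names are the example's own.

```python
"""Residual risk score -> audit frequency -> three-year audit plan.

Added example, not code from the ICAI guide. Rows are constructed from
the case-study audit plan table; the year allocation is an assumption.
"""
from decimal import Decimal
from math import ceil


def residual_score(initial_rating, control_rating):
    """Residual risk score = initial risk rating x control environment
    rating, rounded up to the next whole number (the table's 'Rounded up').
    Decimal keeps 3.40 x 5.00 at exactly 17 instead of a float 16.999..."""
    return ceil(Decimal(str(initial_rating)) * Decimal(str(control_rating)))


def audit_frequency(score):
    """Map a rounded-up residual risk score to the guide's four bands.
    Returns (band, number of audits in a three-year span)."""
    if score > 12:
        return ("High", 3)          # every year
    if score >= 9:                  # 9 <= score <= 12
        return ("Medium", 2)        # twice in three years
    if score >= 5:                  # 5 <= score <= 8
        return ("Low", 1)           # once in three years
    return ("Acceptable", 0)        # at management discretion


def three_year_plan(areas):
    """areas: list of (label, residual_score). Returns {year: [labels]}.
    Assumption: each required audit is placed in the least-loaded year
    not yet used for that area (ties broken by the earliest year), so a
    High area lands in all three years and the load stays balanced."""
    plan = {1: [], 2: [], 3: []}
    for label, score in areas:
        _, count = audit_frequency(score)
        chosen = []
        for _ in range(count):
            candidates = [y for y in plan if y not in chosen]
            year = min(candidates, key=lambda y: (len(plan[y]), y))
            plan[year].append(label)
            chosen.append(year)
    return plan


# Constructed from the case-study table: (process, initial, control, residual)
CASE_STUDY_ROWS = [
    ("1.1 Tendering and RFQ", "4.00", "4.00", 16),
    ("2.1 Production and Distribution", "3.91", "3.00", 12),
    ("2.3 Safety and Environment", "4.50", "3.00", 14),
    ("4.1 IT Security", "4.13", "2.00", 9),
    ("4.2 ERP and other applications", "3.43", "2.00", 7),
    ("6.1 Research and Development", "2.33", "1.00", 3),
    ("7.1 MM - Planning & Receiving", "3.33", "5.00", 17),
    ("10.4 Payroll Process", "3.40", "5.00", 17),
    ("14.1 Pipeline Maintenance", "3.67", "3.00", 11),
]


def check_scores(rows=CASE_STUDY_ROWS):
    """Recompute each row's residual score from its printed ratings and
    return (label, recomputed, printed) for the rows that disagree."""
    return [(label, residual_score(i, c), printed)
            for label, i, c, printed in rows
            if residual_score(i, c) != printed]


if __name__ == "__main__":
    for label, i, c, printed in CASE_STUDY_ROWS:
        band, n = audit_frequency(printed)
        print(f"{label:35s} score {printed:3d}  {band:10s} audits/3y: {n}")
    print("rows whose printed score differs from the recomputed one:",
          check_scores())
    print(three_year_plan([(r[0], r[3]) for r in CASE_STUDY_ROWS]))
```

Two checks worth running on the guide's own table: `audit_frequency` reproduces the printed Frequency of Audit for every row except 2.3 Safety and Environment and 11.1 Planning and Investment, whose score of 14.00 sits in the High band (above 12) but is listed as "Twice in 3 years"; and `check_scores` flags 14.1 Pipeline Maintenance (likewise 14.2), where 3.67 x 3.00 rounds up to 12 rather than the printed 11, because the printed ratings are themselves rounded to two decimals. For that reason the scheduling functions take the residual score as given in the table rather than recomputing it from the rounded ratings.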
[Figure: Case Study, Risk Assessment process flow. Boxes as legible in the extract: Prepare Audit Universe; Risk Identification; prioritization and rating; control environment rating; Derive Residual Risk Rating; Develop Internal Audit plan]