Guide on Risk Based Internal Audit Plan

DISCLAIMER:
The views expressed in this Guide are those of author(s). The Institute of
Chartered Accountants of India may not necessarily subscribe to the views
expressed by the author(s).

Internal Audit Standards Board
The Institute of Chartered Accountants of India
(Set up by an Act of Parliament)
New Delhi
© The Institute of Chartered Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted, in any form, or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without prior permission,
in writing, from the publisher.

Edition : February, 2015

Committee/Department : Internal Audit Standards Board

Email : cia@icai.in

Website : www.icai.org

Price : ₹ 250/- (Including CD)

ISBN No. : 978-81-8441-776-0

Published by : The Publication Department on behalf of the
Institute of Chartered Accountants of India,
ICAI Bhawan, Post Box No. 7100, Indraprastha
Marg, New Delhi - 110 002.

Printed by : Sahitya Bhawan Publications, Hospital Road,
Agra 282 003
February/2015/P1761 (New)
Foreword
Recent economic events and increased regulatory scrutiny have impacted
the importance of understanding and managing the risks, which drive
uncertainty about the organizational success. Effective risk management
helps organizations to understand the risks they are exposed to, put controls
in place to counter threats, and also to effectively pursue their objectives. In
a nutshell, risk management is an important aspect of an organization’s
governance, management and operations.
In such a scenario, internal audit plays a very critical role by providing
assurance that all the risks related to the activities of the organization are
being identified, monitored and managed effectively. The Institute, from time
to time, has issued guidance to help the members enhance their skill base
and competencies in the area of risk management. This “Guide on Risk
based Internal Audit Plan” is being issued by the Internal Audit Standards
Board of the Institute of Chartered Accountants of India (ICAI) to provide
guidance on developing and implementing an effective Risk Based Internal
Audit Plan.
I would like to congratulate CA. Charanjot Singh Nanda, Chairman, Internal
Audit Standards Board and all the other members of the Board on issuance
of this publication which provides updated guidance on this important area.
The objective is to help internal auditors in embedding risk based approach
thereby enabling them to meet stakeholder’s expectations.
I am confident that this Guide would help our members to play a leading role
in promoting good risk management practices.

February 2, 2015                                        CA. K Raghu
New Delhi                                              President, ICAI
Preface
In today’s complex regulatory and compliance environment, while capitalizing
on emerging opportunities, risk management assumes tremendous
importance. Risk management systems encompass the policies, culture,
processes, systems and other aspects of an organization that, taken together
facilitate its effective and efficient operation by enabling it to assess current
and emerging risks, respond appropriately to risks and significant control
failures and to safeguard its assets. Assessment of risks should support
better decision-taking, ensure that the board and management respond
promptly to risks when they arise, and ensure that shareholders and other
stakeholders are well informed about the principal risks and prospects of the
organization. Internal auditors undoubtedly play a leading role in helping their
organizations achieve an integrated, organization-wide approach to risk
management which ultimately helps to create, enhance, and protect
stakeholder value.
Considering the above, the Internal Audit Standards Board of the Institute is
issuing this “Guide on Risk Based Internal Audit Plan”. Accordingly, the
Board is withdrawing its previous publication “Guide to Implementing
Enterprise Risk Management” issued in 2008. Through risk based auditing,
internal auditors can provide feedback on the adequacy of internal control
and also a source of information for monitoring risk. Further,
the cycle of continually assessing risk, efficiently planning audit activities,
and effectively performing, delivering, and reporting audit activities can result
in overall lower risk to the organization. This Guide comprehensively explains
the concepts of Risk Based Internal Audit Plan and provides a step-wise
approach to effectively implement the same in an organization. It includes
detailed guidance on risk appetite, understanding business environment,
preparing audit universe, risk identification, risk prioritization and rating,
assessing control environment, deriving residual risk rating and finally
developing internal audit plan. Further, for enhancing the understanding of
the readers, an illustrative case study including all the steps to prepare the
RBIAP has also been provided in the guide.
At this juncture, I would like to place on record my sincere gratitude to
CA. Amit Gupta, CA. Mohit Gupta, Shri Anurag Agarwal and CA. Sameer
Mittal for sharing their experience and knowledge with us and preparing the
draft of this Guide.
I would like to express my immense gratitude to CA. K. Raghu, President,
ICAI and CA. Manoj Fadnis, Vice President, ICAI for their continuous support
and encouragement to the initiatives of the Board. I must also thank my
colleagues from the Council at the Internal Audit Standards Board, viz.,
CA. Shriniwas Y. Joshi, Vice Chairman, IASB, CA. Rajkumar S. Adukia,
CA. Prafulla Premsukh Chhajed, CA. Sanjeev K. Maheshwari, CA. Dhinal
Ashvinbhai Shah, CA. Shiwaji Bhikaji Zaware, CA. V. Murali, CA. S.
Santhanakrishnan, CA. Abhijit Bandyopadhyay, CA. Sanjiv Kumar
Chaudhary, CA. Atul Kumar Gupta, CA. Naveen N.D. Gupta, Shri Manoj
Kumar, Shri P. Sesh Kumar and Shri R.K. Jain for their vision and support. I
also wish to place on record my gratitude for the co-opted members on the
Board, viz., CA. R. Balakrishnan, CA. N. S. Ayyanagoudar, CA. Sunil H.
Talati, CA. J. Vedantha Ramanujam and CA. Milind Vijayvargia and special
invitees, CA. Nagesh D. Pinge and CA. Hardik Chokshi for their invaluable
guidance as also their dedication and support to various initiatives of the
Board. I also wish to express my thanks to CA. Jyoti Singh, Secretary,
Internal Audit Standards Board and her team of officers for their efforts and
inputs in finalizing this Guide.
I am sure that the members and other interested users will find this
publication useful in discharge of their professional obligations.

February 9, 2015                          CA. Charanjot Singh Nanda
New Delhi                      Chairman, Internal Audit Standards Board

Contents
Foreword ............................................................................................................ iii
Preface ................................................................................................................ v
Chapter 1: Introduction ...................................................................................... 1
Objective .............................................................................................................. 1
Chapter 2: Need for Risk Based Internal Audit Plan ....................................... 2
Chapter 3: RBIAP Concepts .............................................................................. 5
Chapter 4: Responsibility for Developing RBIAP ............................................ 6
Chapter 5: RBIAP- Development and Implementation ............................... 7-45
Define Objective, Criteria and Risk Appetite......................................................... 8
Risk Categorization ............................................................................................ 10
Risk Assessment Criteria ................................................................................... 11
Criteria for Assessing Control Environment ........................................................ 11
Understanding the Business Environment and Processes ................................. 11
Prepare Audit Universe ...................................................................................... 13
Risk Assessment ................................................................................................ 19
Risk Identification ............................................................................................... 20
Risk Prioritization ................................................................................................ 20
Assess Control Environment .............................................................................. 27
Develop Internal Audit Plan ................................................................................ 35
Planning and Developing Internal Audit Plan ..................................................... 38
Implement and Update RBIAP ........................................................................... 40
Allocate Resources, Engagement Scheduling and Execution ............................ 42
Reassess Risk and Control Environment and Update RBIAP ............................ 43
Chapter 6: Case Study .............................................................................. 46-197

Chapter 1
Introduction
1.1 Traditionally, internal auditing was understood as a one-time exercise
with limited documentation. The increasing trend of frauds in the corporate
sector over the last couple of decades has shifted the pendulum towards the
need for strong and robust internal auditing and internal control systems.
Regulators have also become more vigilant towards the requirement of
strong internal control system which resulted in the announcement of
statutory obligations viz., Sarbanes Oxley Act in USA, Clause 49 of Listing
Agreement as per SEBI and recently notified Companies Act, 2013 and rules
thereunder. This has put organizations under increasing pressure to identify
all the business risks they face and to explain how they manage them.
1.2 Risk-based Internal Auditing (RBIA) allows the internal auditor to provide
assurance to the Board of Directors that risk management processes are
managing risks effectively, having regard to the risk appetite of the
organization. Risk-based internal auditing begins by reviewing the
organizational objectives, then considers the risks that impact on the
achievement of those objectives, and examines the methodologies in place
to mitigate those risks. The only defence auditors have in instances of
corporate failures is sufficient, appropriate audit evidence that proves their
innocence. This audit evidence will be the result of a well-planned and
performed audit. An audit plan, currently a risk-based audit plan, is therefore
a crucial component in the planning of an effective audit.

Objective
1.3 This guide provides guidance on developing and implementing an
effective Risk Based Internal Audit Plan in an organization. It is meant for
individuals who are already internal auditors, are preparing to become one,
or are responsible for overseeing and controlling the business function(s).
Chapter 2
Need for Risk Based Internal Audit Plan
2.1 Preface to the Standards on Internal Audit, issued by the Institute of
Chartered Accountants of India defines the term “internal audit” as, “Internal
Audit is an independent management function, which involves a continuous
and critical appraisal of the functioning of an entity with a view to suggest
improvements thereto and add value to and strengthen the overall
governance mechanism of the entity, including the entity’s strategic risk
management and internal control system.”
Standard on Internal Audit (SIA) 1 “Planning an Internal Audit”, lays down
that the internal auditor should, in consultation with those charged with
governance, including the audit committee, develop and document a
plan for each internal audit engagement to help him conduct the
engagement in an efficient and timely manner.
2.2 Standard on Internal Audit (SIA) 13 “Enterprise Risk Management”
mentions that “The internal auditor will normally perform an annual risk
assessment of the enterprise, to develop a plan of audit engagements for the
subsequent period. This plan will be reviewed at various frequencies in
practice. This typically involves review of the various risk assessments
performed by the enterprise (e.g., strategic plans, competitive benchmarking,
etc.), consideration of prior audits, and interviews with a variety of senior
management. It is designed for identifying internal audit key areas and, not
for identifying, prioritizing, and managing risks directly for the enterprise. The
internal audit plan, which should be approved by the audit committee,
should be based on risk assessment as well as on issues highlighted
by the audit committee and senior management. The risk assessment
process should be of a continuous nature so as to identify not only
residual or existing risks, but also emerging risks. The risk assessment
should be conducted formally at least annually, but more often in
complex enterprises. To serve this objective, the internal auditor should
design the audit work plan by aligning it with the objectives and risks of
the enterprise and concentrate on those issues where assurance is
sought by those charged with governance.”
2.3 The internal auditor is expected to review business processes and various
transactions to provide comfort to the management whether adequate
internal controls are in place considering the nature and size of business
operations. Considering the volume of transactions and the complexity of the
business processes, it would not be possible to check 100% of the business
transactions. The internal auditor usually adopts sampling and judgment
based on past experience and knowledge. However, this leaves a risk that gaps
in internal controls may remain undetected. Accordingly, there is a
need for auditors to follow a risk based internal audit approach.
2.4 There are many challenges being faced by the internal auditors in the
performance of their duties. The major challenges include:
• Mismatch in the expectations from and output of the internal audit
function;
• Audit risk;
• Practical implementation of audit standards; and
• Uncertainties due to changing environment – internal as well as
external.
2.5 The internal audit function is, normally, expected to focus on areas of
high risk, including both inherent and residual risk. The internal audit activity
needs to identify areas of high inherent risk, high residual risk, and the key
control systems upon which the organization is most reliant.
• Audit risk – Audit risk refers to the risk that an auditor may issue an
unqualified report due to the auditor's failure to detect a material
misstatement, whether due to error or fraud. This risk is composed of
inherent risk (IR), control risk (CR) and detection risk (DR).
• Inherent risk – These risks are “all pervasive in nature”, meaning they
are inherent in all business activities. Inherent risk is a risk in ‘raw
form’, before any risk treatment/ mitigation activity has been applied to
it.
• Residual risk – Residual risk is the level of risk that would remain
untreated despite all mitigation efforts.

The figure below depicts the relationship between the inherent risk and
residual risk.

[Figure: relationship between inherent risk and residual risk (image not reproduced)]

2.6 Internal audit planning needs to make use of the organizational risk
management process, where it has been developed by the organization. In
planning an engagement, the internal auditor considers the significant risks
of the activity and the means by which management mitigates the risk to an
acceptable level. The internal auditor uses risk assessment techniques in
developing the internal audit activity’s plan and in determining priorities for
allocating internal audit resources. Risk assessment is used to examine
auditable units and select areas for review to be included in the internal audit
activity’s plan that have the greatest risk exposure.
Chapter 3
RBIAP Concepts
3.1 Risk Based Internal Audit Plan (RBIAP) is an important tool that helps
the internal auditor to respond to the challenges being faced by the internal
auditor, and also enhances the quality of the services that the internal audit
function provides. By following the structured approach for planning the
internal audit, it could be easily concluded that:
• A proper evaluation has been done to identify and assess the risks vis-
a-vis the risk appetite of the company.
• Plans to respond to the risks are effective in managing inherent risks
within the risk appetite.
• There is increased focus and rigorous response to risks where residual
risks are not in line with the risk appetite.
3.2 RBIAP is an approach to develop the internal audit plan in such a
manner that all the business processes covering both financial as well as
operational activities are reviewed by the internal audit function within a
defined time cycle, generally varying from 3 to 5 years. It also ensures that
appropriate consideration is given, and an adequate balance maintained,
among the following:
• Risk underlying the business process.
• Value that the internal audit can provide to the organization.
• Effort involved in conducting the internal audit for a particular business
process.
• Risk appetite of the organization.
• Coverage of all auditable areas within the defined time range.
Chapter 4
Responsibility for Developing RBIAP
4.1 The need to manage risks has become recognised as an essential part
of good corporate governance practice. This has put organisations under
increasing pressure to identify all the business risks they face and to explain
how they manage them. In fact, the activities involved in managing risks have
been recognised as playing a central and essential role in maintaining a
sound system of internal control. While the responsibility for identifying and
managing risks belongs to management, one of the key roles of internal audit
is to provide assurance that those risks have been properly managed.
The Chief Internal Auditor, as designated by the audit committee, must
establish a risk-based plan to determine the priorities and focus areas of the
internal audit activity which are aligned to the business objectives and
organization’s goals. The prime responsibility of developing the Risk Based
Internal Audit Plan is with the Chief Internal Auditor. The Chief Internal
Auditor must prepare the RBIAP and review the same on annual basis in the
light of changing business environment, processes, technology, etc. having
impact on the prevailing risk for the Company and its control environment.
4.2 The RBIAP, thus prepared by the Chief Internal Auditor, must be
approved by the Audit Committee. The Audit Committee assesses the
appropriateness of the process followed for development of the RBIAP to
ensure that due consideration is given to the following:
• Consideration of all major risks for the company
• Business objectives
• Risk appetite of the company
• Inputs from the key managerial persons of the company
• Changes in the operational and regulatory environment.
Chapter 5
RBIAP — Development and Implementation
5.1 The internal auditor takes into account the organization’s risk
management framework, including using risk appetite levels set by
management for the different activities or parts of the organization. If a
framework does not exist, the internal auditor uses his/her own judgment of
risks after consideration of input from senior management and the board.
The internal auditor must review and adjust the plan, as necessary, in
response to changes in the organization’s business, risks, operations,
programs, systems, and controls.
5.2 Risk based internal audit planning includes formal annual planning,
updating the plan before audit segments begin and periodic feedback from
management and the audit committee regarding report content expectations.
The internal audit scope is adjusted based on all of these factors and gives
the internal auditor a keen ability to understand and react quickly to
management and audit committee concerns regarding risk and audit
coverage. Thus, there are two phases of successful implementation of the
RBIAP. These include the following:
• Develop and approve RBIAP
• Implement and update RBIAP
5.3 Methodology for development of risk based internal audit plan can be
divided into following steps:
I Develop and Approve RBIAP
(i) Define objective, criteria and risk appetite
(ii) Understanding the business environment and processes
(iii) Prepare audit universe
(iv) Risk assessment
(a) Risk identification
(b) Risk prioritization and rating
(v) Assess control environment
(vi) Derive residual risk rating
(vii) Develop internal audit plan.
II Implement and update RBIAP
(i) Derive Annual Internal Audit plan
(ii) Allocate resources, engagement scheduling and execution
(iii) Re-assess risk and control environment
(iv) Update RBIAP.
Process of Risk Based Internal Audit Planning

[Flowchart (image not reproduced). Steps shown: Define objective, criteria
and risk appetite; Understanding the Business Environment and processes;
Prepare Audit Universe; Risk identification; Categorise Risks and link to
Audit Areas; Filter Risks (Acceptable Risks, under tolerance limit);
Summarise Risks for each audit area; Risk Prioritisation and Rating; Assess
control environment; Derive Residual Risk Rating; Derive Frequency of Audit;
Develop Audit Plan; Approval from Audit Committee; Allocate Resources,
engagement scheduling and execution; Re-assess risk and control
environment; Update RBIAP.]
Define Objective, Criteria and Risk Appetite
5.4 The internal auditor needs to first define the objective of preparing the risk
based internal audit plan for a particular organization. There are varied
factors that need to be considered while defining the objective of the
exercise; these may include:
• Size and nature of business
• Complexity of the business process
• Resource constraint
• Time horizon which the organization considers appropriate for review
of all the business processes.
5.5 The internal auditor needs to define the criteria that would be used for
developing the internal audit plan. These would include the following:
• Risk categorization
• Risk assessment criteria
• Criteria for assessing the control environment
• Criteria to prioritise and decide the frequency of audit.
5.6 It is very critical that the criteria for developing the RBIAP are
documented in advance and approved to avoid any subjectivity on the
outcome of the exercise. The key factors that need to be kept in mind while
finalizing these criteria include the following:
• Inherent risks – ensure all inherent risks are identified and assessed.
• Residual risks – ensure all residual risks are identified and assessed.
• Mitigating controls – ensure elements of the control environment (e.g.,
level of automation, governance structure, etc.) are identified that
could be linked to the individual events and/ or risks.
5.7 The internal auditor needs to interact with the senior management and take
a view on the risk appetite of the organization. Risk appetite of the
organization can significantly impact the criteria that need to be used for the
development of RBIAP. A Risk Based Internal Audit Plan should ensure that
it covers all unacceptable current risks where management action is
required. These would be the areas with high residual risks, i.e., high
inherent risk and minimal key controls or mitigating factors. These would be
the areas that senior management should get audited immediately.
Identification, assessment and prioritization of the audit areas is dependent
on the residual risk for the organization, which is monitored and evaluated in
the light of risk appetite of the organization.

Risk rating depends on the criteria set by the organization to assess and
prioritise its risk. Depending on the risk appetite of the organization, a
financial loss of ₹ 1 Lac could be ‘minor’ for a large PSU with annual profit
of ₹ 500 crores but major for an organization with annual profit of ₹ 50
Lacs.

Risk Categorization
5.8 According to the Internal Control Framework issued by The Committee
of Sponsoring Organizations (COSO) of the Treadway Commission, risk can
be categorized as under:
• Operational – Risks that impact the efficiency and effectiveness of the
operations of the organization are categorized as operational risk.
E.g., process delays in completing the activity, customer
dissatisfaction, inadequate fund management, excess payment, etc.
Some companies further categorise operational risk into financial risk
and non-financial risk depending on the direct impact of the risk.
• Reporting – Risk of incorrect financial reporting. Internal control
weaknesses which may result in incorrect financial reporting are
categorized as reporting risk, e.g., inadequate cutoff procedures, lack
of senior management review of financial statements, etc.
• Compliance – Risk that may result in non-compliance with the applicable
regulatory requirements. E.g., delay in submission of taxes and
returns, operating without obtaining the required licenses, etc. These
may result in possible fines and penalties being imposed on the
organization.
5.9 Organizations also classify risks under additional categories
depending on the nature of the business, e.g., a company operating in the
energy sector could categorise its risks as under:
• Operational
• Financial
• Health, Safety and Environment
• Compliance
• Reporting
A company operating in a technology intensive sector could categorise its
risks as under:
• Operational
• Financial
• Technology
• Compliance
• Reporting

Risk Assessment Criteria
5.10 Risks need to be assessed in terms of the severity of the impact that may
come to the organization in the event of risk occurrence. Assigning a rating
to the risk depending on the assessed severity is termed risk prioritization.
The typical risk prioritization is done on a scale of 1 to 5 as mentioned
below:
• Score 1 – Insignificant
• Score 2 – Minor
• Score 3 – Moderate
• Score 4 – Major
• Score 5 – Critical

Criteria for Assessing Control Environment
5.11 The control environment sets the tone of an organization, influencing
the control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure. Control
environment factors include the integrity, ethical values and competence of
the entity's people; management's philosophy and operating style; the way
management assigns authority and responsibility; organizes and develops its
people; and the attention and direction provided by the board of directors.
The typical control environment assessment is done on the scale of 1 to 5 as
mentioned below:
• Score 1 – Very strong
• Score 2 – Strong
• Score 3 – Moderate
• Score 4 – Weak
• Score 5 – Almost missing.

Understanding the Business Environment and Processes
5.12 As per the requirement of Standard on Internal Audit (SIA) 1 “Planning
an Internal Audit”, the internal audit plan should be comprehensive
enough to ensure that it helps in achieving the above overall
objectives of an internal audit. The internal audit plan should, generally,
also be consistent with the goals and objectives of the internal audit
function as listed out in the internal audit charter, as well as the goals
and objectives of the organisation.
5.13 The key to effective risk-based auditing is for the internal auditor to
begin the planning process with a thorough understanding of the business
process for the area under review. In combination with feedback from
management and the audit committee, business objectives are reviewed,
specific risks that could cause management not to meet those business
objectives are identified, and controls established by management to mitigate
these risks are evaluated. These business objectives, risks and controls
should also be reviewed in relationship to the entity wide business
objectives, risks, and controls to assist in developing comprehensive
corporate decisions.
Below mentioned is a simple framework that can assist in understanding the
business environment:
(i) Understand where the company is: Really understand. Take
complete stock of a company’s current situation – as regards product
innovation, customer buying patterns, PR branding, what you are
selling and what you can sell.
(ii) Compare the company with the leader in the business: A critical
comparison with the market leader will bring out the areas where most
attention needs to be paid, because most often, the leading business
has read the business environment right.
(iii) Engage with stakeholders: Constant dialogue with all stakeholders will
lead to understanding the company’s niche and positioning in the
competitive market.
5.14 SIA 1 further defines the steps that could be followed for obtaining the
knowledge of the business. The internal auditor should obtain a level of
knowledge of the entity sufficient to enable him to identify events,
transactions, policies and practices that may have a significant effect
on the financial information. Following are some of the sources wherefrom
the internal auditor can obtain such knowledge:
• Previous experience, if any, with the entity and the industry.
• Legislation and regulations that significantly affect the entity.
• Entity’s policy and procedures manual.
• Minutes of the meetings of the shareholders, board of directors, and
important committees of the board such as, audit committee,
remuneration committee, shareholders’ grievances committee.
• Management reports/ internal audit reports of prior periods.
• Newspaper/ industry journals.
• Discussion with client’s management and staff.
• Visits to entity’s plant facilities, etc., to obtain first-hand information
regarding the production processes of the entity.
• Visits to the entity’s department where the accounting and other
documents are generated, maintained, and the administrative
procedures followed.

Prepare Audit Universe
5.15 The first important step towards putting the RBIAP on paper is the
documentation of the Audit Universe. The Audit Universe is to be prepared
on the basis of the business understanding obtained under the previous step.
SIA 1 defines audit universe as “Audit universe comprises the activities,
operations, units etc., to be subjected to audit during the planning period.
The audit universe is designed to reflect the overall business objectives and
therefore includes components from the strategic plan of the entity. Thus, the
audit universe is affected by the risk management process of the client. The
audit universe and the related audit plan should also reflect changes in
the management’s course of action, corporate objectives, etc.”
Professor Brian Cox writing in the Wall Street Journal in April 2013 explained
“Quantum theory tells us that the universe we experience emerges from a
bewildering, counterintuitive maelstrom of interactions between an infinity of
recalcitrant sub-atomic particles.” Defining the internal audit universe is much
simpler than that, although the principles may well be similar.
5.16 In simple terms, the audit universe can be termed as the set of all
auditable units/ departments/ business processes and audit areas, collectively
called auditable entities. Preparation of the audit universe and selection of
auditable entities in the audit universe is the most critical activity which lays
the foundation for developing a robust and effective Risk Based Internal
Audit Plan.
The important factors which could affect the selection of an auditable entity
under the audit universe are:
(i) Organization vision, mission and objectives: The audit universe
can include components from the organization’s strategic plan. By
incorporating components of the organization’s strategic plan, the
audit universe will consider and reflect the overall business objectives.
Inputs from senior management and the board should be obtained, and
an assessment of the risks and exposures affecting the organization should be
carried out.
(ii) Expectations from the internal audit function: The audit universe needs
to factor in all the expectations from the internal audit function. The
internal audit plan, audit execution and the outcome of the internal
audit process depend on the quality and comprehensiveness with which the
audit universe gathers all the expectations, focus areas and results
expected from the performance of the internal audit activities.
(iii) Organization structure and set up: The organisation structure needs to be
understood while identifying the auditable entities. In case of highly
centralized operations, more attention should be given to the auditable
units at corporate level, while in case of decentralized operations separate
auditable entities need to be identified for plant/ branch/ regional office
locations as applicable.
(iv) Geographical location of the organisation: The geographical location of
the business set up also plays a key role in the selection of units. Every
location needs to be considered and given some place in the audit
universe; however, the identification of an auditable unit needs to be
evaluated in conjunction with the other points. E.g., in case of a regional
office with a smaller size of operations and a lesser number of
transactions, the regional office can be considered as one auditable entity
and all the business processes can be reviewed at that particular
regional office together. However, if the scale of operations is larger,
locations would need to be split into further functional areas, e.g.,
Procurement - RO, Sales & Marketing - RO, HR and Payroll - RO,
etc.
(v) Scalability of the operations: The scale of business operations should
also be factored in while deciding an auditable entity. Auditing an entity
with a very low scale separately may not be cost effective
and may not give actionable results, as it would fall within the comfort
range of the risk appetite of the organization.

RBIAP — Development and Implementation


(vi) Organic linkage between the business process/ sub processes: It
is becoming increasingly important to perform an objective study and
conduct an end to end review of a business process so that the organization
level impact of the identified gaps can be assessed and more
objective decisions can be taken by the management on the basis of the
results of the internal audit activities. Hence, it is vital to study the
linkage between business processes and sub processes. E.g., it is more
effective to review the complete Procure to Pay (P2P) process so
that the financial implication and complete process gaps can be
identified. Review of the procurement process or payment process in
isolation would not provide effective root cause and implication
assessment of the internal audit gaps noted during the review.
(vii) Sufficiency to justify cost of control: The internal audit function acts as
a control activity and keeps a regular check on the functioning of the
business activities. Internal audit requires a team of qualified
professionals with expert knowledge of the subject matter. With the
increase in the expectations from and responsibilities of internal audit
professionals, the cost of the internal audit function is also increasing. It
is important to keep an adequate balance between the cost of the internal
audit review and the benefit envisaged to be realized from the review. Hence,
the cost of internal audit should be kept in mind while identifying the
auditable entities.
5.17 It is important to understand that it is not the size of the audit universe
that matters, but rather the extent of the focus of the internal audit plan in
strategic and operational terms.
Having understood the key factors to be kept in mind and the objective of
preparing the audit universe, let us have a quick glance at the steps that need
to be followed for developing the audit universe.
(i) Discussion with Management: Perform detailed discussions at all
levels of senior and top management, including the board members, to
understand their expectations, objectives and key focus areas.
(ii) Sketch Audit Universe: Prepare the initial sketch of the audit
universe containing the list of identified business processes and
auditable entities that need to be audited by the internal audit function.
(iii) Assess objectives for identified auditable entities: Align the
objectives of the internal audit with the objectives of the business and
assess the objective of reviewing each identified auditable entity. The
categories of such objectives could be:

(a) Reliability and integrity of financial and operational information
(b) Effectiveness and efficiency of operations
(c) Safeguarding of assets
(d) Compliance with laws, regulations, and contracts
(iv) Re-validate Audit Universe: The audit universe and related audit plan
are updated to reflect changes in management direction, objectives,
emphasis, and focus. It is advisable to assess the audit universe on at
least an annual basis to reflect the most current strategies and
direction of the organization. The validation exercise is pervasive and
continuous in nature until the annual plan is finalized and approved by
the audit committee/ board.
Steps for Developing the Audit Universe (flow):
Discussion with Management -> Draft initial sketch of audit universe ->
Assess objective of auditable entities -> Re-validate audit universe ->
Finalize audit universe -> Develop RBIAP -> Approve RBIAP

5.18 Following are some illustrative audit universes:

(i) Illustrative Audit Universe of a Manufacturing Company:

Sr. no. | Department                 | Business Locations: Corporate Office / Plant / Branch Office 1 / Branch Office 2
1       | Order to Cash              | ✓ ✓
2       | Procure to Pay             | ✓
3       | Human Resource and Payroll | ✓
4       | Finance and Accounts       | ✓ ✓
5       | Production                 | ✓
6       | Logistics and Distribution | ✓ ✓ ✓
7       | Capital Expenditure        | ✓
8       | Plant Maintenance          | ✓
9       | Information Technology     | ✓
10      | Warehouse Management       | ✓ ✓
11      | Statutory Compliances      | ✓ ✓
(✓ marks each business location at which the department is an auditable entity.)

(ii) Illustrative Audit Universe of an Oil and Gas Company:

D. Sr. no. | Department                | P. Sr. No. | Process                              | Business Locations: Corporate Office / Plant / Depot
1          | Contracts                 | 1.1        | Tendering and RFQ                    | ✓
1          | Contracts                 | 1.2        | Contracting and Ordering             | ✓
2          | Plant Operations          | 2.1        | Production and Distribution          | ✓
2          | Plant Operations          | 2.2        | Operation and Maintenance            | ✓
2          | Plant Operations          | 2.3        | Safety and Environment               | ✓
3          | Drilling                  | 3.1        | Drilling                             | ✓
4          | Information Technology    | 4.1        | IT Security                          | ✓ ✓
4          | Information Technology    | 4.2        | ERP and other applications           | ✓
5          | Geology & Reservoir       | 5.1        | Geology & Reservoir                  | ✓
6          | Research and Development  | 6.1        | Research and Development             | ✓
7          | Material Management       | 7.1        | MM - Planning & Receiving            | ✓
7          | Material Management       | 7.2        | MM - Depot                           | ✓ ✓
7          | Material Management       | 7.3        | MM - Inventory Handling and Storage  | ✓ ✓
8          | Well Logging              | 8.1        | Well Logging                         | ✓
9          | Finance and Accounts      | 9.1        | Financial Planning and Analysis      | ✓
9          | Finance and Accounts      | 9.2        | Treasury                             | ✓
9          | Finance and Accounts      | 9.3        | Financial Reporting                  | ✓ ✓
9          | Finance and Accounts      | 9.4        | Asset Management                     | ✓
9          | Finance and Accounts      | 9.5        | Payables                             | ✓
9          | Finance and Accounts      | 9.6        | Invoicing and Receivables            | ✓ ✓
9          | Finance and Accounts      | 9.7        | JV Operations                        | ✓
9          | Finance and Accounts      | 9.8        | Taxation                             | ✓
10         | Human Resource            | 10.1       | Recruitment                          | ✓
10         | Human Resource            | 10.2       | Learning and Development             | ✓
10         | Human Resource            | 10.3       | Separations                          | ✓
10         | Human Resource            | 10.4       | Payroll Process                      | ✓
11         | Projects                  | 11.1       | Planning and Investment              | ✓
11         | Projects                  | 11.2       | Execution and handover               | ✓
12         | Business Development      | 12.1       | Business Development                 | ✓
13         | Exploration & development | 13.1       | Exploration & development            | ✓
(✓ marks each business location at which the process is an auditable entity.)

Risk Assessment
5.19 The objective of the risk assessment is to assess the level of risk in
the various business processes. Risk assessment focuses on the business
environment, regulatory environment, organisation structure, organizational
and business environmental changes and specific concerns of management
and the audit committee to determine the areas of greatest risk. It also
serves to aid the internal auditor in evaluating the control design to determine
the desired audit scope. Risk assessment includes risk identification and
then risk prioritization based on defined criteria.

Risk Identification
5.20 Risk identification is the process of identifying all possible risks in the
auditable entities identified at the time of preparation of the audit universe.
This includes evaluation of ‘what can go wrong’ in the particular process
attached to the identified auditable entity which can have an adverse
impact on the organization. The adverse impact could be in the form of
possible financial loss, operational inefficiency and ineffectiveness, statutory
non-compliance, incorrect reporting, etc. The quality and effectiveness of the
risk assessment depend on the comprehensiveness and completeness of
the risk identification exercise.
5.21 The first step in the risk identification exercise is to identify the events
which may affect the entity positively or negatively in achieving its objectives.
Such events may be classified as risks and opportunities depending on their
impact on the organization. Risk identification is followed by risk filtration
steps. Risks can be all pervading; they can surface from the most obscure to
the most obvious (but overlooked) areas. Similarly, their outcomes can also
range from the immaterial to the highly significant. These are matters which are
quite difficult to appreciate or evaluate at the time of risk identification and
are therefore best left for the next stage (Risk Prioritization). Nevertheless,
given the practical limitations, some level of judgment will have to be applied
in deciding what to include and what to exclude at the identification stage.
Here, to ensure that no important matters are overlooked, it is always safer
to begin by initially including all the risks and then filtering out everything
which appears to be obviously insignificant and with a remote probability of
occurrence.

Risk Prioritization
5.22 The identified risks need to be prioritized based on the pre-defined
criteria (Refer step 1 - Define objective, criteria and risk appetite). The typical
risk prioritization is done on a scale of 1 to 5 as mentioned below:
• Score 1 - Insignificant
• Score 2 - Minor
• Score 3 - Moderate
• Score 4 - Major
• Score 5 - Critical
5.23 There are various factors that could affect the risk prioritization and
rating. The following factors need to be kept in mind while performing the risk
prioritization exercise:
(i) “Auditable” risks associated with/ mapped to the business process,
entity or location
(ii) Risk of non-compliance (penalty, etc.)
(iii) Magnitude of financial loss
(iv) Significance of threat to Health, Safety & Environment (HSE)
(v) Risk to reputation of the organisation
(vi) Possibility of fraud/ misappropriation
(vii) History of frauds or irregularities
(viii) Management’s assertion on impact
(ix) Magnitude of impact on organisational profitability
(x) Stability of IT systems
(xi) Complexity (volume of business, nature of business)
(xii) Results of earlier audits (external/ internal)
Risk Rating Pyramid (lowest rating at the apex, highest at the base):
Insignificant (1)
Minor (2)
Moderate (3)
Major (4)
Critical (5)

5.24 The preliminary risk rating can be assessed and interpreted using the
methodology below (rating, description and illustrative parameters for assessing).

Rating 1 - Insignificant:
• Process risks with insignificant risk on the organization.
• Non-compliance with minor penalties.
• Impact of very low financial loss.
• No major threat to Health, Safety & Environment.
• No history of fraud/ misappropriation.
• Minor impact on organizational profitability.
• Stable IT and ERP systems.

Rating 2 - Minor:
• Process risks with minor risk on the organization.
• Non-compliance with minor penalties.
• Impact of minor financial loss.
• No significant threat to Health, Safety & Environment.
• Minor fraud/ misappropriation.
• Minor impact on organizational profitability.
• Stable IT and ERP systems.

Rating 3 - Moderate:
• Process risks with tolerable risk on the organization.
• Non-compliance with major financial penalties.
• Impact of significant financial loss.
• Possible threat to Health, Safety & Environment.
• Possible fraud/ misappropriation.
• Tolerable impact on organizational profitability.
• Stable IT and ERP systems.

Rating 4 - Major:
• Process risks with major risk on the organization.
• Risk of reputational impact to the organization.
• Non-compliance with major financial penalties or prosecutions.
• Impact of major financial loss.
• Significant threat to Health, Safety & Environment.
• Repeated fraud/ misappropriation.
• Major impact on organizational profitability.
• Deficient IT and ERP systems.

Rating 5 - Critical:
• Process risks with critical risk on the organization.
• Risk of high reputational impact to the organization.
• Risk with impact on the going concern of the organization.
• Non-compliance with major financial penalties and prosecutions.
• Impact of high financial loss.
• Significant threat to Health, Safety & Environment.
• Repeated fraud/ misappropriation with major financial or reputational consequences.
• High impact on organizational profitability.
• Missing IT and ERP systems.
5.25 Some techniques of risk assessment are explained below:
• Interviews: The internal auditor needs to conduct interviews at all levels of
management to identify the possible risks that could occur in the
particular process as per the experience of the management
personnel. The internal auditor can assess the level of understanding of
the organization’s processes, policies, systems used and controls in
place during these interviews. This would help in assessing the
control environment around the particular auditable entity. The control
environment is discussed further later in this chapter.
• Surveys: The internal auditor can perform surveys to identify and assess
the gravity of the risk and its possible impact on the organization. An
important aspect of the survey is to prepare a qualitative questionnaire
that would help in the identification of the qualitative risk and its impact.
The target audience needs to be selected carefully while performing the
survey so that the results are not biased.
• Workshops: The internal auditor can also conduct workshops with
selected managerial persons to identify the risks in the particular
process and ask them to rate them based on the defined methodology.
There are many tools that may be used to perform these workshops
effectively.
• Past events: The activities performed by the internal auditor during
the business understanding stage can also give a lot of information to the
auditor to identify the possible risks for the organization. This could
include past events, the annual report and directors’ statement, past
internal audit reports, the risk register, etc.
• Internal auditor’s experience: The experience of the internal auditor also
plays a key role in identifying the possible risks in the particular
process of the organization. The gravity of the risks identified by the
auditor from his experience can be moderated by using the techniques
specified in the bullets above.

Prepare Risk Register

5.26 The consolidated form of all risks is referred to as the “Risk Register”,
since all such identified risks most often get listed in the form of a register.
The typical contents of the risk register are listed below.
Contents applicable and filled in up to the stage of risk assessment are as follows:
(i) Auditable Entity
(ii) Sub Process
(iii) Risk Description
(iv) Risk Category
(v) Risk Rating
Illustrative format of the Risk Register is as follows:

Sr. no. | Auditable Entity | Sub Process          | Risk Description                                                                                           | Risk Category  | Risk Rating
1       | Order to Cash    |                      |                                                                                                            |                |
2       | Procure to Pay   | Procurement Planning | Procurement beyond the defined budgetary limits.                                                           | Financial Loss | 4
3       |                  | Vendor Selection     | Inadequate vendor selection due to non-compliance to procurement policies and procedures (incl. tendering) | Financial Loss | 4
4       |                  | Ordering             | Increased cost of procurement due to ineffective negotiation/ comparison of commercial bids submitted      | Financial Loss | 5
5       |                  | Receiving            |                                                                                                            |                |
6       |                  | Quality check        |                                                                                                            |                |
7       |                  | Invoicing            |                                                                                                            |                |
8       |                  | Accounts payables    |                                                                                                            |                |
9       |                  | Payment processing   |                                                                                                            |                |
* Information included in the above format is illustrative.

The next step towards documentation of the risk based internal audit plan is to
document the detailed risk register containing the list of all the risks identified
and the preliminary risk rating.

5.27 The next step is to prepare the summarized risk register. The objective
of preparing the summarized register is to arrive at the consolidated risk
rating for an auditable entity and assess the overall inherent risk in the
auditable entity. There are two techniques which may be used for arriving at
the summarized risk register:
(i) Arithmetic mean of preliminary risk rating: In this method, the
arithmetic mean of all the identified risk ratings is calculated to
arrive at the consolidated risk rating. Considering the simplicity of the
technique, this is the most widely used technique to arrive at the
summarized risk register.
(ii) Weighted average of preliminary risk rating: In this method, weights
are assigned to all the identified risks on the basis of statistical
computation of the probability and quantification of the possible risk to the
organisation. The weighted average of all the identified risk ratings is then
calculated to arrive at the consolidated risk rating.
Illustrative Format of Summarized Risk Register

Sr. no. | Auditable Entity | Sub Process          | Risk Description                                                                                           | Risk Category          | Risk Score | Consolidated Risk Rating
1       | Procure to Pay   | Procurement Planning | Procurement beyond the defined budgetary limits.                                                           | Financial Loss         | 4          | 3.25
2       |                  | Vendor Selection     | Inadequate vendor selection due to non-compliance to procurement policies and procedures (incl. tendering) | Financial Loss         | 4          |
3       |                  | Ordering             | Increased cost of procurement due to ineffective negotiation/ comparison of commercial bids submitted      | Financial Loss         | 5          |
4       |                  | Receiving            | Risk of receiving more than the ordered quantity                                                           | Financial Loss         | 3          |
5       |                  | Quality check        | Risk of accepting inferior quality of material                                                             | Operational/ Financial | 4          |
6       |                  | Invoicing            | Risk of delay in invoice processing                                                                        | Operational            | 2          |
7       |                  | Accounts payables    | Duplicate vendor codes                                                                                     | Operational/ Financial | 3          |
8       |                  | Payment processing   | Risk of delay in payment processing                                                                        | Operational/ Financial | 1          |
(The consolidated rating of 3.25 is the arithmetic mean of the eight risk scores, 26/8.)
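The two consolidation techniques of para 5.27 worked through in code. This is an added example, not code from the Guide or from ICAI; the register rows mirror the Guide's illustrative Procure to Pay entries, while the weights used for the weighted-average variant are constructed here purely for illustration (the Guide does not give any).

```python
"""Consolidated (inherent) risk rating for an auditable entity.

Added example, not code from the Guide. It applies the two consolidation
techniques of para 5.27 to the Procure to Pay sub-process ratings shown in
the Guide's illustrative summarized risk register (4, 4, 5, 3, 4, 2, 3, 1).
"""
from dataclasses import dataclass
from statistics import fmean


@dataclass(frozen=True)
class RiskEntry:
    """One row of the detailed risk register (para 5.26)."""
    auditable_entity: str
    sub_process: str
    description: str
    category: str
    score: int  # preliminary risk rating: 1 Insignificant .. 5 Critical

    def __post_init__(self):
        if not 1 <= self.score <= 5:
            raise ValueError(f"preliminary risk rating must be 1..5, got {self.score}")


# Constructed register, mirroring the Guide's illustrative Procure to Pay rows.
PROCURE_TO_PAY = [
    RiskEntry("Procure to Pay", "Procurement Planning",
              "Procurement beyond the defined budgetary limits", "Financial Loss", 4),
    RiskEntry("Procure to Pay", "Vendor Selection",
              "Inadequate vendor selection due to non-compliance to procurement policies",
              "Financial Loss", 4),
    RiskEntry("Procure to Pay", "Ordering",
              "Increased cost of procurement due to ineffective negotiation", "Financial Loss", 5),
    RiskEntry("Procure to Pay", "Receiving",
              "Risk of receiving more than the ordered quantity", "Financial Loss", 3),
    RiskEntry("Procure to Pay", "Quality check",
              "Risk of accepting inferior quality of material", "Operational/ Financial", 4),
    RiskEntry("Procure to Pay", "Invoicing",
              "Risk of delay in invoice processing", "Operational", 2),
    RiskEntry("Procure to Pay", "Accounts payables",
              "Duplicate vendor codes", "Operational/ Financial", 3),
    RiskEntry("Procure to Pay", "Payment processing",
              "Risk of delay in payment processing", "Operational/ Financial", 1),
]


def arithmetic_mean_rating(entries):
    """Technique (i): plain arithmetic mean of the preliminary ratings."""
    if not entries:
        raise ValueError("cannot consolidate an empty list of risks")
    return fmean([e.score for e in entries])


def weighted_average_rating(entries, weights):
    """Technique (ii): weighted average, one weight per risk.

    In practice the weights come from the auditor's probability and
    quantification work; any non-negative weights with a positive total work.
    """
    if len(entries) != len(weights):
        raise ValueError("one weight is needed per risk")
    if any(w < 0 for w in weights) or sum(weights) <= 0:
        raise ValueError("weights must be non-negative with a positive total")
    return sum(e.score * w for e, w in zip(entries, weights)) / sum(weights)


def summarize(register, weights_by_entity=None):
    """Collapse a detailed register into {auditable entity: consolidated rating}.

    Entities with weights supplied use the weighted average, the others the
    arithmetic mean. Ratings are rounded to two decimals as in the Guide (3.25).
    """
    weights_by_entity = weights_by_entity or {}
    grouped = {}
    for entry in register:
        grouped.setdefault(entry.auditable_entity, []).append(entry)
    consolidated = {}
    for entity, entries in grouped.items():
        if entity in weights_by_entity:
            rating = weighted_average_rating(entries, weights_by_entity[entity])
        else:
            rating = arithmetic_mean_rating(entries)
        consolidated[entity] = round(rating, 2)
    return consolidated


if __name__ == "__main__":
    print(summarize(PROCURE_TO_PAY))  # {'Procure to Pay': 3.25}
    # Constructed weights: the three sourcing sub-processes are weighted more heavily.
    print(summarize(PROCURE_TO_PAY, {"Procure to Pay": [2, 2, 3, 1, 1, 1, 1, 1]}))
```

The arithmetic mean reproduces the Guide's 3.25; the weighted variant shows how emphasising the sourcing risks moves the consolidated rating up, which is the effect the weighting technique is meant to capture.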

Assess Control Environment

5.28 Preliminary assessment of the risk provides the understanding and
evaluation of inherent risk. Assessment of inherent risk alone is not sufficient
to identify the audit areas requiring larger focus from the internal audit
function. The inherent risk needs to be factored with the mitigating controls
and the control environment around the underlying processes that could
reduce the level of residual risk. Hence, it is vital to perform the assessment
of the control environment around the identified risks. The control environment
thus assessed provides the assessment of the ‘likelihood’ factor of the
identified risk.
Assessing the likelihood of an event happening comes with its own
challenges. It is relatively easy to put in place a pre-set methodology for the
actual measurement of the rating by taking some percentages and assigning
them to a 1 to 10 rating. However, what is most difficult is the foresight
required to actually determine the probability of the risk. One technique
used commonly is the history of past occurrences and the periodicity of those
occurrences, which can help to get a better grasp of the probability.

5.29 Some examples of situations that might influence the
assessment of the control environment are as below:
• Inappropriate pay, reward and incentive structures which contribute to
inappropriate behavior or excessive risk-taking.
• Increasing employee turnover leading to insufficient experience and
less reliable execution of controls. This may be the result of a number
of failures in the control environment.
• The absence of a defined code of conduct and ethics and/ or a
whistleblower policy, absence of a process to evaluate the
effectiveness of the code of conduct and ethics policy, a high number
of reported frauds, or management override of controls, which can
lead to inappropriate activity that is not detected and addressed timely.
• Board’s capability and structure for effective governance.
• Key managers making business decisions without considering the
related risks; management may not exhibit risk and control
consciousness in its decision making.
• Processes relating to defining job descriptions for key positions may
be weak, background checks and/ or reference checks are not
consistently performed, or the organization has difficulty hiring and
retaining qualified individuals.
5.30 The Committee of Sponsoring Organizations of the Treadway
Commission (COSO) published the updated Internal Control – Integrated
Framework in 2013. The framework states “The control environment is the
set of standards, processes and structures that provide the basis for carrying
out internal control across the organisation. The board of directors and senior
management establish the tone at the top regarding the importance of
internal control including expected standards of conduct. The control
environment comprises the integrity and ethical values of the organisation;
the parameters enabling the board of directors to carry out its governance
oversight responsibilities; the organisational structure and assignment of
authority and responsibility; the process for attracting, developing, and
retaining competent individuals; and the rigour around performance
measures, incentives, and rewards to drive accountability for performance.
The resulting control environment has a pervasive impact on the overall
system of internal control.”
5.31 There are various factors that could affect the assessment of the control
environment and its rating.
The following factors need to be kept in mind while performing the assessment of
the control environment:
(i) Existence of preventive or detective controls to mitigate risks
associated with/ mapped to the business process, entity or location.
(ii) Legal compliance framework
(iii) Appropriate and established IT control environment
(iv) Governance structure/ monitoring mechanism
(v) Documented policies and procedures
(vi) Past incidents/ trend
(vii) Organization’s sensitivity towards Health, Safety & Environment
(viii) Fraud detection
(ix) Balance of centralized versus decentralized operations within the
organization
Control Environment Rating Pyramid (strongest at the apex, weakest at the base):
Very Strong (1)
Strong (2)
Moderate (3)
Weak (4)
Almost missing (5)

5.32 The internal auditor needs to assess and consider the level of effectiveness
of control environment activities and the risk of deficiencies in the control
environment while defining the audit universe and RBIAP.
The control environment rating can be assessed and interpreted using the
methodology below (rating, description and illustrative parameters for assessing).
Rating 1 - Very Strong:
• Existence of strong preventive or detective controls with a mechanism for continuous monitoring and updating of the same
• Strong legal compliance framework
• Well established ERP system and IT security measures
• Well defined and implemented policies and procedures
• Consistent organisation growth with rare surprises
• Balance of centralized versus decentralized operations within the organization

Rating 2 - Strong:
• Defined preventive or detective controls
• Strong legal compliance framework
• Established ERP system and IT security measures
• Well defined policies and procedures with minor deviations
• Consistent organisation growth with unlikely losses
• Balance of centralized versus decentralized operations within the organization

Rating 3 - Moderate:
• Defined preventive or detective controls but unlikely monitoring and update exercise.
• Legal compliance framework with minor deviations
• Established ERP system and IT security measures
• Defined policies and procedures but insufficient control on implementation and compliance to the same.
• Consistent organisation growth with possible losses

Rating 4 - Weak:
• Preventive or detective controls not identified or defined
• Missing legal compliance framework with an alternative measure to monitor legal compliance
• Moderate IT environment with missing automated controls.
• Policies and procedures not formally defined and there may be possible deviations
• Consistent organisation growth with frequent losses
• Inadequate board monitoring and governance structure

Rating 5 - Almost Missing:
• Missing preventive or detective controls
• Missing legal compliance framework with no alternative measure to monitor legal compliance.
• Insufficient IT environment with missing automated controls.
• Policies and procedures not defined
• Inconsistent organisation growth with major losses
• Inadequate board monitoring and governance structure
• Inadequate decentralisation of decision making

Update Summarized Risk Register

5.33 The next step is to update the summarized risk register. The
summarized risk register needs to be updated with the following information:
(i) Factors affecting the control environment
(ii) Control environment rating
At this stage, the detailed risk register is replaced with the summarized risk
register, which contains the following information:
(i) Auditable Entity
(ii) Sub-process
(iii) Initial risk rating for each sub process (i.e., the consolidated risk
rating arrived at in the previous step)
(iv) Rationale for initial risk rating
(v) Control environment rating
(vi) Rationale for control environment rating
Illustrative Updated Risk Register

Sr. no. | Auditable Entity | Sub Process | Initial Risk Rating | Rationale for initial risk rating | Control environment rating | Rationale for control environment rating
1 | Procure to Pay | Procurement Planning; Vendor Selection; Ordering; Receiving; Quality check; Invoicing; Accounts payables; Payment processing | 3.25 | High risk of financial loss and procurement at high prices | 4 | Weak IT system and manual controls. Policies and procedures not defined and ineffective monitoring by management.

Derive Residual Risk Rating

5.34 As referred to earlier, preliminary assessment of the risk provides the
understanding and evaluation of inherent risk. The inherent risk needs to be
factored with the mitigating controls and the control environment around the
underlying processes that could reduce the level of residual risk.
There are two elements of a risk:
• Impact Rating or Preliminary Risk Assessment Rating.
• Likelihood Rating (also called probability) or Control Environment
Rating.
Consequence and likelihood can be multiplied together to give a single
measure of the significance of a risk, or a residual risk. For example, take a
risk that purchase prices are not competitive. Assuming it has a high impact
on the organization’s cost of purchase, the impact rating could be major
(score 4) but the likelihood could be 3 due to a moderate control environment.
The table below describes illustrative examples of calculating the residual
risk scores.
Illustrative Risk                     | Preliminary Risk Rating (A) | Control Environment Rating (B) | Residual Risk Score (C)
Inadequate objectives and strategy    | 5 | 1 | 5
Inappropriate stocking of goods       | 5 | 1 | 5
Ineffective assessment of competition | 5 | 3 | 15
Ineffective Pricing                   | 5 | 2 | 10
Inadequate store layout               | 4 | 4 | 16
Incorrect Invoicing                   | 4 | 1 | 4
Stock Outs                            | 5 | 1 | 5
Thus, it can be concluded that:
Residual Risk Rating Score = Preliminary Risk Assessment x Control
Environment Rating
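The residual risk computation of para 5.34 and the 5 x 5 matrix of para 5.35, as an added example (not code from the Guide or from ICAI). The rows of ILLUSTRATIVE_RISKS are the Guide's own illustrative table; the ranking and matrix rendering are this example's additions.

```python
"""Residual risk scoring: C = Preliminary Risk Rating (A) x Control Environment Rating (B).

Added example, not code from the Guide. It scores the Guide's illustrative
rows, ranks them for planning, and builds the full residual risk matrix.
"""

PRELIMINARY_RISK = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}
CONTROL_ENVIRONMENT = {1: "Very Strong", 2: "Strong", 3: "Moderate", 4: "Weak", 5: "Almost Missing"}


def _check_rating(value, name):
    """Ratings lie on a 1..5 scale; consolidated ratings such as 3.25 are fractional."""
    if isinstance(value, bool) or not isinstance(value, (int, float)) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be a number between 1 and 5, got {value!r}")


def residual_risk_score(preliminary, control_env):
    """C = A x B. A consolidated rating is accepted as A, so 3.25 x 4 gives 13,
    the figure in the Guide's updated risk register for Procure to Pay."""
    _check_rating(preliminary, "preliminary risk rating")
    _check_rating(control_env, "control environment rating")
    return preliminary * control_env


def residual_risk_matrix():
    """Return {control_env: {preliminary: score}} for every 1..5 combination."""
    return {b: {a: residual_risk_score(a, b) for a in PRELIMINARY_RISK}
            for b in CONTROL_ENVIRONMENT}


def score_rows(rows):
    """rows of (risk, A, B) -> (risk, A, B, C), highest residual score first,
    so the risks needing audit attention surface at the top of the list."""
    scored = [(risk, a, b, residual_risk_score(a, b)) for risk, a, b in rows]
    return sorted(scored, key=lambda r: r[3], reverse=True)


# The Guide's illustrative rows: (risk, preliminary rating A, control environment rating B).
ILLUSTRATIVE_RISKS = [
    ("Inadequate objectives and strategy", 5, 1),
    ("Inappropriate stocking of goods", 5, 1),
    ("Ineffective assessment of competition", 5, 3),
    ("Ineffective Pricing", 5, 2),
    ("Inadequate store layout", 4, 4),
    ("Incorrect Invoicing", 4, 1),
    ("Stock Outs", 5, 1),
]


def render_matrix():
    """Plain-text matrix: weakest control environment on the top row,
    preliminary risk rating 1..5 across the columns."""
    matrix = residual_risk_matrix()
    lines = []
    for b in sorted(CONTROL_ENVIRONMENT, reverse=True):
        cells = " ".join(f"{matrix[b][a]:3d}" for a in sorted(PRELIMINARY_RISK))
        lines.append(f"{CONTROL_ENVIRONMENT[b]:>14} ({b}) | {cells}")
    lines.append(" " * 21 + " ".join(f"{a:3d}" for a in sorted(PRELIMINARY_RISK)))
    return "\n".join(lines)


if __name__ == "__main__":
    for risk, a, b, c in score_rows(ILLUSTRATIVE_RISKS):
        print(f"{c:3d}  {risk}  (A={a}, B={b})")
    print(render_matrix())
```

Ranking by the product rather than by either rating alone is the point of the step: "Inadequate store layout" has a lower impact rating than most of the other rows but the weakest control environment, and it comes out on top.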

Update Summarized Risk Register

5.35 The next step is to update the summarized risk register. The
summarized risk register needs to be updated with the residual risk rating.
At this stage, the summarized risk register would contain the following
information:
(i) Auditable entity
(ii) Sub process
(iii) Initial risk rating for each sub process
(iv) Rationale for initial risk rating
(v) Control environment rating
(vi) Rationale for control environment rating
(vii) Residual risk rating score

Illustrative Updated Risk Register

Sr. no. | Auditable Entity | Sub Process | Initial Risk Rating (A) | Rationale for initial risk rating | Control environment rating (B) | Rationale for control environment rating | Residual Risk Rating Score (C = A x B)
1 | Procure to Pay | Procurement Planning; Vendor Selection; Ordering; Receiving; Quality check; Invoicing; Accounts payables; Payment processing | 3.25 | High risk of financial loss and procurement at high prices | 4 | Weak IT system and manual controls. Policies and procedures not defined and ineffective monitoring by management. | 13

The matrix below gives the residual risk rating score for all combinations
of the Preliminary Risk Assessment (columns) and the Control Environment
Rating (rows); each cell is the product of the two ratings.

Control Environment Rating | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Critical (5)
Almost Missing (5)         | 5                 | 10        | 15           | 20        | 25
Weak (4)                   | 4                 | 8         | 12           | 16        | 20
Moderate (3)               | 3                 | 6         | 9            | 12        | 15
Strong (2)                 | 2                 | 4         | 6            | 8         | 10
Very Strong (1)            | 1                 | 2         | 3            | 4         | 5
(Columns: Preliminary Risk Assessment.)

Develop Internal Audit Plan

5.36 The business environment is very dynamic; typically a three to five year
internal audit plan is developed, considering the nature of the business, the business
environment, the stability of the business processes, changes in the objectives of
the management and the expectations from the internal audit.
With certain adjustments based on management and audit committee input
or regulatory requirements, low-risk areas would be audited every three
years, moderate-risk areas audited every other year, and high-risk areas
audited every year. The three-year audit plan should be revisited each year
during the update phase of the risk assessment process and adjustments
should be made based on new or changed risk factors. This methodology
allows the internal auditor flexibility in a changing risk environment. Further
consideration should be given to the following aspects while deriving the
annual internal audit plan:
• Availability of audit resources over the 3 year period;
• Feasibility of conducting an audit;
• Conduct of other reviews providing oversight;
• Mandated audit projects;
• Management requests;
• Audit and Evaluation Committee direction.
5.37 New priorities are determined based on these considerations, and audits
are defined for the top priorities. The outcome is a short-list of audit projects
and activities to be conducted during the coming three-year planning horizon.
An analysis of the proposed audit coverage of the organization is conducted
in order to ensure an appropriately balanced audit plan. The project team
considers the number of corporate risks covered by the plan, the number of
priorities covered, and how the allocation of audit resources aligns with the
organization’s expenditures.

Acceptable Range of Risks


5.38 At this stage it is important to understand and define the organisation’s ‘risk appetite’. One method of deciding which risks to accept is to place them on a grid of Risk and Control Environment rating. This enables the board/ audit committee to define the action it requires the internal audit function to take for each likelihood/ consequence combination. The boundary between the acceptable risks and those which require managing is known as the ‘risk appetite’. If inherent risks cannot be managed below this line by ‘treatment’, then they will have to be terminated, transferred or tolerated.

Selection of Risks
5.39 At this point, the risk and audit universe shows risks, their scores and
the audits linked to them. There will be a range of scores and, in drawing up
the audit plan, a policy will have to be established about which risks to cover
and how often. It is unlikely that the board, or audit committee, will require
assurance on the management of every risk above the risk appetite, every
year. They may require assurance on the risks with a high likelihood of
significant/ critical losses every year but other risks above the risk appetite
every two or three years. Note the audit action to be taken and the next audit
year in the appropriate columns. The diagram below shows a possible
method of assessing the type of work and frequency. The thick line
represents the risk appetite (the equation of the line is control risk = inherent
risk – risk appetite).


[Figure: Frequency of Audit and its Selection]
5.40 The various auditable entities can be plotted on a matrix and would fall in any of the Zones 1 to 4 as mentioned in the above graph. The appropriate audit plan for the auditable entities in these zones can be derived as per the explanation below:
Zone 1: These are the areas below the risk appetite of the organisation. Considering the fact that they are well within the tolerance (Risk Appetite) range of the organisation, these do not require immediate internal audit attention. For these areas the control score is minimal and the inherent risk is maximum. These areas require management attention to carry out the consultancy work and develop the control environment.
Zone 2: Areas where the inherent risk is near maximum and the control score is also very strong; the residual risk score remains high. These areas need to be audited every year, as the control is considered to be very effective as well as the risk being high.
Zone 3: Areas where the inherent risk is moderate and the control score is also moderate; the residual risk score remains medium. These areas could be audited every two years.
Zone 4: Areas where the inherent risk is minor and the control score is also missing; the residual risk score is low. These areas need to be audited every three years, as the possible impact on the organisation is low.


Planning and Developing Internal Audit Plan


5.41 At this stage, the risk and audit universe shows risks, their scores and the audits linked to them. The internal audit function needs to plot the auditable entities in the following zones based on the residual risk ratings and the immediate objectives of the management and audit committee.
(i) High Risk: This is said to be the unacceptable zone, where the residual risk score is more than 12. These are the areas with high inherent risk and a weak control environment. These areas need to be audited every year until the residual risks are reduced and brought into the manageable zone.
(ii) Medium Risk: This is said to be the manageable zone, where the residual risk score is more than 8 and less than or equal to 12. These are the areas with minor to critical risk and a varying control environment. These areas need to be audited once every two years until the residual risks are reduced to the advisable zone.
(iii) Low Risk: This is said to be the advisable zone, where the residual risk score is more than 4 and less than or equal to 8. These are the areas with insignificant to major risk and a strong to almost missing control environment. These areas need to be audited once every three years until the residual risks are reduced to the acceptable zone.
(iv) Insignificant Risk: This is said to be the acceptable zone, where the residual risk score is less than or equal to 4. These are the areas with low risk and a strong control environment. These areas need not be audited unless the Board/ Management/ Audit Committee directs otherwise, considering recent changes or business objectives. This is the zone which contains the areas within the risk appetite of the organisation.

Update Risk Register and Audit Universe


5.42 The risk register containing all identified and assessed risks needs to be updated with the following:
(i) Factors Affecting Control Environment
(ii) Control Environment Rating
(iii) Risk Category
(iv) Risk Rating


Update Summarized Risk Register


5.43 The next step is to update the summarized risk register. The summarized risk register needs to be updated with the frequency of internal audit.
At this stage, the summarized risk register would contain the following
information:
(i) Auditable entity
(ii) Sub-Process
(iii) Initial Risk Rating for each sub process
(iv) Rationale for initial risk rating
(v) Control environment rating
(vi) Rationale for control environment rating
(vii) Residual Risk Rating Score
(viii) Frequency of Audit
Illustrative Updated Risk Register

Sr. no. | Auditable Entity | Sub Process | Initial Risk Rating (A) | Rationale for initial risk rating | Control environment rating (B) | Rationale for control environment rating | Residual Risk Rating Score (C = A x B) | Frequency of Audit
1 | Procure to Pay | Procurement Planning; Vendor Selection; Ordering; Receiving; Quality check; Invoicing; Accounts payables; Payment processing | 3.25 | High risk of financial loss and procurement at high prices | 4 | Weak IT system and manual controls. Policies and procedures not defined and ineffective monitoring by management. | 13 | Once in a year


The Matrix below describes the residual risk rating score for all combinations of the Preliminary Risk Assessment and Control Environment Rating and the corresponding audit frequency. Each cell gives the residual score (Preliminary Risk Assessment rating multiplied by Control Environment Rating) followed by the audit frequency band of paragraph 5.41: A = Acceptable (within risk appetite, no routine audit), 3y = once in three years, 2y = once in two years, 1y = every year.

Control Environment Rating | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Critical (5)
Very Strong (1)            |  1 (A)  |  2 (A)  |  3 (A)  |  4 (A)  |  5 (3y)
Strong (2)                 |  2 (A)  |  4 (A)  |  6 (3y) |  8 (3y) | 10 (2y)
Moderate (3)               |  3 (A)  |  6 (3y) |  9 (2y) | 12 (2y) | 15 (1y)
Weak (4)                   |  4 (A)  |  8 (3y) | 12 (2y) | 16 (1y) | 20 (1y)
Almost Missing (5)         |  5 (3y) | 10 (2y) | 15 (1y) | 20 (1y) | 25 (1y)
Columns: Preliminary Risk Assessment

Matrix of Residual Risk Scores and Audit Frequency
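The scoring, zoning and frequency rules of paragraphs 5.41 and 5.43 can be applied mechanically to a whole risk register. The following Python script is an added illustration and is not part of the Guide or of any ICAI tool: it computes the residual score C = A x B, maps it to the four zones, derives the audit years within a three-year planning horizon and sorts the entities by residual score. The register entries other than the Guide's own Procure to Pay illustration (A = 3.25, B = 4, C = 13), the start year 2015 and all function names are assumptions made for the example.

```python
"""Residual risk scoring and audit-frequency assignment for a risk register.

Added illustration (not from the Guide). A = Preliminary (initial) Risk
Assessment rating (1 = Insignificant ... 5 = Critical); B = Control
Environment Rating (1 = Very Strong ... 5 = Almost Missing); C = A x B.
Zone bands follow paragraph 5.41 of the Guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CONTROL_LABELS = {1: "Very Strong", 2: "Strong", 3: "Moderate", 4: "Weak", 5: "Almost Missing"}

# Zone name -> audit interval in years (None: no routine audit unless directed)
FREQUENCY_YEARS: Dict[str, Optional[int]] = {
    "High": 1, "Medium": 2, "Low": 3, "Insignificant": None,
}


@dataclass
class RiskEntry:
    entity: str          # auditable entity
    sub_process: str
    initial_risk: float  # A; an average over sub-processes may be fractional, e.g. 3.25
    control_rating: int  # B


def residual_score(initial_risk: float, control_rating: int) -> float:
    """C = A x B, after validating both inputs against the 1..5 scales."""
    if not 1 <= initial_risk <= 5:
        raise ValueError(f"initial risk rating {initial_risk} outside 1..5")
    if control_rating not in CONTROL_LABELS:
        raise ValueError(f"control environment rating {control_rating} outside 1..5")
    return initial_risk * control_rating


def zone(score: float) -> str:
    """Map a residual score to the zone bands of paragraph 5.41."""
    if score > 12:
        return "High"           # unacceptable zone
    if score > 8:
        return "Medium"         # manageable zone
    if score > 4:
        return "Low"            # advisable zone
    return "Insignificant"      # acceptable zone (within risk appetite)


def residual_matrix() -> List[List[int]]:
    """5x5 score matrix; row index = control rating - 1, column index = risk rating - 1."""
    return [[risk * control for risk in range(1, 6)] for control in range(1, 6)]


def audit_years(score: float, start_year: int, horizon: int = 3, mandated: bool = False) -> List[int]:
    """Years within the planning horizon in which the entity is audited.

    Acceptable-zone entities are scheduled only when mandated (Board/
    Management/ Audit Committee direction), and then in the first year.
    """
    interval = FREQUENCY_YEARS[zone(score)]
    if interval is None:
        return [start_year] if mandated else []
    return list(range(start_year, start_year + horizon, interval))


def build_plan(register: List[RiskEntry], start_year: int, horizon: int = 3) -> List[dict]:
    """Score every entry and return the plan sorted by descending residual score."""
    rows = []
    for entry in register:
        score = residual_score(entry.initial_risk, entry.control_rating)
        rows.append({
            "entity": entry.entity,
            "sub_process": entry.sub_process,
            "score": score,
            "zone": zone(score),
            "audit_years": audit_years(score, start_year, horizon),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register: the first entry mirrors the Guide's illustration
# (Procure to Pay, A = 3.25, B = 4 -> C = 13); the other three are invented.
SAMPLE_REGISTER = [
    RiskEntry("Procure to Pay", "Procurement Planning to Payment processing", 3.25, 4),
    RiskEntry("IT Security", "Logical access control", 3.0, 3),
    RiskEntry("Treasury", "Foreign exchange exposure", 2.0, 3),
    RiskEntry("Payroll", "Payroll processing", 2.0, 1),
]

if __name__ == "__main__":
    # 2015 is an assumed start year for the three-year horizon
    for row in build_plan(SAMPLE_REGISTER, start_year=2015):
        print(f"{row['entity']:<16} C={row['score']:<5} {row['zone']:<13} audit in {row['audit_years']}")
```

Running the script lists Procure to Pay first (score 13, High, audited in all three years), then IT Security (9, Medium, years one and three), Treasury (6, Low, year one only) and Payroll (2, Insignificant, no routine audit). Fractional initial ratings are accepted because the Guide's own example uses an averaged rating of 3.25; the control rating is restricted to the integer scale because the matrix defines only five control bands.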

Implement and Update RBIAP


5.44 Once the three year risk based internal audit plan is developed, the
same needs to be implemented in the organisation for ensuring effective
conduct of the internal audit activities. For effective implementation of the
RBIAP, the following stages are involved.
(i) Prepare audit scope
(ii) Allocate resources, engagement scheduling and execution
(iii) Re-assess risk and control environment
(iv) Update RBIAP


Prepare Internal Audit Scope


5.45 As per SIA 1, “Planning an Internal Audit” issued by The Institute of Chartered Accountants of India:
“15. The next stage in planning an internal audit is establishing the scope of the engagement. The scope of the engagement should be sufficient in coverage so as to meet the objectives of the engagement. The internal auditor should consider the information gathered during the preliminary review stage to determine the scope of his audit procedures. The nature and extent of the internal auditor’s procedures would also be affected by the terms of the engagement. In case the internal auditor is of the view that circumstances exist which would restrict the auditor from carrying out the procedures, including any alternative procedures, considered necessary by him, he should discuss the matter with the client to reach a conclusion whether or not to continue the engagement. The scope of his engagement should be documented comprehensively to avoid misunderstanding on the areas covered for audit. The internal auditors are often confronted with a situation where the client denies access to certain information or has a negative list of areas where internal audit is not desired. There are also situations where the client requires internal audit procedures to be carried out but findings are not to form part of the report and are to be reported separately.
16. Further, in case of an information technology based environment, the scope of engagement would include the extent to which internal auditors are permitted to access the system and the reports which can be viewed and those which can be exported. Further, system based audit tools that an internal auditor can use to draw and analyze the data should be clearly understood in the scope of his engagement.”
5.46 The annual internal audit plan needs to be approved by the board/ audit committee and should be developed on the basis of the three year RBIAP and the following additional factors:
• Changes in the business environment
• Changes in the organisation structure
• Changes in the business processes
• Changes in the regulatory environment
• Time of last audit engagement
• Availability of the skilled resources
• Management’s feedback and expectation from internal audit
• Changes in employee and government relations
• Recent change in accounting system
• Recent change in key personnel
5.47 The audit scope for the year needs to be developed considering the above mentioned factors. The scope thus prepared would be finalized for a year and approved by the board/ audit committee. The audit scope comprises the following:
• Auditable entities
• Locations to be covered
• Tentative schedule of the audit
• Key objective of the audit
• Factors which define the limits of the audit, including processes specifically excluded
• Any special considerations, such as management requests, provided they are acceptable
• Personnel carrying out the audit, including any special responsibilities

Allocate Resources, Engagement Scheduling and Execution
5.48 We can decide on the staff resources required to deliver the internal audit plan by deciding on the number of days each level of auditor is required for each audit, adding these up, and comparing them with the total days available. Note that audits will vary in length; even those which are high risk could be done very quickly. It may only take logging into the organisation’s intranet to confirm that it has a strategy and that this is being communicated. The resource requirements should be regularly updated to ensure the plan can be completed, especially if audits are added and staff leave.
The next step is to perform the detailed engagement scheduling based on the allocated resources, availability of the auditee, target date to finalise the report, and the criticality and extent of audit required. The schedule needs to be agreed with the auditee before execution. The schedule needs to be realistic to ensure adequate coverage of the work plan, assessment of all the identified risks and testing of all the controls. This is followed by the execution of the internal audit as per the defined approach and methodology of the internal audit function of the organisation and the relevant auditing standards.
Steps for Audit Scheduling, Resource Allocation and Execution
[Figure: cycle of steps] Develop and approve Risk Based Internal Audit Plan; Derive Annual Audit Plan; Audit Schedule; Resource Allocation; Conduct Audit; Report to Audit Committee; Update Risk Registers and RBIAP

Re-assess Risk and Control Environment and Update RBIAP
5.49 SIA 1 “Planning an Internal Audit” defines the audit universe as follows: “Audit universe comprises the activities, operations, units, etc., to be subjected to audit during the planning period. The audit universe is designed to reflect the overall business objectives and therefore includes components from the strategic plan of the entity. Thus, the audit universe is affected by the risk management process of the client. The audit universe and the related audit plan should also reflect changes in the management’s course of action, corporate objectives, etc.”


Planning involves developing an overall plan for the expected scope and
conduct of audit and developing an audit programme showing the nature,
timing and extent of audit procedures. Planning is a continuous exercise. A
plan once prepared should be continuously reviewed by the internal auditor
to identify any modifications required to bring the same in line with the
changes, if any, in the audit environment. However, any major modification to
the internal audit plan should be done in consultation with those charged with
governance. Further, the internal auditor should also document the changes
to the internal audit plan.
Therefore, the preparation of the risk based internal audit plan is based on
the defined methodology to be followed and the various steps as described
earlier. It is vital to note that the entire exercise of the risk identification,
prioritization and development of audit plan is not scientific and some level of
judgement and past experience is involved while preparing the risk based
internal audit plan. The risk registers prepared should be reviewed
periodically and updated while performing the actual internal audit.
5.50 As discussed earlier, risk identification is the process of identifying all possible risks in the auditable entities identified at the time of preparation of the audit universe. This includes evaluation of ‘what can go wrong’ in the particular process attached to the identified auditable entity which can have an adverse impact on the organization. The adverse impact could be in the form of possible financial loss, operational inefficiency and ineffectiveness, statutory non-compliance, incorrect reporting etc. The quality and effectiveness of the risk assessment depends on the comprehensiveness and completeness of the risk identification exercise. Risk identification becomes more comprehensive and complete by continuously re-validating the risks along with the audit execution. The risk based internal audit plan should be evaluated every year by repeating the steps involved in its development, to identify auditable entities whose residual risk score has increased (and which are therefore required to be audited more often) or decreased (and which can be brought down to the manageable/ acceptable zone, reducing the frequency of internal audit).


Steps for Developing the Audit Universe
[Figure: sequence of steps]
(i) Draft initial sketch of audit universe
(ii) Develop RBIAP
(iii) Allocate Resources, engagement scheduling and execution
(iv) Re-assess risk and control environment
(v) Updated RBIAP
(vi) Revalidate RBIAP
(vii) Approve RBIAP

Chapter 6
Case Study
Situation
The Company is involved in the upstream and midstream business of oil and gas, with widespread operations across the country comprising a Corporate Office, Plant Operations and Depots. The internal audit function of the Company comprises a small team which needs to complete the internal audit for the Company as per the annual charter approved by the Audit Committee of the Company. The IA function is headed by an Internal Audit Head who reports to the Audit Committee. The Audit Committee directs the IA head to prepare the Risk Based Internal Audit Plan (RBIAP) of the Company for a period of 3 years.
Solution
The IA head forms a team of 4 members comprising Accounting and Technical professionals. The team follows these steps to prepare the RBIAP:
(a) Define objective, criteria and risk appetite
(b) Understanding the business environment and processes
(c) Prepare audit universe
(d) Risk identification
(e) Risk prioritization and rating
(f) Assess control environment
(g) Derive residual risk rating
(h) Develop internal audit plan
Steps (a) and (b) equip the team with the relevant knowledge and information required for the purpose of developing the RBIAP (refer Chapter 5 for the steps). The illustrative deliverables of steps (c) to (h) are summarized below:

Step 1: Prepare Audit Universe

[Figure: process flow] Prepare Audit Universe; Risk Identification; Risk prioritization and rating; Assess control environment; Derive Residual Risk Rating; Develop Internal Audit plan

D. Sr. no. | Department | P. Sr. No. | Process
(The original table also marks, against each process, the Business Locations covered: Corporate Office, Plant and Depot.)
1 | Contracts | 1.1 | Tendering and RFQ
1 | Contracts | 1.2 | Contracting and Ordering
2 | Plant Operations | 2.1 | Production and Distribution
2 | Plant Operations | 2.2 | Operation and Maintenance
2 | Plant Operations | 2.3 | Safety and Environment
3 | Drilling | 3.1 | Drilling
4 | Information Technology | 4.1 | IT Security
4 | Information Technology | 4.2 | ERP and other applications
5 | Geology & Reservoir | 5.1 | Geology & Reservoir
6 | Research and Development | 6.1 | Research and Development
7 | Material Management | 7.1 | MM - Planning & Receiving
7 | Material Management | 7.2 | MM - Depot
7 | Material Management | 7.3 | MM - Inventory Handling and Storage
8 | Well Logging | 8.1 | Well Logging
9 | Finance and Accounts | 9.1 | Financial Planning and Analysis
9 | Finance and Accounts | 9.2 | Treasury
9 | Finance and Accounts | 9.3 | Financial Reporting
9 | Finance and Accounts | 9.4 | Asset Management
9 | Finance and Accounts | 9.5 | Payables
9 | Finance and Accounts | 9.6 | Invoicing and Receivables
9 | Finance and Accounts | 9.7 | JV Operations
9 | Finance and Accounts | 9.8 | Taxation
10 | Human Resource | 10.1 | Recruitment
10 | Human Resource | 10.2 | Learning and Development
10 | Human Resource | 10.3 | Separations
10 | Human Resource | 10.4 | Payroll Process
11 | Projects | 11.1 | Planning and Investment
11 | Projects | 11.2 | Execution and handover
12 | Business Development | 12.1 | Business Development
13 | Exploration & Development | 13.1 | Exploration & Development
14 | Maintenance | 14.1 | Pipeline Maintenance
14 | Maintenance | 14.2 | Equipment Maintenance
Step 2: Risk Identification

[Figure: process flow] Prepare Audit Universe; Risk Identification; Risk prioritization and rating; Assess control environment; Derive Residual Risk Rating; Develop Internal Audit plan

D. Sr. No. | Department | P. Sr. No. | Process | Risk Description | Risk Category
(The original table also marks, against each risk, the Business Locations covered: Corporate Office, Plant and Depot.)
1 | Contracts | 1.1 | Tendering and RFQ | Procurement beyond the defined budgetary limits. | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Inadequate vendor selection due to non-compliance to procurement policies and procedures (incl. tendering) | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Increased cost of procurement due to ineffective negotiation/ comparison of commercial bid submitted | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Unfavourable RFQ terms and conditions. | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Risk of favoritism to vendor. | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Inappropriate technical evaluation procedures. | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Inadequate procedures for procurement in case of proprietary items. | Financial
1 | Contracts | 1.1 | Tendering and RFQ | Fictitious vendors in the system | Financial
1 | Contracts | 1.2 | Contracting and Ordering | Contract terms and conditions not favourable to the Company | Financial
1 | Contracts | 1.2 | Contracting and Ordering | Delay in contracting or ordering | Operational
1 | Contracts | 1.2 | Contracting and Ordering | Risk of issue of unauthorised order. | Financial
1 | Contracts | 1.2 | Contracting and Ordering | Inadequate contract compliance procedures. | Operational
1 | Contracts | 1.2 | Contracting and Ordering | Work started before completion of contracting procedures. | Operational
2 | Plant Operations | 2.1 | Production and Distribution | Regular updation and review of the actual production against the planned production not done. | Financial
2 | Plant Operations | 2.1 | Production and Distribution | Production levels may not have been monitored regularly on a Central Tank Farm (CTF), GGS and well-wise basis for the level of oil production | Financial
2 | Plant Operations | 2.1 | Production and Distribution | Production targets are not being communicated and monitored by the Group Gathering Stations (GGS). | Financial
2 | Plant Operations | 2.1 | Production and Distribution | Crude Oil pilferages / leakages while transportation | Financial
2 | Plant Operations | 2.1 | Production and Distribution | Incorrect certification of bills | Financial
2 | Plant Operations | 2.1 | Production and Distribution | Inadequate testing of material used leading to well issues later affecting production | Financial
2 | Plant Operations | 2.1 | Production and Distribution | Non-utilization of the assets | Financial
2 | Plant Operations | 2.1 | Production and Distribution | Inadequate fire safety arrangement at site | Health, Safety & Environment
2 | Plant Operations | 2.1 | Production and Distribution | Wrong financial reporting due to inadequate controls on production recording | Incorrect Financial Reporting
2 | Plant Operations | 2.1 | Production and Distribution | Inadequate QA / QC process during Production | Financial Loss
2 | Plant Operations | 2.1 | Production and Distribution | Production loss due to inadequate breakdown analysis and compliance | Financial Loss
2 | Plant Operations | 2.2 | Operation and Maintenance | Scheduled maintenance and work over operations for various wells not planned in advance. | Operational
2 | Plant Operations | 2.2 | Operation and Maintenance | Total amount of water pumped into each well is not being tracked, causing over pumping of water. | Operational
2 | Plant Operations | 2.2 | Operation and Maintenance | Appropriate records are not being maintained in respect of the collection of oil and gas from the wells | Operational
2 | Plant Operations | 2.2 | Operation and Maintenance | Flow meters at CTF are not properly calibrated and the calibration is not being periodically checked. Pumping records of the extent of oil pumped to the customer are not properly kept and maintained. | Operational
2 | Plant Operations | 2.2 | Operation and Maintenance | Production failure/ loss due to inadequate preventive maintenance schedule or lack of compliance of schedule. | Financial Loss
2 | Plant Operations | 2.2 | Operation and Maintenance | Delays in maintenance | Financial Loss
2 | Plant Operations | 2.3 | Safety and Environment | Regular visits of the oil well are not conducted and all oil well installations are not being inspected | Operational
2 | Plant Operations | 2.3 | Safety and Environment | HSE non-compliances by contractors | Statutory Non-compliance
3 | Drilling | 3.1 | Drilling | The cost benefit analysis for drilling not done, resulting in excess cost of operations. | Financial
3 | Drilling | 3.1 | Drilling | Risk of accidents due to inadequate training and mis-handling. | Health, Safety and Environment
3 | Drilling | 3.1 | Drilling | Inadequate HSE compliance at the drilling sites. | Health, Safety and Environment
3 | Drilling | 3.1 | Drilling | Damage to the equipment due to inadequate security at the drilling site. | Financial
3 | Drilling | 3.1 | Drilling | Sub-optimal utilization of rigs and other drilling equipment. | Financial
3 | Drilling | 3.1 | Drilling | Delays in operation due to inadequate co-ordination and delays in equipment availability. | Operational
3 | Drilling | 3.1 | Drilling | Mis-alignment of the drilling plan with the overall work program | Financial
3 | Drilling | 3.1 | Drilling | Wrong financial reporting due to inappropriate inputs for cost allocation process, well cost reconciliation process | Reporting
3 | Drilling | 3.1 | Drilling | Lack of planning and monitoring of cost and effort involved in drilling of wells (recording and monitoring against KPIs / Targets) | Financial
3 | Drilling | 3.1 | Drilling | Ineffective/ Inefficient functioning of the process due to non-compliance to policies and procedures defined | Financial
4 | Information Technology | 4.1 | IT Security | Unauthorized system access due to weak logical access control rights, password controls, etc. | Operational
4 | Information Technology | 4.1 | IT Security | Inadequate environment controls. | Operational
4 | Information Technology | 4.1 | IT Security | Inadequate access controls to data centre. | Operational
4 | Information Technology | 4.1 | IT Security | Unauthorised access to data centre. | Operational
4 | Information Technology | 4.1 | IT Security | Penal consequences due to usage of unlicensed software. | Financial Loss
4 | Information Technology | 4.1 | IT Security | Disaster recovery policy and procedures to identify critical business applications/ data not defined | Financial Loss
4 | Information Technology | 4.1 | IT Security | Increased vulnerability of the network to intrusions - external or internal. | Financial Loss
4 | Information Technology | 4.1 | IT Security | Leakage/ loss of sensitive information/ corrupted and insecure data | Financial Loss
4 | Information Technology | 4.2 | ERP and other applications | Corrupt/ loss of data due to inadequate configuration and logical controls within SAP | Incorrect Financial Reporting
4 | Information Technology | 4.2 | ERP and other applications | Unauthorized transactions due to inadequate segregation of duties | Financial Loss
4 | Information Technology | 4.2 | ERP and other applications | Inaccurate master data due to inadequate controls on master data maintenance and changes | Financial Loss
4 | Information Technology | 4.2 | ERP and other applications | Absence of an audit trail in case of unauthorized access / users. | Financial Loss
4 | Information Technology | 4.2 | ERP and other applications | Inadequate system logic controls to prevent unauthorized/ incorrect transaction processing through SAP. | Financial Loss
4 | Information Technology | 4.2 | ERP and other applications | Inadequate user management | Financial Loss
4 | Information Technology | 4.2 | ERP and other applications | Access and ID of the separated employees not removed. | Financial Loss
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Existing work being done within the department is not backed up by a physical plan. | Operational
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Proper procedures do not exist or are not followed while deciding the type of survey (2D, 3D or 4D survey). | Operational
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Cost report not prepared | Financial
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Surveys done are not properly recorded. | Operational
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Adequate physical security of the recorded data does not exist | Health, Safety and Environment
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Unavailability of adequate technical data used for proposing exploratory locations | Operational
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Inability to optimize/ actualize expected returns from exploration blocks | Financial Loss
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Delays in monitoring the reserves | Financial Loss
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Inaccurate estimation of reserves | Incorrect Financial Reporting
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Incorrect interpretation due to no quality review process of validating the interpretation workflow / cycle followed | Financial Loss
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | Delay in seismic data processing due to ineffective scheduling | Financial Loss
6 | Research and Development | 6.1 | Research and Development | Inadequate calibration of R&D tools and equipment causing incorrect results. | Financial Loss
6 | Research and Development | 6.1 | Research and Development | High cost of operation due to obsolete technology. | Financial Loss
6 | Research and Development | 6.1 | Research and Development | Delay in procurement of lab equipment causing delay in completion of R&D activities | Financial Loss
7 | Material Management | 7.1 | MM - Planning & Receiving | Risk of receiving more than the ordered quantity | Financial
7 | Material Management | 7.1 | MM - Planning & Receiving | Risk of accepting inferior quality of material | Financial
7 | Material Management | 7.1 | MM - Planning & Receiving | Proper quality assurance testing of all raw materials is not done when received. | Financial
7 | Material Management | 7.2 | MM - Depot | Unauthorized disposal of scrap | Financial Loss
7 | Material Management | 7.2 | MM - Depot | Inadequate segregation of duties between personnel responsible for ordering, receiving and issue of material | Financial Loss
7 | Material Management | 7.2 | MM - Depot | Inventory loss due to weak storage/ stacking and segregation guidelines. | Financial Loss
7 | Material Management | 7.2 | MM - Depot | Financial loss due to inadequate security procedures at the warehouse | Financial Loss
7 | Material Management | 7.2 | MM - Depot | Loss of life/ resources due to non-compliance to regulatory laws and regulations | Health, Safety & Environment
7 | Material Management | 7.2 | MM - Depot | Delay in renewal or expiry of various licenses | Statutory Non-compliance
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | Unauthorized and inappropriate indenting | Financial Loss
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | Inadequate monitoring of slow/ non-moving inventory | Financial Loss
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | Damage to spares and material due to inadequate storage. | Financial Loss
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | Critical spares not identified and maintained | Financial Loss
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | Unauthorised issue of material | Financial Loss
8 | Well Logging | 8.1 | Well Logging | Absence of monitoring of the time taken to interpret the data given to the interpretation team, and of review of the records maintained in this respect to ascertain major delays. | Operational
8 | Well Logging | 8.1 | Well Logging | Inadequate records maintained to document discussions and conclusions of the interpretation team. | Operational
8 | Well Logging | 8.1 | Well Logging | Database/ information not maintained about unsuccessful wells for use during subsequent decisions. | Operational
8 | Well Logging | 8.1 | Well Logging | Existing work being done within the Department is not backed up by a plan. | Operational
9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | Delays in preparation and communication of annual plans. | Operational
9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | Inappropriate basis and inputs for planning | Operational
9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | Management Information System inadequately aligned with strategic objectives | Incorrect Financial Reporting
9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | Delays in financial reporting and closing | Operational
9 | Finance and Accounts | 9.2 | Treasury | Adverse fluctuation in foreign exchange rates | Financial Loss
9 Finance and 9.2 Treasury  Inadequate working Financial Loss
Accounts capital management
9 Finance and 9.2 Treasury  Inadequate monitoring of Financial Loss
Accounts cash and bank balances
9 Finance and 9.3 Financial   Inadequate financial Incorrect
Accounts Reporting reporting systems Financial

67
Reporting
9 Finance and 9.3 Financial   Mis-representation in Incorrect
Accounts Reporting financial statements and Financial
reports Reporting
9 Finance and 9.4 Asset  Incorrect capitalization of Incorrect
Accounts Management assets Financial
Reporting
9 Finance and 9.4 Asset  Physical verification of Incorrect
Accounts Management assets not done Financial
Reporting
9 Finance and 9.4 Asset  Depreciation & Depletion Incorrect
Case Study

Accounts Management charges have not been Financial


D. Sr. Department P. Sr. Process Business Locations Risk Description Risk Category
No. No. Corporate Plant Depot
Office
accurately calculated and Reporting
recorded in the
appropriate period.
9 Finance and 9.5 Payables  Risk of delay in invoice Financial
Accounts processing
9 Finance and 9.5 Payables  Duplicate vendor codes Financial
Accounts

68
9 Finance and 9.5 Payables Risk of delay in payment Financial
Accounts processing
Guide on Risk Based Internal Audit Plan

9 Finance and 9.5 Payables  Royalty not paid as Financial


Accounts specified in Production
Sharing Contract.
9 Finance and 9.5 Payables  Risk of excess payment Financial
Accounts
9 Finance and 9.6 Invoicing   The accounting policies Reporting
Accounts and for accounting of sales
Receivables especially take or pay,
underlifts/ overlifts,
contractual liabilities etc.
not in compliance with
D. Sr. Department P. Sr. Process Business Locations Risk Description Risk Category
No. No. Corporate Plant Depot
Office
the Accounting
Standards.
9 Finance and 9.6 Invoicing   Delay in invoicing. Financial
Accounts and
Receivables
9 Finance and 9.6 Invoicing   Incorrect and Financial
Accounts and unauthorised invoicing.
Receivables
 

69
9 Finance and 9.6 Invoicing Quantitative Financial
Accounts and reconciliation not done to
Receivables identify excessive losses.
9 Finance and 9.6 Invoicing   Royalty not paid as Financial
Accounts and specified Production
Receivables Sharing Contract.
9 Finance and 9.6 Invoicing   Inaccurate calculations of Financial
Accounts and the wellhead value.
Receivables
9 Finance and 9.6 Invoicing   Investment multiple not Financial
Accounts and calculated in the manner
Receivables as provided in the
Case Study
D. Sr. Department P. Sr. Process Business Locations Risk Description Risk Category
No. No. Corporate Plant Depot
Office
Production Sharing
Contract.
9 Finance and 9.6 Invoicing   Inadequate monitoring of Financial
Accounts and receivable and follow up
Receivables for collections.
9 Finance and 9.7 JV  Inaccurate working of Incorrect
Accounts Operations cost allocated by Financial
operating partners for JV Reporting

70
Non Operated
Guide on Risk Based Internal Audit Plan

9 Finance and 9.7 JV  Non raising/ delayed Financial Loss


Accounts Operations recovery of cash call from
JV partner.
9 Finance and 9.7 JV  Wrong allocations to JV Financial Loss
Accounts Operations due to inadequate
process of costing and
identification of allocable
costs.
9 Finance and 9.7 JV  Inadequate control over Financial Loss
Accounts Operations expenses in case of non
operating blocks
D. Sr. Department P. Sr. Process Business Locations Risk Description Risk Category
No. No. Corporate Plant Depot
Office
9 Finance and 9.8 Taxation  Risk of regulatory Risk of
Accounts penalties due to non Regulatory
compliance with TDS, Non-
Service Tax and other Compliance
relevant acts
9 Finance and 9.8 Taxation  Tax payments and tax Statutory Non
Accounts returns are not made or compliance
filed within permissible
time limits

71
9 Finance and 9.8 Taxation  Inadequate monitoring Financial Loss
Accounts mechanism for pending
demands or assessment
cases, etc.
10 Human 10.1 Recruitment  Delay in hiring impacting Operational
Resource operation delays
10 Human 10.1 Recruitment  Hiring inappropriate Operational
Resource personnel
10 Human 10.1 Recruitment  Incomplete Operational
Resource documentation in
employee records/ files
Case Study
D. Sr. Department P. Sr. Process Business Locations Risk Description Risk Category
No. No. Corporate Plant Depot
Office
10 Human 10.1 Recruitment  Inadequate background Operational
Resource and reference checks
10 Human 10.2 Learning and  Inadequate planning of Operational
Resource Development training requirements
10 Human 10.2 Learning and  Training needs not Operational
Resource Development identified
10 Human 10.2 Learning and  Training programs not Operational
Resource Development conducted in timely

72
manner
Guide on Risk Based Internal Audit Plan

10 Human 10.2 Learning and  Feedback procedures not Operational


Resource Development established
10 Human 10.3 Separations  Delay in Full and Final Financial
Resource
10 Human 10.3 Separations  Inadequate clearance Financial
Resource procedures
10 Human 10.3 Separations  Inadequate waivers Financial
Resource
10 Human 10.3 Separations  Old loan and advances Financial
Resource not settled before
releiving.
D. Sr. Department P. Sr. Process Business Locations Risk Description Risk Category
No. No. Corporate Plant Depot
Office
10 Human 10.3 Separations  Exit formalities not Operational
Resource completed in timely
manner.
10 Human 10.4 Payroll  Incorrect processing of Financial Loss
Resource Process salary
10 Human 10.4 Payroll  Incorrect processing and Financial Loss
Resource Process settlement of various
employee claims
10 Human 10.4 Payroll  Incorrect attendance Financial Loss

73
Resource Process monitoring and
accounting of leaves.
10 Human 10.4 Payroll  Incorrect provisioning Financial Loss
Resource Process and accounting of
retirement funds
management by the
company.
10 Human 10.4 Payroll  Delay in disbursement/ Financial Loss
Resource Process transfer of salary.
11 Projects 11.1 Planning  Inadequate planning and Financial Loss
and budgeting of Projects
Case Study

Investment
D. Sr. Department P. Sr. Process Business Locations Risk Description Risk Category
No. No. Corporate Plant Depot
Office
11 Projects 11.1 Planning  Appropriate feasibility Financial
and studies not conducted
Investment
11 Projects 11.1 Planning  Required clearances not Compliance
and obtaining on timely basis
Investment
11 Projects 11.1 Planning  Inadequate assessment Financial
and of Return on Investments

74
Investment
Guide on Risk Based Internal Audit Plan

11 Projects 11.2 Execution  Time and Cost overruns Financial Loss


and in the projects due to
handover weak project monitoring
and/ or execution.
11 Projects 11.2 Execution  Operational delays due to Financial Loss
and delay in obtaining/
handover renewal of statutory
clearances
11 Projects 11.2 Execution  Non compliance to Statutory Non
and various statutory compliance
handover provisions and
requirements.
D. Sr. Department P. Sr. Process Business Locations Risk Description Risk Category
No. No. Corporate Plant Depot
Office
11 Projects 11.2 Execution  Delay in procurement/ Financial Loss
and ordering.
handover
11 Projects 11.2 Execution  Commissioning without Financial Loss
and adequate quality checks
handover and testing procedures
11 Projects 11.2 Execution  Lack of monitoring of Health, Safety
and HSE compliance by & Environment

75
handover contractors / internal staff
during execution
12 Business 12.1 Business  Inadequate post Financial Loss
Development Development acquisition techno-
commercial review for
overseas acquisitions
12 Business 12.1 Business  Delays in floating of Financial Loss
Development Development Tenders
12 Business 12.1 Business  Financial health check up Financial Loss
Development Development analysis not performed
for acquired assets
Case Study
D. Sr. Department P. Sr. Process Business Locations Risk Description Risk Category
No. No. Corporate Plant Depot
Office
13 Exploration & 13.1 Exploration  Inability to optimize/ Financial Loss
development & actualize expected
development returns from exploration
blocks
13 Exploration & 13.1 Exploration  Non fulfillment to Financial Loss
development & minimum work program
development specially with respect to
timeliness

76
14 Maintenance 14.1 Pipeline  All Flow lines are not Operational
Guide on Risk Based Internal Audit Plan

Maintenance being regularly tested


and inspected for any
blockage
14 Maintenance 14.1 Pipeline  Delays in providing Financial Loss
Maintenance maintenance services
impacting operational
efficiency.
14 Maintenance 14.1 Pipeline  Inadequate planning of Operational
Maintenance maintenance activities
14 Maintenance 14.1 Pipeline  Preventive maintenance Operational
Maintenance not carried on timely
basis.
D. Sr. Department P. Sr. Process Business Locations Risk Description Risk Category
No. No. Corporate Plant Depot
Office
14 Maintenance 14.1 Pipeline  Inadequate training to Financial Loss
Maintenance manpower
14 Maintenance 14.1 Pipeline  Safety risk of working in Health, Safety
Maintenance running pipelines & Environment
14 Maintenance 14.2 Equipment  Delays in providing Financial Loss
Maintenance maintenance services
impacting operational
efficiency.

77
14 Maintenance 14.2 Equipment Inadequate planning of Operational
Maintenance maintenance activities
14 Maintenance 14.2 Equipment  Preventive maintenance Operational
Maintenance not carried on timely
basis.
14 Maintenance 14.2 Equipment  Inadequate training to Financial Loss
Maintenance manpower
14 Maintenance 14.2 Equipment Safety risk of working in Health, Safety
Maintenance running pipelines & Environment
14 Maintenance 14.2 Equipment Frequent breakdowns Financial Loss
Maintenance due to non-performance
Case Study

of root cause analysis


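Several rows of the register above are access-control risks that can be tested mechanically rather than by interview: "Inadequate segregation of duties between personnel responsible for ordering, receiving and issue of material" (7.2), and, in the IT rows of the same register, unauthorized transactions due to inadequate segregation of duties and access IDs of separated employees not being removed (4.2). The script below is an added example of such a test and is not part of the Guide or of any client's procedures. It assumes two extracts the auditor would normally obtain: an HR separation list (employee number, last working day) and an application user export (user ID, linked employee number, status, roles, last logon). The role names in the conflict matrix and all records are constructed for illustration; a real engagement would take the conflict matrix from the entity's own authorisation policy.

```python
"""Control tests for SoD conflicts and unrevoked access of separated staff.

Added example; not part of the Guide. Input shapes are assumed and the data
below is constructed. Adapt SOD_CONFLICTS to the entity's authorisation policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Pairs of roles that one person must not hold together (assumed role names).
SOD_CONFLICTS = {
    frozenset({"PO_CREATE", "GR_POST"}),         # order and receive
    frozenset({"GR_POST", "GI_POST"}),           # receive and issue
    frozenset({"PO_CREATE", "GI_POST"}),         # order and issue
    frozenset({"VENDOR_MASTER", "AP_PAYMENT"}),  # create a vendor and pay it
}


@dataclass(frozen=True)
class Account:
    user_id: str
    employee_no: Optional[str]   # None = not linked to any HR record
    status: str                  # "ACTIVE" or "LOCKED"
    roles: frozenset
    last_logon: Optional[date]


@dataclass(frozen=True)
class Separation:
    employee_no: str
    last_working_day: date


def active_after_separation(accounts: Iterable[Account], separations: Iterable[Separation],
                            as_of: date, grace_days: int = 0):
    """ACTIVE accounts whose owner left more than grace_days before as_of.

    Each finding is (user_id, employee_no, last_working_day, logged_on_after_leaving);
    a logon after the last working day is the stronger finding (actual use of
    the orphaned credential, not merely a revocation delay).
    """
    left_on = {s.employee_no: s.last_working_day for s in separations}
    findings = []
    for a in accounts:
        if a.status != "ACTIVE" or a.employee_no not in left_on:
            continue
        lwd = left_on[a.employee_no]
        if (as_of - lwd).days > grace_days:
            used_after = bool(a.last_logon and a.last_logon > lwd)
            findings.append((a.user_id, a.employee_no, lwd.isoformat(), used_after))
    return findings


def orphan_accounts(accounts: Iterable[Account], known_employee_nos: set) -> list:
    """ACTIVE accounts with no HR owner at all: shared, technical or fictitious IDs."""
    return sorted(a.user_id for a in accounts
                  if a.status == "ACTIVE"
                  and (a.employee_no is None or a.employee_no not in known_employee_nos))


def sod_conflicts(accounts: Iterable[Account]) -> list:
    """(user_id, conflicting role pair) for every ACTIVE user holding a forbidden pair."""
    out = []
    for a in accounts:
        if a.status != "ACTIVE":
            continue
        for pair in SOD_CONFLICTS:
            if pair <= a.roles:
                out.append((a.user_id, tuple(sorted(pair))))
    return sorted(out)


# Constructed sample extracts (not real data).
AS_OF = date(2015, 2, 5)
HR_CURRENT = {"E100", "E101", "E102", "E104"}
SEPARATIONS = [Separation("E103", date(2014, 11, 30)), Separation("E105", date(2015, 1, 15))]
ACCOUNTS = [
    Account("rkumar", "E100", "ACTIVE", frozenset({"PO_CREATE"}), date(2015, 2, 2)),
    Account("smehta", "E101", "ACTIVE", frozenset({"PO_CREATE", "GR_POST"}), date(2015, 2, 3)),
    Account("apatel", "E102", "ACTIVE", frozenset({"GI_POST"}), date(2015, 1, 30)),
    Account("jsingh", "E103", "ACTIVE", frozenset({"GR_POST"}), date(2014, 12, 20)),   # left, used after
    Account("vrao", "E105", "ACTIVE", frozenset({"AP_PAYMENT"}), date(2015, 1, 10)),   # left, not yet used
    Account("mgupta", "E104", "LOCKED", frozenset({"VENDOR_MASTER", "AP_PAYMENT"}), None),
    Account("batchuser", None, "ACTIVE", frozenset({"GR_POST", "GI_POST"}), date(2015, 2, 4)),
]


def run_all(grace_days: int = 7) -> dict:
    known = HR_CURRENT | {s.employee_no for s in SEPARATIONS}
    return {
        "separated_still_active": active_after_separation(ACCOUNTS, SEPARATIONS, AS_OF, grace_days),
        "orphans": orphan_accounts(ACCOUNTS, known),
        "sod": sod_conflicts(ACCOUNTS),
    }


if __name__ == "__main__":
    for name, rows in run_all().items():
        print(name, rows)
```

The grace period is a judgement call: a revocation SLA of a few days is normal, so the test reports only accounts open past it, but any logon after the last working day is reported regardless of the SLA because it indicates the credential was actually used. Locked accounts are excluded from the SoD test since they cannot post transactions; an auditor who wants a full picture of entitlements would run the same check over all accounts. In a real engagement the two extracts would be reconciled on employee number, which is why the orphan test treats any ACTIVE account without a matching HR record as a finding in its own right.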
Step 3: Risk Prioritization and Rating

Prepare Audit Universe → Risk Identification → Risk Prioritization and Rating → Assess Control Environment → Derive Residual Risk Rating → Develop Internal Audit Plan

(a) Assign a Risk Score to each of the risks identified under risk identification.
| D. Sr. No. | Department | P. Sr. No. | Process | Business Locations (Corporate Office / Plant / Depot) | Risk Description | Risk Category | Risk Score |
|---|---|---|---|---|---|---|---|
| 1 | Contracts | 1.1 | Tendering and RFQ | ✓ | Procurement beyond the defined budgetary limits. | Financial | 4 |
| 1 | Contracts | 1.1 | Tendering and RFQ | ✓ | Inadequate vendor selection due to non-compliance with procurement policies and procedures (incl. tendering). | Financial | 5 |
| 1 | Contracts | 1.1 | Tendering and RFQ | ✓ | Increased cost of procurement due to ineffective negotiation/comparison of commercial bids submitted. | Financial | 4 |
| 1 | Contracts | 1.1 | Tendering and RFQ | ✓ | Unfavourable RFQ terms and conditions. | Financial | 5 |
| 1 | Contracts | 1.1 | Tendering and RFQ | ✓ | Risk of favouritism towards a vendor. | Financial | 5 |
| 1 | Contracts | 1.1 | Tendering and RFQ | ✓ | Inappropriate technical evaluation procedures. | Financial | 4 |
| 1 | Contracts | 1.1 | Tendering and RFQ | ✓ | Inadequate procedures for procurement of proprietary items. | Financial | 2 |
| 1 | Contracts | 1.1 | Tendering and RFQ | ✓ | Fictitious vendors in the system. | Financial | 3 |
| 1 | Contracts | 1.2 | Contracting and Ordering | ✓ | Contract terms and conditions not favourable to the Company. | Financial | 4 |
| 1 | Contracts | 1.2 | Contracting and Ordering | ✓ | Delay in contracting or ordering. | Operational | 3 |
| 1 | Contracts | 1.2 | Contracting and Ordering | ✓ | Risk of issue of unauthorised orders. | Financial | 5 |
| 1 | Contracts | 1.2 | Contracting and Ordering | ✓ | Inadequate contract compliance procedures. | Operational | 4 |
| 1 | Contracts | 1.2 | Contracting and Ordering | ✓ | Work started before completion of contracting procedures. | Operational | 3 |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | Regular updating and review of actual production against planned production not done. | Financial | 3 |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | Oil production levels may not have been monitored regularly on a Central Tank Farm (CTF), GGS and well-wise basis. | Financial | 3 |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | Production targets not communicated to, and monitored by, the Group Gathering Stations (GGS). | Financial | 3 |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | Crude oil pilferage/leakage during transportation. | Financial | 4 |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | Incorrect certification of bills. | Financial | 4 |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | Inadequate testing of material used, leading to well issues that later affect production. | Financial | 5 |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | Non-utilization of assets. | Financial | 4 |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | Inadequate fire safety arrangements at site. | Health, Safety & Environment | 5 |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | Wrong financial reporting due to inadequate controls on production recording. | Incorrect Financial Reporting | 4 |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | Inadequate QA/QC process during production. | Financial Loss | 4 |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | Production loss due to inadequate breakdown analysis and compliance. | Financial Loss | 4 |
| 2 | Plant Operations | 2.2 | Operation and Maintenance | ✓ | Scheduled maintenance and workover operations for various wells not planned in advance. | Operational | 4 |
| 2 | Plant Operations | 2.2 | Operation and Maintenance | ✓ | Total amount of water pumped into each well not tracked, causing over-pumping of water. | Operational | 3 |
| 2 | Plant Operations | 2.2 | Operation and Maintenance | ✓ | Appropriate records not maintained in respect of the collection of oil and gas from the wells. | Operational | 3 |
| 2 | Plant Operations | 2.2 | Operation and Maintenance | ✓ | Flow meters at CTF not properly calibrated, and the calibration not periodically checked. | Operational | 4 |
| 2 | Plant Operations | 2.2 | Operation and Maintenance | | Pumping records of the quantity of oil pumped to the customer not properly kept and maintained. | | |
| 2 | Plant Operations | 2.2 | Operation and Maintenance | ✓ | Production failure/loss due to inadequate preventive maintenance schedule or lack of compliance with the schedule. | Financial Loss | 5 |
| 2 | Plant Operations | 2.2 | Operation and Maintenance | ✓ | Delays in maintenance. | Financial Loss | 4 |
| 2 | Plant Operations | 2.3 | Safety and Environment | ✓ | Regular visits to the oil wells not conducted, and not all oil well installations inspected. | Operational | 4 |
| 2 | Plant Operations | 2.3 | Safety and Environment | ✓ | HSE non-compliances by contractors. | Statutory Non-compliance | 5 |
| 3 | Drilling | 3.1 | Drilling | ✓ | Cost-benefit analysis for drilling not done, resulting in excess cost of operations. | Financial | 4 |
| 3 | Drilling | 3.1 | Drilling | ✓ | Risk of accidents due to inadequate training and mishandling. | Health, Safety and Environment | 5 |
| 3 | Drilling | 3.1 | Drilling | ✓ | Inadequate HSE compliance at the drilling sites. | Health, Safety and Environment | 5 |
| 3 | Drilling | 3.1 | Drilling | | Damage to equipment due to inadequate security at the drilling site. | Financial | 4 |
| 3 | Drilling | 3.1 | Drilling | ✓ | Sub-optimal utilization of rigs and other drilling equipment. | Financial | 4 |
| 3 | Drilling | 3.1 | Drilling | ✓ | Delays in operation due to inadequate coordination and delays in equipment availability. | Operational | 3 |
| 3 | Drilling | 3.1 | Drilling | ✓ | Misalignment of the drilling plan with the overall work programme. | Financial | 3 |
| 3 | Drilling | 3.1 | Drilling | ✓ | Wrong financial reporting due to inappropriate inputs to the cost allocation and well cost reconciliation processes. | Reporting | 4 |
| 3 | Drilling | 3.1 | Drilling | ✓ | Lack of planning and monitoring of cost and effort involved in drilling of wells (recording and monitoring against KPIs/targets). | Financial | 3 |
| 3 | Drilling | 3.1 | Drilling | ✓ | Ineffective/inefficient functioning of the process due to non-compliance with defined policies and procedures. | Financial | 3 |
| 4 | Information Technology | 4.1 | IT Security | ✓ ✓ | Unauthorized system access due to weak logical access control rights, password controls, etc. | Operational | 5 |
| 4 | Information Technology | 4.1 | IT Security | ✓ ✓ | Inadequate environmental controls. | Operational | 4 |
| 4 | Information Technology | 4.1 | IT Security | ✓ ✓ | Inadequate access controls to the data centre. | Operational | 4 |
| 4 | Information Technology | 4.1 | IT Security | ✓ ✓ | Unauthorised access to the data centre. | Operational | 4 |
| 4 | Information Technology | 4.1 | IT Security | ✓ ✓ | Penal consequences due to use of unlicensed software. | Financial Loss | 5 |
| 4 | Information Technology | 4.1 | IT Security | ✓ ✓ | Disaster recovery policy and procedures to identify critical business applications/data not defined. | Financial Loss | 3 |
| 4 | Information Technology | 4.1 | IT Security | ✓ ✓ | Increased vulnerability of the network to intrusions, external or internal. | Financial Loss | 4 |
| 4 | Information Technology | 4.1 | IT Security | ✓ ✓ | Leakage/loss of sensitive information; corrupted and insecure data. | Financial Loss | 4 |
| 4 | Information Technology | 4.2 | ERP and other applications | ✓ | Corruption/loss of data due to inadequate configuration and logical controls within SAP. | Incorrect Financial Reporting | 3 |
| 4 | Information Technology | 4.2 | ERP and other applications | ✓ | Unauthorized transactions due to inadequate segregation of duties. | Financial Loss | 3 |
| 4 | Information Technology | 4.2 | ERP and other applications | ✓ | Inaccurate master data due to inadequate controls on master data maintenance and changes. | Financial Loss | 4 |
| 4 | Information Technology | 4.2 | ERP and other applications | ✓ | Absence of an audit trail in case of unauthorized access/users. | Financial Loss | 2 |
| 4 | Information Technology | 4.2 | ERP and other applications | ✓ | Inadequate system logic controls to prevent unauthorized/incorrect transaction processing through SAP. | Financial Loss | 4 |
| 4 | Information Technology | 4.2 | ERP and other applications | ✓ | Inadequate user management. | Financial Loss | 4 |
| 4 | Information Technology | 4.2 | ERP and other applications | ✓ | Access and IDs of separated employees not removed. | Financial Loss | 4 |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | Existing work being done within the department is not backed by a physical plan. | Operational | 3 |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | Proper procedures do not exist, or are not followed, when deciding the type of survey (2D, 3D or 4D). | Operational | 4 |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | Cost report not prepared. | Financial | 3 |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | Surveys done not properly recorded. | Operational | 3 |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | Adequate physical security of the recorded data does not exist. | Health, Safety and Environment | 4 |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | Unavailability of adequate technical data for proposing exploratory locations. | Operational | 4 |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | Inability to optimize/actualize expected returns from exploration blocks. | Financial Loss | 4 |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | Delays in monitoring the reserves. | Financial Loss | 3 |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | Inaccurate estimation of reserves. | Incorrect Financial Reporting | 4 |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | Incorrect interpretation due to absence of a quality review process validating the interpretation workflow/cycle followed. | Financial Loss | 5 |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | Delay in seismic data processing due to ineffective scheduling. | Financial Loss | 3 |
| 6 | Research and Development | 6.1 | Research and Development | ✓ | Inadequate calibration of R&D tools and equipment causing incorrect results. | Financial Loss | 2 |
| 6 | Research and Development | 6.1 | Research and Development | ✓ | High cost of operation due to obsolete technology. | Financial Loss | 3 |
| 6 | Research and Development | 6.1 | Research and Development | ✓ | Delay in procurement of lab equipment causing delay in completion of R&D activities. | Financial Loss | 2 |
| 7 | Material Management | 7.1 | MM - Planning & Receiving | ✓ ✓ | Risk of receiving more than the ordered quantity. | Financial | 3 |
| 7 | Material Management | 7.1 | MM - Planning & Receiving | ✓ ✓ | Risk of accepting inferior quality of material. | Financial | 3 |
| 7 | Material Management | 7.1 | MM - Planning & Receiving | ✓ ✓ | Proper quality assurance testing of all raw materials is not done when they are received. | Financial | 4 |
| 7 | Material Management | 7.2 | MM - Depot | ✓ ✓ | Unauthorized disposal of scrap. | Financial Loss | 2 |
| 7 | Material Management | 7.2 | MM - Depot | ✓ ✓ | Inadequate segregation of duties between personnel responsible for ordering, receiving and issue of material. | Financial Loss | 2 |
| 7 | Material Management | 7.2 | MM - Depot | ✓ ✓ | Inventory loss due to weak storage/stacking and segregation guidelines. | Financial Loss | 2 |
| 7 | Material Management | 7.2 | MM - Depot | ✓ ✓ | Financial loss due to inadequate security procedures at the warehouse. | Financial Loss | 2 |
| 7 | Material Management | 7.2 | MM - Depot | ✓ ✓ | Loss of life/resources due to non-compliance with regulatory laws and regulations. | Health, Safety & Environment | 4 |
| 7 | Material Management | 7.2 | MM - Depot | ✓ ✓ | Delay in renewal, or expiry, of various licenses. | Statutory Non-compliance | 5 |
| 7 | Material Management | 7.3 | MM - Inventory Handling and Storage | ✓ ✓ | Unauthorized and inappropriate indenting. | Financial Loss | 1 |
| 7 | Material Management | 7.3 | MM - Inventory Handling and Storage | ✓ ✓ | Inadequate monitoring of slow/non-moving inventory. | Financial Loss | 4 |
| 7 | Material Management | 7.3 | MM - Inventory Handling and Storage | ✓ ✓ | Damage to spares and material due to inadequate storage. | Financial Loss | 4 |
| 7 | Material Management | 7.3 | MM - Inventory Handling and Storage | ✓ ✓ | Critical spares not identified and maintained. | Financial Loss | 4 |
| 7 | Material Management | 7.3 | MM - Inventory Handling and Storage | ✓ ✓ | Unauthorised issue of material. | Financial Loss | 3 |
| 8 | Well Logging | 8.1 | Well Logging | ✓ | No monitoring of the time taken by the interpretation team to interpret the data given to it, and no review of the records maintained in this respect to ascertain major delays. | Operational | 3 |
| 8 | Well Logging | 8.1 | Well Logging | ✓ | Inadequate records maintained to document discussions and conclusions of the interpretation team. | Operational | 3 |
| 8 | Well Logging | 8.1 | Well Logging | ✓ | Database/information on unsuccessful wells not maintained for use in subsequent decisions. | Operational | 3 |
| 8 | Well Logging | 8.1 | Well Logging | ✓ | Existing work being done within the Department is not backed by a plan. | Operational | 3 |
| 9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | ✓ | Delays in preparation and communication of annual plans. | Operational | 3 |
| 9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | ✓ | Inappropriate basis and inputs for planning. | Operational | 4 |
| 9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | ✓ | Management Information System inadequately aligned with strategic objectives. | Incorrect Financial Reporting | 3 |
| 9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | ✓ | Delays in financial reporting and closing. | Operational | 4 |
| 9 | Finance and Accounts | 9.2 | Treasury | ✓ | Adverse fluctuation in foreign exchange rates. | Financial Loss | 4 |
| 9 | Finance and Accounts | 9.2 | Treasury | ✓ | Inadequate working capital management. | Financial Loss | 5 |
| 9 | Finance and Accounts | 9.2 | Treasury | ✓ | Inadequate monitoring of cash and bank balances. | Financial Loss | 3 |
| 9 | Finance and Accounts | 9.3 | Financial Reporting | ✓ ✓ | Inadequate financial reporting systems. | Incorrect Financial Reporting | 4 |
| 9 | Finance and Accounts | 9.3 | Financial Reporting | ✓ | Misrepresentation in financial statements and reports. | Incorrect Financial Reporting | 3 |
| 9 | Finance and Accounts | 9.4 | Asset Management | ✓ | Incorrect capitalization of assets. | Incorrect Financial Reporting | 4 |
| 9 | Finance and Accounts | 9.4 | Asset Management | ✓ | Physical verification of assets not done. | Incorrect Financial Reporting | 4 |
| 9 | Finance and Accounts | 9.4 | Asset Management | ✓ | Depreciation and depletion charges not accurately calculated and recorded in the appropriate period. | Incorrect Financial Reporting | 4 |
| 9 | Finance and Accounts | 9.5 | Payables | ✓ | Risk of delay in invoice processing. | Financial | 3 |
| 9 | Finance and Accounts | 9.5 | Payables | ✓ | Duplicate vendor codes. | Financial | 4 |
| 9 | Finance and Accounts | 9.5 | Payables | ✓ | Risk of delay in payment processing. | Financial | 3 |
| 9 | Finance and Accounts | 9.5 | Payables | ✓ | Royalty not paid as specified in the Production Sharing Contract. | Financial | 3 |
| 9 | Finance and Accounts | 9.5 | Payables | ✓ | Risk of excess payment. | Financial | 4 |
| 9 | Finance and Accounts | 9.6 | Invoicing and Receivables | ✓ ✓ | Accounting policies for sales, especially take or pay, underlifts/overlifts, contractual liabilities etc., not in compliance with the Accounting Standards. | Reporting | 3 |
| 9 | Finance and Accounts | 9.6 | Invoicing and Receivables | ✓ ✓ | Delay in invoicing. | Financial | 3 |
| 9 | Finance and Accounts | 9.6 | Invoicing and Receivables | ✓ ✓ | Incorrect and unauthorised invoicing. | Financial | 4 |
| 9 | Finance and Accounts | 9.6 | Invoicing and Receivables | ✓ ✓ | Quantitative reconciliation not done to identify excessive losses. | Financial | 4 |
| 9 | Finance and Accounts | 9.6 | Invoicing and Receivables | ✓ ✓ | Royalty not paid as specified in the Production Sharing Contract. | Financial | 3 |
| 9 | Finance and Accounts | 9.6 | Invoicing and Receivables | ✓ ✓ | Inaccurate calculation of the wellhead value. | Financial | 4 |
| 9 | Finance and Accounts | 9.6 | Invoicing and Receivables | ✓ ✓ | Investment multiple not calculated in the manner provided in the Production Sharing Contract. | Financial | 4 |
| 9 | Finance and Accounts | 9.6 | Invoicing and Receivables | ✓ ✓ | Inadequate monitoring of receivables and follow-up for collections. | Financial | 3 |
| 9 | Finance and Accounts | 9.7 | JV Operations | ✓ | Inaccurate working of cost allocated by operating partners for non-operated JVs. | Incorrect Financial Reporting | 4 |
| 9 | Finance and Accounts | 9.7 | JV Operations | ✓ | Non-raising or delayed recovery of cash calls from JV partners. | Financial Loss | 4 |
| 9 | Finance and Accounts | 9.7 | JV Operations | ✓ | Wrong allocations to JV due to inadequate process of costing and identification of allocable costs. | Financial Loss | 4 |
| 9 | Finance and Accounts | 9.7 | JV Operations | ✓ | Inadequate control over expenses in case of non-operated blocks. | Financial Loss | 4 |
| 9 | Finance and Accounts | 9.8 | Taxation | ✓ | Risk of regulatory penalties due to non-compliance with TDS, Service Tax and other relevant acts. | Risk of Regulatory Non-Compliance | 4 |
| 9 | Finance and Accounts | 9.8 | Taxation | ✓ | Tax payments and tax returns not made or filed within permissible time limits. | Statutory Non-compliance | 4 |
| 9 | Finance and Accounts | 9.8 | Taxation | ✓ | Inadequate monitoring mechanism for pending demands, assessment cases, etc. | Financial Loss | 4 |
| 10 | Human Resource | 10.1 | Recruitment | ✓ | Delay in hiring causing operational delays. | Operational | 3 |
| 10 | Human Resource | 10.1 | Recruitment | ✓ | Hiring inappropriate personnel. | Operational | 4 |
| 10 | Human Resource | 10.1 | Recruitment | ✓ | Incomplete documentation in employee records/files. | Operational | 2 |
| 10 | Human Resource | 10.1 | Recruitment | ✓ | Inadequate background and reference checks. | Operational | 3 |
| 10 | Human Resource | 10.2 | Learning and Development | ✓ | Inadequate planning of training requirements. | Operational | 4 |
| 10 | Human Resource | 10.2 | Learning and Development | ✓ | Training needs not identified. | Operational | 4 |
| 10 | Human Resource | 10.2 | Learning and Development | ✓ | Training programs not conducted in a timely manner. | Operational | 4 |
| 10 | Human Resource | 10.2 | Learning and Development | ✓ | Feedback procedures not established. | Operational | 3 |
| 10 | Human Resource | 10.3 | Separations | ✓ | Delay in full and final settlement. | Financial | 3 |
| 10 | Human Resource | 10.3 | Separations | ✓ | Inadequate clearance procedures. | Financial | 3 |
| 10 | Human Resource | 10.3 | Separations | ✓ | Inadequate waivers. | Financial | 3 |
| 10 | Human Resource | 10.3 | Separations | ✓ | Old loans and advances not settled before relieving. | Financial | 3 |
| 10 | Human Resource | 10.3 | Separations | ✓ | Exit formalities not completed in a timely manner. | Operational | 3 |
| 10 | Human Resource | 10.4 | Payroll Process | ✓ | Incorrect processing of salary. | Financial Loss | 4 |
| 10 | Human Resource | 10.4 | Payroll Process | ✓ | Incorrect processing and settlement of various employee claims. | Financial Loss | 4 |
| 10 | Human Resource | 10.4 | Payroll Process | ✓ | Incorrect attendance monitoring and accounting of leave. | Financial Loss | 3 |
| 10 | Human Resource | 10.4 | Payroll Process | ✓ | Incorrect provisioning and accounting of retirement funds managed by the company. | Financial Loss | 3 |
| 10 | Human Resource | 10.4 | Payroll Process | ✓ | Delay in disbursement/transfer of salary. | Financial Loss | 3 |
Resource Process transfer of salary. Loss
11 Projects 11.1 Planning and  Inadequate planning Financial 4
Investment and budgeting of Loss
Projects
11 Projects 11.1 Planning and  Appropriate feasibility Financial 5
Investment studies not conducted

103
11 Projects 11.1 Planning and  Required clearances Compliance 5
Investment not obtaining on timely
basis
11 Projects 11.1 Planning and  Inadequate assessment Financial 4
Investment of Return on
Investments
11 Projects 11.2 Execution and  Time and Cost overruns Financial 4
handover in the projects due to Loss
weak project monitoring
and/ or execution.
11 Projects 11.2 Execution and  Operational delays due Financial 4
Case Study

handover to delay in obtaining/ Loss


D. Department P. Sr. Process Business Locations Risk Description Risk Category Risk
Sr. No. Corporate Plant Depot Score
no. Office
renewal of statutory
clearances
11 Projects 11.2 Execution and  Non compliance to Statutory Non 5
handover various statutory compliance
provisions and
requirements.
11 Projects 11.2 Execution and  Delay in procurement/ Financial 3
handover ordering. Loss

104
11 Projects 11.2 Execution and  Commissioning without Financial 4
Guide on Risk Based Internal Audit Plan

handover adequate quality Loss


checks and testing
procedures
11 Projects 11.2 Execution and  Lack of monitoring of Health, 5
handover HSE compliance by Safety &
contractors / internal Environment
staff during execution
12 Business 12.1 Business  Inadequate post Financial 3
Development Development acquisition techno- Loss
commercial review for
overseas acquisitions
D. Department P. Sr. Process Business Locations Risk Description Risk Category Risk
Sr. No. Corporate Plant Depot Score
no. Office
12 Business 12.1 Business  Delays in floating of Financial 2
Development Development Tenders Loss
12 Business 12.1 Business  Financial health check Financial 3
Development Development up analysis not Loss
performed for acquired
assets
13 Exploration & 13.1 Exploration &  Inability to optimize/ Financial 4
development development actualize expected Loss
returns from exploration

105
blocks
13 Exploration & 13.1 Exploration &  Non fulfillment to Financial 3
development development minimum work program Loss
specially with respect to
timeliness
14 Maintenance 14.1 Pipeline  All Flow lines are not Operational 4
Maintenance being regularly tested
and inspected for any
blockage
14 Maintenance 14.1 Pipeline  Delays in providing Financial 4
Case Study

Maintenance maintenance services Loss


D. Department P. Sr. Process Business Locations Risk Description Risk Category Risk
Sr. No. Corporate Plant Depot Score
no. Office
impacting operational
efficiency.
14 Maintenance 14.1 Pipeline  Inadequate planning of Operational 3
Maintenance maintenance activities
14 Maintenance 14.1 Pipeline  Preventive Operational 4
Maintenance maintenance not
carried on timely basis.

106
14 Maintenance 14.1 Pipeline Inadequate training to Financial 3
Guide on Risk Based Internal Audit Plan

Maintenance manpower Loss


14 Maintenance 14.1 Pipeline  Safety risk of working in Health, 4
Maintenance running pipelines Safety &
Environment
14 Maintenance 14.2 Equipment  Delays in providing Financial 4
Maintenance maintenance services Loss
impacting operational
efficiency.
14 Maintenance 14.2 Equipment  Inadequate planning of Operational 4
Maintenance maintenance activities
14 Maintenance 14.2 Equipment  Preventive Operational 3
D. Department P. Sr. Process Business Locations Risk Description Risk Category Risk
Sr. No. Corporate Plant Depot Score
no. Office
Maintenance maintenance not
carried on timely basis.
14 Maintenance 14.2 Equipment  Inadequate training to Financial 4
Maintenance manpower Loss
14 Maintenance 14.2 Equipment  Safety risk of working in Health, 3
Maintenance running pipelines Safety &
Environment
14 Maintenance 14.2 Equipment  Frequent breakdowns Financial 4

107
Maintenance due to non performance Loss
of root cause analysis
Prepare the summarized Risk Register using the arithmetic mean of the Risk Scores assigned to the risks identified under the previous step. Also, assign the rationale for the risk rating given to each of the audit areas.

| D. Sr. no. | Department | P. Sr. No. | Process | Business Locations (Corporate Office / Plant / Depot) | Initial Risk Rating | Rationale for Initial Risk Rating |
|---|---|---|---|---|---|---|
| 1 | Contracts | 1.1 | Tendering and RFQ | ✓ | 4.00 | • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability |
| 1 | Contracts | 1.2 | Contracting and Ordering | ✓ | 3.80 | • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | 3.91 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Impact of Major Financial Loss • Significant threat to Health, Safety & Environment • Major impact on organizational profitability |
| 2 | Plant Operations | 2.2 | Operation and Maintenance | ✓ | 3.83 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Non-compliance with major financial penalties or prosecutions. • Impact of Major Financial Loss • Significant threat to Health, Safety & Environment |
| 2 | Plant Operations | 2.3 | Safety and Environment | ✓ | 4.50 | • Risk of high reputational impact to organization • Non-compliance with major financial penalties and prosecutions. • Impact of High Financial Loss • Significant threat to Health, Safety & Environment • High impact on organizational profitability |
| 3 | Drilling | 3.1 | Drilling | ✓ | 3.80 | • Impact of Major Financial Loss • Significant threat to Health, Safety & Environment • Major impact on organizational profitability |
| 4 | Information Technology | 4.1 | IT Security | ✓ ✓ | 4.13 | • Process risks with critical risk on the organization. • Impact of High Financial Loss • Repeated fraud/ misappropriation with major financial or reputational consequences • Missing IT and ERP systems |
| 4 | Information Technology | 4.2 | ERP and other applications | ✓ | 3.43 | • Process risks with major risk on the organization. • Repeated fraud/ misappropriation • Deficient IT and ERP systems |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | 3.64 | • Process risks with major risk on the organization. • Impact of Major Financial Loss • Major impact on organizational profitability |
| 6 | Research and Development | 6.1 | Research and Development | ✓ | 2.33 | • Process risks with tolerable risk on the organization. • Tolerable impact on organizational profitability |
| 7 | Material Management | 7.1 | MM - Planning & Receiving | ✓ | 3.33 | • Process risks with major risk on the organization. • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability |
| 7 | Material Management | 7.2 | MM - Depot | ✓ ✓ | 2.83 | • Process risks with tolerable risk on the organization. • Possible threat to Health, Safety & Environment • Possible fraud/ misappropriation • Tolerable impact on organizational profitability |
| 7 | Material Management | 7.3 | MM - Inventory Handling and Storage | ✓ ✓ | 3.20 | • Process risks with major risk on the organization. • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability |
| 8 | Well Logging | 8.1 | Well Logging | ✓ | 3.00 | • Process risks with tolerable risk on the organization. • Tolerable impact on organizational profitability |
| 9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | ✓ | 3.50 | • Process risks with major risk on the organization. • Impact of Major Financial Loss • Major impact on organizational profitability |
| 9 | Finance and Accounts | 9.2 | Treasury | ✓ | 4.00 | • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability |
| 9 | Finance and Accounts | 9.3 | Financial Reporting | ✓ ✓ | 3.50 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Non-compliance with major financial penalties or prosecutions. • Repeated fraud/ misappropriation |
| 9 | Finance and Accounts | 9.4 | Asset Management | ✓ | 4.00 | • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability |
| 9 | Finance and Accounts | 9.5 | Payables | ✓ | 3.40 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Repeated fraud/ misappropriation |
| 9 | Finance and Accounts | 9.6 | Invoicing and Receivables | ✓ ✓ | 3.50 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability |
| 9 | Finance and Accounts | 9.7 | JV Operations | ✓ | 4.00 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability |
| 9 | Finance and Accounts | 9.8 | Taxation | ✓ | 4.00 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Non-compliance with major financial penalties or prosecutions. • Major impact on organizational profitability |
| 10 | Human Resource | 10.1 | Recruitment | ✓ | 3.00 | • Process risks with tolerable risk on the organization. • Non-compliance with major financial penalties. • Possible fraud/ misappropriation • Tolerable impact on organizational profitability |
| 10 | Human Resource | 10.2 | Learning and Development | ✓ | 3.75 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Significant threat to Health, Safety & Environment |
| 10 | Human Resource | 10.3 | Separations | ✓ | 3.00 | • Process risks with tolerable risk on the organization. • Possible fraud/ misappropriation • Tolerable impact on organizational profitability |
| 10 | Human Resource | 10.4 | Payroll Process | ✓ | 3.40 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Repeated fraud/ misappropriation |
| 11 | Projects | 11.1 | Planning and Investment | ✓ | 4.50 | • Process risks with critical risk on the organization. • Risk of high reputational impact to organization • Non-compliance with major financial penalties and prosecutions. • Impact of High Financial Loss • High impact on organizational profitability |
| 11 | Projects | 11.2 | Execution and handover | ✓ | 4.17 | • Process risks with critical risk on the organization. • Risk of high reputational impact to organization • Non-compliance with major financial penalties and prosecutions. • Impact of High Financial Loss • Significant threat to Health, Safety & Environment • Repeated fraud/ misappropriation with major financial or reputational consequences • High impact on organizational profitability |
| 12 | Business Development | 12.1 | Business Development | ✓ | 2.67 | • Impact of significant Financial Loss • Tolerable impact on organizational profitability |
| 13 | Exploration & development | 13.1 | Exploration & development | ✓ | 3.50 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Impact of Major Financial Loss • Significant threat to Health, Safety & Environment • Major impact on organizational profitability |
| 14 | Maintenance | 14.1 | Pipeline Maintenance | ✓ | 3.67 | • Impact of Major Financial Loss • Significant threat to Health, Safety & Environment • Major impact on organizational profitability |
| 14 | Maintenance | 14.2 | Equipment Maintenance | ✓ | 3.67 | • Impact of Major Financial Loss • Significant threat to Health, Safety & Environment • Major impact on organizational profitability |
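As an added example (not the Guide's own code), the aggregation behind the summarized register above: rows of the detailed risk register are grouped by process and the arithmetic mean of their Risk Scores becomes the Initial Risk Rating. The sample rows are a constructed subset copied from the 11.1 and 14.1 entries of the register; the `max_score` and `critical_risks` fields are an added check, because a moderate mean can hide a single score-5 risk that still needs audit coverage.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class RiskEntry:
    """One row of the detailed risk register (Step 3 of the case study)."""
    dept_no: int
    department: str
    process_no: str
    process: str
    risk: str
    category: str
    score: int  # 1 (low) .. 5 (critical), the scale used in the register


# Constructed sample: a subset of rows taken from the register on this page.
REGISTER = [
    RiskEntry(11, "Projects", "11.1", "Planning and Investment",
              "Inadequate planning and budgeting of Projects", "Financial Loss", 4),
    RiskEntry(11, "Projects", "11.1", "Planning and Investment",
              "Appropriate feasibility studies not conducted", "Financial", 5),
    RiskEntry(11, "Projects", "11.1", "Planning and Investment",
              "Required clearances not obtained on a timely basis", "Compliance", 5),
    RiskEntry(11, "Projects", "11.1", "Planning and Investment",
              "Inadequate assessment of Return on Investments", "Financial", 4),
    RiskEntry(14, "Maintenance", "14.1", "Pipeline Maintenance",
              "All Flow lines are not being regularly tested and inspected", "Operational", 4),
    RiskEntry(14, "Maintenance", "14.1", "Pipeline Maintenance",
              "Delays in providing maintenance services", "Financial Loss", 4),
    RiskEntry(14, "Maintenance", "14.1", "Pipeline Maintenance",
              "Inadequate planning of maintenance activities", "Operational", 3),
    RiskEntry(14, "Maintenance", "14.1", "Pipeline Maintenance",
              "Preventive maintenance not carried out on a timely basis", "Operational", 4),
    RiskEntry(14, "Maintenance", "14.1", "Pipeline Maintenance",
              "Inadequate training to manpower", "Financial Loss", 3),
    RiskEntry(14, "Maintenance", "14.1", "Pipeline Maintenance",
              "Safety risk of working in running pipelines", "Health, Safety & Environment", 4),
]


def summarize_register(entries, critical_score=5):
    """Group register rows by process and build the summarized register.

    Returns {process_no: {...}} where initial_risk_rating is the arithmetic
    mean of the process's scores rounded to two decimals, as the case study
    shows it. max_score and critical_risks are an added check (not part of the
    Guide's method): they expose a single critical risk the mean would mask.
    """
    grouped = defaultdict(list)
    for e in entries:
        if not 1 <= e.score <= 5:
            raise ValueError(f"score out of range for {e.process_no}: {e.score}")
        grouped[e.process_no].append(e)
    summary = {}
    for process_no, rows in grouped.items():
        scores = [r.score for r in rows]
        summary[process_no] = {
            "department": rows[0].department,
            "process": rows[0].process,
            "initial_risk_rating": round(mean(scores), 2),
            "max_score": max(scores),
            "critical_risks": [r.risk for r in rows if r.score >= critical_score],
            "risk_count": len(rows),
        }
    return summary


def format_summary(summary):
    """Render the summarized register as plain-text lines, ordered by process number."""
    lines = []
    for process_no in sorted(summary, key=lambda p: tuple(int(x) for x in p.split("."))):
        s = summary[process_no]
        flag = " [critical risk present]" if s["critical_risks"] else ""
        lines.append(f"{process_no} {s['process']}: {s['initial_risk_rating']:.2f} "
                     f"(max {s['max_score']}, {s['risk_count']} risks){flag}")
    return lines


if __name__ == "__main__":
    for line in format_summary(summarize_register(REGISTER)):
        print(line)
```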
Step 4: Assess control environment

Prepare Audit Universe → Risk Identification → Risk prioritization and rating → Assess control environment → Derive Residual Risk Rating → Develop Internal Audit plan

Assign the control environment rating for each of the identified audit areas and provide the rationale for assigning the control environment ratings.
| D. Sr. no. | Department | P. Sr. No. | Process | Business Locations (Corporate Office / Plant / Depot) | Initial Risk Rating | Rationale for Initial Risk Rating | Control Environment Rating | Rationale for Control Environment Rating |
|---|---|---|---|---|---|---|---|---|
| 1 | Contracts | 1.1 | Tendering and RFQ | ✓ | 4.00 | • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability | 4.00 | • Preventive or detective controls not identified or defined • Moderate IT environment with missing automated controls. • Policy and Procedures not formally defined and there may be possible deviations |
| 1 | Contracts | 1.2 | Contracting and Ordering | ✓ | 3.80 | • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability | 4.00 | • Preventive or detective controls not identified or defined • Moderate IT environment with missing automated controls. • Policy and Procedures not formally defined and there may be possible deviations |
| 2 | Plant Operations | 2.1 | Production and Distribution | ✓ | 3.91 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Impact of Major Financial Loss • Significant threat to Health, Safety & Environment • Major impact on organizational profitability | 3.00 | • Defined Preventive or detective control but unlikely monitoring and update exercise. • Legal compliance framework with minor deviations. • Defined Policy and Procedures but insufficient control on implementation and compliance to same. • Consistent organisation growth with possible losses |
| 2 | Plant Operations | 2.2 | Operation and Maintenance | ✓ | 3.83 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Non-compliance with major financial penalties or prosecutions. • Impact of Major Financial Loss • Significant threat to Health, Safety & Environment | 3.00 | • Defined Preventive or detective control but unlikely monitoring and update exercise. • Legal compliance framework with minor deviations. • Defined Policy and Procedures but insufficient control on implementation and compliance to same. • Consistent Organisation growth with possible losses |
| 2 | Plant Operations | 2.3 | Safety and Environment | ✓ | 4.50 | • Risk of high reputational impact to organization • Non-compliance with major financial penalties and prosecutions. • Impact of High Financial Loss • Significant threat to Health, Safety & Environment • High impact on organizational profitability | 3.00 | • Defined Preventive or detective control but unlikely monitoring and update exercise. • Legal compliance framework with minor deviations. • Defined Policy and Procedures but insufficient control on implementation and compliance to same. • Consistent Organisation growth with possible losses |
| 3 | Drilling | 3.1 | Drilling | ✓ | 3.80 | • Impact of Major Financial Loss • Significant threat to Health, Safety & Environment • Major impact on organizational profitability | 4.00 | • Policy and Procedures not formally defined and there may be possible deviations • Consistent organisation growth with frequent losses • Inadequate board monitoring and governance structure |
| 4 | Information Technology | 4.1 | IT Security | ✓ ✓ | 4.13 | • Process risks with critical risk on the organization. • Impact of High Financial Loss • Repeated fraud/ misappropriation with major financial or reputational consequences • Missing IT and ERP systems | 2.00 | • Defined Preventive or detective control • Established ERP system and IT security measures • Well defined Policy and Procedures and minor deviations |
| 4 | Information Technology | 4.2 | ERP and other applications | ✓ | 3.43 | • Process risks with major risk on the organization. • Repeated fraud/ misappropriation • Deficient IT and ERP systems | 2.00 | • Defined Preventive or detective control • Established ERP system and IT security measures • Well defined Policy and Procedures and minor deviations |
| 5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | 3.64 | • Process risks with major risk on the organization. • Impact of Major Financial Loss • Major impact on organizational profitability | 2.00 | • Defined Preventive or detective control • Well defined Policy and Procedures and minor deviations • Consistent organisation growth with unlikely losses. |
| 6 | Research and Development | 6.1 | Research and Development | ✓ | 2.33 | • Process risks with tolerable risk on the organization. • Tolerable impact on organizational profitability | 1.00 | • Existence of strong Preventive or detective control with mechanism for continuous monitoring and update of the same. • Well established ERP system and IT security measures • Well defined and implemented Policy and Procedures • Consistent organisation growth with rare surprises |
| 7 | Material Management | 7.1 | MM - Planning & Receiving | ✓ | 3.33 | • Process risks with major risk on the organization. • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability | 5.00 | • Missing preventive or detective controls • Insufficient IT environment with missing automated controls. • Policy and Procedures not defined • Inconsistent organisation growth with major losses • Inadequate decentralisation of decision making |
| 7 | Material Management | 7.2 | MM - Depot | ✓ ✓ | 2.83 | • Process risks with tolerable risk on the organization. • Possible threat to Health, Safety & Environment • Possible fraud/ misappropriation • Tolerable impact on organizational profitability | 5.00 | • Missing preventive or detective controls • Insufficient IT environment with missing automated controls. • Policy and Procedures not defined • Inconsistent organisation growth with major losses • Inadequate decentralisation of decision making |
| 7 | Material Management | 7.3 | MM - Inventory Handling and Storage | ✓ ✓ | 3.20 | • Process risks with major risk on the organization. • Impact of major Financial loss • Repeated fraud/ misappropriation • Major impact on organizational profitability | 5.00 | • Missing preventive or detective controls • Insufficient IT environment with missing automated controls. • Policy and Procedures not defined • Inconsistent Organisation growth with major losses • Inadequate decentralisation of decision making |
| 8 | Well Logging | 8.1 | Well Logging | ✓ | 3.00 | • Process risks with tolerable risk on the organization. • Tolerable impact on organizational profitability | 1.00 | • Existence of strong preventive or detective control with mechanism for continuous monitoring and update of the same. • Well established ERP system and IT security measures • Well defined and implemented policy and procedures • Consistent organisation growth with rare surprises |
| 9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | ✓ | 3.50 | • Process risks with major risk on the organization. • Impact of major financial loss • Major impact on organizational profitability | 3.00 | • Defined Preventive or detective control but unlikely monitoring and update exercise. • Legal compliance framework with minor deviations. • Established ERP system and IT security measures • Defined Policy and Procedures but insufficient control on implementation and compliance to same. • Consistent Organisation growth with possible losses |
| 9 | Finance and Accounts | 9.2 | Treasury | ✓ | 4.00 | • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability | 3.00 | • Defined Preventive or detective control but unlikely monitoring and update exercise. • Established ERP system and IT security measures • Defined Policy and Procedures but insufficient control on implementation and compliance to same. • Consistent organisation growth with possible losses |
| 9 | Finance and Accounts | 9.3 | Financial Reporting | ✓ ✓ | 3.50 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Non-compliance with major financial penalties or prosecutions. • Repeated fraud/ misappropriation | 4.00 | • Preventive or detective controls not identified or defined • Missing legal compliance framework with alternative measure to monitor legal compliance. • Moderate IT environment with missing automated controls. • Policy and procedures not formally defined and there may be possible deviations. |
| 9 | Finance and Accounts | 9.4 | Asset Management | ✓ | 4.00 | • Impact of major financial loss • Repeated fraud/ misappropriation • Major impact on organizational profitability | 4.00 | • Preventive or detective controls not identified or defined • Moderate IT environment with missing automated controls. • Policy and procedures not formally defined and there may be possible deviations • Consistent organisation growth with frequent losses. |
| 9 | Finance and Accounts | 9.5 | Payables | ✓ | 3.40 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Repeated fraud/ misappropriation | 4.00 | • Preventive or detective controls not identified or defined • Moderate IT environment with missing automated controls. • Policy and Procedures not formally defined and there may be possible deviations |
| 9 | Finance and Accounts | 9.6 | Invoicing and Receivables | ✓ ✓ | 3.50 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability | 3.00 | • Defined Preventive or detective control but unlikely monitoring and update exercise. • Established ERP system and IT security measures • Defined Policy and Procedures but insufficient control on implementation and compliance to same. • Consistent organisation growth with possible losses |
| 9 | Finance and Accounts | 9.7 | JV Operations | ✓ | 4.00 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Impact of Major Financial Loss • Repeated fraud/ misappropriation • Major impact on organizational profitability | 4.00 | • Preventive or detective controls not identified or defined • Moderate IT environment with missing automated controls. • Policy and Procedures not formally defined and there may be possible deviations • Consistent Organisation growth with frequent losses • Inadequate board monitoring and governance structure |
| 9 | Finance and Accounts | 9.8 | Taxation | ✓ | 4.00 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Non-compliance with major financial penalties or prosecutions. • Major impact on organizational profitability | 4.00 | • Preventive or detective controls not identified or defined • Missing Legal compliance framework with alternative measure to monitor legal compliance. • Moderate IT environment with missing automated controls. • Policy and Procedures not formally defined and there may be possible deviations |
| 10 | Human Resource | 10.1 | Recruitment | ✓ | 3.00 | • Process risks with tolerable risk on the organization. • Non-compliance with major financial penalties. • Possible fraud/ misappropriation • Tolerable impact on organizational profitability | 4.00 | • Preventive or detective controls not identified or defined • Moderate IT environment with missing automated controls. • Policy and Procedures not formally defined and there may be possible deviations • Consistent organisation growth with frequent losses • Inadequate board monitoring and governance structure |
| 10 | Human Resource | 10.2 | Learning and Development | ✓ | 3.75 | • Process risks with major risk on the organization. • Risk of reputational impact to organization • Significant threat to Health, Safety & Environment | 4.00 | • Preventive or detective controls not identified or defined • Moderate IT environment with missing automated controls. • Policy and Procedures not formally defined and there may be possible deviations • Consistent organisation growth with frequent losses • Inadequate board monitoring and governance structure |
| 10 | Human Resource | 10.3 | Separations | ✓ | 3.00 | • Process risks with tolerable risk on the organization. • Possible fraud/ misappropriation • Tolerable impact on organizational profitability | 4.00 | • Preventive or detective controls not identified or defined • Moderate IT environment with missing automated controls. • Policy and Procedures not formally defined and there may be possible deviations |
• Consistent
organisation
growth with
frequent losses
• Inadequate
board
monitoring and
governance
structure
10 Human 10.4 Payroll  3.40 • Process risks 5.00 • Missing
Resource Process with major risk preventive or
Case Study

on the detective
D. Department P. Sr. Process Business Locations Initial Rationale for Control Rationale for
Sr. No. Corporate Plant Depot Risk Initial Risk Environment Control
no. Office Rating Rating Rating Environment
Rating
organization. controls
• Risk of • Insufficient IT
reputational environment
impact to with missing
organization automated
• Repeated controls.
fraud/ • Policy and

146
misappropriati Procedures not
Guide on Risk Based Internal Audit Plan

on defined.
11 Projects 11.1 Planning and  4.50 • Process risks 3.00 • Defined
Investment with critical Preventive or
risk on the detective control
organization. but unlikely
• Risk of high monitoring and
reputational update exercise.
impact to • Defined Policy
organization and Procedures
• Non- but insufficient
compliance control on
with major implementation
D. Department P. Sr. Process Business Locations Initial Rationale for Control Rationale for
Sr. No. Corporate Plant Depot Risk Initial Risk Environment Control
no. Office Rating Rating Rating Environment
Rating
financial and compliance
penalties and to same.
prosecutions. • Consistent
• Impact of High organisation
Financial Loss growth with
• High impact on possible losses
organizational
profitability

147
11 Projects 11.2 Execution  4.17 • Process risks 4.00 • Preventive or
and handover with critical detective
risk on the controls not
organization. identified or
• Risk of high defined
reputational • Policy and
impact to Procedures not
organization formally defined
• Non- and there may
compliance be possible
with major deviations
Case Study

financial • Consistent
D. Department P. Sr. Process Business Locations Initial Rationale for Control Rationale for
Sr. No. Corporate Plant Depot Risk Initial Risk Environment Control
no. Office Rating Rating Rating Environment
Rating
penalties and organisation
prosecutions. growth with
• Impact of High frequent losses
Financial Loss • Inadequate
• Significant board
threat to monitoring and
Health, Safety governance

148
& Environment structure.
Guide on Risk Based Internal Audit Plan

• Repeated
fraud/
misappropriati
on with major
financial or
reputational
consequences
• High impact on
organizational
profitability
12 Business 12.1 Business  2.67 • Impact of 2.00 • Defined
Development Development significant Preventive or
D. Department P. Sr. Process Business Locations Initial Rationale for Control Rationale for
Sr. No. Corporate Plant Depot Risk Initial Risk Environment Control
no. Office Rating Rating Rating Environment
Rating
Financial Loss detective control
• Tolerable • Well defined
impact on Policy and
organizational Procedures and
profitability minor deviations
• Consistent
organisation
growth with

149
unlikely losses.
13 Exploration & 13.1 Exploration &  3.50 • Process risks 3.00 • Defined
development development with major risk Preventive or
on the detective control
organization. but unlikely
• Risk of monitoring and
reputational update exercise.
impact to • Legal
organization compliance
• Impact of framework with
Major minor
Case Study

Financial Loss deviations.


D. Department P. Sr. Process Business Locations Initial Rationale for Control Rationale for
Sr. No. Corporate Plant Depot Risk Initial Risk Environment Control
no. Office Rating Rating Rating Environment
Rating
• Significant • Defined Policy
threat to and Procedures
Health, Safety but insufficient
& Environment control on
• Major impact implementation
on and compliance
organizational to same.

150
profitability • Consistent
Guide on Risk Based Internal Audit Plan

organisation
growth with
possible losses
14 Maintenance 14.1 Pipeline  3.67 • Impact of 3.00 • Defined
Maintenance Major Preventive or
Financial Loss detective control
• Significant but unlikely
threat to monitoring and
Health, Safety update exercise.
& Environment • Legal
• Major impact compliance
on framework with
D. Department P. Sr. Process Business Locations Initial Rationale for Control Rationale for
Sr. No. Corporate Plant Depot Risk Initial Risk Environment Control
no. Office Rating Rating Rating Environment
Rating
organizational minor
profitability deviations.
• Defined Policy
and Procedures
but insufficient
control on
implementation
and compliance

151
to same.
14 Maintenance 14.2 Equipment  3.67 • Impact of 3.00 • Defined
Maintenance Major Preventive or
Financial Loss detective control
• Significant but unlikely
threat to monitoring and
Health, Safety update exercise.
& Environment • Legal
• Major impact compliance
on framework with
organizational minor
Case Study

profitability deviations.
D. Department P. Sr. Process Business Locations Initial Rationale for Control Rationale for
Sr. No. Corporate Plant Depot Risk Initial Risk Environment Control
no. Office Rating Rating Rating Environment
Rating
• Defined Policy
and Procedures
but insufficient
control on
implementation
and compliance
to same.

152
Guide on Risk Based Internal Audit Plan
Step 5: Derive Residual Risk Rating

Process flow: Prepare Audit Universe → Risk Identification → Risk prioritization and rating → Assess control environment → Derive Residual Risk Rating → Develop Internal Audit plan

Derive the Residual Risk Rating for each of the identified audit areas by taking the product of its Initial Risk Rating and its Control Environment Rating. The Residual Risk Score shown in the table below is that product rounded up to the next whole number.
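The calculation described above, as an added example that is not part of the guide: it scores a handful of the case-study areas, rounds the product up as the table does, and orders the areas by residual score. The two-decimal ratings are the guide's; the exact fractions assumed behind the non-terminating ones (for instance 11/3 printing as 3.67) and the ordering step are this example's assumptions. It also exposes one trap worth checking when the scoring is done in a spreadsheet: rounding a rating to two decimals before multiplying, and then rounding the product up again, can add a point that the exact calculation does not (3.67 × 3.00 rounds up to 12, while the guide's 11.00 for Pipeline Maintenance only follows from the exact 11/3 × 3).

```python
from decimal import Decimal, ROUND_CEILING, ROUND_HALF_UP
from fractions import Fraction
from typing import NamedTuple


class AuditArea(NamedTuple):
    ref: str                 # process serial number from the audit universe, e.g. "9.7"
    process: str
    initial_risk: Fraction   # Initial Risk Rating, kept exact (unrounded)
    control_env: Fraction    # Control Environment Rating (1.00 = strong controls ... 5.00 = missing)


def residual_score(initial_risk, control_env) -> int:
    """Residual Risk Score = Initial Risk Rating x Control Environment Rating,
    rounded up to the next whole number (the guide's 'Rounded up' column).
    Inputs may be Fractions, ints or strings such as "3.80" or "11/3"."""
    product = Fraction(initial_risk) * Fraction(control_env)
    return -(-product.numerator // product.denominator)   # exact ceiling, no float error


def displayed(rating) -> Decimal:
    """The two-decimal figure as it is printed in the case-study table."""
    rating = Fraction(rating)
    exact = Decimal(rating.numerator) / Decimal(rating.denominator)
    return exact.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def residual_from_displayed(initial_display, control_display) -> int:
    """The same formula applied to the printed two-decimal figures. Included only
    to show the trap: rounding the rating first and rounding the product up again
    can add a point that the exact calculation does not."""
    product = Decimal(initial_display) * Decimal(control_display)
    return int(product.to_integral_value(rounding=ROUND_CEILING))


# Rows taken from the case-study table. The exact fractions behind 4.13, 3.33,
# 4.17 and 3.67 are ASSUMED here (33/8, 10/3, 25/6, 11/3); they are the values
# that print as the guide's figures and reproduce the guide's residual scores.
CASE_STUDY = [
    AuditArea("1.1", "Tendering and RFQ", Fraction("4.00"), Fraction("4.00")),
    AuditArea("1.2", "Contracting and Ordering", Fraction("3.80"), Fraction("4.00")),
    AuditArea("4.1", "IT Security", Fraction(33, 8), Fraction(2)),
    AuditArea("7.1", "MM - Planning & Receiving", Fraction(10, 3), Fraction(5)),
    AuditArea("11.2", "Execution and handover", Fraction(25, 6), Fraction(4)),
    AuditArea("14.1", "Pipeline Maintenance", Fraction(11, 3), Fraction(3)),
]


def prioritise(areas):
    """Score every area and order the list highest residual risk first, the
    natural starting point for the Step 6 audit plan (ordering is this example's choice).
    Each row is (ref, process, displayed initial, displayed control, residual score)."""
    rows = [
        (a.ref, a.process, displayed(a.initial_risk), displayed(a.control_env),
         residual_score(a.initial_risk, a.control_env))
        for a in areas
    ]
    return sorted(rows, key=lambda r: r[4], reverse=True)   # stable: ties keep table order


if __name__ == "__main__":
    for ref, process, initial, control, residual in prioritise(CASE_STUDY):
        print(f"{ref:>5}  {process:<28} {initial} x {control} -> {residual:>2}")
    # The rounding trap: printed 3.67 x 3.00 rounds up to 12, the exact 11/3 x 3 gives 11.
    print(residual_from_displayed("3.67", "3.00"), residual_score("11/3", 3))
```

Keeping the unrounded rating (here a Fraction) all the way to the final product is the only change needed to make the spreadsheet agree with the guide's column; rounding at the display step alone is harmless.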
Business Locations ticks (✓) mark the applicable locations among Corporate Office, Plant and Depot; the column position of each tick is not preserved in this text.

1.1 Tendering and RFQ (Department 1: Contracts)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 4.00
Rationale for Initial Risk Rating:
• Impact of Major Financial Loss
• Repeated fraud/misappropriation
• Major impact on organizational profitability
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Preventive or detective controls not identified or defined
• Moderate IT environment with missing automated controls.
• Policy and Procedures not formally defined and there may be possible deviations
Residual Risk Score (rounded up): 16.00

1.2 Contracting and Ordering (Department 1: Contracts)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.80
Rationale for Initial Risk Rating:
• Impact of Major Financial Loss
• Repeated fraud/misappropriation
• Major impact on organizational profitability
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Preventive or detective controls not identified or defined
• Moderate IT environment with missing automated controls.
• Policy and Procedures not formally defined and there may be possible deviations
Residual Risk Score (rounded up): 16.00

2.1 Production and Distribution (Department 2: Plant Operations)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.91
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Risk of reputational impact to organization
• Impact of Major Financial Loss
• Significant threat to Health, Safety & Environment
• Major impact on organizational profitability
Control Environment Rating: 3.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control but unlikely monitoring and update exercise.
• Legal compliance framework with minor deviations.
• Defined Policy and Procedures but insufficient control on implementation and compliance to same.
• Consistent organisation growth with possible losses
Residual Risk Score (rounded up): 12.00

2.2 Operation and Maintenance (Department 2: Plant Operations)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.83
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Risk of reputational impact to organization
• Non-compliance with major financial penalties or prosecutions.
• Impact of Major Financial Loss
• Significant threat to Health, Safety & Environment
Control Environment Rating: 3.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control but unlikely monitoring and update exercise.
• Legal compliance framework with minor deviations.
• Defined Policy and Procedures but insufficient control on implementation and compliance to same.
• Consistent organisation growth with possible losses
Residual Risk Score (rounded up): 12.00

2.3 Safety and Environment (Department 2: Plant Operations)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 4.50
Rationale for Initial Risk Rating:
• Risk of high reputational impact to organization
• Non-compliance with major financial penalties and prosecutions.
• Impact of High Financial Loss
• Significant threat to Health, Safety & Environment
• High impact on organizational profitability
Control Environment Rating: 3.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control but unlikely monitoring and update exercise.
• Legal compliance framework with minor deviations.
• Defined Policy and Procedures but insufficient control on implementation and compliance to same.
• Consistent organisation growth with possible losses
Residual Risk Score (rounded up): 14.00

3.1 Drilling (Department 3: Drilling)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.80
Rationale for Initial Risk Rating:
• Impact of Major Financial Loss
• Significant threat to Health, Safety & Environment
• Major impact on organizational profitability
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Policy and Procedures not formally defined and there may be possible deviations
• Consistent organisation growth with frequent losses
• Inadequate board monitoring and governance structure
Residual Risk Score (rounded up): 16.00

4.1 IT Security (Department 4: Information Technology)
Business Locations (Corporate Office / Plant / Depot): ✓ ✓
Initial Risk Rating: 4.13
Rationale for Initial Risk Rating:
• Process risks with critical risk on the organization.
• Impact of High Financial Loss
• Repeated fraud/misappropriation with major financial or reputational consequences
• Missing IT and ERP systems
Control Environment Rating: 2.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control
• Established ERP system and IT security measures
• Well defined Policy and Procedures and minor deviations
Residual Risk Score (rounded up): 9.00

4.2 ERP and other applications (Department 4: Information Technology)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.43
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Repeated fraud/misappropriation
• Deficient IT and ERP systems
Control Environment Rating: 2.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control
• Established ERP system and IT security measures
• Well defined Policy and Procedures and minor deviations
Residual Risk Score (rounded up): 7.00

5.1 Geology & Reservoir (Department 5: Geology & Reservoir)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.64
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Impact of Major Financial Loss
• Major impact on organizational profitability
Control Environment Rating: 2.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control
• Well defined Policy and Procedures and minor deviations
• Consistent organisation growth with unlikely losses.
Residual Risk Score (rounded up): 8.00

6.1 Research and Development (Department 6: Research and Development)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 2.33
Rationale for Initial Risk Rating:
• Process risks with tolerable risk on the organization.
• Tolerable impact on organizational profitability
Control Environment Rating: 1.00
Rationale for Control Environment Rating:
• Existence of strong Preventive or detective control with mechanism for continuous monitoring and update of the same.
• Well established ERP system and IT security measures
• Well defined and implemented Policy and Procedures
• Consistent organisation growth with rare surprises
Residual Risk Score (rounded up): 3.00

7.1 MM - Planning & Receiving (Department 7: Material Management)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.33
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Impact of Major Financial Loss
• Repeated fraud/misappropriation
• Major impact on organizational profitability
Control Environment Rating: 5.00
Rationale for Control Environment Rating:
• Missing preventive or detective controls
• Insufficient IT environment with missing automated controls.
• Policy and Procedures not defined
• Inconsistent organisation growth with major losses
• Inadequate decentralisation of decision making
Residual Risk Score (rounded up): 17.00

7.2 MM - Depot (Department 7: Material Management)
Business Locations (Corporate Office / Plant / Depot): ✓ ✓
Initial Risk Rating: 2.83
Rationale for Initial Risk Rating:
• Process risks with tolerable risk on the organization.
• Possible threat to Health, Safety & Environment
• Possible fraud/misappropriation
• Tolerable impact on organizational profitability
Control Environment Rating: 5.00
Rationale for Control Environment Rating:
• Missing preventive or detective controls
• Insufficient IT environment with missing automated controls.
• Policy and Procedures not defined
• Inconsistent organisation growth with major losses
• Inadequate decentralisation of decision making
Residual Risk Score (rounded up): 15.00

7.3 MM - Inventory Handling and Storage (Department 7: Material Management)
Business Locations (Corporate Office / Plant / Depot): ✓ ✓
Initial Risk Rating: 3.20
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Impact of Major Financial Loss
• Repeated fraud/misappropriation
• Major impact on organizational profitability
Control Environment Rating: 5.00
Rationale for Control Environment Rating:
• Missing preventive or detective controls
• Insufficient IT environment with missing automated controls.
• Policy and Procedures not defined
• Inconsistent organisation growth with major losses
• Inadequate decentralisation of decision making
Residual Risk Score (rounded up): 16.00

8.1 Well Logging (Department 8: Well Logging)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.00
Rationale for Initial Risk Rating:
• Process risks with tolerable risk on the organization.
• Tolerable impact on organizational profitability
Control Environment Rating: 1.00
Rationale for Control Environment Rating:
• Existence of strong Preventive or detective control with mechanism for continuous monitoring and update of the same.
• Well established ERP system and IT security measures
• Well defined and implemented Policy and Procedures
• Consistent organisation growth with rare surprises
Residual Risk Score (rounded up): 3.00

9.1 Financial Planning and Analysis (Department 9: Finance and Accounts)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.50
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Impact of Major Financial Loss
• Major impact on organizational profitability
Control Environment Rating: 3.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control but unlikely monitoring and update exercise.
• Legal compliance framework with minor deviations.
• Established ERP system and IT security measures
• Defined Policy and Procedures but insufficient control on implementation and compliance to same.
• Consistent organisation growth with possible losses
Residual Risk Score (rounded up): 11.00

9.2 Treasury (Department 9: Finance and Accounts)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 4.00
Rationale for Initial Risk Rating:
• Impact of Major Financial Loss
• Repeated fraud/misappropriation
• Major impact on organizational profitability
Control Environment Rating: 3.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control but unlikely monitoring and update exercise.
• Established ERP system and IT security measures
• Defined Policy and Procedures but insufficient control on implementation and compliance to same.
• Consistent organisation growth with possible losses
Residual Risk Score (rounded up): 12.00

9.3 Financial Reporting (Department 9: Finance and Accounts)
Business Locations (Corporate Office / Plant / Depot): ✓ ✓
Initial Risk Rating: 3.50
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Risk of reputational impact to organization
• Non-compliance with major financial penalties or prosecutions.
• Repeated fraud/misappropriation
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Preventive or detective controls not identified or defined
• Missing Legal compliance framework with alternative measure to monitor legal compliance.
• Moderate IT environment with missing automated controls.
• Policy and Procedures not formally defined and there may be possible deviations.
Residual Risk Score (rounded up): 14.00

9.4 Asset Management (Department 9: Finance and Accounts)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 4.00
Rationale for Initial Risk Rating:
• Impact of Major Financial Loss
• Repeated fraud/misappropriation
• Major impact on organizational profitability
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Preventive or detective controls not identified or defined
• Moderate IT environment with missing automated controls.
• Policy and Procedures not formally defined and there may be possible deviations
• Consistent organisation growth with frequent losses.
Residual Risk Score (rounded up): 16.00

9.5 Payables (Department 9: Finance and Accounts)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.40
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Risk of reputational impact to organization
• Repeated fraud/misappropriation
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Preventive or detective controls not identified or defined
• Moderate IT environment with missing automated controls.
• Policy and Procedures not formally defined and there may be possible deviations
Residual Risk Score (rounded up): 14.00

9.6 Invoicing and Receivables (Department 9: Finance and Accounts)
Business Locations (Corporate Office / Plant / Depot): ✓ ✓
Initial Risk Rating: 3.50
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Risk of reputational impact to organization
• Impact of Major Financial Loss
• Repeated fraud/misappropriation
• Major impact on organizational profitability
Control Environment Rating: 3.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control but unlikely monitoring and update exercise.
• Established ERP system and IT security measures
• Defined Policy and Procedures but insufficient control on implementation and compliance to same.
• Consistent organisation growth with possible losses
Residual Risk Score (rounded up): 11.00

9.7 JV Operations (Department 9: Finance and Accounts)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 4.00
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Risk of reputational impact to organization
• Impact of Major Financial Loss
• Repeated fraud/misappropriation
• Major impact on organizational profitability
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Preventive or detective controls not identified or defined
• Moderate IT environment with missing automated controls.
• Policy and Procedures not formally defined and there may be possible deviations
• Consistent organisation growth with frequent losses
• Inadequate board monitoring and governance structure
Residual Risk Score (rounded up): 16.00

9.8 Taxation (Department 9: Finance and Accounts)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 4.00
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Risk of reputational impact to organization
• Non-compliance with major financial penalties or prosecutions.
• Major impact on organizational profitability
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Preventive or detective controls not identified or defined
• Missing Legal compliance framework with alternative measure to monitor legal compliance.
• Moderate IT environment with missing automated controls.
• Policy and Procedures not formally defined and there may be possible deviations
Residual Risk Score (rounded up): 16.00

10.1 Recruitment (Department 10: Human Resource)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.00
Rationale for Initial Risk Rating:
• Process risks with tolerable risk on the organization.
• Non-compliance with major financial penalties.
• Possible fraud/misappropriation
• Tolerable impact on organizational profitability
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Preventive or detective controls not identified or defined
• Moderate IT environment with missing automated controls.
• Policy and Procedures not formally defined and there may be possible deviations
• Consistent organisation growth with frequent losses
• Inadequate board monitoring and governance structure
Residual Risk Score (rounded up): 12.00

10.2 Learning and Development (Department 10: Human Resource)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.75
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Risk of reputational impact to organization
• Significant threat to Health, Safety & Environment
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Preventive or detective controls not identified or defined
• Moderate IT environment with missing automated controls.
• Policy and Procedures not formally defined and there may be possible deviations
• Consistent organisation growth with frequent losses
• Inadequate board monitoring and governance structure
Residual Risk Score (rounded up): 15.00

10.3 Separations (Department 10: Human Resource)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.00
Rationale for Initial Risk Rating:
• Process risks with tolerable risk on the organization.
• Possible fraud/misappropriation
• Tolerable impact on organizational profitability
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Preventive or detective controls not identified or defined
• Moderate IT environment with missing automated controls.
• Policy and Procedures not formally defined and there may be possible deviations
• Consistent organisation growth with frequent losses
• Inadequate board monitoring and governance structure
Residual Risk Score (rounded up): 12.00

10.4 Payroll Process (Department 10: Human Resource)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.40
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Risk of reputational impact to organization
• Repeated fraud/misappropriation
Control Environment Rating: 5.00
Rationale for Control Environment Rating:
• Missing preventive or detective controls
• Insufficient IT environment with missing automated controls.
• Policy and Procedures not defined.
Residual Risk Score (rounded up): 17.00

11.1 Planning and Investment (Department 11: Projects)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 4.50
Rationale for Initial Risk Rating:
• Process risks with critical risk on the organization.
• Risk of high reputational impact to organization
• Non-compliance with major financial penalties and prosecutions.
• Impact of High Financial Loss
• High impact on organizational profitability
Control Environment Rating: 3.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control but unlikely monitoring and update exercise.
• Defined Policy and Procedures but insufficient control on implementation and compliance to same.
• Consistent organisation growth with possible losses
Residual Risk Score (rounded up): 14.00

11.2 Execution and handover (Department 11: Projects)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 4.17
Rationale for Initial Risk Rating:
• Process risks with critical risk on the organization.
• Risk of high reputational impact to organization
• Non-compliance with major financial penalties and prosecutions.
• Impact of High Financial Loss
• Significant threat to Health, Safety & Environment
• Repeated fraud/misappropriation with major financial or reputational consequences
• High impact on organizational profitability
Control Environment Rating: 4.00
Rationale for Control Environment Rating:
• Preventive or detective controls not identified or defined
• Policy and Procedures not formally defined and there may be possible deviations
• Consistent organisation growth with frequent losses
• Inadequate board monitoring and governance structure.
Residual Risk Score (rounded up): 17.00

12.1 Business Development (Department 12: Business Development)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 2.67
Rationale for Initial Risk Rating:
• Impact of significant Financial Loss
• Tolerable impact on organizational profitability
Control Environment Rating: 2.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control
• Well defined Policy and Procedures and minor deviations
• Consistent organisation growth with unlikely losses.
Residual Risk Score (rounded up): 6.00

13.1 Exploration & development (Department 13: Exploration & development)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.50
Rationale for Initial Risk Rating:
• Process risks with major risk on the organization.
• Risk of reputational impact to organization
• Impact of Major Financial Loss
• Significant threat to Health, Safety & Environment
• Major impact on organizational profitability
Control Environment Rating: 3.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control but unlikely monitoring and update exercise.
• Legal compliance framework with minor deviations.
• Defined Policy and Procedures but insufficient control on implementation and compliance to same.
• Consistent organisation growth with possible losses
Residual Risk Score (rounded up): 11.00

14.1 Pipeline Maintenance (Department 14: Maintenance)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.67
Rationale for Initial Risk Rating:
• Impact of Major Financial Loss
• Significant threat to Health, Safety & Environment
• Major impact on organizational profitability
Control Environment Rating: 3.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control but unlikely monitoring and update exercise.
• Legal compliance framework with minor deviations.
• Defined Policy and Procedures but insufficient control on implementation and compliance to same.
Residual Risk Score (rounded up): 11.00

14.2 Equipment Maintenance (Department 14: Maintenance)
Business Locations (Corporate Office / Plant / Depot): ✓
Initial Risk Rating: 3.67
Rationale for Initial Risk Rating:
• Impact of Major Financial Loss
• Significant threat to Health, Safety & Environment
• Major impact on organizational profitability
Control Environment Rating: 3.00
Rationale for Control Environment Rating:
• Defined Preventive or detective control but unlikely monitoring and update exercise.
• Legal compliance framework with minor deviations.
• Defined Policy and Procedures but insufficient control on implementation and compliance to same.
Residual Risk Score (rounded up): 11.00

Step 6: Develop Internal Audit Plan

Prepare Audit Universe → Risk Identification → Risk prioritization and rating → Assess control environment → Derive Residual Risk Rating → Develop Internal Audit plan
(a) Arrive at the frequency of the internal audit using the residual risk score calculated in the previous steps (the initial risk rating multiplied by the control environment rating, rounded up to a whole number). The following definitions could be used for arriving at the frequency of audit over a time span of 3 years:
• High Risk – audit areas having a residual risk score of more than 12, which need to be audited every year.
• Medium Risk – audit areas having a residual risk score of 9 to 12 (inclusive), which need to be audited twice in three years.
• Low Risk – audit areas having a residual risk score of 5 to 8 (inclusive), which need to be audited once in three years.
• Acceptable – audit areas having a residual risk score of less than 5, which could be audited at management's discretion.
Because the score is rounded up to a whole number, these four bands cover every possible score without gaps or overlaps. Note that the plan table below does not apply the High threshold strictly: areas scoring 14.00 (Safety and Environment, Financial Reporting, Payables, Planning and Investment) are scheduled twice in three years rather than every year, so the band boundaries and the plan should be reconciled before the plan is approved.
(b) Prepare the annual audit plan by identifying the areas that need to be audited in year 1, year 2 and year 3.
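The scoring and banding rule in Step 6(a), written out as an added example (this is not code from the Guide). It multiplies the initial risk rating by the control environment rating, rounds the product up, assigns the band and audit frequency, and then checks a plan for rows whose stated frequency disagrees with the band their score implies. The sample rows are copied from the plan table that follows; the one assumption, labelled in the code, is that the two-decimal initial ratings in the table are averages of whole-number factor scores (for example 3.67 is 11/3), so exact fractions are used to apply the rounding to the true product rather than to the displayed value.

```python
"""Residual risk scoring and audit-frequency banding for a risk-based
internal audit plan (added example; not the Guide's own code).

Rule from Step 6(a): residual score = ceil(initial rating x control rating),
then High (>12) / Medium (9-12) / Low (5-8) / Acceptable (<5).

Assumption: the initial risk rating is the arithmetic mean of several
whole-number factor scores, which is why the table shows values such as
2.67 and 3.67. Fractions keep the product exact before rounding up.
"""
from dataclasses import dataclass
from fractions import Fraction
from math import ceil
from typing import List, Tuple

# (minimum integer score, band, frequency wording, audits per 3-year cycle)
BANDS: List[Tuple[int, str, str, int]] = [
    (13, "High", "Every Year", 3),
    (9, "Medium", "Twice in 3 years", 2),
    (5, "Low", "Once in 3 years", 1),
    (0, "Acceptable", "Acceptable", 0),  # audited at management's discretion
]


def residual_score(initial: Fraction, control: int) -> int:
    """Round the exact product up, as the table header '(Rounded up)' states."""
    return ceil(initial * control)


def band_for(score: int) -> Tuple[str, str, int]:
    """Map an integer residual score to (band, frequency wording, audits per cycle)."""
    for floor, band, frequency, count in BANDS:
        if score >= floor:
            return band, frequency, count
    raise ValueError(f"score out of range: {score}")


@dataclass
class Process:
    ref: str
    name: str
    initial: Fraction        # exact mean of factor scores (assumption, see above)
    control: int             # control environment rating as shown in the table
    stated_frequency: str    # frequency wording as written in the plan

    def score(self) -> int:
        return residual_score(self.initial, self.control)

    def derived_frequency(self) -> str:
        return band_for(self.score())[1]


def check_plan(rows: List[Process]) -> List[str]:
    """Return refs of rows whose stated frequency contradicts their score band."""
    return [r.ref for r in rows if r.stated_frequency != r.derived_frequency()]


def display_rounding_pitfall() -> Tuple[int, int]:
    """Rounding the displayed 3.67 x 3 gives 12; the exact 11/3 x 3 gives 11.

    The Guide's table shows 11.00 for Pipeline Maintenance, so the product
    must be formed from the unrounded rating before rounding up.
    """
    return ceil(3.67 * 3), residual_score(Fraction(11, 3), 3)


# Sample rows copied from the Step 6 plan table; fractions are the assumed
# exact ratings behind the two-decimal values shown there.
SAMPLE: List[Process] = [
    Process("4.1", "IT Security", Fraction(33, 8), 2, "Twice in 3 years"),                # 4.13 -> 9
    Process("4.2", "ERP and other applications", Fraction(24, 7), 2, "Once in 3 years"),  # 3.43 -> 7
    Process("10.4", "Payroll Process", Fraction(17, 5), 5, "Every Year"),                  # 3.40 -> 17
    Process("14.1", "Pipeline Maintenance", Fraction(11, 3), 3, "Twice in 3 years"),       # 3.67 -> 11
    Process("2.3", "Safety and Environment", Fraction(9, 2), 3, "Twice in 3 years"),       # 4.50 -> 14
]


if __name__ == "__main__":
    for row in SAMPLE:
        band, frequency, count = band_for(row.score())
        print(f"{row.ref:<5} {row.name:<28} score={row.score():>3} "
              f"{band:<10} {frequency:<17} audits/3y={count}")
    print("stated frequency disagrees with band for:", check_plan(SAMPLE))
    print("ceil(3.67*3) vs ceil(11/3*3):", display_rounding_pitfall())
```

Run as a script it lists each sample area with its score, band and audits per three-year cycle, and reports row 2.3 as the one whose stated frequency (twice in three years) does not match the High band its score of 14 implies; the last line shows why the rounding must be applied to the exact product and not to the two-decimal display value.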
Columns: D. Sr. No. | Department | P. Sr. No. | Process | Business Locations (Corporate Office / Plant / Depot; ticks shown, column positions not recoverable from the extraction) | Initial Risk Rating | Control Environment Rating | Residual Risk Score | Frequency of Audit | Audit Plan ticks (Year 1 / Year 2 / Year 3; ticks shown, column positions not recoverable from the extraction)

1 | Contracts | 1.1 | Tendering and RFQ | ✓ | 4.00 | 4.00 | 16.00 | Every Year | ✓ ✓ ✓
1 | Contracts | 1.2 | Contracting and Ordering | ✓ ✓ | 3.80 | 4.00 | 16.00 | Every Year | ✓ ✓ ✓
2 | Plant Operations | 2.1 | Production and Distribution | ✓ | 3.91 | 3.00 | 12.00 | Twice in 3 years | ✓
2 | Plant Operations | 2.2 | Operation and Maintenance | ✓ | 3.83 | 3.00 | 12.00 | Twice in 3 years | ✓
2 | Plant Operations | 2.3 | Safety and Environment | ✓ | 4.50 | 3.00 | 14.00 | Twice in 3 years | ✓
3 | Drilling | 3.1 | Drilling | ✓ | 3.80 | 4.00 | 16.00 | Every Year | ✓ ✓ ✓
4 | Information Technology | 4.1 | IT Security | ✓ ✓ | 4.13 | 2.00 | 9.00 | Twice in 3 years | ✓ ✓
4 | Information Technology | 4.2 | ERP and other applications | ✓ | 3.43 | 2.00 | 7.00 | Once in 3 years | ✓
5 | Geology & Reservoir | 5.1 | Geology & Reservoir | ✓ | 3.64 | 2.00 | 8.00 | Once in 3 years | ✓
6 | Research and Development | 6.1 | Research and Development | ✓ | 2.33 | 1.00 | 3.00 | Acceptable | ✓ ✓ ✓
7 | Material Management | 7.1 | MM - Planning & Receiving | ✓ | 3.33 | 5.00 | 17.00 | Every Year | ✓ ✓ ✓
7 | Material Management | 7.2 | MM - Depot | ✓ ✓ | 2.83 | 5.00 | 15.00 | Every Year | ✓ ✓ ✓
7 | Material Management | 7.3 | MM - Inventory Handling and Storage | ✓ ✓ | 3.20 | 5.00 | 16.00 | Every Year | ✓ ✓ ✓
8 | Well Logging | 8.1 | Well Logging | ✓ | 3.00 | 1.00 | 3.00 | Acceptable | ✓ ✓ ✓
9 | Finance and Accounts | 9.1 | Financial Planning and Analysis | ✓ | 3.50 | 3.00 | 11.00 | Twice in 3 years | ✓ ✓
9 | Finance and Accounts | 9.2 | Treasury | ✓ | 4.00 | 3.00 | 12.00 | Twice in 3 years | ✓ ✓
9 | Finance and Accounts | 9.3 | Financial Reporting | ✓ ✓ | 3.50 | 4.00 | 14.00 | Twice in 3 years | ✓ ✓
9 | Finance and Accounts | 9.4 | Asset Management | ✓ | 4.00 | 4.00 | 16.00 | Every Year | ✓ ✓ ✓
9 | Finance and Accounts | 9.5 | Payables | ✓ | 3.40 | 4.00 | 14.00 | Twice in 3 years | ✓ ✓
9 | Finance and Accounts | 9.6 | Invoicing and Receivables | ✓ ✓ | 3.50 | 3.00 | 11.00 | Twice in 3 years | ✓ ✓
9 | Finance and Accounts | 9.7 | JV Operations | ✓ ✓ | 4.00 | 4.00 | 16.00 | Every Year | ✓ ✓ ✓
9 | Finance and Accounts | 9.8 | Taxation | ✓ | 4.00 | 4.00 | 16.00 | Every Year | ✓ ✓ ✓
10 | Human Resource | 10.1 | Recruitment | ✓ | 3.00 | 4.00 | 12.00 | Twice in 3 years | ✓ ✓
10 | Human Resource | 10.2 | Learning and Development | ✓ | 3.75 | 4.00 | 15.00 | Every Year | ✓ ✓ ✓
10 | Human Resource | 10.3 | Separations | ✓ | 3.00 | 4.00 | 12.00 | Twice in 3 years | ✓ ✓
10 | Human Resource | 10.4 | Payroll Process | ✓ | 3.40 | 5.00 | 17.00 | Every Year | ✓ ✓ ✓
11 | Projects | 11.1 | Planning and Investment | ✓ | 4.50 | 3.00 | 14.00 | Twice in 3 years | ✓ ✓
11 | Projects | 11.2 | Execution and handover | ✓ | 4.17 | 4.00 | 17.00 | Every Year | ✓ ✓ ✓
12 | Business Development | 12.1 | Business Development | ✓ | 2.67 | 2.00 | 6.00 | Once in 3 years | ✓
13 | Exploration & development | 13.1 | Exploration & development | ✓ | 3.50 | 3.00 | 11.00 | Twice in 3 years | ✓ ✓
14 | Maintenance | 14.1 | Pipeline Maintenance | ✓ | 3.67 | 3.00 | 11.00 | Twice in 3 years | ✓ ✓
14 | Maintenance | 14.2 | Equipment Maintenance | ✓ | 3.67 | 3.00 | 11.00 | Twice in 3 years | ✓ ✓
Case Study

Prepare Heat Map – Graphical presentation of the Risk Based Internal Audit Plan

Prepare Audit Universe → Risk Identification → Risk prioritization and rating → Assess control environment → Derive Residual Risk Rating → Develop Internal Audit plan