12/20/2010
1
Recent developments in auditing standards
Bangalore Branch of SIRC of ICAI
15th December 2010
CA Suresh DM
All U DO IS TICKING
Auditing Standards: Indian Perspective
Auditing Standards are a codification of existing best practices in the area of auditing.
International Standards on Auditing (ISAs) are issued by the IAASB of IFAC.
In India, the ICAI formulates Auditing and Assurance Standards (AASs).
Basic Considerations behind AASs formulation
◦ Harmonization with ISAs, to the extent possible – a Membership obligation for ICAI
◦ Applicable laws in India.
◦ Customs, usages & business environment in India.
Auditing Standards: Indian Perspective
Companies Bill 2009 – NACAAS to be given authority to notify Auditing Standards
MCA has observed that Auditing Standards are currently issued by a “Single Institute”. The fact is standards are issued after due consultations by releasing Exposure Drafts.
Auditing Standards: Indian Perspective (contd.)
Scope of AASs: Apply whenever an independent audit is carried out. Apply irrespective of size, legal form or commercial motives of the client. May appropriately apply to other functions of auditors.
Authority attached to AASs: Mandatory compliance by members of ICAI. Material departures from AASs to be brought out in the report.
Engagement & Quality Control Standards
Road to Convergence – Clarity Project
AASB founder member of IFAC
Auditing standards based to the extent possible on
corresponding International Standards (IS) of International
Auditing and Assurance Standards Board (IAASB).
Chalked out timeline for bridging gap in convergence with IS
under IAASB Clarity Project
Revised the entire suite of 36 Standards on Auditing in line with
the International Standards.
Engagement & Quality Control Standards
AASB’s response to IAASB Clarity Project (2006 till date):
◦ Revised & more rigorous Due Process
◦ Revised Framework & Preface
◦ AASs renamed & renumbered in line with IAASB terminology –
ENGAGEMENT STANDARDS:
Standards on Auditing
Standards on Review Engagements
Standards on Assurance Engagements
Standards on Related Services
◦ Mother Standard on Quality Control
◦ Revised/ new Standards on Fraud, Audit Planning & Risk-based Audits
◦ Many new/ revised Standards in pipeline
Diagrammatic presentation of structure of standards under New Preface (figure, shown here as a hierarchy):
Chartered Accountants Act, 1949
  Pronouncements by ICAI
    Standards on Quality Control (SQC)
    Framework for Assurance Engagements
      Assurance services
        Audits and review of historical financial information
          Standards on Auditing (SA) 100-999
          Standards on Review Engagements (SRE) 2000-2699
        Assurance engagements other than audits and review of historical financial information
          Standards on Assurance Engagements (SAE) 3000-3699
      Related Services
        Standards on Related Services (SRS) 4000-4699
Clarity Project
Exercise to rewrite and update.
Includes:
Identifying the overall objectives of the auditor when conducting an audit in accordance with ISAs, setting an objective in each ISA, and establishing an obligation on the auditor in relation to those objectives
Clarifying the obligations imposed on auditors by the requirements of the ISAs and the language used to communicate such requirements
Eliminating ambiguity about the requirements the auditor needs to fulfil.
Engagement & Quality Control
Standards
Layout of Standards
Scope
Effective Date
Objective
Definitions
Requirements
Application and Other Explanatory Material (basically details out the requirements)
Audit Process
Standard on Quality Control – SQC 1
QUALITY CONTROL FOR FIRMS
THAT PERFORM AUDITS AND
REVIEWS OF HISTORICAL
FINANCIAL INFORMATION, AND
OTHER ASSURANCE AND
RELATED SERVICES
ENGAGEMENTS
SQC 1 – Quality Control for Firms
Definitions
Elements of a System of Quality Control
Leadership Responsibilities for quality within the Firm
Ethical Requirements
Acceptance and Continuance of Client Relationships
Human Resources
Engagement Performance
Monitoring
Documentation
Objective of SQC 1
The firm should establish a system of
quality control designed to
provide it with reasonable assurance
that the firm and its personnel comply
with professional standards and
regulatory and legal requirements,
and that reports issued by the firm or
engagement partner(s) are appropriate in
the circumstances
Meaning of certain terms
Engagement quality control review – a process designed to provide (how) an objective evaluation (why), before the report is issued (when), of the significant judgments the engagement team made and the conclusions they reached in formulating the report (what).
Meaning of Certain Terms
Engagement quality control reviewer – a partner, other person in the firm, suitably qualified external person (any individual with the capabilities to act as engagement partner, or an employee of another firm), or a team made up of such individuals, with sufficient and appropriate experience and authority to objectively evaluate, before the report is issued, the significant judgments the engagement team made and the conclusions they reached in formulating the report.
However, in case the review is done by a team of individuals, such team should be headed by a member of the Institute.
Meaning of Certain Terms
Engagement team –
all personnel performing an engagement,
including any experts contracted by the
firm in connection with that engagement
Meaning of Certain Terms
Network Firm – change made during Clarity Project
BEFORE: An entity under common control, ownership or management with the firm, or any entity that a reasonable and informed third party having knowledge of all relevant information would reasonably conclude as being part of the firm nationally or internationally.
AFTER: One that is aimed at cooperation, and aimed at profit or cost-sharing, or shares common ownership, control or management, common quality control policies and procedures, common business strategy, use of a common brand name, or a significant part of professional resources.
Elements of a System of Quality Control – policies to address:
(a) Leadership responsibilities for quality within the firm.
(b) Ethical requirements.
(c) Acceptance and continuance of client relationships.
(d) Human resources.
(e) Engagement performance.
(f) Monitoring.
Leadership Responsibilities for
Quality within the Firm
promote an internal culture that stresses quality in delivery
firm’s chief executive officer to assume ultimate responsibility for the firm’s system of quality control
Perform work that complies with professional standards and regulatory and legal requirements
How to promote quality-oriented
internal culture
clear, consistent and frequent actions and messages from all levels
culture that recognizes and rewards high quality work
training seminars, meetings, formal or informal dialogue, mission statements, newsletters, or briefing memoranda.
Ethical Requirements
The firm should establish procedures that enable its personnel to comply with ethical requirements:
(a) Integrity;
(b) Objectivity;
(c) Professional competence and due care;
(d) Confidentiality; and
(e) Professional behavior.
INDEPENDENCE
Scope of various services provided to Client not to be threat to Independence
Annual Independence confirmation from all the personnel of the Audit Firm regarding independence.
Rotation of Partners and Managers to reduce familiarity threat (SEC Rules – 7 years for listed entities and 10 years for other engagements)
Note: For Sole Proprietors/Individuals auditing listed entities, rotation policy is not applicable. However they need to undergo compulsory Peer Review Process.
Threats to Independence – Prohibited Non-Audit Activities
• An auditor of an entity is prohibited from providing an audit client any of nine specified non-audit services.
1. Bookkeeping or other services related to the accounting records or financial statements of the audit client;
2. Financial information systems design and implementation;
3. Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
4. Actuarial services;
5. Internal audit services;
6. Management functions or human resources;
7. Broker or dealer, investment adviser, or investment banking services;
8. Legal services and expert services unrelated to the audit; and
Independence
Firm should frame policies so that
◦ Firm’s personnel are aware of the
independence requirements
◦ Partners are provided with relevant data
about client hierarchy and threats to
independence.
Threats to Independence
Independence of Mind
Independence of Appearance
◦ Threat of potential employment
◦ Threat of undue dependence on fees and fear
of losing client
◦ Threat of self review – review of judgements
made in earlier periods
◦ Threat of investment in client’s shares
Acceptance & Continuance (A&C)
Undertake or continue relationships and engagements only if:
Integrity of the client has been ascertained
Auditor is competent to perform and has sufficient resources
Compliance with ethical requirements is achieved
Human Resource
Firms should frame policies to address
(a) Recruitment;
(b) Performance evaluation;
(c) Capabilities;
(d) Competence;
(e) Career development;
(f) Promotion
(g) Compensation; and
(h) Estimation of personnel needs
Engagement Performance
establish consistency in the quality of
engagement performance which is
accomplished through standardized
documentation.
Qualitative deliverance involves
consultation
Review of Quality Controls and Risks (RQR process)
Engagement Quality Control review – objective evaluation of judgments used, which should be done before issue of the report.
Must for all listed company audits
Criteria to be set out for other audits
RQR Process
Nature, Timing and Extent
Criteria for Reviewers
Documentation Requirements
Other Matters
Engagement Documentation
◦ Final Working Files to be completed and assembled before reports have been finalized (means before release of report)
◦ Confidentiality, Safe Custody, Integrity, Accessibility and Retrievability of Documentation
◦ Retention of Documentation
◦ Ownership of Documentation
◦ Monitoring Process
International Standard on QC vs Indian Standard on QC
Subject Matter                                | International SQC                                                  | Indian SQC
Engagement Quality Control Reviewer           | Reviewer can be anyone with sufficient and appropriate experience  | Reviewer should be a member of ICAI
Minimum Period of Retention of Working Papers | 5 Years                                                            | 7 Years
Rotation of Auditors                          | 7 years                                                            | No specific time limit
SAs applicable for audits relating to accounting periods beginning on or after 1.4.2010
SA            | Title of the Standard
200 (Revised) | Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing
210 (Revised) | Agreeing the Terms of Audit Engagements
220 (Revised) | Quality Control for an Audit of Financial Statements
265           | Communicating Deficiencies in Internal Control to Those Charged with Governance and Management
320 (Revised) | Materiality in Planning and Performing an Audit
402 (Revised) | Audit Considerations Relating to an Entity Using a Service Organization
450           | Evaluation of Misstatements Identified during the Audit
501 (Revised) | Audit Evidence – Specific Considerations for Selected Items
505 (Revised) | External Confirmations
510 (Revised) | Initial Audit Engagements — Opening Balances
520 (Revised) | Analytical Procedures
550 (Revised) | Related Parties
610 (Revised) | Using the Work of Internal Auditors
620 (Revised) | Using the Work of an Auditor’s Expert
720           | The Auditor’s Responsibility in Relation to Other Information in Documents Containing Audited Financial Statements
SA 265 - COMMUNICATING DEFICIENCIES IN
INTERNAL CONTROL TO THOSE CHARGED WITH
GOVERNANCE AND MANAGEMENT
Scope
Auditor is required to obtain understanding of internal Control.
This understanding is to design appropriate audit procedures and not for purpose of expressing opinion on internal controls.
Standard is only a carve out standard from SA 260 – Communicating to those charged with governance.
No such separate reporting requirements normally (other than SOX assignments).
SA 265 - COMMUNICATING DEFICIENCIES IN
INTERNAL CONTROL TO THOSE CHARGED WITH
GOVERNANCE AND MANAGEMENT
This standard is very simple. It contains just 11 paras in the main text; the other clauses are Application and Explanatory Material.
SA 265 - COMMUNICATING DEFICIENCIES IN
INTERNAL CONTROL TO THOSE CHARGED WITH
GOVERNANCE AND MANAGEMENT
Identify deficiencies in Internal Control on the basis of audit work performed
Determine whether they constitute significant deficiencies (deficiencies which merit immediate attention of Management in terms of likelihood, susceptibility to loss or fraud, and amount exposed)
Communicate to those charged with Governance
Please note it is “communicate to the Management” and not the owners.
◦ (Auditor's Report under the legal framework will be addressed to the Owners/Shareholders.)
SA 265 - COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO
THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT
What Should be Communicated
◦ Description of Deficiencies
◦ Context and effect of such deficiencies
◦ Highlight the fact that these are only identified
deficiencies in designing the Audit Procedures.
SA 265 - COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO
THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT
What type of controls are analysed?
General monitoring controls (such as oversight of management).
Controls over the prevention and detection of fraud.
Controls over the selection and application of significant accounting policies.
Controls over significant transactions with related parties.
Controls over significant transactions outside the entity’s normal course of business.
Controls over the period-end financial reporting process (such as controls over non-recurring journal entries).
SA 402 – Audit Considerations
relating to an entity using a service
organisation.
This standard deals with auditors
responsibility to obtain sufficient
appropriate audit evidence when an entity
uses the services of service organisations.
Common examples are Actuary Services,
Payroll outsourcings, Vendor payment
process etc.
SA 402 – Audit Considerations
relating to an entity using a service
organisation.
Methodology of obtaining Audit Comfort
◦ Obtain a Type 1 or Type 2 Report
◦ Contact/Visit the Service Organization.
◦ Using the work of another auditor.
SA 501 – Audit Evidence – Selected Items
This standard mainly deals with
◦ Inventory
◦ Litigation and Claims
◦ Segment Information
◦ Compared to earlier SA 501, this revised
standard does not deal with Valuation and
Disclosure of Long Term Investments.
SA 501 – Audit Evidence – Selected Items – Inventory
Attendance at Physical Count
◦ Evaluate management's instructions and procedures
◦ Observe the performance of management's count procedures
◦ Inspect the inventory
◦ Perform test counts
◦ Verify financial inventory records to ensure they reflect physical counts
If the count date is earlier or later than the “Balance Sheet Date”, perform roll forward/backward testing
Inventory lying with third party
◦ Obtain confirmation
◦ Perform inspection
Inventories – Basic Principles
Quantities and prices
Ending inventories = Net income (an overstated closing inventory understates cost of goods sold and so overstates net income)
Cenco Corporation (case)
• 50,000 lbs
• Changed quantities on inventory tags
• Altered quantities on computer listings
• Management created fictitious tags
Management explains:
• Computer keypunch errors
• Tags discarded
"I am unable to definitely say that the inventory is being inflated, but there are a few things about the new tags which bother me."
SA 501 – Audit Evidence – Selected Items – Litigations and Claims
Inquiry of in-house legal personnel/Management
Reviewing Minutes of Meetings
Review Legal Expenses accounts
Request confirmation from External Legal
Counsel
Written representations about completeness
of disclosures
SA 520(R) – Analytical Procedures
Types of Procedures
◦ Trends
◦ Reasonableness Testing
For example: Bank Deposits to Interest earned
Raw Material Consumption to Production
◦ Ratios
Affected by reliability of data, precision
of estimation, source of information etc
SA’s applicable for audits relating to
accounting periods beginning on or
after 1.4.2011
SA 700 (Revised) –
• Forming an opinion and Reporting on Financial Statements
SA 705
• Modifications to the Opinion in the Independent Auditor’s Report
SA 706
• Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report
SA 710 ( Revised)
• Comparative Information –Corresponding Figures and Comparative Financial Statements
Gist of requirements of the new SAs
Indicate on the top of the report that it is the “INDEPENDENT AUDITORS REPORT”
Titles should be prominently indicated for:
◦ “MANAGEMENT RESPONSIBILITY”
◦ “AUDITOR’S RESPONSIBILITY”
◦ “OPINION”
◦ Report under other LEGAL FRAMEWORK
Reference to CARO, Companies Act to be included in this clause.
Gist of requirements of the new SAs
Opinion on corresponding figures in
financial statements
◦ Generally audit report is for current period
numbers
◦ If a corresponding figure in the previous period was qualified and such matter is unresolved, then the report should continue to refer to the previous corresponding number also.
RISK AND ASSESSMENT
ASSESSING RISK IN AUDIT PLANNING
Focus on Risk Management
Out of the total 35 general standards
◦ There are 6 standards on Risk Management
◦ ICAI has come up with a separate
Implementation Guide to Risk Based Audit
◦ Hence Risk Management is important as the
entire Audit Process Revolves around Risk
Audit involves
Assessing the risks – Risk of Material
Misstatements
Designing and performing audit
procedures to obtain reasonable
assurance
Issue of audit report
Key Definitions
Risk: The uncertainty of an event occurring that
could have an impact on the achievement of
objectives.
Risk assessment: A systemic process for assessing
and integrating professional judgments about
probable adverse conditions and/or events.
Risk management: The culture, processes and
structures that are directed towards the effective
management of potential opportunities and
adverse effects.
Why only reasonable assurance and not absolute assurance?
Limitation on Testing – Use of sampling
Internal Control Limitations
Undetected Frauds
Persuasive nature of audit evidence
Reliance on Judgement
Key Risks in Audit (figure: Interrelationship of Audit Risk Components)
• Inherent risk and Control risk – the financial statements contain material misstatements
• Detection risk – the auditor will not detect such material misstatements
3 Phases in Risk Based Audit
Risk Assessment
Risk Response
Risk Reporting
(Figures: Risk Assessment; Risk Response; Reporting)
Audit Time Spent (figure): Strategy Decision Making & Process; Information collected about Mgt Decisions; Financial Statements
Ideal Audit Time Spending (figure): Strategy Decision Making & Processes; Information about Decisions; Financial Statements
Risk Assessment Procedures
Inquiries of Management and
Others
Analytical Procedures
Observations and
Inspections
Results of Risk Assessment Process
Target audit resources where risk is greatest!
(Figure: Probability of Risk, axes marked L and H)
Fraud Risk
Components of Fire (figure): FIRE = Heat + Oxygen + Fuel
Components of Fraud (figure): FRAUD = Situational Pressure or Motive + Opportunity + Rationalization
Top Management
The ability of top management to override controls significantly increases the likelihood of fraud
Fraud Comes in Bunches (figure): Embezzlement, Check Kiting, Expense Report, Financial Statement, Conversion, Laundering, Theft, Credit Card
The Perfect Crime
Any three people can commit the perfect crime as long as two of the three are dead
Materiality (figure; label: Immaterial)
Documentation
Standardized Documentation to be practiced
Importance of Documentation
A systemic process designed to yield a comprehensive risk assessment:
• core business processes
• enabling processes
Risk Assessment in Annual Planning:
The Tennessee Valley Authority Model
Risk Planning Model (figure): PROBABILITY against MATERIALITY, Visibility and Sensitivity, Impact on Enterprise Operations → IDENTIFY AUDIT AREAS
Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
Risk Factors – Materiality (account balances in INR)   | Points
Audit Area > 100 million                               | 8-10
Audit Area 10 million to < 100 million                 | 4-7
Audit Area < 10 million                                | 1-3
Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
Risk Factors – Impact on Operations                                       | Points
Significant impact on core business                                       | 8-10
Significant impact on specific program, moderate impact on core business  | 4-7
Negligible impact on specific program or core business                    | 1-3
Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
Risk Factors – Public Sensitivity                       | Points
Likely to result in public or congressional interest    | 8-10
May result in public or congressional interest          | 4-7
Unlikely to result in public or congressional interest  | 1-3
Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
Probability Factors – Probability of Risk                                                     | Points
High probability of significant issues                                                        | 0.8-1.0
Moderate probability of significant issues and high probability of improvement needed         | 0.4-0.7
Low probability of significant issues and moderate to low probability of improvement needed   | 0.1-0.3
Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
Example of Risk Assessment
Potential Audit Subject | Risk factor points | Total | Probability | Total × Probability
Asset Capitalisation    | 4  7  5            | 16    | 0.5         | 8.0
Payroll Processing      | 7  7  8            | 22    | 0.6         | 13.2
Bank Transactions       | 3  5  9            | 17    | 0.3         | 5.1
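The three example rows above, worked through as an added Python example (not from the presentation): it applies the slides' materiality point bands and the total-times-probability weighting, rejects scores that fall off the slides' scales, and ranks the audit subjects. Which of the three point columns is materiality, impact or sensitivity is an assumption (taken as slide order).

```python
"""Risk scoring for annual audit planning in the TVA style shown on the slides.

Added example, not from the original presentation: three factor scores (1-10)
are summed and weighted by a probability (0.1-1.0) to rank audit subjects.
"""
from dataclasses import dataclass


def materiality_band(balance_inr: float) -> tuple[int, int]:
    """Points band the slides attach to an account balance (INR)."""
    if balance_inr > 100_000_000:      # > 100 million
        return (8, 10)
    if balance_inr >= 10_000_000:      # 10 million to < 100 million
        return (4, 7)
    return (1, 3)                      # < 10 million


def points_in_band(points: int, balance_inr: float) -> bool:
    """Check that the materiality points assigned by the auditor fit the band."""
    low, high = materiality_band(balance_inr)
    return low <= points <= high


@dataclass(frozen=True)
class AuditSubject:
    name: str
    materiality: int    # 1-10 points
    impact: int         # 1-10 points, impact on operations
    sensitivity: int    # 1-10 points, public sensitivity
    probability: float  # 0.1-1.0, probability of significant issues

    def __post_init__(self) -> None:
        # Reject scores outside the scales defined on the slides.
        for label, value in (("materiality", self.materiality),
                             ("impact", self.impact),
                             ("sensitivity", self.sensitivity)):
            if not 1 <= value <= 10:
                raise ValueError(f"{label} must be 1-10, got {value}")
        if not 0.1 <= self.probability <= 1.0:
            raise ValueError(f"probability must be 0.1-1.0, got {self.probability}")

    def total_points(self) -> int:
        return self.materiality + self.impact + self.sensitivity

    def risk_score(self) -> float:
        # Risk factor total weighted by probability, one decimal as on the slide.
        return round(self.total_points() * self.probability, 1)


def rank_subjects(subjects: list[AuditSubject]) -> list[AuditSubject]:
    """Highest weighted risk first: where audit resources should go."""
    return sorted(subjects, key=lambda s: s.risk_score(), reverse=True)


# The three rows from the slide. Which of the three point columns is
# materiality, impact or sensitivity is an assumption here (slide order).
EXAMPLE_SUBJECTS = [
    AuditSubject("Asset Capitalisation", 4, 7, 5, 0.5),
    AuditSubject("Payroll Processing", 7, 7, 8, 0.6),
    AuditSubject("Bank Transactions", 3, 5, 9, 0.3),
]

if __name__ == "__main__":
    for s in rank_subjects(EXAMPLE_SUBJECTS):
        print(f"{s.name:<22} total={s.total_points():>2} "
              f"prob={s.probability:.1f} score={s.risk_score():.1f}")
```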
Risk-Based Audit Engagements (figure):
1. Understand Processes and Objectives
2. Identify Risks
3. Measure Potential Impacts
4. Evaluate Controls and Estimate Probability
5. Evaluate and Prioritize Risks
6. Develop Audit Objectives & Program
Largest Bankruptcy Filings (1980 to Present)
    Company                     Assets (Billions)   When Filed
 1. WorldCom                    $101.9              July, 2002
 2. Enron                       $63.4               Dec., 2001
 3. Texaco                      $35.9               April, 1987
 4. Financial Corp of America   $33.9               Sept., 1988
 5. Global Crossing             $25.5               Jan., 2002
 6. Adelphia                    $24.4               June, 2002
 7. United Airlines             $22.7               Dec., 2002
 8. PG&E                        $21.5               June, 2002
 9. MCorp.                      $20.2               March, 1989
10. Kmart                       $17.0               Jan., 2002
Auditing in the ERP Environments
SAP R/3 Enterprise – Application components (figure): ERP core with the AM, PS, CO, SD, QM, PM, HR, IS, WF, FI, MM and PP modules
Key business processes in Sales and Distribution
(SD), Materials Management (MM) and Financial
Accounting (FI) need to be studied in detail to
identify their vulnerability to threats from within
and outside. Based on this and experience of
internal audit team, risk statements relevant to
businesses are to be captured.
For each risk statement, risk impact and risk
exposure is to be assessed as under
RISK ASSESSMENT METHODOLOGY – BY A QUANTIFICATION MODEL
Risk impact (Severity x Detectability) to be assessed on a scale of 1–100 (100 being the highest adverse impact).
A – Risk Severity (on a scale of 1–10) is determined based on the weighted average effect on 5 parameters, i.e. i) PBT, ii) Statutory/regulatory compliance, iii) Strategic value, iv) Financial statement accuracy, v) Reliability/operational effectiveness.
B – Risk Detectability (on a scale of 1–10) is determined based on the stage at which the adverse event is detected, i.e. within the company or from outside customers.
Risk impact = Severity x Detectability
Risk exposure (likelihood of occurrence) to be assessed on a scale of 1–10 (10 being most likely).
Risk exposure is determined based on the weighted average effect of 10 parameters responsible for the exposure, i.e.
i) Incorrect source data/data entry, ii) Incorrect/incomplete execution, iii) Incorrect/non-verification of output, iv) Skill/resource constraint, v) Inadequate segregation of duties, vi) Lack of system documentation, vii) Authority norms not defined/followed, viii) Inappropriate configuration/process logic, ix) Weak internal/compensating controls, x) Others (i.e. process complexity, frequency of changes, software limitation, unassignable causes etc.)
RISK STATEMENTS – SD – Examples
S.No | Risk statement                                                                                   | Severity | Detectability | Risk impact | Risk exposure | Heat zone
1    | Invoice may be raised without effecting physical delivery of the goods from depot/plant (bill and hold) | 7   | 8             | 56          | 5             | R1
2    | Sales order may not be executed in time and in full                                              | 4        | 6             | 24          | 3             | Y2
3    | Debit/credit notes sent to customers may not contain adequate supporting details                 | 2        | 4             | 8           | 4             | G2
RISK STATEMENTS – MM – Examples
S.No | Risk statement                                                                                   | Severity | Detectability | Risk impact | Risk exposure | Heat zone
1    | Financial authority norms for release of PO may not be mapped into SAP                           | 4        | 8             | 32          | 6             | R3
2    | GR may be prepared for a quantity lower/higher than vendor delivery challan                      | 4        | 6             | 24          | 4             | Y2
3    | CENVAT credit availed may be lower than CENVATABLE excise duty credited to vendor through invoice verification | 3 | 6     | 18          | 4             | G2
RISK STATEMENTS – FI – Examples
S.No | Risk statement                                                                                   | Severity | Detectability | Risk impact | Risk exposure | Heat zone
1    | Depreciation rates may have been incorrectly set up                                              | 5        | 6             | 30          | 5             | R3
2    | Vendors' accounts may not have been reconciled/confirmed as per laid down frequency              | 5        | 6             | 30          | 4             | Y2
3    | Line items (individual entries) clearing may not have been carried out in vendor accounts        | 3        | 6             | 18          | 4             | G2
RISK STATEMENTS – Common to all functions – Examples
S.No | Risk statement                                                                                   | Severity | Detectability | Risk impact | Risk exposure | Heat zone
1    | SAP transaction authorizations granted to users may not relate to their assigned role/responsibility | 8    | 8             | 64          | 8             | R1
2    | SAP transactions may be carried out using group IDs resulting in non-traceability of transactions to any specific individual (employee) | 8 | 8 | 64 | 8           | R1
3    | Audit trails (chronological log of changes) may not be reviewed/analyzed by process owners       | 5        | 8             | 40          | 7             | R3
Heat Map (figure): RISK IMPACT (vertical, 0–100) against RISK EXPOSURE (horizontal, 0–10)
                        | Exposure LOW (0–2) | MEDIUM (2–4) | HIGH (4–10)
Impact HIGH   (40–100)  | Y1                 | R2           | R1
Impact MEDIUM (20–40)   | G1                 | Y2           | R3
Impact LOW    (0–20)    | G3                 | G2           | Y3
Risk Registers and Heat Maps – Module wise
Using the risk impact and risk exposure scores as worked out above, all possible risk statements (like the 3 examples given for each of SD/MM/FI) need to be prepared in the form of a RISK REGISTER of many pages, and ultimately all risk statement serial numbers are to be plotted on a one-page HEAT MAP.
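A small risk register and heat-map zoning for the quantification model on these slides, as an added Python example (not from the presentation). It assumes the band boundaries read off the heat map axis ticks (impact above 40 is HIGH and above 20 MEDIUM; exposure above 4 is HIGH and above 2 MEDIUM), which reproduces every zone shown in the SD/MM/FI/Common examples.

```python
"""Risk register and heat-map zoning for the SAP quantification model on the slides.

Added example, not from the original presentation. Impact = severity x
detectability (scale 1-100), exposure is 1-10, and the 3x3 heat map gives the
zone (G1-G3 green, Y1-Y3 yellow, R1-R3 red). Assumption: an impact of exactly
20 counts as LOW (the slides show the 20 and 40 ticks but no boundary rule).
"""
from dataclasses import dataclass

# Heat map from the slides: rows are impact bands, columns are exposure bands.
HEAT_MAP = {
    "HIGH":   {"LOW": "Y1", "MEDIUM": "R2", "HIGH": "R1"},
    "MEDIUM": {"LOW": "G1", "MEDIUM": "Y2", "HIGH": "R3"},
    "LOW":    {"LOW": "G3", "MEDIUM": "G2", "HIGH": "Y3"},
}


def impact_band(impact: int) -> str:
    """Impact axis ticks on the slide: 0, 20 (LOW), 40 (MEDIUM), 100 (HIGH)."""
    if impact > 40:
        return "HIGH"
    return "MEDIUM" if impact > 20 else "LOW"


def exposure_band(exposure: int) -> str:
    """Exposure axis ticks on the slide: 0, 2 (LOW), 4 (MEDIUM), 10 (HIGH)."""
    if exposure > 4:
        return "HIGH"
    return "MEDIUM" if exposure > 2 else "LOW"


@dataclass(frozen=True)
class RiskStatement:
    module: str         # SD, MM, FI or Common
    statement: str
    severity: int       # 1-10, weighted effect on PBT, compliance, etc.
    detectability: int  # 1-10, how late the adverse event would be detected
    exposure: int       # 1-10, likelihood of occurrence

    def __post_init__(self) -> None:
        for label, value in (("severity", self.severity),
                             ("detectability", self.detectability),
                             ("exposure", self.exposure)):
            if not 1 <= value <= 10:
                raise ValueError(f"{label} must be 1-10, got {value}")

    @property
    def impact(self) -> int:
        return self.severity * self.detectability

    @property
    def heat_zone(self) -> str:
        return HEAT_MAP[impact_band(self.impact)][exposure_band(self.exposure)]


def build_register(risks: list[RiskStatement]) -> list[RiskStatement]:
    """Order the register red-first, then by impact and exposure (serial no = position + 1)."""
    colour_rank = {"R": 0, "Y": 1, "G": 2}
    return sorted(risks, key=lambda r: (colour_rank[r.heat_zone[0]], -r.impact, -r.exposure))


def heat_map_plot(register: list[RiskStatement]) -> dict[str, list[int]]:
    """Serial numbers grouped by zone: the content of the one-page heat map."""
    plot: dict[str, list[int]] = {}
    for serial, risk in enumerate(register, start=1):
        plot.setdefault(risk.heat_zone, []).append(serial)
    return plot


# Risk statements taken from the slide examples (text shortened).
EXAMPLE_RISKS = [
    RiskStatement("SD", "Invoice raised without physical delivery (bill and hold)", 7, 8, 5),
    RiskStatement("SD", "Sales order not executed in time and in full", 4, 6, 3),
    RiskStatement("SD", "Debit/credit notes lack supporting details", 2, 4, 4),
    RiskStatement("MM", "PO release authority norms not mapped into SAP", 4, 8, 6),
    RiskStatement("FI", "Depreciation rates incorrectly set up", 5, 6, 5),
    RiskStatement("Common", "SAP authorizations not matching assigned role", 8, 8, 8),
    RiskStatement("Common", "Transactions carried out using group IDs", 8, 8, 8),
    RiskStatement("Common", "Audit trails not reviewed by process owners", 5, 8, 7),
]

if __name__ == "__main__":
    register = build_register(EXAMPLE_RISKS)
    for serial, r in enumerate(register, start=1):
        print(f"{serial:>2} {r.module:<6} {r.impact:>3} {r.exposure:>2} {r.heat_zone} {r.statement}")
    print(heat_map_plot(register))
```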