12/20/2010

1

Recent developments in auditing standards

Bangalore Branch of SIRC of ICAI

15th December 2010

CA Suresh DM

All U DO IS TICKING

12/20/2010

2

Auditing Standards: Indian Perspective

Auditing Standards are codification of existing bestpractices in the area of auditing.

International Standards on Auditing (ISAs) are issued bythe IAASB of IFAC.

In India, the ICAI formulates Auditing and AssuranceStandards (AASs).

Basic Considerations behind AASs formulation

◦ Harmonization with ISAs, to the extent possible – a Membershipobligation for ICAI

◦ Applicable laws in India.

◦ Customs, usages & business environment in India.

Auditing Standards:

Indian Perspective

Companies Bill 2009 – NACAAS to be

given authority to notify Auditing

Standards

MCA has observed that Auditing

Standards are currently issued by a ―Single

Institute‖. The fact is standards are issued after due consultations by

releasing Exposure Drafts

12/20/2010

3

Auditing Standards: Indian Perspective

(contd. …)

Scope of AASs Apply whenever independent audit carried out.

Apply irrespective of size, legal form or commercial motives of

the client.

May appropriately apply to other functions of auditors.

Authority Attached to AASs Mandatory compliance by members of ICAI.

Material departures from AASs to be brought out in the report

Engagement & Quality Control Standards

Road to Convergence – Clarity Project

AASB founder member of IFAC

Auditing standards based to the extent possible on

corresponding International Standards (IS) of International

Auditing and Assurance Standards Board (IAASB).

Chalked out timeline for bridging gap in convergence with IS

under IAASB Clarity Project

Revised the entire suite of 36 Standards on Auditing in line with

the International Standards.

12/20/2010

4

Engagement & Quality Control Standards

AASB’s response to IAASB Clarity Project (2006 till date):

◦ Revised & more rigorous Due Process

◦ Revised Framework & Preface

◦ AASs renamed & renumbered in line with IAASB terminology –

ENGAGEMENT STANDARDS:

Standards on Auditing

Standards on Review Engagements

Standards on Assurance Engagements

Standards on Related Services

◦ Mother Standard on Quality Control

◦ Revised/ new Standards on Fraud, Audit Planning & Risk-based Audits

◦ Many new/ revised Standards in pipeline

Diagrammatic presentation of structure of

standards under New preface

Related Services

Assurance

engagements other

than Audits and

review of historical

financial information

Standards on

Audting (SA)

100-999

Standards on

Review

engagements

(SRE)

2000- 2699

Standards on

Assurance

Engagements (SAE)

3000- 3699

Standards on

Related Services

(SRS)

4000 - 4699

Framework for Assurance Engagements

Assurance services

Audits and review of historical financial

information

Standards on Quality Controls (SQC)

Chartered Accountants Act, 1949

Pronouncements by ICAI

12/20/2010

5

Clarity Project

Exercise to rewrite and Update.

Includes :

Identifying the overall objectives of the auditor when conducting an audit in accordance with ISAs, setting an objective in each ISA, and establishing an obligation on the auditor in relation to those objectives

Clarifying the obligations imposed on auditors by the requirements of the ISAs and the language used to communicate such requirements

Eliminating ambiguity about the requirements the auditor needs to fulfil.

Engagement & Quality Control

Standards

12/20/2010

6

Layout of Standards

Scope

Effective Date

Objective

Definitions

Requirements

Application and Other Explanatory

material ( Basically details out requirements)

Audit Process

12/20/2010

7

Standard on Quality Control – SQC 1

QUALITY CONTROL FOR FIRMS

THAT PERFORM AUDITS AND

REVIEWS OF HISTORICAL

FINANCIAL INFORMATION, AND

OTHER ASSURANCE AND

RELATED SERVICES

ENGAGEMENTS

SQC 1 – Quality Control for Firms

Definitions

Elements of a System of Quality Control

Leadership Responsibilities for quality within the Firm

Ethical Requirements

Acceptance and Continuance of Client Relationships

Human Resources

Engagement Performance

Monitoring

Documentation

12/20/2010

8

Objective of SQC 1

The firm should establish a system of

quality control designed to

provide it with reasonable assurance

that the firm and its personnel comply

with professional standards and

regulatory and legal requirements,

and that reports issued by the firm or

engagement partner(s) are appropriate in

the circumstances

Meaning of certain terms

Engagement quality control review –

How:a process designed to provide an

Whyobjective evaluation,

Whenbefore the report is issued,

Whatof the significant judgments the engagement team

made and the conclusions they reached in formulating the report

12/20/2010

9

Meaning of Certain Terms

Engagement quality control reviewera partner, other person in the firm,

suitably qualified external person,

a team made up of such individuals,

with sufficient and appropriate experience and authority to objectively evaluate, before the report is issued, the significant judgments the engagement team made and the conclusions they reached in formulating the report.

However, in case the review is done by a team of individuals, such team should be headed by a member of the Institute

Any individual with

capabilities to act as

engagement partner or

an employee of another

firm

Meaning of Certain Terms

Engagement team –

all personnel performing an engagement,

including any experts contracted by the

firm in connection with that engagement

12/20/2010

10

Meaning of Certain Terms

Network Firm – Change made

during Clarity Project

An entity

under common control, ownership or management with the firm or

Any entity that a reasonable and informed third party having knowledge of all relevant information would reasonably conclude as being part of the firm nationally or internationally

That is aimed at cooperation, and aimed at profit or cost-sharing

or shares common ownership, control or management,

common quality control policies and procedures,

common business strategy,

Use of a common brand name, or a significant part of professional resources.

BEFORE AFTER

Elements of a System of Quality

Control – Policies to address(a) Leadership responsibilities

for quality within the firm.

(b) Ethical requirements.

(c) Acceptance and continuance

of client relationships

(d) Human resources.

(e) Engagement performance.

(f) Monitoring

12/20/2010

11

Leadership Responsibilities for

Quality within the Firm

promote an internal culture for stressing upon quality in deliverance

firm’s chief executive officer to assume ultimate responsibility for the firm’s system of quality control

Perform work that complies with professional standards and regulatory and legal requirements

How to promote quality-oriented

internal culture

clear, consistent and frequent actions and messages from all levels

culture that recognizes and rewards high quality work

training seminars, meetings, formal or informal dialogue, mission statements, newsletters, or briefing memoranda.

12/20/2010

12

Ethical Requirements

The firm should establish procedures that enable its personnel comply with ethical requirements:

(a) Integrity;

(b) Objectivity;

(c) Professional competence and due care;

(d) Confidentiality; and

(e) Professional behavior.

INDEPENDENCE

Scope of various services provided to Client not to be threat to Independence

Annual Independence confirmation from all the personnel of the Audit Firm regarding independence.

Rotation of Partners and Managers to reduce familiarity threat( SEC Rules – 7 years for listed entities and 10 years for other engagements)

Note: For Sole Proprietors/Individuals auditing listed entities, rotation policy is not applicable. However they need to undergo compulsory Peer Review Process.

12/20/2010

13

• An auditor of an entity is prohibited from

providing an audit client, any of nine specified

non-audit services.

Threats to Independence -

Prohibited Activities

1. Bookkeeping or other services related to

the accounting records or financial

statements of the audit client;

2. Financial information systems design and

implementation;

3. Appraisal or valuation services, fairness

opinions, or contribution-in-kind reports;

4. Actuarial services;

Prohibited Non-Audit Activities

12/20/2010

14

4. Internal audit services;

5. Management functions or human

resources;

6. Broker or dealer, investment adviser, or

investment banking services;

7. Legal services and expert services

unrelated to the audit; and

Prohibited Non-Audit Activities

Independence

Firm Should frame policies so that

◦ Firm’s personnel are aware of the

independence requirements

◦ Partners are provided with relevant data

about client hierarchy and threats to

independence.

12/20/2010

15

Threats to Independence

Independence of Mind

Independence of Appearance

◦ Threat of potential employment

◦ Threat of undue dependence on fees and fear

of losing client

◦ Threat of self review – review of judgements

made in earlier periods

◦ Threat of investment in client’s shares

Acceptance & Continuance ( A&C)

Undertake or continue relationships and

engagements.

Ascertain Integrity of Client

Auditor is competent to perform and has

sufficient resources.

Compliance with ethical requirements

achieved

12/20/2010

16

Human Resource

Firms should frame policies to address

(a) Recruitment;

(b) Performance evaluation;

(c) Capabilities;

(d) Competence;

(e) Career development;

(f) Promotion

(g) Compensation; and

(h) Estimation of personnel needs

Engagement Performance

establish consistency in the quality of

engagement performance which is

accomplished through standardized

documentation.

Qualitative deliverance involves

consultation

12/20/2010

17

Review of Quality Controls and

Risks ( RQR process) Engagement Quality control review –

Objective evaluation of Judgments used,

which should be done before issue of

report.

Must for all Listed Companies Audit

Criteria to be set out for other Audits

RQR Process

Nature, Timing and Extent

Criteria for Reviewers

Documentation Requirements

12/20/2010

18

Other Matters

Engagement Documentation

◦ Final Working Files to be completed and assembled before reports have been finalized.

◦ (Means before release of report)

◦ Confidentiality, Safe Custody, Integrity, Accessibility and Retrievability of Documentation

◦ Retention of Documentation

◦ Ownership of Documentation

◦ Monitoring Process

International Standard on QC

Vs

Indian Standard on QC

Subject Matter International SQC Indian SQC

Engagement Quality

Control Reviewer

Reviewer can be

anyone with sufficient

and appropriate

experience

Reviewer should be a

member of ICAI

Minimum Period of

Retention of Working

papers

5 Years 7 Years

Rotation of Auditors 7 years No specific time limit

12/20/2010

19

SA’s applicable for audits relating to

accounting periods beginning on or

after 1.4.2010SA Title of the Standard

200 ( Revised) Overall Objectives of the Independent Auditor and the

Conduct of an Audit in Accordance with Standards on

Auditing

210 (Revised) Agreeing the Terms of Audit Engagements

220 ( Revised) Quality Control for an Audit of Financial Statements

265 Communicating Deficiencies in Internal Control to Those

Charged with Governance and Management

320 ( Revised) Materiality in Planning and Performing an Audit

402 ( Revised) Audit Considerations Relating to an Entity Using a Service

Organization

450 Evaluation of Misstatements Identified during the Audit

501 ( Revised) Audit Evidence – Specific Considerations for Selected Items

505 ( Revised) External Confirmations

SA’s applicable for audits relating to

accounting periods beginning on or

after 1.4.2010SA Title of the Standard

510 ( Revised) Initial Audit Engagements — Opening Balances

520 ( Revised) Analytical Procedures

550 (Revised) Related Parties

610 ( Revised) Using the work of Internal Auditors

620 ( Revised) Using the Work of an Auditor’s Expert

720 The Auditor’s Responsibility in Relation to Other Information

in Documents Containing Audited Financial Statements

12/20/2010

20

SA 265 - COMMUNICATING DEFICIENCIES IN

INTERNAL CONTROL TO THOSE CHARGED WITH

GOVERNANCE AND MANAGEMENT

Scope

Auditor is required to obtain understanding of internal Control.

This understanding is to design appropriate audit procedures and not for purpose of expressing opinion on internal controls.

Standard is only a carve out standard from SA 260 – Communicating to those charged with governance.

No such separate reporting requirements normally.(Other than SOX assignments)

SA 265 - COMMUNICATING DEFICIENCIES IN

INTERNAL CONTROL TO THOSE CHARGED WITH

GOVERNANCE AND MANAGEMENT

This standard is very simple. Contains Just

11 Para in the Main Text.

Others clauses are Application and

explanatory Material

12/20/2010

21

SA 265 - COMMUNICATING DEFICIENCIES IN

INTERNAL CONTROL TO THOSE CHARGED WITH

GOVERNANCE AND MANAGEMENT

Identify deficiencies in Internal Control on the basis of audit work performed

Determine whether they constitute significant deficiencies ( Deficiency which merit immediate attention of

Management in terms of likelihood, susceptibility to Loss or Fraud, Amount exposed)

Communicate to those charged with Governance

Please note it is ―communicate to the Management‖ and not the owners.◦ (Auditor Report under legal framework will be addressed to the

Owners/Shareholders.)

SA 265 - COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO

THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT

What Should be Communicated

◦ Description of Deficiencies

◦ Context and effect of such deficiencies

◦ Highlight the fact that these are only identified

deficiencies in designing the Audit Procedures.

12/20/2010

22

SA 265 - COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO

THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT

What type of controls are analysed.

General monitoring controls (such as oversight of management).

Controls over the prevention and detection of fraud.

Controls over the selection and application of significant accounting policies.

Controls over significant transactions with related parties.

Controls over significant transactions outside the entity’s normal course of business.

Controls over the period-end financial reporting process (such as controls over non-recurring journal entries).

SA 402 – Audit Considerations

relating to an entity using a service

organisation.

This standard deals with auditors

responsibility to obtain sufficient

appropriate audit evidence when an entity

uses the services of service organisations.

Common examples are Actuary Services,

Payroll outsourcings, Vendor payment

process etc.

12/20/2010

23

SA 402 – Audit Considerations

relating to an entity using a service

organisation.

Methodology of obtaining Audit Comfort

◦ Obtain a Type 1 or Type 2 Report

◦ Contact/Visit the Service Organization.

◦ Using the work of another auditor.

SA 501 – Audit Evidence – Selected

Items This standard mainly deals with

◦ Inventory

◦ Litigation and Claims

◦ Segment Information

◦ Compared to earlier SA 501, this revised

standard does not deal with Valuation and

Disclosure of Long Term Investments.

12/20/2010

24

SA 501 – Audit Evidence – Selected

Items - Inventory Attendance at Physical Count

◦ Evaluate managements instructions and

procedures

◦ Observe the performance of managements

count procedures

◦ Inspect the inventory

◦ Perform test counts

◦ Verify financial inventory records to ensure it

reflects physical counts

SA 501 – Audit Evidence – Selected

Items - Inventory If count < or > ―Balance Sheet Date‖,

perform roll forward/backward testing

Inventory lying with third party

◦ Obtain confirmation

◦ Perform Inspection

12/20/2010

25

Quantities and prices

Ending inventories = Net income

Inventories – Basic Principles

50,000 lbs

l Changed quantities on inventory tags

l Altered quantities on computer

listings

l Management created fictitious tags

Cenco Corporation

12/20/2010

26

=l Management explains:

l Computer keypunch

errors

l Tags discarded

Cenco Corporation

"I am unable to definitely

say that the inventory is

being inflated, but there

are a few things about

the new tags which

bother me."

Cenco Corporation

12/20/2010

27

SA 501 – Audit Evidence – Selected

Items – Litigations and Claims Inquiry of in house legal personnel/

Management

Reviewing Minutes of Meetings

Review Legal Expenses accounts

Request confirmation from External Legal

Counsel

Written representations about completeness

of disclosures

SA 520(R) – Analytical Procedures

Types of Procedures

◦ Trends

◦ Reasonableness Testing

For Eg: Bank Deposits to Interest earned

Raw Material Consumption to Production

◦ Ratios

Affected by reliability of data, precision

of estimation, source of information etc

12/20/2010

28

SA’s applicable for audits relating to

accounting periods beginning on or

after 1.4.2011

SA 700 (Revised) –

• Forming an opinion and Reporting on Financial Statements

SA 705

• Modifications to the Opinion in the Independent Auditor’s Report

SA 706

• Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report

SA 710 ( Revised)

• Comparative Information –Corresponding Figures and Comparative Financial Statements

Gist of requirements of the new SAs

Indicate on the top of the report that it is ―INDEPENDENT AUDITORS REPORT‖

Title should be prominently indicated about

◦ ―MANAGEMENT RESPONSIBILITY

◦ ―AUDITOR’S RESPONSIBILITY‖

◦ ―OPINION‖

◦ Report under other LEGAL FRAMEWORK

Reference to CARO, Companies Act to be included in this clause.

12/20/2010

29

Gist of requirements of the new SAs

Opinion on corresponding figures in

financial statements

◦ Generally audit report is for current period

numbers

◦ If corresponding figure in previous period was

qualified and such matter is unresolved than

report should continue reference to the

previous corresponding number also.

RISK AND ASSESSMENT

ASSESSING RISK IN AUDIT PLANNING

12/20/2010

30

Focus on Risk Management

Out of the total 35 general standards

◦ There are 6 standards on Risk Management

◦ ICAI has come up with a separate

Implementation Guide to Risk Based Audit

◦ Hence Risk Management is important as the

entire Audit Process Revolves around Risk

Audit involves

Assessing the risks – Risk of Material

Misstatements

Designing and performing audit

procedures to obtain reasonable

assurance

Issue of audit report

12/20/2010

31

Key Definitions

Risk: The uncertainty of an event occurring that

could have an impact on the achievement of

objectives.

Risk assessment: A systemic process for assessing

and integrating professional judgments about

probable adverse conditions and/or events.

Risk management: The culture, processes and

structures that are directed towards the effective

management of potential opportunities and

adverse effects.

Why only reasonable assurance and

not absolute assurance Limitation on Testing – Use of sampling

Internal Control Limitations

Undetected Frauds

Persuasive nature of audit evidence

Reliance on Judgement

12/20/2010

32

Key Risks in Audit

• Inherent

•Control

Financial Statements

contains Material Misstatements

•DetectionAuditor will not

detect such Material

Misstatements

Interrelationship of Audit Risk Components

12/20/2010

33

3 Phases in Risk Based Audit

Risk Assessment

Risk Response

Risk Reporting

Risk Assessment

12/20/2010

34

Risk Response

Reporting

12/20/2010

35

Audit Time Spent

Strategy Decision Making

& Process

Information collected about Mgt Decisions

Financial Statements

Ideal Audit Time Spending

Strategy Decision Making & Processes

Information about Decisions

Financial Statements

12/20/2010

36

Risk Assessment Procedures

Inquiries of Management and

Others

Analytical Procedures

Observations and

Inspections

Results of Risk Assessment Process

Target audit

resources

where risk is

greatest!

Probability of RiskHL

H

12/20/2010

37

Fraud Risk

Components of Fire

FIRE

Heat Oxygen

Fuel

12/20/2010

38

Page 75

Components of Fraud

FRAUD

Situational

Opportunity

Rationalization

Pressure or Motive

Page 76

Top Management

The ability of top management to override controls significantly increases the likelihood of fraud

12/20/2010

39

Page 77

Fraud Comes in Bunches

Embezzlement

Check Kiting

Expense

Report

Financial

Statement

Conversion

Laundering

Theft

Credit Card

Page 78

The Perfect Crime

Any three people can commit the perfect crime as long as two of the three are dead

12/20/2010

40

Page 79

Materiality

Immaterial

Documentation

Standardized Documentation to be

practiced

12/20/2010

41

Importance of Documentation

A systemic process designed to

yield a comprehensive risk

assessment

• core business processes

• enabling processes

Risk Assessment in Annual Planning:

The Tennessee Valley Authority Model

12/20/2010

42

Risk Planning ModelP

RO

BA

BIL

ITY

Risk Assessment in Annual Planning:

The Tennessee Valley Authority Model

MATERIALITY

Visibility and

Sensitivity

Impact on

Enterprise

Operations

IDENTIFY AUDIT AREAS

Risk Assessment in Annual Planning:

The Tennessee Valley Authority Model

Risk Factors

Materiality Points( account balances in INR)

Audit Area > 100 million 8-10

Audit Area 10 million < 100 million 4-7

Audit Area < 10 million 1-3

12/20/2010

43

Risk Assessment in Annual Planning:

The Tennessee Valley Authority Model

Risk Factors

Impact on Operations Points Significant impact on core business 8-10

Significant impact on specific

program moderate impact on core

business 4-7

Negligible impact on specific program

or core business 1-3

Risk Assessment in Annual Planning:

The Tennessee Valley Authority Model

Risk Factors

Public Sensitivity Points Likely to result in public or

congressional interest 8-10

May result in public or

congressional interest 4-7

Unlikely to result in public or

congressional interest 1-3

12/20/2010

44

Risk Assessment in Annual Planning:

The Tennessee Valley Authority Model

Probability Factors

Probability of Risk Points High probability of significant issues 0.8-1.0

Moderate probability of significant

issues and high probability of

improvement needed 0.4-0.7

Low probability of significant issues

and moderate to low probability of

improvement needed 0.1-0.3

Risk Assessment in Annual Planning:

The Tennessee Valley Authority Model

Asset Capitalisation

Payroll Processing

Bank Transactions

4 7 5 16 0.5 8.0

7 7 8 22 0.6 13.2

3 5 9 17 0.3 5.1

Potential Audit Subject

Example of Risk Assessment

12/20/2010

45

Risk-Based Audit Engagements:

Understand

Processes

and

Objectives

1

Identify

Risks

2

Measure

Potential

Impacts

3

Evaluate

Controls and

Estimate

Probability

4Evaluate

and

Prioritize

Risks

5

Develop

Audit

Objectives

& Program

6

Largest Bankruptcy Filings(1980 to Present)

Company Assets (Billions) When Filed

1. WorldCom $101.9 July, 2002

2. Enron $63.4 Dec., 2001

3. Texaco $35.9 April, 1987

4. Financial Corp of

America

$33.9 Sept., 1988

5. Global Crossing $25.5 Jan., 2002

6. Adelphia $24.4 June, 2002

7. United Airlines $22.7 Dec. 2002

8. PG&E $21.5 June, 2002

9. MCorp. $20.2 March, 1989

10. Kmart $17.0 Jan., 2002

12/20/2010

46

Auditing in the

ERP

Environments

SAP -R/3 Enterprises - Application components

ERPAM

PS

CO

SD

QM

PM

HRIS

WF

FI

MMPP

12/20/2010

47

Key business processes in Sales and Distribution

(SD), Materials Management (MM) and Financial

Accounting (FI) need to be studied in detail to

identify their vulnerability to threats from within

and outside. Based on this and experience of

internal audit team, risk statements relevant to

businesses are to be captured.

For each risk statement, risk impact and risk

exposure is to be assessed as under

RISK ASSESMENT METHODOLOGY – BY A QUANTIFICATION

MODEL

Risk impact ( Severity x Detectability) to be assessed on a scale of 1 – 100 (100 being the highest adverse impact.

A-Risk Severity ( on a scale of 1- 10 ) is determined based on weighted average affect on 5 parameters ie

i- PBT, ii- Statutory / regulatory compliance iii-Strategic value iv- Financial statement accuracy , v-Reliability/ operational effectiveness .

B- Risk Detectability ( on a scale of 1 – 10 ) is determined based on the stage of detectability of adverse event ie with in the co.or from outside customers.

Risk impact-Severity X Detection

12/20/2010

48

Risk exposure (likelihood of occurrence) to be assessed on a scale of 1-10 (10 being most likely).

Risk exposure is determind based on weighted average effect of 10 parameters,responsiblefor the exposure ie

I-Incorrect source data/ data entry ii Incorrect incomplete execution iii-Incorrect/ non verification of output iv-Skill/ resource constraint v-Inadequate segregation of duties vi-Lack of system documentation vii-Authority norms not defined/ followed viii-Inappropriate configuration/ process logic ix-Weak internal/ compensating controls x-Others (i.e.: process complexity, frequency of changes, software limitation, unassignable causes etc.)

Risk exposure

S

.

N

o

Risk statement

Risk

Risk

exposu

re

Heat

zone

Severi

tyDetectabIlit

y

Impa

ct

1 Invoice may be raised without

effecting physical delivery of

the goods from depot/ plant

(bill and hold)

7 8 56 5R1

2Sales order may not be

executed in time and in full4 6 24 3

Y2

3 Debit / credit notes sent to

customers may not contain

adequate supporting details

2 4 8 4G2

RISK STATEMENTS – SD-Examples

12/20/2010

49

S

.

N

o

Risk statement

Risk

Risk

exposu

re

Heat

zone

Severi

ty

DetectabIlit

y

Impa

ct

1 Financial authority norms for

release of PO may not be

mapped into SAP

4 8 32 6R3

2 GR may be prepared for a

quantity lower/ higher than

vendor delivery challan

4 6 24 4Y2

3 CENVAT credit availed may be

lower than CENVATABLE

excise duty credited to vendor

through invoice verification

3 6 18 4G2

RISK STATEMENTS – MM-Examples

RISK STATEMENTS – FI-Examples

S

.

N

o

Risk statement

Risk

Risk

exposu

re

Heat

zoneSeveri

ty

DetectabIlit

y

Impa

ct

1Depreciation rates may have

been incorrectly set up 5 6 30 5

R3

2 Vendors account may not

have been reconciled/

confirmed as per laid down

frequency

5 6 30 4Y2

3Line items (individual entries)

clearing may not have been

carried out in vendor accounts

3 6 18 4G2

12/20/2010

50

RISK STATEMENTS – Common to all functions Examples

S

.

N

o

Risk statement

Risk

Risk

expos

ure

Heat

zoneSever

ity

DetectabIl

ity

Imp

act

1

SAP transaction authorizations

granted to users may not

relate to their assigned

role/responsibility

8 8 64 8 R1

2

SAP transactions may be

carried out using group IDs

resulting in non traceability of

transactions to any specific

individual (employee)

8 8 64 8 R1

3

Audit trails (chronological log

of changes) may not be

reviewed/ analyzed by process

owners

5 8 40 7 R3

R

I

S

K

I

M

P

A

C

T

HIGH100 Y1 R2 R1

MEDIUM

40

G1 Y2 R3

LOW20

G3 G2 Y3

0 2 4 10

LOW MEDIUM HIGH

RISK EXPOSURE →

Risk Registers and Heat Maps – Module wise

Using the risk impact and risk exposure scores as worked out above,allpossible risk statements ( like 3 examples given for each SD/MM/FI ) need to be prepared in the form of a RISK REGISTER of many pages and ultimately ,all risk statement Sr nos to be plotted on 1 page HEAT MAP.

12/20/2010

51

101

INTEGRATED INTERNAL CONTROL

FRAMEWORK

THANK YOU

suresh _dms@rediffmail.com

12/20/2010

52

Thank You

suresh _dms@rediffmail.com