Internal Audit Checklist (2024 Edition)

This document provides an internal audit checklist to help guide internal auditors in effectively conducting the internal audit process. It is divided into two parts, with Part A covering audit planning, entity level controls, business process reviews, financial statement closures, management information systems, compliance reviews, and other operational areas. Part B contains checklists for specific business processes like order to cash, purchase to pay, capital expenditures, treasury, inventory, and other functional areas. The checklist is meant to be illustrative and should be customized based on the systems and procedures of the organization under audit. It aims to help auditors ensure operating effectiveness of controls and mitigate key risks.


Internal Audit Checklist

Board of Internal Audit and Management Accounting


The Institute of Chartered Accountants of India
(Set up by an Act of Parliament)
New Delhi
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form, or by any means, electronic mechanical, photocopying, recording, or
otherwise, without prior permission, in writing, from the publisher.

DISCLAIMER: The views expressed in this Guide are those of author(s). The Institute of
Chartered Accountants of India may not necessarily subscribe to the views expressed by the
author(s).

First Edition : February, 2017

Second Edition : February, 2024

Committee/Department : Board of Internal Audit and Management Accounting

E-mail : [email protected]

Website : www.icai.org/ www.internalaudit.icai.org

Price : `

ISBN :

Published by :

Printed by :
Foreword
The Internal Audit function has consistently evolved over time. Today, beyond the requirements
specified by the Companies Act, 2013, the internal auditors are expected to ensure risk and
governance aspects as well. Every organization adopts a unique approach to accepting certain
levels of risk and applying measures to reduce these risks. The success of an organization is often
closely linked to its proficiency in comprehending and managing its risk exposures. As a part of the
company's risk control ecosystem, it is essential for the internal auditor to have the necessary
skills to grasp the nature of risks and their corresponding controls.
I am happy to note that the Board of Internal Audit and Management Accounting of the Institute of
Chartered Accountants of India(ICAI) has undertaken the project of revising its publication and
issued ‘Internal Audit Checklist (2024 Edition)’ to provide step-wise guide to members to effectively
conduct the Internal Audit Process. This checklist is illustrative in nature and is based on Risk
Control Matrix. This checklist focuses on risk exposure and control effectiveness and data
analytics for each process.
I congratulate CA. Rajendra Kumar P, Chairman, CA. Charanjot Singh Nanda, Vice Chairman and
all other members of Board of Internal Audit and Management Accounting for bringing out this
revised comprehensive publication.
I am sure that this publication will assist the members in discharging their responsibilities as
internal auditors more effectively and efficiently.

February 1, 2024
New Delhi

CA. Aniket S Talati
President, ICAI
Preface
The Board of Internal Audit and Management Accounting, ICAI has issued Internal Audit Checklist
in 2017 to provide a step-by-step guidance to members on every aspect of internal audit. The
Board has immense pleasure in placing before the members Revised “Internal Audit Checklist” that
is drafted based on Risk Control Matrix for every aspect of Internal Audit. This checklist divides
each process into sub processes and identifies risks for each process, controls to mitigate risks,
sample size, test performed to check control effectiveness.
This Checklist has been divided into two parts: Part A and B. Part A contains checklists on Audit
Planning, Entity Level Controls, Business Controls Diagnostic, Financial Statement Closure
Process, Annual Operating Plan, Management Information System, IT
Internal Controls, Standards on Internal Audit Compliances, Legal and Statutory Compliances,
Operational and Administrative Expenses, Government Grants, Patents and Copyright, Business
Continuity Plan, Related Party Transactions, Audit Conclusion. Part B contains checklist Order to
Cash – Manufacturing and Services, Purchase to Pay – Material and Services, Capital Items,
Fixed Assets and Capex, Project, Treasury and Inventory Management, Cash and Bank,
Borrowings, Direct, Indirect Taxation and GST, Corporate Social Responsibility, Human Resources
– Hire to Retire and Payroll Management, Foreign Currency Transactions. This Checklist is
illustrative in nature and the internal audit team should review and update it based on systems and
procedures of the Organizations. This checklist would help members to ensure the operating
effectiveness of internal controls to mitigate key risks.

We would like to thank CA. Aniket Sunil Talati, President, ICAI and CA. Ranjeet Kumar Agarwal,
Vice-President, ICAI for their continuous support and encouragement to the initiatives of the
Board. We also thank the members of our Board who have always been a significant part of all our
endeavors.
We also wish to express our sincere appreciation for CA. Arti Bansal, Secretary, Board of Internal
Audit and Management Accounting, ICAI and team member CA. Gyanender Shokeen, Professional
for their technical and administrative assistance in bringing out this Checklist.
We firmly believe that this publication would serve as a basic Guide for the members and other
readers interested in the subject.
We will be glad to receive your valuable feedback at [email protected]. We also request you to visit
our website https://internalaudit.icai.org and share your suggestions and inputs, on internal audit
and Management Accounting.

CA. Rajendra Kumar P
Chairman, Board of Internal Audit & Management Accounting

CA. Charanjot Singh Nanda
Vice-Chairman, Board of Internal Audit & Management Accounting

January 22, 2024
New Delhi
Foreword to First Edition
The Chartered Accountancy profession, since its inception, is regarded as the trustee of public
interest. In the last decade or so of financial turbulence, the role of Chartered Accountancy
profession has become increasingly relevant and critical for sustenance of businesses. The CA
profession has avowed duty to public interest and this can come through with increased impetus
on ethics, trust and integrity in discharging professional assignments.
The Companies Act, 2013, has definitely shaped the way forward for internal audit function in India
and has provided a strong legal mandate for the crucial role of internal auditors in the corporate
governance structure.
Internal auditors should rise to the task and seize the opportunity of establishing high performing
internal audit functions as per the new requirements. Internal auditors must be conscious that the
current responsibilities come with new risks and new rewards. Continuous learning and timely
application of relevant knowledge to create value will help in increasing the internal audit’s
credibility and confidence in their enhanced roles.
I am happy that the Internal Audit Standards Board is issuing this publication “Internal Audit
Checklist” to provide updated guidance for helping internal auditors to stay at the cutting edge of
best practices. This publication is quite comprehensive, providing a step-by-step guidance on
every aspect of internal audit.
At this juncture, I wish to compliment CA. Mukesh Singh Kushwah, Chairman, CA. Anil S.
Bhandari, Vice Chairman and other members of Internal Audit Standards Board, for their zeal
towards bringing out comprehensive literature on internal audit.
I am sure that this publication would prove useful to the members in efficiently discharging their
responsibilities as internal auditors.

February 7, 2017
New Delhi

CA. M. Devaraja Reddy
President, ICAI
Preface to First Edition
In today’s dynamic environment organisations are constantly reinventing the way business is done,
to meet the challenges of rapidly changing marketplace and regulatory framework. This makes it
imperative for internal audit function to find innovative means to facilitate organizations to succeed
and sustain their performance by imbibing/ integrating performance improvement in internal audit
approach. The Companies Act, 2013, has also highlighted the important role of internal auditors in
corporate governance framework.
The Institute is committed to continue its efforts in helping its members to understand, guide and
shape the internal audit profession in the country. The Internal Audit Standards Board of ICAI has
immense pleasure in placing before the members this publication on Internal Audit Checklist. It
would serve as a simple step-wise guide intended to help internal auditors to effectively conduct
the internal audit process. This checklist is illustrative in nature and the internal team should
review and update it on the basis of systems and procedures of the organisations. It is divided into
four main parts. Part I is Introduction, Part II deals with Internal Audit of Specific Function, Part III
deals with Review and Reporting and Part IV covers Other Aspects. While each of the Parts is
further divided into relevant sub topics, Part II contains, guidance on aspects such as Sales, Fixed
Assets, Owner’s Capital, Fixed Assets and Depreciation and Payables and Receivables, etc. This
publication has therefore, a wider usage and appeal. This would also help to guide the members in
maintaining proper internal audit documentation in accordance with SIA 3, Documentation.
At this juncture, I wish to place on record my sincere thanks to all the members of the Study Group
formed under my convenorship at Delhi, viz., CA. Rakesh Garg (co-convener), CA. Anil Aggarwal,
CA. Manoj Tayal, CA. Vidhya Jayaraman, CA. Vinod Gupta, CA. Prashant Chand, CA. Umesh
Pandey, CA. Rajeev VD Gupta, CA. Vikas Agarwal, CA. Abhishek Jain, CA. Manoj Arora, CA. Rajiv
Walia, CA. Manu Jindal, CA. Sandeep Goel, CA. Naveen Sharma for taking time out of their
pressing preoccupations and contributing in preparation of this publication.
I would also like to thank CA. M. Devaraja Reddy, President, ICAI and CA. Nilesh Shivji Vikamsey,
Vice President, ICAI for their continuous support and encouragement to the initiatives of the
Board. I must also thank my colleagues from the Council at the Internal Audit Standards Board,
viz., CA. Anil Satyanarayan Bhandari, Vice-Chairman, IASB, CA. Tarun Jamnadas Ghia,
CA. Mangesh Pandurang Kinare, CA. Dhinal Ashvinbhai Shah, CA. Babu Abraham Kallivayalil,
CA. K. Sripriya, CA. M. P. Vijay Kumar, CA. Ranjeet Kumar Agarwal, CA. Sushil Kumar Goyal,
CA. Debashis Mitra, CA. Shyam Lal Agarwal, CA. Kemisha Soni, CA. Sanjiv Kumar Chaudhary,
CA. Sanjay Vasudeva, Shri Vithayathil Kurian and Shri Vijay Kumar Jhalani for their vision and
support. I also wish to place on record my gratitude for the co-opted members on the Board viz.,
CA. Anil Kumar Jain, CA. Kartik Bharatkumar Radia, CA. Krishna Kumar T., CA. Vipin Gupta,
CA. Vishwanath K., CA. Yashwant Jaywant Kasar and special invitee viz., CA. Shobhit Dwivedi for
their invaluable guidance as also their dedication and support to the various initiatives of the
Board.
I am sure that the publication would be warmly received by the members and they would find it
immensely useful in improving quality of their internal audit assignment.

New Delhi
February 8, 2017

CA. Mukesh Singh Kushwah
Chairman, Internal Audit Standards Board
MEMBERS OF THE COUNCIL [2022-25]
CA. Aniket Sunil Talati, President
CA. Ranjeet Kumar Agarwal, Vice President
CA. Rajkumar Satyanarayan Adukia
CA. Piyush Sohanrajji Chhajed
CA. Chandrashekhar Vasant Chitale
CA. Vishal Doshi
CA. Durgesh Kabra
CA. Dheeraj Kumar Khandelwal
CA. Purushottamlal Hukamichand Khandelwal
CA. Mangesh Pandurang Kinare
CA. Priti Paras Savla
CA. Umesh Sharma
CA. Dayaniwas Sharma
CA. Muppala Sridhar
CA. Prasanna Kumar D
CA. Rajendra Kumar P
CA. Cotha S Srinivas
CA. Sripriya K
CA. (Dr.) Debashis Mitra, Past President
CA. Sushil Kumar Goyal
CA. Rohit Ruwatia Agarwal
CA. Abhay Kumar Chhajed
CA. (Dr.) Anuj Goyal
CA. Gyan Chandra Misra
CA. Prakash Sharma
CA. (Ms.) Kemisha Soni
CA. Sanjay Kumar Agarwal
CA. Raj Chawla
CA. Hans Raj Chugh
CA. Pramod Jain
CA. Charanjot Singh Nanda
CA. Sanjeev Kumar Singhal
Shri Sanjay Kumar
Shri Ritvik Ranjanam Pandey
Shri Manoj Pandey
Shri Deepak Kapoor
Shri Rakesh Jain
Dr. P C Jain
Shri Vijay Kumar Jhalani, Advocate
Shri Chandra Wadhwa
MEMBERS OF THE BOARD OF INTERNAL AUDIT AND MANAGEMENT
ACCOUNTING [2023-24]
Members from the Sitting Council
CA. Rajendra Kumar P, Chairman
CA. Charanjot Singh Nanda, Vice-Chairman
CA. Aniket Sunil Talati, President (Ex-officio)
CA. Ranjeet Kumar Agarwal, Vice-President (Ex-officio)
CA. (Dr.) Rajkumar Satyanarayan Adukia
CA. Chandrashekhar Vasant Chitale
CA. Vishal Doshi
CA. Durgesh Kumar Kabra
CA. Priti Savla
CA. Piyush S Chhajed
CA. Sridhar Muppala
CA. Prasanna Kumar D
CA. Cotha S Srinivas
CA. (Dr.) Debashis Mitra
CA. Rohit Ruwatia
CA. (Dr.) Anuj Goyal
CA. Prakash Sharma
CA. Sanjay Kumar Agarwal
CA. Pramod Jain
CA. (Dr.) Sanjeev Kumar Singhal
Shri Deepak Kapoor
Shri Chandra Wadhwa
Co-opted Members
CA. Mohit Bharti
CA. Anil Kumar Jain
CA. Sharath Kumar D
CA. Bhupal Sing Sulhyan
CA. Sarda Satish Girdharlal
CA. Pankaj Soni
CA. Nitin Hukumchand Agarwal
Special Invitee
Shri Avinash Sopan Jadhav
CA. Krishnaswamy Vidyadaran
CA. P K Manoj
CA. Savio Vincent Mendonca
CA. Sana Baqai
CA. Bisworanjan Sutar
CA. Gavish Uberoi
CA. Pradeep Tyagi
CA. Tarun Kansal
Contents
Foreword .................................................................................................................................... iii
Preface ....................................................................................................................................... v
Foreword & Preface of previous edition ................................................................................... vii-x
Introduction .............................................................................................................................. 1-4
PART A ................................................................................................................................ 5-140
Checklist 1 : Audit Planning................................................................................................... 7-9
Checklist 2 : Entity Level Controls ...................................................................................... 10-28
Checklist 3 : Business Controls Diagnostic ......................................................................... 29-30
Checklist 4 : Financial Statement Closure Process ............................................................. 31-36
Checklist 5 : Annual Operating Plan ................................................................................... 37-41
Checklist 6 : Management Information System ................................................................... 42-44
Checklist 7 : IT Internal Controls ........................................................................................ 45-91
Checklist 8 : Standards on Internal Audit (SIAs) Compliances ........................................... 92-102
Checklist 9 : Legal and Statutory Compliances ............................................................... 103-104
Checklist 10 : Operational and Administrative Expenses ................................................... 105-110
Checklist 11 : Government Grants ..................................................................................... 111-117
Checklist 12 : Patents and Copyright ................................................................................ 118-123
Checklist 13 : Business Continuity Plan ............................................................................ 124-135
Checklist 14 : Related Party Transactions ........................................................................ 136-138
Checklist 15 : Audit Conclusion ........................................................................................ 139-140
PART B ............................................................................................................................ 141-563
Checklist 16 : Order to Cash – Manufacturing ................................................................... 143-162
Checklist 17 : Order to Cash – Services ........................................................................... 163-178
Checklist 18 : Purchase to Pay – Direct Material............................................................... 179-222
Checklist 19 : Purchase to Pay – Indirect Material and Services ....................................... 223-297
Checklist 20 : Purchase to Pay – Capital Items ................................................................. 298-378
Checklist 21 : Fixed Assets and Capex ............................................................................. 379-412
Checklist 22 : Project Management .................................................................................. 413-417
Checklist 23 : Inventory Management ............................................................................... 418-449
Checklist 24 : Cash and Bank .......................................................................................... 450-481
Checklist 25 : Treasury Management ............................................................................... 482-522
Checklist 26 : Borrowings................................................................................................. 523-530
Checklist 27 : Direct and Indirect Taxation & GST ............................................................. 531-544
Checklist 28 : Corporate Social Responsibility .................................................................. 545-550
Checklist 29 : Human Resources – Hire to Retire ............................................................. 551-556
Checklist 30 : Human Resources – Payroll Management .................................................. 557-561
Checklist 31 : Foreign Currency Transactions ................................................................... 562-563

Introduction
The objective of this Internal Audit Checklist is to ensure that all relevant tasks and procedures are
completed, and that the internal audit is done thoroughly and effectively. A checklist
ensures that all necessary steps are taken and helps to identify the areas that may need
improvement or further attention. Additionally, a checklist helps the audit team stay organized and
focused, and ensures that all necessary information is collected and reviewed.

Scope
The scope of the checklists depends on both the strategic and operational needs of the engagement. As
part of the engagement, best efforts are made to identify the areas where checklists are required.

About the Checklists


There are about 32 checklists included in this publication, which can be customized as
per the requirements of the internal auditors. These checklists largely cover the common areas of an
internal audit; however, the internal auditors may prepare additional checklists based on their
engagement. The columns against each line item in the checklist include:
- Process
- Sub-process
- Risk description
- Risk reference
- Controls
- Control reference
- Control owner
- Control frequency
- Design effectiveness
- Test performed
- Attributes tested
- Sample size
- Work paper reference
- Operating effectiveness
- Exceptions
- Data analytics performed
- Results of data analytics
- Issue summary or observations
- Process metrics

Need for Checklists


The checklist is a tool which the professional can use to:
1. Give direction to the team to cover specific areas of work with detailed action
points;
2. Ensure completeness of the work by reviewing the critical points to be covered;
3. Document the audit procedures carried out;
4. Maintain consistency in the audit process, especially in multi-team and multi-location assignments;
5. Reduce the orientation needed by new team members, since what needs to be done is already
covered;
6. Fine-tune the requirements based on the circumstances, since the Internal Audit Checklist also
covers Risk and Control Activities;
7. Enable the Quality Reviewer of the engagement to review the coverage,
documents verified and other qualitative aspects of the engagement;
8. Request specific information from the client based on the tasks to be done;
9. Document granular levels of information on sample selection and data analytics.

Order of Checklists
Part A
1. Audit Planning Checklist
2. Entity Level Controls
3. Business Controls Diagnostic
4. Financial Statement Closure Process
5. Annual Operating Plan
6. Management Information System
7. IT Internal Controls
8. Standards on Internal Audit (SIAs) Compliances
9. Legal and Statutory Compliances
10. Operational and Administrative Expenses
11. Government Grants
12. Patents and Copyright
13. Business Continuity Plan
14. Related Party Transactions
15. Audit Conclusion

Part B
1. Order to Cash – Manufacturing
2. Order to Cash – Services
3. Purchase to Pay – Direct Material
4. Purchase to Pay – Indirect Material and Services
5. Purchase to Pay – Capital Items
6. Fixed Assets and Capex
7. Project Management
8. Inventory Management
9. Cash and Bank
10. Treasury Management
11. Borrowings
12. Direct and Indirect Taxation & GST
13. Corporate Social Responsibility
14. Human Resources – Hire to Retire
15. Human Resources – Payroll Management
16. Foreign Currency Transactions

PART A
Checklist 1
Audit Planning

Columns: Process | Sub-process | Risk Description | Control | Test Performed | Attributes Tested

Process: Overall Internal Audit Planning

Sub-process: Internal Audit Charter / Terms of Engagement (where it is an outsourced engagement)
Risk Description: Risk that internal audits are not in line with the objectives of the internal audit function, as per the internal audit charter of the entity (and terms of engagement, where it is an outsourced engagement), and also not in line with the overall objectives of the organisation.
Control: A documented process, listing the detailed process for preparing the Annual Audit Plan keeping in view the various facets of coverage required. It can be part of the Audit Manual or a separate document.
Test Performed:
  1. Check the comprehensiveness of the audit plan.
  2. Check the adherence to the audit planning process as per the document.
Attributes Tested:
  1. Whether the documented process covers all the areas as listed in the Annual Audit Plan.
  2. Step-by-step adherence to the annual audit planning process as per the document.

Sub-process: Developing / Enhancing Business Knowledge
Risk Description: Risk of leaving key elements of risk unattended due to lack of business / regulatory environment knowledge.
Control: Process of continuous engagement with stakeholders both inside and outside the organization.
Test Performed: Check the interactions Internal Audit has with inside and outside stakeholders, and other research and documents as referred to by the auditor.
Attributes Tested: Updating of overall business and regulatory knowledge.

Sub-process: Audit Universe
Risk Description: Missing a key risk area for coverage in the Overall Internal Audit Plan.
Control:
  1. Having an Audit Universe for the Organisation / Auditable Entity.
  2. Review of the Audit Universe at regular intervals.
Test Performed:
  1. Check the availability of the Audit Universe for the Organisation / Auditable Entity.
  2. How many areas were added to or deleted from the Audit Universe.
  3. See the risk rating of the various Audit Universe areas and any change in the risk ratings.
Attributes Tested:
  1. Audit area listing.
  2. Risk rating of the various audit areas.
  3. Updating of the Audit Universe on a regular basis.

Sub-process: Plan Linkages with Enterprise Risk Assessment
Risk Description: Lack of linkage between the audit planning process and the risks faced by the Organisation.
Control: Inputs from the Enterprise Risk Management Team on key risks facing the organisation, and factoring the same into the overall audit planning process.
Test Performed: Communication of inputs to and from the Enterprise Risk Management Team.
Attributes Tested: Usage of inputs in preparation of the overall audit plan.

Sub-process: Independent Risk Assessment for various Auditable Units (i.e., locations, functions, business units and legal entities, including third parties, wherever relevant)
Risk Description: Risk of not prioritising high-risk areas, or missing them altogether.
Control:
  1. Doing an independent risk assessment of each auditable unit to arrive at the correct risk attributable to each auditable unit.
  2. Having adequate coverage in terms of scope / frequency / resource allocation to address the same.
Test Performed:
  1. Check the independent risk assessment along with the methodology.
  2. See the coverage for scope / frequency / resource allocation, etc.
Attributes Tested:
  1. Risk rating of each auditable unit.
  2. Scope / frequency and resources allocated to the auditable unit.

Sub-process: Resource and Time Allocation
Risk Description: Risk of inadequate resource allocation and available skill set.
Control: Allocation of resources and skill set depending upon the criticality and complexity of the auditable unit, along with a proper time duration for the review.
Test Performed: Assessment of resource and skill set allocation vis-a-vis the criticality and complexity of the auditable unit. Sufficiency of the time duration to have adequate coverage of the auditable unit.
Attributes Tested:
  1. Criticality and complexity of the auditable unit.
  2. Skill set of the resources allocated, along with the time duration for covering the auditable unit.

Sub-process: Inputs for Audit Plan from Executive Management
Risk Description: Risk of the Audit Plan not being in sync with organisational realities / organisation objectives and strategies.
Control:
  1. Communication of the audit planning process with executive management.
  2. Various meetings to capture inputs.
  3. Circulation of the approved audit plan.
Test Performed:
  1. Reviewing communication with executive management.
  2. Check the various minutes of the meetings or other documents used to capture inputs.
  3. Review the approved and circulated audit plan.
Attributes Tested:
  1. Audit planning communication.
  2. Various inputs to the Audit Plan.
  3. Accuracy of communication of the end result, i.e. the final audit plan.

Sub-process: Approval of Audit Plan with Audit Committee / Board
Risk Description: Risk of audit planning not being aligned with those charged with governance.
Control:
  1. Inputs from the Audit Committee / Board.
  2. Approval of the final audit plan by the Audit Committee.
Test Performed: Review of Audit Committee minutes to check inputs and approval.
Attributes Tested: Inputs and approval of the Audit Committee.

Sub-process: Periodic Review of Overall Internal Audit Plan
Risk Description: Risk of derailment or non-alignment of the Overall Internal Audit Plan.
Control: Review of the overall audit plan on a regular basis by the Chief Audit Executive.
Test Performed: Check the review performed by the Chief Audit Executive.
Attributes Tested: Alignment of the overall audit plan with stated objectives.

Checklist 2
Entity Level Controls
Final Sub-process Risk Description Control Test Attributes Sample Control
Performed tested size Frequency

Entity Ethics and Management -The company Control Documentation 100% Event
Level Code of does not has Codes of evidence of Code of Driven
Controls Conduct demonstrate Conduct that required: Conduct
character, provide guidance Signed Code of compliance/
integrity and for ethical Conduct undertaking
ethical values. behavior for all Declaration
officers, directors
and employees, Define the
partners and criteria for
consultants, as evaluating
well as suppliers. compliance
The codes with the Code
include of Conduct.
guidelines to These criteria
promote integrity, may include:
sound business a. Clarity and
practices, and accessibility of
legal compliance. the Code of
-The codes are Conduct.
reviewed and
b. Effective-ness
modified on as of
needed. communication
-Codes of channels used
Conduct are to disseminate
available on the the Code of
company Conduct.
website. c. Employee
-Annually, allawareness and
employees are understanding
asked to sign a of the Code of
Certification Form Conduct.
indicating that
d. Reporting
they have mechanisms for
received, read, potential
understood, and violations or
Entity Level Controls

Final Sub-process Risk Description Control Test Attributes Sample Control


Performed tested size Frequency

agree to abide by concerns.


the Code e. of Actions taken in
Conduct response to
-Annually, reported
partners and violations.
consultants are
required to
provide
acknowledgemen
t that they have
received and
have been in
compliance with
the relevant
policies
- The requirement
to share the Code
of Conduct with
key and direct
suppliers is
documented in
the Supplier
Qualifications
Procedures
- The Compliance
team tracks the
completion of
employee training
against the active
employee
headcount. The
Compliance team
also reviews the
list of employees
who have not
completed the
training and
conducts timely
follow-ups.

11
Internal Audit Checklist

Final Sub-process Risk Description Control Test Attributes Sample Control


Performed tested size Frequency

Entity Corporate The Constitutions The Board and Control Existence of 100% Yearly
Level Governance of Board and other committees evidence Corporate
Controls Guidelines other committee under the Board required: Governance
are not in line are formed/ Corporate Guidelines
with the modified with the Governance
Companies relevant statue Guidelines
Act/Regulator requirements like
requirements Companies Act, Ensure that
IRDA there is a
requirements, written
RBI requirement Corporate
etc. (As Governance
applicable to the Guideline
relevant entity) specifying
details such as
Board
Independence,
Committees,
Qualification
and expertise,
executive
compensation,
board
evaluation etc.
Ensure that the
board and other
committees as
required by the
statutes are
formed and the
roles and
responsibilities
are clearly laid
down.

Final: Entity Level Controls
Sub-process: Board Oversight
Risk Description: The Board does not clearly define the authority to be exercised at Board level and the authority delegated to other Directors.
Control:
- Board powers are clearly defined.
- Board powers are derived from the Companies Act, Memorandum of Association (MoA) & Articles of Association (AoA).
- Also, for Directors appointed during the year, a Board Resolution has been passed to define the general powers of a Director.
- Board meetings have been held once every quarter and attendance records have been maintained.
Test Performed: Control evidence required: Board composition, Corporate Governance Guidelines, Board Minutes, MoA & AoA of the Company. Assess the effectiveness of the board of directors in providing oversight and governance to ensure that the organization's strategic objectives are met, risks are managed appropriately, and compliance with laws and regulations is maintained.
- Review the Board structure, composition, meeting minutes and oversight (strategic, compliance, financial, risk).
- Assess the effectiveness of board committees (e.g. Audit committee, Governance committee) in fulfilling their respective oversight responsibilities.
- Verify that board members act independently.
- Compare the board's practices against industry best practices and corporate governance guidelines.
Attributes tested: Appropriateness of Board oversight
Sample size: 100%
Control Frequency: Ongoing

Final: Entity Level Controls
Sub-process: Board Oversight
Risk Description: The Board does not have a mechanism to review the adequacy and performance of Internal Control over Financial Reporting (ICFR).
Control: The Board of Directors reviews the performance of the company and the adequacy of internal controls through regular interactions with the CFO. Monthly reporting is done by the Senior Manager to the CFO, who in turn reports to the BOD. Minutes of Board Meetings record that the Internal Audit reports are reviewed and adopted by the Board. There is an established process of monthly reporting on operations, performance and financial reporting. Monthly MIS prepared by the Senior Manager-Finance is reviewed by the CFO and the Chairman & Managing Director.
Test Performed: Control evidence required: Board Minutes, MIS for the month, ICFR.
a. Ensure that there is a strong control environment that promotes ethical behavior and a commitment to internal controls.
b. Ensure that minutes of meetings are reviewed and adopted by the Board.
c. Verify if monthly MIS is prepared and reviewed by the management.
Attributes tested: Appropriateness of Board oversight
Sample size: 100%
Control Frequency: Monthly

Final: Entity Level Controls
Sub-process: Risk and Control Matrix
Risk Description: Financial reporting and related application and information systems are not reliable.
Control: On an annual basis, management performs a review of controls and processes, including identification of risks and relevant financial statement assertions. The final version of the controls and process narratives and any changes made during the year are reviewed by the control/process owners to ensure they are accurate. The risk and control matrix is maintained in the company's control management system.
Test Performed: Control evidence required: Risk and Control Matrix.
a. Check whether all significant risks related to each process or activity are identified and included in the risk control matrix.
b. Ensure that there is a clear and concise mapping of each risk to the corresponding control activities designed to mitigate or manage that risk.
c. Verify that control procedures and protocols are adequately documented for each control activity.
Attributes tested: Verification of the Risk and Control Matrix, ensuring that the design and operating effectiveness of the controls are effective.
Sample size: 100%
Control Frequency: Quarterly

Final: Entity Level Controls
Sub-process: Risk Assessment Process
Risk Description: The Company does not carry out the risk assessment.
Control: On a quarterly basis, the Chief Risk Officer (CRO) reports to the Risk committee about the results of the risk assessment. The assessment includes business risk, solvency position, asset liability management, industry position, etc.
Test Performed: Control evidence required: Quarterly Risk review presentation.
a. Ensure that the risk assessment process is well-defined and aligned with the organization's goals.
b. Check whether relevant stakeholders, including management, department heads, and subject matter experts, are involved in the risk assessment process.
Attributes tested: Appropriateness of the Quarterly Risk review presentation.
Sample size: 100%
Control Frequency: Quarterly

Final: Entity Level Controls
Sub-process: Whistle Blower Mechanism
Risk Description: The complaints received through whistle blower policies are not enquired into/resolved.
Control: The Management monitors/reviews the complaints received through the whistle blower policy. The appointed Ombudsman enquires into/investigates the complaints received and suitable action is taken if the subject is found guilty. On a quarterly basis, the report is provided to the Managing Director & Company Secretary and the same is reviewed and placed before the Board.
Test Performed: Control evidence required: List of whistle blower complaints. Define the criteria for evaluating the effectiveness and efficiency of the whistle-blower mechanism, including:
a. User access: The mechanism should be accessible to all relevant stakeholders.
b. Anonymity: Whistle-blowers should be able to report without fear of identification.
c. Confidentiality: The mechanism should safeguard the confidentiality of the reporter and the information provided.
d. Acknowledgment and follow-up: The system should acknowledge receipt of the report and allow for follow-up communication.
e. Timeliness: Reports should be processed promptly.
f. Resolution: The mechanism should facilitate appropriate investigations and resolution of reported issues.
Attributes tested: Adequacy of the whistle blower complaint process.
Sample size: 100%
Control Frequency: Quarterly

Final: Entity Level Controls
Sub-process: Organizational Structure
Risk Description: Roles and responsibilities are not clearly defined.
Control: The company maintains an organizational structure with the requisite positions, supported by job descriptions that explain skill levels and responsibilities. An organizational chart is in place and maintained up to date to communicate lines of reporting. The company has set in place a succession plan (prepared by the HR Department) that identifies critical business operations and positions (designations at Manager level and above), and a back-up plan is ensured to avoid impact on normal business operations.
Test Performed: Check whether reporting lines are well-defined and clearly communicated throughout the organization, and whether roles, responsibilities and job descriptions are clearly outlined for each position within the organization. Review whether the succession plan for critical business operations and positions is clearly laid down and maintained.
Attributes tested: Existence of an approved Organizational Structure.
Sample size: 100%
Control Frequency: Yearly

Final: Entity Level Controls
Sub-process: Authorization Matrix
Risk Description: Roles, responsibilities, authorisation and approval levels are not clearly defined.
Control: Departmental policies and Management Guidelines outline responsibilities, authorization and approval levels for transactions.
Test Performed:
a. Role Definition: Verify that each role or position in the authority matrix has a clear and well-defined scope of responsibilities.
b. Responsibility Assignment: Ensure that each task or activity in the organization is assigned to at least one responsible party in the authority matrix.
c. Accountabilities: Check that each task or activity has a single person or role designated as "Accountable" for its successful completion.
d. Role Mapping: Validate that each individual's name or role listed in the authority matrix matches their actual position and responsibilities in the organization.
e. Approval Process: If there is an approval process defined in the authority matrix, verify that the steps and criteria for approval are clear and adhered to.
f. Delegation and Escalation: Assess whether the authority matrix includes provisions for delegation of responsibilities and escalation procedures for unresolved issues.
Attributes tested: Existence of an approved Authorization Matrix
Sample size: 100%
Control Frequency: Yearly

Final: Entity Level Controls
Sub-process: Segregation of Duties (SOD)
Risk Description: Duties and responsibilities are not appropriately assigned/segregated.
Control: Segregation of duties (SOD) controls are implemented throughout the sites where the ERP has been implemented. SOD deficiencies are monitored, and management identifies compensating controls that are present and functioning to mitigate SOD risks.
Test Performed:
a. Ensure that there is a well-documented policy and procedures manual regarding segregation of duties.
b. Check whether there exists a mechanism to address conflicts identified during the transaction flow analysis.
c. Check whether the SOD controls are reviewed and tested as part of internal and external audits.
Attributes tested: Appropriateness of Segregation of Duties
Sample size: 100%
Control Frequency: Yearly

Final: Entity Level Controls
Sub-process: Strategic Plan
Risk Description: Strategic plans and objectives are not clearly defined.
Control: Management periodically reviews entity-wide strategic plans and objectives. The Board of Directors approves the entity-wide strategic plans and objectives.
Test Performed: Control evidence required: Approved strategic plans and objectives. Ensure that the strategic plan includes a clear and compelling vision statement that defines the organization's long-term aspirations and is aligned with the core values of the organisation.
Attributes tested: Existence of an approved Strategic Plan.
Sample size: 100%
Control Frequency: Yearly

Final: Entity Level Controls
Sub-process: Budget vs Actuals
Risk Description: Budget estimates are not prepared/set for the business teams. Senior Management does not review the business operations on a timely basis.
Control: Management establishes business plans and budgets and measures results against plans quarterly. Analyses are independently reviewed for appropriate assumptions and methodology. Significant unusual relationships, variances and exceptions are identified, investigated and justified.
Test Performed: Control evidence required: Approved budget and actuals.
a. Ensure that the budget is accurate, reflecting realistic estimates of revenues and expenses, and aligned with the organization's strategic objectives and operational plans.
b. Check whether the assumptions and methodologies used in preparing the budget are clearly documented and communicated.
c. Verify whether the budget incorporates contingency plans to address unexpected events or changes in the business environment.
d. Check whether unusual variances and exceptions are identified and justified.
Attributes tested: Appropriateness of Budget vs Actuals
Sample size: 100%
Control Frequency: Yearly

Final: Entity Level Controls
Sub-process: Financial Reporting
Risk Description: Regulatory non-compliance and financial misstatements if suitable accounting principles, policies or rules are not followed.
Control: Management specifies financial reporting rules and standards which are consistent with accounting principles suitable and appropriate for the entity. Reviews by/consultations with the Statutory Auditors, as required by regulation (annual review) or as considered necessary by the management, are done. Internal audit coverage extends to compliance review. Accounting policies and principles followed are stated in the 'Notes to accounts' in the financial statements. Circulars/emails issued for closure of financial transactions are shared. Internal audit is done by professional firms and the Internal Audit Reports identify the issues observed. Annual review is done by the Statutory Auditors.
Test Performed:
a. Ensure that all employees and relevant stakeholders are aware of the organization's policies and procedures.
b. Verify whether there is a process to monitor and assess compliance with policies regularly.
c. Check whether internal controls are in place to detect and prevent non-compliance with policies.
Attributes tested: Existence of Policies and Procedures (including Financial Reporting Rules and Standards)
Sample size: 100%
Control Frequency: As and when

Final: Entity Level Controls
Sub-process: Review of Related Party Transactions
Risk Description: Absence of an appropriate mechanism for identifying related party transactions can lead to regulatory non-compliance and/or financial misstatements.
Control: Various compliances under different statutes in relation to transactions with a related party (transfer pricing related compliance and return filing) are verified. Audit Committee and Board approval are taken for related party transactions.
Test Performed:
a. Ensure that all related parties, including individuals, entities and key management personnel, are identified and appropriately disclosed.
b. Check whether related party transactions have been assessed for materiality and whether material transactions are adequately disclosed.
c. Check whether Audit Committee approval and Board approval are obtained for related party transactions.
Attributes tested: Appropriateness of disclosure of related party transactions
Sample size: 100%
Control Frequency: As and when

Final: Entity Level Controls
Sub-process: Internal Audit
Risk Description: A robust system of monitoring through periodic internal audits or control self-assessments has not been established.
Control: The Internal Audit function is led by and staffed with qualified, competent personnel with appropriate professional credentials and designations. For purposes of independence, Internal Audit reports functionally to the Audit Committee of the BOD and administratively to the CFO, who approve the annual audit plan. Internal Audit completes an annual risk assessment and audit plan and provides periodic updates of its activities to executive management and the Audit Committee.
Test Performed:
a. Ensure that audit objectives are aligned with the organization's goals and risks.
b. Verify whether the scope of internal audit is adequately defined and documented.
c. Ensure that the internal audit function is independent and free from undue influence or conflicts of interest.
d. Check whether the auditor possesses the necessary skills, knowledge and qualifications to perform their duties effectively.
Attributes tested: Appropriateness of Internal Audit
Sample size: 100%
Control Frequency: Ongoing

Final: Entity Level Controls
Sub-process: Information technology controls
Risk Description: Company infrastructure and IT systems are used for fraudulent activities, thereby affecting the reputation and increasing the legal risks attached.
Control: IT policies and practices are properly documented and communicated to achieve consistency across business units. Policies are communicated to users via the Company Intranet and policy updates are approved annually by management. Adequate measures are taken to protect sensitive information and data privacy.
Test Performed:
a. Ensure that IT policies cover all relevant areas, such as information security, data privacy, IT governance, IT asset management, acceptable use and disaster recovery.
b. Verify if the IT policies are in alignment with the organization's overall business objectives and risk appetite.
c. Check whether the IT policies are in compliance with relevant laws, regulations and industry standards applicable to the organization's operations.
Attributes tested: Existence of IT Policies and Procedures
Sample size: 100%
Control Frequency: Quarterly

Final: Entity Level Controls
Sub-process: Information & Communication - External Communication
Risk Description: In the absence of clear communication channels for external parties, employee/management malpractices may not come to light, and there may be a reputation risk with respect to third parties.
Control: There are properly identified communication channels (email ids) for third parties under the grievance mechanism.
Test Performed: Control evidence required: Dedicated email id created to register complaints; details available on the company website.
a. Ensure that email ids are created specifically for addressing third party grievances.
b. Verify whether the email id is made available on the company website.
c. Ensure that ethical considerations are prioritized in all external communication efforts.
d. Verify whether key personnel are trained to handle crisis communication effectively.
Attributes tested: Appropriateness of grievance mechanism for third parties
Sample size: 100%
Control Frequency: As and when

Final: Entity Level Controls
Sub-process: Information & Communication - Management Oversight
Risk Description: Risk events and exceptional and unusual events remain unreported to the management, and hence the risk management framework is not duly enhanced.
Control: A formal communication process is established for escalating disruption to operations, occurrence of risk events and any material exceptional event. Periodic MIS/dashboards highlight all exceptions. Board meetings and management reviews discuss unusual events. Monthly MIS prepared by the Senior Manager - Finance department is reviewed and approved by the CFO and the Chairman & Managing Director.
Test Performed: Control evidence required: Procedure on Communication Protocol, MIS.
a. Ensure that a formal communication process is established for escalating disruption to operations.
b. Verify whether there is an established communication protocol for different types of information (e.g., financial, operational, strategic).
c. Ensure that the monthly MIS is reviewed and approved by the Senior management.
Attributes tested: Existence of an approved MIS/Dashboard
Sample size: 100%
Control Frequency: Monthly

28
Checklist 3
Business Controls Diagnostic
Process Sub- Risk Description Control Control Test Performed
process Owner
Process: Business Controls
Sub-process: Respective sub-process
Risk Description: Risk of not identifying 'what can go wrong' in each sub-process.
Control: Whether the entity has prepared a Risk Control Matrix covering all risks (strategic, operational, financial, compliance, etc.) and ensures that risk mitigation measures are operating effectively.
Control Owner: Business Head / Vertical or Segment Head
Test Performed: Review the Risk Control Matrix, ensure its completeness and accuracy, and critically evaluate the controls that are in place and whether they operate effectively.

Process: Business Controls
Sub-process: Controls
Risk Description: Risk of controls not being effective and efficient.
Control: To review the control objectives critically and take steps to modify the control activity to make it more effective, with the approval of the appropriate authorities.
Control Owner: Each process-owner
Test Performed: Review all the controls critically and check whether they are sufficient to cover the risk envisaged.

Process: Business Controls
Sub-process: Designing
Risk Description: Risk of ineffective control design or a design gap.
Control: Process walkthrough of each sub-process, analysing whether there is any gap in internal control design, and documenting the same.
Control Owner: Each process-owner
Test Performed: Walkthrough of all the processes and review of design gaps.

Process: Business Controls
Sub-process: Ineffective controls
Risk Description: Risk of ineffective controls not being addressed.
Control: There is a tracker of all ineffective controls, and steps have been taken to address them.
Control Owner: Internal Auditor
Test Performed: Follow up on all pending issues and corrective action.

Process: Business Controls
Sub-process: Policies and procedures
Risk Description: Risk of inconsistency in applying the policies and procedures.
Control: There has to be a Standard Operating Procedure for all the sub-processes, and the same needs to be complied with.
Control Owner: Each process-owner
Test Performed: Check whether all the steps given in the Standard Operating Procedure are followed.

Process: Business Controls
Sub-process: Standard operating procedure
Risk Description: Risk of the Standard Operating Procedure being irrelevant and not in line with changed circumstances.
Control: To ensure that the Standard Operating Procedure is updated periodically and in line with changed circumstances.
Control Owner: Each process-owner / Board of Directors
Test Performed: Periodicity of revision of the standard operating procedure. Further, review the new risks and controls environment and check that the necessary changes are made to the SOP.

Process: Business Controls
Sub-process: Ineffective controls
Risk Description: Risk of ineffective controls not being remediated.
Control: All ineffective controls need to be reported to the management, and a mitigation plan should be designed by the process owner and agreed upon with the internal auditors.
Control Owner: Process Owner
Test Performed: All the remediated internal controls should be checked in the subsequent quarter to verify operating effectiveness.

Process: Business Controls
Sub-process: Manual controls
Risk Description: Risk of manual intervention at various control points.
Control: It is desirable to have more preventive and IT controls than manual interventions. Explore automation opportunities and check how the same can be implemented.
Control Owner: Process Owner
Test Performed: Review all manually tested or manually dependent controls to explore automation opportunities and provide a plan of action to the management.

Process: Business Controls
Sub-process: Process Gaps
Risk Description: Risk of non-reporting of gaps to the management by the process owners.
Control: The internal auditor should have a comprehensive list of gaps in the processes and also suggest the mitigation plan.
Control Owner: Process Owner
Test Performed: All mitigation plans are to be approved by the Board of Directors for their compliance.

Process: Business Controls
Sub-process: Action taken
Risk Description: Risk of non-compliances or gaps not being addressed.
Control: To ensure that the internal audit reports are discussed with Management for their action plan.
Control Owner: Process Owner
Test Performed: Review of the internal audit reports to verify remedial action taken.

Checklist 4
Financial Statement Closure Process

Columns: Process | Sub-process | Risk Description | Control | Test Performed | Attributes tested | Sample size
Process: Schedule of preparing financials
Sub-process: Closing Schedule
Risk Description: Risk of accounts remaining unclosed or not completed unless there is a formal process for closing of accounts at the month end/quarter end.
Control: The Management should come out with a schedule for closing the books of accounts (illustrative list):
a. All month end activities - by the 7th of the next month;
b. All quarter end activities - by the 10th of the month following the quarter end.
Also ensure that the closure-of-accounts period is aligned to regulatory requirements such as the SEBI LODR requirements for listed companies or Group company norms.
Test Performed: Whether a proper communication is sent by the Managing Director (Finance) or the CFO Office to the entire Finance and Accounts division or to the service provider about the closure process.
Attributes tested: Existence of communication
Sample size: 4 for monthly activities, 2 for quarterly activities, 1 for semi-annual and 100% for annual activity.

Process: Schedule of preparing financials
Sub-process: Closing Schedule
Risk Description: Risk of ledger balances not being updated, and risk of material misstatement of financial results.
Control:
1. Obtain reasonable assurance about whether the Financial Statements as a whole are free from material misstatement, whether due to fraud or error.
2. Preparation and review of reconciliation statements relating to (illustrative list):
a. Bank Reconciliation Statement;
b. GST reconciliation;
c. Reconciliation of inter-company transactions within the Group;
d. Stock reconciliation.
Test Performed:
a. Whether there is a list of reconciliations required to be prepared.
b. Whether the reconciliations are reviewed (maker-checker concept) by delegated authority.
c. Whether there is an action plan for the items pending in the reconciliation and appropriate accounting treatment has been provided.
Attributes tested: Correctness/accuracy of the ledger balances.
Sample size: 4 for monthly activities, 2 for quarterly activities, 1 for semi-annual and 100% for annual activity.

Process: Schedule of preparing financials
Sub-process: Closing Schedule
Risk Description: Risk of non-compliance with the applicable financial reporting framework.
Control: To ensure that the Financial Statements are prepared and presented, in all material respects, as per the applicable financial reporting frameworks. To assess, considering the requirements of the relevant financial reporting frameworks:
- That such Financial Statements appropriately disclose the important accounting policies that are selected and subsequently applied.
- That the accounting policies which are selected and subsequently applied are in conformity with the relevant financial reporting framework.
- That the accounting estimates made by management are rational.
- That the information presented in the financial statements is reliable, relevant, understandable and comparable.
- That the Financial Statement disclosures allow the users of the Financial Statements to properly understand the impact of material events and transactions on the information conveyed in the Financial Statements.
Test Performed: Checking of disclosures and alignment to the financial reporting framework.
Attributes tested: Compliance with financial reporting framework
Sample size: 100%

Process: Schedule of preparing financials
Sub-process: Closing Schedule
Risk Description: Risk of non-compliance with regulatory requirements on specific disclosures.
Control:
- The checklist can be used to conduct self-audits and identify areas where the entity is not compliant with regulations.
- The checklist can be updated periodically to reflect changes in laws and regulations.
Test Performed: Checking of disclosures and alignment to regulatory requirements such as SEBI LODR.
Attributes tested: Compliance with regulatory requirements
Sample size: 100%

Process: Review of the financial results
Sub-process: Material Transaction
Risk Description: Risk of a material transaction not being reported or being reported incorrectly.
Control: Review by the CFO of the financial performance and position, including cash flows, noting down significant issues and taking corrective action.
Test Performed: Review of the CFO notes and the action being taken to correct the issues.
Attributes tested: Completeness and accuracy of the financial results.
Sample size: 100%

Process: Review of the financial results
Sub-process: Variance Analysis
Risk Description: Risk of a material transaction not being reported or being reported incorrectly.
Control: Review of the Variance Analysis (on a quarterly/monthly/annual basis, Budget vs. Actual) to enable understanding of major transactions.
Test Performed: Review of the CFO notes and the action being taken to correct the issues.
Attributes tested: Completeness and accuracy of the financial results.
Sample size: 100%

Process: Approval for publishing the results
Sub-process: Approval process
Risk Description: Approval of the financial results without their being reviewed by management.
Control: The Financial Statements may be reviewed at various levels by the CFO/Director, Statutory Auditor, CEO/MD, Audit Committee and Board of Directors.
Test Performed: Whether the reviews have been done by the respective authorities and the discussions are recorded in minutes.
Attributes tested: Ensuring the review is comprehensive and approved before the results are declared.
Sample size: 100%

Process: Compliance with the guidelines on Unpublished Price Sensitive Information (UPSI)
Sub-process: Protecting financial information which is classified as price sensitive.
Risk Description: Risk of non-compliance with the SEBI Regulations on UPSI and the Prevention of Insider Trading Regulations (PIT).
Control:
a. All staff to be sensitised on the UPSI and PIT Regulations, and confirmation obtained from them in writing that no price sensitive information will be disclosed to anybody, and that if it is, they are personally liable.
b. Ensuring that price sensitive information is handled by senior executives and documented in a structured manner.
c. Not permitting electronic or hard copies of the information to be circulated or transmitted unless approved by the appropriate authority.
Test Performed: Whether steps have been taken to comply with the UPSI and PIT regulations.
Attributes tested: Ensuring compliance with the UPSI and PIT Regulations.
Sample size: 100%

Checklist 5
Annual Operating Plan

Columns: Process | Sub-process | Risk Description | Control | Test Performed | Attributes tested

Process: Annual Operating Plan
Sub-process: Collection of data for preparation of the Annual Operating Plan
Risk Description: Risk of inaccurate data being considered or incomplete data being taken into account for preparation of the annual operating plan. Risk of non-consideration of economic factors / current and future market conditions while considering the requirements in the annual operating plan.
Control: Business objectives for the organisation are clearly defined while considering the data to be requested for preparation of the annual operating plan. The correctness of the various factors considered is verified, and any modifications to be made to the plan are verified and approved. Realistic expectations are set for the organisation to achieve its objectives. Inputs are requested in a pre-defined format for preparation of the annual operating plan for every financial year.
Test Performed: Check whether the data considered for preparation of the annual operating plan is adequate and accurate. Check whether the factors in the operating environment in which the entity operates have been considered, and whether current and future market conditions have also been taken into consideration while preparing the annual operating plan.
Attributes tested:
1. Annual Operating Plan Template.
2. Projected Annual Revenue Plan.
3. Projected monthly expenditure budget.
4. Annual Manpower Cost.
5. Projected Interest Cost.

Process: Annual Operating Plan
Sub-process: Preparation of the Annual Operating Plan
Risk Description: Risk of inaccurate preparation of the annual operating plan, i.e. preparation based on the collection of inadequate or inaccurate information. Risk of not considering the basic and main objectives of the organisation in preparation of the annual operating plan. Risk of setting unrealistic goals and expectations while preparing the annual operating plan, leading to those expectations not being met. Risk of not taking into account the expertise of department heads in the preparation of the annual operating plan.
Control: Summarise the annual operating plan prepared to the teams and leaders in the organisation to ensure everyone is on track. While outlining the annual operating plan preparation process, take special note of potential roadblocks that might hinder the process. Consider the time constraints that might affect the annual operating plan process. Communicate the information acquired to the respective department heads for preparation of the annual operating plan.
Test Performed: Check whether the opinions and inputs of every department head have been taken into account while preparing the annual operating plan. Check whether the annual operating plan is prepared and communicated to every department for achievement of objectives.
Attributes tested:
1. Draft Annual Operating Plan.

Process: Annual Operating Plan
Sub-process: Review of the Annual Operating Plan
Risk Description: Risk of not reviewing the basis and validity of assumptions made in preparation of the annual operating plan. Risk of not reviewing the data considered in the preparation of the annual operating plan. Risk of not reviewing whether the objectives of the organization as a whole have been considered in preparation of the annual operating plan.
Control: Unified collaboration with stakeholders is a key step in the annual operating plan preparation process, and stakeholders should review the annual operating plan prepared. Strategic plans should align with the annual operating plan without being redundant. Set up parameters to track, measure and review the achievement of the organisation's objectives as per the annual operating plan prepared.
Test Performed: Check whether the annual operating plan prepared is reviewed by the key stakeholders in the organisation. Check whether the basis and validity of the data is reviewed while preparing the annual operating plan. Check whether the assumptions made in preparation of the annual operating plan are adequate for the functioning of the organisation.
Attributes tested:
1. Reviewed Annual Operating Plan.
2. Minutes of the meeting in which the Annual Operating Plan is reviewed periodically.

Sub-process: Approval of Annual Operating Plan
Risk Description:
- Risk of annual operating plan being not approved or presented before audit committee or board of directors.
- Risk of not completing the preparation of annual operating plan, including approval of the same, before beginning of next financial year.
- Risk of non-approval of annual operating plans leading to lack of awareness among the audit committee members or board of directors about the plan being prepared and achievement of objectives.
- Risk of unapproved or unauthorised annual operating plan leading to material omissions in the plan being prepared, or leading to unplanned expenditures during the year and financial strains.
- Risk of department heads not being aware of the approved annual operating plan.
Control:
- The Chief Financial Officer (CFO) and the Chief Executive Officer (CEO) review and present the Draft Annual Operating Plan for approval to the Audit Committee and Board of Directors, who review the major assumptions considered in the preparation of annual operating plan.
- Based on the Draft Annual Operating Plan prepared, the Audit Committee or Board of Directors suggest revisions or changes, if any, for achievement of objectives of the organisation.
- Audit Committee and Board of Directors approve the Final Annual Operating Plan through a board resolution.
- The approved annual operating plan shall be communicated to the department heads.
Test Performed:
- Check whether the annual operating plan is reviewed and vetted before the Audit Committee and Board of Directors for consideration.
- Check whether any revisions or changes suggested by the Audit Committee or Board of Directors have been made.
- Check whether the annual operating plan for the financial year, after all necessary changes as communicated, has been duly reviewed and approved.
- Check whether the final approved annual operating plan is in line with the overall objectives of the organisation.
Attributes tested:
1. Final Approved Annual Operating Plan.
2. Minutes of Audit Committee where annual operating plan has been presented for approval.
3. Minutes of the meeting with the Board of Directors where approval of annual operating plan has been made.
4. Changes communicated by the Board of Directors to be made to the annual operating plan.

Sub-process: Monitoring and Review of Annual Operating Plan
Risk Description:
- Risk of not monitoring the annual operating plan periodically, leading to non-achievement of objectives stated in the annual operating plan.
- Risk of not preparing variance analysis between the objectives set out in the annual operating plan and what has been achieved.
- Risk of not addressing unanticipated expenditure occurring during the year which is not part of annual operating plan, which may lead to adverse effects on the organisation.
- Risk of not monitoring the annual operating plan periodically, which may lead to operational difficulties.
Control:
- On a monthly basis, as part of Monthly Information System (MIS), the Annual Operating Plan should be reviewed and monitored for the objectives which are achieved and which are yet to be achieved.
- Annual Operating Plan should be periodically reviewed to factor in unanticipated occurrence of events in the organisation that lead to financial strains in the organisation and act as hindrance to achievement of objectives set out in the initial annual operating plan.
- The CFO and CEO monitor and review the annual operating plan and present the same to the Audit Committee and Board of Directors for their review and advice.
- Variance analysis should be prepared for deviations from the annual operating plan and should be addressed for effective achievement of objectives.
Test Performed:
- Check whether annual operating plan prepared is being periodically monitored and reviewed by the management.
- Check whether variance analysis is prepared for monitoring deviations and analysing the same in the annual operating plan prepared.
- Check whether unanticipated events in the business during the period are factored in the annual operating plan prepared and necessary approvals have been received for the same.
- Check whether annual operating plan is being reviewed and presented to Board of Directors for review and their advice.
- Check whether corrective action is taken for variances identified.
Attributes tested:
1. Final Approved Annual Operating Plan.
2. Variance Analysis prepared.
3. Deviations identified from the Annual Operating Plan during the period and implementation of corrective actions.

Checklist 6
Management Information System
Process | Sub-process | Risk Description | Control | Test Performed | Attributes tested

Process: Management Information System
Sub-process: System Governance and Strategy
Risk Description: Absence of formally laid down policy for MIS.
Control:
- There is a well-defined MIS governance framework with clear roles and responsibilities.
- The organization has an MIS strategy aligned with its business goals and objectives.
- Policies and procedures for managing the MIS lifecycle are clearly documented.
Test Performed: Check whether:
i) There is a well-defined MIS governance framework with clear roles and responsibilities.
ii) The MIS strategy is aligned with its business goals and objectives.
iii) Policies and procedures for managing the MIS lifecycle are documented.
Attributes tested: Existence of a well-defined MIS.

Process: Management Information System
Sub-process: MIS Design and Development
Risk Description: MIS does not meet the organization's requirements.
Control: The MIS system is designed to meet the organization's reporting and analysis requirements and users' requirements, and it is well-documented (including the data flows and processing logic).
Test Performed: Ensure that:
i) The MIS system is designed to meet the organization's reporting and analysis requirements.
ii) User requirements are documented, and there was user involvement during the designing phase.
iii) The data flows and processing logic are clearly defined and documented.
iv) Adequate controls are embedded in the system design to prevent errors and fraud.
Attributes tested: Appropriateness of the MIS.

Process: Management Information System
Sub-process: Reporting and Analysis
Risk Description: Inaccurate/Untimely MIS Reporting.
Control: Templates and timelines for MIS reporting are standardized. MIS reports cover the overall organization and each function.
Test Performed: Check whether:
i) The required reports are generated accurately and on time.
ii) Reporting templates are standardized and consistent across the organization.
iii) There is a process for validating report results against source data.
iv) The MIS covers the overall business and each business function.
Attributes tested: Accuracy of the MIS.

Process: Management Information System
Sub-process: User Training and Support
Risk Description: Effective use of MIS.
Control: Training is provided to users on using the MIS system. The details of the helpdesk or support channel are available for addressing users' issues and are also communicated to users.
Test Performed: Check whether the users are provided with training on using the MIS system effectively and there is a helpdesk or support channel available for addressing users' issues.
Attributes tested: Effectiveness of the MIS.

Process: Management Information System
Sub-process: Compliance
Risk Description: MIS system is not aligned with the relevant laws, and audit trail of users' activities is not tracked.
Control: There is up-to-date documentation of all applicable laws, regulations and standards, and clear documentation of how the MIS aligns with each requirement and control. Regular training is provided to employees about the importance of compliance and data protection. Logging and tracking of user actions, periodic audit trail reviews and restricted access to audit logs are also ensured.
Test Performed: Verify whether:
i) The MIS system aligns with relevant laws, regulations, and industry standards.
ii) Audit trails are maintained to track user activities and system changes.
iii) Security assessments or vulnerability tests are conducted regularly.
Attributes tested: Appropriateness of the MIS.

Checklist 7
IT Internal Controls
Process | Sub-process | Risk Description | Control | Test Performed | Attributes tested | Sample size | Data analytics performed
(The Attributes tested, Sample size and Data analytics performed columns are blank in the rows that follow.)

Process: Governance, Management & Technical Controls
Sub-process: Policies, Standards and Procedures
Risk Description: Absence of IT controls at the Governance level would lead to loss of effective information management and security principles, policies, and processes deployment in the organisation.
Control: Do corporate policies and standards that describe the need for IT controls exist?
Test Performed:
1. Identify the IT control environment of the organization, i.e. whether Policy, Standards and Procedures exist in the Organisation.
2. Check for IT Security Policy document including Values, Philosophy, Management style, IT awareness, Organisation, Policies, Standards.
3. Check for evidence of performance and compliance metrics that demonstrate ongoing support for IT Security framework.

Process: Governance, Management & Technical Controls
Sub-process: Policies, Standards and Procedures
Risk Description: The Board of Directors has the primary responsibility as keeper of the Governance Framework of which IT Controls are a part.
Control: Determine whether the Board of Directors has reviewed and approved IT policies.
Test Performed:
1. Examine how Governance controls, IT Policies and Standards are mandated in the organisation - either by the entire Board of Directors or a Board committee in conjunction with the organization's executive management.

Process: Governance, Management & Technical Controls
Sub-process: IT Security Management
Risk Description: Information Security Management System needs to be top driven; there needs to be adequate Leadership and Top Management support.
Control: Does the organisation have an Information Security Management System (ISMS)?
Test Performed: Establish the existence of the ISMS document availability within the organisation and review it in detail.

Process: Governance, Management & Technical Controls
Sub-process: IT Security Management
Risk Description: Lack of alignment between ISMS and Organisation Goals & Objectives will lead to non-fulfilment of business needs in an effective manner.
Control: IS Policy established in line with organisational objectives, internal processes, resources, support, communications, CI, etc.
Test Performed: Alignment between ISMS and Organisational goals and objectives needs to be checked with respect to:
1. Internal business objectives and requirements;
2. Requirements specified in contracts and service level agreements (SLAs) of the Company;
3. Compliance requirements defined in legislation and regulations.

Process: Governance, Management & Technical Controls
Sub-process: Regulations & Compliance
Risk Description: Compliance to legislation of the country where the organisation is situated is a mandatory requirement that cannot be compromised.
Control: What legislation exists that impacts the need for IT controls, and has the Management taken steps to ensure compliance with this legislation?
Test Performed:
1. Check for compliance with industry specific laws and regulations, and compliance with Digital Personal Data Protection Act, 2023 or General Data Protection Regulation (GDPR), which require protection of personal data and detail specific information security requirements.
2. Check for telecommunications regulations that specify regulations to be complied with.
3. Examine laws that relate to the admissibility of electronic evidence that organisations should be aware of regarding the collection of evidence during a security incident.

Process: Governance, Management & Technical Controls
Sub-process: Technical Controls
Risk Description: Absence of standards and methodology adoption for Software Life Cycle Management will affect reliability and integrity of information assets.
Control: Examine how IT management has defined standards and adopted a methodology governing the process of developing, acquiring, implementing, and maintaining information systems and related technology.
Test Performed: Examine the overarching set of standards & methodology the organisation adopts for Software Project Management and Software development. Examples include Prince2, traditional Waterfall methods, Agile methodology, Rapid Application Development, etc. Compliance with ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection (Refer Rule 8: Reasonable Security Practices and Procedures).

Process: Governance, Management & Technical Controls
Sub-process: Technical Controls
Risk Description: Absence of standards, methodologies and procedures for Software Life Cycle Management will affect reliability and integrity of information assets.
Control: Determine if IT management has adequate standards and procedures for:
- Systems development
- Program change control
- Data Centre operations
- Data Base administration
- Direct Access Storage Devices (DASD) management (Disk Subsystem)
- Performance monitoring
- Capacity planning
- Network administration
- Information security
- Contingency planning/disaster recovery
Test Performed: The standards and procedures should cover all aspects of IT, viz., Organisation & Management, Physical & Environment Control, System Software & Infrastructure Controls, System Development Controls and Application-based controls.

Process: HR Roles & Responsibilities
Sub-process: Segregation of Duties
Risk Description: Lack of oversight or the lack of segregation of duties rules within an organisation will increase the risk of fraud, as in the case when a single person performs every financial function.
Control:
1. Check whether all the relevant responsibilities for IT controls have been allocated to individuals.
2. Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Test Performed:
1. Is the allocation of responsibilities compatible with the need to apply division of duties?
2. Are IT responsibilities documented?
3. Are IT control responsibilities communicated to the whole organization?
4. Do individual role holders clearly understand their responsibilities in relation to IT controls?
5. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?

Process: HR Roles & Responsibilities
Sub-process: Information security roles and responsibilities
Risk Description: Inadequate mapping of roles with the organisational structure creates overlapping and confusing execution of activities.
Control: All information security responsibilities shall be defined and allocated.
Test Performed:
- Each function or department being assessed should be checked for availability of a well-defined Org Structure and Roles & Responsibilities definition.
- Special checks should be performed to see whether there is any duplication of work pointing to improper segregation of duties, especially in Quality Assurance, Procurement, Finance, Supply Chain, etc., functions.

Process: Mobile & Teleworking
Sub-process: Mobile Device Policy
Risk Description: Absence of a mobile device security policy can lead to security incidents and other potentially costly problems that may lead to data breaches if employees aren't aware of the risks when using technologies improperly.
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. A Bring Your Own Device (BYOD) policy may be laid down to allow employees to use personal devices for work related activities.
Test Performed: There is a need to check the following:
1. Acceptable use policy for mobile devices;
2. BYOD, CYOD (choose your own device), etc. policies and restrictions of use;
3. Mobile security policy related to user registrations, regular updates, etc.

Process: Mobile & Teleworking
Sub-process: Teleworking
Risk Description: Several risks associated with Teleworking / Remote working include: Accessing Sensitive Data Through Unsafe Wi-Fi Networks, Using Personal Devices for Work, Ignoring Basic Physical Security Practices in Public Places, Email Scams, Cyberattacks on Remote-working Infrastructure, etc. A robust policy addressing these risks would lead to safe working operations for all types of employees.
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
Test Performed: Check the policy and implementation thereof. Report any discrepancies found.

Process: Access Control
Sub-process: Policies and Procedures
Risk Description: Poor access control can expose the organization to unauthorized access of data and programs, fraud, or the shutdown of computer services.
Control:
- Access control policy - An access control policy shall be established, documented and reviewed based on business and information security requirements.
- Access to networks and network services - Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
Test Performed:
1. Verify that Access Control policy limits access to information systems and network systems to authorised personnel only.
2. Verify that IT and facility personnel are aware of the applicable policies.

Process: Access Control
Sub-process: User Access Management
Risk Description: Risk of information being accessed without the appropriate authorisation, unlawfully, and the risk of a data breach.
Control:
1. User registration and de-registration - A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
2. User access provisioning - A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
3. Management of privileged access rights - The allocation and use of privileged access rights shall be restricted and controlled.
4. Review of user access rights - Asset owners shall review users' access rights at regular intervals.
5. Removal or adjustment of access rights - The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Test Performed:
- Ensure that terminated users are promptly removed. Obtain a current user account list for all systems and cross-reference it with current payroll or human resource data. Any users not found in the payroll or human resource files.
- Check that User profiles are defined in the system.
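The user-access tests above (terminated users promptly removed, the account list reconciled against HR data, privileged access controlled) and the segregation-of-duties checks under HR Roles & Responsibilities can be run as one review script. This is an added Python example, not part of the checklist or any organisation's tooling; the HR roster, account list, conflicting-duty pairs and field names (emp_id, roles, privileged) are constructed assumptions about how an HR export and an application user list would look.

```python
"""Access review helper: reconcile system accounts with the HR roster and
flag conflicting-duty combinations.

Added example for this checklist; every roster entry, account and conflict
pair below is constructed, and the field names are assumptions about how an
HR export and an application's user list would look.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]            # None when no owner is recorded for the account
    roles: FrozenSet[str]
    privileged: bool


REVIEW_DATE = date(2024, 3, 31)      # constructed review date

# Constructed HR / payroll export.
HR_ROSTER = [
    Employee("E100", "A. Rao", "active"),
    Employee("E101", "B. Singh", "terminated", date(2024, 1, 31)),
    Employee("E102", "C. Mehta", "active"),
    Employee("E103", "D. Iyer", "active"),
]

# Constructed application user list.
ACCOUNTS = [
    Account("arao", "E100", frozenset({"purchase_order_create"}), False),
    Account("bsingh", "E101", frozenset({"finance_reporting"}), False),
    Account("cmehta", "E102", frozenset({"vendor_master_maintain", "payment_approve"}), False),
    Account("diyer", "E103", frozenset({"developer", "production_deploy"}), True),
    Account("svc_batch", None, frozenset({"job_scheduler"}), True),
]

# Conflicting-duty pairs. The Finance/Procurement and development-vs-production
# themes follow the checklist; the role names themselves are constructed.
SOD_CONFLICTS = {
    frozenset({"vendor_master_maintain", "payment_approve"}),
    frozenset({"developer", "production_deploy"}),
    frozenset({"purchase_order_create", "goods_receipt_post"}),
}


def orphan_accounts(accounts, roster, as_of):
    """Accounts with no HR owner, or whose owner was terminated on or before
    `as_of` yet still holds an enabled account. Returns sorted (username, reason)."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.emp_id) if acct.emp_id else None
        if emp is None:
            findings.append((acct.username, "no matching HR record"))
        elif emp.status == "terminated" and (emp.termination_date is None or emp.termination_date <= as_of):
            when = (f"{(as_of - emp.termination_date).days} days ago"
                    if emp.termination_date else "on an unrecorded date")
            findings.append((acct.username, f"terminated {when}, account still enabled"))
    return sorted(findings)


def sod_conflicts(accounts, conflicts):
    """Accounts holding both duties of any conflicting pair."""
    findings = []
    for acct in accounts:
        for pair in conflicts:
            if pair <= acct.roles:
                findings.append((acct.username, tuple(sorted(pair))))
    return sorted(findings)


def privileged_accounts(accounts):
    """Privileged accounts, listed for the asset owner's periodic re-certification."""
    return sorted(a.username for a in accounts if a.privileged)


def access_review(accounts, roster, conflicts, as_of):
    """Bundle the three checks into one review report."""
    return {
        "orphans": orphan_accounts(accounts, roster, as_of),
        "sod_conflicts": sod_conflicts(accounts, conflicts),
        "privileged": privileged_accounts(accounts),
    }


if __name__ == "__main__":
    for section, items in access_review(ACCOUNTS, HR_ROSTER, SOD_CONFLICTS, REVIEW_DATE).items():
        print(f"{section}:")
        for item in items:
            print("  ", item)
```

Each finding is an audit exception to raise with the asset owner; the privileged list is the population to sample for the periodic access-rights review.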

Process: Access Control
Sub-process: User Responsibilities
Risk Description: Poor management or improper allocation of authentication information may result in unauthorised access to information systems and in loss of confidentiality.
Control: Use of secret authentication information - Users shall be required to follow the organization's practices in the use of secret authentication information.
Test Performed: Secret authentication information is a gateway to access valuable assets. It typically includes passwords, encryption keys etc., so it needs to be controlled through a formal management process and needs to be kept confidential to the user. This is usually tied into employment contracts and disciplinary processes. Verify:
1. Documentation of Management process;
2. Maintenance of confidentiality;
3. Disciplinary processes.

Process: Access Control
Sub-process: System and Application Access Control
Risk Description: Lack of System and Application Access Controls can result in risks like software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, information extortion and many others.
Control:
1. Information access restriction - Access to information and application system functions shall be restricted in accordance with the access control policy.
2. Secure log-on procedures - Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
3. Use of privileged utility programs - The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
4. Access control to program source code - Access to program source code shall be restricted.
Test Performed:
1. Determine the application and system level login procedures.
2. Determine the user data and roles assigned for admin and privileged access, and how the user ids/passwords for these types of access are maintained and kept confidential.
3. Examine how granular the application and transaction level controls are, how they are implemented and whether the process is reliable.

Process: Physical Security
Sub-process: Physical Security
Risk Description: Physical security, represented by the security of personnel, hardware, programs, networks, and data, if not protected can result in severe losses or harm to an enterprise, agency, or organization in terms of:
1. Tailgating
2. Theft of documents
3. Unaccounted visitors
4. Stolen identification
5. Social engineering
There is a need to measure, mitigate and monitor this risk. Physical security components connected to the Internet, such as RFID key card door locks, smartphones, and video surveillance cameras, are common targets for hackers and need to be protected.
Control:
1. Physical security perimeter - Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
2. Physical entry controls - Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
3. Securing offices, rooms and facilities - Physical security for offices, rooms and facilities shall be designed and applied.
4. Protecting against external and environmental threats - Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
5. Working in secure areas - Procedures for working in secure areas shall be designed and applied.
6. Delivery and loading areas - Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
Test Performed: Are the following security access procedures in place:
- Appropriate granting and discontinuance of authorizations?
- Control over passkeys, keys?
- Do post-emergency re-entry procedures exist?
- Do controls over entry by time of day exist?
- Are there specific exclusions to policy?
- Observe and inquire about the physical security of the Computer Systems room.
- Are alarm events logged and routinely reconciled to actual events?
- List any network monitoring packages used along with the manufacturer and version. Obtain a list of the authorized users. Determine that any unauthorized network monitoring software is strictly prohibited and that access to authorized software is approved by IT management.
- Determine whether adequate segregation of duties exists between those responsible for the day-to-day network operations and those responsible for the network monitoring software and access controls.
- Assure that access authorization procedures are used for all persons (employees, contract workers, security staff and visitors) requiring access to sensitive areas. (Are photo ID cards or electronic key cards required for entry?)
- Analyze the potential threat posed by fires in adjacent buildings and areas.
- Are alarms installed at all potential entry and exit points of sensitive areas?
- Determine that the physical components of the network are properly secured. This includes wiring closets, demarcation blocks, patch panels, cabling, terminals and LAN stations, as well as the communications processors.
- Review access point control. Are entry/exit logs maintained? Does electronic and/or video surveillance equipment exist?
- Is the LAN file server housing locked or otherwise secured to prevent removal of boards, chips, and the computer system?
- Determine if the plant utilizes a "Certificate of Understanding" for all employees with access to Personal Computers as required by Policy. This document should be distributed by the LAN Administrators at the plant to all personnel.

Process: Physical & Environment Security
Sub-process: Equipment Security
Risk Description: Lack of controls for equipment security can lead to several risks associated with equipment malfunction, breach of contractual relations, industrial espionage, interruption of business processes and other threats that can damage an organisation's ability to perform and function.
Control:
1. Equipment siting and protection - Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
2. Supporting utilities - Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
3. Cabling security - Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
4. Equipment maintenance - Equipment shall be correctly maintained to ensure its continued availability and integrity.
5. Security of equipment and assets off-premises - Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.
6. Unattended user equipment - Users shall ensure that unattended equipment has appropriate protection.
7. Clear desk and clear screen policy - A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
Test Performed:
1. Clear desk and clear screen policy - A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
2. Review placement of water and drainage pipes to ensure they are routed away from operations areas. Assess the potential for storage tanks to flood electronic equipment and the susceptibility to external flooding.
3. Review smoke detection and automatic fire extinguishing equipment to ensure that it is functional and that it provides adequate protection (i.e. ensure that fire extinguishing equipment is not a sprinkler placed over each server).
4. Is there scheduled preventative maintenance on the components, either by the LAN administrator or by the vendor under a maintenance contract? Do these procedures meet the manufacturer's recommendations?
5. If a maintenance contract exists for routine cleaning, verify that the vendor has honoured the contract.

Process: Operations security
Sub-process: Operational procedures and responsibilities
Risk Description: Standard operating procedures provide the policies, processes and standards needed for the organization to succeed. They can benefit a business by reducing errors, increasing efficiencies and profitability, creating a safe work environment and producing guidelines for how to resolve issues and overcome obstacles. Lack of SOPs would lead to inconsistency in operations of each of the above areas.
Control:
1. Documented operating procedures - Operating procedures shall be documented and made available to all users who need them.
2. Change management - Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
3. Capacity management - The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
4. Separation of development, testing and operational environments - Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
Test Performed: Verify that Standard Operating Procedures exist for each of the functions and production and non-production departments, and that people are aware of the documents and process steps. Also verify that the SOPs are maintained under strict document and version control and that the latest versions, duly authenticated, are available for use.

Process: Operations security
Sub-process: Protection from malware
Risk Description: Malware viruses piggyback on existing programs and can only be activated when a user opens the program. These viruses can corrupt or delete data, use the user's email to spread, or erase everything on a hard disk. Some of the risks associated with malware can be one of the following:
1. Viruses and worms, which are malicious software programs (malware) aimed at destroying an organization's systems, data and network
2. Botnets
3. Drive-by download attacks
4. Phishing attacks
5. Distributed denial-of-service (DDoS) attacks
6. Ransomware
7. Exploit kits
8. Advanced persistent threat attacks
Control:
- Controls against malware - Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
- Controls against Virus Protection:
  1. Determine the level of virus protection established on servers and workstations.
  2. The monitoring of infection being done by IS administration.
  3. Virus Application should be updated on a monthly basis.
Test Performed:
1. Check whether the organisation regularly conducts 3rd Party Vulnerability Assessment and Penetration Testing (VAPT) and takes remedial actions on the VAPT test report recommendations for reducing external threats.
2. Check also how the system software and application software versions are kept updated.
3. Check how 3rd Party Application Development or outsourced application development work is checked for security vulnerabilities before it is deployed in the production environments.
4. Check the methods of Virus Protection software installation, tracking and resolution adopted in the organisation.

Process: Operations security
Sub-process: Backup/Recovery
Risk Description: Risk of major disruption of business operations if the business is unable to recover its data.
Control:
1. Whether the organisation has adequately documented backup and recovery procedures, plans and schedules for critical sites.
2. If procedures exist, backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
Test Performed:
1. Verify: the LAN is supported by an uninterruptible power supply (UPS).
2. Verify: has the UPS been tested in the last year (to test the batteries)?
3. For disaster-recovery purposes, have LAN applications been prioritized and scheduled for recovery based on importance to the operation? Also determine whether the recovery sequence is proper, so that key applications can be restored first.
4. Are LAN files backed up at appropriate intervals to ensure the need to re-enter data is minimized?
5. To ensure that the backups are good and can be used to recover the system, have the System Administrator restore a file or files from the backup media (restore the file to a different location and then check it, for example by comparing its checksum with the original).
6. Verify:
   a) Backup tapes are properly labelled and organized.
   b) Backup tapes are stored securely in a fireproof safe and not left in the open.
   c) Backup tapes are secured off-site, and at least one copy is kept offline or otherwise unmodifiable, so that ransomware on the LAN cannot encrypt the backups along with the live data.
7. Obtain a copy of the insurance policy that applies to the LAN facility. With the assistance of computer insurance specialists, determine the adequacy of the LAN facility insurance coverage.
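
The restore test in item 5 and the backup-interval check in item 4 can be scripted. The following Python is an added example, not part of the checklist and not any auditee's tooling: it backs up a constructed data directory into a tar archive, restores one file to a different location and compares SHA-256 digests, and then checks a constructed backup job log against a 24-hour RPO. The archive, the log entries and the clock value are all constructed.

```python
"""Backup verification checks (added example, not part of the checklist).

restore_and_verify(): restore one file from a backup archive into a separate
directory and compare its SHA-256 digest with the original.
rpo_breaches(): given the last successful backup time per system and the
agreed backup interval (the RPO), list the systems whose backups are stale.
"""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Constructed backup job log: (system, run time, result).
CONSTRUCTED_BACKUP_LOG = [
    ("erp-db",   datetime(2024, 3, 10, 23, 0), "success"),
    ("erp-db",   datetime(2024, 3, 11, 23, 0), "failed"),
    ("fileserv", datetime(2024, 3, 11, 23, 30), "success"),
    ("hr-app",   datetime(2024, 3, 9, 23, 0), "failed"),
]
NOW = datetime(2024, 3, 12, 9, 0)   # constructed "current time" for the check


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive):
    """Stand-in for the backup job: archive every file under source_dir."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(Path(source_d := source_dir).rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=str(p.relative_to(source_d)))


def restore_and_verify(archive, member, original, restore_dir):
    """Restore one member to restore_dir and compare digests with the original.

    The archive comes from backup media, so the member name is checked for path
    traversal before extraction: a crafted tar must not write outside restore_dir.
    """
    with tarfile.open(archive, "r:gz") as tar:
        info = tar.getmember(member)
        if info.name.startswith("/") or ".." in Path(info.name).parts:
            raise ValueError(f"unsafe member name in backup: {info.name}")
        tar.extract(info, path=restore_dir)
    return sha256_of(Path(restore_dir) / member) == sha256_of(original)


def rpo_breaches(backup_log, rpo_hours, now):
    """Map each system whose last good backup is older than rpo_hours to the
    age of that backup; a system with no successful backup at all maps to None."""
    last_ok = {}
    for system, ts, result in backup_log:
        if result == "success" and ts > last_ok.get(system, datetime.min):
            last_ok[system] = ts
    breaches = {}
    for system in {s for s, _, _ in backup_log}:
        if system not in last_ok:
            breaches[system] = None
        elif now - last_ok[system] > timedelta(hours=rpo_hours):
            breaches[system] = now - last_ok[system]
    return breaches


def demo_restore():
    """Back up a constructed data directory, then prove a file restores intact."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")  # constructed data
        archive = tmp / "backup.tar.gz"
        make_backup(src, archive)
        return restore_and_verify(archive, "ledger.csv", src / "ledger.csv", tmp / "restore")


if __name__ == "__main__":
    print("restore verified:", demo_restore())
    for system, age in rpo_breaches(CONSTRUCTED_BACKUP_LOG, 24, NOW).items():
        print(f"RPO breach: {system}: {'never backed up' if age is None else age}")
```

The digest comparison is what turns "check the file" into evidence: a restore that completes without error but produces a different file is a failed test. The RPO check treats a failed run as no backup at all, so a system whose last good run was two days ago is reported even if a job ran last night.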

Process: Operations security
Sub-process: Logging and monitoring
Risk Description: Centralised, automated event logging allows an organization to track and understand the processes that occur across its network of IT servers and systems. Collecting logs centrally preserves valuable information against tampering or deletion by an attacker on the originating host and against loss when local storage fills up. Security incidents related to external or internal threats can be mitigated with proper log collection and monitoring.
Control:
1. Event logging - Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
2. Protection of log information - Logging facilities and log information shall be protected against tampering and unauthorized access.
3. Administrator and operator logs - System administrator and system operator activities shall be logged, and the logs protected and regularly reviewed.
4. Clock synchronisation - The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.
Test Performed:
1. Verify the security event log monitoring process followed in the organisation.
2. Conduct an electronic audit of the logs for indications that unauthorized security-related activities have been attempted or performed on a system or application that processes, transmits or stores confidential information (for example repeated failed logons, a logon that succeeds immediately after a burst of failures, privileged commands by accounts outside the approved administrator list, and clearing or truncation of the logs themselves).
3. Verify security incidents on a sample basis, if any, and check for documented root cause analysis and the corrective and preventive actions taken to mitigate future risks.
4. Check the process of clock synchronisation across the organisation's information systems; without a common time source, events from different systems cannot be put into a reliable order during an investigation.
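
One way to perform the electronic log audit in item 2, as an added example that is not part of the checklist: the Python below scans syslog-format sshd and sudo lines for password guessing, a logon that succeeds right after a burst of failures, privileged commands by accounts outside an approved administrator list, and commands that touch the log files themselves. The log lines, the administrator list, the thresholds and the assumed year are all constructed for the example.

```python
"""Electronic audit of authentication logs (added example, not part of the checklist)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in standard syslog format (OpenSSH and sudo messages).
CONSTRUCTED_LOG = """\
Mar 12 02:10:01 erp01 sshd[4012]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 12 02:10:03 erp01 sshd[4012]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 12 02:10:05 erp01 sshd[4012]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 12 02:10:07 erp01 sshd[4012]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 12 02:10:09 erp01 sshd[4012]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 12 02:10:12 erp01 sshd[4012]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar 12 09:15:44 erp01 sshd[5120]: Accepted publickey for alice from 10.0.5.21 port 40222 ssh2
Mar 12 09:16:02 erp01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart erp
Mar 12 21:40:10 erp01 sshd[6001]: Accepted password for bob from 10.0.5.30 port 40999 ssh2
Mar 12 21:41:00 erp01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/truncate -s 0 /var/log/auth.log
"""

AUTHORISED_ADMINS = {"alice"}   # constructed: accounts permitted to use sudo
FAIL_THRESHOLD = 5              # failures from one source within the window
WINDOW_SECONDS = 60
LOG_PATHS = ("/var/log/",)      # privileged commands touching these paths are flagged

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$")


def parse(log_text, year=2024):
    """Yield (timestamp, host, program, message); syslog omits the year, so it is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["prog"], m["msg"]


def audit(log_text, year=2024):
    """Return a list of findings, each a dict with a 'type' and the fields that support it."""
    findings = []
    failures = defaultdict(list)          # (host, user, source) -> failure times
    for ts, host, prog, msg in parse(log_text, year):
        if prog == "sshd":
            f = FAILED_RE.search(msg)
            if f:
                key = (host, f["user"], f["src"])
                failures[key].append(ts)
                recent = [t for t in failures[key] if (ts - t).total_seconds() <= WINDOW_SECONDS]
                if len(recent) == FAIL_THRESHOLD:   # report once, when the threshold is crossed
                    findings.append({"type": "brute_force", "host": host, "user": f["user"],
                                     "src": f["src"], "at": ts})
                continue
            a = ACCEPT_RE.search(msg)
            if a:
                key = (host, a["user"], a["src"])
                recent = [t for t in failures[key] if (ts - t).total_seconds() <= WINDOW_SECONDS]
                if len(recent) >= 3:                 # guessing that appears to have worked
                    findings.append({"type": "success_after_failures", "host": host,
                                     "user": a["user"], "src": a["src"], "at": ts})
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if not s:
                continue
            if s["user"] not in AUTHORISED_ADMINS:
                findings.append({"type": "unauthorised_sudo", "host": host, "user": s["user"],
                                 "cmd": s["cmd"], "at": ts})
            if any(p in s["cmd"] for p in LOG_PATHS):
                findings.append({"type": "log_tampering", "host": host, "user": s["user"],
                                 "cmd": s["cmd"], "at": ts})
    return findings


if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_LOG):
        print(f"{finding['at']:%b %d %H:%M:%S} {finding['host']} {finding['type']}: {finding}")
```

Run against the constructed lines it reports four findings: the five-attempt burst against root, the root logon from the same address seconds later, a sudo command by an account that is not on the administrator list, and the truncation of the authentication log. The last finding is the one that matters for control 2: it can only be seen if the log was also shipped to a central collector before the local copy was emptied.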

Process: Operations security
Sub-process: Control of operational software
Risk Description: Controlled, automated installation of system and operational software is necessary because outdated software may not withstand a current cyber-attack. Systems become more vulnerable to ransomware, malware and data breaches if automated procedures for software installation on operational systems are not implemented.
Control: Procedures shall be implemented to control the installation of software on operational systems.
Test Performed:
1. Check for the availability of software deployment tools in the organisation and the associated Group Policy for software deployment. Examples include Microsoft SCCM, AWS CodeDeploy, Google Cloud Deployment Manager, or other remote deployment tools.
2. Validate that the deployment tool itself is updated and that the latest versions are being used. Because the tool can push software to every managed system, also check that the accounts able to create or approve deployment packages are restricted and that their use is logged.

Process: Operations security
Sub-process: Technical vulnerability management
Risk Description: Risk of fraudulent activities and external threats (malware, SQL injection, denial of service, etc.) to the organisation.
Control:
1. Management of technical vulnerabilities - Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
2. Restrictions on software installation - Rules governing the installation of software by users shall be established and implemented.
Test Performed:
1. Check whether the organisation regularly conducts third-party Vulnerability Assessment and Penetration Testing (VAPT) and takes remedial action on the VAPT report recommendations for reducing external threats. Check that remediation is tracked against a defined timescale by severity, since an advisory that is known but not acted on is still an open exposure.
2. Check whether the organisation restricts software installation through policies and the use of tools like VMware AirWatch, or any other similar tool that allows IT to automate, control and secure administrative policies on laptops, tablets, or any other device connected to the organization's network.
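
The exposure evaluation in control 1 and the remediation tracking in test 1, scripted as an added example (not the checklist's own material): a constructed software inventory is matched against constructed advisories (placeholder identifiers, not real CVEs) and each open exposure is checked against a constructed remediation SLA by severity.

```python
"""Technical vulnerability exposure evaluation (added example, not part of the checklist).

In practice the inventory comes from the asset or patch tooling and the
advisories from vendor bulletins or the NVD; everything here is constructed.
"""
from datetime import date

INVENTORY = [  # constructed: (host, product, installed version)
    ("web01", "nginx", "1.24.0"),
    ("web02", "nginx", "1.26.1"),
    ("db01", "postgresql", "15.3"),
    ("app01", "openssl", "3.0.8"),
]

ADVISORIES = [  # constructed advisories; the ids are placeholders, not real CVEs
    {"id": "ADV-0001", "product": "nginx", "fixed_in": "1.25.5",
     "severity": "high", "published": date(2024, 2, 1)},
    {"id": "ADV-0002", "product": "postgresql", "fixed_in": "15.6",
     "severity": "critical", "published": date(2024, 3, 8)},
    {"id": "ADV-0003", "product": "openssl", "fixed_in": "3.0.8",
     "severity": "medium", "published": date(2024, 1, 15)},
]

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # constructed remediation SLA
TODAY = date(2024, 3, 12)                                          # constructed review date


def version_key(version):
    """Dotted numeric version to a tuple, so that 1.9.0 < 1.10.0 compares correctly.
    Assumes purely numeric components; real inventories need the vendor's own scheme."""
    return tuple(int(part) for part in version.split("."))


def exposures(inventory, advisories):
    """Every (host, advisory) pair where the installed version is below the fixed version."""
    hits = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv["product"] == product and version_key(version) < version_key(adv["fixed_in"]):
                hits.append({"host": host, "product": product, "version": version,
                             "advisory": adv["id"], "severity": adv["severity"],
                             "published": adv["published"]})
    return hits


def sla_report(hits, sla_days, today):
    """Annotate each exposure with the days it has been open and whether the SLA is breached."""
    report = []
    for h in hits:
        days_open = (today - h["published"]).days
        limit = sla_days[h["severity"]]
        report.append({**h, "days_open": days_open, "sla_days": limit, "overdue": days_open > limit})
    return report


if __name__ == "__main__":
    for row in sla_report(exposures(INVENTORY, ADVISORIES), SLA_DAYS, TODAY):
        flag = "OVERDUE" if row["overdue"] else "within SLA"
        print(f"{row['host']} {row['product']} {row['version']} {row['advisory']} "
              f"{row['severity']} open {row['days_open']}d ({flag})")
```

On the constructed data web01 has been exposed to a high-severity advisory for 40 days against a 30-day SLA and is overdue, db01 is exposed to a critical advisory but still inside its 7-day window, and app01 runs exactly the fixed version and is not reported. The "days open" count starts at publication, not at the date the organisation first noticed the advisory, which is the measure an auditor should insist on.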

Process: Operations security
Sub-process: Information systems audit considerations
Risk Description: Risks of poorly designed business processes, IT security risk, integrity and ethical risk, human error and fraud risk.
Control: Information systems audit controls - Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.
Test Performed:
1. Check for the availability of formal internal audit schedules within the organisation.
2. Check the validity of the scope of internal audit - whether the organisation periodically conducts ITGC and/or ISO 27001 audits.
3. Review strengths, opportunities for improvement (OFIs) and non-conformities, and whether appropriate actions have been initiated since the last audit.

Process: Communication security
Sub-process: Network security management
Risk Description: Risk of widespread cyber-attacks and of degraded network performance when the users allowed into specific zones cannot be restricted.
Control:
1. Network controls - Networks shall be managed and controlled to protect information in systems and applications.
2. Security of network services - Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
3. Segregation in networks - Groups of information services, users and information systems shall be segregated on networks.
Test Performed:
1. Check whether the IT department of the organisation has implemented preventive measures like network segmentation and network zoning based on Zero Trust Architecture (ZTA).
2. Check the policy and deployment of firewalls and whether the organisation makes use of current firewall technologies (for example, from Palo Alto Networks, etc.). The vendor matters less than the rule base: review it for any-to-any permits and for flows between zones that the segmentation design does not allow.
3. Check whether the company has documentation and network diagrams for all segments and locations, making maintenance and tracing of malfunctioning devices easier.
4. Check whether the organisation has provided for redundancy in the network to avoid single points of failure, for example the use of Multi-Protocol Label Switching (MPLS) and Internet Leased Lines (ILL) to provide redundancy to the fibre-based WAN services, etc.
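
A rule-base review of the kind test 2 calls for, as an added example not taken from the checklist or from any firewall vendor: the zones, the approved zone-to-zone matrix and the rules are constructed, and the check flags any-to-any permits, permits between zones the matrix does not approve, "any service" permits from a lower-trust to a higher-trust zone, and a rule base without an explicit final deny.

```python
"""Firewall rule-base and zone-matrix review (added example, not part of the checklist).

A real review exports the rules from the firewall management console; the
zones, approved flows and rules below are constructed.
"""

TRUST_LEVEL = {"internet": 0, "dmz": 1, "user_lan": 2, "app": 3, "db": 4}

# (source zone, destination zone) pairs the segmentation design permits.
APPROVED_FLOWS = {("internet", "dmz"), ("user_lan", "dmz"), ("dmz", "app"),
                  ("user_lan", "app"), ("app", "db")}

RULES = [  # evaluated top to bottom, first match wins
    {"id": 1, "src": "internet", "dst": "dmz", "ports": [443], "action": "allow"},
    {"id": 2, "src": "dmz", "dst": "app", "ports": [8443], "action": "allow"},
    {"id": 3, "src": "app", "dst": "db", "ports": [5432], "action": "allow"},
    {"id": 4, "src": "user_lan", "dst": "db", "ports": ["any"], "action": "allow"},
    {"id": 5, "src": "internet", "dst": "app", "ports": [22], "action": "allow"},
    {"id": 6, "src": "any", "dst": "any", "ports": ["any"], "action": "allow"},
]


def review_rules(rules, approved_flows, trust_level):
    """Return (rule id, reason) findings; a rule id of None is a rule-base-wide finding."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["src"] == "any" and r["dst"] == "any":
            findings.append((r["id"], "permits any source to any destination"))
            continue
        if (r["src"], r["dst"]) not in approved_flows:
            findings.append((r["id"], f"flow {r['src']}->{r['dst']} is not in the approved zone matrix"))
        # "any" as a zone gets the lowest trust, so it is treated as untrusted.
        src_trust = trust_level.get(r["src"], -1)
        dst_trust = trust_level.get(r["dst"], -1)
        if "any" in r["ports"] and src_trust < dst_trust:
            findings.append((r["id"], "any service permitted from a lower-trust to a higher-trust zone"))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
        findings.append((None, "no explicit final deny-all rule"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in review_rules(RULES, APPROVED_FLOWS, TRUST_LEVEL):
        print(f"rule {'-' if rule_id is None else rule_id}: {reason}")
```

Rules 1 to 3 follow the matrix and pass. Rule 4 lets the user LAN reach the database zone on every port, rule 5 exposes SSH on the application zone directly to the Internet, and rule 6 is the any-to-any permit that makes everything above it irrelevant; because the last rule is a permit rather than a deny, the rule base has no default-deny posture at all. Keeping the approved matrix as data, separate from the rules, is what lets the review be repeated after every change.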

Process: Communication security
Sub-process: Information transfer
Risk Description: Risks to the confidentiality, integrity and availability of the information being transferred; the controls needed depend on the type, nature, amount and sensitivity or classification of that information.
Control:
1. Information transfer policies and procedures - Formal transfer policies, procedures and controls shall be in place to protect the transfer of information using all types of communication facilities.
2. Agreements on information transfer - Agreements shall address the secure transfer of business information between the organization and external parties.
3. Electronic messaging - Information involved in electronic messaging shall be appropriately protected.
4. Confidentiality or non-disclosure agreements - Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
Test Performed: Check for the availability of policies on:
a) Information transfer policies and procedures.
b) Information and data flows and the classification system used.
c) Agreements on information transfer addressing the secure transfer of business information between the organisation and external parties.
d) Electronic messaging and protection of messages.
e) Confidentiality or non-disclosure agreements.

Process: Vendor Management
Sub-process: Information security in supplier relationships
Risk Description: Risk from suppliers and vendors. Absence of an adequate supplier policy may lead to financial, environmental, operational and legal risks.
Control:
1. Information security policy for supplier relationships - Information security requirements for mitigating the risks associated with the supplier's access to the organization's assets shall be agreed with the supplier and documented.
2. Addressing security within supplier agreements - All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
3. Information and communication technology supply chain - Agreements with suppliers shall include requirements to address the information security risks associated with the information and communications technology services and product supply chain.
Test Performed:
1. Whether vendor reliability is considered before purchasing LAN hardware and software.
2. Whether a service log is maintained to document vendor support servicing.

Process: Vendor Management
Sub-process: Supplier service delivery management
Risk Description: External risks such as process disruptions, intellectual property theft and non-compliance with regulatory security standards.
Control:
1. Monitoring and review of supplier services - Organizations shall regularly monitor, review and audit supplier service delivery.
2. Managing changes to supplier services - Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business information, systems and processes involved and re-assessment of risks.
Test Performed:
1. On a sample basis, select LAN hardware and software contracts. Check whether vendor support requirements are clearly defined and whether product licensing restrictions are clearly identified.
2. Obtain the service log and look for software or hardware that has been subject to numerous problems and vendor-assisted support. Check whether management and the users can support or justify the activity.
3. From the sample of LAN hardware and software contracts, determine whether the vendor is reliable. Such information can be obtained from trade periodicals, financial reporting services (e.g. Standard & Poor's), trade associations, and MIS management.
4. Obtain a copy of the negotiated service level agreement from the IS department, noting specific performance requirements. Compare the agreement with the performance reports.

Process: Asset Management
Sub-process: Asset responsibility
Risk Description: Improper IT asset management can drive up insurance costs, lead to an inability to identify potential savings, hinder performance improvement and allow data breaches as a result of outdated inventory information. It also makes it difficult to manage the IT infrastructure remotely.
Control:
1. Inventory of assets - Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
2. Ownership of assets - Assets maintained in the inventory shall be owned by the entity.
3. Acceptable use of assets - Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
4. Return of assets - All employees and external party users shall return all the organizational assets in their possession upon termination of their employment, contract or agreement.
5. Disposal of assets -
   a) Whether there is a policy regarding disposal of obsolete or badly damaged assets.
   b) Does the policy require management approval of the disposal of the equipment?
   c) Obtain a copy and determine whether it has been reviewed and approved by management.
Test Performed:
1. Determine whether there is a complete inventory of the following. Hardware: computers, file servers, printers, modems, switches, routers, hubs, etc. Software: all software for each PC is logged with licences and serial numbers.
2. Check the availability of an Information Asset Register with records of all assets.
3. Verify:
   a) Written procedures for keeping the asset inventory.
   b) The inventory procedures identify who (by title) is responsible for maintaining the inventory report.
   c) The inventory procedures require regular updating of the inventory report.
4. Unused equipment is properly and securely stored.
5. Copies of the software and hardware inventory reports are stored at another secure location.
6. On a sample basis, match the inventory report to actual hardware devices (Inventory Record Accuracy checks, IRA): all of the hardware present is properly identified/tagged and located in the proper place. Also check the reverse direction: devices seen on the network (switch tables, DHCP leases, discovery scans) that have no register entry are unmanaged assets.
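
The inventory record accuracy check in test 6, as an added example that is not from the checklist: a constructed asset register is reconciled by MAC address against a constructed network discovery list, reporting unregistered devices, register entries no longer seen, entries found in a different location than recorded, and the accuracy rate.

```python
"""Inventory Record Accuracy check (added example, not part of the checklist).

Reconciles the asset register against what is actually seen on the network
(switch MAC tables, DHCP leases or a discovery scan). Both data sets are
constructed for the example.
"""

REGISTER = [  # constructed: (asset tag, hostname, MAC, owner, recorded location)
    ("A-1001", "erp01", "aa:bb:cc:00:00:01", "IT Ops", "DC-1 rack 3"),
    ("A-1002", "fs01", "aa:bb:cc:00:00:02", "IT Ops", "DC-1 rack 3"),
    ("A-1003", "old-print", "aa:bb:cc:00:00:03", "Facilities", "Floor 2"),
]

DISCOVERED = [  # constructed: (MAC, hostname, location the switch port or AP maps to)
    ("aa:bb:cc:00:00:01", "erp01", "DC-1 rack 3"),
    ("aa:bb:cc:00:00:02", "fs01", "DC-1 rack 5"),
    ("AA:BB:CC:00:00:09", "rogue-ap", "Floor 2"),
]


def reconcile(register, discovered):
    """Compare the register with discovery results, keyed on MAC address.

    Returns unregistered MACs (on the network, not in the register), ghost tags
    (in the register, not seen), misplaced entries (seen somewhere other than the
    recorded location) and the fraction of register entries with no discrepancy.
    """
    by_mac = {mac.lower(): (tag, host, owner, loc) for tag, host, mac, owner, loc in register}
    seen = {mac.lower(): (host, loc) for mac, host, loc in discovered}

    unregistered = sorted(mac for mac in seen if mac not in by_mac)
    ghosts = sorted(entry[0] for mac, entry in by_mac.items() if mac not in seen)
    misplaced, accurate = [], 0
    for mac, (tag, _host, _owner, loc) in by_mac.items():
        if mac not in seen:
            continue
        if seen[mac][1] != loc:
            misplaced.append((tag, loc, seen[mac][1]))
        else:
            accurate += 1
    return {"unregistered": unregistered, "ghost": ghosts, "misplaced": misplaced,
            "accuracy": accurate / len(register) if register else 0.0}


if __name__ == "__main__":
    result = reconcile(REGISTER, DISCOVERED)
    print("not in register:", result["unregistered"])
    print("registered but not seen:", result["ghost"])
    print("in another location:", result["misplaced"])
    print(f"record accuracy: {result['accuracy']:.0%}")
```

Only one of the three register entries is fully accurate: the file server has moved racks without the register being updated, the old printer is still on the books but no longer on the network, and an access point that nobody registered is answering on floor 2. MAC addresses are normalised to lower case before matching because registers and switch exports rarely agree on case, a detail that otherwise produces false "unregistered" findings.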

Process: Asset Management
Sub-process: Information classification (data)
Risk Description: Improper information asset classification can impact the confidentiality, integrity and availability of organisational operations, assets and individuals. Poor classification systems can lead to loss of information in areas like health and safety, financial loss, the company's mission and programmes, and public trust.
Control:
1. Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
2. Labelling of information - An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
3. Handling of assets - Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Test Performed:
1. Check whether the organisation has adopted a formal information asset classification method. The classification method may include:
   a) identification of information assets (labelling);
   b) classification of information assets by Confidentiality, Integrity and Availability ("CIA");
   c) determining the controls and handling methods adopted based upon the classification.
2. Check the availability of an Information Asset Register with records of all assets.

Process: Asset Management
Sub-process: Media handling (data)
Risk Description: Risk of both reputational damage and financial loss. Errors in physical media transfer could also open the way to cyber-attacks through social engineering.
Control:
1. Management of removable media - Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
2. Disposal of media - Media shall be disposed of securely when no longer required, using formal procedures.
3. Physical media transfer - Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
Test Performed:
1. Management of removable media: check documented procedures and records related to
   a) authorization for the removal of media from the company, with a record of these removals maintained in order to preserve the audit trail;
   b) media storage: in compliance with the manufacturers' standards, all media should be kept in a secure and safe environment;
   c) where confidentiality or integrity of data is important, whether cryptographic techniques for securing data on removable media are used;
   d) whether multiple copies of important data are stored on different media to further reduce the possibility of accidental data damage or loss;
   e) the process for registration of removable media.
2. Disposal of media: check documented procedures and records related to
   a) whether confidential media is disposed of safely, e.g. by incineration or shredding, or by data erasure (a plain delete or quick format is not erasure; overwriting, cryptographic erase or physical destruction is required, and because overwriting is unreliable on flash-based media such as SSDs and USB sticks, those need cryptographic erase or destruction);
   b) procedures to identify the items that need safe disposal;
   c) if opting for media collection and disposal services, whether care has been taken to select a suitable external party with adequate controls and experience;
   d) whether the disposal of confidential items is logged in order to maintain an audit trail;
   e) whether the contents of reusable media that are to be removed from the organization are made unrecoverable.
3. Physical media transfer: check documented procedures and records related to
   a) reliable transport or the use of authorized couriers;
   b) packaging to safeguard the content from any physical damage likely to occur during transit and to protect the content against environmental factors such as exposure to heat, humidity or electromagnetic fields which could reduce the chance of recovering the media;
   c) logs maintained with details of the media content, date/time of transfer to the location and receipt at the destination.

Process: System acquisition, development and maintenance
Sub-process: Security requirements of information systems
Risk Description: Risk of developing unreliable software that is exposed to external threats and vulnerabilities.
Control:
1. Information security requirements analysis and specification - The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
2. Securing application services on public networks - Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
3. Protecting application services transactions - Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.
Test Performed: Check for the SDLC methodology adopted, with specific inclusion of application security needs. Check how the documentation of security requirements has been carried out.

Process: System acquisition, development and maintenance
Sub-process: Security in development and support processes
Risk Description: Systems vulnerable to external threats, leading to likely disruption of business operations.
Control:
1. Secure development policy - Rules for the development of software and systems shall be established and applied to developments within the organization.
2. System change control procedures - Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
3. Technical review of applications after operating platform changes - When operating platforms are changed, the business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
4. Restrictions on changes to software packages - Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
5. Secure system engineering principles - Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
6. Secure development environment - Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
7. System security testing - Testing of security functionality shall be carried out during development.
8. System acceptance testing - Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
Test Performed: Check and validate the following:
1. Examine how the security requirements captured in the analysis or initial phases have been addressed in the design, development, testing and implementation processes.
2. Give special attention to how the organisation has included preventive measures to block SQL injection, denial of service threats, etc. from the external environment. For SQL injection this means checking that database access uses parameterised queries rather than queries assembled from user input.
3. Check whether third-party VAPT testing has been formally carried out on the developed system and remedial actions initiated and closed before go-live.
4. Assess the change management process to ascertain how changes have been carried out during the development and post-implementation phases, ensuring security reliability.
5. Examine the procedures related to infrastructure and operating system changes during the life cycle of the project implementation. Ensure that the organisation tracks and controls the changes in a systematic manner for the complete infrastructure environment comprising the development, test and production servers.
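
What the SQL injection check in test 2 looks for in code, as an added example that is not from the checklist: the vulnerable login query, built by formatting user input into the SQL text, beside its parameterised form, both run against an in-memory SQLite database with constructed users.

```python
"""SQL injection: vulnerable login query beside its parameterised form
(added example, not code from the checklist). The users table is constructed.
"""
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "h-alice", "admin"), ("bob", "h-bob", "user")])  # constructed rows
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the SQL text from user input, so the input becomes part of the statement."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver passes the values separately from the SQL
    text, so quotes or comment markers in the input never change the statement."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Two classic payloads. The SQL comment marker `--` discards the rest of the
# statement, including the password check.
BYPASS_ONE_USER = "alice' --"
DUMP_ALL_USERS = "' OR 1=1 --"


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, bypass:", login_vulnerable(db, BYPASS_ONE_USER, "wrong"))
    print("vulnerable, dump:  ", login_vulnerable(db, DUMP_ALL_USERS, "wrong"))
    print("safe, same input:  ", login_safe(db, BYPASS_ONE_USER, "wrong"))
    print("safe, real creds:  ", login_safe(db, "alice", "h-alice"))
```

With the first payload the vulnerable query becomes `WHERE username = 'alice' --' AND password_hash = 'wrong'` and logs the attacker in as the administrator without a password; with the second it returns every row. The parameterised version returns nothing for either payload and still works for genuine credentials, which is the behaviour a code review under test 2 should confirm for every database call that takes external input.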

Process: Information Security Incident Management
Sub-process: Management of information security incidents and improvements
Risk Description: Risk of security issues within the IT infrastructure not being responded to in a quick, effective and orderly manner.
Control:
1. Responsibilities and procedures - Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
2. Reporting information security events - Information security events shall be reported through appropriate management channels as quickly as possible.
3. Reporting information security weaknesses - Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
4. Assessment and decision on information security events - Information security events shall be assessed, and it shall be decided if they are to be classified as information security incidents.
5. Response to information security incidents - Information security incidents shall be responded to in accordance with the documented procedures.
6. Learning from information security incidents - Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
7. Collection of evidence - The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.
Test Performed:
1. Check for the availability of procedures on the management of information security incidents, events and weaknesses, with emphasis on:
   - Responsibilities and procedures: planning and preparing incident response; monitoring, detecting, analysing and reporting information security events; logging incident management activities; handling forensic evidence; assessing and deciding on information security events and weaknesses; responding to a security incident, both internally and externally
   - Reporting information security incidents
   - Reporting information security weaknesses
   - Assessment and decision on information security events
   - Response to information security incidents
   - Learning from information security incidents
   - Collection of evidence (the procedure should require that each item's cryptographic hash, the collector and the time of collection are recorded at acquisition, so that integrity can be demonstrated later)
2. Check sample security incidents from the past and check compliance with the incident management processes.
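
Control 7 (collection of evidence) in scriptable form, as an added example not taken from the checklist: an acquisition manifest in which each record carries the artefact's SHA-256 digest, the collector, the collection time and the hash of the previous record, so that a changed file, an edited record or a removed record is detected at verification. The artefacts, case identifier and collector name are constructed.

```python
"""Evidence acquisition manifest with a hash chain (added example, not part of
the checklist). Artefacts, case id and collector are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64   # "previous record" value for the first entry


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_hash(rec):
    """Hash of every field except record_hash itself, in a canonical encoding."""
    body = {k: v for k, v in rec.items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def acquire(artefacts, case_id, collector, collected_at):
    """Produce the manifest for the given files; collected_at is recorded as ISO 8601."""
    manifest, prev = [], GENESIS
    for path in artefacts:
        rec = {"case": case_id, "file": path.name, "size": path.stat().st_size,
               "sha256": sha256_file(path), "collected_by": collector,
               "collected_at": collected_at.isoformat(), "prev": prev}
        rec["record_hash"] = record_hash(rec)
        manifest.append(rec)
        prev = rec["record_hash"]
    return manifest


def verify(manifest, directory):
    """Return a list of problems; an empty list means files and manifest are intact."""
    problems, prev = [], GENESIS
    for rec in manifest:
        if rec["prev"] != prev:
            problems.append(f"{rec['file']}: chain broken")
        if record_hash(rec) != rec["record_hash"]:
            problems.append(f"{rec['file']}: manifest record altered")
        path = Path(directory) / rec["file"]
        if not path.exists():
            problems.append(f"{rec['file']}: missing")
        elif sha256_file(path) != rec["sha256"]:
            problems.append(f"{rec['file']}: content changed")
        prev = rec["record_hash"]
    return problems


def demo():
    """Acquire two constructed artefacts, verify, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "auth.log").write_text("Mar 12 02:10:01 erp01 sshd[4012]: Failed password ...\n")
        (d / "memory.dmp").write_bytes(b"\x00\x01constructed dump")
        when = datetime(2024, 3, 12, 10, 0, tzinfo=timezone.utc)
        manifest = acquire([d / "auth.log", d / "memory.dmp"], "IR-2024-007", "j.doe", when)
        before = verify(manifest, d)
        (d / "auth.log").write_text("edited after acquisition\n")   # simulated tampering
        after = verify(manifest, d)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest has to be stored apart from the evidence (signed, or at least on media the evidence custodian does not control) for the chain to mean anything; the chain only proves that the manifest and the files still match what was recorded, not that the recording itself was honest. Removing a record breaks the `prev` link of the record after it, which is why deletions are caught as well as edits.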

Process: Business Continuity Management
Sub-process: Information security continuity
Risk Description: Absence of a rigorous Disaster Recovery and Business Continuity Plan could result in:
- complete loss of data that is critical to business operations
- business interruption
- loss of clients
- damaged reputation, and/or
- business failure.
Control:
1. Planning information security continuity - The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
2. Implementing information security continuity - The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
3. Verify, review and evaluate information security continuity - The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
4. Redundancies - Availability of information processing facilities - Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Test Performed:
1. Check whether the organisation has appointed a top-management-driven Disaster Recovery / BCP task force to implement the plan.
2. Review how the organisation has implemented, or is in the process of implementing, the DRP/BCP, with focus on:
   - Project planning
   - Country risk analysis/review
   - Business impact analysis
   - Recovery strategy (RTO and RPO targets); check that the backup schedule actually meets the stated RPO and that a timed restore test supports the stated RTO
   - Plan development
   - Testing
   - Training
   - Business continuity plan
   - Maintenance

Process: Review of Information System Security
Sub-process: Monitoring processes, performance evaluation
Risk Description: Risk of non-compliance with relevant legislation and internal policies and standards.
Control:
1. Processes exist to monitor compliance with all relevant legislation plus internal policies and standards.
2. Monitoring processes are carried out by management.
Test Performed: Examine the performance management and monitoring process, with special emphasis on metrics identification, measurement and reporting. Also review how actions have been initiated in response to metric trends or targets not being achieved.

Process: Review of Information System Security
Sub-process: Management review
Risk Description: Risk of progressive degradation of security measures.
Control: Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
Test Performed: Validate how the management review process is carried out in the organisation, either directly by the Board of Directors or by the Audit Committee. Check for appropriate review records and action points.

Process: Review of Information System Security
Sub-process: Internal audit
Risk Description: Absence of a formal internal audit function, or not having adequate and competent staff in the internal audit activity, exposes the organization to inadequate evaluation of the effectiveness of risk management, control and governance processes.
Control: The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
   1) the organization's own requirements for its information security management system; and
   2) the requirements of the International Standard (ISO/IEC 27001);
b) is effectively implemented and maintained.
Test Performed:
1. Check the internal audit policy, standard and procedure within the organisation.
2. Check for evidence of internal audits conducted by the organisation, the audit schedules and the results of the audits.
3. Check how the recommendations of the internal audit have been implemented.

Process: Information and Communications
Sub-process: Information and Communications
Risk Description: Risk that the security policies are not working effectively.
Control:
1. Metrics are provided to the Board of Directors, its committees and management in relation to IT security.
2. Additional reports are provided to the Board of Directors and to management on a regular basis.
3. Management is always provided with reports when there are IT control failures.
4. The Board of Directors and its committees receive similar reports of IT control failures.
Test Performed:
1. Check the IT security management reports that are prepared and circulated to the Board of Directors.
2. Examine the content and records of the Board review / Audit Committee review and the actions taken.

Process: Cryptography
Sub-process: Cryptographic controls
Risk Description: Sensitive application data is exposed when it is protected by a weak cryptographic algorithm or by none at all.
Control:
1. Policy on the use of cryptographic controls - A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
2. Key management - A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
Test Performed: Where the organisation's business environment requires it:
1. Review the cryptographic control policy and procedures adopted in the organisation. The policy should name the approved algorithms and minimum key sizes and forbid deprecated ones (such as DES, 3DES, RC4, MD5 and SHA-1 for signatures), rather than leaving the choice to each project.
2. Review that robust key management procedures are in place to protect sensitive information: generation, storage (for example in an HSM or a key management service), rotation within a defined maximum lifetime, revocation, destruction, and a recorded owner for every key.
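
A way to test the two review items above against actual key material, as an added example not from the checklist: a constructed key inventory is checked against a constructed policy for deprecated algorithms, key sizes below the minimum, keys past the maximum lifetime for their purpose, and keys with no recorded owner. Real inventories come from the KMS, HSM or certificate store, and real limits from the organisation's own policy.

```python
"""Cryptographic policy and key-management check (added example, not part of
the checklist). Policy values and key inventory are constructed.
"""
from datetime import date

POLICY = {  # constructed policy
    "deprecated": {"DES", "3DES", "RC4", "MD5", "SHA-1"},
    "min_bits": {"RSA": 2048, "EC": 256, "AES": 128},
    "max_lifetime_days": {"tls": 398, "data-encryption": 730, "signing": 1095},
}

KEYS = [  # constructed key inventory
    {"id": "k1", "purpose": "tls", "algorithm": "RSA", "bits": 2048,
     "created": date(2023, 1, 1), "owner": "web-team"},
    {"id": "k2", "purpose": "tls", "algorithm": "RSA", "bits": 1024,
     "created": date(2023, 6, 1), "owner": "web-team"},
    {"id": "k3", "purpose": "data-encryption", "algorithm": "3DES", "bits": 168,
     "created": date(2024, 1, 1), "owner": "erp"},
    {"id": "k4", "purpose": "data-encryption", "algorithm": "AES", "bits": 256,
     "created": date(2021, 1, 1), "owner": "erp"},
    {"id": "k5", "purpose": "signing", "algorithm": "EC", "bits": 256,
     "created": date(2024, 1, 1), "owner": ""},
]
TODAY = date(2024, 3, 12)   # constructed review date


def check_keys(keys, policy, today):
    """Return (key id, issue) pairs; one key may have several issues."""
    issues = []
    for k in keys:
        alg = k["algorithm"]
        if alg in policy["deprecated"]:
            issues.append((k["id"], "deprecated algorithm"))
        elif alg in policy["min_bits"] and k["bits"] < policy["min_bits"][alg]:
            issues.append((k["id"], "key size below policy"))
        limit = policy["max_lifetime_days"].get(k["purpose"])
        if limit is not None and (today - k["created"]).days > limit:
            issues.append((k["id"], "past maximum lifetime"))
        if not k.get("owner"):
            issues.append((k["id"], "no owner recorded"))
    return issues


if __name__ == "__main__":
    for key_id, issue in check_keys(KEYS, POLICY, TODAY):
        print(f"{key_id}: {issue}")
```

Each of the five constructed keys fails exactly one check: an otherwise sound TLS key that has outlived its 398-day limit, a 1024-bit RSA key, a 3DES data-encryption key, an AES key that has not been rotated in three years, and a signing key with no owner, which is the one nobody will rotate or revoke when it needs to be. The policy is data rather than code so that the same check can be re-run when the policy is tightened.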


Process: Compliance
Sub-process: Compliance with legal and contractual requirements
Risk: Risk of non-compliance.
Control:
1. Identification of applicable legislation and contractual requirements - All relevant legislative, statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented, and kept up to date for each information system and the organization.
2. Intellectual property rights - Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
3. Protection of records - Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
4. Regulation of cryptographic controls - Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
Test Performed: Review and validate how the organisation has identified and recorded its legal, regulatory, and contractual obligations; the responsibilities for meeting such requirements; and any necessary policies, procedures and other controls required to meet those requirements.

Process: Compliance
Sub-process: Information security reviews
Risk: Risk that policies are not kept current and do not change with business needs and regulations.
Control:
1. Independent review of information security - The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
2. Compliance with security policies and standards - Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
3. Technical compliance review - Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.
Test Performed:
1. Check that independent reviews of the Information Security Policy are being conducted periodically, with a focus on improving the organisation's approach to information security, including the information security policy, topic-specific policies and related controls.
2. Check whether the persons who have conducted the reviews have been independent, possess relevant operational competence and have no vested interests.
3. Check whether the organisation also conducts ad-hoc reviews due to amendment of laws/regulations, post security incidents, major changes to business, introduction of new products, organisational changes, etc.

Checklist 8
Standards on Internal Audit (SIAs)
Compliances
This Checklist on Standards on Internal Audit is illustrative in nature. Members are advised to suitably modify it as per the facts, circumstances, and nature of the entity under internal audit. This document neither supersedes nor replaces any guidance, pronouncements or Standards issued by ICAI. Members are advised to read and use the Checklist in conjunction with the Standards on Internal Audit, and to exercise professional judgement while using it.

Particulars | Standards on Internal Audit | Response (Yes/No/NA)

SIA 220, Conducting Overall Internal Audit Planning
Planned internal audits are in line with the objectives of the internal audit function, as per the internal audit charter of the entity (and terms of engagement, where it is an outsourced engagement) and in line with the overall objectives of the organisation.

Confirm and agree with those charged with governance the broad scope, methodology and depth of coverage of the internal audit work to be undertaken in the defined time-period.

Overall resources are adequate, skilled and deployed with focus in areas of importance, complexity and sensitivity.

Audits undertaken conform at all times with the applicable pronouncements of the Institute of Chartered Accountants of India.

The Internal Auditor shall gather all the information required to fully understand the entity's business environment, the risks it faces and its operational challenges.

A key element of planning involves extensive discussion and deliberation with all stakeholders, including executive management, risk owners, process owners, statutory auditors, etc.

Prior to defining the scope of internal audit, a complete identification of all the Auditable Units (locations, functions, business units, legal entities, including third parties where relevant) of the organisation shall be made.

To confirm compliance of audit procedures with the SIA, all key steps undertaken in the planning process shall be adequately documented to confirm their proper completion.

SIA 310, Planning the Internal Audit Assignment
A risk-based planning exercise shall form the basis of the Internal Audit Assignment Plan. The Internal Auditor shall undertake an independent risk assessment exercise to prioritise and focus audit work on high risk areas and processes, with due attention given to matters of importance, complexity and sensitivity.

To confirm compliance of audit procedures with the SIA, all key steps undertaken in the planning process shall be adequately documented to confirm their proper completion. Essential documentation shall be as follows:
(a) Planning Process documentation (or Checklists) and any tools used in the planning process.
(b) Documentation supporting the information gathered about the Auditable Unit's business and operations, systems and processes and past or known issues.
(c) Summary of meetings and communication with key stakeholders, with a summary of their inputs.
(d) Risk Assessment documentation and a Summary of risk mitigating controls deployed.
(e) Summary of available resources, their competencies and the proper matching of their skills with the audit requirements.
(f) Detailed Internal Audit Programme (IAP) which lists the specific testing procedures to be conducted for each audit objective.
(g) The final Internal Audit Assignment Plan duly approved by the Chief Internal Auditor.

SIA 230, Objectives of Internal Audit
The Internal Audit Charter and the Engagement Letter shall be reviewed periodically by the Chief of Internal Audit and the Engagement Partner to ensure their relevance to the changing times or circumstances (e.g. change in scope). If found necessary, the proposed amendments to these documents shall be put up to the approving authority for their review and approval.

Basic Principles of Internal Audit
All internal audits are conducted with certain fundamental features designed to:
• establish the credibility of the Internal Auditor
  o Independence
  o Integrity and Objectivity
  o Due Professional Care
  o Confidentiality
  o Skills and Competence
• outline the elements essential for performance of internal audit activities
  o Risk Based Audit
  o System and Process Focus
  o Participation in Decision Making
  o Sensitive to Multiple Stakeholder Interest
  o Quality and Continuous Improvement

SIA 210, Managing the Internal Audit Function
The Chief Internal Auditor has the overall responsibility to ensure the achievement of the objectives of the internal audit function through a well-documented internal audit process.

To confirm compliance with the Standard, all key activities which form part of the internal audit process shall be documented to confirm their timely completion.

SIA 240, Using the Work of an Expert
Where the findings of the Expert will form part of the assurance report to be issued by the Internal Auditor, the Internal Auditor shall participate in defining the scope, approach and work to be conducted by the Expert. Otherwise, the Internal Auditor shall not incorporate the findings of the Expert in his Internal Audit report.

The Internal Auditor shall perform an evaluation of the work completed by the Expert to ensure that the work completed constitutes appropriate and reliable evidence to support the overall conclusions to be reported.

The Internal Auditor shall retain ultimate responsibility for internal audit conclusions and opinions which are incorporated in his internal audit report, unless specifically mandated otherwise by the Assurance User (the recipient of the Internal Audit Report). Hence, the Internal Auditor shall not refer to the work of an Expert in his Internal Audit Report.

SIA 250, Communication with Those Charged with Governance
An effective communication relationship is established and maintained with Those Charged with Governance. The matters to be communicated, the form and manner, and periodicity of communication are best established between the Internal Auditor and Those Charged with Governance. In this regard, a formal communication process shall be pre-agreed with TCWG, and include the following (indicative list):
(a) form and content of communication (the "what");
(b) manner and protocol of communication (the "who" and "how"); and
(c) timelines and periodicity of communication (the "when").

Certain matters which the Internal Auditor should consider as essential matters for communication may include the following (indicative list):
(a) Annual Internal Audit plan, covering the scope, timing, methodology of audit assignments to be undertaken, along with resources and budgets of the internal audit department;
(b) Outcome of the risk assessment exercise conducted to develop the Internal Audit Plan;
(c) Periodic update on significant observations, with corrective action plans, as agreed with the auditee;
(d) Details of the functioning of the internal audit department and a continuous update on their progress, status of performance and any resource or budget constraints;
(e) Status update of prior audit issues, their timely closure with an Action Taken Report; and
(f) Any other matters as per Standards on Internal Audit, laws and regulations and the professional judgement of the Internal Auditor.

Maintain all the documents as required by the Standard on Internal Audit (SIA) 330, Internal Audit Documentation. Oral communications with TCWG may be documented for records through written communication or as the minutes of meetings.

SIA 320, Internal Audit Evidence
The Internal Auditor shall obtain sufficient and appropriate audit evidence which can form the basis of audit findings and allow reliable conclusions to be drawn from those findings. Evidence collected through various audit procedures shall be complementary and relevant to the objectives of the audit procedure conducted.

The evidence shall be obtained from reliable sources, with consistency between the various pieces of evidence collected.

All audit evidence collected shall be recorded and the internal audit function shall maintain a written process explaining the manner in which audit evidence is to be gathered, reviewed, documented and stored as per standards of quality and in conformance to the Standards on Internal Audit.

SIA 330, Internal Audit Documentation
The internal auditor shall record the nature, timing and extent of completion of all internal audit activities and testing procedures in the form of reproducible documents.

Documentation shall be complete and sufficient to support the analysis conducted on the audit evidence, the identification of findings, the formulation of audit observations and the drafting of the internal audit reports based on the findings. Documentation shall clearly state the purpose of the procedure, the source of evidence, the outcome of the audit work and also identify the performer and reviewer.

The internal audit function shall maintain a written process explaining the manner in which documentation will be prepared, reviewed, stored and finally discarded, to ensure quality and conformance to Standards on Internal Audit.

The internal audit work paper files shall be completed prior to the issuance of the final internal audit report. Any pending administrative matters shall also be completed within sixty days of the release of the final report.

The ownership and custody of the internal audit work papers shall remain with the Internal Auditor.

SIA 350, Review and Supervision of Audit Assignments
The audit work is executed in accordance with the Internal Audit Programme, and Audit Procedures are completed effectively and in a timely manner to help achieve the overall objectives of the audit assignment.

The extent of the documentation reviewed is based on the professional judgement of the reviewer, and can include checking the name of the preparer, date of preparation, relevance and reliability of audit evidence, conclusions formed, audit observations drafted, the sufficiency of documents, etc. The adequacy of the documentation is tested on the basis of the requirements of the applicable Standards on Internal Audit.

A review of the audit workpapers shall be carried out to ensure that these are sufficient and appropriate to allow the reviewer to arrive at the same conclusions and formulate similar observations as done by the audit staff. The documentation shall record the evidence of the supervision and review conducted, including the performance of any audit procedures subsequent to the review.

The Internal Audit function (or outsourced Firm) shall maintain a written process explaining the manner in which review and supervision shall be performed to ensure conformance to the quality as per Standards on Internal Audit.

SIA 360, Communication with Management
All communication with management shall be clear, appropriate and in line with the agreed process and timelines.

The process documentation shall outline the various modes and channels of communication, the periodicity and timelines for communication, and also cover certain essential information required to be communicated. Where essential matters are concerned, any verbal communication should subsequently be confirmed in writing and maintained as audit documentation.

To confirm compliance of audit procedures with this SIA, the list of documents required is as follows:
(a) Written Communication process and protocol, as part of the Internal Audit Manual.
(b) Written details of essential exchange of information, as required by other SIAs, cross-referenced to the Internal Audit Program, where appropriate.

SIA 370, Reporting Results
On the basis of the internal audit work completed, the Internal Auditor shall issue a clear, well documented Internal Audit Report which includes the following key elements:
(a) An overview of the objectives, scope and approach of the audit assignments;
(b) The fact that an internal audit has been conducted in accordance with the Standards of Internal Audit;
(c) An executive summary of key observations covering all important aspects, and specific to the scope of the assignment;
(d) A summary of the corrective actions required (or agreed by management) for each observation; and
(e) Nature of assurance, if any, which can be derived from the observations.

The nature of assurance, if any, to be provided shall be in line with Standard on Internal Audit (SIA) 110, Nature of Assurance, as pre-agreed with the auditee at the planning stage.

The content and form of the Internal Audit Report is to be established by the Internal Auditor based on his best professional judgement, in consultation with the auditee and, if necessary, with inputs from other key stakeholders. No internal audit report shall be issued in final form unless a written draft of the report has previously been shared with the auditee.

The internal audit report shall be issued within a reasonable time frame from the completion of the internal audit work.

Where the internal audit is conducted in compliance with the Standards of Internal Audit (within the Framework governing Internal Audits), and the internal auditor can substantiate the same with supporting evidence and documentation, the internal audit report shall include a statement confirming that "the internal audit was conducted in accordance with the Standards of Internal Audit issued by the Institute of Chartered Accountants of India".

The manner in which the internal audit report is drafted and presented is a matter of professional judgment and choice and could be influenced by the preferences of the recipients. The SIA does not mandate any particular format or list of contents since the Internal Auditor is expected to exercise his best professional judgement on matters regarding how and what to report. Where some level of assurance is being provided, the form and content of the report shall be as per SIA 380, "Issuing Assurance Reports".

To confirm compliance of audit procedures with this SIA, the list of documents required is as follows:
(a) Copies of draft and final internal audit reports to be maintained, appropriately cross-referenced to specific observations.
(b) If appropriate, management action plans may be countersigned by respective management personnel.

SIA 390, Monitoring and Reporting of Prior Audit Issues
The Chief Internal Auditor is responsible for continuously monitoring the closure of prior audit issues through a timely implementation of action plans included in past audits. This shall be done with a formal monitoring process, elements of which are pre-agreed with management and those charged with governance. The responsibility to implement the action plans remains with the management.

For critical or sensitive issues (e.g., those rated high risk or with fraud risk), follow-up audit procedures shall be performed to ensure that the risk has been mitigated to an acceptable level. For medium risk issues, documentary proof of the implementation of the audit recommendations may be acceptable. For low-risk issues, a written note of confirmation from management may be sufficient. However, the documentation for all three categories of risk shall be maintained as per the Standard on Internal Audit (SIA) 330, "Internal Audit Documentation".

When the Internal Auditor observes delay in the agreed time schedule for implementation, the Internal Auditor shall intimate the auditee and agree to a new time schedule.

The Internal Auditor shall document the working papers according to the Standard on Internal Audit (SIA) 330, "Internal Audit Documentation", which shall include:
(a) The monitoring plan as agreed with management, including escalation procedures and protocol to be followed in case of delays.
(b) Auditee's confirmation of either complete implementation of agreed actions, or reasons for part/non-implementation and thereby, acceptance of risks.
(c) The documentary evidence and working papers to support additional audit procedures performed to confirm effective closure of prior issues.
(d) Escalation communication with corresponding management responses.
(e) Periodic status reports (ATR) issued to the management and those charged with governance.

The internal auditor shall periodically report to the management and the Audit Committee the status of prior issues (generally in the form of an "Action Taken Report"), including providing a confirmation of closure based on additional procedures, ageing of issues pending closure and reasons for any delays.

SIA 520, Internal Auditing in an Information Technology Environment
Audits are undertaken after due study and understanding of the Organisation's ITE, which covers the IT strategy, policies, operating procedures, the risks and governance mechanism in place to manage the ITE. An independent risk assessment, along with an evaluation of the controls required to mitigate those risks, forms the basis of the audit procedures.

The audit procedures, as designed and executed, are sufficient to allow an independent assurance, especially in the areas of (indicative list):
• Security and reliability of information.
• Efficiency and effectiveness of information processing.
• Analysis and reporting of the information.
• Continuous access and availability of the information.
• Compliance with the IT related laws and regulations.

The overall objective of performing an internal audit in an ITE is to provide independent assurance and help in making improvements in the ITE, thereby enabling the achievement of business objectives.

Audit documentation shall include IT environment understanding and scoping, IT risk assessment, IT audit planning, IT risk and controls matrix, IT test work papers, system generated reports with the supporting documents, evidence gathered and so on. Modern audit documentation tools may be used by the Internal Auditor to make the audit more efficient and effective.

SIA 530, Third Party Service Provider
The Internal Auditor shall review both the pre-engagement and post-engagement due diligence undertaken by the User Entity, including an assessment of the control environment at the TPSP.

A periodic independent risk assessment of each third-party arrangement shall be conducted by the management and reviewed by the Internal Auditor to ensure adequate mitigation steps and control activities are designed, implemented, and operated effectively.

In case the Internal Auditor is not performing an independent audit but obtains TPAA reports, the review of the TPAA reports shall be undertaken in compliance with Standard on Internal Audit (SIA) 240, Using the Work of an Expert.

SIA 110, Nature of Assurance
The Internal Auditor provides a written report expressing an opinion that conveys the assurance obtained about the Subject matter. Standard on Internal Audit (SIA) 380, "Issuing Assurance Reports" establishes the basic elements, form and content of assurance reports. In addition, the Internal Auditor considers other reporting responsibilities, including communicating with those charged with governance (SIA 250) when it is appropriate to do so. Standard on Internal Audit (SIA) 370, "Reporting Results" covers those assignments where no formal assurance report is required, and the Internal Auditor's report is, generally, in the form of a Summary of Findings or Observations.

SIA 120, Internal Controls
The Internal Auditor shall review the risk assessment exercise undertaken at the time of planning the audit assignment to establish a basis for evaluating whether adequate and appropriate Internal Controls are in place to address the risks identified.

Where the Internal Auditor is required to provide an independent opinion over the presence, design, implementation and/or operating effectiveness of Internal Controls, this shall be consistent with the requirements of SIA 110, Nature of Assurance, especially with regard to the need to have a clear understanding of the Internal Controls Framework which shall form the basis of the assurance.

In situations where the Statutory Auditor is expected to rely on the work of the Internal Auditor as per Standard on Auditing (SA) 610, Using the Work of Internal Auditors, issued by ICAI, regarding their audit of Internal Financial Controls over Financial Reporting, the Internal Auditor shall document the objectives and agreed scope and approach of the internal audit over which reliance is to be placed by the Statutory Auditor.

SIA 130, Risk Management
Where the independent assurance requires the issuance of an audit opinion over the design, implementation and operating effectiveness of risk management, this shall be undertaken in line with the requirements of SIA 110, "Nature of Assurance", especially with regard to the need to have a formal Risk Management Framework in place, which shall form the basis of such an assurance.

The Internal Auditor shall not assume any responsibility to manage the risks or to execute risk management decisions. It is not the responsibility of the Internal Auditor to mitigate or resolve the risks.

"Basic Principles of Internal Audit" on Risk Based Audits requires the Internal Auditor to conduct the audits based on a risk assessment exercise. SIA 220, "Conducting Overall Internal Audit Planning" and SIA 310, "Planning the Internal Audit Assignment" mandate the Internal Auditor to conduct risk-based audit planning to ensure that due attention is given to matters of importance, complexity and sensitivity. Similarly, SIA 370, "Reporting Results" expects the auditor to consider the risk of the observations in deciding the matters to be reported.

Where a written assurance report is being issued, the Internal Auditor shall also consider the following as a basis for the audit opinion:
(a) The linkage of the risk management framework with the system of CEO and CFO certification on Internal Controls; and
(b) Certificates of self-compliance from owners of key risks to support a system of continuous compliance.

Checklist 9
Legal and Statutory Compliances
Process | Sub-process | Risk | Control Description | Control Owner | Test Performed

Process: Control Environment
Sub-process: Legal and Statutory
Risk: Non-compliance with legal and statutory requirements.
Control Description: The Board of Directors should clearly have a policy on 'Compliance with legal and statutory requirements' and demonstrate the same by periodic oversight.
Control Owner: Board of Directors
Test Performed: Review of the Legal and Regulatory Compliance policy. Review of the minutes of the meeting discussing it. Audit of legal and statutory compliances.

Process: Compliances
Sub-process: Legal and Statutory
Risk: Risk of non-compliance with a particular statute.
Control Description: To have a 'compliance calendar' which lists all the compliance requirements during the period / year and is then circulated to the department. At the due date, the legal team has to ensure that the requisite compliances are done. The compliance calendar is to be approved by the Board and periodically reviewed by the Directors.
Control Owner: Legal team and Board of Directors
Test Performed: a. Legal compliance calendar; b. Details of returns filed and compliances carried out; c. Minutes of the Board Meeting.

Process: Compliances
Sub-process: Legal and Statutory
Risk: Risk of the legal compliance calendar not being updated.
Control Description: The Head of Legal should ensure that any amendments to law, to the extent applicable, are also reflected in the compliance calendar.
Control Owner: Legal team
Test Performed: To review the amendments made to law (with reference to websites, authoritative pronouncements of the Government, expert advice, etc.) and see whether the amendments are carried into the calendar.

Process: Compliances
Sub-process: Legal and Statutory
Risk: Risk of incorrect interpretation of statutes.
Control Description: To take legal opinion on critical issues and advise the management accordingly. To discuss with the CFO and make the necessary entries / disclosures in the financial statements.
Control Owner: Legal team
Test Performed: To review the advice received from the legal experts and how the same has been addressed.

Process: Compliances
Sub-process: Legal and Statutory
Risk: Risk of no response given to the notices of the statutory authorities.
Control Description: All statutory notices should be sent to the CFO, Chief Legal or Chief Counsel as decided by the Board. All communication should be tracked with a tracking number and responded to within the timeframe given by law.
Control Owner: Legal team and Board of Directors
Test Performed: To review all the legal notices received and check that their responses were submitted within the timeframe.

Process: Compliances
Sub-process: Legal and Statutory
Risk: Risk of defending a case or contesting a demand without legal advice.
Control Description: No case or demand is to be contested without legal advice.
Control Owner: Legal team
Test Performed: The legal team should obtain written advice from experts before any claim is contested. On that basis, the legal team should hire an advocate to represent them.

Process: Compliances
Sub-process: Legal and Statutory
Risk: Risk of hiring a consultant or legal expert who does not have experience.
Control Description: Due diligence of the legal team (including their expertise as known to peers in the same industry, known associates / affiliates, etc.) and also to ensure that there is no dependency on one legal expert.
Control Owner: Legal Team, Board of Directors
Test Performed: Board to evaluate different legal firms and choose the one that meets the requirements of the entity, including their expertise, geographical spread, history of handling similar cases and their reputation.

Checklist 10
Operational and Administrative Expenses
Process Sub-process Risk Control Control Test Performed Attributes
Description Owner tested
Process: Operational and Administrative Expenses
Sub-process: Expense Budgeting and Planning
Risk: The risk of a poor expense budgeting and planning process lies in inaccurate projections, underestimated or overestimated costs, inflexibility, misalignment with objectives, incomplete analysis, and communication gaps, which can lead to financial strain.
Control Description: The organization establishes comprehensive controls for expense budgeting and planning, including data accuracy validation, multi-level review, alignment with strategic objectives, flexible contingency planning, regular monitoring, technology utilization, and continuous improvement to mitigate risks and ensure accurate resource allocation.
Control Owner: CFO
Test Performed: Perform tests including data accuracy, assumption validation, scenario analysis, alignment with objectives, budget vs. actual variance analysis, multi-level review, contingency planning, collaboration assessment, technology functionality, documentation review, continuous improvement evaluation, and policy adherence to ensure the effectiveness and accuracy of the expense budgeting and planning process.
Attributes tested: 1. Budget Documents; 2. Policies and procedures; 3. Email Correspondence; 4. Meeting Minutes; 5. Actual expense reports; 6. Financial statements; 7. Budget revisions; 8. Approval Logs.
Process: Operational and Administrative Expenses
Sub-process: Expense Approval Workflow
Risk: Risk of non-compliance with policy, segregation of duties issues, inconsistent approvals, approval delays, bias, limited visibility, errors, inefficient processes, lack of documentation, insufficient training, regulatory compliance concerns, audit trail gaps, system vulnerabilities, and scalability challenges.
Control Description: The organization implements controls such as enquiry, quotation comparison and least-cost service engagement with clear approval guidelines, segregation of duties, automated workflows, documented policies, training, multi-level reviews, electronic signatures, audit trail logging, transparency, real-time visibility, compliance reviews, and regular audits to ensure the integrity, accuracy, and efficiency of the expenses approval workflow for operational and administrative expenses.
Control Owner: Procurement
Test Performed: Perform tests including policy adherence checks, segregation of duties verification, electronic signature validation, real-time visibility, threshold assessment, compliance reviews, accuracy evaluations, training effectiveness assessments, and regulatory compliance verification to ensure the effectiveness, accuracy, and compliance of the expenses approval workflow process for operational and administrative expenses.
Attributes tested: 1. Expense approval records; 2. Expense reports; 3. Approval workflows; 4. Approval threshold levels; 5. Audit trail logs; 6. Exception handling documentation; 7. Manager training records.
Process: Operational and Administrative Expenses
Sub-process: Expenses Tracking and Recording
Risk: Risk of inaccurate data entry, missing documentation, policy non-compliance, duplicate entries, misallocation, human error, fraud, and technology failures, highlighting the need for robust controls and standardized procedures to ensure accurate financial reporting and decision-making.
Control Description: The organization implements a comprehensive expense policy with clear procedures, proper authorization, thorough documentation, and regular reconciliations to ensure accurate and transparent expenses tracking and recording while preventing fraud and errors.
Control Owner: CFO
Test Performed: Perform tests including policy compliance, service receipt verification, authorization checks, and reconciliation testing to ensure accurate, complete, and efficient expenses tracking and recording for both operational and administrative expenses.
Attributes tested: 1. Expenses policies and procedures; 2. Authorization records; 3. Expenses documentation; 4. Expenses reports; 5. Audit trails; 6. Reconciliation records.
Process: Operational and Administrative Expenses
Sub-process: Invoice Processing and Approval
Risk: Risks in invoice processing and approval include duplicate or fraudulent invoices, unauthorized approvals, data entry errors, manual processes, complex approval hierarchies, and inadequate compliance checks, necessitating robust controls and automation to mitigate potential financial, operational, and reputational impacts.
Control Description: The organization implements comprehensive controls for invoice processing and approval in operational and administrative expense processes, including 3-way matching, verification, segregation of duties, automated processing, compliance checks, and documentation, to ensure accuracy, prevent fraud, and maintain compliance.
Control Owner: Accounts Payable
Test Performed: Perform comprehensive tests including verification, segregation of duties, authorization, compliance checks, automated processing, and documentation to ensure the accuracy, security, and effectiveness of the invoice processing and approval process in operational and administrative expense workflows.
Attributes tested:
1. Invoices and supporting documentation
2. Approval records
3. Segregation of Duties records
4. Audit trails and logs
5. Vendor master data records
6. Automated system records
Process: Operational and Administrative Expenses
Sub-process: Expense Reimbursement
Risk: Risks in expense reimbursement processes include inaccurate submissions, policy violations, fraudulent claims, delayed submissions, lack of documentation, inadequate review, and non-compliance with regulations, necessitating strong controls, policy adherence, automation, and regular audits for risk mitigation.
Control Description: The organization implements a range of controls including policy adherence, documentation requirements, segregation of duties, automated systems, compliance checks, auditing, and timely reimbursement to ensure accurate, compliant, and secure handling of expense reimbursement within operational and administrative expenses.
Control Owner: Accounts Payable
Test Performed: Perform tests including policy adherence, authorization, compliance checks, timely reimbursement, data security, and system functionality to ensure accuracy, compliance, and efficiency in the expense reimbursement process.
Attributes tested:
1. Reimbursement requests
2. Receipts and supporting documentation
3. Reimbursement policy
4. Pre-approval records
5. Compliance check records
6. Audit trails and logs
Process: Operational and Administrative Expenses
Sub-process: Vendor Management
Risk: Risks in vendor management include vendor reliability, quality control, financial instability, compliance challenges, data security, contractual disputes, and overdependence, necessitating comprehensive processes to ensure reliable supply, compliance, quality, and financial stability while minimizing disruptions and legal liabilities.
Control Description: The organization implements comprehensive controls in vendor management to ensure vendor selection, contract agreements, performance monitoring, compliance checks, data security, risk mitigation, and continuous improvement, fostering reliable relationships while minimizing risks and disruptions.
Control Owner: Accounts Payable
Test Performed: Perform tests and assessments throughout the vendor management process, including due diligence, contract compliance, quality control, security, and regulatory adherence, to ensure vendors meet financial, contractual, quality, security, and legal requirements.
Attributes tested:
1. Vendor documentation
2. Financial records
3. Quality assurance records
4. Performance monitoring and reporting
5. Security and compliance documentation
6. Communication records
Process: Operational and Administrative Expenses
Sub-process: Expenses Analysis and Reporting
Risk: Risk of data inaccuracies, lack of documentation, compliance issues, manual inefficiencies, complex expense structures, reporting delays, technological limitations, change management challenges, third-party vendor issues, and insufficient oversight, all of which can impact financial accuracy and transparency.
Control Description: The organization implements controls such as expense approval processes, documentation standards, segregation of duties, automated systems, data reconciliation, audit trails, and training to ensure accuracy, compliance, and efficiency in expenses analysis and reporting for operational and administrative expenses.
Control Owner: Accounts Payable
Test Performed: Perform tests including expenses sampling, policy adherence checks, duplicate expenses detection, data reconciliation, budget compliance assessment, and verification of authorization levels to ensure accurate, compliant, and transparent expenses analysis and reporting for operational and administrative expenses.
Attributes tested:
1. Expenses documents
2. Expenses reports and summaries
3. Approval records
4. Expenses management system data
5. Bank and financial records
6. Expenses category documentation
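The analytical tests named in the Expense Approval Workflow, Invoice Processing and Expenses Analysis rows above (duplicate detection, segregation-of-duties verification, approval-threshold checks and 3-way matching) can be scripted over the entity's expense extract. The following Python script is an added example, not part of the checklist; the threshold, matching tolerance, duplicate window, vendors and amounts are constructed assumptions.

```python
"""Audit tests over expense/invoice records: an added example, not part of the checklist."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Invoice:
    invoice_id: str
    vendor: str
    invoice_no: str              # the vendor's invoice number as keyed in
    amount: float
    invoice_date: date
    submitted_by: str
    approved_by: str
    approver_role: str           # "staff" or "manager"
    po_amount: Optional[float]   # value of the matching purchase order, None if none exists
    grn_amount: Optional[float]  # value of the goods receipt note, None if none exists


# Assumed policy parameters (hypothetical; take them from the entity's own expense policy).
MANAGER_THRESHOLD = 5000.0   # amounts above this need manager-level approval
MATCH_TOLERANCE = 0.01       # permitted difference between invoice, PO and goods receipt
DUP_WINDOW_DAYS = 30         # same vendor and amount inside this window is a potential duplicate

Finding = Tuple[str, str]    # (invoice_id, message)


def normalise_no(invoice_no: str) -> str:
    """Compare invoice numbers case- and whitespace-insensitively ("a-100 " equals "A-100")."""
    return invoice_no.strip().upper()


def find_duplicates(invoices: List[Invoice]) -> List[Finding]:
    """Duplicate detection: a repeated invoice number, or the same vendor and amount within the window."""
    findings: List[Finding] = []
    first_seen: Dict[Tuple[str, str], str] = {}
    for inv in invoices:
        key = (inv.vendor, normalise_no(inv.invoice_no))
        if key in first_seen:
            findings.append((inv.invoice_id, f"same invoice number as {first_seen[key]}"))
        else:
            first_seen[key] = inv.invoice_id
    earlier: Dict[str, List[Invoice]] = {}   # invoices already processed, per vendor
    for inv in sorted(invoices, key=lambda i: i.invoice_date):
        for prev in earlier.get(inv.vendor, []):
            same_amount = abs(prev.amount - inv.amount) < MATCH_TOLERANCE
            in_window = (inv.invoice_date - prev.invoice_date).days <= DUP_WINDOW_DAYS
            different_no = normalise_no(prev.invoice_no) != normalise_no(inv.invoice_no)
            if same_amount and in_window and different_no:
                findings.append((inv.invoice_id, f"same amount as {prev.invoice_id} within {DUP_WINDOW_DAYS} days"))
        earlier.setdefault(inv.vendor, []).append(inv)
    return findings


def check_segregation_of_duties(invoices: List[Invoice]) -> List[Finding]:
    """The person who submitted an invoice must not be the person who approved it."""
    return [(i.invoice_id, "submitter approved own invoice") for i in invoices if i.submitted_by == i.approved_by]


def check_approval_threshold(invoices: List[Invoice]) -> List[Finding]:
    """Amounts above the threshold must carry a manager-level approval."""
    return [(i.invoice_id, f"amount {i.amount:.2f} above {MANAGER_THRESHOLD:.0f} approved by {i.approver_role}")
            for i in invoices if i.amount > MANAGER_THRESHOLD and i.approver_role != "manager"]


def three_way_match(invoices: List[Invoice]) -> List[Finding]:
    """3-way matching: invoice, purchase order and goods receipt must all exist and agree."""
    findings: List[Finding] = []
    for i in invoices:
        if i.po_amount is None or i.grn_amount is None:
            findings.append((i.invoice_id, "missing PO or goods receipt"))
        elif abs(i.amount - i.po_amount) > MATCH_TOLERANCE or abs(i.amount - i.grn_amount) > MATCH_TOLERANCE:
            findings.append((i.invoice_id, "invoice, PO and goods receipt do not agree"))
    return findings


def run_audit_tests(invoices: List[Invoice]) -> Dict[str, List[str]]:
    """Run every test and group the findings per invoice; clean invoices do not appear."""
    tests = [("duplicates", find_duplicates),
             ("segregation_of_duties", check_segregation_of_duties),
             ("approval_threshold", check_approval_threshold),
             ("three_way_match", three_way_match)]
    report: Dict[str, List[str]] = {}
    for name, test in tests:
        for inv_id, message in test(invoices):
            report.setdefault(inv_id, []).append(f"{name}: {message}")
    return report


# Constructed sample population (vendors, names and amounts are made up for the example).
SAMPLE_INVOICES = [
    Invoice("INV-1", "Acme Ltd", "A-100", 1200.0, date(2024, 3, 1), "alice", "bob", "staff", 1200.0, 1200.0),
    Invoice("INV-2", "Acme Ltd", "a-100 ", 1200.0, date(2024, 3, 5), "alice", "carol", "staff", 1200.0, 1200.0),
    Invoice("INV-3", "Beta Inc", "B-7", 8000.0, date(2024, 3, 10), "dave", "dave", "staff", 8000.0, 8000.0),
    Invoice("INV-4", "Beta Inc", "B-9", 8000.0, date(2024, 3, 20), "dave", "erin", "manager", 8000.0, None),
    Invoice("INV-5", "Gamma Co", "G-1", 450.0, date(2024, 4, 2), "frank", "gina", "staff", 400.0, 450.0),
]
```

Running `run_audit_tests(SAMPLE_INVOICES)` leaves INV-1 clean and flags the other four, each with the test that caught it.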
Process: Operational and Administrative Expenses
Sub-process: Expenses Reduction and Cost Control
Risk: Risk of operational disruption, employee morale impact, compromised quality, short-term focus, loss of competitive edge, unintended consequences, inadequate cost analysis, resistance to change, supplier relationship risks, over-reliance on automation, legal and compliance risks, lack of monitoring, misalignment with strategy, financial instability, and diminished customer experience.
Control Description: The organization implements controls such as budgetary oversight, cost analysis, management approval, stakeholder communication, employee engagement, vendor management, technology utilization, Lean practices, strategic alignment, regulatory compliance, and audit monitoring to ensure effective and sustainable expense reduction and cost control for operational and administrative expenses.
Control Owner: CFO
Test Performed: Perform tests including variance analysis, cost-benefit assessments, vendor contract reviews, employee engagement evaluations, technology utilization assessments, regulatory compliance audits, and operational impact assessments to validate the effectiveness of expense reduction and cost control efforts while minimizing risks and ensuring alignment with long-term strategy.
Attributes tested:
1. Budget reports
2. Financial statements
3. Vendor contracts
4. Process documentation
5. Key performance indicators
6. Operational metrics

Checklist 11
Government Grants

Columns: Process | Sub-process | Risk | Control Description | Control Owner | Test Performed | Attributes tested | Sample size

Process: Government Grants
Sub-process: Understanding the business
Risk: Risk of an eligible government grant not being claimed.
Control Description: To understand the business carefully, including reading the necessary materials and reviewing peers in the same industry, as to whether the particular business is eligible for a government grant.
Control Owner: Auditor
Test Performed: To understand how the business is eligible for government grants and document how the Company has assessed or evaluated that it is eligible for the grant.
Attributes tested: Eligibility for the Grant
Sample size: 100%
Process: Government Grants
Sub-process: Use of Government Grant
Risk: Risk of possible misuse of the Grant or non-compliance with the conditions.
Control Description: Periodically the CFO (designated employee) verifies compliance with grant terms, conditions, and reporting requirements, and that grant funds are being used for their intended purposes and are in compliance with applicable regulations.
Control Owner: Corporate Accounts
Test Performed: Review of the conditions for the Grant, and gain an understanding of the compliance requirements and how the same are aligned to the client's business.
Attributes tested: Eligibility for the Grant
Sample size: 100%

Process: Government Grants
Sub-process: Classification of Government Grant
Risk: Classification of funds as capital funds or revenue receipts.
Control Description: Classification is essential since the accounting treatment is fully dependent on it; a material error can misstate the financial statements.
Control Owner: Corporate Accounts
Test Performed: Whether the classification is based on the conditions prescribed in AS 12 or Ind AS 20.
Attributes tested: Classification of Grant
Sample size: 100%
Process: Government Grants
Sub-process: Capital Grant
Risk: Risk of misuse of Capital Grant.
Control Description: CFO (designated employee) to review the use of the capital grant as mentioned in the conditions to the Grant.
Control Owner: Corporate Accounts
Test Performed: Review of the document prepared by the CFO (designated employee) to indicate how the capital grant is expected to be used. Also review whether any other audit / review has been done by an independent official or representative of the Government to ensure utilisation, and whether documents like the utilisation certificate are available for review.
Attributes tested: Utilisation of the Grant
Sample size: 100%
Process: Government Grants
Sub-process: Capital Grant
Risk: Risk of assets procured which are not related to the project for which the Grant is obtained.
Control Description: a) Management to approve the expenditure; b) Select the vendors based on the quotations received; c) Receipt of assets and inspection of the assets; d) Acknowledging the receipt of the asset; e) Ensuring this is put to use.
Control Owner: Corporate Accounts and Accounts Payable
Test Performed: Review of the procurement process. Vouching of the expenditure with underlying purchase orders, invoices, receipt of assets and acknowledgement from the Company. Reviewing that the asset has been put to use.
Attributes tested: Actual procurement of assets
Sample size: To be decided based on the project size.
Process: Government Grants
Sub-process: Capital Grant
Risk: Accounting of Capital Grants.
Control Description: Review by the CFO (designated employee) to decide upon the accounting aspects, including whether to choose the option to reduce the Grant received from the overall cost of assets or show the same separately.
Control Owner: Corporate Accounts and Accounts Payable
Test Performed: Review of any note prepared by the CFO (designated employee) on the appropriate accounting treatment to be given.
Attributes tested: Appropriateness of Accounting
Sample size: 100%
Process: Government Grants
Sub-process: Revenue Grant
Risk: Risk of misuse of Revenue Grant.
Control Description: CFO (designated employee) to review the use of the revenue grant as mentioned in the conditions to the Grant.
Control Owner: Corporate Accounts
Test Performed: Review of the document prepared by the CFO (designated employee) to indicate how the revenue grant is expected to be used. Also review whether any other audit / review has been done by an independent official or representative of the Government to ensure utilisation, and whether documents like the utilisation certificate are available for review.
Attributes tested: Utilisation of the Grant
Sample size: To be decided based on the project size.
Process: Government Grants
Sub-process: Revenue Grant
Risk: Risk of assets procured which are not related to the project for which the Grant is obtained.
Control Description: a) Management to approve the expenditure; b) Select the vendors based on the quotations received; c) Receipt of goods and inspection of the goods; d) Acknowledging the receipt of goods; e) Ensuring this is put to use.
Control Owner: Corporate Accounts and Accounts Payable
Test Performed: Review of the procurement process. Vouching of the expenditure with underlying purchase orders, invoices, receipt of assets and acknowledgement from the Company. Reviewing that the asset has been put to use.
Attributes tested: Actual procurement of assets
Sample size: To be decided based on the project size.
Process: Government Grants
Sub-process: Financial Controls and Expenditures
Risk: Risk of unauthorized transactions.
Control Description: The transactions related to receipt and expenditure of Government grants are accurate, valid, properly authorized and supported by invoices, receipts, payment records, etc.
Control Owner: Corporate Accounts and Accounts Payable
Test Performed: Assess the adequacy and effectiveness of financial controls related to grant funds. Examine financial transactions and expenditures to ensure accuracy, validity, and proper authorization. Verify the documentation supporting financial transactions, such as invoices, receipts, and payment records.
Attributes tested: Accurate and authorized transactions
Sample size: 100%
Process: Government Grants
Sub-process: Budget and Expense Tracking
Risk: Risk of expenditure exceeding the approved budget.
Control Description: Management periodically compares the approved budget with actual expenses incurred during the Grant period. The budget variances are analysed and significant deviations from the original plan are investigated.
Control Owner: Corporate Accounts and Accounts Payable
Test Performed: Verify the process of formal review of budget vs actuals. Compare the approved budget with actual expenses incurred during the grant period. Analyze budget variances and investigate any significant deviations from the original plan.
Attributes tested: Budget vs Actual Expenditure
Sample size: 100%
Process: Government Grants
Sub-process: Revenue Grant
Risk: Risk of inappropriate accounting.
Control Description: Review by the CFO (designated employee) to decide upon the accounting aspects, ensuring that the Government Grant is accounted as a revenue grant over a period of time.
Control Owner: Corporate Accounts and Accounts Payable
Test Performed: Review of any note prepared by the CFO (designated employee) on the appropriate accounting treatment.
Attributes tested: Appropriateness of Accounting
Sample size: 100%
Process: Government Grants
Sub-process: Project Management
Risk: Risk of projects not being managed as per the plan.
Control Description: Typically, large projects for which the Government is giving the grant could be towards building a new facility or procurement of an asset, etc. Such projects need to be monitored closely, including (but not necessarily) having a separate team to monitor the progress and report to the CEO / Board as the case may be.
Control Owner: Project Manager
Test Performed: Review of progress (including, but not limited to, physical verification of the facility being constructed) and observe for any inordinate delays.
Attributes tested: Existence of facility and timely completion.
Sample size: 100%
Process: Government Grants
Sub-process: Reporting to Government
Risk: Risk of misstatement or misreporting to the Government.
Control Description: Review of the reports being shared with the Government by a higher authority, along with supporting documents.
Control Owner: CEO / CFO / COO
Test Performed: Review of the reports being shared with the Government against the project management reports and other documents. Assess the quality and accuracy of progress reports submitted to the funding agency. Check whether reporting timelines and requirements are being met.
Attributes tested: Accuracy of reporting to the Government.
Sample size: 100%

Checklist 12
Patents and Copyright

Columns: Process | Sub-process | Risk Description | Control | Control Owner | Test Performed | Attributes tested

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Risk of patents and copyrights being assigned to a third party.
Control: Whenever the Company hires a consultant or sub-contractor, or enters into an employment agreement, where it is intended that the copyright in the work arising in the course of the engagement rests with the entity, the relevant clauses are included in the agreements with them and drafted with sufficient care to ensure that their legal impact is considered.
Control Owner: Legal / CFO / Human Resource
Test Performed: To check that the agreement has a clause mentioning the ownership of any patents or copyrights arising out of the work done.
Attributes tested: Ensuring patents and copyrights are not used by a third party.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Risk of patents and copyrights assigned to a third party.
Control: Review of confidentiality clauses in the agreement, and that no part of their work would include existing patented or copyright material, or if any copyright is included, whether the permission is taken from the owner.
Control Owner: Legal / CFO / Human Resource
Test Performed: No case is filed against the company by a third party for violating copyrights.
Attributes tested: Non-compliance with patent and copyright law.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Assignment of copyrights may not be complete.
Control: If the copyright has been acquired, to ensure that the rights are assigned and documented properly with the copyright authorities.
Control Owner: Legal
Test Performed: Registration and assignment of copyright is complete in all respects.
Attributes tested: Registration of acquired patent and copyright.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Risk of a third party claiming the patents and copyrights.
Control: Proper patents and copyright notice should be given in all publicly distributed newspapers or media and on the literature wherever the company's work is communicated.
Control Owner: Legal
Test Performed: Company's official documents having reference to patents and copyrights are reviewed.
Attributes tested: Declaration of ownership of copyrights.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Risk of infringements.
Control: To inquire whether any third party has filed a case against the company for infringing patents and copyrights and, if so, what action the company has taken to defend it.
Control Owner: Legal
Test Performed: Discussions with legal advisors and reference to any advisory issued by them.
Attributes tested: Risks of using copyrights of a third party.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Risk of overstatement of the value of patents and copyrights.
Control: To review the impairment workings, the assumptions on the economic returns the business expects to get from the copyrights, and whether the present value of returns is likely to be more than the carrying value of the patents and copyrights. Further, if required, whether the valuation has been done by a valuation expert.
Control Owner: Legal
Test Performed: Review of the impairment workings and the assumptions on cash flows, revenue, discount rate, tax impact, etc. Review of the valuation expert's report for the assumptions made and the justification for the value (as to whether it is reasonable or not).
Attributes tested: Valuation of patents and copyrights.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Risk of overstatement of the value of copyrights.
Control: Whether the cost of copyright is amortised over the useful life.
Control Owner: CFO
Test Performed: To review the amortisation workings and ensure that the amortisation period is not beyond the legal life.
Attributes tested: Valuation of patents and copyrights.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Non-compliance with agreements.
Control: Review of all the agreements of acquisition, technology transfer, royalty, etc., to observe for any clauses on non-compliance.
Control Owner: Legal / CFO
Test Performed: Check the non-compliance clause in the agreement and how the same is being dealt with.
Attributes tested: Ensuring there are no non-compliances with contractual obligations.

Process: Intellectual Property Rights
Sub-process: Patents
Risk Description: Risk of the Company's processes and copyrights being infringed by a third party.
Control: To ensure that all IP Rights including Patents and Copyrights are registered with the Government authorities.
Control Owner: Legal and Secretarial Team
Test Performed: To check copies of registered patents and copyrights and check for any infringement.
Attributes tested: Possibility of any new product being developed which poses a risk of a competitor or the market using the same in an unauthorised manner.

Process: Intellectual Property Rights
Sub-process: Patents
Risk Description: Risk of the Company's IP Rights not being identified during any business acquisition.
Control: To review the process of business acquisition, as it is possible that the acquiree had certain intellectual property rights which were not identified or recognised during acquisition.
Control Owner: Legal and Secretarial Team / CFO
Test Performed: To discuss with the CFO and Legal team how they have ensured that all the intellectual property rights have also been acquired and the legal status has been transferred to the acquiring business name.
Attributes tested: Possibility of any intellectual property right not being accounted.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Possibility of new products developed and launched in the market without having patents and copyrights over them.
Control: To ensure the registration of patents and copyrights after a product is developed.
Control Owner: Legal / CFO
Test Performed: To check that patents and copyrights registration is taken for all new products developed and registered.
Attributes tested: Risk of non-registration of new product patents and copyrights.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Risk of non-compliance with specific industry regulations, such as those for pharmaceuticals, software, telecommunication and technology, consumer electronics, food products, etc.
Control: A checklist of all compliances required as per all industry regulations is prepared.
Control Owner: Legal / CFO
Test Performed: To review the compliance requirements of all the industry standard regulations.
Attributes tested: Compliance with local laws and regulations.

Intellectual Patents Unauthorized Secure document IT To review that Risk of


Property and access to management Department access unauthorized
Rights Copyrights patent/copyright system with access permissions access to
documentation. controls and are properly patent/copyright
implement non- configured in documentation.
disclosure the document
agreements for management
external parties. system and
NDA
Compliance
Testing is
carried out.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Unauthorized use leading to loss of licensing revenue.
Control: Strong licensing agreements and tracking of usage.
Control Owner: Legal and Secretarial Team
Test Performed: To review logs and reports generated by software or systems that track usage of licensed software or intellectual property, and ensure that the usage data is accurate and comprehensive, covering all licensed assets.
Attributes tested: Risk of unauthorized use of licensed software.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Misplacement or destruction of patent/copyright records.
Control: Backup and disaster recovery procedures for IP records.
Control Owner: IT Department
Test Performed: To test the frequency of data backups to ensure that critical IP records are backed up at appropriate intervals, verify the integrity of backup data to ensure that it is not corrupted or compromised during the backup process, and perform data restoration tests to confirm that IP records can be successfully recovered from backups.
Attributes tested: Risk of destruction of patent/copyright records.

Process: Intellectual Property Rights
Sub-process: Patents and Copyrights
Risk Description: Lack of Intellectual Property policies and procedures covering aspects such as ownership of and right to use the IP, procedures for identification, evaluation, protection and management of IP, procedures for cooperation with third parties, guidelines on the sharing of profits from successful commercialization, etc.
Control: Develop and implement clear IP policies and procedures, and ensure employees are aware of and trained on IP policies.
Control Owner: Legal / CFO / Human Resource
Test Performed: To review IP policies and procedures to ensure they are well-documented, up-to-date, and comprehensive, and verify that the policies comply with relevant intellectual property laws and regulations.
Attributes tested: To ensure that there are policies and procedures for Intellectual Property.

Checklist 13
Business Continuity Plan

Columns: Process | Sub-process | Risk Description | Control | Control Owner | Test Performed | Attributes tested

Process: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Sub-process: Preparation, Review and Approval
Risk Description: Risk of not having a BCP and DRP document.
Control: The organization has a formally reviewed and approved BCP and DRP document.
Control Owner: Information Technology Department.
Test Performed: Perform a comprehensive series of tests including evaluation of the risk assessment process, business impact analysis, scope and dependency verification, alignment with business objectives, threat scenario simulation, documentation review, dependency mapping, personnel training, backup and recovery tool testing, communication plan validation, testing of recovery procedures, data integrity verification, alternate site activation testing, testing frequencies determination, third-party vendor testing, user acceptance testing, incident handling simulation, recovery documentation validation, and regulatory compliance checks to ensure the effectiveness, accuracy, and feasibility of the BCP and DRP.
Attributes tested:
1. Risk assessment reports.
2. Business Impact Analysis (BIA) documentation.
3. Scope and dependency documentation.
4. Alignment with business objectives.
5. Threat scenario test results.
6. Documentation of plans.
Process: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Sub-process: Testing of BCP and DRP
Risk Description: Risk of inadequate stakeholder engagement, misalignment with business objectives, lack of technical expertise, incomplete documentation, version control issues, overly complex plans, lack of accountability, scope changes, insufficient testing, limited review time, bias and conflict of interest, overlooked dependencies, regulatory compliance gaps, communication breakdown, and resistance to change.
Risk of disruptions to production systems, inadequate test scenarios, failure to identify weaknesses, operational impact, data privacy violations, incomplete recovery, resource constraints, testing complexity, unpredictable outcomes, inaccurate assumptions, data corruption, lack of stakeholder involvement, insufficient documentation, and challenges with testing complexity.
Control: The organization's mitigation strategies encompass stakeholder involvement, regular updates, technical input, clear documentation, version control, ownership clarity, scope coverage, testing, unbiased review, compliance checks, effective communication, and change management approaches to ensure plan quality and alignment.
The organization plans carefully, involves stakeholders, ensures compliance, balances thoroughness, documents processes, validates recovery strategies, analyses outcomes, and continually refines the plans based on testing results.
Control Owner: Information Technology Department.
Test Performed: Perform tests including stakeholder engagement, business alignment validation, technical expertise assessment, documentation accuracy and completeness checks, version control verification, clarity and understandability evaluation, ownership assignment, scope consistency verification, effectiveness testing, adequate review time assessment, unbiased review evaluation, dependency mapping validation, regulatory compliance audit, communication effectiveness assessment, and change management testing to ensure the quality, accuracy, and alignment of the BCP and DRP.
Perform tests including tabletop exercises, functional testing, full-scale simulations, data recovery tests, communication tests, alternate site activation tests, load balancing/failover testing, performance testing, user access testing, resource availability tests, integration testing, data integrity testing, Recovery Time Objective (RTO) testing, documentation review, training assessment, scenario variability testing, management involvement testing, lessons learned analysis, and post-test evaluation.
Attributes tested:
1. Stakeholder feedback.
2. Business alignment records.
3. Technical expert assessment reports.
4. Documentation completeness.
5. Version control records.
6. Regulatory compliance documentation.
7. Testing scenarios and plans.
8. Test scripts and procedures.
9. Test results.
10. Communication records.
11. Data recovery documentation.
12. Backup and restoration records.
Process: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Sub-process: Review and periodic update of BCP and DRP
Risk Description: Risk of outdated information, incomplete documentation, unaddressed risks, non-compliance, lack of stakeholder involvement, inaccurate dependencies, unrealistic recovery objectives, complexity increase, time/resource constraints, inadequate testing, inconsistent version control, scope creep, change management challenges, and lack of awareness.
Control: The organization's mitigation strategies involve structured review processes, ownership assignment, stakeholder involvement, thorough testing, regulatory alignment, resource prioritization, version control, clear communication, and continuous assessment of the plans' relevance to evolving business needs and risks, ensuring that the BCP and DRP document is aligned and updated periodically with version controls.
Control Owner: Information Technology Department.
Test Performed: Perform tests including document review, scenario validation, dependency check, regulatory compliance, recovery objectives assessment, stakeholder involvement, risk assessment, testing plan review, communication protocol assessment, resource allocation test, training and awareness evaluation, change management assessment, version control check, complexity review, scalability assessment, business impact analysis update, lessons learned integration, and communication test to ensure the effectiveness, accuracy, and alignment of the updated BCP and DRP processes with the organization's evolving needs.
Attributes tested:
1. Updated documentation.
2. Documentation review logs.
3. Scenario validation results.
4. Dependency verification.
5. Regulatory compliance documentation.
6. Stakeholder feedback records.
Process: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Sub-process: Backup Policies and Procedures
Risk Description: Risk that the Backup Policies and Procedures formulated are not in line with business requirements, leading to backup failures and loss of financial data.
Control: The organization's Backup Policies and Procedures are formalized after a formal risk assessment of Information Security (IS) threats and adhered to for compliance. Business Process Owners and Information Technology (IT) functional heads are involved in determining what backup resources are required. Backups of all critical servers (application and database) are taken on a daily / weekly / monthly basis. Backups are taken to a centralised server (primary server) or to a third-party infrastructure (cloud).
Control Owner: Information Technology Department.
Test Performed: Testing of the backup policy and schedule within a BCP has to be performed, which is essential for ensuring the reliability of data recovery processes during disruptions. This involves regular tests like backup and restoration simulations, full system recovery trials and partial data restoration assessments. Additionally, the backup frequency, retention, offsite storage, encryption and notification procedures should be systematically tested. Incorporating scenario-based testing, documentation review and performance assessments, these tests validate the effectiveness of backup strategies under diverse circumstances.
Attributes tested:
1. Backup Policies and Procedures.
2. Policy approval records.
3. Backup configuration records.
4. Testing records.
5. Backup notification records.
6. Backup infrastructure documentation.
Process: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Sub-process: Backup Schedules
Risk Description: Financial data loss and resource strain due to frequent failures in backups, potential gaps in recovery points, and challenges in managing complex schedules. Failure to balance the need for data protection against resource limitations: longer backup intervals increase the risk of significant data loss, while frequent backups might impact system performance and require additional resources.
Control: The organization implements robust controls for executing the backup schedule within the BCP, which is imperative for ensuring data protection and efficient recovery. Automation tools are employed to schedule backups at defined intervals, reducing the risk of errors and ensuring consistency.
Control Owner: Information Technology Department.
Test Performed: Regular testing of backup integrity and recovery processes is to be initiated, and detailed documentation combined with a change management process helps track adjustments to the schedule. Alignment of the backup schedule with the recovery time objective (RTO) and recovery point objective (RPO) requirements is to be ensured, so that recovery is timely and data loss stays within the accepted limit. Additional strategies involve implementing redundancy, offsite backups, encryption and monitoring of storage capacity to support effective backup processes.
Attributes tested: 1. Backup logs. 2. Timestamps. 3. Backup reports. 4. Data integrity checks. 5. Notification emails. 6. Backup retention records.
Process: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Sub-process: Monitoring of Backup Failures and Action Taken
Risk Description: Undetected backup failures, inadequate alerting, human error, and incomplete monitoring that could compromise data protection.
Control: The organization's mitigation measures include implementing automated monitoring tools with proper alert configurations, regular training for personnel, comprehensive coverage of monitored systems, and well-documented procedures for responding to failures; alert thresholds should be fine-tuned and tiered alerting implemented.
Control Owner: Information Technology Department.
Test Performed: Preparation of detailed documentation of incidents and cross-training of personnel mitigate the risks of dependency and confusion. Technical glitches are managed by testing the monitoring tools and introducing redundancy. Perform tests to verify the accuracy and efficiency of backup failure monitoring and response processes within the BCP, including alert configuration, notification, escalation, coverage, personnel training, documentation, backup remediation, technical glitch handling, backup validation, dependency scenarios, alert fatigue assessment, performance impact analysis, incident trend analysis and audit trail review.
Attributes tested: 1. Alert log reports. 2. Notification records. 3. Alert escalation records. 4. Personnel actions log. 5. Incident reports. 6. Documentation of procedures. 7. Training records.
Process: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Sub-process: Re-run of Backup Job
Risk Description: Data inconsistency, backup window overruns, resource over-utilization, dependency on personnel, versioning and compatibility issues, increased risk of failure, overwriting of existing backups, impact on recovery point objectives, notification and monitoring challenges, documentation and auditing concerns, and data privacy and security considerations.
Control: The organization implements controls such as change management, version compatibility testing, data validation, resource allocation, a testing environment, personnel availability, backup log review, verification, notification and monitoring, data retention, documentation, security measures, audit trails and regular testing to effectively manage the risks associated with the "Rerun backup job" process in the BCP.
Control Owner: Information Technology Department.
Test Performed: Perform tests to verify compatibility, data validation, backup verification, resource utilisation, notification, personnel availability, change management, documentation review, data retention, security and privacy, audit trail creation, personnel training, overwriting protection, impact assessment and incident handling, to ensure the effectiveness and reliability of the "Rerun backup job" within the BCP.
Attributes tested: 1. Rerun documentation. 2. Compatibility test results. 3. Data validation reports. 4. Backup verification reports. 5. Resource utilisation reports.
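The Backup Schedules, Monitoring of Backup Failures and Re-run of Backup Job rows describe one check from three angles: does a successful backup of each critical server exist that is no older than its recovery point objective, which failed jobs need a rerun, how alerts are tiered so that a single bad night does not cause alert fatigue, and how a rerun is kept from overwriting the last good backup set. The following is an added example, not from the checklist, of that check run in Python over a constructed backup job log; the schedule table, the RPO-based WARNING/CRITICAL thresholds, the log format and the point in time at which the check runs are assumptions.

```python
"""Backup schedule compliance and failure monitoring over a backup job log.

Added example for this checklist (not from the book). The policy table,
alert thresholds, log lines and check time are constructed for illustration.
"""
from datetime import datetime, timedelta

# Approved backup schedule as the auditor extracts it from the policy:
# server -> (frequency label, recovery point objective). A server counts as
# protected only if a SUCCESSFUL backup exists that is no older than its RPO.
POLICY = {
    "app01": ("daily", timedelta(hours=24)),
    "db01": ("daily", timedelta(hours=24)),
    "fs01": ("weekly", timedelta(days=7)),
}

# Constructed job log: timestamp, server, job id, status, bytes written.
LOG = """\
2024-03-01T01:05:00 db01 job-1001 SUCCESS 48213112
2024-03-01T01:10:00 app01 job-1002 SUCCESS 1203311
2024-03-01T02:00:00 fs01 job-1003 SUCCESS 99031202
2024-03-02T01:05:00 db01 job-1004 FAILED 0
2024-03-02T01:10:00 app01 job-1005 SUCCESS 1204410
2024-03-03T01:05:00 db01 job-1006 FAILED 0
2024-03-03T01:10:00 app01 job-1007 SUCCESS 1199876
"""

# Point in time at which the check is run (assumed).
NOW = datetime(2024, 3, 3, 12, 0)


def parse_log(text):
    """Parse one job record per line into dicts; malformed lines are skipped."""
    jobs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, server, job_id, status, size = parts
        jobs.append({"ts": datetime.fromisoformat(ts), "server": server,
                     "job": job_id, "status": status, "bytes": int(size)})
    return jobs


def last_success(jobs, server):
    """Most recent job that reported SUCCESS and actually wrote data."""
    ok = [j for j in jobs if j["server"] == server
          and j["status"] == "SUCCESS" and j["bytes"] > 0]
    return max(ok, key=lambda j: j["ts"]) if ok else None


def severity(age, rpo):
    """Tiered alerting (assumed thresholds): WARNING once the RPO is missed,
    CRITICAL after two RPO windows, so one noisy night does not page on-call."""
    if age <= rpo:
        return "OK"
    if age <= 2 * rpo:
        return "WARNING"
    return "CRITICAL"


def assess(jobs, policy, now):
    """For every server in the approved schedule report the last good set,
    how stale it is against the RPO, the failed jobs since then and whether a
    rerun is due. The last good set is named so that a rerun targets a new set
    and never overwrites it."""
    findings = {}
    for server, (frequency, rpo) in policy.items():
        good = last_success(jobs, server)
        failed = sorted(j["job"] for j in jobs
                        if j["server"] == server and j["status"] == "FAILED"
                        and (good is None or j["ts"] > good["ts"]))
        age = (now - good["ts"]) if good else None
        findings[server] = {
            "frequency": frequency,
            "last_good_set": good["job"] if good else None,  # do not overwrite
            "age_hours": round(age.total_seconds() / 3600, 1) if age is not None else None,
            "severity": severity(age, rpo) if age is not None else "CRITICAL",
            "failed_since_last_good": failed,
            "rerun_required": good is None or bool(failed),
        }
    return findings


def run_check(now=NOW):
    return assess(parse_log(LOG), POLICY, now)


if __name__ == "__main__":
    for server, f in run_check().items():
        print(server, f["severity"], "last good:", f["last_good_set"],
              "age(h):", f["age_hours"], "rerun:", f["rerun_required"])
```

The auditor's attributes for these rows (backup logs, timestamps, notification records) map directly onto the inputs: the log is the evidence, the policy table is the approved schedule, and the per-server result is what the organization's own monitoring dashboard should already show. With the constructed log, db01 has had two consecutive failures and its last good set is more than two RPO windows old, so it is CRITICAL and a rerun is due; app01 and fs01 are within their RPO. If the monitoring tool cannot produce the same picture from the same log, the finding is against the monitoring control, not only against the backup.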
Process: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Sub-process: Storage of Backup Tapes - Onsite and Offsite
Risk Description: Physical damage, single points of failure, limited accessibility, human error, transportation vulnerabilities, security concerns at offsite facilities, vendor reliability issues, longer recovery times, data privacy and compliance challenges, and the potential for unnoticed deterioration.
Control: The organization implements controls to secure physical data storage both onsite and offsite within the BCP. For onsite storage, it utilizes fireproof storage, controls access, ensures redundancy, and maintains proper labelling. For offsite storage, it prioritizes secure transportation, assesses vendors rigorously, encrypts during transit, tracks access, conducts audits, establishes data privacy agreements, defines retrieval protocols, and ensures redundancy.
Control Owner: Information Technology Department.
Test Performed: Perform tests to review general measures such as documentation, regular monitoring, restoration testing, personnel training, incident response plans, and physical security, to safeguard data integrity and facilitate efficient recovery in alignment with the BCP.
Attributes tested: 1. Physical security measures documentation. 2. Climate control records. 3. Access control logs. 4. Vendor agreements. 5. Secure transportation records. 6. Access logs.
Process: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Sub-process: Restoration of Backed-up Data
Risk Description: Data integrity issues, data inconsistency, extended recovery times, application compatibility challenges, dependency complications, inadequate documentation, human errors, personnel unavailability, testing gaps, technical glitches, insufficient bandwidth, and security / compliance concerns.
Control: The organization's mitigation control involves robust testing, comprehensive documentation, personnel training, data validation, dependency management, redundancy planning, regular validation, technical resilience, and adherence to security and compliance protocols, to ensure effective data recovery and minimized disruption.
Control Owner: Information Technology Department.
Test Performed: Perform comprehensive tests including full and partial restoration, cross-system dependencies, data integrity checks, application compatibility, recovery time objective assessment, documentation review, user acceptance, personnel availability, testing gap identification, technical glitch simulation, data volume evaluation, security / compliance validation, incident scenario simulation, and backup validation, to ensure the reliability and effectiveness of data restoration within the BCP.
Attributes tested: 1. Restoration test reports. 2. Data integrity verification. 3. Partial restoration records. 4. Dependency test results. 5. Application compatibility reports.
Process: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Sub-process: Evaluation of Restoration of Backed-up Data from Offsite Storage
Risk Description: Data integrity issues, inadequate testing, unreliable restoration, storage facility vulnerabilities, location challenges, outdated documentation, untrained personnel, third-party dependency risks, communication gaps, lack of regular review, unplanned costs, data privacy concerns, loss of control, resource limitations, and testing constraints.
Control: The organization implements controls to mitigate these risks: regular testing and updates, accurate documentation, due diligence with vendors, proper communication, geographical considerations, compliance review, personnel training, contingency planning, and integration with overall recovery testing.
Control Owner: Information Technology Department.
Test Performed: Perform tests including data retrieval, integrity, restoration time, documentation review, facility access, environmental simulation, vendor assessment, personnel training evaluation, communication testing, documentation update verification, cost analysis, data privacy compliance check, contingency planning assessment, resource allocation test, and full recovery simulation, to evaluate and ensure the effectiveness of the offsite storage process in the BCP.
Attributes tested: 1. Testing plans. 2. Test results. 3. Data retrieval logs. 4. Data integrity verification. 5. Restoration time data. 6. Documentation assessment results.
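Both restoration rows (onsite and offsite) rest on the same data integrity verification: a restore is only evidence if every restored file can be shown to match what was backed up, and the list of expected files must not itself be alterable by whoever can alter the backup media. The following is an added example, not from the checklist, in Python: a SHA-256 manifest is built at backup time and sealed with an HMAC, and a restored tree is checked against it, reporting corrupt, missing and unexpected files and rejecting a forged manifest. The backup-set contents, the manifest key and the temporary directory are constructed assumptions; in practice the key is held outside the backup media (a KMS or HSM).

```python
"""Restoration integrity verification against a sealed backup manifest.

Added example for this checklist (not from the book). Backup-set contents and
the manifest key are constructed; keep the real key off the backup media.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_KEY = b"assumed-manifest-key-kept-outside-backup-media"

# Constructed backup set: relative path -> content at backup time.
BACKUP_SET = {
    "db/ledger.sql": b"INSERT INTO ledger VALUES (1, 'opening', 100000);\n",
    "app/config.yml": b"db_host: db01\nretention_days: 35\n",
    "app/static/logo.png": bytes(range(256)),
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Record size and SHA-256 of every file, then seal the manifest with an
    HMAC so the data and the list of expected files are both tamper-evident."""
    entries = {p: {"sha256": sha256(d), "size": len(d)} for p, d in files.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def write_tree(root, files):
    """Lay the backup set out on disk (stands in for the restore job)."""
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def verify_restore(root, manifest):
    """Compare a restored tree with the sealed manifest. Returns a per-file
    status (OK / CORRUPT / MISSING / UNEXPECTED), or {"manifest": "TAMPERED"}
    when the seal does not match, in which case no file result is trusted."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["hmac"]):
        return {"manifest": "TAMPERED"}
    root = Path(root)
    report = {}
    for rel, meta in manifest["entries"].items():
        path = root / rel
        if not path.is_file():
            report[rel] = "MISSING"
            continue
        data = path.read_bytes()
        ok = len(data) == meta["size"] and sha256(data) == meta["sha256"]
        report[rel] = "OK" if ok else "CORRUPT"
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in manifest["entries"]:
            report[rel] = "UNEXPECTED"
    return report


def demo():
    """Run a clean restore, a damaged restore and a forged-manifest check."""
    manifest = build_manifest(BACKUP_SET)
    with tempfile.TemporaryDirectory() as d:
        write_tree(d, BACKUP_SET)
        clean = verify_restore(d, manifest)
        # Simulate a bad restore: one file altered, one lost, one stray file left.
        ledger = Path(d) / "db/ledger.sql"
        ledger.write_bytes(b"INSERT INTO ledger VALUES (1, 'opening', 999999);\n")
        (Path(d) / "app/config.yml").unlink()
        (Path(d) / "app/leftover.tmp").write_bytes(b"x")
        damaged = verify_restore(d, manifest)
        # Simulate an attacker editing the manifest to match the altered ledger
        # without the key: the seal no longer verifies.
        altered = ledger.read_bytes()
        forged = {"entries": dict(manifest["entries"]), "hmac": manifest["hmac"]}
        forged["entries"]["db/ledger.sql"] = {"sha256": sha256(altered), "size": len(altered)}
        tampered = verify_restore(d, forged)
    return clean, damaged, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged", "tampered"), demo()):
        print(label, result)
```

The per-file report is the "data integrity verification" attribute in a form the auditor can re-perform: the manifest is produced by the backup job and stored with the offsite copy, and the restoration test report should state, for every file, which of the four outcomes applied. A restore that produces UNEXPECTED files is as much a finding as one that produces CORRUPT ones, because it means the restored environment is not the one that was backed up.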
Process: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Sub-process: Training and Awareness
Risk Description: Inadequate content, lack of customization, infrequent sessions, poor engagement, communication breakdown, personnel changes, over-reliance on key individuals, misinterpreted procedures, lack of testing, resistance to change, cultural / language barriers, unrealistic scenarios, inadequate management support, technology challenges, and incomplete evaluation.
Control: The organization's mitigation control ensures relevant, engaging and regular training, effective communication, diverse participation, realistic scenarios, management endorsement, and continuous improvement based on feedback. The organization implements controls such as customized training content, frequent sessions, engaging methods, clear communication, personnel change plans, diverse participation, crisis simulations, multi-language / cultural considerations, senior management involvement, feedback collection, training evaluation, and documentation.
Control Owner: Information Technology Department.
Test Performed: Perform tests including knowledge assessments, scenario simulations, communication drills, role-play exercises, tabletop exercises, evacuation drills, technology failure simulations, response time assessments, feedback collection, post-training surveys, documentation reviews, crisis communication tests, leadership evaluations, decision-making assessments, and adaptability tests, to thoroughly assess employees' preparedness and understanding within the training and awareness process of the BCP.
Attributes tested: 1. Training attendance records. 2. Training materials. 3. Knowledge assessment results. 4. Scenario-based exercise reports. 5. Communication drill records. 6. Evacuation drill records.

Checklist 14
Related Party Transactions

Columns: Final process; Sub-process; Risk Description; Control; Test Performed; Attributes tested.

Process: Related Party Transactions
Sub-process: Entity level controls
Risk Description: Non-identification of related parties.
Control: The Company Secretary (or equivalent, in the absence of a company secretary) should have a policy on identifying related parties, including obtaining declarations from directors regarding their interests in companies and other business entities and the positions they hold, as directors or otherwise, in other business entities.
Test Performed: Obtain copies of the declarations made by the directors and check whether they have been discussed at the Board. Further, check whether the existing list of related parties has been updated with any new information from the directors.
Attributes tested: a. Declarations given by directors; b. Review by the Board of Directors through the minutes of the meeting; c. Updated list of related parties.

Process: Related Party Transactions
Sub-process: Entity level controls
Risk Description: Non-identification of related parties - subsidiaries.
Control: A list of related parties (subsidiaries) is prepared, together with the other documents related thereto. Transactions carried out with subsidiaries are properly recorded.
Test Performed: Review the notes prepared by the Corporate Accounts Team to understand how they have identified entities as subsidiaries and the tests applied under AS 21 or under Ind AS 110, as the case may be.
Attributes tested: Relationship with other entities.

Process: Related Party Transactions
Sub-process: Entity level controls
Risk Description: Non-identification of related parties - associates.
Control: A list of related parties (associates) is prepared, together with the other documents related thereto. Transactions carried out with associates are properly recorded.
Test Performed: Review the notes prepared by the Corporate Accounts Team to understand how they have identified entities as associates and the tests applied under AS 23 or under Ind AS 28, as the case may be.
Attributes tested: Relationship with other entities.

Process: Related Party Transactions
Sub-process: Entity level controls
Risk Description: Non-identification of related parties - jointly controlled entities or joint ventures.
Control: A list of related parties (jointly controlled entities or joint ventures) is prepared, together with the other documents related thereto. Transactions carried out with jointly controlled entities or joint ventures are properly recorded.
Test Performed: Review the notes prepared by the Corporate Accounts Team to understand how they have identified entities as jointly controlled entities or joint ventures and the tests applied under AS 27 or under Ind AS 28, as the case may be.
Attributes tested: Relationship with other entities.

Process: Related Party Transactions
Sub-process: Entity level controls
Risk Description: Non-identification of related parties.
Control: Identification of related parties, including as per Regulation 23 of the SEBI LODR Regulations.
Test Performed: Review the notes prepared by the Company Secretary's team on the applicability of the SEBI LODR Regulations and the identification of additional related party transactions. Review the minutes of the audit committee and of the Board of Directors.
Attributes tested: Relationship with other entities.

Process: Related Party Transactions
Sub-process: Transaction level
Risk Description: Non-identification of Key Managerial Personnel (KMP) as related parties.
Control: Identification of Key Managerial Personnel (KMP) as related parties.
Test Performed: Review the appointment letters of the KMP, their roles and responsibilities, and the conclusion drawn on whether they are related parties or not.
Attributes tested: Nature of responsibilities.

Process: Related Party Transactions
Sub-process: Transaction level
Risk Description: Approval for transactions with related parties.
Control: Ensuring compliance with Section 188 of the Companies Act, 2013 and Regulation 23 of the SEBI LODR Regulations.
Test Performed: Review the approvals by the audit committee and the Board of Directors.
Attributes tested: Basis and copy of approvals.

Process: Related Party Transactions
Sub-process: Transaction level
Risk Description: Transactions with related parties which are not approved.
Control: Review of the contracts (with copies of the PO / invoice / any other document) with related parties, ensuring that the contract terms are approved by the Board.
Test Performed: Review the approvals by the audit committee and the Board of Directors.
Attributes tested: Basis and copy of approvals.

Process: Related Party Transactions
Sub-process: Transaction level
Risk Description: Transactions which are not at arm's length price.
Control: Whether the company has reviewed the transactions with related parties and has carried out a transfer pricing study to ensure that the prices charged are at arm's length. Observe whether there are transactions which are abnormally over- or under-priced (risk of fraud and non-compliance).
Test Performed: Review the transfer pricing study report and compare it with the contracts.
Attributes tested: Pricing of the transactions with related parties.

Process: Related Party Transactions
Sub-process: Transaction level
Risk Description: Transactions for services rendered by family members.
Control: Whether the transactions disclosed are as per AS 18 / Ind AS 24 (as the case may be).
Test Performed: Review the disclosures made in the financial statements / information submitted to regulatory authorities.
Attributes tested: Disclosure required as per AS 18 / Ind AS 24 and as per the financial statements / information.

Checklist 15
Audit Conclusion

Columns: Final process; Sub-process; Test Performed.

Audit Conclusion / Review Audit Objectives and Scope
a) Verify whether the audit objectives set at the beginning of the audit have been met.
b) Ensure that the audit scope was adhered to and that any deviations are documented appropriately.

Audit Conclusion / Verify Audit Work
a) Cross-reference workpapers, evidence received, and audit documentation to ensure accuracy and completeness.
b) Validate that audit procedures were performed in accordance with the established standards and methodologies.

Audit Conclusion / Assess Materiality
a) Determine the materiality thresholds used for assessing findings and their impact on the audit report.
b) Confirm that identified issues and discrepancies meet the defined materiality criteria.

Audit Conclusion / Evaluate Internal Controls
a) Review the effectiveness of internal controls relevant to the audit objectives.
b) Identify any weaknesses or deficiencies in internal controls and assess their impact on the audit findings.

Audit Conclusion / Analyse Audit Findings
a) Summarize the audit findings, including significant issues and exceptions.
b) Categorize findings based on their severity and potential impact.
c) For each finding, identify the root cause and provide recommendations (based on industry best practices) to address it.

Audit Conclusion / Obtain Management Responses
a) Communicate audit findings and recommendations to management personnel.
b) Obtain management's responses to the audit findings, including any corrective actions planned or taken.
c) Obtain the target timeline for corrective actions.

Audit Conclusion / Review Corrective Actions
a) Evaluate the adequacy of proposed / implemented corrective actions to address the audit findings.
b) Ensure that management's responses are aligned with the identified issues.

Audit Conclusion / Finalize the Audit Report
a) Compile audit findings, management responses, and supporting evidence into a comprehensive audit report.
b) Ensure the report follows the organization's prescribed format and includes the required sections.
c) Address any feedback or revisions required by the reviewer of the audit report.
d) Ensure that the audit report is clear, concise, and free of errors.
e) Circulate the finalized audit report to the relevant stakeholders, including management, the audit committee, and regulatory bodies as required.

Audit Conclusion / Review for Objectivity and Accuracy
a) Verify that the audit report is unbiased, factual, and objective in its presentation.
b) Confirm that all findings and conclusions are accurately portrayed and supported by evidence.

Audit Conclusion / Archive Documentation
Safely store all audit documentation, workpapers, and evidence for future reference and potential follow-up audits.

Audit Conclusion / Post-Audit Review
a) Conduct a post-audit review to identify areas for improvement in the audit process.
b) Document the findings to enhance future audit engagements.

PART B
Checklist 16
Order to Cash – Manufacturing

Columns: Process; Sub-process; Risk Description; Control; Test Performed; Attributes tested; Data analytics performed.

Process: Order to Cash
Sub-process: Customer Management

Risk Description: The customer chosen is not appropriate to complete the contract obligations, resulting in bad debts.
Control: A defined process exists to check the customer's creditworthiness, and approval from the marketing head is needed for finalising a customer. The creditworthiness process should include the following:
• Analysis of the customer's latest available financial statements.
• Understanding the customer's management and business.
• Personal guarantee.
• Site visit.
• Reference check.
• Evaluation of the 4 C's of credit.
Test Performed: Check whether the creditworthiness of all new credit customers has been evaluated and documented for approval.
Attributes tested: 1. Creditworthiness supporting. 2. Approval for customer.
Data analytics performed: Whether there are any customers whose creditworthiness has deteriorated after the contract.

Risk Description: Proper documents are not taken from the customer at the time of onboarding.
Control: An authorised person approves the onboarding of a new customer after reviewing the data input against the supportings attached to the customer form. Documents needed with the customer form:
• GST certificate
• PAN card
• E-mail ID
• Contact details
• Bank details
• Other details as required in the customer KYC form
Without the necessary documents, no customer is onboarded.
Test Performed: 1. Check the customer hard file to test the customer form and the other data required for onboarding.
Attributes tested: 1. Customer hard file.
Data analytics performed: How many data fields or critical points in the customer file are empty or not filled in, for any reason?

Risk Description: Inaccurate / incomplete updating of the customer master.
Control: 1. An authorised person approves the onboarding of a new customer after reviewing the data input against the supportings attached to the customer form. 2. Recorded changes to the customer master file are compared to authorized source documents to ensure that they were input accurately. 3. Customer master file data is periodically reviewed by management for accuracy and ongoing pertinence.
Test Performed: 1. Check that the information entered is reviewed by the authorised person. 2. Check against the supporting documents that the information has been completely and accurately entered.
Attributes tested: 1. Supporting documents. 2. Approvals.

Risk Description: Inadequate screening, e.g. an employee being a customer.
Control: Every employee is mandated to inform the concerned division head / superior where a conflict of interest exists. Employees are required to certify compliance with the policy on an annual basis.
Test Performed: 1. Check the employee declarations. 2. Check whether the requirements of the code of conduct and the Companies Act, 2013 are fulfilled.
Attributes tested: Declarations by the employees.

Risk Description: Unauthorised modifications / alterations made to the customer master.
Control: The customer master can be updated (modifications / alterations) only with the approval of an authorised person. Also, access to make modifications / alterations to the customer master is restricted to personnel authorised as per the approval matrix.
Test Performed: 1. Check that the person making the addition / alteration is authorised to do so. 2. Check approval as per the approval matrix.
Attributes tested: 1. Approvals for addition / alteration.
Data analytics performed: Check whether a log of changes is available.

Risk Description: Inactive / fictitious customers are not blocked.
Control: Customers with no transactions for the period specified in the organisation's policy are blocked in the ERP / accounting package for further sales, with the approval of an authorised person.
Test Performed: 1. Check the customer master for blocked customers.
Attributes tested: 1. Customer ledgers. 2. Customer master.

Risk Description: Unauthorised reopening of a customer blocked earlier.
Control: Blocked customer accounts can only be reopened after taking approval as per the approval matrix.
Test Performed: 1. Check the list of blocked customer accounts that were reopened. 2. Verify that proper approvals have been taken.
Attributes tested: 1. Customer master. 2. Approval logs.
Sub-process: Annual Target

Risk Description: Annual targets are not prepared; no proper planning, leading to loss of revenue.
Control: An annual target is developed defining the sales for each year. Targets are duly approved by the authorised personnel / management / Board.
Test Performed: Check whether the annual sales budget is prepared and approved as per the authority matrix.
Attributes tested: Approved sales budget.

Risk Description: Annual targets are not being achieved.
Control: Every month, a meeting of the division head with the marketing team is held to keep the annual sales target on track. At period end, reasons are identified for variances of actual sales against budgeted sales, and these are considered while formulating the plan for the next year.
Test Performed: Review minutes of meetings.
Attributes tested: Minutes of meetings.
Sub-process: Order Management

Risk Description: The product price catalogue is not approved by an authorized person.
Control: The pricing of each product is decided by management with the division heads, considering costing and other factors, and is defined in the ERP / accounting package. The prices are also reviewed by management on a regular basis and changed if required.
Test Performed: Check the approved price list. Verify that changes made are properly authorized.
Attributes tested: Price list.

Risk Description: Unauthorized quotations sent to customers.
Control: Authorised personnel prepare and record the quotation in the ERP / accounting package; the quotation is approved by the approving authority as per the authority matrix and shared with the customer.
Test Performed: Check whether the quotations are properly approved as per the authority matrix.
Attributes tested: Quotations.

Risk Description: Unauthorized discounts allowed to customers.
Control: Data validation is done in the ERP / accounting package so that the personnel inputting data cannot enter a price below the allowed limit. Further, approval as per the approval matrix is required to quote a rate / price to a customer.
Test Performed: Check whether the pricing of sales orders is according to the price list. Verify that discounts have been approved as per the approval matrix.
Attributes tested: Price list. Sales orders. Approvals for discount.

Risk Description: Quotations not shared with the customer within time.
Control: Customer inquiries for quotations are input by the sales team in the ERP / accounting package. Delayed quotations are time-flagged in the ERP / accounting package. Quotations made are required to be approved and shared with the customer within 2 days of receipt of the inquiry.
Test Performed: Verify that quotations are being shared within the time specified in the organisation's policy.
Attributes tested: Quotations with listing.

Risk Description: Signed purchase order / agreement not obtained and the sales process started.
Control: The sales executive shall ask the customer to share the approved purchase order / agreement or, in the absence of a PO, shall prepare the proforma invoice after onboarding the customer into the ERP / accounting package and get it signed and stamped by the customer. Further, work is not started until the sales order is made.
Test Performed: Check that proper supporting is attached to the sales order raised. Also check that the sales order is not issued until the PO / agreement / proforma invoice is received.
Attributes tested: Purchase order / agreement received from the customer.

Risk Description: The sales order is not entered, or is incorrectly entered in the system with respect to rate, quantities and other terms, or duplicate orders are entered.
Control: Sales orders are to be reviewed (against the respective purchase order / agreement) and approved as per the authority matrix. Further, invoices are linked to sales orders; invoices cannot be issued without a sales order.
Test Performed: Check that sales orders are approved as per the authority matrix.
Attributes tested: Authority matrix. Approvals for sales order.

Risk Description: The sales order / agreement does not prescribe the correct technical specifications of the goods required, resulting in procurement of incorrect goods.
Control: Specifications are a mandatory field in the sales order and cannot be circumvented (in the ERP / accounting package). The sales agreement is approved by the approving authority after proper review.
Test Performed: Check that sales orders are prepared with all necessary specifications, and match the sales order specification against the customer's purchase order.
Attributes tested: Sales order.

Risk Description: Delay in approving sales orders.
Control: The sales order created should be approved within the time specified in the organisation's policy. Unapproved sales orders are time-flagged on the dashboard of the approving authority.
Test Performed: Verify that sales orders are approved within the specified time limit.
Attributes tested: Authority matrix. Organisation policy. Approvals for sales order.

Risk Description: Unauthorized modification / cancellation of a sales order / agreement.
Control: A request for modification / cancellation of a sales order / agreement is raised in the ERP / accounting package and, after approval as per the authority matrix, the request is closed.
Test Performed: Check that sales orders are modified / cancelled as per the authority matrix.
Attributes tested: Authority matrix. Approvals for sales order.

Risk Description: No process for automatically closing / blocking old sales orders in the ERP.
Control: In case a sales order has not been completed within the time agreed, the sales order is closed. The customer has to apply to the organisation for a new order for the unexpired quantity.
Test Performed: Check that sales orders are closed after the time limit specified in the sales order has passed.
Attributes tested: Listing of sales orders.
Sub-process: Credit Management

Risk Description: No credit policy is in place / an unapproved credit policy is formalised.
Control: An approved credit policy is in place and all customers are given credit as per the policy only. The same is also mentioned on the invoice.
Test Performed: Check whether a credit policy is formulated.
Attributes tested: Approved credit policy.

Risk Description: Unauthorized changes in the credit limit, period and terms of a customer.
Control: Credit limits are defined in the ERP / accounting package; any modifications made are to be approved as per the authority matrix.
Test Performed: Check that changes in credit limits are authorised as per the authority matrix.
Attributes tested: Authority matrix. Approved credit limit.

Risk Description: Unauthorized credit allowed to customers.
Control: A credit limit matrix has been defined in the credit policy for allowing credit periods to clients.
Test Performed: Check that the credit limit matrix is prepared and approved.
Attributes tested: Approved credit limit matrix.

Risk Description: A delivery order has been generated by the system while the customer's trade debts exceed their credit terms / limits.
Control: Credit limits are linked to the customer account in the ERP / accounting package; for exceeding credit limits, prior approval has to be taken as per the authority matrix.
Test Performed: Check whether credit limits were breached during the year. If exceeded, check whether prior approvals were taken.
Attributes tested: Data for credit given to customers during the year.
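The Customer Management and Credit Management rows above describe tests an auditor runs against ERP extracts rather than by reading documents: customer-master changes made outside the approval matrix or without an approval reference, blank KYC fields, dormant customers still open for sales, and orders that push a customer's exposure over the credit limit with no prior approval. The following is an added example, not from the checklist, of those data-analytics queries run with Python's built-in sqlite3 over a constructed extract; the table layout, the approval-matrix roles `fin_ctrl` and `ar_lead`, the 180-day inactivity rule and the as-of date are assumptions, and the rows are made up.

```python
"""Order-to-cash data analytics over an ERP extract (customer master, master
change log, sales orders, receivables).

Added example for this checklist (not from the book). Table layout, roles,
inactivity period, as-of date and all rows are constructed assumptions.
"""
import sqlite3
from datetime import date, timedelta

# Approval matrix (assumed): only these roles may change the customer master.
AUTHORISED_MASTER_EDITORS = ("fin_ctrl", "ar_lead")
# Fields the customer KYC form makes mandatory (assumed subset).
KYC_FIELDS = ("gstin", "pan", "bank_acct")


def load_sample(conn):
    """Create the extract tables and load constructed rows."""
    conn.executescript("""
        CREATE TABLE customer (id TEXT, name TEXT, gstin TEXT, pan TEXT, bank_acct TEXT,
                               credit_limit REAL, blocked INTEGER, last_txn TEXT);
        CREATE TABLE master_change (id INTEGER, customer_id TEXT, field TEXT, old_val TEXT,
                                    new_val TEXT, changed_by TEXT, approval_ref TEXT, changed_on TEXT);
        CREATE TABLE sales_order (so TEXT, customer_id TEXT, amount REAL, so_date TEXT,
                                  credit_override_ref TEXT);
        CREATE TABLE receivable (customer_id TEXT, outstanding REAL);
    """)
    conn.executemany("INSERT INTO customer VALUES (?,?,?,?,?,?,?,?)", [
        ("C001", "Alpha Traders", "27AAAAA0000A1Z5", "AAAAA0000A", "HDFC0000001/123", 500000, 0, "2024-02-20"),
        ("C002", "Beta Mills", "", "BBBBB1111B", "", 200000, 0, "2023-06-30"),  # blank KYC, dormant
        ("C003", "Gamma Exports", "29CCCCC2222C1Z9", "CCCCC2222C", "SBIN0000002/456", 100000, 0, "2024-03-01"),
    ])
    conn.executemany("INSERT INTO master_change VALUES (?,?,?,?,?,?,?,?)", [
        (1, "C001", "credit_limit", "300000", "500000", "fin_ctrl", "APR-2024-011", "2024-01-15"),
        (2, "C003", "bank_acct", "SBIN0000002/111", "SBIN0000002/456", "sales_exec7", None, "2024-02-28"),
        (3, "C002", "credit_limit", "100000", "200000", "ar_lead", None, "2024-02-01"),
    ])
    conn.executemany("INSERT INTO sales_order VALUES (?,?,?,?,?)", [
        ("SO-101", "C001", 150000, "2024-03-02", None),
        ("SO-102", "C003", 80000, "2024-03-03", None),
        ("SO-103", "C003", 20000, "2024-03-04", "APR-2024-019"),
    ])
    conn.executemany("INSERT INTO receivable VALUES (?,?)", [("C001", 300000), ("C003", 60000)])


def run_analytics(as_of="2024-03-05", inactive_days=180):
    """Return the four exception lists the auditor would take to management."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    marks = ",".join("?" * len(AUTHORISED_MASTER_EDITORS))
    # 1. Master changes by someone outside the approval matrix, or with no approval reference.
    unapproved = conn.execute(
        f"SELECT id, customer_id, field, changed_by FROM master_change "
        f"WHERE approval_ref IS NULL OR changed_by NOT IN ({marks}) ORDER BY id",
        AUTHORISED_MASTER_EDITORS).fetchall()
    # 2. Mandatory KYC fields left blank on the customer master.
    kyc_gaps = [(cid, field)
                for cid, *vals in conn.execute(
                    f"SELECT id, {', '.join(KYC_FIELDS)} FROM customer ORDER BY id")
                for field, v in zip(KYC_FIELDS, vals) if not (v or "").strip()]
    # 3. Customers with no transaction for the policy period that are still open for sales.
    cutoff = (date.fromisoformat(as_of) - timedelta(days=inactive_days)).isoformat()
    dormant = [r[0] for r in conn.execute(
        "SELECT id FROM customer WHERE blocked = 0 AND last_txn < ? ORDER BY id", (cutoff,))]
    # 4. Orders that push exposure (outstanding + this order) over the limit with no
    #    prior approval. A production version would also add other open orders.
    breaches = [r[0] for r in conn.execute("""
        SELECT so.so FROM sales_order so
        JOIN customer c ON c.id = so.customer_id
        LEFT JOIN receivable r ON r.customer_id = c.id
        WHERE COALESCE(r.outstanding, 0) + so.amount > c.credit_limit
          AND so.credit_override_ref IS NULL
        ORDER BY so.so""")]
    return {"unapproved_master_changes": unapproved, "kyc_gaps": kyc_gaps,
            "dormant_not_blocked": dormant, "credit_breach_without_approval": breaches}


if __name__ == "__main__":
    for name, rows in run_analytics().items():
        print(name, rows)
```

With the constructed rows, query 1 flags change 2 (a sales executive altered a customer's bank account with no approval) and change 3 (an authorised role raised a credit limit but recorded no approval reference); query 4 flags SO-102, which takes C003 to 140,000 against a 100,000 limit with no override reference, while SO-103 carries one. The bank-account change is the one to chase first: the ERP's access restriction on the customer master (the control in the "Unauthorised modifications" row) evidently did not hold, and the change log is the only reason it was visible.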
Sub-process: Order Fulfilment

Risk Description: The quality of the goods delivered is not in line with the customer's requirements.
Control: 1. The person responsible shall regularly follow up with the production team on the quality of the goods to be delivered. 2. Before loading of material, the quality team and sales team shall check the quality of the material on a random basis and share the quality inspection report with the dispatch / documentation team.
Test Performed: Check the reports of the quality team issued during the year.
Attributes tested: Quality reports.

Risk Description: Delivery not made to the customer within time.
Control: Sales order validity is mentioned in the sales order at the time of its creation and is monitored by authorized personnel to make all deliveries on time.
Test Performed: Check whether sales are made to the customer within the time specified in the sales order.
Attributes tested: Outward register. E-way bills. Sales orders.

Risk Description: Customers do not receive the dispatched products, leading to customer disputes.
Control: 1) A delivery challan is to be taken from the transporter. 2) A goods receipt note / material receipt note is taken as confirmation from the respective customer by mail.
Test Performed: Check whether acknowledgements have been received from customers and delivery challans are available.
Attributes tested: Acknowledgement from customer. Delivery challan. Invoice.
Data analytics performed: Customer confirmation obtained where the acknowledgement from the customer is not available.
Order Goods are a. Items are Verify dispatch Dispatch
Shipping dispatched more dispatched on the order/packing order/packing list
than sales order basis of sales order list with sales Invoice
quantity issued by sales and order Sale order
marketing
department.
b. Inventory
Personnel ensure
that items are not
issued more than the
sales order quantity
of customer.
c. Goods are loaded
in the vehicle in the
presence of security,
marketing executive,
and inventory
personnel.

Risk: Shipping is made without obtaining advance payment.
Control: Sale order is not generated until the advance is received as per the PO/agreement/proforma invoice.
Test performed: Verify advances have been received as per the agreements/sale order. Also check that no sale order is generated until the advance is received.
Attributes tested: Bank Statement; Sale order/Agreement.

Risk: Invoicing and dispatch documents are generated but products are not dispatched.
Control: Invoice and dispatch documents are generated after the dispatch team has loaded the goods on the vehicle.
Test performed: Reconcile invoices with e-way bills.
Attributes tested: Invoice; E-way bills.

Risk: Invoice generated and goods dispatched are not in line with the customer order.
Control: Based on marketing team communication, a packaging list is prepared, and goods are identified and made ready for dispatch by the stores team. A goods dispatch note is prepared by the stores in charge and goods are loaded in the vehicle in the presence of the stores in charge and security in charge. Based on the packaging list and goods dispatch note, invoicing is done.
Test performed: Match the invoice generated with the sales order issued and the PO/agreement with the customer.
Attributes tested: Invoice; Sale order.

Risk: Delivery is made without a sale order.
Control: Invoice is linked with the sales order. Inventory team issues the inventory to the dispatch team after receiving the approved sales order from the sales team.
Test performed: Check that invoices have been linked to sales orders.
Attributes tested: Invoice; Sale order.

Risk: Dispatched goods have not been input, or have been incorrectly input, in the outward register maintained at the factory/company gate.
Control: Security in charge checks that outward registers are updated before dispatch of goods from the gate. Security supervisor checks at regular intervals that registers are updated timely and correctly.
Test performed: Verify dispatched goods have been input in the outward register.
Attributes tested: Invoice; Outward register.

Sub-process: Customer Invoicing

Risk: Dispatch is done without issuing an invoice.
Control: Goods do not exit the factory gate before the issue of the invoice and other dispatch documents.
Test performed: Match the outward register with the invoice and dispatch register.
Attributes tested: Outward register; Dispatch register; Invoices.

Risk: Invoice is not as per the dispatch order/packaging list.
Control: Dispatch team and security in charge scrutinise the dispatch order/packaging list against the invoice and ensure both are in line.
Test performed: Verify invoices issued during the year against their respective dispatch order/packaging list.
Attributes tested: Invoices; Dispatch order/packaging list.

Risk: Invoicing is not in line with statutory requirements.
Control: A predefined format for the invoice has been made in the ERP/Accounting Package after approval of authorised personnel. The same is regularly reviewed by the FP&A team.
Test performed: Check that the format of the invoice is in line with statutory requirements.
Attributes tested: Invoices; refer to the respective law.

Risk: Invoice generated with incorrect statutory details (like HSN, place of supply, GST rate, etc.).
Control: Invoices are prepared by an authorised person, and the invoice is reviewed and approved by the authorised signatory.
Test performed: Check that correct statutory details are filled in for invoices issued during the year.
Attributes tested: Invoices; refer to the respective law.

Risk: Invoices raised at unauthorized/incorrect rates.
Control: Invoices are linked with the sales order (agreed earlier with the customer). Rates and other terms are pre-specified in invoices as per the sales order.
Test performed: Verify invoices match the sales order linked to them.
Attributes tested: Invoice; Sale order.

Risk: Invoices not generated, or delay in generating the invoice.
Control: For every sale, a packaging list, goods dispatch note and invoice are created. Without the packaging list and invoice, a loaded vehicle is not allowed to exit the factory gate.
Test performed: Verify the packaging list / goods dispatch note/order against invoices issued during the year.
Attributes tested: Invoice; Packaging list / goods dispatch data.

Risk: E-way bill generated not in line (incorrect item, rates, quantity, etc.) with the invoice issued.
Control: Dispatch team and security in charge scrutinise the dispatch documents like invoice, e-way bill, etc. and ensure all match one another.
Test performed: Reconcile invoices with e-way bills.
Attributes tested: Invoice; E-way bills.

Risk: Cash sales not recorded / under-recorded.
Control: Invoices/cash receipts are to be issued from the ERP/Accounting Package for cash sales, and a monthly reconciliation of invoices generated with cash deposits is made by authorised personnel.
Test performed: Check that invoices are issued from the ERP and that the monthly reconciliation is made.
Attributes tested: Invoices; Cash Receipts; Reconciliation.

Risk: Cash received not deposited in the bank within the time specified by Organisation policy.
Control: Cash received should be deposited at the branch office as per the Organisation policy. Responsible personnel should reconcile it with ERP/Accounting Package receipts and issue an acknowledgement. Responsible personnel should deposit the cash in the bank daily / on the next working day.
Test performed: Check that cash is deposited within the time specified by Organisation policy and that reconciliation is done for cash receipts at the branch. Verify cash received for sales during the year has been deposited in the bank.
Attributes tested: Bank Deposit Slips; Cash Reconciliations.

Sub-process: Sales Return and Refund

Risk: No policy has been formulated for sales return and refund.
Control: An approved policy has been defined for Sales Return and Refund.
Test performed: Check the sales return and refund policy.
Attributes tested: Sales Return and Refund policy.

Risk: Sales return request accepted without proper approvals.
Control: An authorisation matrix has been defined for approval of sales return requests.
Test performed: Check that proper approvals have been taken for approving sales return requests.
Attributes tested: Approval for sales return.

Risk: Unauthorised/improper credit notes are issued.
Control: 1) Approval as per the approval matrix is taken for issue of the credit note through mail/ERP/Accounting Package by the personnel responsible. 2) After approval, the credit notes are prepared by the personnel responsible and shared with the customer.
Test performed: Check approvals for credit notes issued during the year.
Attributes tested: Credit Notes register/ledger.

Risk: Sales returns are incorrectly recorded (quantities, rate, etc.) or accounted for without physically receiving the goods.
Control: 1) After arrival of the vehicle at the warehouse/factory, goods are checked by the quality team. A report is issued and goods are forwarded to the inventory team. 2) Inventory team inputs the goods in the register and raises a material receipt note (MRN). 3) After issue of the MRN and approval from the Division head, the sales return entry is passed in the books.
Test performed: Check the report issued by the quality team for returned goods, the MRN generated by the inventory team, and the approval of the Division head for the sales return.
Attributes tested: Quality team report; MRN for returned goods; Approval as per approval matrix.

Risk: Refund of sales return made to an incorrect customer.
Control: Bank account is updated in the ERP/accounting package. Before refund, approval is taken as per the approval matrix.
Test performed: Check approval received as per the approval matrix.
Attributes tested: Approval.

Sub-process: Accounts Receivable

Risk: No policy for periodic customer balance reconciliation / incorrect customer balance reflected in the books of accounts.
Control: Account statements for all customers have been obtained on a quarterly basis and reconciliation is prepared by the person responsible. Further, balance confirmations are obtained from all customers on a yearly basis.
Test performed: Check whether account statements are obtained as per Organisation policy.
Attributes tested: Account Statements / Balance confirmations from customers.

Risk: Discrepancies identified during reconciliation with the customer are not adjusted correctly in the books of accounts.
Control: Identified deviations are reconciled by responsible accounting personnel and reviewed by the approving authority. The adjustment is entered in the Accounting Package after approval by the approving authority.
Test performed: Check whether there is any discrepancy between customer statements and Organisation ledgers. Check that identified discrepancies are resolved and adjusted in the necessary books after approvals as per the authority matrix.
Attributes tested: Account Statements / Balance confirmations from customers; Customer Ledgers; Approvals for adjusting entries.

Risk: Revenue is recorded in the books for goods sent on approval, but approval has not been received from customers.
Control: Revenue for goods sent on approval is recorded when i) the goods have been formally accepted by the buyer, or ii) the buyer has done an act adopting the transaction, or iii) the time period for rejection has elapsed or, where no time has been fixed, a reasonable time has elapsed.
Test performed: Check that the conditions mentioned in Organisation policy are satisfied before booking revenue for "Goods Sent on Approval".
Attributes tested: Revenue Recognition Policy; Data for Goods Sent on Approval; Book entry.

Risk: Provision for bad and doubtful debts is not made, is made using incomplete and inaccurate data, or is not correctly accounted for in the books of accounts.
Control: Organisation has defined a policy for creation of provision for doubtful debts. Ageing of debtors is prepared. Provision for doubtful debts is approved by the Chief Financial Officer, and the provision is entered in the accounting package by responsible accounting personnel and approved by the approving authority, to take legal advice for collecting the dues and filing suits.
Test performed: Check whether a policy is formulated for recording doubtful debts and ageing is prepared regularly. Verify necessary approvals as per the authority matrix have been received for recording the provision for doubtful debts.
Attributes tested: Policy for provisions; Customer Ageing; Approvals for recording provision for doubtful debts.

Risk: Debtors written off without approval.
Control: The accounts receivable team shares the list of customers who have not made payment with the Division heads and CFO. A decision is taken to write off the balance, and the same is shared with authorised personnel to pass the entry in the ERP/Accounting Package.
Test performed: Check the bad debts in the ERP against the list shared by the authorised person.
Attributes tested: Bad debts ledger; Trail mail / supportings for bad debts by the authorised person.

Sub-process: Payment Collections

Risk: Regular delay in collecting payments from customers.
Control: Monthly ageing is extracted from the ERP/Accounting Package by the marketing team and regular follow-up is done with customers whose payment is due.
Test performed: Check that regular follow-up is done with customers whose payment is due.
Attributes tested: Ageing; Follow-up mail.

Risk: Cheque received but not deposited in the bank.
Control: 1) Cheques received are collected by the marketing team and forwarded to the accounts department, and the cheque is deposited in the bank on the same day or the next working day. 2) Monitoring of cheque deposits is done on a regular basis.
Test performed: Check the deposit slip against the entry in the ERP.
Attributes tested: Receipts data; Deposit slip.

Risk: Cheque deposited in the bank but not accounted for.
Control: After receiving the cheque from the marketing team, the entry is made in the ERP/Accounting Package on the same day or the next working day. A bank reconciliation statement (BRS) is also prepared and monitored on a daily basis.
Test performed: Check that the organisation's books match the bank statements, and that daily bank reconciliation statements are being made.
Attributes tested: Bank Ledgers; Bank Statements; Reconciliation.

Risk: Collections are recorded incorrectly in the books with respect to amount, period or customer account.
Control: Collection is recorded in the ERP/Accounting Package and approved by an authorised person after verification of the supporting document. Further, reconciliation is performed between the bank ledger and bank statement, and deviations are recorded accordingly.
Test performed: Check that bank reconciliations are prepared, and appropriate journal entries are passed as per the reconciliation.
Attributes tested: Bank Reconciliation Statements.

Risk: Incorrect calculation of the interest accrued on the outstanding receivable balance.
Control: Interest on defaulting companies is to be calculated on the basis of a fixed percentage as per the approved policy, and the same is to be approved by the authorised person.
Test performed: Check whether the sales proceeds have been realised within the time limit as per the credit given to the customer. Obtain the collection date and invoicing date for all invoices and verify that interest has been charged on defaulting companies.
Attributes tested: Customer Ageing; Invoice receipts data; Interest working.

Sub-process: Reporting and Data Management

Risk: Revenue is not recognized as per the applicable AS / organisation policy.
Control: Organisation has defined a revenue recognition policy in compliance with the applicable accounting standard.
Test performed: Ensure that an appropriate, consistent revenue recognition policy is applied at the year end. Ensure that the policy adopted is in line with generally accepted accounting principles. Compare the Organization's policy for accounting for sales with the significant accounting policies mentioned in the Notes to the Accounts.
Attributes tested: Revenue Recognition Policy.

Risk: Transactions have been recorded in the incorrect period.
Control: Monthly sales invoices, GST returns, e-way bills and sales data as per the accounting package are reconciled by the person responsible, to ensure no invoice is omitted from being recorded and that all are recorded in the current financial period/year. Reconciliations are approved by an authorised person.
Test performed: Check that revenue is recorded in the correct period and apply cut-off procedures for testing.
Attributes tested: Sales Data; GST Returns; Invoice Data; Reconciliation.

Risk: Fictitious/duplicate sales are recorded in the books of accounts.
Control: All invoices are to be authorised/approved by the authorised signatory. Further, all entries are approved as per the approval matrix.
Test performed: Check that invoices are approved by the authorised signatory and entries are approved as per the approval matrix.
Attributes tested: Approved invoices; Ledger of sales.

Risk: Sales transactions are not properly classified in the accounts.
Control: The sales entry is passed by the person responsible, and it is approved by an authorised person.
Test performed: Scrutinise sales ledgers on an overall basis, and check that sales are recorded in the correct ledgers.
Attributes tested: Sales Schedule; Sales ledger.

Risk: Benefits for export sales not availed / under-availed by the Organisation.
Control: Export incentive working is prepared, and it is reviewed by an authorised person.
Test performed: Check trail mail/supportings of approval as per the approval matrix.
Attributes tested: Working of export incentive; Trail mail.

Risk: Export sales are recorded at an incorrect foreign exchange rate.
Control: All export sales are recorded at the same-day prevailing CBEC website rate. The sales entry is passed as per the accounting manual.
Test performed: Check that export sales made are recorded at the rates specified by the accounting manual.
Attributes tested: Export sales ledger; Invoice; CBEC rates.

Risk: Accounting for exempt sales is done incorrectly in the books of account.
Control: Separate expense and revenue ledgers are made for exempt sales, for compliance with applicable tax laws.
Test performed: Check the accounting for exempt sales and taxable sales in the books.
Attributes tested: Books of Account.

Sub-process: Customer Evaluation

Risk: No policy has been formed for evaluation of customers.
Control: An approved policy for evaluation of customers has been formed.
Test performed: 1. Obtain the customer evaluation policy.
Attributes tested: Customer Evaluation Policy.

Risk: Customer evaluations are not being performed regularly.
Control: The customer evaluation is done as per policy. The marketing and finance teams are responsible for doing the customer evaluation. Based on the same and subsequent discussions with the approving authorities, the sales department revises the approved customer list and blocks customers as per the evaluation list.
Test performed: Check whether customer evaluations are being performed, and the approved customer list is updated as per the evaluations.
Attributes tested: Customer Evaluation forms/report.

Sub-process: Customer Complaints

Risk: No policy has been formed for handling customer complaints.
Control: An approved policy for handling customer complaints has been formed.
Test performed: 1. Obtain the policy for handling customer complaints.
Attributes tested: Customer Policy.

Risk: Policy made for handling customer complaints is not complied with.
Control: Authorised levels are formulated for handling a customer complaint; regular monitoring is done to ensure customer complaints are handled as per policy by authorised personnel.
Test performed: 1. Check for compliance with the policy for handling customer complaints.
Attributes tested: Customer Policy; Complaint Log.

Risk: Timely redressal of customer complaints is not done.
Control: The authorised person as per policy handles customer complaints and takes appropriate action. Regular monitoring of the status of customer complaints is done by authorised personnel as per company policy.
Test performed: 1. Check the status of customer complaints. 2. Report complaints which have not been resolved in the time specified as per Organisation policy.
Attributes tested: Complaint Log.

Checklist 17
Order to Cash – Services

Process | Sub-process | Risk Description | Control | Test Performed | Attributes tested | Data analytics performed

Process: Order to Cash
Sub-process: Customer Management

Risk: The customer chosen is not appropriate to complete the contract obligations, resulting in bad debts.
Control: There is a defined process to check customer creditworthiness, and approval from the marketing head is needed for finalising a customer. The creditworthiness process should include the following:
• Analysis of the customer's latest available financial statements.
• Understanding the customer's management and business.
• Personal guarantee.
• Reference check.
• Evaluation of the 4 C's of credit.
Test performed: Check whether the creditworthiness of all new customers has been evaluated by checking the company's financial health, credit history and credit rating report, and documented for approval.
Attributes tested: 1. Creditworthiness supporting. 2. Approval for customer.

Risk: Proper documents not taken from the customer at the time of onboarding.
Control: An authorised person approves the onboarding of a new customer after reviewing the data input against the supportings attached to the customer form. Documents needed with the customer form:
• GST Certificate
• PAN card
• E-mail ID
• Contact details
• Bank details
• Other details as required in the Customer KYC Form
Without the necessary documents, no customer is onboarded.
Test performed: 1. Check the customer hard file to test the customer form and other required data for onboarding.
Attributes tested: 1. Customer hard file.

Risk: Inaccurate/incomplete updating of the customer master.
Control: 1. An authorised person approves the onboarding of a new customer after reviewing the data input against the supportings attached to the customer form. 2. Recorded changes to the customer master file are compared to authorized source documents to ensure that they were input accurately. 3. Customer master file data is periodically reviewed by management for accuracy and ongoing pertinence.
Test performed: 1. Check that the information so entered is reviewed by an authorised person. 2. Check against the supporting documents that the information has been completely and accurately entered.
Attributes tested: 1. Supporting documents. 2. Approvals.

Risk: Risk of inadequate screening, viz. an employee being a customer.
Control: Every employee is mandated to inform the concerned division head/superior where a conflict of interest exists. Employees are required to certify compliance with the policy on an annual basis.
Test performed: 1. Check the employee declarations.
Attributes tested: Declarations by the employees; Check whether the requirements of the code of conduct and the Companies Act, 2013 are fulfilled.

Risk: Unauthorised modifications/alterations made to the customer master.
Control: The customer master can be updated (modifications/alterations) only with the approval of an authorised person. Also, access to make modifications/alterations to the customer master is restricted to personnel authorised as per the approval matrix.
Test performed: 1. Check that the person making the addition/alteration is authorised to do so. 2. Verify customer approval forms are approved as per the approval matrix.
Attributes tested: 1. Approvals for addition/alteration.

Risk: Inactive/fictitious customers are not blocked.
Control: Customers with no transactions for a period specified by organisation policy are blocked in the ERP/Accounting Package for further sales, with the approval of an authorised person.
Test performed: 1. Check the customer master for blocked customers.
Attributes tested: 1. Customer Ledgers. 2. Customer Master.

Risk: Unauthorised reopening of a customer blocked earlier.
Control: Blocked customer accounts can only be reopened after taking approval as per the approval matrix.
Test performed: 1. Check the list of blocked customer accounts reopened. 2. Verify proper approvals have been taken.
Attributes tested: 1. Customer Master. 2. Approval logs.

Sub-process: Annual Target

Risk: Annual targets are not prepared; no proper planning, leading to loss of revenue.
Control: An annual target is developed defining the sales for each year. Targets are duly approved by the authorised personnel/management.
Test performed: Check whether the annual sales budget is prepared and approved as per the authority matrix.
Attributes tested: Approved Sales Budget.

Risk: Annual targets are not being achieved.
Control: Every month, a meeting of the Division head with the marketing team is held to keep the annual sales target on track. At period end, reasons are identified for variances between actual and budgeted sales, and the same are considered while formulating the plan for the next year.
Test performed: Review minutes of meetings.
Attributes tested: Minutes of meetings.

Sub-process: Order Management

Risk: The service price catalogue is not approved by an authorized person.
Control: Pricing of each service is decided by management with the Division heads and the same is defined in the ERP/Accounting Package. Also, the prices are reviewed by management on a regular basis, and changed if required.
Test performed: Check the approved service price list. Verify changes made are properly authorized.
Attributes tested: Price List.

Risk: Absence of a pricing policy / review of the pricing policy, leading to sale of services below the incurred cost.
Control: A pricing policy is maintained/updated regularly for all services offered by the organization.
Test performed: Check whether a proper pricing policy for services has been made.
Attributes tested: Pricing Policy.

Risk: Unauthorized quotations sent to customers.
Control: Authorised personnel prepare and record the quotation in the ERP/Accounting Package; the quotation is approved by the approving authority as per the authority matrix and shared with the customer.
Test performed: Check whether the quotations are approved properly as per the authority matrix.
Attributes tested: Quotations.

Risk: Unauthorized discount allowed to customers.
Control: Data validation is done in the ERP/Accounting Package so that the personnel inputting data cannot enter a price below the allowed limit. Further, approval as per the approval matrix is required to quote a rate/price to a customer.
Test performed: Check whether the pricing of sales orders is according to the price list. Verify discounts have been approved as per the approval matrix.
Attributes tested: Price List; Sales orders; Approvals for discount.

Risk: Quotations not shared with the customer within time.
Control: Customer inquiries for quotations are input by the sales team in the ERP/Accounting Package. Delayed quotations are time-flagged in the ERP/Accounting Package. Quotations made are required to be approved and shared with the customer within 2 days of receipt of the inquiry.
Test performed: Verify quotations are being issued within the time specified by Organisation policy.
Attributes tested: Quotations Listing.

Risk: Signed purchase order/agreement not obtained and the sales process started.
Control: The sales executive shall ask the customer to share the approved purchase order/agreement or, in the absence of a PO, shall prepare the proforma invoice after onboarding the customer into the ERP/Accounting Package and get it signed and stamped by the customer. Further, work is not started until the sales order is made.
Test performed: Check proper supporting is attached with the sales order raised.
Attributes tested: Purchase order/agreement received from the customer.

Risk: Sales order is not entered, or is incorrectly entered in the system with respect to rate, quantities and other terms, or duplicate orders are entered.
Control: Sales orders are to be reviewed (against the respective purchase order/agreement) and approved as per the authority matrix. Further, invoices are linked to sales orders; invoices cannot be issued without a sales order.
Test performed: Check sales orders are approved as per the authority matrix.
Attributes tested: Authority Matrix; Approvals for sales order.

Risk: Sales order/agreement does not prescribe the correct technical specifications of the services required, resulting in rendering of incorrect services.
Control: Specifications are a mandatory field in the sales order and cannot be circumvented (in the ERP/Accounting Package). The sales agreement is approved by the approving authority after proper review.
Test performed: Check sales orders are prepared with all necessary specifications, and match the sales order specification with the customer's purchase order.
Attributes tested: Sales order.

Risk: Delay in approving sales orders.
Control: The sales order created should be approved within the time specified by organisation policy. Unapproved sales orders are time-flagged on the dashboard of the approving authority.
Test performed: Verify sales orders are approved within the time limit specified.
Attributes tested: Authority Matrix; Organisation policy; Approvals for sales order.

Risk: Unauthorized modification/cancellation of sales order/agreement.
Control: A request for modification/cancellation of a sales order/agreement is raised in the ERP/Accounting Package, and after approval as per the authority matrix, the request is closed.
Test performed: Check sales orders are modified/cancelled as per the authority matrix.
Attributes tested: Authority Matrix; Approvals for sales order.

Risk: No process of closing/blocking old sales orders in the ERP automatically.
Control: In case a sales order has not been completed within the time agreed, the sales order is closed. The customer has to apply to the Organisation for a new order for the unexpired quantity.
Test performed: Check sales orders are closed after the time limit specified in the sales order has passed.
Attributes tested: Listing for Sales orders.

Sub-process: Credit Management

Risk: Credit policy is not in place / an unapproved credit policy is formalized.
Control: An approved credit policy is in place and all customers are given credit as per the policy only. The same is also mentioned on the invoice.
Test performed: Check whether a credit policy is formulated.
Attributes tested: Approved Credit Policy.

Risk: Unauthorized changes in the credit limit, period and terms of customers.
Control: Credit limits are defined in the ERP/Accounting Package; any modifications made are to be approved as per the authority matrix.
Test performed: Check changes in credit limits are authorised as per the authority matrix.
Attributes tested: Authority Matrix; Approved Credit Limit.

Risk: Unauthorized credit allowed to customers.
Control: A credit limit matrix has been defined in the Credit Policy for allowing a credit period to clients.
Test performed: Check the credit limit matrix is prepared and approved.
Attributes tested: Approved Credit Limit Matrix.

Risk: Services have been performed and the customer's trade debts exceed their credit terms/limits.
Control: Credit limits are linked to the customer account in the ERP/Accounting Package; for exceeding credit limits, prior approval has to be taken as per the authority matrix.
Test performed: Check whether credit limits were breached during the year. If exceeded, check whether prior approvals were taken.
Attributes tested: Data for credit given to customers during the year.

Sub-process: Order Fulfilment

Risk: Services provided are not in line with the requirements of the customer.
Control: 1. The engagement team is briefed at the commencement of a service. Regular review meetings are held to ensure the services are performed timely and as per the customer's requirements.
Test performed: Check reports of the quality team issued during the year.
Attributes tested: Quality Reports.

Risk: Services not rendered to the customer within time.
Control: Service order validity is mentioned in the service order at the time of creation of the service order, and the same is monitored by authorized personnel to make all services timely.
Test performed: Check whether services are provided to the customer within the time specified in the sales order.
Attributes tested: Outward Register; Service Orders.

Sub-process: Customer Invoicing

Risk: Invoices not generated, or delay in generating the invoice.
Control: After the service has been performed, the engagement team informs the finance team and the invoice is raised within 2 days.
Test performed: Verify invoices have been issued within the approved time as per policy.
Attributes tested: Invoice.

Risk: Invoicing is not in line with statutory requirements.
Control: A predefined format for the invoice has been made in the ERP/Accounting Package after approval of authorised personnel. The same is regularly reviewed by the FP&A team.
Test performed: Check that the format of the invoice is in line with statutory requirements.
Attributes tested: Invoices; refer to the respective law.

Risk: Invoice generated with incorrect statutory details (like HSN, place of supply, GST rate, etc.).
Control: Invoices are prepared by an authorised person, and the invoice is reviewed and approved by the authorised signatory.
Test performed: Check that correct statutory details are filled in for invoices issued during the year.
Attributes tested: Invoices; refer to the respective law.

Risk: Invoices raised at unauthorized/incorrect rates.
Control: Invoices are linked with sales orders (agreed earlier with the customer). Rates and other terms are pre-specified in invoices as per the sales order.
Test performed: Verify invoices match the sales order linked to them.
Attributes tested: Invoice; Sale order.

Risk: Cash sales not recorded / under-recorded.
Control: Invoices/cash receipts are to be issued from the ERP/Accounting Package for cash sales, and a monthly reconciliation of invoices generated with cash deposits is made by authorised personnel.
Test performed: Check that invoices are issued from the ERP and that the monthly reconciliation is made.
Attributes tested: Invoices; Cash Receipts; Reconciliation.

Risk: Cash received not deposited in the bank within the time specified by Organisation policy.
Control: Cash received should be deposited at the branch office as per the Organisation policy. Responsible personnel should reconcile it with ERP/Accounting Package receipts and issue an acknowledgement. Responsible personnel should deposit the cash in the bank daily / on the next working day.
Test performed: Check that cash is deposited within the time specified by Organisation policy and that reconciliation is done for cash receipts at the branch. Verify cash received for sales during the year has been deposited in the bank.
Attributes tested: Bank Deposit Slips; Cash Reconciliations.

Sub-process: Sales Return and Refund

Risk: No policy has been formulated for issuing credit notes.
Control: An approved policy has been defined for credit notes.
Test performed: Check the credit notes policy.
Attributes tested: Credit Note Policy.

Risk: Credit note request accepted without proper approvals.
Control: An authorisation matrix has been defined for approval of credit note requests.
Test performed: Check that proper approvals have been taken for approving credit note requests.
Attributes tested: Credit Notes.

Risk: Unauthorised/improper credit notes are issued.
Control: 1) Approval is taken as per the approval matrix for issue of the credit note through mail/ERP/Accounting Package by the personnel responsible. 2) After approval, the credit notes are prepared by the personnel responsible and shared with the customer.
Test performed: Check approvals for credit notes issued during the year.
Attributes tested: Credit Notes register/ledger.

Risk: Refund of sales return made to a different customer.
Control: Before refund, approval is taken as per the approval matrix.
Test performed: Check approval received as per the approval matrix.
Attributes tested: Approvals.

Sub-process: Accounts Receivable

Risk: No policy for periodic customer balance reconciliation / incorrect customer balance reflected in the books of accounts.
Control: Account statements for all customers have been obtained on a quarterly basis and reconciliation is prepared by the person responsible. Further, balance confirmations are obtained from all customers on a yearly basis.
Test performed: Check whether account statements are obtained as per Organisation policy.
Attributes tested: Account Statements / Balance confirmations from customers.

Risk: Discrepancies identified during reconciliation with the customer are not adjusted correctly in the books of accounts.
Control: Identified deviations are reconciled by responsible accounting personnel and reviewed by the approving authority. The adjustment is entered in the Accounting Package after approval by the approving authority.
Test performed: Check whether there is any discrepancy between customer statements and Organisation ledgers. Check that identified discrepancies are resolved and adjusted in the necessary books after approvals as per the authority matrix.
Attributes tested: Account Statements / Balance confirmations from customers; Customer Ledgers; Approvals for adjusting entries.
Provision for bad & Organisation has Check whether Policy for
doubtful debt is not defined policy for policy is provisions.
made or made using creation of provision formulated for Customer
incomplete and for doubtful debts. recording of Ageing.
inaccurate data or not Ageing for debtors is doubtful debts Approvals for
correctly accounted for prepared. Provision for and ageing is recording
in the books of doubtful debts is prepared provision for
accounts. approved by Chief regularly. doubtful debts.
Financial Officer & Verify
provision is entered in necessary
accounting package by approvals as
responsible accounting per authority
personnel and matrix have
approved by approving been received
authority. for recording
provision for
doubtful debts.
Debtors written off The Accounts Check the bad Bad debts ledger
without approval receivable team share debts in the Trail mail/
the list of customers ERP with the Supportings for
who have not made the share list by

173
Internal Audit Checklist

Process Sub- Risk Description Control Test Attributes Data


process Performed tested analytics
performed
payment to Division the authorised bad debts by
heads and CFO. person. authorised
Decision is taken to person
written off the balance
and the same is shared
to authorised
personnel to pass the
entry in the
ERP/Accounting
Package.
Payment Regular delay in Monthly aging is Check that Aging
Collection collecting payments extracted from regular follow Follow up mail
s from customers. ERP/Accounting up is done with
Package by marketing customer
team and regular follow whose payment
up is done with the is due.
customer whose
payment is due.
Cheque received but 1) Cheques received Check the Receipts data
not deposited in Bank. are collected by the deposit slip Deposit slip
marketing team and with entry in
forwarded to accounts the ERP.
department, and
cheque is deposited in
bank on the same day
or next working day.
2) Monitoring of
cheque deposit being
done on regular basis.
Cheque deposited in After receiving the Check Bank Ledgers
bank but not cheque from marketing Organisation Bank Statements
accounted. team, entry is made in books are Reconciliation
ERP/Accounting matching with
Package on the same bank
day or next working statements,
day. BRS is also and daily bank
prepared and reconciliation
monitored on daily statements are

174
Order to Cash – Services

Process Sub- Risk Description Control Test Attributes Data


process Performed tested analytics
performed
basis. being made.
Collections are Collection is recorded Check Bank Bank
recorded incorrectly in in ERP/Accounting Reconciliations Reconciliation
the books with respect Package and approved are prepared, Statements
to amount, period, or by authorised person and
customer account. after verification of appropriate
supporting document. journal entries
Further, reconciliation are passed as
is performed for bank per
ledger & bank reconciliation.
statement and
deviations are
recorded accordingly.
Incorrect calculation is Interest on defaulting Check whether Customer
done for the interest companies is to be the sales Ageing
accrued on the calculated on the basis proceeds have
outstanding receivable of a fixed percentage been realised Invoice Receipts
balance. as per approved policy within the time data Interest
and same is to be limit as per the calculation.
approved by the Organisation's
authorised person. policy.
Obtain
collection date
& invoicing
date for all
invoice and
verify interest
has been
charged on
defaulting
companies.
Reporting Revenue is not Organisation has Ensure that an Revenue
and Data recognized as per defined revenue appropriate, Recognition
Managem applicable Accounting recognition policy in consistent Policy
ent Standards / compliance with revenue
organisation policy. applicable accounting recognition
standard. policy is
applied at the
year end.

175
Internal Audit Checklist

Process Sub- Risk Description Control Test Attributes Data


process Performed tested analytics
performed
Ensure that the
policy adopted
is in line with
generally
accepted
accounting
principles.
Compare the
Organisation's
policy for
accounting
sales with the
significant
accounting
policies
mentioned in
the Notes to
the Accounts.
Transactions have Monthly sales invoices, Check Sales Data
been recorded in GST returns & sales Revenue is GST Returns
incorrect period. data as per accounting recorded in E-Way
package are reconciled correct period
Invoice Data
by person responsible, and apply cut-
to ensure no invoice is off procedures Reconciliation
omitted to be recorded for testing.
and recorded in the
current financial
period/ year.
Reconciliation are
approved by
authorised person.
Fictitious /duplicate All invoices are to be Check that Approved
sales are recorded in authorised/ approved invoices are invoices
the books of accounts. from Authorisedapproved from Ledger of sale
Signatory. authorised
Further all entries are signatory and
approved as per entries are
approval matrix. approved as
per approval

176
Order to Cash – Services

Process Sub- Risk Description Control Test Attributes Data


process Performed tested analytics
performed
matrix.
Sales transactions are Sales entry is passed Scrutinise Sales Schedule
not properly classified by person responsible, sales ledgers sale leger
in accounts. and it is approved by on overall
authorised person. basis and
check sales are
recorded in
correct ledgers
are per
Organisation
policy.
Benefits for export Export incentive Check trail Working of
sales not availed/ working is prepared mail/supporting export incentive
under availed by the and it is reviewed by s of approval Trail mail
Organisation. authorised person. as per approval
matrix.
Export services are Export services are Check export Export sale
recorded at incorrect recorded at same day sale made are ledger
foreign exchange rate. prevailing CBEC recorded at Invoice
website rate. Sales rates as CBEC rates
entry is passed as per specified by
accounting manual. accounting
manual.
Accounting for exempt Separate expense and Check Books of
sales is done revenue ledgers are accounting for Account
incorrectly in books of made related to exempt sale
account. exempt sales for and taxable
compliance with sale in books.
applicable tax laws.
Customer No policy has been Approved Policy for Obtain policy of Customer
Evaluation formed for evaluation evaluation of customer customer Evaluation Policy
of customer. has been formed. evaluation.
Customer evaluations Customer Evaluation is Check whether Customer
are not being done as per policy. customer Evaluation
performed regularly. Marketing and Finance evaluations are forms/report
team is responsible for being
doing the customer performed, and
evaluation. Based on approved

177
Internal Audit Checklist

Process Sub- Risk Description Control Test Attributes Data


process Performed tested analytics
performed
the same and customer list is
subsequent updated as per
discussions with the the
approving authorities, evaluations.
Sales department
revises the approved
customer list and block
customers as per
evaluations list.
Customer No policy has been for Approved Policy for Obtain policy of Customer Policy
Complaint handling of customer handling customer handling
s complaints. complaints has been customer
formed. complaints.
Policy made for Authorised levels are Check for Customer Policy
handling of customer formulated for handling compliance Complaint Log
complaints not a customer complaint, with the policy
complied. regular monitoring is for handling
done to ensure customer
customer complaints complaints.
are handled as per
policy by authorised
personnel.
Customer Timely redressal of Authorised person as 1. Check status Complaint Log
Complaint customer complaints per policy handles of customer
s not done. customer complaints complaints.
and take appropriate 2. Report
action. complaints
Regular monitoring is which have not
done for status of been resolved
customer complaints in time
by authorised specified as
personnel as per per
company policy. Organisation
policy.

178
Checklist 18
Purchase to Pay – Direct Material

Process | Sub-process | Risk Description | Control | Test Performed | Attributes tested | Sample size | Data analytics performed | Process Metrics
Procurement | Vendor Management | Risk of choosing an incompetent vendor and supply of inferior quality of goods. | Defined process for vendor evaluation and approval exists and includes the following: - technical and commercial evaluation by cross functional teams. - approval authority. - single vendor justification, e.g. for imports or critical items including development of new vendors. | 1. Check the approval for technical evaluation and supporting documents thereof. 2. Check approval for commercial evaluation and supporting documents thereof. 3. Check justification for exceptions, if any. | 1. Approvals for evaluations. 2. Supporting for evaluations | 30 new vendors | 1. New vendors vis-à-vis existing vendors. 2. Single vendors for non-critical items. | -Number of certified suppliers. -Number of local and global suppliers. -Number of national contracts. -Number of rate contracts. -Supplier development programs.
 | | Risk of unauthorised updates / alterations to vendor master. | Updates (Additions / Alterations) to the vendor master can be done only with approval of HOD (Commercial) and IT Head. Also, the access to make additions / alterations to the vendor master is restricted to personnel authorised as per approved Authority Matrix. The Authority Matrix is entered in the Access Control List (ACL) in the ERP system. | 1. Check the ACL is as per approved authority matrix. 2. Check that the person making the addition / alteration is authorised to do so. 3. Verify vendor approval forms are approved by HOD Commercial and IT Head. | 1. Approvals for addition / alteration. 2. Access Control List | 1. 30 vendor approval forms. 2. Access Control List | - | -
 | | Risk of inaccurate updation in the vendor master. | Recorded changes to the supplier master file are compared to authorized source documents by Manager (Commercial) or the designated authority to ensure that they were entered accurately. | 1. Check that the information so entered is reviewed by Manager (Commercial). 2. Check with the supporting documents that the information has been completely & accurately entered. | 1. Supporting documents. 2. Approvals | 1. 30 vendor approval forms | Check whether approvals are there for all the new vendor empanelments. | 
 | | Risk of critical vendor data being incomplete and not up to date. | Requests to change supplier master file data are logged; the log is reviewed to ensure that all requested changes are processed timely. | Check the requests log to ensure that there are no long pending requests for updation. | 1. Outstanding Request log | 1. Request log | | 
 | | | Requests to change supplier master file data are submitted on prenumbered forms; the numerical sequence of such forms is accounted for to ensure that all requested changes are processed timely. In an ERP environment, the request for change can also be done in the system on the basis of chronology and numbering. | 1. Check the requests log to ensure that there are no missing requests. Alternatively, there should be a number cancellation note on the log. | 1. Sequence of the request forms used | 1. Request log | | 
 | | | Supplier master file data is periodically reviewed by management. | 1. Check the evidence of the management review. | 1. Management review | | | 
 | | | Recorded changes to the supplier master file are compared with authorized source documents by Manager (Commercial) or designated authority. | 1. Check that the information so entered is reviewed by Manager (Commercial). 2. Check with the supporting documents that the information has been completely & accurately entered. | 1. Supporting documents. 2. Approvals | 1. 30 vendor approval forms | | 
 | | Risk of inadequate screening. | As per Company's Code of Conduct, the employees are mandated to inform the concerned HOD / Superior where conflict of interest exists. Employees are required as per Code of Conduct to certify compliance with the policy on an annual basis. Also, the vendors are required to inform, as per the standard terms and conditions printed on the Purchase Order, if they have any relations employed with the organization. | 1. Check the employee declarations for compliance with the ethical standards. 2. Check the vendor acknowledgements in the Purchase Order. | Declarations by vendors and employees | 1. Certifications of 30 employees. 2. Acknowledgement from 30 vendors | | 
 | | Risk of not following screening procedures for one-time vendor. | For ERP like Oracle, there is an option of ticking "One-time flag" which needs to be updated at the time of vendor creation. As a result, the vendor gets deactivated after placing one PO. | 1. Check by creating a dummy Purchase Order whether the vendor flagged as One-time can be reused. 2. Obtain a list of One-time vendors and compare it with the PO dump to check whether one-time vendors have been used more than once. | 1. Field validation | 1. List of one-time vendors. 2. PO dump | | 
 | | Vendor performance not reviewed periodically. | Performance Appraisal of vendor is done once a year for long term PO / Contract and quarterly for short term PO / Contract. Based on the evaluation, Approved Vendor list is updated. Company is responsible for doing the vendor appraisals. Based on the same and subsequent discussions with the buyers / within the purchases group, Purchases department revises the approved vendor list. | 1. Verify whether the vendor appraisals have been done annually & quarterly. 2. Verify updation of the approved vendor list. | Timelines. Quality. Approvals | 1. For annual appraisal - check one sample. 2. For quarterly appraisal - check 3 samples | | -Number of stock outs. -Number of rejections. -Number of warranty claims. -% of rework done.
 | | Risk of dummy / inactive vendors existing. | Suppliers that have not been used for a significant time period are reviewed by Manager (Commercial) and marked for deletion by the application. | 1. Compare the active vendor listing (VLOOKUP) with the PO listing for the year. 2. Scrutinise the vendor dump for vendors with common / dummy names or details. | Dummy / inactive vendor accounts | 1. Active vendor listing. 2. PO Dump | | 

Process | Sub-process | Risk Description | Control | Test Performed | Attributes tested | Sample size | Data analytics performed | Process Metrics
Procurement | Planning | Risk of increased material cost or erratic inventory levels due to lack of planning. | An annual plan is developed for defining the material requirement for each of the departments. The plan is duly approved by the different HODs and CEOs. The plan includes the following factors (regarding procurement): 1. type of material required; 2. frequency of requirement; 3. authorisation. Based on the Annual plan, purchases department identifies the suppliers for the regular material, agreements with the suppliers, communication of the plan to the suppliers, lead time for delivery, periodicity of supply, etc. The company has a defined procedure for undertaking the above activities. | Check that there is compliance with the defined process regarding identification of vendors, entering into agreements with the vendors for long term supplies, communication of the plans to the vendors, etc. | Timeliness in updating the plan. Completeness of defining material requirement. Vendor identification. Vendor communication. Authorizations. | 1. Annual Plan. 2. All the activities to be checked for 30 items | - | -Type of items required. -Quantities required. -No of vendors.
 | Ordering | Risk of an inadequate number of vendors being identified for Request for Quote (RFQ). | Sufficient quotations are obtained before approving the PO. Justification for deviation from purchase policy is mentioned as remarks, which is also reviewed by the approving authority before the PO is approved. | 1. Check for compliance with the purchase policy for identification of vendors for RFQ. 2. Check whether, in case the requisite number of vendors were not available, the due escalation procedure was followed. | Number of vendors vis-à-vis the requirement of purchase policy. | Vendors for 30 items | - | -
 | | | All POs are required to be approved in accordance with the approved authority matrix. The Authority Matrix specifies the expenditure limits of the relevant personnel and has been entered into the ERP package. | 1. Check the approvals for the PO against the Authority Matrix. 2. In case the approvals are not as per the authority matrix, ratification / justification for the same needs to be checked. | Approval | 30 POs | | 
 | | Wrong quantity / rates / payment terms are raised in Purchase Order, etc. | Purchase Order is prepared by the buyer and is reviewed and approved by the person so authorized as per Authority Matrix. The reviewer verifies the details in the PO with the supporting. Access to create and approve PO is with different users in the ERP system. | 1. Check that the PO is supported with a duly approved indent. 2. Check that the PO is approved as per Authority Matrix. | 1. Quantity as per indent vis-à-vis PO. 2. Approval for the PO. | 30 items | - | -
 | | Indent raised / approved for purchase when there is no requirement for goods / services or goods are already in stock. | The indent is reviewed and approved by the authorized personnel (as per the limits set out in approved Authority Matrix), signifying the need to procure material. The Authority Matrix is entered in the ERP system in Access Control List (ACL). | 1. Check that indent is approved in accordance with the Authority Matrix. | 1. Approvals for indent. 2. Access Control List | 1. 30 indents. 2. ACL | | 
 | | | Review of Monthly Budget vs Actual Expenditure is conducted, encapsulating department budgets and major expenditures incurred. Any unauthorized expenditure or double processing of significant expenditure would be identified in the review meeting. | 1. Check that all the indents which get converted into PO are reported as part of MIS for variance analysis (viz. budget vs. actual). 2. Review the progress / minutes of the meeting and analyse the common / continuing issues. | 1. Quantity reported in MIS. | 1. MIS - 3 months | | 
 | | Unauthorised indents may be raised for purchases. | The indent is reviewed and approved by the authorized personnel (as per the limits set out in approved Authority Matrix), signifying the need to procure material. The Authority Matrix is entered in the ERP system in Access Control List (ACL). | 1. Check that the indents are approved in accordance with the Authority Matrix. | 1. Approvals for indent. 2. Access control list | 1. 30 indents. 2. ACL | | 
 | | | The ERP system does not allow changes to be made to approved indents. They can either be cancelled or processed for PO. The amendment rights are available only to the Head of the user Department (HOD). Any modification, if done, is recorded in a log which needs to be reviewed. | Check the access control list to see that no one other than HOD has modification access for indents and that access to cancel indents is with Managers in respective user departments / Cost centres. | 1. Approvals for indent. 2. Access control list | 30 indents. ACL | | 
 | | Indent does not prescribe the correct technical specifications of goods / services required, resulting in procurement of incorrect goods / services. | Specifications are a mandatory field in the indent and cannot be bypassed (in ERP). | 1. Check the exception report generated from ERP for indents raised without any specification. 2. Check the rejection report for the material rejected due to incorrect specification. | Rejections due to incorrect / missing specifications. | Exception report and Rejection report for the period of audit. | No of rejections vis-à-vis no of indents placed | -No of indents placed. -No of rejections. -No of rejections due to specifications.
 | | Indent does not prescribe the correct technical specifications of goods / services required, resulting in procurement of incorrect goods / services. | The indent is reviewed and approved by the authorized personnel (as per the limits set out in approved Authority Matrix), signifying the need to procure material. The Authority Matrix is entered in the ERP system in Access Control List (ACL). Indents without the specifications are treated as incomplete since quotations cannot be obtained for the same. In case the goods are rejected by the Quality Control department or shop floor, reasons for the same are reviewed to ensure that the rejection was not due to incorrect specifications mentioned on the indent. This is ensured by AM – Commercial. | 1. Check that the indents are approved in accordance with the Authority Matrix. 2. Check the Material Rejection list and whether rejections are due to incorrect specifications. | 1. Approvals for indent. 2. Access control list. 3. Specifications | 1. 30 indents. 2. ACL. 3. Rejection report | | 

Indents / All supporting 1. Check the Supporting 30 POs


PRs are documents PO review documents
not used (Indents/ and approval (including
when vendor quote process. indents)
purchasing analysis Check that
goods or sheet/ vendor the PO is
services. quotes. etc) supported
are reviewed with a duly
at the time of approved
PO approval indent.
by authorised
personnel (as
per the
approved
Authority
Matrix).

192
Purchase to Pay – Direct Material

Process Sub- Risk Control Test Attributes Sample Data Process


process Descriptio Performed tested size analytics Metrics
n performed

All POs are 1. Check that 1. Approvals 30 POs


required to be the PO are 2. ACL
approved by approved in
the accordance
authorized with the
personnel (as Authority
per the limits Matrix.
set out in 2. Check that
approved the Purchase
Authority Order cannot
Matrix), be created
signifying without
correctness approval.
and accuracy
thereof. The
Authority
Matrix is
entered in the
ERP system
in Access
Control List
(ACL).

POs do not All supporting 1. Check the Supporting 30 POs


contain documents PO review documents
accurate (Indents/ and approval (including
information vendor quote process. indents)
. analysis 2. Check that
sheet/ vendor the PO is
quotes, etc.) supported
are reviewed with a duly
at the time of approved
PO approval indent.
by authorised
personnel (as
per the
approved
Authority
Matrix).

193
Internal Audit Checklist

Process Sub- Risk Control Test Attributes Sample Data Process


process Descriptio Performed tested size analytics Metrics
n performed

All POs are 1. Check that 1. Approvals 30 POs


required to be the PO are 2. ACL
approved by approved in
the accordance
authorized with the
personnel (as Authority
per the limits Matrix.
set out in 2. Check that
approved the PO
Authority cannot be
Matrix), created
signifying authorizer
correctness without
and accuracy approval.
thereof. The
Authority
Matrix is
entered in the
ERP system
in Access
Control List
(ACL).

PO prices ERP system 1. Check the 1. 1. PO 1. Same Number


are not requires the Price Supporting dump Material of non-
competitive PO approving fluctuations documents 2. 30 from same certified
. authority to for same 2. Price POs vendor at suppliers
review vendor items. fluctuations different Commodi
quotes at the 2. Check that rates ty/ forex
time of the PO is 2. Same hedging
approving the supported material Proportio
PO. with a duly from n of
approved different procurem
quotes. vendor at ent from
3. Check that different high rate
the PO is rates vis-à-vis
approved as 3. Foreign low-rate
per Authority exchange vendors
Matrix. fluctuations Rising
unit cost.

194
Purchase to Pay – Direct Material

Process Sub- Risk Control Test Attributes Sample Data Process


process Descriptio Performed tested size analytics Metrics
n performed

The purchase 1. Check that 1. quotes 30 POs


policy of the specific
company number of
requires quotes
obtaining a required as
certain per purchase
minimum policy are
number of obtained.
quotations 2. Check that
before placing in case of
the order. In exceptions,
case the escalation
specified procedure as
number of per the policy
quotes are is followed.
not available
then
escalation
procedure
specified in
the purchase
policy needs
to be
followed.

Price If the terms of 1. Check by Price Audit trail


changes an approved raising a changes in report
are not Purchase dummy PO, PO
authorised. Order are getting it
altered in approved and
ERP, it then altering
automatically it.
sends PO in 2. Check by
pre-approval review of the
stage. audit trail
report in
ERP, if any
PO has been
modified after
approval.

195
Internal Audit Checklist

Process Sub- Risk Control Test Attributes Sample Data Process


process Descriptio Performed tested size analytics Metrics
n performed

The purchase 1. Check Price 30 POs


policy of the whether the changes in
company PO wherein PO
requires that price has
in case the been altered
approved has been re-
price in a PO approved as
is changed, it per the
needs to be Authority
re-approved / Matrix.
re-processed
as if it is a
new PO.

Unauthoriz All POs are 1. Check that Unauthorise 1. ACL


ed approved as the PO is d approval 2.
POs/Contr per the approved as rights Authority
acts approved per Authority Matrix
Authority Matrix 3. 30
Matrix. Also, 2. Check the POs
the same has ACL and
been entered confirm that
into ERP the same is
software in updated as
Access per Authority
Control List Matrix
(ACL).

All supporting 1. Check the Supporting 30 POs


documents PO review documents
(Indents/vend and approval (including
or quote process. 2. indents)
analysis Check that
sheet/vendor the PO is
quotes, etc.) supported
are reviewed with a duly
at the time of approved
PO approval indent.
by authorised
personnel (as

196
Purchase to Pay – Direct Material

Process Sub- Risk Control Test Attributes Sample Data Process


process Descriptio Performed tested size analytics Metrics
n performed
per the
approved
Authority
Matrix).

-Terms of General terms 1. Check Standard 30 PO / Vendor


PO / and whether the PO terms Contract claims
contract conditions, standard and s
are not approved by terms and Conditions;
suitable - legal are pre- conditions Approval
contract printed on are approved
terms not reverse of by Legal
vetted by PO. Department.
Legal Dept. 2. Check
whether the
standard
terms and
conditions
are printed
on reverse of
PO.

In case of 1. Check Approval of 30 PO /


unusual or whether the terms for Contract
non-regular terms and customised s
contracts, the Conditions of contracts
personnel unusual or
authorised as non-regular
per Authority contracts are
Matrix to approved by
approve the authorised
contract are personnel in
required to legal
obtain the department
approval of
personnel
authorised to
do so in Legal
department.

197
Internal Audit Checklist

Process Sub- Risk Control Test Attributes Sample Data Process


process Descriptio Performed tested size analytics Metrics
n performed

Contracts All PO / Check the Existence 30


are not contract existence of and storage Contract
stored / copies contracts s
kept in a (active/ with Buyers /
central / expired) are Manager -
safe maintained Legal
repository with the
to buyer.
safeguard Contracts on
company's stamp paper
interests are being
and to stored
prevent the centrally with
use of the Manager –
contract Legal.
which
might be
detrimental
to
company's
interests.

Vendor, At the time of 1. Compare Accuracy of 30 POs


order PO approval, the approved data
details are PO is printed, PO with the updation
not and the supporting
accurately details of the documents to
input in the order, vendor ensure
system. and terms of accuracy of
the order are data input.
checked for
accuracy by
the personnel
authorised to
approve the
PO as per the
Authoritiy
Matrix.

PO issued Receipts for 1. Check by Existence of GRN and GRN for % of

198
Purchase to Pay – Direct Material

Process Sub- Risk Control Test Attributes Sample Data Process


process Descriptio Performed tested size analytics Metrics
n performed
after the the goods raising a PO for PO dump which no GRNs
goods have cannot be dummy goods PO without
been entered in the receipt where received reference POs
received or ERP system PO does not PO date
goods / unless PO exist. after GRN
services exists 2. Compare date
may have ,therefore in the GRNs
been the system. with the PO
procured i.e. GRN to ensure
without cannot be that PO
raising a prepared in exists for all
PO the absence the goods
of PO receipt and
Reference in the POs are
the ERP dated prior to
system. GRN.

Vendor Compare the Existence of Vendor- PO date


invoices invoices PO for wise after
cannot be recorded in invoices Invoice Invoice
processed in vendors' booked listing date
ERP system accounts with
in absence of the PO listing
a PO in to ensure
system. that PO is
available for
invoices
booked.

Risk: Orders not clubbed to save logistics cost.
Control Description: A Purchases Report is generated monthly and is reviewed by Sr Manager - Commercial to ensure that same-location procurement requirements are evaluated for scheduling deliveries so as to reduce logistics / freight and related costs.
Test Performed: 1. Check the receipt of material vis-à-vis locations, date-wise and quantity-wise. 2. Check the monthly purchases report for evidence of the Sr Manager's review.
Attributes tested: Date, quantity, location, vendor, logistics provider.
Sample size: GRN dump and PO dump.
Data analytics performed: 1. Same date, same location, different supplier. 2. Close range of dates, same location, different supplier.
Process Metrics: Logistics cost per location / delivery.

Risk: Business share allocation amongst different vendors results in higher procurement prices.
Control Description: All POs are reviewed and approved as per the approved Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Test Performed: 1. Check that the PO is approved as per the Authority Matrix. 2. Check the ACL and confirm that it is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample size: 1. ACL 2. Authority Matrix 3. 30 POs.
Data analytics performed: Same material for different suppliers; item cost; lead time for delivery of material for different suppliers.
Process Metrics: Servicing time of each supplier for the same material.

Control Description: The Purchases MIS is reviewed monthly by a cross-functional team of the Heads of Purchases, Finance and Production, and the reasons for / costs arising from allocation of procurement among different vendors are analysed. Exceptions, if any, are taken into account at the time of placement of subsequent orders.
Test Performed: 1. Check the monthly purchases MIS for evidence of the HODs' review. 2. See the minutes of discussion and check whether the action points have been actioned upon.
Attributes tested: Monthly MIS review.
Sample size: MIS for 3 months.

Risk: Inadequate segregation of duties -- vendor identified by the user, and goods / services ordered directly by the user from the vendor (including determination of purchase price and other terms and conditions).
Control Description: Adequate segregation of duties (SOD) exists: all purchases are routed through the buying department, which is different from the user department. The same is ensured in the ERP system through updation of the Access Control List (ACL).
Test Performed: 1. Check that the user department does not have access to raise a PO, by attempting to create a dummy PO with the id of a buyer. 2. Check the ACL for existence of SOD.
Attributes tested: SOD.
Sample size: ACL.

Risk: Purchase against invalid contracts.
Control Description: The majority of contracts are generated for a calendar year, thereby facilitating timely renewal. Details of each of these time-bound contracts are maintained in a Tracker. As and when contracts are shown as due for renewal in the Tracker, they are reviewed to assess whether fresh terms and conditions / contracts need to be drawn up.
Test Performed: 1. Check the validity of the contracts. 2. Check the time gap between the date of expiry of a contract and the date of actual renewal.
Attributes tested: Timely renewal of contracts.
Sample size: Contracts dump.
Data analytics performed: No. of contracts; periodicity of the contracts; time taken for renewal of contracts.
Process Metrics: Periodicity of the contracts.

Risk: Vendors not challenged on a regular basis to bring down the price of supply.
Control Description: Negotiations are conducted with approved vendors on an annual and routine basis to reduce the cost of purchase. Also, quotes are compared for negotiations during the appraisal of the vendors. This is done by the personnel approved as per the Authority Matrix.
Test Performed: 1. Compare the approved PO with the subsequent reductions in the prices. 2. Check the market rates for the bulk items / critical items and their movements during the time period of the audit.
Attributes tested: Price fluctuations.
Sample size: PO dump.
Data analytics performed: Movement in market price of items over a period; movement in purchase price of the items over a period of time.
Process Metrics: Acquisition price as compared to the market price.

Control Description: The MIS is reviewed by a cross-functional team of HODs for critical items and costs. Actionables, if any, are flagged off for implementation.
Test Performed: 1. Check the MIS for evidence of the HODs' review. 2. See the minutes of discussion and check whether the action points have been actioned upon.
Attributes tested: Monthly MIS review.
Sample size: MIS for 3 months.

Risk: Duplicate orders.
Control Description: The MIS is reviewed by a cross-functional team of HODs for critical items and costs. Actionables, if any, are flagged off for implementation.
Test Performed: 1. Check the MIS for evidence of the HODs' review. 2. See the minutes of discussion and check whether the action points have been actioned upon.
Attributes tested: Monthly MIS review.
Sample size: MIS for 3 months.

Control Description: An exception report is generated at the time of processing of invoices for POs / invoices sharing certain attributes, such as supplier, quantity and PR reference, and is reviewed by HOD Commercial.
Test Performed: Check the linking of the attributes and the exception report generated for any duplicate orders. Sort the invoice / PO dump on the attributes and check for common information.
Attributes tested: Quantities, PO numbers, PR reference, supplier name.
Sample size: Invoice / PO dump, linked with the PR dump.
Data analytics performed: Difference in PO and PR quantity; check in the supplier ledger for duplicate payments.

Control Description: All POs are reviewed for accuracy and correctness and approved as per the Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Test Performed: 1. Check that the PO is approved as per the Authority Matrix. 2. Check the ACL and confirm that it is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample size: 1. ACL 2. Authority Matrix 3. 30 POs.

Risk: All POs are not recorded.
Control Description: POs are sequentially pre-numbered. The sequence of POs processed is accounted for.
Test Performed: 1. Check whether there are any missing serial numbers in the POs.
Attributes tested: Serial control.
Sample size: PO dump.
Data analytics performed: No. of POs raised; No. of POs raised manually.
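
The data analytics named in the ordering rows above (GRNs without a PO reference, PO dated after the GRN, invoices without a PO, POs or invoices sharing supplier / quantity / PR reference, and gaps in the pre-numbered PO sequence) can all be run over the PO, GRN and invoice dumps. The following Python is an added example written for this edition, not code from the original checklist; the dump column names and the sample records are constructed assumptions and would have to be mapped onto the real ERP extract.

```python
"""Purchase-order / GRN / invoice analytics over constructed ERP dumps.

Added example, not part of the checklist. The dump layouts (column names) and
the sample records are constructed assumptions; a real extract needs mapping.
"""
from collections import defaultdict
from datetime import date

# Constructed PO dump (hypothetical records). PO-1004 is deliberately absent
# so that the serial-control check has something to find.
PO_DUMP = [
    {"po_no": "PO-1001", "po_date": date(2024, 4, 1), "supplier": "ACME", "pr_ref": "PR-51", "qty": 100},
    {"po_no": "PO-1002", "po_date": date(2024, 4, 3), "supplier": "ACME", "pr_ref": "PR-51", "qty": 100},
    {"po_no": "PO-1003", "po_date": date(2024, 4, 9), "supplier": "BETA", "pr_ref": "PR-52", "qty": 40},
    {"po_no": "PO-1005", "po_date": date(2024, 4, 12), "supplier": "GAMMA", "pr_ref": "PR-53", "qty": 10},
]
# Constructed GRN dump.
GRN_DUMP = [
    {"grn_no": "GRN-7", "grn_date": date(2024, 4, 5), "po_no": "PO-1001"},
    {"grn_no": "GRN-8", "grn_date": date(2024, 4, 8), "po_no": "PO-1003"},  # received before PO-1003 was raised
    {"grn_no": "GRN-9", "grn_date": date(2024, 4, 10), "po_no": None},      # receipt with no PO reference
]
# Constructed vendor-wise invoice listing.
INVOICE_DUMP = [
    {"inv_no": "INV-1", "supplier": "ACME", "po_no": "PO-1001", "pr_ref": "PR-51", "qty": 100},
    {"inv_no": "INV-2", "supplier": "ACME", "po_no": "PO-1002", "pr_ref": "PR-51", "qty": 100},
    {"inv_no": "INV-3", "supplier": "DELTA", "po_no": "PO-9999", "pr_ref": "PR-60", "qty": 5},  # PO not in dump
]


def grns_without_po(grns, pos):
    """GRNs carrying no PO reference, or a reference that is not in the PO dump."""
    po_nos = {p["po_no"] for p in pos}
    return [g["grn_no"] for g in grns if g["po_no"] not in po_nos]


def po_dated_after_grn(grns, pos):
    """GRNs whose receipt date precedes the PO date: the PO was raised after the goods arrived."""
    po_date = {p["po_no"]: p["po_date"] for p in pos}
    return [g["grn_no"] for g in grns
            if g["po_no"] in po_date and g["grn_date"] < po_date[g["po_no"]]]


def invoices_without_po(invoices, pos):
    """Invoices booked against a PO number that does not exist in the PO dump."""
    po_nos = {p["po_no"] for p in pos}
    return [i["inv_no"] for i in invoices if i["po_no"] not in po_nos]


def missing_po_serials(pos, prefix="PO-"):
    """Gaps in the pre-numbered PO sequence (serial control)."""
    nums = sorted(int(p["po_no"][len(prefix):]) for p in pos)
    present = set(nums)
    return [f"{prefix}{n}" for n in range(nums[0], nums[-1] + 1) if n not in present]


def duplicate_order_candidates(records, key_fields=("supplier", "qty", "pr_ref"), id_field="po_no"):
    """Records sharing supplier, quantity and PR reference; groups of more than one are exceptions."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[f] for f in key_fields)].append(r[id_field])
    return {k: v for k, v in groups.items() if len(v) > 1}


def run_all(pos=PO_DUMP, grns=GRN_DUMP, invoices=INVOICE_DUMP):
    """Exception report over all checks, keyed by check name."""
    return {
        "grn_without_po": grns_without_po(grns, pos),
        "po_after_grn": po_dated_after_grn(grns, pos),
        "invoice_without_po": invoices_without_po(invoices, pos),
        "missing_po_serials": missing_po_serials(pos),
        "duplicate_pos": duplicate_order_candidates(pos),
        "duplicate_invoices": duplicate_order_candidates(invoices, id_field="inv_no"),
    }


if __name__ == "__main__":
    for check, hits in run_all().items():
        print(f"{check}: {hits}")
```

Each function returns the exception list for one row of the checklist; `run_all()` gathers them into the exception report the HOD Commercial review would be evidenced against. On the constructed data it flags GRN-9 (no PO), GRN-8 (received before its PO date), INV-3 (no such PO), PO-1004 (serial gap) and the PO-1001 / PO-1002 and INV-1 / INV-2 pairs as duplicate-order candidates.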

Control Description: In case of emergency purchases, purchases made without an indent / PO need to be specifically approved as per the Authority Matrix.
Test Performed: 1. Check that there exists specific approval for purchases without an indent or PO, as per the Authority Matrix.
Attributes tested: Approval.
Sample size: Invoice dump.

Risk: Validity of the open POs / contracts.
Control Description: The list of open POs / contracts is reviewed monthly by Sr Manager - Commercial. Redundant / expired POs are purged from the list.
Test Performed: 1. Check the validity of the open POs / contracts.
Attributes tested: Open PO dates.
Sample size: Open PO listing.
Data analytics performed: Open PRs and POs ageing – periodic review and closure process.
Process Metrics: Delay in receipt of materials as compared to PO date.

Process: Receiving
Risk: Stock-outs due to delays in delivery of stocks ordered through open POs.
Control Description: An open PO list is prepared on a weekly basis by the Commercial department. This is used as the basis for tracking timely deliveries by the buyers.
Test Performed: 1. Check the instances of stock-outs and review the justification / root cause for the same. 2. Check whether the buyers track deliveries against the open PO list.
Attributes tested: 1. Open PO dates 2. Stock-outs.
Sample size: 1. 10 weeks' open PO lists 2. Stock-out event list.
Data analytics performed: Open PRs and POs ageing – periodic review and closure process.
Process Metrics: Delay in receipt of materials as compared to PO date.

Risk: Goods received may not be recorded.
Control Description: Statements received from vendors are reconciled to the vendor accounts in the accounts payable sub-ledger quarterly, and differences are investigated. This is reviewed by AM – Accounts.
Test Performed: 1. Check that the vendor accounts reconciliation is done on a periodic basis. 2. Check that the differences, if any, are reconciled and are not carried forward.
Attributes tested: Vendor reconciliation.
Sample size: Vendor reconciliation statements.

Control Description: The stock is physically verified at least once a year by the Accounts department / independent auditors. Variances, if any, are reconciled with the books of accounts to ensure accuracy of the books of accounts.
Test Performed: 1. Check the working papers of the physical verification and see that the differences, if any, were reconciled and accounted for.
Attributes tested: Periodicity, and variances noted in physical verification.
Sample size: Physical verification statements and reconciliation.

Risk: Goods and services accepted without proper inspection and verification.
Control Description: The receiving personnel are required to match the goods received with the open purchase orders. In case the goods received do not match the quantities or specifications, or exceed the purchase order quantity, they are rejected.
Test Performed: 1. Check whether a GRN can be raised for items without a PO, or for items that do not meet the PO specifications.
Attributes tested: Specifications.
Sample size: 30 GRNs.

Control Description: All receipts are reviewed and approved by the personnel as per the Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Test Performed: 1. Check that the GRN is approved as per the Authority Matrix. 2. Check the ACL and confirm that it is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample size: 1. ACL 2. Authority Matrix 3. 30 GRNs.

Risk: Quantity received in excess of the ordered quantity.
Control Description: The receiving personnel are required to match the goods received with the open purchase orders. In case the goods received do not match the quantities or specifications, or exceed the purchase order quantity, they are rejected.
Test Performed: Check whether a GRN can be raised for items without a PO, or for items that do not meet the PO specifications.
Attributes tested: Specifications.
Sample size: 30 GRNs.

Control Description: All receipts are reviewed and approved by the personnel as per the Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Test Performed: 1. Check that the GRN is approved as per the Authority Matrix. 2. Check the ACL and confirm that it is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample size: 1. ACL 2. Authority Matrix 3. 30 GRNs.

Risk: Quantity received has not been ordered.
Control Description: The receiving personnel are required to match the goods received with the open purchase orders. In case the goods received do not match the quantities or specifications, or exceed the purchase order quantity, they are rejected.
Test Performed: 1. Check whether a GRN can be raised for items without a PO, or for items that do not meet the PO specifications.
Attributes tested: Specifications.
Sample size: 30 GRNs.

Control Description: All receipts are reviewed and approved by the personnel as per the Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Test Performed: 1. Check that the GRN is approved as per the Authority Matrix. 2. Check the ACL and confirm that it is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample size: 1. ACL 2. Authority Matrix 3. 30 GRNs.

Risk: Quantity ordered but received before the due date.
Control Description: The receiving personnel are required to match the goods received with the open purchase orders. In case the goods are received before the due date, or do not match the quantities or specifications, or exceed the purchase order quantity, they are rejected.
Test Performed: Check whether a GRN can be raised for items received before the due date, or without a PO, or that do not meet the PO specifications.
Attributes tested: Specifications.
Sample size: 30 GRNs.

Control Description: All receipts are reviewed and approved by the personnel as per the Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Test Performed: 1. Check that the GRN is approved as per the Authority Matrix. 2. Check the ACL and confirm that it is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample size: 1. ACL 2. Authority Matrix 3. 30 GRNs.

Risk: Unauthorized person can create receipts.
Control Description: All receipts are reviewed and approved by the personnel as per the Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Test Performed: 1. Check that the GRN is approved as per the Authority Matrix. 2. Check the ACL and confirm that it is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample size: 1. ACL 2. Authority Matrix 3. 30 GRNs.

Risk: Terms and conditions of acceptance of goods at the factory gate (before the goods have been approved by quality) may be detrimental to the interests of the company.
Control Description: The receiving stamp that is used to acknowledge receipt of goods at the gate on the GRN bears the inscription 'goods are being received subject to count and quality procedures'.
Test Performed: Check that the GRNs are being marked with the stamp 'goods are being received subject to count and quality procedures'.
Attributes tested: Appropriate stamp on the GRNs.
Sample size: 30 GRNs.

Risk: Inappropriate quality of material accepted.
Control Description: Before the GRN is sent to Accounts for booking the liability, or the goods are sent to the store, the quality department is required to certify the quality of the material received in accordance with the set guidelines. The store clerk will not accept the goods unless "QC checked" is stamped on the GRN. Also, Accounts will not book the liability and process the payment unless the QC-checked stamped GRN is received by them. In the event that a quality check is not required for any item, that item should be part of the QC exceptions list, which is reviewed on a monthly basis.
Test Performed: 1. Check whether the GRNs have been marked as approved by the Quality Department. 2. Review the exception report for goods rejected due to quality constraints at the shop floor.
Attributes tested: Post-QC rejections.
Sample size: 1. 30 GRNs 2. Exception report raised for post-QC rejections.
Data analytics performed: 1. Number of post-QC rejections. 2. Number of items rejected during the period.

Control Description: Access to certify the quality of material is restricted as per the Authority Matrix in the ERP.
Test Performed: 1. Review the Access Control List for access given to personnel other than those authorised for certifying the quality of the goods.
Attributes tested: Access rights for certifying quality.
Sample size: Access Control List.

Risk: Delay in clearing and forwarding of imported goods.
Control Description: The report on demurrage charges incurred due to delay in C&F of imported goods is reviewed by Sr. Manager - Receiving and Manager - Accounts monthly. Also, these charges are separately disclosed in the MIS for Sr. Management review.
Test Performed: Check the demurrage charges paid and the justification for the same.
Attributes tested: Demurrage charges.
Sample size: Dump of the demurrage charges ledger balance.
Data analytics performed: Demurrage charges and their linking to receipt of goods.
Risk: Unauthorised or inaccurate release of payments for transporter dues.
Control Description: All transporter claims are authorised by the Sr. Manager - Stores prior to payment by Accounts. This is based on the agreements with the vendors / transporters.
Test Performed: Check the supporting documents for the claims, viz. agreements, if any, / rate contract.
Attributes tested: Transporter charges.
Sample size: 30 transporter invoices.

Risk: CENVAT not availed / short availed / excess availed.
Control Description: Monthly reconciliation of the CENVAT account and the CENVAT register is done jointly by Stores and Accounts.
Test Performed: Check the CENVAT reconciliation for long-outstanding items and check the justifications for the same.
Attributes tested: Periodicity of reconciliation and reasons for outstanding items.
Sample size: 3 months' reconciliation.

Process: Invoice Processing
Risk: Invoices may be booked incorrectly.
Control Description: Before any invoice is approved for booking, AM - Accounts performs a three-way match of the PO, GRN and invoice.
Test Performed: Check that the invoice is supported by a duly authorised PO and GRN.
Attributes tested: Supporting documents.
Sample size: 30 invoices.
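
The three-way match in the row above is the control that the receiving rows (excess quantity, unordered quantity, goods not meeting specification) ultimately rely on. As an added example, not code from the checklist, the following Python shows the match as a system would apply it before an invoice is released for booking: PO existence, supplier agreement, invoiced quantity against accepted GRN quantity, GRN quantity against PO quantity, and unit price against the PO price. The record layouts, the tolerances and the sample documents are constructed assumptions.

```python
"""Three-way match of PO, GRN and invoice before an invoice is approved for booking.

Added example, not part of the checklist. The record layouts, the tolerances
and the sample documents are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PO:
    po_no: str
    supplier: str
    qty: int
    unit_price: float


@dataclass(frozen=True)
class GRN:
    grn_no: str
    po_no: str
    qty_accepted: int  # quantity passed by QC, not quantity delivered


@dataclass(frozen=True)
class Invoice:
    inv_no: str
    supplier: str
    po_no: str
    qty: int
    unit_price: float


# Assumed tolerances: the checklist rejects excess quantity outright, so none is
# allowed on quantity; a small price tolerance is assumed for rounding.
QTY_TOLERANCE = 0
PRICE_TOLERANCE = 0.01  # 1 % of the PO unit price


def three_way_match(inv, pos, grns):
    """Return the list of exception codes for one invoice; an empty list means it may be booked."""
    po = pos.get(inv.po_no)
    if po is None:
        return ["NO_PO"]  # nothing else can be checked without the PO
    issues = []
    if po.supplier != inv.supplier:
        issues.append("SUPPLIER_MISMATCH")
    received = sum(g.qty_accepted for g in grns if g.po_no == inv.po_no)
    if received == 0:
        issues.append("NO_GRN")
    elif inv.qty > received + QTY_TOLERANCE:
        issues.append("QTY_EXCEEDS_GRN")
    if received > po.qty + QTY_TOLERANCE:
        issues.append("GRN_EXCEEDS_PO")
    if abs(inv.unit_price - po.unit_price) > PRICE_TOLERANCE * po.unit_price:
        issues.append("PRICE_VARIANCE")
    return issues


def match_all(invoices, pos, grns):
    """Run the match for every invoice in a batch; the result is the exception report."""
    return {inv.inv_no: three_way_match(inv, pos, grns) for inv in invoices}


# Constructed sample documents (hypothetical).
POS = {
    "PO-1001": PO("PO-1001", "ACME", 100, 50.0),
    "PO-1003": PO("PO-1003", "BETA", 40, 120.0),
}
GRNS = [
    GRN("GRN-7", "PO-1001", 100),
    GRN("GRN-8", "PO-1003", 45),  # 45 accepted against 40 ordered
]
INVOICES = [
    Invoice("INV-1", "ACME", "PO-1001", 100, 50.0),   # clean
    Invoice("INV-2", "BETA", "PO-1003", 45, 130.0),   # over-receipt and price variance
    Invoice("INV-3", "DELTA", "PO-9999", 5, 10.0),    # no such PO
    Invoice("INV-4", "ACME", "PO-1001", 120, 50.0),   # billed more than received
]

if __name__ == "__main__":
    for inv_no, issues in match_all(INVOICES, POS, GRNS).items():
        print(inv_no, "OK" if not issues else ", ".join(issues))
```

The match sums every accepted GRN on the PO and does not subtract quantities already invoiced, so a second invoice for the same receipt would pass it; that is the gap the "Processed" defacing stamp in the duplicate-booking row closes, and a system implementation would additionally keep an invoiced-to-date figure per PO line.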

Control Description: In case of emergency purchases, the invoice is verified against the GRN and the subsequent approval obtained for the purchase from authorised personnel.
Test Performed: Check that the invoice is supported by a GRN and by post-purchase approval from the authorised personnel.
Attributes tested: Supporting documents.
Sample size: 30 invoices.

Risk: Same invoice may be booked more than once.
Control Description: At the time of booking of the invoice, the invoice is defaced with the stamp "Processed" by the Booking Clerk.
Test Performed: Check that the invoices are defaced at the time of booking.
Attributes tested: Defacing of invoice.
Sample size: 30 invoices.

Control Description: Once an invoice is booked, the supporting documents, viz. GRN, PO and indent, are attached to it. Invoices without these cannot be processed.
Test Performed: Check that the invoice is supported by a duly authorised PO and GRN.
Attributes tested: Supporting documents.
Sample size: 30 invoices.

Risk: Unapproved invoices are processed.
Control Description: The invoices, before being processed, are reviewed by AM - Accounts.
Test Performed: Check the approval of AM - Accounts on the invoice.
Attributes tested: Approval of AM - Accounts.
Sample size: 30 invoices.

Control Description: Access rights to process the invoices are restricted to the authorised personnel and are entered in the Access Control List (ACL) in the ERP system.
Test Performed: Check the Access Control List for the access rights given to the authorised personnel.
Attributes tested: Access rights.
Sample size: ACL.

Risk: Delay in accounting of invoices.
Control Description: Statements received from vendors are reconciled to the vendor accounts in the accounts payable sub-ledger quarterly, and differences are investigated. This is reviewed by AM – Accounts.
Test Performed: 1. Check the periodicity of vendor reconciliation. 2. Sample-check the pending items in the reconciliations for invoices pending booking and confirm the reasons for the same.
Attributes tested: Timeliness of booking of invoices.
Sample size: Reconciliation for 30 vendors.
Data analytics performed: Time taken for booking of invoices from the date of receipt of material.

Control Description: The list of Goods Received Not Invoiced (GRNI) and the items with Quality Control are reviewed monthly to ensure that there are no delays in booking the liability.
Test Performed: 1. Check the ageing of the temporary GRNs raised for material with the Quality Control department, and of the GRNIs. 2. Ensure that the same are accounted for in the books as a liability in the suspense accounts.
Attributes tested: Ageing of GRNI and of material being held by QC.
Sample size: Dump of GRNI and material with QC.
Data analytics performed: 1. Time taken for QC of material procured. 2. Time taken for booking of the invoices from the date of receipt of material.

Risk: Delay in raising debit / credit notes.
Control Description: Statements received from vendors are reconciled to the vendor accounts in the accounts payable sub-ledger quarterly, and differences are investigated. This is reviewed by AM – Accounts.
Test Performed: 1. Check the vendor reconciliation for the periodicity of reconciliation. 2. Sample-check the pending items in the reconciliations for debit / credit notes yet to be raised. Confirm the reasons for the same.
Attributes tested: Timeliness of raising debit / credit notes.
Sample size: Reconciliation for 30 vendors.
Data analytics performed: Time taken for issuing debit / credit notes from the date of booking of invoices or the date of receipt of material.

Risk: Unauthorized debit / credit notes may be raised.
Control Description: The debit / credit notes are approved by the authorised personnel. The same is entered in the Access Control List existing in the ERP system.
Test Performed: 1. Check that the access control list defined in the ERP system is as per the approved Authority Matrix. 2. Check that adequate back-up / supporting documents exist for issuing debit / credit notes.
Attributes tested: 1. Approvals 2. Reasons for issuance.
Sample size: 30 debit / credit notes.
Data analytics performed: 1. Number of debit / credit notes issued vis-à-vis the number of purchases made. 2. Value of debit / credit notes issued vis-à-vis the value of purchases made.

Process: Accounting
Risk: Unauthorised payments.
Control Description: The payment voucher with the required supporting documents is reviewed by authorised personnel. The Authority Matrix is entered in the Access Control List (ACL) in the ERP system. The supporting documentation is cancelled or defaced once it is reviewed and the payment voucher is approved.
Test Performed: 1. Check that the Access Control List in the ERP is as per the Authority Matrix. 2. Check that the requisite supporting documents are attached to the payment voucher. 3. Check that the supporting documents are defaced for the approved vouchers.
Attributes tested: 1. Access Control List 2. Supporting documents.
Sample size: 1. Access Control List 2. Authority Matrix 3. 30 payment vouchers.

Control Description: At the time of processing a vendor invoice for payment, AM - Accounts is required to identify and set off all the advances pending adjustment for that vendor.
Test Performed: 1. Check that there are no amounts pending adjustment for vendors where all the invoices have been paid. See the justification for exceptions. 2. Scrutinise the vendor accounts / party accounts for cases where amounts have been split to avoid the Authority Matrix.
Attributes tested: 1. Unlinked amounts in vendor accounts pending adjustment. 2. Multiple payments on the same or nearby dates.
Sample size: 30 vendor accounts.
Data analytics performed: Same vendor, same date, more than one payment.

Control Description: The listing of vendor payments is reviewed prior to release of payment by the authorised person.
Test Performed: 1. Check the evidence of review on the vendor payment list.
Attributes tested: Review.
Sample size: 30 vendor payment lists.

Control Description: The personnel making the payment (whether through cheque / DD / wire transfer) are authorised persons.
Test Performed: 1. Check the approval for the authority to make the payment. 2. Check whether the same has been communicated to the bank.
Attributes tested: Approval.
Sample size: Authority Matrix.

Control Description: Management periodically reviews the returned paid cheques for unauthorised signatures and / or alterations.
Test Performed: 1. Check the evidence of the management review.
Attributes tested: Review.
Sample size: Returned cheques.

Risk: Payments are made to incorrect vendors.
Control Description: The payment voucher with the required supporting documents is reviewed by authorised persons. The supporting documentation is cancelled or defaced once it is reviewed and the payment voucher is approved.
Test Performed: 1. Check that the ACL in the ERP is as per the approved Authority Matrix. 2. Check that the requisite supporting documents are attached to the payment voucher. 3. Check that the supporting documents are defaced for the approved vouchers.
Attributes tested: 1. Access Control List 2. Supporting documents.
Sample size: 1. Access Control List 2. Authority Matrix 3. 30 payment vouchers.

Control Description: The listing of vendor payments is reviewed prior to release of payment by the authorized person. Cheques / DDs are restrictively endorsed by the preparer to ensure that they are paid to the specific payee.
Test Performed: Check the evidence of review on the vendor payment list.
Attributes tested: Management review.
Sample size: 30 vendor payment lists.

Control Description: Management periodically reviews the returned paid cheques for unauthorised signatures and / or alterations.
Test Performed: Check the evidence of the management review.
Attributes tested: Management review.
Sample size: Returned cheques.

Risk: Duplicate payments.
Control Description: The payment voucher with the required supporting documents is reviewed by an authorised person. The supporting documentation is cancelled or defaced once it is reviewed and the payment voucher is approved.
Test Performed: 1. Check that the Access Control List in the ERP is as per the approved Authority Matrix. 2. Check that the requisite supporting documents are attached to the payment voucher. 3. Check that the supporting documents are defaced for the approved vouchers.
Attributes tested: 1. Access Control List 2. Supporting documents.
Sample size: 1. Access Control List 2. Authority Matrix 3. 30 payment vouchers.
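
The payment-run analytics named in the Accounting rows above (the "same vendor, same date, more than one payment" test, duplicate payments, amounts split to stay below an approval limit, and advances left unadjusted after all invoices are paid) can be run over a payment dump. The following Python is an added example for this edition, not code from the checklist; the column names, the approval limit and the sample records are constructed assumptions.

```python
"""Payment-run analytics over a constructed vendor payment dump.

Added example, not part of the checklist. The column names, the approval
limit and the sample records are constructed assumptions.
"""
from collections import defaultdict
from datetime import date

# Assumed single-approver limit taken from a hypothetical Authority Matrix.
APPROVAL_LIMIT = 50_000

# Constructed payment dump (hypothetical records).
PAYMENTS = [
    {"pay_id": "P1", "vendor": "ACME", "date": date(2024, 5, 2), "amount": 60_000, "inv_no": "INV-1"},
    {"pay_id": "P2", "vendor": "ACME", "date": date(2024, 5, 2), "amount": 60_000, "inv_no": "INV-1"},  # INV-1 paid twice
    {"pay_id": "P3", "vendor": "BETA", "date": date(2024, 5, 6), "amount": 30_000, "inv_no": "INV-5"},
    {"pay_id": "P4", "vendor": "BETA", "date": date(2024, 5, 6), "amount": 30_000, "inv_no": "INV-6"},  # two payments under the limit
    {"pay_id": "P5", "vendor": "GAMMA", "date": date(2024, 5, 7), "amount": 12_000, "inv_no": "INV-8"},
]
# Constructed positions per vendor: open (unadjusted) advances and invoices still pending.
OPEN_ADVANCES = {"ACME": 10_000, "BETA": 0, "GAMMA": 5_000}
OPEN_INVOICES = {"GAMMA": ["INV-9"]}


def _group(payments, key_fields):
    """Bucket payment records by the given fields."""
    groups = defaultdict(list)
    for p in payments:
        groups[tuple(p[f] for f in key_fields)].append(p)
    return groups


def duplicate_payments(payments):
    """Same vendor, same invoice reference and same amount paid more than once."""
    return {k: [p["pay_id"] for p in v]
            for k, v in _group(payments, ("vendor", "inv_no", "amount")).items() if len(v) > 1}


def same_vendor_same_date(payments):
    """More than one payment to one vendor on one date (the checklist's Same Vendor-Same Date test)."""
    return {k: [p["pay_id"] for p in v]
            for k, v in _group(payments, ("vendor", "date")).items() if len(v) > 1}


def possible_split_payments(payments, limit=APPROVAL_LIMIT):
    """Same-day payments to a vendor that are each below the approval limit but exceed it in total."""
    out = {}
    for k, v in _group(payments, ("vendor", "date")).items():
        total = sum(p["amount"] for p in v)
        if len(v) > 1 and total >= limit and all(p["amount"] < limit for p in v):
            out[k] = total
    return out


def advances_not_set_off(open_advances, open_invoices):
    """Vendors still carrying an advance although no invoice is pending against them."""
    return sorted(v for v, amt in open_advances.items() if amt > 0 and not open_invoices.get(v))


if __name__ == "__main__":
    print("duplicate payments:", duplicate_payments(PAYMENTS))
    print("same vendor, same date:", same_vendor_same_date(PAYMENTS))
    print("possible split payments:", possible_split_payments(PAYMENTS))
    print("advances not set off:", advances_not_set_off(OPEN_ADVANCES, OPEN_INVOICES))
```

On the constructed data the ACME pair is a duplicate payment, the BETA pair is a same-day split that together crosses the assumed limit, and ACME carries an advance with nothing left to set it off against; each finding maps to one review point in the rows above and would be taken to the vendor account scrutiny for justification.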

Risk: Non-receipt of material against advances.
Control Description: The listing of open POs is reviewed monthly to check for cases of delayed supplies where advances have been released to the vendors.
Test Performed: 1. Check the due dates in the open POs / contracts. 2. Check the reasons for delays in supplies.
Attributes tested: 1. Open PO dates 2. Justification for delays.
Sample size: Open PO listing.
Data analytics performed: Open PRs and POs ageing – periodic review and closure process.
Process Metrics: Delay in receipt of materials as compared to PO date.
Control Description: Ageing of the party debit balances is reviewed monthly, and account reconciliation is done on a quarterly basis.
Test Performed: 1. Check the debit balances appearing in the supplier's account and the ageing thereof. 2. Check whether any unauthorized advance has been given to the supplier. 3. Check whether the advances have been adjusted correctly while accounting for receipt of goods.
Attributes tested: 1. Approvals 2. Amount 3. Receipt of material 4. Due date.
Sample size: Vendors' accounts and the advances ageing statement.
Data analytics performed: Advances ageing statement and due date for receipt of supplies.
Process Metrics: Old outstanding items in the ageing report.
Risk: Wrong foreign exchange rates used for conversion of foreign currency invoices.
Control Description: Weekly foreign currency rates are updated in the ERP system by the authorised person.
Test Performed: Compare the rates applied for invoice processing with the RBI rate.
Attributes tested: Exchange rate applied.
Sample size: Forex rates for 10 weeks.

Checklist 19
Purchase to Pay – Indirect Material and Services

Columns: Process | Sub-process | Risk | Control Description | Control Owner | Test Performed | Attributes tested | Sample size (* may vary upon organization size, policy, decision) | Data analytics performed

Process: Procurement of Indirect Material and Services
Sub-process: General and entity level control
Risk: Procurement policy and Authority Matrix may not be prepared or approved by the Board of Directors, thus leading to the risk of procurement at conditions unfavourable to the organisation.
Control Description: The organisation has a clear and comprehensive (up to date) indirect material and service procurement policy, as approved by the Board of Directors (BOD) or designated authority.
Control Owner: As per company policy.
Test Performed: 1. Check that a clear, updated procurement policy approved by the BOD or designated authority exists. 2. Check that it addresses all attributes related to service procurement.
Attributes tested: 1. Approved procurement policy 2. Completeness.
Sample size: Approved procurement policy.
Data analytics performed: NA.

Control Description: 1. The organization has a clear and comprehensive (up to date) Delegation of Authority (DOA) / Delegation of Power (DOP) and Authority Matrix. 2. The Authority Matrix is approved by the Board of Directors, defining the authorities for approving purchase transactions or performing various transactions during the purchase process.
Control Owner: As per company policy.
Test Performed: 1. Check that the indirect material and service procurement DOA / DOP is available and approved by the BOD.
Attributes tested: Approved DOA / DOP for purchase.
Sample size: Approved DOA / DOP from the BOD.
Data analytics performed: NA.

Risk: Inadequate segregation of duties and access rights, which may result in fraudulent / unauthorised transactions.
Control Description: 1. A document defining appropriate Segregation of Duties (SOD) is in place. 2. Access rights (Write / Read / Delete / Modify) of the various people in the organization are reviewed periodically to ensure appropriate SOD and avoid any unauthorized transactions. 3. Periodic review of Segregation of Duties and access rights is conducted.
Control Owner: As per company policy.
Test Performed: 1. Check the documented SOD and access right list, and that they are duly updated. 2. Verify that the same SOD and access rights are also input in the system for approval of transactions. 3. Verify evidence of periodic review of SOD and access rights in the ERP system.
Attributes tested: 1. Documented SOD and access rights 2. Periodic review.
Sample size: 1. SOD 2. Access right list 3. Half-yearly review period document.
Data analytics performed: Analyse the transactions carried out during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person. 3. Internal Auditor to review the circumstances of conflict of interest.
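
The data analytics in the row above (unauthorised users performing transactions, conflicting transaction rights granted to one person) and the direct-material SOD row in the previous checklist (the user department must not be able to raise a PO) are all checks over the ERP Access Control List, the HR department master and the transaction log. The following Python is an added example for this edition, not code from the checklist; the right names, the conflict pairs, the department rule, the users and the log entries are constructed assumptions.

```python
"""Segregation-of-duties review of an ERP Access Control List (ACL) and transaction log.

Added example, not part of the checklist. The right names, the conflict pairs,
the department rule, the users and the log entries are constructed assumptions.
"""

# Assumed SOD rules: pairs of rights one user id must never hold together.
SOD_CONFLICTS = [
    ("raise_po", "approve_po"),
    ("raise_po", "create_grn"),
    ("create_grn", "book_invoice"),
    ("book_invoice", "approve_payment"),
]
# Assumed department rule: only the buying department may raise POs
# (the checklist's 'user department cannot raise a PO' control).
DEPARTMENT_RULES = {"raise_po": {"Purchase"}}

# Constructed ACL dump: user id -> rights granted in the ERP.
ACL = {
    "asha": {"raise_po", "approve_po"},          # raises and approves her own POs
    "ravi": {"raise_po"},
    "meena": {"create_grn"},
    "john": {"book_invoice", "approve_payment"},  # books and pays invoices
    "priya": {"raise_po"},                        # a user-department employee with buyer rights
}
# Constructed HR master: user id -> department.
DEPARTMENT = {"asha": "Purchase", "ravi": "Purchase", "meena": "Stores",
              "john": "Accounts", "priya": "Production"}
# Constructed transaction log: (user id, transaction type, document reference).
TRANSACTION_LOG = [
    ("ravi", "raise_po", "PO-1001"),
    ("meena", "create_grn", "GRN-7"),
    ("meena", "book_invoice", "INV-1"),  # right not held in the ACL
    ("priya", "raise_po", "PO-1002"),
]


def conflicting_rights(acl, conflicts=SOD_CONFLICTS):
    """Users holding both rights of any conflict pair, with the pairs they violate."""
    findings = {}
    for user, rights in sorted(acl.items()):
        hits = [pair for pair in conflicts if set(pair) <= rights]
        if hits:
            findings[user] = hits
    return findings


def unauthorised_transactions(log, acl):
    """Log entries whose user does not hold the right for that transaction in the ACL."""
    return [(user, txn, ref) for user, txn, ref in log if txn not in acl.get(user, set())]


def rights_outside_department(acl, department, rules=DEPARTMENT_RULES):
    """Rights granted to users whose department may not hold them."""
    out = []
    for user, rights in sorted(acl.items()):
        for right, allowed in rules.items():
            if right in rights and department.get(user) not in allowed:
                out.append((user, right))
    return out


if __name__ == "__main__":
    print("SOD conflicts:", conflicting_rights(ACL))
    print("unauthorised transactions:", unauthorised_transactions(TRANSACTION_LOG, ACL))
    print("rights outside department:", rights_outside_department(ACL, DEPARTMENT))
```

The first check is run against the ACL alone and answers "does the configured access match the Authority Matrix"; the second compares what was actually done with what was permitted, which is the only way to catch a right granted temporarily and later withdrawn, or a transaction posted through a path the ACL does not govern. On the constructed data the review would report asha and john as SOD conflicts, meena's invoice booking as an unauthorised transaction, and priya's buyer right as granted outside the buying department.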

Risk: SOP may not be defined to ensure consistency and standardization of operations.
Control Description: 1. The organization has clearly defined Standard Operating Procedures, and they are in place. 2. The SOP should define the sequence of activities, roles and responsibilities, Key Performance Indicators (KPIs), timelines and frequency of activities, along with the various documents to be maintained by the organization for procurement of indirect material and service transactions.
Control Owner: As per company policy.
Test Performed: 1. Check that the SOP is available and complete in all aspects of roles, KPIs, timelines and frequency of activities, etc. 2. Check when the SOP was last updated and, if it has not been updated for a long time, enquire the reason for not updating it.
Attributes tested: Approved SOP and completeness.
Sample size: Updated SOP.
Data analytics performed: NA.
Risk: A review system to mitigate the risk of inappropriate transactions may not be in place.
Control Description: A review system is in place to mitigate risk in procurement of indirect material and services: 1. A Management Information System (MIS) for monitoring of procurement of indirect material and services is in place. 2. A risk management system is in place to identify and mitigate risks related to procurement of indirect materials and services. 3. A fraud risk assessment activity is conducted by management frequently.
Control Owner: As per company policy.
Test Performed: 1. Review the appropriateness of the Management Information System (MIS) for regular monitoring of operations and financial activities by senior / top management, especially for any management override of controls. 2. Review that an appropriate Risk Management System is in place to identify and mitigate the various risks related to the procurement activities of the organization. 3. Review that a Fraud Risk Assessment activity is conducted, and that fraud risks are identified along with the relevant controls to avoid any fraudulent transactions, viz. unapproved transactions, fictitious invoices and payments, etc.
Attributes tested: 1. MIS 2. RSM 3. Fraud assessment: actions and steps taken to identify and control fraudulent activity.
Sample size: MIS for 3 months.
Data analytics performed: Analyse the various figures reported in the MIS vis-à-vis the details appearing in the ERP system to identify instances of incorrect reporting. Risk management: review the risks that are being mitigated and whether there is any risk not being mitigated; risk being dynamic, whether emerging risks are also covered needs to be reviewed. Fraud risk: critical review of transactions from the standpoint of the possibility of fraud.
Sub-process: Annual procurement budget of indirect material and service
Risk: Procurement budget may not be prepared and monitored on a regular basis to avoid deviation in future.
Control Description: 1. The basis for preparing the budget, and the budget itself, are approved by the BOD before the start of the financial year. 2. Monitoring of budget vs actual is done on a monthly basis, with review of the action plan wherever required. 3. The action plan is documented and adhered to for avoiding such identified variances in future.
Control Owner: As per company policy.
Test Performed: 1. Check that the Annual Procurement Budget is approved by the designated authority and agreed with / communicated to the relevant authorities (delegated authority) well in advance. 2. Review that periodic monitoring of deviations (variances) from the approved budget is conducted, along with the reasons for deviations, if any.
Attributes tested: Approved budget and subsequent monitoring; budget vs actual MIS for 3 months and up to date.
Sample size: Approved budget for the year.
Data analytics performed: Verify the accuracy of the budget vs actual MIS from an independent data source, e.g. transactions recorded in the ERP, to identify instances of incorrect monitoring or budget overrides, and to understand the reasons for variances, including but not limited to (a) incorrect preparation of the budget, (b) accounting and classification errors, (c) use of budgetary provision for other purposes, etc.
Risk: Absence of a formal planning policy may lead to increased material and service cost or increased inventory levels.
Control Description: 1. Approved procurement plan exists and is prepared based on the production plans or business plans. 2. Operations are conducted as per plan and a process is in place to identify and report deviations. Corrective actions are required to be taken where there are variances.
Control Owner: As per company policy
Test Performed: 1. Check the annual plan is developed defining the material requirement for each of the departments. The plan is duly approved by the different HODs and the CEO. The plan includes the following factors (regarding procurement): a. type of material required in terms of units, price, source and other preferences; b. frequency of requirement; c. authorization. 2. Check that, based on the Annual plan, the purchase department identifies the suppliers for the regular material, agreements with the suppliers, communication of the plan to the suppliers, lead time for delivery, periodicity of supply, etc.
Attributes tested: Approved budget and subsequent monitoring; Budget Vs Actual MIS for 3 months and up to date.
Sample size: Approved Budget for the year.
Data analytics performed: Verify the accuracy of the Budget Vs Actual MIS from an independent data source, e.g. transactions recorded in the ERP, to identify instances of incorrect monitoring or budget overrides.

Sub-process: Vendor Selection and Master Management
Risk: Vendor chosen is not competent, resulting in inferior quality of goods being supplied.
Control Description: Defined process for vendor evaluation and approval exists and includes the following: - technical and commercial evaluation by cross-functional teams; - approving authority; - single vendor for imports or critical items, including development of new vendors; - any regulatory requirements to be fulfilled.
Control Owner: As per company policy
Test Performed: 1. Check the approval for technical evaluation and supporting documents for delegation of authority. 2. Check approval for commercial evaluation and supporting documents for delegation of authority. 3. Check justification for exceptions, if any, and the reasons therefor. 4. See the overall approval, including that the party is in the approved vendor list.
Attributes tested: 1. Approvals of plan evaluations. 2. Supporting documents for evaluations.
Sample size: 20% of new vendors or 20, whichever is higher.
Data analytics performed: 1. Analyse the vendor list of the current year vis-à-vis the previous year to identify addition of new vendors to increase competition. 2. Analyse whether a sufficient number of vendors exist for each type of service and material to get the best competitive rates. 3. Check quotations were taken to find competent vendors on a regular basis to give contracts to appropriate parties.

Risk: Incomplete / inaccurate vendor records.
Control Description: 1. Pre-defined / pre-designed vendor creation forms contain key details of the vendor, i.e. Name, PAN, Address, Contact Details, GST registration details, Bank Account, place of business, MSME certificate, Turnover details for e-Invoicing, etc. 2. Mandatory fields are defined in the system, without which a vendor code is not allowed to be created in the system.
Control Owner: As per company policy
Test Performed: 1. Check the approved vendor format and that all requests are received in the standard format only. 2. Complete details of vendors are filled in the format, mentioning "not applicable" in case any field does not apply. 3. Check the system control to avoid duplicity at code level, PAN and GST level, and address and contact level.
Attributes tested: 1. Approved format for creation / alteration. 2. Completeness and accuracy.
Sample size: 30% of new vendors or 10, whichever is higher.
Data analytics performed: Analyse the Vendor Database for any duplicate vendor records and the corresponding purchase / payment transactions with such codes.

Risk: Selection of inappropriate material / vendor.
Control Description: 1. Market research is carried out from time to time to specify the minimum timeline to identify prospective contractors for the required Service / Material. 2. Appropriate due diligence and financial / operational and technical background checks are performed as per the approved checklist, and the contractor is added to the approved list after due approvals. 3. Contractors who do not participate in the bidding process are reviewed and removed after obtaining NOC from them. 4. Contractors are selected on the basis of pre-qualification and merit. After selection of the vendor, the list is approved by the designated authority before asking for quotation.
Control Owner: As per company policy
Test Performed: 1. Check the list of pre-qualified contractors for the different types of Service requirement of the business organization. 2. Check due diligence and financial / operational and technical background checks are performed as per the checklist. 3. Check the frequency of updating the list and identify non-responding bidders. 4. Check approval from the designated authority of the selected vendors for quotation purposes.
Attributes tested: Management review and approval mechanism to identify prospective vendors.
Sample size: Select 2 contractors from each major Service and material group, or as per need.
Data analytics performed: 1. Analyse that the vendor list is updated by the company on a frequent basis and has sufficient vendors who actively participate in bidding. 2. Check the company is not dependent on some vendors for quotation purposes.

Control Description: 1. Open tender system is followed for high value transactions or critical services / material as per the organization policy, for inviting all possible vendors for the indented procurement. 2. Limited tender requests for quotation are given to the pre-approved vendors for select categories of service / material or value below the defined limit as per the organization policy.
Control Owner: As per company policy
Test Performed: 1. Check open tendering is used by the company for high value or critical service / material transactions or for specific procurements. 2. For other services / material, limited tender requests are sent to all approved vendors. 3. Check the method used for open tender, i.e. number of advertisements in different newspapers, coverage area and different languages, to create competition among vendors. 4. Check NOCs are obtained from vendors who did not send a quote.
Attributes tested: Tendering as per policy of the company.
Sample size: PO Records in ERP.
Data analytics performed: Analyse Open tender and Limited tender data and verify that tendering is done as per the policy of the company.

Control Description: Standard requests for Quotation / tender are prepared and circulated to all parties for inviting quotations as per the organization's policy.
Control Owner: As per company policy
Test Performed: 1. Check the standard format of the request is approved and used by departments. 2. Check changes are made only by addendum after approval. 3. Quotations not in the standard format should be rejected unless there is a reason to accept the quotation.
Attributes tested: Standard format used for Tender / quotation.
Sample size: For 5 major tenders and 5 major RFQ processes, or cover 40% of tenders, whichever is higher.
Data analytics performed: NA

Control Description: 1. Technical criteria are defined in the bids as per the requirement of the user department and approved by the HOD (purchase). 2. Marks are allotted to bidders on the basis of technical qualification and the number of deviations allowed.
Control Owner: As per company policy
Test Performed: 1. Check the technical criteria for selection of vendor are defined in bids, matched with the requirements as specified by the user department, and approved by the HOD. 2. Check the technical qualification document and that marks are allocated to bidders based on it only. 3. Check for any deviation from technical qualification and verify approval of the designated authority.
Attributes tested: 1. Defining of technical criteria. 2. Deviation approval.
Sample size: For 5 major tenders and 5 major RFQ processes, or cover 50% of tenders, whichever is higher.
Data analytics performed: Analyse the tracker to verify technical qualification details are obtained and considered for all bidders. Note exceptions and check approval of deviations is obtained.

Risk: Possibility of vendor preference.
Control Description: Same timelines and process are followed for all parties, and deviations are approved by the designated authority, except for procurement of low value and selected categories as per the procurement policy.
Control Owner: As per company policy
Test Performed: 1. Check the bidding document and process to verify the timeline and process are common for all tendering parties. 2. In case of deviation, approval is obtained from the designated authority.
Attributes tested: 1. Same and timely process for all parties. 2. Deviation approval.
Sample size: For 5 major tenders and 5 major RFQ processes, or cover 50% of tenders, whichever is higher.
Data analytics performed: Analyse the time tracker of: - submission of technical and financial qualification documents and approval thereof; - submission of financial bids and approval, to verify all processes are followed in a time-bound manner for all vendors. Note exceptions and check deviations for the same, to check the tendering process is monitored properly.

Risk: Selection of wrong vendor or high cost of procurement.
Control Description: 1. Comparative quotation analysis sheet is drawn up before purchases are approved. 2. If the lowest quotation is not accepted, appropriate justification is documented and approved by the designated authority. 3. Quotations are opened and registered, and a comparative chart is prepared and authorised. 4. Quotations are opened in the presence of the tender committee only for the qualified bidders, and the rest of the bids may be rejected.
Control Owner: As per company policy
Test Performed: 1. Check whether a comparative sheet of bids is prepared or not. 2. Check the justification for selection of a bidder other than the lowest and approval of the same. 3. Check whether quotations are opened, registered and the comparative list is approved by authorised persons. 4. Check quotations are opened in the presence of the tender committee for qualified bidders and signed off by them. 5. Where the order is given to the lowest bidder, check whether the earlier project was performed by him within time and cost (check history of vendor).
Attributes tested: 1. Approval on comparative sheet. 2. Deviation approval. 3. Sign-off by tender committee.
Sample size: For 5 major tenders and 5 major RFQ processes, or cover 50% of tenders, whichever is higher.
Data analytics performed: Analyse ERP or other software for the final comparison of rates for all vendors against the original rates quoted by each individual vendor to identify differences.

Control Description: 1. Approval note with all relevant justification is documented for the selected vendor by the designated authorities. 2. Adequate approval (as per Companies Act, 2013, SEBI) from the Board of Directors is in place for purchases from related parties.
Control Owner: As per company policy
Test Performed: 1. Check a justification note is prepared and approved by the designated authority. 2. Check the justification is supported by evidence, i.e. projects delivered in the past. 3. Check the justification given in the approval note. Verify the justification against actual work performed by the vendor during the audit period or the record of previous work performed by the same vendor.
Attributes tested: 1. Approval note with justification. Vendor history: 1. Quality rejection. 2. Timely delivery. 3. Qualitative delivery.
Sample size: For 5 major tenders and 5 major RFQ processes, or cover 50% of tenders, whichever is higher.
Data analytics performed: Check the justification given in the approval note against actual work performed by the vendor, or against previous work performed, from ERP records.

Risk: Non-compliance with requirements of the Companies Act and other regulations.
Control Description: 1. Adequate approval from the Board of Directors is in place for purchases from related parties. 2. Disclosure of related parties and purchases from them. 3. Adequate documentation is in place to justify the price of purchases from related parties.
Control Owner: As per company policy
Test Performed: 1. Check BOD approval is obtained in case of purchase from a related party. 2. Check the disclosure note given in the financial statements. 3. Justification is documented for purchases from related parties. 4. In case of purchase from a related party, check compliance with the relevant provisions of Section 188 of the Companies Act, 2013. 5. The procurement price is reasonable according to Section 40A(2) of the Income Tax Act, 1961, if the purchase is made from a sister concern.
Attributes tested: BOD approval and justification.
Sample size: All purchases from related parties.
Data analytics performed: Analyse ERP data to check the rates of other vendors with the same requirements as those of related parties, to verify whether transactions are performed on an arm's length basis or not.

Risk: System controls may not be implemented for modification at RFQ level, Quotation level and approval level, which may lead to unauthorised purchases.
Control Description: 1. The system does not allow an RFP to be raised without an approved requisition in place. 2. All vendor quotations and bids are locked against modification and are opened in the presence of the designated authorities. 3. The selected party is identified and locked in the system after all approvals. 4. The system does not allow backdating / modification of any information once the process is completed.
Control Owner: As per company policy
Test Performed: 1. System walkthrough for RFQ without approved requisition. 2. System walkthrough for vendor modification in quotation and locked parties so identified; check the audit trail for it. 3. Check the rates of vendors in the final comparison sheet match the rates in the individual quotes. 4. Verify all approved vendors against the final vendor comparison list. 5. A change log must be available for all modifications and reviewed by an authorised person.
Attributes tested: System control for modification at RFQ level, quotation level, identified vendor and other information.
Sample size: System walkthrough.
Data analytics performed: Analyse ERP or other software final-rate data for all vendors against the original rates quoted by each individual vendor to identify differences.

Risk: Unauthorised updates / alterations may be made to the vendor master.
Control Description: 1. Updates (additions / alterations) to the vendor master are made only with the approval of an authorised person on the basis of a requisition in proper format from users. 2. Also, access to make additions / alterations to the vendor master is restricted to personnel authorised as per the approved Authorities Matrix. The Authorities Matrix is entered in the Access Control List (ACL) in the systems (normally addition / alteration rights are provided to IT).
Control Owner: As per company policy
Test Performed: 1. Check the Access Control List (ACL) is as per the approved authorities matrix. 2. Check that the person making the addition / alteration is authorised to do so. 3. Verify vendor creation / alteration forms are approved by authorised persons.
Attributes tested: 1. Approvals for addition / alteration. 2. ACL.
Sample size: 40% of additions / alterations or 20, whichever is higher.
Data analytics performed: Analyse transactions carried out in the vendor master during the review period to identify the following: 1. Transactions performed by unauthorised users. 2. Conflicting transaction rights granted to the same person.

Risk: Inaccurate updation of the vendor master.
Control Description: Recorded changes to the supplier master file are compared to authorized source documents by an authorized person to ensure that they were input accurately; this person should be different from the person who entered the data in the file.
Control Owner: As per company policy
Test Performed: 1. Check that the information so entered is reviewed and authorised. 2. Check with the supporting documents that the information has been completely and accurately entered.
Attributes tested: 1. Supporting documents. 2. Approvals.
Sample size: 40% of alterations or 20, whichever is higher.
Data analytics performed: Analyse vendor master data to validate the following: 1. Matching of PAN with GST. 2. GST number with state code. 3. Length of PAN and GSTIN. 4. Length of mobile number. 5. Whether the bank account number is provided or not. Analyse that the Vendor Database is comprehensive and all vendor details are complete and accurate, viz. Name, PAN, Address, Contact Details, GST registration details, place of business, etc.

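The vendor-master validations listed above (PAN / GSTIN consistency, GST state code against place of business, field lengths, bank account presence) and the duplicate-record analytics in the "Incomplete / inaccurate vendor records" row can be scripted over an ERP extract. The block below is an added example written for this checklist, not code from the checklist's authors; it assumes vendor records exported as dicts with the field names shown, and uses a constructed subset of GST state codes and constructed sample vendors. It relies on the public format rules that a PAN is 10 characters (5 letters, 4 digits, 1 letter) and that a GSTIN is 15 characters whose first two digits are the state code and whose characters 3 to 12 are the holder's PAN.

```python
"""Vendor-master validation and duplicate detection (added example, constructed data)."""
import re
from collections import defaultdict

PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")            # 10-character PAN
GSTIN_RE = re.compile(r"^[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z][0-9A-Z]Z[0-9A-Z]$")  # 15-character GSTIN
MOBILE_RE = re.compile(r"^[6-9][0-9]{9}$")                 # 10-digit Indian mobile number

# Assumption: a small subset of GST state codes; a real run would load the full list.
STATE_CODES = {"07": "Delhi", "24": "Gujarat", "27": "Maharashtra",
               "29": "Karnataka", "33": "Tamil Nadu"}

# Constructed sample extract (hypothetical vendors, not real entities).
SAMPLE_VENDORS = [
    {"code": "V001", "name": "Alpha Supplies", "pan": "ABCDE1234F", "gstin": "29ABCDE1234F1Z5",
     "state": "Karnataka", "mobile": "9876543210", "bank_account": "123456789012",
     "address": "12 MG Road, Bengaluru"},
    {"code": "V002", "name": "Alpha Supplies (Mumbai)", "pan": "ABCDE1234F", "gstin": "27ABCDE1234F1Z3",
     "state": "Maharashtra", "mobile": "9876543210", "bank_account": "000111222333",
     "address": "5 Marine Drive, Mumbai"},
    {"code": "V003", "name": "Beta Traders", "pan": "PQRST5678G", "gstin": "07PQRST5678G1Z9",
     "state": "Karnataka", "mobile": "12345", "bank_account": "",
     "address": "9 Connaught Place, New Delhi"},
    {"code": "V004", "name": "Alpha Supplies Ltd", "pan": "ABCDE1234F", "gstin": "33ABCDE1234F1Z7",
     "state": "Tamil Nadu", "mobile": "9123456789", "bank_account": "123456789012",
     "address": "12, M.G. Road Bengaluru"},
]


def validate_vendor(v):
    """Return the list of exceptions for one vendor record (empty list means clean)."""
    issues = []
    pan = v.get("pan", "").strip().upper()
    gstin = v.get("gstin", "").strip().upper()
    if not PAN_RE.match(pan):
        issues.append("PAN length/format invalid")
    if not GSTIN_RE.match(gstin):
        issues.append("GSTIN length/format invalid")
    else:
        if gstin[2:12] != pan:                       # PAN embedded in the GSTIN must equal the PAN field
            issues.append("PAN embedded in GSTIN does not match PAN field")
        state = STATE_CODES.get(gstin[:2])           # first two digits are the GST state code
        if state is None:
            issues.append("unknown GST state code")
        elif state.lower() != v.get("state", "").strip().lower():
            issues.append("GST state code does not match place of business")
    if not MOBILE_RE.match(v.get("mobile", "").strip()):
        issues.append("mobile number length/format invalid")
    if not v.get("bank_account", "").strip():
        issues.append("bank account not provided")
    return issues


def find_duplicates(vendors):
    """Map each key field to the normalised values shared by more than one vendor code."""
    keys = ("pan", "gstin", "bank_account", "mobile", "address")
    seen = {k: defaultdict(list) for k in keys}
    for v in vendors:
        for k in keys:
            val = re.sub(r"\W+", "", v.get(k, "")).upper()   # strip punctuation/spaces before comparing
            if val:
                seen[k][val].append(v["code"])
    return {k: {val: codes for val, codes in d.items() if len(codes) > 1} for k, d in seen.items()}


def run_checks(vendors):
    """Exceptions per vendor code plus cross-record duplicates, ready for the working papers."""
    exceptions = {v["code"]: validate_vendor(v) for v in vendors}
    return {code: e for code, e in exceptions.items() if e}, find_duplicates(vendors)


if __name__ == "__main__":
    exc, dups = run_checks(SAMPLE_VENDORS)
    for code, e in exc.items():
        print(code, "->", "; ".join(e))
    for field, groups in dups.items():
        for val, codes in groups.items():
            print(f"duplicate {field} {val}: {codes}")
```

A shared PAN across codes is not always wrong (branches of one legal entity carry the same PAN under different state GSTINs), so the duplicate output is a review list, not a finding in itself; a shared bank account or address across supposedly unrelated vendors is the stronger indicator.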
Risk: Audit logs for changes made in the vendor master may not be available and reviewed, which may lead to unauthorized changes.
Control Description: Requests to change the supplier master file are logged; the log is reviewed to ensure that all requested changes are processed on time. Steps are taken when there are unauthorized changes.
Control Owner: As per company policy
Test Performed: 1. Check the request log to ensure that there are no long-pending requests for change.
Attributes tested: 1. Outstanding list in the request log.
Sample size: 1. Request log.
Data analytics performed: NA

Risk: Critical vendor data is incomplete and is not up to date.
Control Description: 1. Vendors are classified correctly as MSME in the master data and updation is done on a yearly basis. MSME certificates are obtained yearly. 2. A list of vendors who have to do e-Invoicing is prepared and bills are processed accordingly.
Control Owner: As per company policy
Test Performed: 1. Verify the mail sent to vendors for declaration as MSME and for turnover. In case there is a portal for vendors, check vendors have submitted their credentials. 2. Verify vendors' declarations are received and vendors' records are updated on the basis of the declaration. 3. Verify e-invoicing by the specified vendors.
Attributes tested: 1. MSME and e-invoicing vendor listing.
Sample size: 20% of service / material vendors.
Data analytics performed: NA

Control Description: Requests to make changes in the supplier master file are submitted and accounted for, ensuring that all requested changes are processed on time.
Control Owner: As per company policy
Test Performed: 1. Check the request log to ensure that there is no missing request. Alternatively, there should be a request cancellation note in the log.
Attributes tested: 1. Sequence of the request forms used.
Sample size: 1. Request log.
Data analytics performed: NA

Control Description: The supplier master is periodically reviewed by management for accuracy and ongoing pertinence.
Control Owner: As per company policy
Test Performed: 1. Check the evidence of the management review.
Attributes tested: 1. Management review of the supplier master.
Sample size: Management sign-off or approved file.
Data analytics performed: NA

Risk: Risk of conflict of interest with a vendor.
Control Description: 1. As per the Company's Code of Conduct, employees are mandated to inform the concerned HOD / superior where a conflict of interest exists. 2. Employees are required to comply with the policy. 3. Also, vendors are required to inform, as per the standard terms and conditions printed on the PO, if they have any relations with an employee of the organization.
Control Owner: As per company policy
Test Performed: 1. Check the employees' declarations for compliance with the ethical standards. 2. Check the vendors' acknowledgements in the PO as to whether they have a relation with an employee.
Attributes tested: 1. Declarations by vendors and by the employees.
Sample size: 1. Certifications from 30% of employees. 2. Acknowledgements from 20% of vendors, or those having 60% of business with the company.
Data analytics performed: NA

Risk: One-time vendors are not subjected to the same controls as all other vendors.
Control Description: 1. There is an option of ticking a "One time flag", which needs to be updated at the time of vendor creation. As a result, the vendor gets deactivated after placing one PO. 2. A specific vendor code is used for creating one-time vendors (e.g. 1000 for domestic and 1100 for import).
Control Owner: As per company policy
Test Performed: 1. Check by creating a dummy PO whether the vendor is flagged off as a one-time user. 2. Obtain a list of one-time vendors and compare it with the PO records to check whether one-time vendors have not been used for more than one order.
Attributes tested: 1. Field validation to use the one-time code only once.
Sample size: 1. List of one-time vendors. 2. PO records. 3. System walkthrough.
Data analytics performed: Analyse ERP records for POs with the pre-defined one-time vendor code and identify where more than one PO is raised with the one-time code for the same vendor.

Risk: Contractor performance not reviewed periodically.
Control Description: 1. Performance appraisal of the vendor is done once a year for long-term POs / contracts and quarterly for short-term POs / contracts. 2. Based on the evaluation, the approved contractor list is updated. Respective departments are responsible for doing the contractor appraisals. 3. Based on the same and subsequent discussions with the user department, the Purchases department revises the approved contractor list.
Control Owner: As per company policy
Test Performed: 1. Verify whether the contractor appraisals have been done annually and quarterly, as the case may be, and are documented. Verify the department-wise list of vendors and the total appraisals done during the audit period by each department. 2. Verify updation of the approved contractor list on the basis of appraisal; check the list is updated on the basis of appraisal only. 3. Mails are sent to contractors by management to take action, otherwise they are removed from the approved vendor list.
Attributes tested: 1. Contractor performance evaluation and appraisal.
Sample size: 1. For annual appraisal, check the appraisal of 30% of contractors or 15, whichever is higher. 2. Same for quarterly appraisal.
Data analytics performed: Analyse PO records against GRN records to identify, vendor-wise: - cases of quality rejection; - cases of late delivery against PO terms; - cases of short-quantity delivery against PO quantity; to ascertain 1. whether vendors with low performance evaluation have a high share of business, and 2. the action taken against regularly defaulting vendors.

Risk: Dummy / inactive contractors, or unsatisfactory performance by a contractor.
Control Description: 1. Contractors that have not been selected for a significant period of time are reviewed by the purchase team and marked for deletion. 2. Ensure contractors are blacklisted in a timely manner wherever required for unsatisfactory performance as per the defined policy. 3. Vendors who have not been engaged with the organization for a long period are restricted from award of contract and are allowed only after updated KYC documents are obtained.
Control Owner: As per company policy
Test Performed: 1. Compare the active vendor listing (VLOOKUP) with the PO listing for the year. 2. Scrutinize the vendor records for vendors with common / dummy names or details. 3. Unsatisfactory vendors are removed after performance evaluation. 4. User department approval for removal of a service / material vendor. 5. Check vendors who are in the master but with whom work or transactions could not be performed due to restriction or blockage. 6. Check the process to obtain updated KYC documents if vendors are used after the defined period.
Attributes tested: 1. Dummy / inactive vendor accounts.
Sample size: 1. Active vendor listing. 2. PO records. 3. Performance evaluation report.
Data analytics performed: Analyse the vendor master file against the Service / Material PO list of 2 to 3 years to ascertain the following: 1. Blocking of vendors with whom the organization had no transactions. 2. Restriction on use of the vendor code for non-submission of updated KYC documents.

Sub-process: Placing Order
Risk: Inadequate number of vendors identified for RFQ.
Control Description: Sufficiency of quotations is checked before approving the PO. Justification for deviation from the purchase policy is mentioned as remarks, which are also reviewed by the approver before the PO is approved.
Control Owner: As per company policy
Test Performed: 1. Check for compliance with the purchase policy for identification of vendors for RFQ. 2. Check whether, in case the requisite number of vendors was not available, the due escalation procedure was followed. 3. Ask the reason for significant changes in rates of products. Check the reason and approval of a higher price. 4. Check approval in case the change is to an approved vendor.
Attributes tested: Number of contractors vis-à-vis the requirement of the purchase policy.
Sample size: Select vendors and corresponding POs to cover major item and service categories (cover at least 60-120 POs, or more depending on the quantum of business).
Data analytics performed: 1. Analyse that the vendor list is updated by the company on a frequent basis and has sufficient vendors who actively participate in bidding. 2. Check the company is not dependent on only some vendors for quotation purposes.

Control Description: All POs are required to be approved as per the approved Authority Matrix. The Authority Matrix specifies the expenditure limits of the relevant personnel and has been entered into the relevant software.
Control Owner: As per company policy
Test Performed: 1. Check the approvals for the PO against the Authority Matrix. 2. In case the approvals are not as per the Authority Matrix, the ratification / justification for the same needs to be checked.
Attributes tested: Prepare, review and approval of purchase orders.
Sample size: Cover all service / material categories and approval matrix combinations that together cover more than 30% of purchase value.
Data analytics performed: Analyse transactions carried out in the vendor master during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person. Also analyse purchases on the same or nearby dates to identify cases of splitting of POs to override the Authority Matrix.

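The PO-level analytics described here (POs above the approver's limit, the same person creating and approving, and POs split across nearby dates to stay under an approval limit) and the one-time-vendor reuse check in the "One-time vendors" row above can all be run over one PO extract. The block below is an added example written for this checklist, not code from the checklist's authors; it assumes a PO extract as dicts with the fields shown, a constructed authority matrix keyed by approver role, a three-day "nearby dates" window (a choice to tune, not a rule from the checklist), and the one-time vendor codes 1000 and 1100 quoted in the checklist. All PO data is constructed.

```python
"""Purchase-order analytics: authority breaches, maker-checker conflicts,
split-PO candidates and one-time vendor reuse (added example, constructed data)."""
from collections import defaultdict
from datetime import date

# Assumption: approver role -> maximum single-PO value the role may approve.
AUTHORITY_MATRIX = {"purchase_officer": 100_000, "purchase_head": 500_000, "cfo": 2_000_000}
ONE_TIME_VENDOR_CODES = {"1000", "1100"}   # one-time codes quoted in the checklist (domestic / import)
SPLIT_WINDOW_DAYS = 3                       # assumption: POs to one vendor within 3 days are "nearby"

# Constructed sample extract; vendor names are hypothetical.
PURCHASE_ORDERS = [
    {"po": "PO-1", "vendor": "V001", "vendor_name": "Alpha Supplies", "created_by": "anil",
     "approved_by": "meera", "approver_role": "purchase_officer", "date": date(2024, 4, 1), "value": 90_000},
    {"po": "PO-2", "vendor": "V001", "vendor_name": "Alpha Supplies", "created_by": "anil",
     "approved_by": "meera", "approver_role": "purchase_officer", "date": date(2024, 4, 2), "value": 85_000},
    {"po": "PO-3", "vendor": "V001", "vendor_name": "Alpha Supplies", "created_by": "anil",
     "approved_by": "meera", "approver_role": "purchase_officer", "date": date(2024, 4, 3), "value": 80_000},
    {"po": "PO-4", "vendor": "V002", "vendor_name": "Beta Traders", "created_by": "ravi",
     "approved_by": "ravi", "approver_role": "purchase_head", "date": date(2024, 4, 10), "value": 300_000},
    {"po": "PO-5", "vendor": "V003", "vendor_name": "Gamma Ltd", "created_by": "anil",
     "approved_by": "meera", "approver_role": "purchase_officer", "date": date(2024, 4, 15), "value": 150_000},
    {"po": "PO-6", "vendor": "1000", "vendor_name": "Zeta One-off Services", "created_by": "anil",
     "approved_by": "meera", "approver_role": "purchase_officer", "date": date(2024, 5, 1), "value": 20_000},
    {"po": "PO-7", "vendor": "1000", "vendor_name": "Zeta One-off Services", "created_by": "anil",
     "approved_by": "meera", "approver_role": "purchase_officer", "date": date(2024, 6, 1), "value": 25_000},
    {"po": "PO-8", "vendor": "1000", "vendor_name": "Other Firm", "created_by": "anil",
     "approved_by": "meera", "approver_role": "purchase_officer", "date": date(2024, 6, 2), "value": 10_000},
]


def authority_breaches(pos):
    """POs whose value exceeds the limit of the role that approved them."""
    return [p["po"] for p in pos if p["value"] > AUTHORITY_MATRIX.get(p["approver_role"], 0)]


def sod_conflicts(pos):
    """POs created and approved by the same user (maker-checker not enforced)."""
    return [p["po"] for p in pos if p["created_by"] == p["approved_by"]]


def _check_cluster(cluster):
    """Flag a cluster of nearby POs if their combined value exceeds the highest
    approver limit used within it, i.e. a single PO would have needed a higher approver."""
    if len(cluster) < 2:
        return []
    limit = max(AUTHORITY_MATRIX.get(p["approver_role"], 0) for p in cluster)
    total = sum(p["value"] for p in cluster)
    return [[p["po"] for p in cluster]] if total > limit else []


def split_po_candidates(pos, window_days=SPLIT_WINDOW_DAYS):
    """Group POs per vendor by date proximity and return the clusters that look like a split."""
    by_vendor = defaultdict(list)
    for p in pos:
        by_vendor[p["vendor"]].append(p)
    flagged = []
    for orders in by_vendor.values():
        orders.sort(key=lambda p: p["date"])
        cluster = [orders[0]]
        for p in orders[1:]:
            if (p["date"] - cluster[-1]["date"]).days <= window_days:
                cluster.append(p)          # still within the window of the previous PO
            else:
                flagged.extend(_check_cluster(cluster))
                cluster = [p]
        flagged.extend(_check_cluster(cluster))
    return flagged


def one_time_vendor_reuse(pos):
    """Vendor names appearing on more than one PO under a one-time vendor code."""
    seen = defaultdict(list)
    for p in pos:
        if p["vendor"] in ONE_TIME_VENDOR_CODES:
            seen[p["vendor_name"]].append(p["po"])
    return {name: ids for name, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    print("above approver limit:", authority_breaches(PURCHASE_ORDERS))
    print("creator == approver:", sod_conflicts(PURCHASE_ORDERS))
    print("split-PO candidates:", split_po_candidates(PURCHASE_ORDERS))
    print("one-time code reused:", one_time_vendor_reuse(PURCHASE_ORDERS))
```

The split test keys on the vendor code, so one-time POs under code 1000 are clustered together regardless of name; on a real extract, key the split test on the vendor name (or PAN) for those codes as well, and treat every flagged cluster as a sample to pull the indents and approvals for rather than as a conclusion.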
Risk: POs raised with wrong quantity / rates / payment terms, etc.
Control Description: 1. The PO is prepared by the designated person and is reviewed and approved by the person so authorized as per the Authority Matrix. 2. The reviewer verifies the details in the PO against the supporting documents. 3. Access to create and approve POs lies with different users in the system.
Control Owner: As per company policy
Test Performed: 1. Check that the PO is supported by a duly approved indent. 2. Check that the PO is approved as per the Authority Matrix. 3. Check that creation and approval rights lie with different persons.
Attributes tested: 1. Quantity as per indent vis-à-vis PO. 2. Approval for the PO.
Sample size: Cover all service / material categories and approval matrix combinations that together cover more than 30% of purchase value.
Data analytics performed: NA

Risk: Indent raised / approved for purchase when there is no requirement for the goods / services, or the goods are already in stock.
Control Description: The indent is reviewed and approved by the authorized personnel (as per the limits set out in the approved Authority Matrix), signifying the need to procure material. The Authority Matrix is configured in the ERP system in the Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that indents are approved in accordance with the Authority Matrix. 2. Check whether the Authority Matrix is configured in the system's Access Control List, from a system-control point of view.
Attributes tested: 1. Approvals for indent. 2. Access control list.
Sample size: Cover all service / material categories and approval matrix combinations that together cover more than 30% of purchase value.
Data analytics performed: Analyse transactions carried out during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person.

Risk: Unauthorised indents may be raised for purchases.
Control Description: 1. The indent is reviewed and approved by the authorized personnel (as per the limits set out in the approved Authority Matrix), signifying the need to procure material. The Authority Matrix is entered in the ERP system in the Access Control List (ACL). 2. Budget availability with the department is considered before approval of a Service indent; otherwise the indent cannot be approved. 3. Service budgets are approved by the appropriate authority to release the indent.
Control Owner: As per company policy
Test Performed: 1. Check that the indents are approved in accordance with the Authority Matrix. 2. Check service budget availability while approving indents. 3. Check excess budget is approved by the authority in case the total budget is exhausted by the department before release of the service indent.
Attributes tested: 1. Approvals for indent. 2. Budget availability at the time of indent approval.
Sample size: Cover all service / material categories and approval matrix combinations that together cover more than 30% of purchase value.
Data analytics performed: Analyse the total Service budget approved by the department before the start of the year and the total value of indents approved during the budget period, to verify indents approved in excess of the original budget without obtaining approval for the excess budget, which is against the policy of the organization.

Control Description: The system does not allow changes to be made to approved indents. They can either be cancelled or processed for PO. The amendment rights are available only with the Head of Department (HOD).
Control Owner: As per company policy
Test Performed: 1. Check the access control list to verify that no one other than the HOD has modification access for indents and access to cancel indents.
Attributes tested: 1. Approval for indent. 2. Access control list.
Sample size: System walkthrough, and check whether the system allows changes to be made to an approved indent.
Data analytics performed: Analyse records of purchases made despite the same item being in hand and lying unutilised. Analyse quantity and specification as per the indent and PO records punched in the ERP system for any deviation. If excess quantity is purchased, verify whether the excess quantity was consumed or not, to identify wrong decisions of purchasing more than the indent.

Risk: Indent does not prescribe the correct technical specifications of goods/services required, resulting in procurement of incorrect goods/services.
Control Description: Specifications are mandatory field in the indent and cannot be bypassed (in ERP). Maker checker control is established to verify completeness and correctness of all details.
Control Owner: As per company policy
Test Performed: 1. Check the exception report generated from ERP for indents raised without any specification. 2. Check the rejection report for the material rejected due to incorrect specification.
Attributes tested: 1. Rejections due to incorrect / missing specifications.
Sample size: Exception report and Rejection report for the period of audit.
Data analytics performed: Analyse ERP data to compare specification as per indent and corresponding specification in PO to identify deviation. Further, verify deviation with rejected GRN at quality stage to establish rejection due to wrong purchase against indent.

Risk: Indent sent to purchase department with delay may hamper production activity.
Control Description: 1. Material and service requisitions are sent to purchase department within defined timelines. 2. Timelines are defined for approval of indent and issue further to procurement team for processing.
Control Owner: As per company policy
Test Performed: 1. Check indent reports to verify timely sharing and conversion of approved indent into PO. 2. Check list of indents raised by user department but not approved yet. 3. Check list of approved indents sent but no action initiated by purchase team on same.
Attributes tested: 1. Timely conversion of indents into POs.
Sample size: Indent report compared with PO reports.
Data analytics performed: Analyse ERP data of indent and PO to identify the following: 1. Time gap between indent raised and approval/release of indent. 2. Time gap between indent release and PO approval date. 3. Expected date of material as per indent along with deadline to vendor in PO for supply, to calculate probable losses due to delay in approval at different stages from indent to PO.

Risk: Indent does not prescribe the correct technical specifications of goods/services required, resulting in procurement of incorrect goods/services.
Control Description: The indent is reviewed and approved by the authorized personnel (as per the limits set out in approved Authority Matrix), signifying the need to procure material. The Authority Matrix is entered in the ERP system in Access Control List (ACL). Indents without the specifications are treated as incomplete since the quotations cannot be obtained for the same.
Control Owner: As per company policy
Test Performed: 1. Check that the indents are approved in accordance with the Authority Matrix. 2. System walkthrough to check indent without specification.
Attributes tested: 1. Approvals for indent. 2. Access control list and specification.
Sample size: 1. System walkthrough for approval procedure.
Data analytics performed: Analyse purchase requisition transactions to identify the following: 1. Incomplete or incorrect details in PR. 2. PRs backdated or raised after ordering. 3. PRs created for quantity/service in excess of the budgeted amount. 4. Requisition in excess of average consumption or in spite of high inventory levels. 5. Open PRs not reviewed and closed.

Control Description: In case the goods/services are rejected by Quality Control department or by user department, reasons for the same are reviewed to ensure that the same were not due to incorrect specifications mentioned on indent.
Control Owner: As per company policy
Test Performed: Check the Material Rejection list and whether it is due to incorrect specifications.
Attributes tested: Service and goods specifications mentioned properly with complete description.
Sample size: Rejection report along with reasons.
Risk: Indents / PRs are not used when purchasing goods or services.
Control Description: All supporting documents (Indents/vendor quote analysis sheet/vendor quotes, etc.) are reviewed at the time of PO approval by authorized personnel (as per the approved Authority Matrix).
Control Owner: As per company policy
Test Performed: 1. Check the PO review and approval process. Check that the PO is supported with a duly approved indent.
Attributes tested: Supporting documents (including indents).
Sample size: Cover all service/material approval matrix which combinedly cover more than 30% of purchase value.
Data analytics performed: Analyse PO records with indent records to verify each PO is supported by an indent.

Risk: POs do not contain accurate information.
Control Description: All supporting documents (Indents/vendor quote, analysis sheet, etc.) are reviewed at the time of PO approval by authorised personnel (as per the approved Authority Matrix).
Control Owner: As per company policy
Test Performed: 1. Check the PO review and approval process. 2. Check that the PO is supported with a duly approved indent. 3. To check accuracy of PO, verify it with customer source document and management approval process of project.
Attributes tested: Supporting documents (including indents).
Sample size: Cover all service/material approval matrix which combinedly cover more than 30% of purchase value.
Data analytics performed: NA

Control Description: All POs are required to be approved by the authorized personnel (as per the limits set out in approved Authority Matrix), verifying correctness and accuracy thereof. The Authority Matrix is entered in the ERP system in Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that the POs are approved as per Authority Matrix. 2. Check that the PO cannot be created in absence of approval.
Attributes tested: 1. Approvals. 2. ACL.
Sample size: Cover all service/material approval matrix which combinedly cover more than 30% of purchase value.
Data analytics performed: Analyse purchase record to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to same person.

Risk: Service / Material prices are not competitive.
Control Description: ERP system requires the PO approving authority to review vendor quotes at the time of approval of the PO.
Control Owner: As per company policy
Test Performed: 1. Check the PO review and approval process. 2. Check that the PO is supported with a duly approved indent. 3. To check accuracy of PO, verify it with customer source document and management approval process of project.
Attributes tested: 1. Supporting documents. 2. Price fluctuations.
Sample size: 1. PO records. 2. All cases of deviation in rates within audit period.
Data analytics performed: Analyse ERP data for review of vendor quote by appropriate authority before approval of PO.

Control Description: The purchase policy of the company requires obtaining a certain minimum number of quotations before placing the order. In case the specified number of quotes are not available, then the procedure specified in the purchase policy needs to be followed.
Control Owner: As per company policy
Test Performed: 1. Check that the specific number of quotes required as per purchase policy are obtained. 2. Check that in case of exceptions, the procedure as per the policy is followed.
Attributes tested: Sufficient quotes obtained or not.
Sample size: Select vendors and corresponding POs to cover major items and services (cover at least 60-120 POs or more depending on quantum of business).
Data analytics performed: Analyse ERP data for number of quotations and compare with purchase policy to identify exceptions. Verify exception approval for insufficient number of quotes.
Risk: Changes in order are not authorised.
Control Description: 1. If the terms of an approved PO are altered for price and scope, it automatically sends the PO to pre-approval stage. 2. Original POs' terms are reviewed regarding provision for change due to change in price and scope.
Control Owner: As per company policy
Test Performed: 1. Check by raising a dummy PO, getting it approved and then altering it. 2. Check by review of the audit trail report in ERP whether any PO has been modified after approval. 3. Changes could be done only if original PO permits changes.
Attributes tested: Price and scope alteration in original order.
Sample size: Audit trail report; select 20 samples of change orders.
Data analytics performed: Analyse change order record to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to same person.

Control Description: 1. The purchase policy of the company requires that in case of Change in Order, it needs to be re-approved / re-processed as if it is a new PO. 2. Amendment number must be provided in change in order for trail log of old PO.
Control Owner: As per company policy
Test Performed: 1. Check whether the PO wherein price has been altered has been re-approved as per the Authority Matrix. 2. Check amendment number shown in PO after price change.
Attributes tested: Price and scope alteration in original order.
Sample size: 15 POs or 50% of change orders, whichever is lower.
Data analytics performed: Analyse ERP original POs with change orders due to price revision and check significant impact on budget.

Control Description: 1. Change orders are approved by next higher authority (DOA) or by highest authority if changes are above defined limits. 2. Reason for change order with proper justification must be documented, which also shows impact on budget, and should also be approved.
Control Owner: As per company policy
Test Performed: 1. Check whether authority matrix is defined for change order. 2. Whether reason for changes is documented and approved with impact on budget.
Attributes tested: 1. Authority matrix for change order. 2. Justification remark with approval.
Sample size: 15 POs or 50% of change orders, whichever is lower.

Risk: Unauthorized POs/Contracts.
Control Description: All POs are approved as per the approved Authority Matrix. Also the same has been entered into ERP software in Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that the PO is approved as per Authority Matrix. 2. Check the ACL and confirm that the same is updated as per Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample size: 1. ACL. 2. Authority Matrix. 3. 30 POs.
Data analytics performed: Analyse transactions carried in purchase record to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to same person.

Control Description: All supporting documents (Indents/vendor quote analysis sheet/vendor quotes, etc.) are reviewed at the time of PO approval by authorised personnel (as per the approved Authority Matrix).
Control Owner: As per company policy
Test Performed: 1. Check the PO review and approval process. Check that the PO is supported with a duly approved indent.
Attributes tested: Supporting documents (including indents).
Sample size: 30 POs.
Data analytics performed: NA
Risk: Unfavorable terms and conditions of the purchase order.
Control Description: 1. General terms and conditions, approved by legal team and part of Agreement/Purchase order/Work order, are pre-printed on reverse of PO. 2. Standard terms and conditions, approved by legal team and part of Agreement/Purchase order/Work order.
Control Owner: As per company policy
Test Performed: 1. Check whether the general and standard terms and conditions are approved by Legal and part of agreement/purchase order/work order.
Attributes tested: General and Standard PO Terms and Conditions; Approval.
Sample size: 30 POs / Contracts.
Data analytics performed: NA

Control Description: In case of unusual or non-regular contracts, the personnel authorised as per Authority Matrix to approve the contract are required to obtain the approval of the person authorised to do so in Legal department.
Control Owner: As per company policy
Test Performed: 1. Check whether the terms and conditions of unusual or non-regular contracts are approved by authorised personnel in legal department.
Attributes tested: Approval of terms for customised contracts.
Sample size: 30 POs / Contracts (unusual and non-regular).
Data analytics performed: NA

Risk: Contracts are not stored/kept in a central/safe repository to safeguard company's interests and to prevent the use of the contract which might be detrimental to company's interests.
Control Description: 1. All PO/contract copies (active/expired) are maintained with department. 2. Contracts on stamp paper are stored centrally with designated authorities.
Control Owner: As per company policy
Test Performed: 1. Check the existence of contracts with designated authority only and that no other person has access to the same. 2. Stamp paper stored centrally with designated authority only.
Attributes tested: Existence and storage of contracts.
Sample size: 1. Check process of maintaining documents by buyer/legal department. 2. Check 15 POs on sample basis.
Data analytics performed: NA

Risk: Contractor and order details are not accurately input in the system.
Control Description: At the time of PO approval, PO is printed and the details of the order, contractor and terms of the order are checked for accuracy by the personnel authorised to approve the PO as per the Authorities Matrix.
Control Owner: As per company policy
Test Performed: 1. Compare the approved PO with the supporting documents to ensure accuracy of data input.
Attributes tested: Accuracy of data updation.
Sample size: 30 POs.
Data analytics performed: NA

Risk: PO issued after the goods have been received, or goods/services may have been procured without raising a PO.
Control Description: Receipts for the goods cannot be effected in the ERP system unless the POs exist in the system, i.e. GRN/SRN cannot be prepared in the absence of PO reference in the ERP system.
Control Owner: As per company policy
Test Performed: 1. Check by raising a dummy receipt where PO does not exist. 2. Compare the GRN/SRN record with the PO to ensure that PO exists for all the goods receipts and the POs are dated prior to GRN/SRN.
Attributes tested: Existence of PO for goods/service received.
Sample size: GRN/SRN and PO records.
Data analytics performed: Analyse GRN/SRN record or gate entry record having transactions of goods and services to identify: GRN/SRN or gate entry without PO reference; PO created after gate entry or invoice date. Calculate value of such purchases during audit period to show impact. Also check GRN prepared but risk of inventory not being received.

Control Description: Vendor invoices cannot be processed in ERP system in absence of a PO in system.
Control Owner: As per company policy
Test Performed: 1. Compare the invoices recorded in vendors' accounts with the PO listing to ensure that PO is available for invoices booked.
Attributes tested: Existence of PO for invoices booked.
Sample size: Vendor-wise invoice listing.
Data analytics performed: Analyse ERP data of various expense GLs with Goods receipt / Service clearing account to check expenses routed through 3-way control system, i.e. PO, GRN/SRN and invoice, instead of direct booking.
Risk: Orders not clubbed to save logistics cost.
Control Description: 1. Purchase Report is generated on monthly basis and is reviewed by designated authority. 2. Procurement requirements are evaluated for scheduling deliveries so as to reduce logistics/freight and related costs.
Control Owner: As per company policy
Test Performed: 1. Check the receipt of material vis-à-vis locations, date-wise and quantity-wise. 2. Check the monthly purchases report to check that it is reviewed by designated authority.
Attributes tested: Planning for possible saving in logistic cost.
Sample size: GRN records and PO records.
Data analytics performed: Analyse purchases on same or close dates from same location/city and from same or different suppliers to calculate total logistic saving possible during audit period if transported through same vehicle.

Risk: Business share allocation among different vendors results in higher procurement prices.
Control Description: All POs are reviewed and approved as per the approved Authority Matrix. Also, the same has been entered into ERP software in Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that the PO is approved as per Authority Matrix. 2. Check the ACL and confirm that the same is updated as per Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample size: 1. ACL. 2. Authority Matrix. 3. 30 POs.
Data analytics performed: Analyse PO records with GRN/SRN records to identify, vendor-wise: cases of quality rejection; cases of late delivery against PO terms; cases of less quantity delivered against PO quantity; and ascertain: 1. Vendors with low performance evaluation having high share of business. 2. Action taken against regular default vendors.

Control Description: 1. Purchases MIS is reviewed on a monthly basis by cross functional team of Heads of Purchases, Finance and Production, and reasons/costs for or due to allocation of procurement among different vendors are analysed. 2. Exceptions, if any, are taken into account at the time of placement of subsequent orders.
Control Owner: As per company policy
Test Performed: 1. Check the monthly purchases MIS review as evidence of HODs' review. 2. See the minutes of discussion and check whether the action points have been implemented. 3. Check approval of allocation of business among different vendors and check the same allocation is provided in system for procurement purpose.
Attributes tested: Monthly MIS review.
Sample size: MIS for 3 months.
Data analytics performed: Analyse whether ERP procurement is as per approved allocation of business among vendors or not. Analyse latest quality and delivery reports to recommend change in share of business among vendors. Also analyse charges for same services by different vendors. Calculate losses due to high allocation of business to high-rate vendor even where it provides low quality goods/service or late delivery.

Risk: Inadequate segregation of duties -- vendor identified by the user and goods/services ordered directly by the user from the vendor (including determination of purchase price and other terms and conditions).
Control Description: Adequate segregation of duties (SOD) exists for all purchases, which are routed through the buying department, which is different from the user department. The same is ensured in ERP system through updation of Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that the user department does not have access to raise PO, by creating a dummy PO with the id of a purchase department user. 2. Check the ACL for existence of SOD.
Attributes tested: Review SOD conflicts.
Sample size: ACL.
Data analytics performed: Analyse ERP data to verify that the ID of user (indent) department and purchase department are different.
Risk: Service and material procurement contracts not approved after expiry, and procurement done against invalid/expired contracts.
Control Description: Majority of service contracts are generated for a calendar year, thereby facilitating timely renewal. Details of each of these time-bound contracts are maintained in a Tracker. As and when contracts are shown due for renewal in the tracker, they are reviewed to assess whether fresh terms and conditions/contracts need to be drawn up.
Control Owner: As per company policy
Test Performed: 1. Check the validity of the contracts. 2. Check the time gap between date of expiry of contract and date of actual renewal to identify value of service procurement against invalid contracts. 3. Analyse losses due to procurement at old rates if there was a subsequent reduction in price.
Attributes tested: Timely renewal of contracts.
Sample size: Contracts records.
Data analytics performed: Analyse contract tracker with dates of original renewal and actual renewal.

Risk: Continued procurement at higher price despite reduction in market prices, not renegotiated with suppliers.
Control Description: Negotiations are conducted with approved vendors on an annual and routine basis so as to reduce cost of purchase. Also, the quotes are compared for negotiations during the appraisal time of the vendors. This is done by the personnel approved as per the Authority Matrix.
Control Owner: As per company policy
Test Performed: 1. Compare the approved PO with the subsequent reductions in the prices. 2. Check the market rates for the bulk items / critical items and their movements during the period of audit.
Attributes tested: Price fluctuations and periodic review.
Sample size: PO records.
Data analytics performed: NA

Control Description: MIS is reviewed by cross functional team of HODs for critical items and costs. Actionables, if any, are flagged for implementation.
Control Owner: As per company policy
Test Performed: 1. Check the MIS for HODs' review. 2. See the minutes of discussion and check whether the action points have been actioned upon.
Attributes tested: Monthly MIS and review minutes and timely action.
Sample size: MIS for 3 months.
Data analytics performed: NA

Risk: Duplicate orders.
Control Description: MIS is reviewed by cross functional team of HODs for critical items and costs. Actionables, if any, are flagged for implementation.
Control Owner: As per company policy
Test Performed: 1. Check the MIS for HODs' review. 2. See the minutes of discussion and check whether the action points have been actioned upon.
Attributes tested: Monthly MIS review; status of previous issues flagged.
Sample size: MIS for 3 months.
Data analytics performed: NA

Control Description: Exception report is generated at the time of processing of invoices for POs/invoices with certain same attributes, such as supplier, quantity and PR reference, and is reviewed by designated authority.
Control Owner: As per company policy
Test Performed: 1. Check the linking of the attributes and the exception report generated for any duplicate order. 2. Sort the invoice batch / PO records on the attributes and check for common information.
Attributes tested: Quantities, PO numbers, PR reference, supplier name.
Sample size: Invoice / PO records and link with PR records.
Data analytics performed: Analyse gate entry, GRN, PO records and PR records for any common information which shows duplicate POs raised for same items.

Control Description: All POs are reviewed for accuracy and correctness and approved as per the approved Authority Matrix. Also, the same has been entered into ERP software in Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that the PO is approved as per Authority Matrix. 2. Check the ACL and confirm that the same is updated as per Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample size: 1. ACL. 2. Authority Matrix. 3. 30 POs.
Data analytics performed: NA

Risk: All POs are not recorded.
Control Description: POs are sequentially pre-numbered. The sequence of POs processed is accounted for.
Control Owner: As per company policy
Test Performed: 1. Review the PO records for any missing numbers in the sequence of POs.
Attributes tested: Serial number control of purchase orders.
Sample size: PO records.
Data analytics performed: Analyse ERP PO records to verify PO sequence numbers.
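Several of the "Data analytics performed" entries above describe the same kind of check: compare two ERP extracts and list the records that break a control (the indent raiser also creating the PO, a GRN/SRN recorded without or before its PO, a gap in the pre-numbered PO sequence, and POs sharing supplier, quantity and PR reference). The following Python is an added example of those four checks and is not part of the checklist or of any ERP product; the record layout and the sample indents, POs and GRNs are constructed for illustration.

```python
"""Four purchase-to-pay data-analytics checks over constructed ERP extracts."""
from collections import defaultdict
from datetime import date

# Constructed sample extracts (not real data). One dict per ERP record.
INDENTS = [
    {"indent": "IND-1", "created_by": "user_a", "dept": "PROD"},
    {"indent": "IND-2", "created_by": "buyer_1", "dept": "PURCH"},  # buyer raised own indent
]
POS = [
    {"po": 1001, "indent": "IND-1", "created_by": "buyer_1", "vendor": "V1",
     "qty": 10, "pr_ref": "PR-1", "date": date(2024, 4, 1)},
    {"po": 1002, "indent": "IND-2", "created_by": "buyer_1", "vendor": "V2",
     "qty": 5, "pr_ref": "PR-2", "date": date(2024, 4, 3)},
    # PO 1003 is absent (sequence gap); 1004 repeats vendor/qty/PR of 1001
    {"po": 1004, "indent": "IND-1", "created_by": "buyer_2", "vendor": "V1",
     "qty": 10, "pr_ref": "PR-1", "date": date(2024, 4, 9)},
]
GRNS = [
    {"grn": "G-1", "po": 1001, "date": date(2024, 4, 5)},
    {"grn": "G-2", "po": 1002, "date": date(2024, 4, 2)},  # receipt dated before PO
    {"grn": "G-3", "po": None, "date": date(2024, 4, 6)},  # no PO reference
]


def sod_conflicts(indents, pos):
    """POs whose creator is the same user who raised the indent (SOD row)."""
    by_indent = {i["indent"]: i for i in indents}
    return sorted(p["po"] for p in pos
                  if by_indent[p["indent"]]["created_by"] == p["created_by"])


def grn_without_or_before_po(grns, pos):
    """GRNs with no PO reference, or dated earlier than their PO (PO-after-receipt row)."""
    po_dates = {p["po"]: p["date"] for p in pos}
    return sorted(g["grn"] for g in grns
                  if g["po"] is None or g["date"] < po_dates[g["po"]])


def missing_po_numbers(pos):
    """Numbers absent from the pre-numbered PO sequence (POs-not-recorded row)."""
    nums = sorted(p["po"] for p in pos)
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def duplicate_po_candidates(pos):
    """Groups of POs sharing supplier, quantity and PR reference (duplicate-orders row)."""
    groups = defaultdict(list)
    for p in pos:
        groups[(p["vendor"], p["qty"], p["pr_ref"])].append(p["po"])
    return sorted(tuple(sorted(v)) for v in groups.values() if len(v) > 1)


if __name__ == "__main__":
    print("SOD conflicts (PO numbers):", sod_conflicts(INDENTS, POS))
    print("GRN without/before PO:", grn_without_or_before_po(GRNS, POS))
    print("Missing PO numbers:", missing_po_numbers(POS))
    print("Duplicate PO candidates:", duplicate_po_candidates(POS))
```

Each function returns the exception list rather than printing it, so the same checks can be run over a full-period extract and the results attached to the working papers as the sample for follow-up.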
Control Description: In case of emergency purchases, the purchases made without indent/PO need to be specifically approved as per the Authorities Matrix.
Control Owner: As per company policy
Test Performed: 1. Check that there exists specific approval for purchases without indent or PO as per the Authorities Matrix.
Attributes tested: Approval of emergency purchase.
Sample size: Invoice records.
Data analytics performed: Analyse GRN record or gate entry record having transactions of service/material to identify: GRN/SRN or gate entry without PO reference; PO created after gate entry or invoice date. Calculate value of such purchases during audit period to show impact.

Risk: Validity of the open POs / contracts.
Control Description: 1. The list of open POs/contracts is reviewed on a monthly basis by purchase team. Redundant/expired POs are purged from the list. 2. Timelines of the procurement activities are monitored on monthly basis. Reason analysis is performed and documented for all delays beyond the defined timelines.
Control Owner: As per company policy
Test Performed: 1. Check the validity of open POs/contracts. 2. Check the documented reason for delayed POs.
Attributes tested: Open PO dates.
Sample size: Open PO listing.
Data analytics performed: Analyse list of purchase orders for the following: instances of open purchase orders not closed for long times, which may be used for unauthorised transactions. Calculate financial loss to the company due to delay in delivery, if possible.

Risk: Audit logs for changes in PO may not be available and reviewed, leading to unauthorized changes.
Control Description: 1. Audit logs are generated for all POs/WOs raised/modified in the system. 2. Process is in place to monitor audit logs to identify any inappropriate/suspicious activity.
Control Owner: As per company policy
Test Performed: 1. Check logs are available for POs/WOs and modifications. 2. Mechanism is in place to review audit logs.
Attributes tested: Audit logs of changes in PO.
Sample size: 1. Audit logs. 2. Monthly review on logs: 3 months.
Data analytics performed: Analyse audit log of modifications carried in purchase record to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to same person.

Sub-process: Quality assessment
Risk: Stock outs due to delays in delivery of stocks ordered through open POs.
Control Description: Open PO/contract list is prepared on a weekly basis by designated department. This is used as basis for tracking timely deliveries by the user department.
Control Owner: As per company policy
Test Performed: 1. Check the instances of stock outs and review the justification/root cause for the same. 2. Check whether the purchase department tracks deliveries against the open PO list.
Attributes tested: 1. Open PO dates. 2. Stock out events.
Sample size: 1. 10 weeks' open PO list. 2. Stock out list.
Data analytics performed: Analyse ERP open PO records with daily stock details to identify instances where PO is undelivered and material is out of stock.

Risk: Goods/services received may not be recorded.
Control Description: Statements received from vendors are reconciled with the vendor accounts in the accounts payable sub-ledger quarterly and differences are investigated. This is reviewed by Accounts teams.
Control Owner: As per company policy
Test Performed: 1. Check that the vendor accounts reconciliation is done on a periodic basis. 2. Check that differences, if any, are reconciled and are not carried forward.
Attributes tested: Unrecorded services/goods.
Sample size: Top 30 service/material vendors' reconciliation statements, or cover 40% of purchase value.
Data analytics performed: NA

Control Description: The stock at the business locations of the company is physically verified at least once a year by Accounts department / independent auditors. Variances, if any, are reconciled with the books of accounts to ensure accuracy of the books of accounts.
Control Owner: As per company policy
Test Performed: 1. Check the working papers of physical verification and see that the differences, if any, were reconciled and accounted for.
Attributes tested: Periodicity and variances noted in physical verification.
Sample size: Physical verification statements and reconciliation.
Data analytics performed: NA
Goods and 1. The As per 1. Check GRN and PO records NA
services receiving compan whether service and GRN
accepted personnel y policy GRN / SRN against records
without proper are required can be Authorised
inspection and to match the raised for PO only 30 GRNs for
verification goods items without physical
received with a PO or that verification
the open do not meet
purchase the PO
orders. In specification
case the s
goods 2. Verify user
received do department
not match head
with the approval on
quantities or service
specification invoices

271
Internal Audit Checklist

Process Sub- Risk Control Control Test Attributes Sample size Data
process Description Owner Performed tested (* may vary analytics
upon performed
organization
size, policy,
decision)
s or exceed before
the purchase booking the
order same in
quantity, the books.
same are 2. Whether
rejected. store person
2. The user sign off on
department invoice after
verifies physical
service count of
invoices of goods.
vendor with
internal
service
records and
obtained
approval of
department
head. Only
after service
booked in
system.
3. Invoice
quantity and
physical
quantity are
matched for
which store
person count
inventory
before GRN
and sign off
on invoice.
All receipts As per 1. Check that Unauthorise 1. ACL Analyse
are reviewed compan the GRN is d approval 2. Authority records of
and y policy approved as rights Matrix GRN/SRN
approved by per Authority 3. 30 GRNs with records
the Matrix. of PO
personnel as 2. Check the quantity and
per the ACL and rates to
approved confirm that identify
Authority the same is Instances of
Matrix. Also, updated as deviation.

272
Purchase to Pay – Indirect Material and Services

Process Sub- Risk Control Control Test Attributes Sample size Data
process Description Owner Performed tested (* may vary analytics
upon performed
organization
size, policy,
decision)
the same per Authority
has been Matrix.
enteredinto
ERP
software in
Access
Control List
(ACL).
Risk: Quantity/service received in excess of ordered quantity
Control description: 1. The receiving personnel are required to match the goods/service so received with the open purchase orders. In case the goods/service received do not match the quantities or specifications, or exceed the purchase order quantity, the same are rejected. 2. The ERP also has a control over quantity booking: the system does not allow booking of a quantity more than the PO quantity.
Control owner: As per company policy
Test performed: 1. Check the possibility of a GRN/SRN for more than the PO quantity by system walkthrough. 2. Check the approved tolerance limit against PO quantity from the PO management side. Verify cases where goods/service were allowed in excess of the tolerated limit.
Attributes tested: Order vs receipt qty. Material not received as per order specifications.
Sample size: PO records vs GRN records, and amended POs for change in qty.
Data analytics performed: Analyse the list of GRN/SRN for the following: 1. Instances of delays in receipt of materials/service. 2. Instances of GRN/SRN without PO or before PO. 3. Instances of GRN without gate entry. 4. Instances of GRN before gate entry. 5. Instances of GRN/SRN more than PO quantity. 6. Instances of GRN/SRN value more than PO/SO value.
Risk: as above
Control description: All receipts are reviewed and approved by the personnel as per the approved Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Control owner: As per company policy
Test performed: 1. Check that the GRN is approved as per the Authority Matrix. 2. Check the ACL and confirm that the same is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights
Sample size: 1. ACL 2. Authority Matrix 3. 30 GRNs
Data analytics performed: Analyse ERP receipt records during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person.
Risk: Quantity received has not been ordered.
Control description: The receiving personnel are required to match the goods received with the open purchase orders. In case the goods received do not match the quantities or specifications, or exceed the purchase order quantity, the same are rejected.
Control owner: As per company policy
Test performed: 1. Check whether a GRN/SRN can be raised for items without a PO, or for items that do not meet the PO specifications.
Attributes tested: Material not received as per specifications
Sample size: PO records vs GRN records, and amended POs for reason of qty and specification.
Data analytics performed: NA
Risk: as above
Control description: All receipts are reviewed and approved by the personnel as per the approved Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Control owner: As per company policy
Test performed: 1. Check that the GRN/SRN is approved as per the Authority Matrix. 2. Check the ACL and confirm that the same is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights
Sample size: 1. ACL 2. Authority Matrix 3. 30 GRNs
Data analytics performed: Analyse ERP receipt records to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person.
Risk: Unauthorized person can create receiving documents
Control description: All receipts are reviewed and approved by the personnel as per the approved Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Control owner: As per company policy
Test performed: 1. Check that the GRN is approved as per the Authority Matrix. 2. Check the ACL and confirm that the same is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights
Sample size: 1. ACL 2. Authority Matrix 3. 30 GRNs
Data analytics performed: Analyse ERP receipt records during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person.
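The "unauthorised users performing transactions" and "conflicting transaction rights granted to the same person" analytics in the rows above can be scripted against ERP extracts rather than inspected by eye. The following Python is an added example and is not part of the checklist: the roles, the Authority Matrix, the SOD rules, the ACL extract and the transaction log are all constructed for illustration, and the ERP export format is assumed to be simple in-memory records. It reconciles the ERP ACL against the approved Authority Matrix, flags SOD conflicts held by one user, flags log entries performed without a matrix-approved right (including users absent from the ACL), and flags one person performing two conflicting steps on the same document.

```python
"""Reconcile an ERP Access Control List (ACL) against the approved Authority
Matrix and scan a transaction log for (1) users acting without an approved
right and (2) conflicting rights held by one person.

Added example, not from the checklist. All data below is constructed.
"""
from collections import defaultdict

# Approved Authority Matrix: role -> permitted transaction types (constructed).
AUTHORITY_MATRIX = {
    "store_clerk": {"CREATE_GRN"},
    "store_head": {"CREATE_GRN", "APPROVE_GRN"},
    "qc_officer": {"CERTIFY_QUALITY"},
    "ap_executive": {"BOOK_INVOICE"},
    "ap_manager": {"BOOK_INVOICE", "APPROVE_INVOICE"},
    "treasury": {"RELEASE_PAYMENT"},
}

# Right combinations that must not sit with one person (constructed SOD rules).
SOD_CONFLICTS = [
    ({"CREATE_GRN", "APPROVE_GRN"}, "creates and approves own receipts"),
    ({"CREATE_GRN", "CERTIFY_QUALITY"}, "receives and certifies quality of the same goods"),
    ({"BOOK_INVOICE", "RELEASE_PAYMENT"}, "books and pays invoices"),
    ({"APPROVE_INVOICE", "RELEASE_PAYMENT"}, "approves and pays invoices"),
]

# ERP ACL extract: user -> (role, rights actually granted in the system).
ERP_ACL = {
    "asha": ("store_clerk", {"CREATE_GRN"}),
    "ravi": ("store_head", {"CREATE_GRN", "APPROVE_GRN"}),         # matrix itself allows this pair
    "meena": ("qc_officer", {"CERTIFY_QUALITY", "CREATE_GRN"}),     # right beyond the matrix
    "john": ("ap_executive", {"BOOK_INVOICE", "RELEASE_PAYMENT"}),  # right beyond the matrix + SOD
    "priya": ("treasury", {"RELEASE_PAYMENT"}),
}

# ERP transaction log: (document, transaction type, user).
TXN_LOG = [
    ("GRN-1001", "CREATE_GRN", "asha"),
    ("GRN-1001", "APPROVE_GRN", "ravi"),
    ("GRN-1002", "CREATE_GRN", "meena"),       # QC officer creating receipts
    ("GRN-1002", "APPROVE_GRN", "asha"),       # clerk has no approval right
    ("INV-501", "BOOK_INVOICE", "john"),
    ("INV-501", "RELEASE_PAYMENT", "john"),    # same person books and pays
    ("INV-502", "RELEASE_PAYMENT", "ghost"),   # user absent from the ACL
]


def acl_deviations(acl, matrix):
    """Rights granted in the ERP beyond what the Authority Matrix allows for the role."""
    out = []
    for user, (role, rights) in sorted(acl.items()):
        extra = rights - matrix.get(role, set())
        if extra:
            out.append((user, role, sorted(extra)))
    return out


def sod_conflicts(acl, rules):
    """Users holding a combination of rights that the SOD rules forbid."""
    out = []
    for user, (_, rights) in sorted(acl.items()):
        for combo, why in rules:
            if combo <= rights:
                out.append((user, sorted(combo), why))
    return out


def unauthorised_transactions(log, acl, matrix):
    """Log entries performed by users whose matrix role does not permit that transaction."""
    out = []
    for doc, txn, user in log:
        role = acl.get(user, (None, set()))[0]
        if txn not in matrix.get(role, set()):
            out.append((doc, txn, user, role))
    return out


def self_approvals(log, conflicting_pairs):
    """The same user performing two conflicting steps on one document."""
    by_doc = defaultdict(dict)
    for doc, txn, user in log:
        by_doc[doc].setdefault(txn, set()).add(user)
    out = []
    for doc, steps in sorted(by_doc.items()):
        for first, second in conflicting_pairs:
            for user in sorted(steps.get(first, set()) & steps.get(second, set())):
                out.append((doc, user, first, second))
    return out


if __name__ == "__main__":
    print("ACL beyond matrix:", acl_deviations(ERP_ACL, AUTHORITY_MATRIX))
    print("SOD conflicts:", sod_conflicts(ERP_ACL, SOD_CONFLICTS))
    print("Unauthorised txns:", unauthorised_transactions(TXN_LOG, ERP_ACL, AUTHORITY_MATRIX))
    print("Self approvals:", self_approvals(TXN_LOG, [("CREATE_GRN", "APPROVE_GRN"),
                                                     ("BOOK_INVOICE", "RELEASE_PAYMENT")]))
```

Note that the SOD scan is run against the rights the ERP actually grants, not against the matrix: in the constructed data "ravi" is flagged even though the matrix allows a store head both rights, which is exactly the case an auditor should raise with the matrix owner rather than with IT.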
Risk: Terms and conditions of acceptance of goods at the factory gate (before the goods have been approved by quality/indenter) may be detrimental to the interests of the company.
Control description: The receiving stamp that is used to acknowledge the receipt of goods at the gate on the GRN bears the inscription 'goods are being received subject to count and quality procedures'. Accordingly, liability would not accrue to the Company until these procedures are complied with.
Control owner: As per company policy
Test performed: 1. Check that the GRNs are being marked with the stamp 'goods are being received subject to count and quality procedures'.
Attributes tested: Appropriate stamp on the GRNs
Sample size: 30 GRNs
Data analytics performed: NA
Risk: Inappropriate quality of service / material accepted
Control description: 1. Before the GRN is sent to Accounts for booking the liability, or the goods are sent to the store, the quality department is required to certify the quality of material received in accordance with the set guidelines. 2. The user department verifies service invoices of the vendor with internal service records and obtains the approval of the department head. Only after this is the service booked in the system. 3. The store clerk will not accept the goods unless "QC checked" is stamped on the GRN. 4. Also, Accounts will not book the liability and process the payment unless the QC-checked and stamped GRN is received by them. 5. Where quality check is not required for an item, the item should be part of the QC exceptions list, which is reviewed on a monthly basis.
Control owner: As per company policy
Test performed: 1. Check whether the GRNs have been marked as approved by the Quality head. 2. Review the exception report for the goods rejected due to quality constraints at the shop floor. Check that all these goods are returned to vendors as per agreement. 3. If rejected goods are not returned, they should be recorded as scrap. 4. Check that the monthly quality exception list is reviewed by an authorised person. 5. Verify user department head approval on service invoices before the same are booked in the books.
Attributes tested: Post-QC rejections
Sample size: 1. 30 GRNs 2. Exception report raised for post-QC rejections
Data analytics performed: Analyse Quality and Return-to-Vendor records for the following: - Delays in sending rejected material back to the vendor. - Instances of GRN and issue of material despite quality rejection. - Quality notes created by an unauthorized person / absence of SOD.
Risk: as above
Control description: Access to certify the quality of material is restricted in the ERP to persons as per the approved Authority Matrix.
Control owner: As per company policy
Test performed: 1. Review the Access Control List for access given to personnel other than those authorised for certifying the quality of the goods.
Attributes tested: Access rights for certifying quality
Sample size: Access Control List
Data analytics performed: Analyse GRN and Quality records to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person.
Risk: A policy may not be in place for sampling, methodology and checklists, leading to credit to the vendor for poor quality service / material.
Control description: 1. A policy is in place for quality testing of required material, including sampling, methodology and documentation of quality testing. 2. Quality inspection standards are defined for all materials. 3. Ensure all steps are carried out as per company policy or the ISO certification process for quality assessment and documentation. 4. All services are approved on the basis of a complete checklist.
Control owner: As per company policy
Test performed: 1. Check that the policy on sampling and the methodology of quality testing is documented. 2. Check that a quality inspection policy is defined for all material. 3. Check that inspection is carried out as per policy or the ISO certification process. 4. Check that services are approved on the basis of a complete checklist and reviewer approval. Verify the checklist for different types of services.
Attributes tested: Checklist, sampling and quality methodology
Sample size: Select 30 GRN/SRN
Data analytics performed: Analyse ERP Quality records and check whether quantity has been transferred to the unrestricted category (for issue purposes). Check the quantity in the restricted category and the reason for the same. Analyse ERP quality records of actual samples against the defined sampling method.
Risk: Rejected material may not be placed separately (quarantined) and returned to the vendor on a timely basis, leading to the risk of issue to the floor and of ownership.
Control description: 1. Any rejection is segregated and stored separately. 2. All rejections are supplied back to the vendor on a timely basis. 3. The department ensures timely return and recording of the return. 4. Material is consumed only after quality checks. 5. An assessment is performed in case of high rejection in the material supplied by a vendor. 6. Debit notes should be raised immediately for all rejections and returns to vendors. 7. Credit to service vendors is provided only for satisfactory services.
Control owner: As per company policy
Test performed: 1. Physically verify rejected items and the storage control to avoid issue for operations. 2. Check whether rejected items are returned and replaced by vendors on a timely basis. 3. Verify whether returns are recorded in the books on a timely basis. 4. Ensure material is consumed after quality check only. 5. Check the monthly assessment of vendor-wise rejection to take appropriate action against regularly defaulting vendors. 6. Check that debit notes are raised for rejected material and approved by the appropriate authority. 7. Verify rejected material against vendors paid in advance. 8. Check whether, where services are not performed as per agreement, credit is not passed on to vendors for the same.
Attributes tested: Storing of rejected material and return to vendor
Sample size: 4 months' MIS of rejected items; 20 debit notes for rejected material
Data analytics performed: Analyse ERP quality and GRN records and the vendor's ledger to establish the following: - Whether a debit note is raised to the vendor for quality rejection. - GRN reversal in case of rejected material. - GRN records for replacement material from the vendor against the same PO. - Material is issued only after quality approval.
Risk: Delay in clearing and forwarding of imported goods.
Control description: The report on demurrage charges incurred due to delay in carrying and forwarding of imported items is reviewed by the designated person on a monthly basis. Also, these charges are separately disclosed in the MIS for Sr. Management review.
Control owner: As per company policy
Test performed: Check the demurrage charges paid and the justification for the same.
Attributes tested: Demurrage charges due to delay in clearing
Sample size: Demurrage charges ledger; 30 imported invoices
Data analytics performed: NA
Risk: Unauthorised or inaccurate release of payments for transporter dues.
Control description: All transporter claims are authorised by the Sr. Manager - Stores prior to payment by Accounts. This is based on the agreements with the vendors / transporters.
Control owner: As per company policy
Test performed: 1. Check the supporting for the claims, viz. agreements, if any. The rate contract should also be reviewed for any changes in petrol/diesel prices. 2. Check the reconciliation of the purchase register with transporter invoices to avoid duplicate booking. 3. Check lorry documents for freight payment.
Attributes tested: Transporter charges authorization
Sample size: 50 transporter invoices, or as per the quantum of business of the company.
Data analytics performed: NA
Risk: GST Input Credit not availed / short availed / excess availed
Control description: Monthly reconciliation of the GST Input Credit account and register is done both by Stores and Accounts.
Control owner: As per company policy
Test performed: 1. Check the GST Input Credit reconciliation for long outstanding items, and the justifications and action taken for the same.
Attributes tested: Periodicity of reconciliation and reasons for outstanding items
Sample size: 3 months' reconciliation
Data analytics performed: Analyse the GSTR-2A report against the purchase register to identify cases where GST credit is available as per the portal but the invoice is not booked, or vice versa.
Sub-process: Invoice Processing
Risk: Invoices may be booked incorrectly
Control description: Before any invoice is approved for booking, AM - Accounts performs a three-way match of the PO, GRN and invoice.
Control owner: As per company policy
Test performed: 1. Check that the invoice is supported by a duly authorised PO and GRN.
Attributes tested: Three-way control: PO, GRN and invoice
Sample size: 50 invoices, or as per quantum of transactions
Data analytics performed: Analyse and compare PO records with GRN records to verify accuracy of the booked value. Verify the transporter charges GL, the clearing & forwarding GL or the suspense GL, where excess invoiced value (more than PO value) may be provided, to verify the approval process. Analyse ERP data of the various expense GLs against the goods receipt / service clearing account to check that expenses are routed through the three-way control system (PO, GRN/SRN and invoice) instead of being booked directly.
Risk: as above
Control description: In case of emergency purchases, the invoice is verified with the GRN/SRN and subsequent approval for the purchase is obtained from the personnel authorised as per the Authority Matrix.
Control owner: As per company policy
Test performed: 1. Check that the invoice is supported by the GRN and the post-purchase approval of the personnel authorised as per the Authority Matrix.
Attributes tested: Emergency purchase approval
Sample size: 50 invoices, or as per quantum of transactions
Data analytics performed: Compare invoice date and PO date to identify emergency purchases (the invoice date should be after the PO date). Verify ERP records where invoices were booked without the three-way control (PO, GRN and invoice) to check the approval procedure.
Risk: Duplicate booking of invoice.
Control description: At the time of booking of the invoice, the invoice is defaced with the stamp "Processed" by the executive.
Control owner: As per company policy
Test performed: Check that the invoices are defaced at the time of booking.
Attributes tested: Defacing of invoice to avoid duplicate booking.
Sample size: 50 invoices, or as per quantum of transactions
Data analytics performed: Analyse vendor invoices for the following: 1. Incorrect / duplicate invoices processed. 2. Check for the same invoice amount in the same period for the same vendor.
Risk: as above
Control description: Once an invoice is booked, the supporting documents, viz. GRN, PO and indent, are attached with it. Invoices without supporting cannot be processed.
Control owner: As per company policy
Test performed: 1. Check that the invoice is supported by a duly authorised PO and GRN.
Attributes tested: Supporting documents
Sample size: 50 invoices, or as per quantum of transactions
Data analytics performed: Analyse PO values from ERP records and compare them with GRN values for accuracy between the two.
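The three-way match, the duplicate-invoice checks and the emergency-purchase date test in the Invoice Processing rows above, together with the GRN exception list in the "Quantity/service received in excess of ordered quantity" row, are all mechanical comparisons over the same three ERP extracts. The following Python is an added example and is not part of the checklist: the purchase orders, GRNs and invoices are constructed, and the 5% tolerance over PO quantity and value is an assumed policy value (the checklist only says to obtain the approved tolerance from PO management). It produces the GRN exception list, scores each invoice against its PO and GRN, and reports duplicates both by vendor plus invoice number and by vendor plus amount within one booking month.

```python
"""Three-way match (PO, GRN, invoice) and receipt/invoice exception analytics.

Added example, not part of the checklist. All purchase orders, GRNs and
invoices below are constructed; the 5% over-receipt tolerance is an assumed
policy value.
"""
from collections import defaultdict
from datetime import date

QTY_TOLERANCE = 0.05  # assumed approved tolerance over PO quantity/value

# Constructed purchase orders: id -> vendor, ordered qty, unit rate, PO date.
POS = {
    "PO-1": {"vendor": "V1", "qty": 100, "rate": 10.0, "date": date(2024, 4, 1)},
    "PO-2": {"vendor": "V2", "qty": 50, "rate": 20.0, "date": date(2024, 4, 10)},
    "PO-3": {"vendor": "V3", "qty": 10, "rate": 100.0, "date": date(2024, 4, 20)},
}

# Constructed GRNs: id -> PO reference, qty received, gate entry date (None = no gate entry).
GRNS = {
    "GRN-1": {"po": "PO-1", "qty": 104, "gate": date(2024, 4, 5)},  # within tolerance
    "GRN-2": {"po": "PO-2", "qty": 60, "gate": date(2024, 4, 12)},  # 20% over PO
    "GRN-3": {"po": None, "qty": 5, "gate": None},                  # no PO, no gate entry
    "GRN-4": {"po": "PO-3", "qty": 10, "gate": date(2024, 4, 22)},
}

# Constructed vendor invoices as booked in the ERP.
INVOICES = [
    {"inv": "INV-A", "vendor": "V1", "po": "PO-1", "grn": "GRN-1", "qty": 104,
     "amount": 1040.0, "inv_date": date(2024, 4, 6), "booked": date(2024, 4, 8)},
    {"inv": "INV-B", "vendor": "V2", "po": "PO-2", "grn": "GRN-2", "qty": 60,
     "amount": 1300.0, "inv_date": date(2024, 4, 13), "booked": date(2024, 4, 15)},  # value over PO
    {"inv": "INV-C", "vendor": "V3", "po": "PO-3", "grn": "GRN-4", "qty": 10,
     "amount": 1000.0, "inv_date": date(2024, 4, 15), "booked": date(2024, 4, 25)},  # dated before PO
    {"inv": "INV-C", "vendor": "V3", "po": "PO-3", "grn": "GRN-4", "qty": 10,
     "amount": 1000.0, "inv_date": date(2024, 4, 15), "booked": date(2024, 4, 30)},  # booked twice
    {"inv": "INV-D", "vendor": "V4", "po": None, "grn": None, "qty": 1,
     "amount": 500.0, "inv_date": date(2024, 4, 18), "booked": date(2024, 4, 19)},   # direct booking
]


def grn_exceptions(grns, pos, tolerance=QTY_TOLERANCE):
    """GRNs without a PO, without gate entry, or with qty beyond the approved tolerance."""
    out = []
    for grn_id, g in sorted(grns.items()):
        if g["po"] is None:
            out.append((grn_id, "GRN_WITHOUT_PO"))
        elif g["qty"] > pos[g["po"]]["qty"] * (1 + tolerance):
            out.append((grn_id, "QTY_OVER_TOLERANCE"))
        if g["gate"] is None:
            out.append((grn_id, "NO_GATE_ENTRY"))
    return out


def three_way_match(inv, pos, grns, tolerance=QTY_TOLERANCE):
    """Reasons an invoice fails the PO/GRN/invoice match; an empty list means it passes."""
    po = pos.get(inv["po"]) if inv["po"] else None
    grn = grns.get(inv["grn"]) if inv["grn"] else None
    if po is None or grn is None:
        return ["DIRECT_BOOKING_NO_THREE_WAY"]  # expense booked without PO/GRN
    reasons = []
    if grn["po"] != inv["po"] or po["vendor"] != inv["vendor"]:
        reasons.append("PO_GRN_VENDOR_LINK_MISMATCH")
    if inv["qty"] > grn["qty"]:
        reasons.append("INVOICE_QTY_EXCEEDS_GRN")
    if inv["amount"] > po["qty"] * po["rate"] * (1 + tolerance):
        reasons.append("INVOICE_VALUE_EXCEEDS_PO")
    if inv["inv_date"] < po["date"]:
        reasons.append("INVOICE_DATED_BEFORE_PO")  # emergency purchase: needs post-facto approval
    return reasons


def duplicate_invoices(invoices):
    """Same vendor + invoice number booked twice, or same vendor + amount in one booking month."""
    by_number = defaultdict(int)
    by_amount = defaultdict(int)
    for i in invoices:
        by_number[(i["vendor"], i["inv"])] += 1
        by_amount[(i["vendor"], i["amount"], i["booked"].year, i["booked"].month)] += 1
    return ([k for k, n in by_number.items() if n > 1],
            [k for k, n in by_amount.items() if n > 1])


def run_all():
    """Exception report over the constructed data set."""
    return {
        "grn": grn_exceptions(GRNS, POS),
        "invoices": {f'{i["inv"]}/{i["booked"]}': three_way_match(i, POS, GRNS) for i in INVOICES},
        "duplicates": duplicate_invoices(INVOICES),
    }


if __name__ == "__main__":
    for section, rows in run_all().items():
        print(section, rows)
```

The amount-in-month duplicate test is deliberately kept alongside the invoice-number test: a re-keyed invoice number defeats the first, a split or rounded amount defeats the second, and an auditor wants both lists, not their intersection.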
Risk: Unapproved invoices are processed.
Control description: The invoices, before being processed, are reviewed by the designated authority.
Control owner: As per company policy
Test performed: Check the approval of AM - Accounts on the invoice.
Attributes tested: Invoice approval from designated authority
Sample size: 50 invoices, or as per quantum of transactions
Data analytics performed: Analyse GRN and invoice records to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person.

Risk: as above
Control description: Access rights to process the invoices are restricted to the personnel authorised as per the Authority Matrix and are entered in the Access Control List (ACL) in the ERP system.
Control owner: As per company policy
Test performed: Check the Access Control List for the access rights given to the authorised personnel.
Attributes tested: Transactions performed as per access rights.
Sample size: ACL
Data analytics performed: as for the row above
Risk: Delay in accounting of invoices
Control description: Statements received from vendors are reconciled with the vendor accounts in the accounts payable subledger quarterly and differences are investigated. This is reviewed by the designated authority.
Control owner: As per company policy
Test performed: 1. Check the periodicity of vendor reconciliation for appropriateness thereof. 2. Sample-check the pending items in the reconciliations for invoices pending booking and confirm the reasons for the same.
Attributes tested: Timely booking of invoices
Sample size: Reconciliation for 30 vendors
Data analytics performed: Analyse ERP data to compare invoice date, GRN date, quality date and invoice booking date to verify timely processing of invoices.
Risk: as above
Control description: The list of Goods Received Not Invoiced (GRNI) / Service Receipt Notes and the items with Quality Control are reviewed on a monthly basis to ensure that there are no delays in booking the liability.
Control owner: As per company policy
Test performed: 1. Check the ageing of the temporary GRNs raised for material with the Quality Control department, and of the GRNIs. 2. Ensure that the same are accounted for in the books as liability in the suspense accounts.
Attributes tested: Ageing of GRNs and material being held by QC
Sample size: Records of GRNs with QC; liability provided for non-booked GRNs
Data analytics performed: Analyse ERP data to compare invoice date, GRN date, quality date and invoice booking date: - to verify timely processing of activities; - to check that vendor liability is booked on a timely basis so that reconciliation gaps are zero or minimal.
Risk: Related expenditure and cenvat may not be booked along with the invoice.
Control description: 1. GST input credit is obtained for all eligible credits, and this is duly verified at the time of recording of invoices. 2. All the related expenditure, such as toll tax, cess, freight, etc., is recorded as cost of material or service. 3. Appropriate deduction and recording of TDS is done wherever applicable.
Control owner: As per company policy
Test performed: 1. Check that cenvatable credit is provided along with invoice booking. 2. Check that all related expenditure, like toll tax and freight, is booked along with the goods/services. 3. Check that TDS and other deductions as per law are made and recorded.
Attributes tested: Credit booking and deduction
Sample size: 50 invoices, and as decided with management
Data analytics performed: NA
Risk: Delay in raising debit / credit notes
Control description: Statements received from vendors are reconciled to the vendor accounts in the accounts payable subledger quarterly and differences are investigated. This is reviewed by AM - Accounts.
Control owner: As per company policy
Test performed: 1. Check the vendor reconciliation for the periodicity of reconciliation. 2. Sample-check the pending items in the reconciliations for debit / credit notes yet to be raised. Confirm the reasons for the same.
Attributes tested: Timely issue of debit / credit notes
Sample size: Reconciliation for 30 vendors
Data analytics performed: Analyse the time taken to issue debit / credit notes from the date of booking of invoices or the date of receipt/return of material.
Risk: Unauthorized debit / credit notes may be raised
Control description: The debit / credit notes are approved by the personnel approved in the Authority Matrix. The same is entered in the Access Control List existing in the ERP system.
Control owner: As per company policy
Test performed: 1. Check that the access control list defined in the ERP system is as per the approved Authority Matrix. 2. Check that adequate back-up / supporting documents exist for issuing debit / credit notes.
Attributes tested: 1. Approvals for debit / credit notes 2. Reasons for issuance
Sample size: 30 debit / credit notes
Data analytics performed: Analyse the number of debit / credit notes issued vis-à-vis the number of purchases made. Analyse the value of debit / credit notes issued vis-à-vis the value of purchases made, to check the efficiency of purchasing.
Sub-process: Accounting and payable
Risk: Unauthorised payments
Control description: The payment voucher with the required supporting is reviewed and authorised by the personnel authorised as per the approved Authority Matrix. The authority matrix is entered in the Access Control List (ACL) in the ERP system. The supporting documentation is cancelled or defaced once it is reviewed and the payment voucher is approved. In case of cheque payment, the cheque is handed over to the vendor representative and an acknowledgement is obtained.
Control owner: As per company policy
Test performed: 1. Check that the Access Control List in the ERP is as per the approved Authority Matrix. Any changes to the authorised signatories for bank transactions should be authorised by the Board and intimated to the bank immediately. 2. Check that the requisite supporting is attached with the payment voucher. 3. Check that the supporting is defaced for the approved vouchers. 4. Check for the signature of the vendor's representative.
Attributes tested: 1. Access Control List 2. Approved supporting documents
Sample size: 1. Access Control List 2. Authority Matrix 3. 30 payment vouchers
Data analytics performed: Analyse vendor payment records during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person.
Risk: as above
Control description: At the time of processing a vendor invoice for payment, the designated authority is required to identify and set off all the advances pending for adjustment for that vendor.
Control owner: As per company policy
Test performed: 1. Check that there are no amounts pending adjustment for vendors where all the invoices have been paid. See the justification for exceptions. 2. Scrutinise the vendor accounts / party accounts to check for cases of splitting of amounts to avoid the authority matrix. 3. Vendor advances should be adjusted as per contract terms. 4. Check cases where an advance was paid to a contractor but the work is performed at a slow pace, leading to financial loss to the company.
Attributes tested: 1. Advance amounts in vendor accounts pending adjustment 2. Multiple payments on the same or nearby dates
Sample size: 30 vendor accounts, and as per business need
Data analytics performed: Analyse vendor payments for the following: 1. Same vendor with the same date and more than one payment. 2. Check that advances are adjusted as per contract terms. 3. Check advances paid without bank guarantee, against the policy of the company.
Risk: as above
Control description: The listing of vendor payments is reviewed prior to release of payment by the personnel authorised as per the approved Authority Matrix.
Control owner: As per company policy
Test performed: 1. Check for evidence of review on the vendor payment list.
Attributes tested: Review of payment
Sample size: 30 vendor payment lists
Data analytics performed: Analyse vendor payment records during the review period to identify the following: 1. Unauthorized users performing transactions. 2. Conflicting transaction rights granted to the same person.

Risk: as above
Control description: The personnel making the payment (either through cheque / DD / wire transfer) are authorised to do so as per the approved Authority Matrix.
Control owner: As per company policy
Test performed: 1. Check the approval for the authority to make the payment. 2. Check whether the same has been communicated to the bank.
Attributes tested: Approval of payment to vendors
Sample size: Authority Matrix
Data analytics performed: as for the row above
Risk: as above
Control description: Management periodically reviews the returned paid cheques for unauthorised signatures and/or alterations.
Control owner: As per company policy
Test performed: 1. Check for evidence of the management review.
Attributes tested: Review of returned cheques
Sample size: Returned cheques
Data analytics performed: Analyse total cheques issued during the period and cheques returned, to verify the following: 1. Control at the time of issue of cheques. 2. Period for which cheques were returned due to alteration/mismatch, etc.
Risk: Payments are made to incorrect vendors
Control description: 1. The payment voucher with the required supporting is reviewed and authorised by the personnel authorised as per the approved Authority Matrix. The authority matrix is entered in the Access Control List (ACL) in the ERP system. 2. The supporting documentation is cancelled or defaced once it is reviewed and the payment voucher is approved.
Control owner: As per company policy
Test performed: 1. Check that the ACL in the ERP is as per the approved Authority Matrix. 2. Check that the requisite supporting is attached with the payment voucher. 3. Check that the supporting is defaced for the approved vouchers.
Attributes tested: 1. Access Control List 2. Approved supporting documents
Sample size: 1. Access Control List 2. Authority Matrix 3. 30 payment vouchers
Data analytics performed: NA
Risk: as above
Control description: 1. The listing of vendor payments is reviewed prior to release of payment by the personnel authorised as per the approved Authority Matrix. 2. Cheques / DDs are restrictively endorsed by the preparer to ensure that they are paid to the specific payee.
Control owner: As per company policy
Test performed: 1. Check for evidence of review on the vendor payment list.
Attributes tested: Management review before release of payment
Sample size: 30 vendor payment lists
Data analytics performed: 1. Data analysis of open / long-pending advances which are not adjusted. 2. Analyse data for instances of delay in payment made to MSME vendors over 45 days. 3. Whether liability write-off approvals are obtained from management as per policy.
Risk: as above
Control description: Management periodically reviews the returned paid cheques for unauthorised signatures and/or alterations.
Control owner: As per company policy
Test performed: 1. Check for evidence of the management review.
Attributes tested: Management review of returned cheques and reissue
Sample size: Returned cheques
Data analytics performed: Analyse total cheques issued during the period and cheques returned, to verify the following: 1. Control at the time of issue of cheques. 2. Period for which cheques were returned due to alteration/mismatch, etc.

Risk: Credit terms may not be utilized effectively.
Control description: 1. Payments are processed for approved invoices as per the agreed payment terms, to optimize the use of the credit period and the efficient utilization of working capital. 2. Vendor ageing is prepared and reviewed by the Finance head on a weekly basis to ensure all overdue payments are processed.
Control owner: As per company policy
Test performed: 1. Check the payment and credit terms approved with vendors. 2. Review the weekly vendor ageing document.
Attributes tested: Credit terms and weekly review of overdues
Sample size: Check the ledger of 10 major vendors; 10 weekly reviews of overdue payments
Data analytics performed: Analyse ERP vendor ageing for different months to verify that payments are made after utilizing the credit terms, to maintain the working capital balance.
Risk: MSME vendors not paid on a timely basis
Control description: Payment to MSME vendors is reviewed and made within the defined timelines as per the terms of agreement, or the timelines defined under the Micro, Small and Medium Enterprises Development Act, 2006 or amendments thereafter (45 days), whichever is earlier.
Control owner: As per company policy
Test performed: 1. Check the ageing of MSME vendors on different dates/months.
Attributes tested: Timely payment to MSME vendors
Sample size: Check the ledger of 20 MSME vendors
Data analytics performed: 1. Data analysis of open / long-pending advances which are not adjusted. 2. Analyse data for instances of delay in payment made to MSME vendors over 45 days.
Risk: GST credit reconciliation, and payables outstanding more than 180 days
Control description: Reconciliation of eligible GST credits on the GST portal with the GST input credit available and deposited is performed periodically.
Control owner: As per company policy
Test performed: 1. Check the monthly reconciliation sheet of GST credit as per books with the portal and the amounts deposited.
Attributes tested: GST reconciliation
Sample size: 3 months' reconciliation
Data analytics performed: Analyse, vendor-wise, the credit available on the portal against the credit availed/booked by the company, the reasons for non-utilization/booking, and the vice-versa cases.
Risk: as above
Control description: If payment to a vendor is not made within 180 days, the GST credit related to that amount needs to be reversed.
Control owner: As per company policy
Test performed: 1. Verify the vendor ageing and identify cases where payments are outstanding for more than 180 days. 2. Check the GST return and verify whether the credit related to this vendor is reversed in the particular month. 3. A tracker should be maintained by the company for credit reversal and subsequent utilization after payment.
Attributes tested: GST credit reversal in case of non-payment within 180 days.
Sample size: 1. Vendor ageing 2. GST returns for reversal purposes
Data analytics performed: NA
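The payables analytics above (same vendor paid more than once on one date, MSME invoices outstanding beyond 45 days, and invoices unpaid beyond 180 days whose input credit has to be reversed) are all ageing and grouping checks over the invoice and payment registers. The following Python is an added example and is not part of the checklist: the vendor master, invoices and payment register are constructed, and the review cut-off date is assumed. It ages each invoice to its settlement date or to the cut-off if still open, so a late payment made before the cut-off is still reported as a delay.

```python
"""Vendor payment analytics: multiple payments to one vendor on the same day,
MSME invoices outstanding beyond 45 days, and invoices unpaid beyond 180 days
whose GST input credit has to be reversed.

Added example, not part of the checklist. Vendors, invoices and payments are
constructed; the review cut-off date is assumed.
"""
from collections import Counter
from datetime import date

REVIEW_DATE = date(2024, 9, 30)  # assumed cut-off for the review period
MSME_DAYS = 45                    # limit under the MSMED Act, 2006 cited in the checklist
GST_REVERSAL_DAYS = 180           # non-payment period after which input credit is reversed

# Constructed vendor master: vendor -> registered as MSME?
VENDORS = {"V1": True, "V2": False, "V3": True}

# Constructed booked invoices: (invoice, vendor, invoice date, amount, paid date or None).
INVOICES = [
    ("INV-1", "V1", date(2024, 8, 1), 1000.0, date(2024, 8, 30)),   # MSME, paid in 29 days
    ("INV-2", "V1", date(2024, 7, 15), 2500.0, None),               # MSME, open 77 days
    ("INV-3", "V2", date(2024, 3, 1), 8000.0, None),                # open 213 days: reverse credit
    ("INV-4", "V3", date(2024, 7, 20), 700.0, date(2024, 9, 25)),   # MSME, paid after 67 days
    ("INV-5", "V2", date(2024, 9, 1), 300.0, date(2024, 9, 20)),
]

# Constructed payment register: (payment, vendor, payment date, amount).
PAYMENTS = [
    ("PAY-1", "V1", date(2024, 8, 30), 1000.0),
    ("PAY-2", "V2", date(2024, 9, 20), 300.0),
    ("PAY-3", "V2", date(2024, 9, 20), 300.0),   # second payment, same vendor, same day
    ("PAY-4", "V3", date(2024, 9, 25), 700.0),
]


def days_outstanding(inv_date, paid, as_of=REVIEW_DATE):
    """Days from invoice to settlement, or to the review date if still open at that date."""
    end = paid if paid is not None and paid <= as_of else as_of
    return (end - inv_date).days


def msme_delays(invoices, vendors, limit=MSME_DAYS, as_of=REVIEW_DATE):
    """MSME invoices settled late, or still open beyond the statutory limit."""
    out = []
    for inv, vendor, inv_date, _, paid in invoices:
        if not vendors.get(vendor):
            continue
        age = days_outstanding(inv_date, paid, as_of)
        if age > limit:
            out.append((inv, vendor, age))
    return out


def gst_reversal_candidates(invoices, limit=GST_REVERSAL_DAYS, as_of=REVIEW_DATE):
    """Invoices still unpaid after the limit; input credit claimed on them must be reversed."""
    return [(inv, vendor, (as_of - inv_date).days, amount)
            for inv, vendor, inv_date, amount, paid in invoices
            if paid is None and (as_of - inv_date).days > limit]


def same_day_multiple_payments(payments):
    """(vendor, ISO date) pairs with more than one payment: duplicate-payment review candidates."""
    counts = Counter((vendor, pay_date.isoformat()) for _, vendor, pay_date, _ in payments)
    return sorted(key for key, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("MSME delays:", msme_delays(INVOICES, VENDORS))
    print("GST reversal candidates:", gst_reversal_candidates(INVOICES))
    print("Same-day multiple payments:", same_day_multiple_payments(PAYMENTS))
```

The 180-day list is built only from invoices with no payment date, since a credit already reversed and re-availed after a late payment is tracked separately (the tracker the test step above asks for); the MSME list, by contrast, includes invoices that were eventually paid, because the statutory question is how long the vendor waited, not whether it is still waiting.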
Risk: Duplicate payments
Control description: 1. The payment voucher with the required supporting is reviewed and authorised by the personnel authorised as per the approved Authority Matrix. The authority matrix is entered in the Access Control List (ACL) in the ERP system. 2. The supporting documentation is cancelled or defaced once it is reviewed and the payment voucher is approved.
Control owner: As per company policy
Test performed: 1. Check that the Access Control List in the ERP is as per the approved Authority Matrix. 2. Check that the requisite supporting is attached with the payment voucher. 3. Check that the supporting is defaced for the approved vouchers.
Attributes tested: 1. Access Control List 2. Approved supporting documents
Sample size: 1. Access Control List 2. Authority Matrix 3. 30 payment vouchers
Data analytics performed: NA
Risk: Non-receipt of material against advances
Control description: The listing of open POs is reviewed on a monthly basis to check for cases of delayed supplies / contractors to whom advances have been released. This is reviewed by the personnel authorised as per the approved Authority Matrix.
Control owner: As per company policy
Test performed: 1. Check the due dates in the open POs / contracts. 2. Check the reasons for delays in supplies. 3. Verify the advance GL for long-pending unadjusted advances.
Attributes tested: 1. Open POs with corresponding advances 2. GL justification for delays
Sample size: 1. Open PO listing 2. Unadjusted advances
Data analytics performed: Analyse the PO list (where the timeline of supply/service has expired) and compare it with the advance GL to identify cases where the advance is unadjusted and the vendor's POs are also outstanding.
Risk: as above
Control description: Ageing of the party balances is reviewed on a monthly basis and account reconciliation is done on a quarterly basis.
Control owner: As per company policy
Test performed: 1. Check the debit balances appearing in the suppliers' accounts and the ageing thereof. 2. Check whether any unauthorized advance has been given to a supplier (this needs to be checked against the justification provided and the Authority Matrix). 3. Check whether the advances have not been adjusted correctly while accounting for the receipt of goods.
Attributes tested: 1. Approvals 2. Amount 3. Receipt of material 4. Due date
Sample size: Vendor accounts and the advances ageing statement
Data analytics performed: Analyse the various figures reported in the MIS vis-à-vis the details appearing in the ERP system to identify instances of incorrect reporting.
Risk: Wrong foreign exchange rates used for conversion of foreign currency invoices.
Control description: Weekly foreign currency rates are updated in the ERP system by the personnel authorised as per the Authority Matrix. The rights to update the masters are restricted as per the Authority Matrix; the source of foreign exchange rates should also be approved by Management.
Control owner: As per company policy
Test performed: 1. Compare the rates applied for invoice processing with the RBI rate.
Attributes tested: Exchange rate applied as per RBI rate
Sample size: Forex rates in 10 weeks
Data analytics performed: NA

Checklist 20
Purchase to Pay – Capital Items
Columns: Process | Sub-process | Risk | Control Description | Control Owner | Test Performed | Attributes tested | Sample size | Data analytics performed
Final process: Procurement of Capital Items
Sub-process: General and entity level control
Risk: Procurement policy and Authority Matrix may not be prepared or approved by the Board of Directors (BOD).
Control Description: The organisation has a clear and comprehensive (up to date) capital procurement policy approved by the Board of Directors (BOD) or designated authority. Due consideration is given to:
- Time (speed vs certainty of completion date)
- Cost (price level vs cost certainty)
- Quality (functionality and performance)
Control Owner: As per company policy
Test Performed: 1. Check the updated and comprehensive capital procurement policy is approved by the BOD or designated authority. 2. Check it addresses all attributes related to procurement of capital items.
Attributes tested: 1. Approved capital procurement policy 2. Completeness
Sample size: Capital item procurement policy approved by BOD
Data analytics performed: NA
Control Description: 1. The organisation has a clear and comprehensive (up to date) Delegation of Authority (DOA)/Delegation of Power (DOP) and Authority Matrix. 2. The Authority Matrix is approved by the Board of Directors, defining the authorities for approving capital purchase transactions or performing various transactions during the purchase process.
Control Owner: As per company policy
Test Performed: 1. Check the capital item procurement DOA/DOP is available and approved by the BOD.
Attributes tested: Approved DOA/DOP for capital purchase
Sample size: Approved DOA/DOP from BOD
Data analytics performed: NA
Risk: Inadequate Segregation of Duties and access rights, which may result in fraudulent / unauthorised transactions.
Control Description: 1. A document defining appropriate Segregation of Duties (SOD) is in place. 2. Access rights (Write / Read / Delete / Modify) granted to various people in the organisation are reviewed periodically to ensure appropriate SOD and avoid any unauthorised transactions. 3. Periodic review of Segregation of Duties and access rights is conducted.
Control Owner: As per company policy
Test Performed: 1. Check the documented SOD and access right list. 2. Verify that the same SOD and access rights are also entered in the system for approval of transactions. 3. Verify evidence of periodic review of SOD and access rights in the ERP system.
Attributes tested: 1. Documented SOD, access rights 2. Periodic review document
Sample size: 1. SOD 2. Access right list 3. Half-yearly review
Data analytics performed: Analyse transactions carried out during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person. 3. Internal Auditor to review the circumstances of conflict of interest.
Risk: SOPs may not be defined to ensure consistency and standardisation of operations.
Control Description: 1. The organisation has clearly defined Standard Operating Procedures and they are in place. 2. The SOP should define the sequence of activities, roles and responsibilities, Key Performance Indicators (KPIs), timelines and frequency of activities, along with the various documents to be maintained by the organisation for performance of capital transactions.
Control Owner: As per company policy
Test Performed: 1. Check the SOP is available and complete in all aspects of roles, KPIs, timelines and frequency of activities, etc. 2. Check when the SOP was last updated and enquire the reason for not updating the SOPs, in case they have not been updated for a long time.
Attributes tested: Approved SOP and completeness
Sample size: Updated SOP
Data analytics performed: NA
Risk: A review system to mitigate the risk of inappropriate transactions and monitor project progress may not be in place.
Control Description: 1. The organisation has set up an appropriate Management Information System (MIS) for regular monitoring of operations and financial activities by senior/top management. 2. An appropriate Risk Management System (RMS) is in place to identify and mitigate various risks. 3. Fraud Risk Assessment activity is conducted, and fraud risks are identified along with relevant controls to avoid any fraudulent transactions.
Control Owner: As per company policy
Test Performed: 1. Check MIS for monitoring of capital procurement / project operations. 2. Check an RMS is in place to identify and mitigate risk, and its functioning related to the project. 3. Fraud risk assessment activity conducted, and controls deployed. 4. Check project milestones are being achieved on a timely basis.
Attributes tested: 1. MIS 2. RMS 3. Fraud assessment activity to identify and control fraudulent activity.
Sample size: MIS for 3 months; actions and steps taken
Data analytics performed: Analyse various figures reported in MIS vis-à-vis the details appearing in the ERP system to identify instances of incorrect reporting.
Sub-process: Annual capital procurement budget, monitored on a regular basis to avoid deviation in future.
Risk: Procurement budget may not be prepared.
Control Description: 1. The basis for preparing the budget and the capital budget are approved by the BOD before the start of the financial year. 2. Monitoring of Budget vs Actual is done on a monthly basis, and action plans are reviewed wherever required. 3. The action plan is documented and adhered to for avoiding such identified variances in future.
Control Owner: As per company policy
Test Performed: 1. Check the Annual Capital Procurement Budget is approved by the designated authority and agreed with / communicated to the delegated authority well in advance. 2. Review the periodic monitoring of deviations from the approved budget, conducted along with reasons for deviations, if any.
Attributes tested: Approved budget and subsequent monitoring
Sample size: Approved budget for the year; Budget vs Actual MIS for 3 months and up to date
Data analytics performed: Verify the accuracy of the Budget vs Actual MIS from an independent data source, e.g., transactions recorded in ERP, to identify instances of incorrect monitoring or budget overrides. Understand the reasons for variance, including but not limited to (a) incorrect preparation of the budget, (b) accounting and classification errors, (c) use of budgetary provision for other purposes, etc.
Risk: Absence of a formal planning policy may lead to increased capital cost or increased inventory levels.
Control Description: An annual plan is developed defining the capital requirement for each of the departments. The plan is duly approved by the different HODs and the CEO. The plan includes the following factors (regarding procurement): 1. Capital items required 2. Capital requirement (owned or financed) 3. Authorisation. Based on the annual plan, the purchase department identifies the suppliers for the capital items, carries out pre-qualification and agreements with the suppliers, communicates the plan to the suppliers, and fixes lead time for delivery, periodicity of supply, etc.
Control Owner: As per company policy
Test Performed: 1. Check an approved capital procurement plan exists and is prepared after considering the production plan and business plans. 2. Check whether project/procurement activity is as per plan and check a process is in place to identify and report (MIS) deviations.
Attributes tested: 1. Timeliness followed in updating the plan. Completeness of defining material requirement, vendor identification, vendor communication and authorisations.
Sample size: 1. Annual plan 2. MIS for 3 months
Data analytics performed: NA
Sub-process: Indenting and approval for purchase
Risk: Indent raised / approved when there is no requirement for capital items.
Control Description: The indent is reviewed and approved by the authorised personnel (as per the limits set out in the approved Authority Matrix), signifying the need to procure capital items. The Authority Matrix is configured in the ERP system in the Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that indents are approved in accordance with the Authority Matrix. 2. Check whether the Authority Matrix is configured in the system's Access Control List, from a system control point of view.
Attributes tested: 1. Approvals for indent 2. Access control list
Sample size: Cover capital categories and approval matrix which together cover more than 40% of capital purchases.
Data analytics performed: Analyse transactions carried out during the review period to identify the following: 1. Unauthorised users performing transactions 2. Conflicting transaction rights granted to the same person.
Control Description: A monthly Budget vs Actual review is conducted considering department budgets, and major capital expenditures incurred are identified. Any unauthorised expenditure or double processing of significant expenditure would be identified in the review meeting.
Control Owner: As per company policy
Test Performed: 1. Check that all the indents which get converted into POs are reported as part of MIS for variance analysis (viz. budget vs. actual).
Attributes tested: Quantity reported in MIS
Sample size: 1. MIS - 3 months
Data analytics performed: Verify the accuracy of the Budget vs Actual MIS from an independent data source, e.g., transactions recorded in ERP, to identify instances of incorrect monitoring or budget overrides.
Control Description: 1. The budget for a particular capital expenditure is made at the time of indent approval and the amount is deducted from the total capital expenditure budget. 2. If the value of the capital expenditure is higher than the budget at a later stage, approval of the appropriate authority is required, depending on the increase in amount or the defined limit as decided by the Board. 3. The reason for the higher value should be supported by evidence and documented.
Control Owner: As per company policy
Test Performed: 1. Check that all budgets for particular capital expenditures are blocked at the indent approval stage only and cannot be increased. 2. Check that any increase in a particular capital expenditure against the frozen budget is approved by the designated authority with properly documented justification. 3. Check whether a working is done by management for the total cost to be incurred to complete the project.
Attributes tested: 1. Budget freezing at indent stage 2. Approved deviation of budget at later stage
Sample size: 1. Activity/project-wise capital expenditure budget tracker. 2. 10 cases of budget deviation
Data analytics performed: Analyse the budget for a 2 to 3 year period and identify the following: 1. Number of projects where the budget increased vs the total number of projects executed/awarded. 2. Total value of budget increases, to analyse the effectiveness of planning in the contract awarding process.
Risk: Unauthorised indents may be raised for purchases.
Control Description: 1. The indent is reviewed and approved by the authorised personnel (as per the limits set out in the approved Authority Matrix), signifying the need to procure capital items. The Authority Matrix is entered in the ERP system in the Access Control List (ACL). 2. Budget availability with the department is considered before approval of the indent; otherwise the indent cannot be approved. 3. Budgets are approved by the appropriate authority to release the indent.
Control Owner: As per company policy
Test Performed: 1. Check that the indents are approved in accordance with the Authority Matrix. 2. Check budget availability while approving indents. 3. Check that excess budget is approved by the authority in case the total budget is exhausted by the department before release of the indent.
Attributes tested: 1. Approvals for indent 2. Budget availability at the time of indent approval 3. ACL
Sample size: 1. Cover different items for different user departments, covering major and medium value.
Data analytics performed: Analyse the total budget approved for the department before the start of the year and the total value of indents approved during the budget period, to verify: - indents approved for more than the original budget without obtaining approval of excess budget, which is against the policy of the organisation.
Control Description: The system does not allow changes to be made to approved indents. They can either be cancelled or the indent is processed for PO. The amendment rights are available only with the Head of the Department (HOD).
Control Owner: As per company policy
Test Performed: 1. Check the access control list to confirm that no one other than the HOD has modification access for indents, and that access to cancel lies with managers in the respective user departments / cost centres.
Attributes tested: 1. Approvals for indent 2. Access control list
Sample size: System walkthrough and check whether the system allows changes to be made in approved indents.
Data analytics performed: NA
Risk: Indent does not prescribe the correct technical specifications of the project/capital items required, resulting in placing an incorrect order.
Control Description: 1. Specifications are a mandatory field in the indent, and the indent cannot be passed without them (in ERP). 2. Maker-checker controls are established to verify completeness and correctness of all details.
Control Owner: As per company policy
Test Performed: 1. Check the exception report generated from ERP for indents raised without any specification. 2. Check the rejection report for the items rejected due to incorrect specification.
Attributes tested: 1. Rejections due to incorrect / missing specifications
Sample size: Exception report and rejection report for the period of audit
Data analytics performed: Analyse ERP data to compare the specification as per the indent with the corresponding specification in the PO to identify deviations. Further verify the above deviations against GRNs rejected at the quality stage to establish rejection due to wrong purchase against the indent.
Risk: Indents sent to the purchase department with delay may hamper procurement activity.
Control Description: 1. The purchase requisition is sent to the purchase department within defined timelines. 2. Timelines are defined for approval of the indent and for issuing it further to the procurement team for processing.
Control Owner: As per company policy
Test Performed: 1. Check indent reports to verify timely sharing and conversion of approved indents into POs. 2. Check the list of indents raised by user departments but not yet approved. 3. Check the list of approved indents sent but with no action initiated by the purchase team.
Attributes tested: 1. Timely conversion of indents into POs
Sample size: Indent report compared with PO reports
Data analytics performed: Analyse ERP data of indents and POs to identify the following: 1. Time gap between indent raised and approval/release of the indent 2. Time gap between indent release and PO approval date 3. Expected date of material as per the indent, along with the deadline given to the vendor in the PO for supply. Use this to calculate probable losses due to delay in approval at different stages from indent to PO.
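The indent-to-PO time-gap analysis called for in the data analytics column above, as an added example written for this edition (it is not code from the checklist's authors). It takes constructed indent and PO extracts, computes the gap from indent raised to approval and from release to PO approval, flags POs whose vendor deadline falls after the required material date, and lists approved indents on which purchase has taken no action. The field layout, the SLA thresholds and the records are assumptions for illustration; an auditor would take the thresholds from the entity's SOP.

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample ERP extracts (hypothetical field layout, not real data).
# Indent: (indent_no, department, raised, approved, released_to_purchase, expected_material_date)
IndentRow = Tuple[str, str, date, Optional[date], Optional[date], date]
# PO: (po_no, indent_no, po_approved, vendor_delivery_deadline)
PoRow = Tuple[str, str, date, date]

INDENTS: List[IndentRow] = [
    ("IND-001", "PLANT", date(2024, 4, 1), date(2024, 4, 3), date(2024, 4, 3), date(2024, 6, 30)),
    ("IND-002", "IT", date(2024, 4, 5), date(2024, 4, 25), date(2024, 4, 26), date(2024, 5, 31)),
    ("IND-003", "PLANT", date(2024, 4, 10), None, None, date(2024, 7, 15)),  # still unapproved
    ("IND-004", "R&D", date(2024, 4, 12), date(2024, 4, 13), date(2024, 4, 15), date(2024, 6, 1)),  # no PO yet
]
POS: List[PoRow] = [
    ("PO-9001", "IND-001", date(2024, 4, 10), date(2024, 6, 20)),
    ("PO-9002", "IND-002", date(2024, 5, 20), date(2024, 6, 30)),  # deadline after required date
]
AS_OF = date(2024, 5, 31)  # cut-off date of the audit period (assumed)


def analyse_indent_to_po(indents: List[IndentRow], pos: List[PoRow], as_of: date,
                         approval_sla_days: int = 7, po_sla_days: int = 15) -> List[dict]:
    """One finding per indent: the time gaps the checklist asks for plus exception flags.

    SLA thresholds are assumed values, not figures from the checklist.
    """
    po_by_indent: Dict[str, PoRow] = {po[1]: po for po in pos}
    findings = []
    for indent_no, dept, raised, approved, released, expected in indents:
        flags: List[str] = []
        approval_days: Optional[int] = None
        po_days: Optional[int] = None
        if approved is None:
            # Gap 1 cannot be measured yet; measure the age against the cut-off instead.
            flags.append("PENDING_APPROVAL")
            if (as_of - raised).days > approval_sla_days:
                flags.append("APPROVAL_DELAY")
        else:
            approval_days = (approved - raised).days  # gap 1: raised -> approved
            if approval_days > approval_sla_days:
                flags.append("APPROVAL_DELAY")
            po = po_by_indent.get(indent_no)
            start = released or approved
            if po is None:
                flags.append("NO_PO")  # approved indent with no action by purchase
                if (as_of - start).days > po_sla_days:
                    flags.append("PO_DELAY")
            else:
                po_days = (po[2] - start).days  # gap 2: released -> PO approved
                if po_days > po_sla_days:
                    flags.append("PO_DELAY")
                if po[3] > expected:  # gap 3: vendor deadline vs required material date
                    flags.append("DEADLINE_AFTER_REQUIRED_DATE")
        findings.append({"indent_no": indent_no, "department": dept,
                         "approval_days": approval_days, "po_days": po_days, "flags": flags})
    return findings


def exceptions_only(findings: List[dict]) -> List[str]:
    """Indent numbers carrying at least one flag, for the exception report."""
    return [f["indent_no"] for f in findings if f["flags"]]


if __name__ == "__main__":
    for f in analyse_indent_to_po(INDENTS, POS, AS_OF):
        print(f)
```

The delay days per stage are what the checklist's "probable losses" estimate would be priced from; the block stops at the day counts because the loss rate is entity-specific.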
Risk: Indent does not prescribe the correct technical specifications of the project/capital items required, resulting in incorrect ordering.
Control Description: 1. The indent is reviewed and approved by the authorised personnel (as per the limits set out in the approved Authority Matrix), signifying the need to procure material. The Authority Matrix is entered in the ERP system in the Access Control List (ACL). 2. Indents without specifications are treated as incomplete, since quotations cannot be obtained for them.
Control Owner: As per company policy
Test Performed: 1. Check that the indents are approved in accordance with the Authority Matrix. 2. System walkthrough to check for indents without specification.
Attributes tested: 1. Approvals for indent 2. Access control list
Sample size: 1. System walkthrough for approval procedure and specification.
Data analytics performed: Analyse purchase requisition transactions to identify the following: 1. Incomplete or incorrect details in the PR. 2. PRs backdated or raised after ordering. 3. PRs created for quantity in excess of the budgeted amount. 4. Requisition quantity in excess of the average consumption or in spite of high inventory levels. 5. Open PRs not reviewed and closed.
Control Description: In case the capital items are rejected by the Quality Control department or shop floor, the reasons for the same are reviewed to ensure that the rejection was not due to incorrect specifications mentioned on the indent. Project activities are rejected by the quality department if a wrong item is utilised against the specified BOM item.
Control Owner: As per company policy
Test Performed: 1. Check the material rejection list and whether rejections are due to incorrect specifications. 2. Check the specification of items in the indent and PO and compare them with the BOM specifications.
Attributes tested: Capital item specifications mentioned properly with complete description
Sample size: 1. Rejection report along with reasons.
Risk: Indents / PRs are not used when purchasing capital items.
Control Description: All supporting documents (indents, vendor quote analysis sheet, vendor quotes, etc.) are reviewed at the time of PO approval by authorised personnel (as per the approved Authority Matrix).
Control Owner: As per company policy
Test Performed: 1. Check the PO review and approval process. Check that the PO is supported with a duly approved indent.
Attributes tested: Supporting documents (including indents)
Sample size: 30 POs or as per business need
Data analytics performed: Analyse capital PO records against indent records to verify each order is supported by an indent.
Sub-process: Vendor Selection and Master Management
Risk: The contractor chosen is not competent, resulting in inferior quality in execution of projects.
Control Description: A defined process for vendor evaluation and approval exists and includes the following: - technical and commercial evaluation by cross-functional teams, - approval authority, - single vendor justification, e.g., for imports or critical items, OEM items, including the party in the approved vendor list.
Control Owner: As per company policy
Test Performed: 1. Check the approval of the plan for technical evaluation and the supporting documents thereof. 2. Check approval for commercial evaluation and the supporting documents thereof. 3. Check justification for exceptions, if any. 4. See the overall approval.
Attributes tested: 1. Approvals for evaluations 2. Supporting documents for evaluations
Sample size: 30% of new vendors or 10, whichever is higher
Data analytics performed: 1. Analyse the vendor list of the current year vis-à-vis the previous year to identify the addition of new vendors to increase competition. 2. Analyse whether a sufficient number of vendors were identified for each type of capital work to get the best competitive rates. 3. Check whether quotations were asked from incompetent vendors on a regular basis in order to give the contract to desired parties.
Risk: Incomplete / inaccurate vendor records.
Control Description: 1. The vendor account creation form contains the key details of the vendor, i.e., name, PAN, address, contact details, GST registration details, bank account, place of business, MSME certificate, turnover details for e-invoicing, etc. 2. Mandatory fields are defined in the system, without which a vendor code cannot be created in the system.
Control Owner: As per company policy
Test Performed: 1. Check the approved format for vendor account creation; all requests should be received in that format only. 2. Check that complete details of vendors are filled in that format, along with fields that are not applicable in any case. 3. Check system controls to avoid duplication at code level, PAN and GST level, and address and contact level.
Attributes tested: 1. Approved format for creation/alteration 2. Completeness and accuracy
Sample size: 30% of new vendors or 10, whichever is higher.
Data analytics performed: Analyse the vendor database for any duplicate vendor records and the corresponding purchase/payment transactions with such codes.
Risk: Selection of an inappropriate vendor.
Control Description: 1. Market research is carried out from time to time to identify prospective contractors for the required capital item. 2. Appropriate due diligence and financial background checks are performed as per the approved checklist, and the contractor is added to the approved list after due approval. 3. Contractors who do not participate in the bidding process are reviewed and removed after obtaining NOC. 4. The contractor is selected on the basis of pre-qualification and merit. After selection of the vendor, the list is approved by the designated authority before quotation.
Control Owner: As per company policy
Test Performed: 1. Check the list of pre-qualified contractors for the different types of capital requirements of the organisation. 2. Check the due diligence process is followed and the financial background is checked as per the checklist. 3. Check the frequency of updating the list and identification of non-responsive bidders. 4. Check approval of the designated authority for the vendors selected for quotation.
Attributes tested: Management review and approval mechanism to identify prospective contractors.
Sample size: Select 2 contractors from each major category of projects and capital items, or as per business need.
Data analytics performed: 1. Analyse that the vendor list is updated by the company on a frequent basis and has sufficient vendors who actively participate in bidding. 2. Check that the company is not dependent on a few vendors for quotations.
Control Description: 1. An open tender system is followed for high-value transactions or critical items as per the organisation policy, inviting all possible vendors for the indented procurement. 2. Limited tender requests for quotation are given to the pre-approved vendors for selected categories of capital items or for value below the defined limit as per the organisation policy.
Control Owner: As per company policy
Test Performed: 1. Check open tendering is used by the company for high-value transactions or critical items. 2. For other items, check limited tender requests are sent to all approved vendors. 3. Check the method used for open tendering, i.e., number of advertisements in different newspapers, coverage area and different languages, to create competition among vendors. 4. Check NOCs are obtained from vendors who did not send a quote, to confirm they received the quote request but chose not to participate.
Attributes tested: Tendering as per the policy of the company.
Sample size: PO records
Data analytics performed: Analyse ERP open tender and limited tender data and verify tendering is done as per the policy of the company.
Control Description: Standard Request for Quotation / tender documents are prepared and circulated to all parties for inviting quotations as per the organisation policy.
Control Owner: As per company policy
Test Performed: 1. Check the standard format of request is approved and used by the tender department. 2. Check changes are not made by anyone other than through an addendum after approval. 3. Quotations provided in other than the standard format should be rejected.
Attributes tested: Standard format used for tender/quotation
Sample size: For 5 major tenders and 5 major RFQ processes, or cover 50% of tenders, whichever is higher
Data analytics performed: NA
Control Description: 1. Technical criteria are defined in the bids as per the requirement of the user department and approved by the HOD purchase. 2. Marks should be allotted to bidders on the basis of technical qualifications and no deviation is allowed.
Control Owner: As per company policy
Test Performed: 1. Check technical criteria for selection of vendors are defined in the bids, matched with the requirement as specified by the user department, and approved by the HOD. 2. Check technical qualification documents are provided and marks are allocated to bidders accordingly. 3. Check for any deviation from the technical qualification, and verify whether approval was obtained from the designated authority.
Attributes tested: 1. Defining of technical criteria 2. Deviation approval
Sample size: For 5 major tenders and 5 major RFQ processes, or cover 50% of tenders, whichever is higher.
Data analytics performed: Analyse the tracker to verify technical qualification, financial qualification and other details are obtained and considered for all bidders. Report exceptions and check deviation approval is obtained.
Risk: Possibility of vendor favouritism.
Control Description: The same timelines and processes are followed for all parties, and deviations are approved by the designated authority, except for procurement of low value / select categories as per the procurement policy.
Control Owner: As per company policy
Test Performed: 1. Check the bidding documents and process to verify the timeline and process are common for all tendering parties. 2. In case of deviation, check approval is obtained from the designated authority.
Attributes tested: 1. Same and timely process for all parties 2. Deviation approval
Sample size: For 5 major tenders and 5 major RFQ processes, or cover 50% of tenders, whichever is higher.
Data analytics performed: Analyse the time tracker of: - submission of technical and financial qualification documents and approval thereof; - submission of financial bids and approval; - to verify all processes are time-bound for all vendors. Report exceptions and check deviation approval for the same.
Risk: Selection of an inappropriate contractor or high-cost procurement of capital goods.
Control Description: 1. A comparative quotation analysis sheet is drawn up before purchases are authorised. 2. If the lowest quotation is not accepted, appropriate justification is documented and approved by the designated authority. 3. Quotations are opened and registered, and a comparative chart is prepared and authorised. 4. Quotations are opened in the presence of the tendering committee only for the technically qualified bidders.
Control Owner: As per company policy
Test Performed: 1. Check whether the comparative sheet is prepared or not. 2. Check justification and approval in case of selection of other than the lowest bidder. 3. Check whether quotations are opened and registered, and the comparative is approved by authorised persons. 4. Check quotations are opened in the presence of the tendering committee for technically qualified bidders and signed off by them. 5. Even where the order is given to the lowest bidder, check whether the earlier project was performed within time and approved cost (check the previous history of the vendor).
Attributes tested: 1. Approval of comparative sheet 2. Deviation approval 3. Signing by tender committee.
Sample size: For 5 major tenders and 5 major RFQ processes, or cover 50% of tenders, whichever is higher.
Data analytics performed: NA
Control Description: An approval note with all relevant justifications is documented for the selected vendor and the same is approved by the designated authorities as per the Delegation of Authority. Adequate approval from the Board of Directors is in place for purchasing from related parties.
Control Owner: As per company policy
Test Performed: 1. Check the justification is prepared and approved by the designated authority. 2. Check all justification is supported by evidence, i.e., projects delivered in the past. 3. Check the justification given in the approval note. Verify the justification against the actual work performed by the vendor during the audit period or the record of previous work performed by the same vendor.
Attributes tested: Approval note with justification to select the vendor
Sample size: For 5 major tenders and 5 major RFQ processes, or cover 50% of tenders, whichever is higher.
Data analytics performed: Analyse the justification given in the approval note against the actual work performed by the vendor, or previous work performed, from ERP records: 1. Quality rejection 2. Timely delivery 3. Qualitative delivery
Risk: Non-compliance with the requirements of the Companies Act and other regulations.
Control Description: 1. Adequate approval from the Board of Directors is in place for purchasing from related parties. 2. Disclosure of related parties and of purchases from related parties is ensured. 3. Adequate documentation is in place to justify appropriate pricing of purchases from related parties.
Control Owner: As per company policy
Test Performed: 1. Check BOD approval is obtained in case of related party purchases. 2. Check the disclosure note given in the financial statements. 3. Check justification is documented for purchases from related parties.
Attributes tested: BOD approval and justification
Sample size: All related party purchases
Data analytics performed: Analyse ERP data to check the rates of other vendors with the same scope as the related parties, to verify whether transactions are performed on an arm's length basis or not.
Risk: System controls may not be implemented for modification at RFQ level, quotation level and approval level, which may lead to unauthorised purchases.
Control Description: 1. The system does not allow raising an RFP without an approved requisition in place. 2. All vendor quotations and bids are locked against modification and opened in the presence of designated authorities. 3. The selected party is identified and locked in the system after all approvals as per the requirements of the Delegation of Authority. 4. The system does not allow backdating / modifying any information once the process is completed.
Control Owner: As per company policy
Test Performed: 1. Do a system walkthrough for RFQ without an approved requisition. 2. System walkthrough for modification in quotations and locking of identified parties. 3. Check the rates of vendors in the final comparison sheet match the rates in the individual quotes. 4. Verify all approved vendors against the final vendor comparison list. 5. A change log must be available for all modifications and reviewed by an authorised person.
Attributes tested: System control for modification at RFQ level, quotation level, identified vendor and other information.
Sample size: System walkthrough. Verify the final comparison sheet against individual quotes.
Data analytics performed: Analyse the final rates for all vendors in the ERP or other software against the original rates quoted by each individual vendor to identify differences.
Risk: Unauthorised updates / alterations may be made to the vendor master.
Control Description: 1. Updates (additions / alterations) to the vendor master data are done only with the approval of authorised persons, on the basis of a requisition in the proper format from users. 2. Also, the access to make additions / alterations to the vendor master is restricted to personnel authorised as per the approved Authority Matrix. The Authority Matrix is entered in the Access Control List (ACL) in the systems. (Normally addition/alteration rights are provided to IT.)
Control Owner: As per company policy
Test Performed: 1. Check the ACL is as per the approved Authority Matrix. 2. Check that the person making the addition/alteration is authorised to do so. 3. Verify vendor creation/alteration forms are approved by authorised persons.
Attributes tested: 1. Approvals for addition / alteration 2. ACL
Sample size: 40% of additions/alterations or 20, whichever is higher.
Data analytics performed: Analyse transactions carried out in vendor master data during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person.
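The two analytics asked for here and in the Segregation of Duties and indent-approval rows earlier in this checklist (unauthorised users performing transactions, and conflicting rights granted to the same person) share one routine, so one added example serves them all. It is written for this edition and is not code from the checklist's authors or from any ERP vendor. It compares a constructed ACL export against a constructed transaction log; the right names, the conflict matrix and the maker/checker pairs are assumptions standing in for the entity's own Authority Matrix.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed ACL export: user -> rights granted in the ERP (hypothetical right names).
ACL: Dict[str, Set[str]] = {
    "asha": {"INDENT_RAISE"},
    "ravi": {"INDENT_RAISE", "INDENT_APPROVE"},   # maker and checker rights on indents
    "meena": {"PO_CREATE"},
    "cfo": {"PO_APPROVE", "PAYMENT_RELEASE"},
    "it_admin": {"VENDOR_CREATE", "VENDOR_MODIFY"},
}

# Conflict matrix assumed for the example: pairs of rights one person should not hold.
CONFLICTS: List[FrozenSet[str]] = [
    frozenset({"INDENT_RAISE", "INDENT_APPROVE"}),
    frozenset({"PO_CREATE", "PO_APPROVE"}),
    frozenset({"VENDOR_CREATE", "PAYMENT_RELEASE"}),
    frozenset({"VENDOR_MODIFY", "PO_APPROVE"}),
]

# Maker action -> checker action that must come from a different user on the same document.
MAKER_CHECKER: Dict[str, str] = {"INDENT_RAISE": "INDENT_APPROVE", "PO_CREATE": "PO_APPROVE"}

# Constructed transaction log: (user, action, document reference).
LOG: List[Tuple[str, str, str]] = [
    ("asha", "INDENT_RAISE", "IND-001"),
    ("ravi", "INDENT_APPROVE", "IND-001"),
    ("ravi", "INDENT_RAISE", "IND-002"),
    ("ravi", "INDENT_APPROVE", "IND-002"),   # raised and approved by the same person
    ("meena", "PO_CREATE", "PO-9001"),
    ("meena", "PO_APPROVE", "PO-9001"),      # action performed without the right in the ACL
    ("cfo", "PO_APPROVE", "PO-9002"),
    ("it_admin", "VENDOR_CREATE", "V-1001"),
]


def conflicting_rights(acl: Dict[str, Set[str]],
                       conflicts: List[FrozenSet[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Users holding both halves of any conflict pair, with the pairs they hold."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for user, rights in acl.items():
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= rights]
        if hits:
            out[user] = hits
    return out


def unauthorised_transactions(acl: Dict[str, Set[str]],
                              log: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Log entries whose action is not among the user's granted rights."""
    return [(u, a, ref) for u, a, ref in log if a not in acl.get(u, set())]


def self_approvals(log: List[Tuple[str, str, str]],
                   maker_checker: Dict[str, str]) -> List[Tuple[str, str]]:
    """(user, document) pairs where one user performed both the maker and checker action."""
    actions: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for u, a, ref in log:
        actions[(u, ref)].add(a)
    out = []
    for (u, ref), acts in actions.items():
        if any(m in acts and c in acts for m, c in maker_checker.items()):
            out.append((u, ref))
    return sorted(out)


if __name__ == "__main__":
    print("conflicting rights:", conflicting_rights(ACL, CONFLICTS))
    print("unauthorised:", unauthorised_transactions(ACL, LOG))
    print("self-approvals:", self_approvals(LOG, MAKER_CHECKER))
```

The third check matters even when the ACL is clean: a user can be granted only non-conflicting rights yet still act as both maker and checker on one document if the ERP does not enforce the four-eyes rule per document, which is why the log is tested as well as the ACL.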
Inaccurate Recorded As per 1. Check 1. 40% of Analyse
updation of changes in company that Supporting alteration vendor
the vendor the policy information documents or 20 master
master supplier so entered 2. whichever data to
data. master file is reviewed Approvals is higher. validate
are and following:
compared authorised.
to 2. Check 1.
authorized with Matching
source supporting of PAN
documents document with GST
by that the 2. GST no.
authorize information with state
person to has been code
ensure that Completely 3. Length
they were & of PAN and
entered Accurately GSTIN
accurately. entered. 4. Length
of mobile
number
3. Check
bank
account
no.
provided or
not.

Analyse
Vendor
Database
is
comprehen
sive, and
all vendor
details are
complete
and
accurate –
viz, Name,
PAN,
Address,
Contact

323
Internal Audit Checklist

Final Sub- Risk Control Control Test Attributes ` Data


process Descriptio Owner Performed tested analytics
n performed
Details,
GST
registration
details,
place of
business,
etc.
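As an added example (not code from the checklist), the vendor master checks listed above, PAN/GSTIN matching, GST state code, field lengths and completeness, as a Python routine run over three constructed vendor records; the field names and the sample records are assumptions.

```python
import re

# Constructed example: vendor master validation checks from the checklist
# (PAN/GSTIN matching, GST state code, field lengths, completeness).
# Field names and sample records are assumptions, not from any real ERP.

PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")  # 10-character PAN, e.g. ABCDE1234F
# GSTIN layout: 2-digit state code + 10-character PAN + entity code + 'Z' + check character
GSTIN_RE = re.compile(r"^[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z][0-9A-Z]Z[0-9A-Z]$")

REQUIRED_FIELDS = ("name", "pan", "address", "mobile", "gstin",
                   "state_code", "place_of_business", "bank_account")


def validate_vendor(vendor):
    """Return the list of exceptions for one vendor master record (empty list = clean)."""
    findings = []
    # Completeness: every critical field must be populated
    for fld in REQUIRED_FIELDS:
        if not str(vendor.get(fld, "")).strip():
            findings.append(f"missing {fld}")

    pan = str(vendor.get("pan", "")).strip().upper()
    gstin = str(vendor.get("gstin", "")).strip().upper()
    state = str(vendor.get("state_code", "")).strip()
    mobile = re.sub(r"\D", "", str(vendor.get("mobile", "")))  # keep digits only

    # Length checks named in the checklist: PAN (10), GSTIN (15), mobile (10)
    if pan and len(pan) != 10:
        findings.append(f"PAN length {len(pan)} != 10")
    elif pan and not PAN_RE.match(pan):
        findings.append("PAN format invalid")
    if gstin and len(gstin) != 15:
        findings.append(f"GSTIN length {len(gstin)} != 15")
    elif gstin and not GSTIN_RE.match(gstin):
        findings.append("GSTIN format invalid")
    if mobile and len(mobile) != 10:
        findings.append(f"mobile length {len(mobile)} != 10")

    # Cross-field consistency: the GSTIN must embed the vendor's PAN and
    # its first two digits must match the state code held in the master
    if len(pan) == 10 and len(gstin) == 15 and gstin[2:12] != pan:
        findings.append("GSTIN does not embed vendor PAN")
    if len(gstin) == 15 and state and gstin[:2] != state:
        findings.append(f"GSTIN state code {gstin[:2]} != vendor state code {state}")
    return findings


def review_vendor_master(vendors):
    """Run the checks over the whole master; returns {vendor_code: findings} for exceptions only."""
    report = {}
    for code, record in vendors.items():
        findings = validate_vendor(record)
        if findings:
            report[code] = findings
    return report


# Constructed sample master: one clean record and two with defects
VENDORS = {
    "V001": {"name": "Alpha Tools Pvt Ltd", "pan": "ABCDE1234F",
             "gstin": "27ABCDE1234F1Z5", "state_code": "27",
             "mobile": "9876543210", "address": "Plot 4, MIDC",
             "place_of_business": "Pune", "bank_account": "123456789012"},
    "V002": {"name": "Beta Castings", "pan": "ABCDE1234F",
             "gstin": "29PQRSX5678L1ZB", "state_code": "27",    # PAN and state mismatch
             "mobile": "9123456780", "address": "12 Industrial Estate",
             "place_of_business": "Bengaluru", "bank_account": "000123456789"},
    "V003": {"name": "Gamma Fabricators", "pan": "ABCDE123",     # short PAN
             "gstin": "27ABCDE1234F1Z5", "state_code": "27",
             "mobile": "98765", "address": "",                   # short mobile, no address
             "place_of_business": "Nashik", "bank_account": ""}, # no bank account
}

if __name__ == "__main__":
    for code, findings in review_vendor_master(VENDORS).items():
        print(code, "->", "; ".join(findings))
```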
Risk: Audit logs for changes in vendor master data may not be available and reviewed; this leads to unauthorised changes.
Control Description: Requests to change the supplier master file are logged; the log is reviewed to ensure that all requested changes are processed timely.
Control Owner: As per company policy
Test Performed: 1. Check the requests log to ensure that there are no long pending change requests.
Attributes tested: 1. Outstanding list in Request log.
Sample: 1. Request log
Data analytics performed: NA

Risk: Critical vendor data is not complete and up to date in master data.
Control Description: 1. Vendors are classified correctly as MSME or not in master data and updations are done on a yearly basis. MSME certificates are obtained on a yearly basis. 2. A list of vendors who have to do E-Invoicing is prepared and bills are processed accordingly.
Control Owner: As per company policy
Test Performed: 1. Mails sent to vendors for MSME and turnover declaration. 2. Vendors' declarations received and vendor updation done on the basis of the declaration. 3. E-invoicing by specified vendors done or not.
Attributes tested: 1. MSME and E-invoicing Vendor listing.
Sample: 20% of capital vendors
Data analytics performed: NA

Control Description: Requests to change supplier master file data are submitted on pre-numbered forms; the numerical sequence of such forms is accounted for to ensure that all requested changes are processed timely.
Control Owner: As per company policy
Test Performed: 1. Check the requests log to ensure that there are no missing request numbers. Alternatively, there should be a number cancellation note on the log.
Attributes tested: 1. Sequence of the request forms used.
Sample: 1. Request log
Data analytics performed: NA

Control Description: Supplier master file data is periodically reviewed by management for accuracy and ongoing pertinence.
Control Owner: As per company policy
Test Performed: 1. Check the evidence of the management review.
Attributes tested: 1. Management review of supplier master file.
Sample: Management sign-off or approval
Data analytics performed: NA

Risk: Risk of conflict of interest of vendor.
Control Description: 1. As per the Company's Code of Conduct, the employees are mandated to inform the concerned HOD / Superior where a conflict of interest exists. 2. Employees are required as per the Code of Conduct to certify compliance with the policy on an annual basis. 3. Also, the vendors are required to inform, as per the standard terms and conditions printed on the PO, if they have any relations with employees in the organisation.
Control Owner: As per company policy
Test Performed: 1. Check the employee declarations for compliance with ethical standards. 2. Check the vendor acknowledgements in the PO.
Attributes tested: 1. Declarations by vendors and by the employees.
Sample: 1. Certifications from 30% of employees. 2. Acknowledgement from 20% of vendors, or vendors having 60% of business with the company.
Data analytics performed: NA

Risk: One-time vendors are not subjected to the same controls as other vendors.
Control Description: 1. There is an option of ticking a "One time flag" which needs to be updated at the time of vendor creation. As a result, the vendor gets deactivated after placing one PO. 2. A specific vendor code is used for creating one-time vendors (e.g. 1000 for domestic and 1100 for import).
Control Owner: As per company policy
Test Performed: 1. Check by creating a dummy PO whether a vendor flagged as a One-time vendor can be reused. 2. Obtain a list of One-time vendors and compare it with the PO Records to check whether one-time vendors have been used more than once.
Attributes tested: 1. Field validation to use the code one time only.
Sample: 1. List of one-time vendors 2. PO Records 3. System walkthrough
Data analytics performed: Analyse ERP records for POs with the pre-defined one-time vendor code and identify whether more than one PO has been raised with the one-time code for the same vendors.

Risk: Contractor performance not reviewed periodically.
Control Description: 1. Performance Appraisal of vendors is done once a year for long term PO / Contract and quarterly for short term PO / Contract. 2. Based on the evaluation, the Approved contractor list is updated. Respective departments are responsible for doing the contractor appraisals. 3. Based on the same and subsequent discussions with the respective department, the purchases department accordingly revises the approved contractor list.
Control Owner: As per company policy
Test Performed: 1. Verify whether the contractor appraisals have been done annually and quarterly as the case may be. Verify the department wise list of vendors and total appraisals done during the audit period by each department. 2. Verify updation of the approved contractors' list on the basis of appraisal; check that the list is updated on the basis of appraisal only. 3. Mails sent to contractor management on the basis of performance analysis to take action, otherwise remove it from the approved vendor list.
Attributes tested: 1. Contractor Performance evaluation and appraisal. 2. Same for quarterly appraisal.
Sample: 1. For annual appraisal, check appraisal of 30% of contractors or 15, whichever is higher.
Data analytics performed: Analyse PO records with GRN records to identify, vendor wise: - Cases of quality rejection - Cases of late delivery against PO terms - Cases of less quantity delivered against PO quantity; to ascertain: 1. Vendors with low performance evaluation having a high share of business 2. Action taken against regular default vendors.

Risk: Dummy / inactive / unsatisfactory performance contractor exists.
Control Description: 1. Contractors that have not been used for a significant period of time are reviewed by the purchase team and marked for deletion in the application, if appropriate. 2. Ensure contractors are timely blacklisted wherever required for unsatisfactory performance as per the defined policy. 3. Capital vendors are required even after 4, 5 or 10 years for spare parts and OEM items. So, approval is obtained from the user department before removal. 4. Vendors who are not engaged with the organisation for a long period are restricted for award of contract.
Control Owner: As per company policy
Test Performed: 1. Compare the active vendor listing (VLOOKUP) with the PO listing for the year. 2. Scrutinise the vendor Records for vendors with common / dummy names or details. 3. Unsatisfactory vendors are removed after performance evaluation or not. 4. User department approval for removal of capital vendor. 5. Check vendors that are in master data but with whom work or transactions could not be performed due to restriction or blockage. 6. Check the process to obtain updated KYC documents if vendors are used after the defined period.
Attributes tested: 1. Dummy / Inactive vendor accounts
Sample: 1. Active vendor listing 2. PO Records 3. List of Performance evaluation reports
Data analytics performed: Analyse Vendor master data vs capital POs of 4-5 years to ascertain the following: 1. Blocking of vendors or not with whom the organisation had no transactions. 2. Restriction on use of the vendor code for non-submission of updated KYC documents, if not blocked.

Final Sub-process: Ordering
Risk: Department approval may not be obtained before raising an indent for a capital item.
Control Description: 1. Project approval is approved by the department along with complete details of projection, cash inflow, cash outflow, payback period. 2. Customer approval for go-ahead is obtained on the project, if needed. 3. BOD or designated authority has approved the project and provided go-ahead for further feasibility.
Control Owner: As per company policy
Test Performed: 1. Check whether approval of the marketing team along with the customer was obtained before raising the indent. 2. Whether approval is sought from BOD or designated authority.
Attributes tested: 1. Marketing analysis along with customer approval. 2. BOD or designated authority approval.
Sample: 15 project approvals: 5 top, 5 medium, 5 lower
Data analytics performed: NA

Risk: Project feasibility study may not be done by the project team; this leads to wastage of money if the project cannot be executed effectively at a later stage.
Control Description: 1. Project team has done the project feasibility study and evaluated technical capability, commercial aspects and capacity. 2. Accordingly, the project team has prepared a cost sheet of in-house development of tools or of purchase from a third party and obtained approval from management.
Control Owner: As per company policy
Test Performed: 1. Check whether a feasibility study with complete details and approval from the project side is obtained. 2. Comparative cost sheet of tool development in-house or by a third party is approved from the management side. 3. Check the differential cost of in-house development or purchase from a third party and calculate its impact for the full year. (Check the reason, i.e. capacity, technical staff, technology issue.)
Attributes tested: 1. Feasibility study or not 2. Comparison sheet for in-house development and third-party purchase approval.
Sample: 15 projects' Feasibility study and comparison sheet: 5 top, 5 medium, 5 lower
Data analytics performed: NA

Risk: Inadequate number of contractors are identified for RFQ.
Control Description: 1. Approver checks for sufficiency of quotations before approving the PO. 2. Justification for deviation from purchase policy is mentioned as remarks, which is also reviewed by the approver before the PO is approved.
Control Owner: As per company policy
Test Performed: 1. Check for compliance with the purchase policy for identification of contractors for RFQ. 2. Check whether, in case the requisite number of contractors were not available, the due escalation procedure was followed. 3. Ask the reason for significant change in rates of products. Check the reason and approval of the higher price.
Attributes tested: Number of contractors vis-à-vis the requirement of purchase policy.
Sample: Select items, contractors and corresponding POs to cover each item category and 90% of major item contractors. (Cover at least 60-120 POs or more depending on quantum of business.)
Data analytics performed: 1. Analyse whether the vendor list is updated by the company on a frequent basis and has sufficient vendors who actively participate in bidding. 2. Check that the company is not dependent on a few vendors for quotation purposes.
Control Description: All POs are required to be approved in accordance with the approved authority matrix. The Authority Matrix specifies the expenditure limits of the relevant personnel and has been entered into the relevant software.
Control Owner: As per company policy
Test Performed: 1. Check the approvals for the PO as per the Authority Matrix. 2. In case the approvals are not as per the authority matrix, ratification / justification for the same needs to be checked.
Attributes tested: Prepare, Review and Approval of purchase order
Sample: Cover all item categories and approval matrix which combinedly cover more than 30% of capital purchase.
Data analytics performed: Analyse transactions carried out in the vendor master during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to the same person. Also analyse purchases on the same or nearby dates to identify cases of splitting of POs to override the authority matrix.
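An added example (not the checklist's own code) of the data analytics described for this control, run over a constructed PO register, ACL and authority matrix; the role names, limits, right names and sample POs are assumptions. It flags approvals beyond the approver's limit, users holding both create and approve rights, self-approved POs, and POs to one vendor on nearby dates that individually fit but together exceed the approver's limit.

```python
from collections import defaultdict
from datetime import date

# Constructed example: PO approval analytics against an authority matrix and ACL.
# Role names, limits, right names and the sample POs are assumptions.

# Authority matrix: role -> maximum PO value the role may approve
AUTHORITY_MATRIX = {"buyer": 0, "purchase_manager": 500_000, "cfo": 5_000_000}

# ACL as extracted from the ERP: user -> (role, set of transaction rights)
ACL = {
    "asha":  ("buyer",            {"PO_CREATE"}),
    "ravi":  ("purchase_manager", {"PO_APPROVE"}),
    "meera": ("cfo",              {"PO_APPROVE"}),
    "kiran": ("purchase_manager", {"PO_CREATE", "PO_APPROVE"}),  # conflicting rights
}

# PO register for the review period (constructed)
PO_REGISTER = [
    {"po": "PO1001", "vendor": "V001", "amount": 300_000, "created_by": "asha",
     "approved_by": "ravi", "date": date(2024, 4, 2)},
    {"po": "PO1002", "vendor": "V001", "amount": 350_000, "created_by": "asha",
     "approved_by": "ravi", "date": date(2024, 4, 3)},   # with PO1001: 650k to V001 in 2 days
    {"po": "PO1003", "vendor": "V002", "amount": 900_000, "created_by": "asha",
     "approved_by": "ravi", "date": date(2024, 4, 10)},  # above ravi's limit
    {"po": "PO1004", "vendor": "V003", "amount": 200_000, "created_by": "kiran",
     "approved_by": "kiran", "date": date(2024, 4, 12)}, # created and approved by same user
    {"po": "PO1005", "vendor": "V004", "amount": 4_000_000, "created_by": "asha",
     "approved_by": "meera", "date": date(2024, 5, 1)},
]


def approval_limit(user, acl, matrix):
    """Approval limit for a user per the authority matrix (0 if the user cannot approve)."""
    role, rights = acl.get(user, (None, set()))
    return matrix.get(role, 0) if "PO_APPROVE" in rights else 0


def conflicting_rights(acl):
    """Users granted both create and approve rights (segregation of duties conflict)."""
    return sorted(u for u, (_, rights) in acl.items() if {"PO_CREATE", "PO_APPROVE"} <= rights)


def unauthorised_approvals(pos, acl, matrix):
    """POs approved by a user lacking the right or above the user's limit."""
    return [p["po"] for p in pos if p["amount"] > approval_limit(p["approved_by"], acl, matrix)]


def self_approved(pos):
    """POs where the creator is also the approver."""
    return [p["po"] for p in pos if p["created_by"] == p["approved_by"]]


def split_po_candidates(pos, acl, matrix, window_days=7):
    """POs to one vendor, approved by one user within window_days, each within the
    approver's limit but together above it: a pattern consistent with PO splitting."""
    groups = defaultdict(list)
    for p in pos:
        groups[(p["vendor"], p["approved_by"])].append(p)
    found = []
    for (vendor, approver), items in groups.items():
        limit = approval_limit(approver, acl, matrix)
        items.sort(key=lambda p: p["date"])
        for i, first in enumerate(items):
            cluster = [q for q in items[i:] if (q["date"] - first["date"]).days <= window_days]
            total = sum(q["amount"] for q in cluster)
            if len(cluster) > 1 and total > limit and all(q["amount"] <= limit for q in cluster):
                found.append({"vendor": vendor, "approver": approver,
                              "pos": [q["po"] for q in cluster], "total": total})
    return found


if __name__ == "__main__":
    print("conflicting rights:", conflicting_rights(ACL))
    print("unauthorised approvals:", unauthorised_approvals(PO_REGISTER, ACL, AUTHORITY_MATRIX))
    print("self-approved:", self_approved(PO_REGISTER))
    print("split candidates:", split_po_candidates(PO_REGISTER, ACL, AUTHORITY_MATRIX))
```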
Risk: POs raised with wrong quantity / rates / payment terms, etc.
Control Description: 1. PO is prepared by the designated person and is reviewed and approved by the person so authorised as per the Authority Matrix. 2. The reviewer verifies the details in the PO with the supporting documents. 3. Access to create and approve POs is given to different users in the system.
Control Owner: As per company policy
Test Performed: 1. Check that the PO is supported with a duly approved indent. 2. Check that the PO is approved as per the Authority Matrix. 3. Check that creating and approving rights are with different persons.
Attributes tested: 1. Quantity as per indent vis-à-vis PO 2. Approval for the PO
Sample: Cover all capital item categories and approval matrix which combinedly cover more than 50% of capital purchase.
Data analytics performed: NA

Risk: POs do not contain accurate information.
Control Description: All supporting documents (Indents / vendor quote, analysis sheet, etc.) are reviewed at the time of PO approval by authorised personnel (as per the approved Authority Matrix).
Control Owner: As per company policy
Test Performed: 1. Check the PO review and approval process. 2. Check that the PO is supported with a duly approved indent. 3. Check the accuracy of the PO and verify it with the customer source document and the management approval process of the project.
Attributes tested: Supporting documents (including indents)
Sample: Cover all capital item categories and approval matrix which combinedly cover more than 30% of capital purchase.
Data analytics performed: NA

Control Description: All POs are required to be approved by the authorised personnel (as per the limits set out in the approved Authority Matrix), signifying correctness and accuracy thereof. The Authority Matrix is entered in the ERP system in the Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that the POs are approved in accordance with the Authority Matrix. 2. Check that a PO cannot be created in the absence of an approved authoriser.
Attributes tested: 1. Approvals 2. ACL
Sample: Cover all capital item categories and approval matrix which combinedly cover more than 30% of capital purchase.
Data analytics performed: Analyse transactions carried out in purchase records during the review period to identify the following: 1. Unauthorised users performing transactions 2. Conflicting transaction rights granted to the same person.

Risk: PO prices are not competitive.
Control Description: The ERP system requires the PO approving authority to review vendor quotes at the time of approving the PO.
Control Owner: As per company policy
Test Performed: 1. Check the price fluctuations for the same items during the audit period. 2. Check that the PO is supported with duly approved quotes. 3. Check that the PO is approved as per the Authority Matrix.
Attributes tested: 1. Supporting documents 2. Price fluctuations within the audit period.
Sample: 1. PO Records 2. All cases of deviation in rates
Data analytics performed: Analyse ERP data for review of vendor quotes by the appropriate authority before approval of the PO.

Control Description: The purchase policy of the company requires obtaining a certain minimum number of quotations before placing the order. In case the specified number of quotes is not available, the escalation procedure specified in the purchase policy needs to be followed.
Control Owner: As per company policy
Test Performed: 1. Check that the specific number of quotes required as per the purchase policy is obtained. 2. Check that in case of exceptions, the escalation procedure as per the policy is followed.
Attributes tested: Sufficient quotes obtained or not
Sample: Cover at least 30-50 POs or more depending on quantum of business.
Data analytics performed: Analyse ERP data for the number of quotations and compare it with the purchase policy to identify exceptions. Verify exception approval for an insufficient number of quotes.

Risk: Change orders are not authorised.
Control Description: If the terms of an approved PO are altered for price and scope, the system automatically sends the PO back to the pre-approval stage. Original PO terms are reviewed regarding provision for change due to change in price and scope.
Control Owner: As per company policy
Test Performed: 1. Check by raising a dummy PO, getting it approved and then altering it. 2. Check by review of the audit trail report in ERP whether any PO has been modified after approval. 3. Changes should be possible only if the original PO permits changes.
Attributes tested: Price and scope alteration of the original order
Sample: Audit trail report, and select 20 change order samples
Data analytics performed: Analyse change order records during the review period to identify the following: 1. Unauthorised users performing transactions 2. Conflicting transaction rights granted to the same person.

Control Description: 1. The purchase policy of the company requires that in case of a change in order, it needs to be re-approved / re-processed as if it were a new PO. 2. An amendment number must be provided in the change order for the trail log of the old PO.
Control Owner: As per company policy
Test Performed: 1. Check whether a PO wherein the price has been altered has been re-approved as per the Authority Matrix. 2. Check the amendment no. shown in the PO after the price change.
Attributes tested: Price and scope alteration of the original order
Sample: 15 POs or 60% of change orders, whichever is lower.
Data analytics performed: Analyse ERP original POs with change orders due to price revision and check for significant impact on budget.

Control Description: 1. Changes in orders are approved by the next higher authority (DOA) or by the highest authority, if changes exceed the defined limits. 2. The reason for the change order, with proper justification, must be documented, must show the impact on budget, and must also be approved.
Control Owner: As per company policy
Test Performed: 1. Check whether an authority matrix is defined for change in order. 2. Whether reasons for changes are documented and approved along with the impact on budget.
Attributes tested: 1. Approval matrix for change order. 2. Justification remark with approval.
Sample: 15 POs or 60% of change orders, whichever is lower.

Risk: Unauthorised POs / Contracts
Control Description: All POs are approved as per the Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that the PO is approved as per the Authority Matrix. 2. Check the ACL and confirm that the same is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights
Sample: 1. ACL 2. Authority Matrix 3. 30 POs
Data analytics performed: Analyse transactions carried out in purchase records during the review period to identify the following: 1. Unauthorised users performing transactions 2. Conflicting transaction rights granted to the same person.

Control Description: All supporting documents (Indents / vendor quote analysis sheet / vendor quotes, etc.) are reviewed at the time of PO approval by authorised personnel (as per the approved Authority Matrix).
Control Owner: As per company policy
Test Performed: 1. Check the PO review and approval process. Check that the PO is supported with a duly approved indent.
Attributes tested: Supporting documents (including indents)
Sample: 30 POs
Data analytics performed: NA

Risk: Unfavorable terms and conditions of the purchase order.
Control Description: 1. General terms and conditions, approved by the legal team and forming part of the Agreement / Purchase order / Work order, are pre-printed on the reverse of the PO. 2. Standard terms and conditions are approved by the legal team and form part of the Agreement / Purchase order / Work order.
Control Owner: As per company policy
Test Performed: 1. Check whether the general and standard terms and conditions are approved by Legal and form part of the agreement / purchase order / work order.
Attributes tested: General and Standard PO terms and conditions approval.
Sample: 30 POs / Contracts
Data analytics performed: NA

Control Description: In case of unusual or non-regular contracts, the personnel authorised as per the Authority Matrix to approve the contract are required to obtain the approval of personnel authorised to do so in the Legal department.
Control Owner: As per company policy
Test Performed: 1. Check whether the terms and conditions of unusual or non-regular contracts are approved by authorised personnel in the legal department.
Attributes tested: Approval of terms for customised contracts
Sample: 30 POs / Contracts (unusual and non-regular)
Data analytics performed: NA

Risk: Contracts are not stored / kept in a central safe repository to safeguard the company's interests and to prevent the use of a contract which might be detrimental to the company's interests.
Control Description: 1. All PO / contract copies (active / expired) are maintained with the department. 2. Contracts on stamp paper are stored centrally with designated authorities.
Control Owner: As per company policy
Test Performed: 1. Check the existence of contracts with the designated authority only, and that no other person has access to the same. 2. Stamp paper stored centrally with the designated authority only.
Attributes tested: Existence and storage of contracts
Sample: 1. Check the process of maintaining documents by the buyer / legal department. 2. Check 15 POs on a sample basis.
Data analytics performed: NA

Risk: Contractor and order details are not accurately input in the system.
Control Description: At the time of PO approval, the PO is printed, and the details of the order, contractor and terms of the order are checked for accuracy by the personnel authorised to approve the PO as per the Authority Matrix.
Control Owner: As per company policy
Test Performed: 1. Compare the approved PO with the supporting documents to ensure accuracy of data input.
Attributes tested: Accuracy of data updation
Sample: 30 POs
Data analytics performed: NA

Risk: PO issued after the capital item has been received, or items may have been procured without raising a PO.
Control Description: Receipts for capital items cannot be effected in the ERP system unless the POs exist in the system, i.e., a GRN cannot be prepared in the absence of a PO reference in the ERP system.
Control Owner: As per company policy
Test Performed: 1. Check by raising a dummy receipt where the PO does not exist. 2. Compare the GRNs with the POs to ensure that a PO exists for all goods receipts and the POs are dated prior to the GRN.
Attributes tested: Existence of PO for goods received
Sample: GRN and PO records
Data analytics performed: Analyse GRN records or Gate entry records having transactions of capital purchase to identify: - GRN or gate entry without PO reference. - PO created after gate entry or invoice date. Calculate the value of such purchases during the audit period to show the impact.

Control Description: Vendor invoices cannot be processed in the absence of a PO in the system.
Control Owner: As per company policy
Test Performed: 1. Compare the invoices recorded in vendors' accounts with the PO listing to ensure that a PO is available for the invoices booked.
Attributes tested: Existence of PO for invoices booked
Sample: Vendor-wise Invoice listing
Data analytics performed: Verify ERP data of the asset GL with the asset clearing account to check that assets are routed through the 3-way control system, i.e., PO, GRN and invoice, instead of direct booking.

Risk: In case of projects - Orders not clubbed to save logistics cost.
Control Description: 1. Project Purchases Report is generated monthly and is reviewed by the designated authority to ensure that same location. 2. Procurement requirements are evaluated for scheduling deliveries to reduce logistics / freight and related costs.
Control Owner: As per company policy
Test Performed: 1. Check the receipt of material of projects vis-à-vis locations, date wise and quantity wise. 2. Check the monthly purchases report for evidence of review by the designated authority.
Attributes tested: Planning for possible saving in logistic cost
Sample: GRN records and PO records
Data analytics performed: Analyse purchases on the same or close dates from the same location / city and from the same or different suppliers to calculate the total logistic saving possible during the audit period if transported through the same vehicle.

Risk: In case of project purchases, business share allocation amongst different vendors results in higher procurement prices.
Control Description: All POs are reviewed and approved as per the approved Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that the PO is approved as per the Authority Matrix. 2. Check the ACL and confirm that the same is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights
Sample: 1. ACL 2. Authority Matrix 3. 30 POs
Data analytics performed: Analyse PO records with GRN records to identify, vendor wise: - Cases of quality rejection - Cases of late delivery against PO terms - Cases of less quantity delivered against PO quantity; to ascertain: 1. Vendors with low performance evaluation having a high share of business 2. Action taken against regular default vendors.

Control Description: 1. Purchases MIS is reviewed monthly by a cross functional team of the Heads of Purchases, Finance and Production, and reasons / costs for or due to allocation of procurement among different vendors are analysed. 2. Exceptions, if any, are taken into account at the time of placement of subsequent orders.
Control Owner: As per company policy
Test Performed: 1. Check the monthly purchases MIS for evidence of HODs' review. 2. See the minutes of discussion and check whether the action points have been actioned upon. 3. Check approval of allocation of business among different vendors and check that the same allocation is entered in the system for procurement purposes.
Attributes tested: Monthly MIS review
Sample: MIS for 3 months
Data analytics performed: Analyse whether ERP procurement is as per the approved allocation of business among vendors or not. Analyse the latest quality and delivery reports to recommend a change of share of business among vendors. Calculate losses due to high alloc­ation of business to a high rate vendor even where it provides low quality or late delivery.

Risk: Inadequate segregation of duties – Vendor identified by the user and capital items / services ordered directly by the user from the vendor (including determination of purchase price and other terms and conditions).
Control Description: Adequate segregation of duties (SOD) exists for all capital purchases, which are routed through the buying department, which is different from the user department. The same is ensured in the ERP system through updation of the Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that the user department does not have access to raise a PO, by creating a dummy PO with the id of a purchase department. 2. Check the ACL for existence of SOD.
Attributes tested: Review SOD conflicts
Sample: ACL
Data analytics performed: Analyse ERP data to verify that the ID of the user (Indent) department and the purchase department are different.

Risk: In case of large projects having a life of 2 to 5 years - continued procurement at a higher price even as market prices reduce, not renegotiated with suppliers.
Control Description: Negotiations are conducted with approved vendors on an annual and routine basis so as to reduce the cost of purchase. Also, the quotes are compared for negotiations during the appraisal time of the vendors. This is done by the personnel approved as per the Authority Matrix.
Control Owner: As per company policy
Test Performed: 1. Compare the approved PO with the subsequent reductions in the prices. 2. Check the market rates for the bulk items / critical items and their movements during the period of audit.
Attributes tested: Price fluctuations and periodic review
Sample: PO records
Data analytics performed: NA

Control Description: MIS is reviewed by a cross functional team of HODs for critical items and costs. Actionables, if any, are flagged off for implementation.
Control Owner: As per company policy
Test Performed: 1. Check the MIS for evidence of HODs' review. 2. See the minutes of discussion and check whether the action points have been actioned upon.
Attributes tested: Monthly MIS and review; Minutes and timely action
Sample: MIS for 3 months
Data analytics performed: NA

Risk: Duplicate Orders
Control Description: MIS is reviewed by a cross functional team of HODs for critical items and costs. Actionables, if any, are flagged off for implementation.
Control Owner: As per company policy
Test Performed: 1. Check the MIS review for evidence of HODs' review. 2. See the minutes of discussion and check whether the action points have been actioned upon.
Attributes tested: Monthly MIS review; Status of previous issues flagged.
Sample: MIS for 3 months
Data analytics performed: NA

Control Description: An exception report is generated at the time of processing of invoices for POs / Invoices with certain identical attributes, such as supplier, quantity, PR reference, and is reviewed by the designated authority.
Control Owner: As per company policy
Test Performed: 1. Check the linking of the attributes and the exception report generated for any duplicate orders. 2. Sort the Invoice batch / PO Records on the attributes and check for the common information.
Attributes tested: Quantities, PO numbers, PR reference, supplier name
Sample: Invoice / PO Records and link with PR Records
Data analytics performed: Analyse gate entry, GRN, PO Records and PR Records for any common information which shows duplicate POs raised for the same items.

Control Description: All POs are reviewed for accuracy and correctness and approved as per the approved Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).
Control Owner: As per company policy
Test Performed: 1. Check that the PO is approved as per the Authority Matrix. 2. Check the ACL and confirm that the same is updated as per the Authority Matrix.
Attributes tested: Unauthorised approval rights
Sample: 1. ACL 2. Authority Matrix 3. 30 POs
Data analytics performed: NA

Risk: All POs are not recorded.
Control Description: POs are sequentially pre-numbered. The sequence of POs processed is accounted for.
Control Owner: As per company policy
Test Performed: 1. Check by review of the records of POs whether there are any missing serial numbers of POs.
Attributes tested: Serial no. control of purchase order.
Sample: Records of PO
Data analytics performed: Analyse ERP PO records to verify the PO sequence numbers.
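An added example (not the checklist's own code) that serves two of the analytics above: the GRN-versus-PO checks described for the risk of a PO issued after receipt (receipts without a PO reference, POs dated after the GRN, and the value of such receipts), and the PO sequence check in the preceding row. The record layouts and sample data are constructed.

```python
import re
from datetime import date

# Constructed example: GRN-versus-PO exception analytics and PO number sequence check.
# Record layouts and sample data are assumptions, not from any real ERP.

# PO register: PO number -> {date, value}
PO_REGISTER = {
    "PO2001": {"date": date(2024, 4, 1),  "value": 120_000},
    "PO2002": {"date": date(2024, 4, 2),  "value": 75_000},
    "PO2004": {"date": date(2024, 4, 10), "value": 250_000},  # PO2003 missing from the series
    "PO2006": {"date": date(2024, 4, 15), "value": 60_000},   # PO2005 missing from the series
}

# GRN / gate entry records for the same period
GRN_RECORDS = [
    {"grn": "GRN501", "po": "PO2001", "date": date(2024, 4, 5),  "value": 120_000},  # clean
    {"grn": "GRN502", "po": None,     "date": date(2024, 4, 6),  "value": 80_000},   # no PO reference
    {"grn": "GRN503", "po": "PO2004", "date": date(2024, 4, 8),  "value": 250_000},  # PO dated after GRN
    {"grn": "GRN504", "po": "PO2099", "date": date(2024, 4, 9),  "value": 50_000},   # PO not in register
    {"grn": "GRN505", "po": "PO2006", "date": date(2024, 4, 16), "value": 60_000},   # clean
]


def grn_exceptions(grns, pos):
    """Return [(grn, reason)] for receipts not properly covered by a prior PO."""
    out = []
    for g in grns:
        ref = g["po"]
        if not ref:
            out.append((g["grn"], "no PO reference"))
        elif ref not in pos:
            out.append((g["grn"], f"PO reference {ref} not found in PO register"))
        elif pos[ref]["date"] > g["date"]:
            out.append((g["grn"], f"PO {ref} dated after GRN"))
    return out


def exception_value(grns, pos):
    """Total value of receipts flagged by grn_exceptions (the impact figure for the report)."""
    flagged = {grn for grn, _ in grn_exceptions(grns, pos)}
    return sum(g["value"] for g in grns if g["grn"] in flagged)


def missing_po_numbers(po_numbers, prefix="PO"):
    """PO numbers absent from the sequence between the lowest and highest number seen."""
    pat = re.compile(rf"^{re.escape(prefix)}(\d+)$")
    digits = [m.group(1) for m in (pat.match(n) for n in po_numbers) if m]
    if not digits:
        return []
    width = len(digits[0])            # keep the zero-padding of the source numbering
    nums = sorted(int(d) for d in digits)
    present = set(nums)
    return [f"{prefix}{n:0{width}d}" for n in range(nums[0], nums[-1] + 1) if n not in present]


if __name__ == "__main__":
    for grn, reason in grn_exceptions(GRN_RECORDS, PO_REGISTER):
        print(grn, reason)
    print("value of exceptions:", exception_value(GRN_RECORDS, PO_REGISTER))
    print("missing PO numbers:", missing_po_numbers(PO_REGISTER))
```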
In case of As per 1. Check Approval Records of Analyse
emergency company that there Invoice GRN
purchases, policy exists Gate entry record or
the specific records Gate entry
purchases approval record
made for having
without purchases transaction
indent / PO without s of capital
need to be indent or purchase
specifically PO as per to identify:
approved the
as per the Authority - GRN or
Authority Matrix. gate entry
Matrix. without PO
reference.
- PO
created
after gate
entry or
invoice
date.

Calculate
value of
such
purchases
during
audit
period to
show
impact.
Validity of 1. The list As per 1. Check Open PO Open PO Analyse list
the open of open company the validity dates listing of
POs / POs / policy of open PO Purchase
Contracts contracts is / Orders for
reviewed Contracts. following:

347
Internal Audit Checklist

Final Sub- Risk Control Control Test Attributes ` Data


process Descriptio Owner Performed tested analytics
n performed
monthly by 2. Check
purchase the - Instances
team. The documente of open
redundant / d reason purchase
expired PO for delayed orders not
are purged Pos. closed for
from the long times.
list. - may be
used for
2. parking
Timelines unauthoris
of the ed
procureme transaction
nt activities s.
are
monitored Calculate
monthly financial
Reason loss to the
analysis is company
performed due to
and delay in
documente delivery, if
d for all possible.
delayed
beyond the
defined
timelines.
Audit logs 1. Audit As per 1. Check Audit Logs 1. Audit Analyse
for logs are company logs are of changes logs Audit log of
changes in generated policy available in PO. 2. monthly modificatio
PO may for all for PO's/ review on n carried in
not be Purchase WOs and logs- 3 purchase
available Orders modificatio Month. record
and review (POs) / n. during the
lead to Work 2. review
unauthoriz Orders Mechanism period to
ed (WOs) in place to identify the
changes. raised / review following:
modified in audit logs. 1.
the system. Unauthoris
2. Process ed users
is in place performing
to monitor transaction
audit logs .
to identify 2.
any Conflicting
inappropria transaction

348
Purchase to Pay – Capital Items

Final Sub- Risk Control Control Test Attributes ` Data


process Descriptio Owner Performed tested analytics
n performed
te / rights
suspicious granted to
activity. same
person.
Sub-process: Receiving project material and quality assessment.
Risk: Project delayed due to delays by contractor to complete various activities.
Control description: 1. Open PO / contract list is prepared on a weekly basis by designated department. This is used as basis for tracking timely deliveries by the user department. 2. Actions needed by project committee are recorded for future action. 3. Drawings are timely provided by architect well in advance, before 15 days of start of work.
Control owner: As per company policy.
Test performed: 1. Check the instances of stock outs and review the justification / root cause for the same. 2. Check whether the department tracks deliveries against the Open PO list. 3. Check action taken by monthly project committee and action recorded and taken by contractor for timely completion. 4. Check timely drawings provided by the architect or not.
Attributes tested: 1. Open PO dates. 2. Stock outs.
Sample: 1. 10 weeks open PO list. 2. Stock out event list.
Data analytics performed: Analyse ERP Open PO records with daily stock details to identify instances where PO is undelivered and material is out of stock.

Risk: Assets received may not be recorded.
Control description: Statements received from vendors are reconciled to the vendor accounts in the accounts payable sub-ledger quarterly and differences are investigated. This is reviewed by Accounts teams.
Control owner: As per company policy.
Test performed: 1. Check that the vendor accounts reconciliation is done on a periodic basis. 2. Check the differences, if any, are reconciled and are not carried forward.
Attributes tested: Unrecorded assets.
Sample: Top 20 capital vendors' reconciliation statements, or cover 40% of capital purchase.
Data analytics performed: NA.

Control description: The stock at the business locations of the company is physically verified at least once in a year by Accounts department / independent auditors. Variances, if any, are reconciled with the books of accounts to ensure accuracy of the books of accounts.
Control owner: As per company policy.
Test performed: 1. Check the working papers of physical verification and see that the differences, if any, were reconciled and accounted for.
Attributes tested: Periodicity and variances noted in physical verification.
Sample: Physical verification statements and reconciliation.

Risk: Capital asset accepted without proper inspection and verification.
Control description: 1. The receiving personnel are required to match the assets received with the open purchase orders. In case the assets received do not match with the quantities or specifications, or exceed the purchase order quantity, the same are rejected. 2. Invoice quantity and physical quantity are matched, for which store person counts inventory before GRN and signs off on invoice.
Control owner: As per company policy.
Test performed: 1. Check whether GRN can be raised for items without a PO or that do not meet the specifications. 2. Whether store person signs off on invoice after physical count of items. 3. Verify that a check exists for physical count against invoice quantity by a person other than the GRN entry person, to avoid SOD conflicts.
Attributes tested: Capital items against authorised PO only.
Sample: PO records and GRN records; 30 GRNs for physical verification.
Data analytics performed: NA.

Control description: All receipts are reviewed and approved by the personnel as per the approved Authority Matrix. Also, the same has been entered into ERP software in Access Control List (ACL).
Control owner: As per company policy.
Test performed: 1. Check that the GRN is approved as per Authority Matrix. 2. Check the ACL and confirm that the same is updated as per Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample: 1. ACL. 2. Authority Matrix. 3. 30 GRNs.
Data analytics performed: Analyse records of GRN with records of PO quantity and rates to identify instances of deviation.

Risk: Quantity received in excess of ordered quantity. Quantity received has not been ordered.
Control description: 1. The receiving personnel are required to match the goods received with the open purchase orders. In case the goods received do not match with the quantities or specifications, or exceed the purchase order quantity, the same are rejected. 2. ERP also has control over quantity booking; the system does not allow booking of quantity more than PO quantity.
Control owner: As per company policy.
Test performed: 1. Check possibility of GRN more than PO quantity by system walkthrough. 2. Check approved tolerance limit against PO qty from management side. Verify cases where material allowed more than tolerated limit.
Attributes tested: Order vs receipt qty vs material not received as per PO specifications.
Sample: PO records, GRN records and 1 amended PO for change in order quantity.
Data analytics performed: Analyse list of GRNs for following: 1. Instances of delays in receipt of materials. 2. Instances of GRN / SES without PO or before PO. 3. Instances of GRN without gate entry. 4. Instances of GRN before gate entry. 5. Instances of GRN more than PO quantity. 6. Instances of GRN / SES value more than PO / SO value. 7. CWIP open for long time.

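The GRN-versus-PO analytics listed in the row above can be run mechanically over an ERP extract. The Python below is an added example, not part of the checklist and not any ERP vendor's code: it takes constructed PO and GRN records (the field names, sample values and the management-approved tolerance percentage are assumptions) and flags, per GRN, the exceptions the checklist names: GRN without PO, GRN before PO date, GRN without or before gate entry, cumulative GRN quantity above PO quantity beyond the tolerance, and cumulative GRN value above PO value. Checking cumulative rather than per-document quantities is what catches the second, third or fourth receipt that pushes a PO over its limit.

```python
# Added example, not from the checklist: the open-PO / GRN analytics above,
# run over constructed ERP-style records. Field names and the tolerance
# percentage attribute are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PurchaseOrder:
    po_no: str
    qty: float
    unit_rate: float
    po_date: date
    tolerance_pct: float = 0.0  # management-approved over-receipt tolerance (assumed field)

    @property
    def value(self) -> float:
        return self.qty * self.unit_rate


@dataclass
class Grn:
    grn_no: str
    po_no: Optional[str]              # None models a GRN raised without a PO
    qty: float
    value: float
    grn_date: date
    gate_entry_date: Optional[date]   # None models a GRN with no gate entry


def grn_exceptions(pos, grns):
    """Map each GRN number to the list of checklist exceptions it triggers.

    GRNs are processed in date order so that cumulative quantity and value
    per PO flag the receipt that first breaches the PO, not only the total."""
    po_by_no = {p.po_no: p for p in pos}
    cum_qty, cum_value, findings = {}, {}, {}
    for g in sorted(grns, key=lambda x: x.grn_date):
        issues = []
        po = po_by_no.get(g.po_no) if g.po_no else None
        if po is None:
            issues.append("GRN without PO")
        else:
            if g.grn_date < po.po_date:
                issues.append("GRN before PO date")
            cum_qty[po.po_no] = cum_qty.get(po.po_no, 0.0) + g.qty
            cum_value[po.po_no] = cum_value.get(po.po_no, 0.0) + g.value
            if cum_qty[po.po_no] > po.qty * (1 + po.tolerance_pct / 100):
                issues.append("GRN qty above PO qty (beyond tolerance)")
            if cum_value[po.po_no] > po.value:
                issues.append("GRN value above PO value")
        if g.gate_entry_date is None:
            issues.append("GRN without gate entry")
        elif g.grn_date < g.gate_entry_date:
            issues.append("GRN before gate entry")
        findings[g.grn_no] = issues
    return findings


# Constructed sample extract (not real data).
SAMPLE_POS = [
    PurchaseOrder("PO-1001", qty=100, unit_rate=10.0, po_date=date(2024, 1, 5), tolerance_pct=5),
    PurchaseOrder("PO-1002", qty=10, unit_rate=500.0, po_date=date(2024, 2, 1)),
]
SAMPLE_GRNS = [
    Grn("G1", "PO-1001", 60, 600.0, date(2024, 1, 10), date(2024, 1, 10)),   # clean
    Grn("G2", "PO-1001", 50, 500.0, date(2024, 1, 20), date(2024, 1, 21)),   # 110 > 105, value 1100 > 1000, booked before gate entry
    Grn("G3", "PO-1002", 10, 5000.0, date(2024, 1, 28), None),              # dated before its PO, no gate entry
    Grn("G4", None, 5, 100.0, date(2024, 3, 1), date(2024, 3, 1)),          # no PO at all
]

if __name__ == "__main__":
    for grn_no, issues in grn_exceptions(SAMPLE_POS, SAMPLE_GRNS).items():
        print(grn_no, issues or "OK")
```

In practice the two inputs come from the PO and GRN (or SES) tables of the ERP; the same loop serves "GRN / SES value more than PO / SO value" by feeding service entry sheets in place of GRNs.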
Control description: All receipts are reviewed and approved by the personnel as per the approved Authority Matrix. Also, the same has been entered into ERP software in Access Control List (ACL).
Control owner: As per company policy.
Test performed: 1. Check that the GRN is approved as per Authority Matrix. 2. Check the ACL and confirm that the same is updated as per Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample: 1. ACL. 2. Authority Matrix. 3. 30 GRNs.
Data analytics performed: Analyse ERP receipt record during the review period to identify the following: 1. Unauthorised users performing transaction. 2. Conflicting transaction rights granted to same person.

Risk: Unauthorized person can create receiving documents.
Control description: All receipts are reviewed and approved by the personnel as per the approved Authority Matrix. Also, the same has been entered into ERP software in Access Control List (ACL).
Control owner: As per company policy.
Test performed: 1. Check that the GRN is approved as per Authority Matrix. 2. Check the ACL and confirm that the same is updated as per Authority Matrix.
Attributes tested: Unauthorised approval rights.
Sample: 1. ACL. 2. Authority Matrix. 3. 30 GRNs.
Data analytics performed: Analyse ERP receipt record during the review period to identify the following: 1. Unauthorised users performing transaction. 2. Conflicting transaction rights granted to same person.

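The ACL checks in this and the preceding rows (rights in the ERP Access Control List that the Authority Matrix does not grant, conflicting rights held by one person, and transactions performed by users without the right) are the same comparison each time, and the same test recurs later for quality certification, invoice processing and payment release. The Python below is an added example rather than the checklist's or any ERP's code; the role names, transaction codes, conflict pairs, ACL rows and transaction log are all constructed for illustration.

```python
# Added example, not from the checklist: Access Control List review against
# the Authority Matrix. Roles, transaction codes, conflict pairs and the
# sample ACL / transaction log are constructed for illustration.
from collections import defaultdict

# Authority Matrix: the transaction rights each role may hold (assumed).
AUTHORITY_MATRIX = {
    "store_clerk": {"GRN_CREATE"},
    "store_head": {"GRN_APPROVE", "PHYSICAL_COUNT"},
    "qc_engineer": {"QC_CERTIFY"},
    "ap_executive": {"INVOICE_BOOK"},
    "ap_manager": {"INVOICE_APPROVE"},
}

# Right pairs one person should not hold together (assumed SoD rules; the
# checklist itself separates GRN entry from the physical count).
CONFLICTING_PAIRS = [
    ("GRN_CREATE", "GRN_APPROVE"),
    ("GRN_CREATE", "PHYSICAL_COUNT"),
    ("GRN_CREATE", "QC_CERTIFY"),
    ("INVOICE_BOOK", "INVOICE_APPROVE"),
]


def granted_rights(acl):
    """ACL rows (user, role, right) -> {user: every right the ACL grants}."""
    rights = defaultdict(set)
    for user, _role, right in acl:
        rights[user].add(right)
    return rights


def unauthorised_rights(acl, matrix=AUTHORITY_MATRIX):
    """ACL grants that the user's role does not carry in the Authority Matrix."""
    return sorted((user, right) for user, role, right in acl
                  if right not in matrix.get(role, set()))


def sod_conflicts(acl, pairs=CONFLICTING_PAIRS):
    """Users holding both halves of a conflicting pair, whatever role the ACL names."""
    found = []
    for user, rights in granted_rights(acl).items():
        for a, b in pairs:
            if a in rights and b in rights:
                found.append((user, a, b))
    return sorted(found)


def unauthorised_transactions(acl, log, matrix=AUTHORITY_MATRIX):
    """Document numbers from log rows (doc_no, user, right_used) where the user
    holds no matrix-backed grant for that right. An ACL grant outside the
    matrix does not count, and a user missing from the ACL has no rights."""
    backed = defaultdict(set)
    for user, role, right in acl:
        if right in matrix.get(role, set()):
            backed[user].add(right)
    return sorted(doc for doc, user, right in log if right not in backed.get(user, set()))


# Constructed ACL export: (user, role, right).
SAMPLE_ACL = [
    ("asha", "store_clerk", "GRN_CREATE"),
    ("ravi", "store_head", "GRN_APPROVE"),
    ("ravi", "store_head", "GRN_CREATE"),          # outside the matrix, conflicts with GRN_APPROVE
    ("meena", "ap_executive", "INVOICE_BOOK"),
    ("meena", "ap_executive", "INVOICE_APPROVE"),  # outside the matrix, conflicts with INVOICE_BOOK
]

# Constructed ERP transaction log: (doc_no, user, right_used).
SAMPLE_LOG = [
    ("GRN-501", "asha", "GRN_CREATE"),
    ("GRN-502", "ravi", "GRN_CREATE"),
    ("INV-77", "meena", "INVOICE_APPROVE"),
    ("QC-9", "priya", "QC_CERTIFY"),   # priya has no ACL entry at all
]

if __name__ == "__main__":
    print("unauthorised rights:", unauthorised_rights(SAMPLE_ACL))
    print("SoD conflicts:", sod_conflicts(SAMPLE_ACL))
    print("unauthorised transactions:", unauthorised_transactions(SAMPLE_ACL, SAMPLE_LOG))
```

Reading the transaction log against matrix-backed rights, rather than against the raw ACL, is deliberate: a grant the matrix never authorised is itself the finding, so transactions made under it should surface as unauthorised even though the ERP allowed them.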
Risk: Terms and conditions of acceptance of goods at the factory gate (before the goods have been approved by quality control department) may be detrimental to the interests of company.
Control description: The receiving stamp that is used to acknowledge receipt of goods at the gate on Goods Receipt Note (GRN) bears the inscription 'goods are being received subject to count and quality procedures'. Accordingly, liability would not accrue to the Company until these procedures are complied with.
Control owner: As per company policy.
Test performed: 1. Check that the GRNs are being marked with the stamp 'goods are being received subject to count and quality procedures'.
Attributes tested: Appropriate stamp on the GRNs.
Sample: 30 GRNs.
Data analytics performed: NA.

Risk: Inappropriate quality of material accepted.
Control description: 1. Before the GRN is sent to Accounts department for booking the liability or the goods are sent to store, Quality department is required to certify the quality of material received in accordance with the set guidelines. 2. The store clerk will not accept the goods unless "QC checked" is stamped on the GRN. 3. Also, Accounts department will not book the liability and process the payment unless the QC-checked stamped GRN is received by them. 4. In case quality check is not required for any item, the same should be a part of the QC exceptions list, which is reviewed monthly.
Control owner: As per company policy.
Test performed: 1. Check whether the GRNs have been marked as approved by Quality control department. 2. Review exception report for the goods rejected due to quality constraints on the shop floor. Check all these goods are returned to vendors as per agreement. 3. If rejected goods are not returned, it should be recorded. 4. Monthly quality exception list is reviewed by authorised person.
Attributes tested: Post-QC rejections.
Sample: 1. 30 GRNs. 2. Exception report raised for post-QC rejections.
Data analytics performed: Analyse Quality and Return to Vendor records for following: - Delays in sending back rejected material to vendor. - Instances of GRN and issue of material despite quality rejection. - Quality records created by unauthorized person / absence of SOD.

Control description: Access to certify the quality of material is restricted as per approved Authority Matrix in ERP.
Control owner: As per company policy.
Test performed: 1. Review Access Control List for access to personnel other than those authorised for certifying quality of the goods.
Attributes tested: Access rights for certifying quality.
Sample: Access Control List.
Data analytics performed: Analyse GRN and Quality record during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to same person.

Risk: Policy may not be in place for sampling; methodology leads to improper quality.
Control description: 1. Policy in place for quality testing of required material, including sampling, methodology and documentation of quality testing. 2. Quality inspection standards are defined for all materials. 3. Ensure that all steps are carried out as per company policy or ISO certification process for quality assessment and documentation.
Control owner: As per company policy.
Test performed: 1. Check policy of sampling and methodology of quality testing is documented. 2. Check quality inspection for all material. 3. Inspection is carried out as per policy or ISO certification process.
Attributes tested: Sampling and quality methodology; sample taken and methodology used.
Sample: Select 30 GRNs to check quality.
Data analytics performed: Analyse ERP Quality Records and check quantity transferred to unrestricted category or not (for issue purpose). Check quantity in restricted category and reason for same. Analyse ERP quality record of actual sample by defined sampling method.

Sub-process: Project Material - Rejected material.
Risk: Rejected material may not be placed separately and returned to vendor on timely basis; leads to risk of issue to floor and ownership.
Control description: 1. Any rejected work should be made good by contractor. 2. Any rejections are segregated and stored separately. 3. All rejections are supplied back to vendor on timely basis. 4. Department ensures timely return and recording of return. 5. Material is consumed only after Quality checks. 6. Perform assessment in case of high rejection in the material supplied by the vendor. 7. Debit notes should be raised immediately for all rejections and return to vendors.
Control owner: As per company policy.
Test performed: 1. Physically verify rejected items and storage control to avoid issue for operation. 2. Check rejected item returned and replaced by vendors on timely basis or not. 3. Verify return recorded on timely basis in books or not. 4. Ensure material consumed after quality check only. 5. Monthly assessment of vendor-wise rejection to take appropriate action against regular default vendors. 6. Debit note raised for rejected material and approved by appropriate authority. 7. Verify rejected material with advance paid vendors.
Attributes tested: Storing of rejected material and return to vendor.
Sample: 4 months MIS of rejected items. 20 debit notes for rejected material.
Data analytics performed: Analyse ERP quality, GRN records and Vendor ledger to establish following: - Debit note raised to vendor or not for quality rejection. - GRN reversal in case of rejected material. - GRN records for replacement by vendor against same PO. - Material issued after quality approval only.


Risk: Delay in clearing and forwarding of imported assets.
Control description: The report on demurrage charges incurred due to delay in carrying and forwarding of imported capital items is reviewed by Designated person monthly. Also, these charges are separately disclosed in the MIS for Sr. Management review.
Control owner: As per company policy.
Test performed: 1. Check the demurrage charges paid and justification for the same. 2. Check approval of demurrage charges along with reason.
Attributes tested: Demurrage charges due to delay in clearing.
Sample: Records of demurrage charges ledger balance; 30 imported invoices.
Data analytics performed: NA.

Risk: Unauthorised or inaccurate release of payments for transporter dues.
Control description: 1. All transporter claims are authorised by the designated authority prior to payment by the Accounts department. This is based on the agreements with the contractor / transporters. 2. A person different from the purchase team prepares a tracker of transporter invoices and reconciles it with the purchase register.
Control owner: As per company policy.
Test performed: 1. Check the supporting for the claims, viz. agreements, if any / rate contract. 2. Check reconciliation of purchase register with transporter invoices to avoid duplicate booking. 3. Check lorry documents for freight payment.
Attributes tested: Transporter charges authorization.
Sample: 30 transporter invoices, or as per quantum of business of company.
Data analytics performed: NA.

Risk: GST Input Credit not availed / short / excess availed.
Control description: Monthly reconciliation of GST Input Credit account and GST Input Credit register is done jointly by Stores and Accounts.
Control owner: As per company policy.
Test performed: 1. Check the GST Input Credit reconciliation for long outstanding items and check justifications and action for the same.
Attributes tested: Periodicity of reconciliation and reasons for outstanding items.
Sample: 3 months reconciliation.
Data analytics performed: Analysis of GSTR-2A report with purchase register to identify cases where GST credit is available as per portal but invoice not booked, or vice versa.

Sub-process: Invoice Processing.
Risk: Invoices may be booked incorrectly.
Control description: 1. Before any invoice is approved for booking, Designated Authority performs a three-way match of the PO, GRN and Invoice. 2. Capital Goods are recorded as Fixed Assets as per AS10.
Control owner: As per company policy.
Test performed: 1. Check that the invoice is supported by duly authorised PO and GRN. 2. Check compliance of accounting standard while booking of invoices.
Attributes tested: 3-way control: PO, GRN and Invoice.
Sample: 50 invoices, or as per quantum of transaction.
Data analytics performed: Analyse and compare PO records with GRN records to verify accuracy in booking of value. Verify transporter charges GL or clearing & forwarding or suspense GL, where excess invoiced value (more than PO value) may be provided, to verify approval process.

Control description: 1. Bank guarantees (Advance Bank Guarantee and Performance Bank Guarantee) are received for period up to defect liability. Retention is deducted as per agreement terms. 2. Labour cess deduction is made from bills. Electricity or water charges deducted from RA bills if provided by company.
Control owner: As per company policy.
Test performed: 1. Check whether PBG and ABG received and have sufficient time period for claim in case of default. 2. Check retention deducted and paid only on completion of defect liability period. 3. Labour cess, electricity and water cess deducted from RA bills. 4. Retention and PBG will be released only after satisfactory performance approval certificate received from project team.
Attributes tested: Compliance with agreement terms.
Sample: 50 invoices, or as per quantum of transaction.
Data analytics performed: Analyse vendor-wise / PO-wise PBG tracker to verify all PBGs are active and renewed on timely basis before expiry in cases where work has not been completed. Analyse retention payment GL and contractor defect liability period from date of completion of work.

Control description: In case of emergency purchases, invoice is verified with the GRN and subsequent approval obtained for purchase from personnel authorised in terms of Authority Matrix.
Control owner: As per company policy.
Test performed: 1. Check that the invoice is supported by GRN and post-purchase approval from the personnel authorised as per Authority Matrix.
Attributes tested: Emergency purchase approval.
Sample: 50 invoices, or as per quantum of transaction.
Data analytics performed: Compare invoice dates and PO date to identify emergency purchases (invoice date should be after PO date). Verify ERP records where invoices are booked without 3-way control, i.e., PO, GRN and invoice, to check approval procedure.

Risk: Same invoice may be booked more than once.
Control description: At the time of booking of invoice, invoice is defaced with the stamp "Processed" by executive.
Control owner: As per company policy.
Test performed: Check that the invoices are defaced at the time of booking.
Attributes tested: Defacing of invoice to avoid duplicate booking.
Sample: 50 invoices, or as per quantum of transaction.
Data analytics performed: Analyse vendor invoices for following: 1. Incorrect / duplicate invoices processed. 2. Check for same invoice amount during the same period for same vendor.

Control description: 1. Once an invoice is booked, the supporting documents, viz. GRN, PO, Indent, are attached with it. 2. Other documents, i.e. measurement sheet, Quality sheet, engineer approval, site photograph of progress, are verified by designated authority. 3. Bill of material is attached, which shows details of previous bill, current bill and total billing details. Invoices without these cannot be processed.
Control owner: As per company policy.
Test performed: 1. Check that the invoice is supported by duly authorized PO and GRN. 2. Check other documents, i.e., measurement sheet, Quality sheet, engineer approval, site photograph of progress. 3. Bill of Material attached as supporting and invoice verified with it for accuracy.
Attributes tested: Supporting documents related to capital items.
Sample: 50 invoices, or as per quantum of transaction.
Data analytics performed: Analyse POs value from ERP records and compare it with GRN value for accuracy in between.

Risk: Unapproved invoices are processed.
Control description: The invoices, before being processed, are reviewed by designated authority.
Control owner: As per company policy.
Test performed: Check the approval of designated authority on the invoice.
Attributes tested: Invoice approval from designated authority.
Sample: 50 invoices, or as per quantum of transaction.
Data analytics performed: Analyse GRN and invoice record during the review period to identify the following: 1. Unauthorised users performing transaction. 2. Conflicting transaction rights granted to same person.

Control description: Access rights to process the invoices are restricted to the personnel authorised as per the Authority Matrix and are entered in Access Control List (ACL) in ERP system.
Control owner: As per company policy.
Test performed: Check the Access Control List for the access rights given to the authorised personnel.
Attributes tested: Access rights.
Sample: ACL.

Risk: Delay in accounting of capital invoices.
Control description: Statements received from the contractor are reconciled to the contractor accounts in the accounts payable subledger quarterly and differences are investigated. This is reviewed by Designated Authority.
Control owner: As per company policy.
Test performed: 1. Check the periodicity of contractor reconciliation for appropriateness thereof. 2. Sample check the pending items in the reconciliations for invoices pending for booking and confirm the reasons for same.
Attributes tested: Timely booking of invoices.
Sample: Reconciliation for 20 contractors.
Data analytics performed: Analyse ERP data to compare invoice date, GRN date, Quality date and invoice booking date to verify timely processing of invoice.

Control description: 1. For goods: the list of Goods Received Not Invoiced (GRNI) and the items with Quality Control are reviewed monthly to ensure that there are no delays in booking the liability. 2. For work: monthly recompilation is prepared between work performed and actual billing by contractor.
Control owner: As per company policy.
Test performed: 1. Check aging of Temporary GRN raised for the material with Quality Control department and the GRNIs. 2. Ensure that the same are accounted in the books as liability in the suspense accounts. 3. Monthly recompilation between work performed and actual billing approved by civil team or mechanical team.
Attributes tested: Aging of GRN and the material being held by QC; provision for non-booked GRNs or invoices or performed work.
Sample: Records of GRN with QC liability.
Data analytics performed: Analyse ERP data to compare invoice date, GRN date, Quality date and invoice booking date: - to verify timely processing of activities; - to check vendor liability booked on timely basis, so that reconciliation gaps should be zero or minimum.

Risk: Booking of related expenditure and GST input credit along with invoice may not be booked.
Control description: 1. GST Input credits are obtained for all eligible credits, and it is duly verified at the time of recording of invoices. 2. All related expenditure, such as toll tax, cess, freight, etc., are recorded as capital cost of item / project. 3. Appropriate deduction and recording of TDS are done wherever applicable.
Control owner: As per company policy.
Test performed: 1. Check cenvatable credit provided along with invoice booking. 2. All related expenditure like toll tax and freight booked in the cost of capital item / project. 3. TDS and other deductions as per law are done and recorded.
Attributes tested: Credit booking and deduction.
Sample: 50 invoices, and as decided with management.
Data analytics performed: NA.

Risk: Delay in raising debit / credit notes.
Control description: Statements received from vendors are reconciled to the vendor accounts in the accounts payable subledger quarterly and differences are investigated. This is reviewed by Designated Authority.
Control owner: As per company policy.
Test performed: 1. Check the vendor reconciliation for the periodicity of reconciliation. 2. Sample check the pending items in the reconciliations for debit / credit notes yet to be raised. Confirm reasons for the same.
Attributes tested: Timely issue of debit / credit notes.
Sample: Reconciliation for 30 vendors.
Data analytics performed: Analyse time taken for issuing debit / credit notes from the date of booking of invoices or date of receipt / return of material.

Risk: Unauthorized debit / credit notes may be raised.
Control description: The debit / credit notes are approved by the person as per Authority Matrix. The same is entered in the Access Control List existing in the ERP system.
Control owner: As per company policy.
Test performed: 1. Check that the access control list defined in ERP system is as per the approved Authority Matrix. 2. Check that adequate back-up / supporting documents exist for issuing debit / credit notes.
Attributes tested: 1. Approvals for debit / credit notes. 2. Reasons for issuance.
Sample: 30 debit / credit notes.
Data analytics performed: Analyse number of debit / credit notes issued vis-à-vis number of purchases made. Analyse value of debit / credit notes issued vis-à-vis value of purchases made, to check efficiency of purchase.

Sub-process: Accounting and payables.
Risk: Unauthorised payments.
Control description: 1. The payment voucher with required supportings is reviewed and authorised by the personnel authorised as per approved Authority Matrix. The Authority Matrix is entered in the Access Control List (ACL) in ERP system. 2. The supporting documentation is cancelled or defaced once it is reviewed and payment voucher is approved. In case of cheque payment, when the cheque is handed over to the vendor representative, acknowledgement is obtained.
Control owner: As per company policy.
Test performed: 1. Check that the Access Control List in ERP is as per the approved Authority Matrix. 2. Check that requisite supporting is attached with the payment voucher. 3. Check that the supporting is defaced for the approved vouchers. 4. Sign of vendor's representative.
Attributes tested: 1. Access Control List. 2. Supporting.
Sample: 1. Access Control List. 2. Authority Matrix. 3. 30 payment vouchers.
Data analytics performed: Analyse vendor payment record during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to same person.

Control description: At the time of processing a vendor invoice for payment, Designated Authority is required to identify and set off all the advances pending adjustment for such contractor or capital vendor.
Control owner: As per company policy.
Test performed: 1. Check that there are no amounts pending adjustment for vendors where all the invoices have been paid. See justification for exceptions. 2. Scrutinise the vendor accounts / party accounts to check the cases of segregation of amounts to avoid authority matrix. 3. Vendor advance should be adjusted as per contract terms. 4. Check cases of advance paid to contractor but work performed at slow pace, leading to financial loss to the company.
Attributes tested: 1. Advance amounts in payment accounts pending adjustment. 2. Multiple payments on same or nearby date.
Sample: 30 vendor accounts, per business need.
Data analytics performed: Analyse vendor payments for following: 1. Same vendor on same date, and more than one payment. 2. Check advances are adjusted as per contract terms. 3. Check advance paid but without bank guarantee, against the policy of the company.

Control description: The listing of vendor payments is reviewed prior to the release of payment by the personnel authorised as per Authority Matrix.
Control owner: As per company policy.
Test performed: 1. Check the evidence of review on vendor payment list.
Attributes tested: Review of payment lists.
Sample: 30 vendor payments.
Data analytics performed: Analyse vendor payment record during the review period to identify the following: 1. Unauthorised users performing transactions. 2. Conflicting transaction rights granted to same person.

Control description: The personnel making the payment (either through cheque / DD / wire transfer) are authorised to do so as per the approved Authority Matrix.
Control owner: As per company policy.
Test performed: 1. Check the approval authority to make the payment. 2. Check whether the same has been communicated to the bank.
Attributes tested: Approval of payment to vendors.
Sample: Authority Matrix.

Control description: Management periodically reviews the returned paid cheques for unauthorised signatures, alterations and / or alterations.
Control owner: As per company policy.
Test performed: 1. Check the evidence of the management review.
Attributes tested: Review of returned cheques.
Sample: Returned cheques during the audit period.
Data analytics performed: Analyse total cheques issued during the period and returned, to verify following: 1. Control at the time of issue of cheques. 2. Period for which cheques returned due to alteration / mismatch, etc.

Risk: Payments are made to incorrect vendors.
Control description: 1. The payment voucher with required supporting is reviewed and authorised by the person as per approved Authority Matrix. The authority matrix is entered in the Access Control List (ACL) in ERP system. 2. The supporting documentation is cancelled or defaced once it is reviewed and payment voucher is approved.
Control owner: As per company policy.
Test performed: 1. Check that the ACL in ERP is as per the approved Authority Matrix. 2. Check that requisite supporting is attached with the payment voucher. 3. Check that the supporting is defaced for the approved vouchers.
Attributes tested: 1. Access Control List. 2. Supporting of deface.
Sample: 1. Access Control List. 2. Authority Matrix. 3. 30 payment vouchers.
Data analytics performed: NA.

Control description: 1. The listing of vendor payments is reviewed prior to release of payment by the person as per approved Authority Matrix. 2. Cheques / DDs are restrictively endorsed by the preparer to ensure that they are paid to the specific payee.
Control owner: As per company policy.
Test performed: 1. Check the evidence of review on the vendor payment list.
Attributes tested: Management review before release of payment.
Sample: 30 vendor payment lists.
Data analytics performed: 1. Data analysis of the open / long pending advances which are not adjusted. 2. Analyse data for instances of delay in payment made to MSME vendors over 45 days. 3. Whether liability write-off approvals are obtained from management as per policy.

Control description: Management periodically reviews the returned paid cheques for unauthorised signatures, alterations and / or alterations.
Control owner: As per company policy.
Test performed: 1. Check the evidence of the management review.
Attributes tested: Management review for returned cheques and reissue.
Sample: Returned cheques.
Data analytics performed: Analyse total cheques issued during the period and returned, to verify following: 1. Control at the time of issue of cheque. 2. Period for which cheques are returned due to alteration / mismatch, etc.

Risk: Credit terms may not be utilized effectively.
Control description: 1. Payments are processed for approved invoices as per agreed payment terms, to optimize the credit period and efficient utilization of working capital. 2. Vendor ageing is prepared and reviewed by the Designated Authority on weekly basis to ensure all overdue payments are processed.
Control owner: As per company policy.
Test performed: 1. Check payment and credit terms with vendors. 2. Review document of vendor ageing on weekly basis.
Attributes tested: Credit terms and weekly review of overdues.
Sample: Check ledger of 10 major vendors; 10 weekly reviews of overdue payment.
Data analytics performed: Analyse ERP vendor ageing of different months to verify payment made after utilizing credit terms, to maintain working capital balance.

Risk: MSME vendor not paid on timely basis.
Control description: Payment to MSME vendors is reviewed and made within defined timelines as per terms of agreement or timelines defined under Micro, Small and Medium Enterprises Development Act, 2006 or amendments thereafter (45 days), whichever is earlier.
Control owner: As per company policy.
Test performed: 1. Check ageing of MSME vendors on different dates / months.
Attributes tested: Timely payment to MSME vendors.
Sample: Check ledger of 20 MSME vendors.
Data analytics performed: 1. Data analysis of the open / long pending advances which are not adjusted. 2. Analyse data for instances of delay in payment made to MSME vendors over 45 days.

Risk: GST credit reconciliation, and payables more than 180 days.
Control description: Reconciliation of eligible GST credits on GST portal with GST Input credit available and deposited is performed periodically.
Control owner: As per company policy.
Test performed: 1. Check monthly reconciliation sheet of GST credit as per books with Portal and deposited.
Attributes tested: GST reconciliation.
Sample: 3 months reconciliation.
Data analytics performed: Analyse vendor-wise credit available at portal and credit availed / booked by the company, and reason for non-utilization / non-booking and vice versa.

Control description: If payment to vendors is not made within 180 days, then GST credit related to the particular amount needs to be reversed.
Control owner: As per company policy.
Test performed: 1. Verify vendors ageing and identify cases where payments are outstanding by more than 180 days. 2. Check GST return and verify credit related to this vendor reversed in the particular month or not. 3. Tracker should be maintained by the company for credit reversal and subsequent utilization after payment.
Attributes tested: GST credit reversal in case of non-payment within 180 days.
Sample: 1. Vendor ageing. 2. GST returns for reversal purpose.
Data analytics performed: NA.

Risk: Duplicate payments
Control Description:
1. The payment voucher with required supporting is reviewed and authorised by the person as per Authority Matrix. The Authority Matrix is entered in the Access Control List (ACL) in ERP system.
2. The supporting documentation is cancelled or defaced, once it is reviewed and payment voucher is approved.
Control Owner: As per company policy
Test Performed:
1. Check that the Access Control list in ERP is as per the approved Authority Matrix.
2. Check that requisite supporting is attached with the payment voucher.
3. Check that the supporting is defaced for the approved vouchers.
Attributes tested: 1. Access Control List 2. Supporting 3. Payment vouchers
Sample Size: 1. Access Control List 2. Authority Matrix 3. 30 Payment vouchers
Data analytics performed: NA
Risk: Non receipt of material against advances
Control Description: The listing of Open POs is reviewed monthly to check the cases of delayed supplies/contractor wherein advances have been released to them. This is reviewed by the person as per Authority Matrix.
Control Owner: As per company policy
Test Performed:
1. Check the due dates in the open PO / Contracts.
2. Check the reasons for delays in supplies.
Attributes tested: 1. Open PO with corresponding advances 2. Justification for delays
Sample Size: 1. Open capital PO listing 2. Unadjusted capital advances GL
Data analytics performed: Analyse Capital PO list (where timeline of supply has been expired) and compare with capital advance GL to identify cases where advance unadjusted and vendor POs are also outstanding. Analyse advance with Bank Guarantee (BG) tracker for BG extension if advance pending for adjustment.
Control Description: Ageing of the party balances is reviewed monthly and supplier's account reconciliation is done on a quarterly basis.
Control Owner: As per company policy
Test Performed:
1. Check the debit balances appearing in the supplier's account and ageing thereof.
2. Check whether any unauthorized advance has been given to the supplier (this needs to be checked with the justification provided and the Authority Matrix).
3. Check whether the advances have not been adjusted correctly while accounting for receipt of goods.
Attributes tested: 1. Approvals, 2. Amount, 3. Receipt of material 4. Due date
Sample Size: Vendors Account and the Advances Aging statement.
Data analytics performed: Analyse various figures reported in MIS vis-a-vis the details appearing in ERP system to identify instances of incorrect reporting.
Risk: Penalty may not be imposed and Extension of Time (EOT) may not be allowed to contractor for delay in supply or completion of contract.
Control Description:
1. Penalty are imposed on contractor in case of delay in supply or construction as per project terms.
2. If delay from management side, EOT (Extension of time) will be allowed and RA bill processed without deduction.
Control Owner: As per company policy
Test Performed:
1. Check LD deducted from RA bills of contractor if EOT not allowed.
2. Check EOT allowed and justification provided for delay.
3. Action taken by management to avoid EOT next time.
Attributes tested: LD deduction and EOT with justification
Sample Size: 20 Sample for delay in supply and completion of contract.
Data analytics performed: NA
Risk: Wrong Foreign exchange rates used for conversion of foreign currency invoices.
Control Description: Weekly foreign currency rates are updated in the ERP system by the person as per the Authority Matrix. The rights to update the masters are restricted as per Authority Matrix.
Control Owner: As per company policy
Test Performed: 1. Compare the rates applied for invoice processing with the RBI rate.
Attributes tested: Exchange rate applied as per RBI rate
Sample Size: Forex rates in 10 weeks

Checklist 21
Fixed Assets and Capex
Process | Sub-process | Risk | Control Description | Control Owner | Test Performed | Attributes tested | Sample Size | Data analytics performed
Process: Fixed Asset and Capex
Sub-process: General entity level control
Risk: Authority matrix may not be prepared or approved from Board of Director (BOD).
Control Description:
1. The organisation has clear and comprehensive (up to date) Delegation of Authority (DOA)/ Delegation of Power (DOP) and Authority Matrix.
2. Authority matrix is approved by Board of Directors, defining the authorities for approving capital purchase transactions or performing various transactions during the purchase process.
3. To incorporate situations where emergency procurement needed.
Control Owner: As per company policy
Test Performed: Check capital item procurement DOA/DOP is available and approved by BOD for following activities.
1. Requisition for purchase of machinery, if any.
2. Opening of tender/quotations for purchase of machinery.
3. Purchase order for purchase of fixed assets.
4. Comparative chart of technical and financial bidding.
5. Quality check and its approval.
6. Issue of Debit note for return/rejection of machine or for rate difference.
7. Authorisation of date of erection and commissioning of plant and machinery.
8. Ensure the PPE items comply with safety, regulatory and standards.
9. Asset requisition report indicating the payback period.
Attributes tested: Approved DOA/DOP for capital purchase
Sample Size: Approved DOA/DOP from BOD
Data analytics performed: NA
Risk: Inadequate Segregation of Duties and access rights which may result in fraudulent / unauthorised fixed asset transactions
Control Description:
1. Document defining appropriate Segregation of Duties (SODs) is in place.
3. Periodic Review of Segregation of Duties and Access rights is conducted.
Control Owner: As per company policy
Test Performed:
1. Check documented SOD and Access right list.
2. Verify same SOD and Access right also entered in system for approval of transactions.
3. Verify evidence of periodic review of SOD and Access rights in ERP system.
4. Check only authorized person have access to perform to fixed assets.
5. Verify the fixed assets transactions on a sample basis and trace them through the process to identify any instances where one person is responsible for multiple steps (initiating, approving and recording).
6. Check physical count of assets on a sample basis and reconcile the counts with Fixed assets register. See for discrepancies that might indicate unauthorized disposals or acquisitions.
7. Examine any documents related to transfer of fixed assets between departments or location. Verify that transfers are properly authorized.
8. Review the system audit trail to identify any unusual or unauthorized activity relating to fixed assets, that may indicate fraudulent transactions.
9. Check the system access log to identify any unusual or unauthorized access.
Attributes tested: 1. Documented SOD, Access right list 2. Periodic review
Sample Size: 1. SOD 2. Access right List 3. Half yearly review document
Data analytics performed: Analyse fixed asset transaction carried out during the review period to identify the following: 1. Unauthorised users performing transactions 2. Transaction rights granted to same person.
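The data-analytics step of this row (unauthorised users performing transactions; transaction rights granted to the same person) and test point 5 (one person initiating, approving and recording the same transaction), worked as an added Python example. This is not code from the checklist; the user ids, the access-rights list and the transaction log are constructed sample data.

```python
"""Segregation-of-duties analytics over a fixed-asset transaction log.

Constructed sample data: the access-rights list and the transaction log below
are invented for this illustration; they are not taken from any real ERP.
"""
from collections import defaultdict

# The three steps of a fixed-asset transaction that the checklist wants
# performed by different people (test point 5).
STEPS = frozenset({"initiate", "approve", "record"})

# Constructed access-rights list: the ERP ACL that the checklist says must
# mirror the Authority Matrix. user id -> steps the user may perform.
ACCESS_RIGHTS = {
    "anita": {"initiate"},
    "bharat": {"approve"},
    "chen": {"record"},
    "dev": {"initiate", "approve", "record"},  # all rights granted to one person
}

# Constructed fixed-asset transaction log for the review period:
# (transaction id, step performed, user id who performed it).
TRANSACTION_LOG = [
    ("FA-001", "initiate", "anita"),
    ("FA-001", "approve", "bharat"),
    ("FA-001", "record", "chen"),
    ("FA-002", "initiate", "dev"),
    ("FA-002", "approve", "dev"),      # same person initiated and approved
    ("FA-002", "record", "chen"),
    ("FA-003", "initiate", "anita"),
    ("FA-003", "approve", "anita"),    # anita holds no approve right
    ("FA-003", "record", "eve"),       # eve is absent from the ACL altogether
]


def conflicting_rights(rights):
    """Users granted more than one of the three steps in the ACL.

    This is the static check ('transaction rights granted to same person'):
    a finding here is a design weakness even before any transaction occurs.
    """
    return {
        user: sorted(granted & STEPS)
        for user, granted in rights.items()
        if len(granted & STEPS) > 1
    }


def unauthorised_actions(log, rights):
    """Log entries where the acting user holds no right for that step.

    A user missing from the ACL has no rights, so every action by that user
    is flagged ('unauthorised users performing transactions').
    """
    return [
        (txn, step, user)
        for txn, step, user in log
        if step not in rights.get(user, set())
    ]


def sod_violations(log):
    """Transactions in which one user performed two or more of the steps.

    Returns {transaction id: {user id: sorted steps performed}}, listing only
    users who appear in more than one step of the same transaction.
    """
    steps_by_user = defaultdict(lambda: defaultdict(set))
    for txn, step, user in log:
        steps_by_user[txn][user].add(step)
    findings = {}
    for txn, users in steps_by_user.items():
        multi = {u: sorted(s) for u, s in users.items() if len(s) > 1}
        if multi:
            findings[txn] = multi
    return findings


def review(log=TRANSACTION_LOG, rights=ACCESS_RIGHTS):
    """Run all three checks and return the findings in one dictionary."""
    return {
        "conflicting_rights": conflicting_rights(rights),
        "unauthorised_actions": unauthorised_actions(log, rights),
        "sod_violations": sod_violations(log),
    }


if __name__ == "__main__":
    for check, result in review().items():
        print(f"{check}: {result}")
```

On the sample data the three checks return one conflicting-rights user, two unauthorised actions and two transactions with a single person on more than one step.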

Risk: SOP may not be defined to ensure consistency and standardisation of operations.
Control Description:
1. The organization has clearly defined Standard Operating Procedures for fixed asset and capex in place.
2. Organization has defined Activities, Roles and Responsibilities, Key Performance Indicators (KPIs), Timelines and Frequency of activities along with various documents of capital transactions to be maintained.
Control Owner: As per company policy
Test Performed:
1. Check SOP available and complete in all aspect of roles, KPI, Timelines and frequency of activities, etc.
2. Check when fixed asset SOP updated last.
Attributes tested: Approved SOP and completeness
Sample Size: Updated SOP
Data analytics performed: NA
Sub-process: Statutory compliance
Risk: Non-compliance of statutory requirements under different Acts.
Control Description: All statutory requirements under various Acts complied.
Control Owner: As per company policy
Test Performed: Ensure proof for compliances of following:
1. Whether Schedule II of Companies Act, 2013, which relates to useful life of assets to compute depreciation has been adhered to.
2. As per Schedule III of Companies Act, 2013, fixed assets are broadly divided into four categories, i.e. tangible assets, intangible assets, capital work in progress, and intangible assets under progress.
3. Whether the unit has complied with the provisions of the Factories Act, 1948 with regard to hazardous machine, machine in motion and transmission machines, etc.
4. Whether hoists and lifts are properly maintained as per Factories Act 1948 and is thoroughly examined by a competent person at least once in every period of six months and a register is kept for this purpose.
5. Payment of Customs duty and custom clearance of imported machinery as per Customs Act, 1962.
6. Deduction and payment of TDS for installation, fabrications and commissioning of plant and machinery, if applicable.
7. Whether the unit has obtained an appropriate certificate from Central Pollution Control Board (CPCB), if applicable.
8. Depreciation is not claimable on the amount equal to ITC/ Cenvat Credit if claimed against purchase of any machinery.
9. Ensure the track on fixed assets for claiming input tax credit under GST ensuring proper documentation and reconciliation on input tax credit claims.
10. Whether a company is into real estate, check whether they complied as per the Transfer of Property Act.
11. Check whether the company has complied with labour laws and complied with health and safety regulation.
Attributes tested: Compliance under various Acts
Sample Size: Compliance checklist and review document.
Data analytics performed: NA
Process: Fixed Assets controls
Risk: Recognition of fixed asset may not be as per Ind AS 16 Property, Plant and Equipment
Control Description: Fixed assets are recognized only if they have future economic benefit to the company.
Control Owner: As per company policy
Test Performed:
1. Verify that cost of an item of property, plant and equipment shall be recognised as an asset if, and only if: (a) it is probable that future economic benefits associated with the item will flow to the entity; and (b) the cost of the item can be measured reliably.
2. Items such as spare parts, stand-by equipment and servicing equipment are recognised in accordance with this Ind AS when they meet the definition of property, plant and equipment. Otherwise, such items are classified as inventory.
3. Check certificate / Undertaking of put to use.
Attributes tested: Recognition of asset as per Ind AS 16 requirements
Sample Size: 1. 30 purchase invoice or 30% of high value asset purchase invoice during the year whichever is higher. 2. 20 installation certificate
Data analytics performed: NA
Risk: Fixed Asset balances may not be matched with general ledger balances
Control Description:
1. All fixed asset are recorded in books as and when received and updated in Fixed Assets Register (FAR) accordingly.
2. On monthly basis designated person review General Ledger (GL) balances with Fixed asset register prepare reconciliation for difference.
3. All transaction are supported by vendor invoices.
Control Owner: As per company policy
Test Performed:
1. Whether the reported fixed assets balance agrees with the related account records in the general ledger.
2. Check periodic review of Fixed Assets Register (FAR) and ensure its timely updation.
3. Whether recorded fixed assets transactions tallies with the supporting documents, such as, vendor's invoice.
4. Check reconciliation between FAR and GL must be reviewed by designated person, and it should not have long pendency.
5. Whether complied with Ind AS 16 requirement or not.
6. Check fixed assets balances with external parties.
7. Check fixed assets transactions are recorded in correct accounting period.
Attributes tested: Reconciliation between FAR and GL's at cut-off date.
Sample Size: GL balances and FAR balances
Data analytics performed: Analyse items description in fixed asset register to ascertain various assets are correctly grouped in different heads as per nature.
Risk: Fixed assets may be physically verified at regular intervals to identify unrecorded transactions, write off obsolete assets and gaps with FAR.
Control Description:
1. Company have policy of physical verification of fixed asset at regular intervals.
2. All fixed assets are marked with unique identification code.
3. Verification of asset are done along with identification of obsolete machinery.
Control Owner: As per company policy
Test Performed:
1. Whether identification number is put on all the assets and cross verified with FAR.
2. Whether recorded fixed assets have been physically examined at regular interval and compare it with fixed assets register and discrepancies, if any, should be reported.
3. Check obsolete/non-performing fixed assets are periodically identified and documented. An action plan for its disposal/alternate use should be initiated.
Attributes tested: Physical verification controls
Sample Size: 1. Latest physical verification report 2. Fixed asset register
Data analytics performed: NA
Risk: Other expenditure related to fixed asset may not be capitalised along with assets
Control Description:
1. Expenditure incurred upto make an asset operational are capitalised along with asset i.e. Installation cost, commissioning cost.
2. Borrowing cost incurred upto date of capitalization also become part of fixed assets.
Control Owner: As per company policy
Test Performed:
1. Check recorded fixed assets correctly classified as capital assets and certain expenses that are attributable for bringing that asset to its working condition and use, are to be included in the cost.
2. Further the borrowed cost, if any, is also to be capitalized up to the first date of acquisition/construction as per Ind AS 23.
3. Also considered foreign exchange fluctuation provision as per Ind AS 21. Ind AS 21 does not permit capitalisation of forex differences.
4. Check subsequent expenditure relating to an item of fixed assets should be added to its book value only if they increase the future benefits.
5. A cost sheet should be prepared with a complete breakup of various cost incurred to make asset operational.
Attributes tested: Capitalization of other related expenditure
Sample Size: Vendor invoice of 30 assets capitalised during the year along with cost sheets
Data analytics performed: NA
Risk: Disclosure of fixed asset may not provide complete details of gross, net and net addition, deletion during accounting period.
Control Description:
1. Assets are disclosed with completed details of gross, addition, deletion and net value during accounting period.
2. Asset for disposal is shown at net realizable value or net book value whichever is lower.
Control Owner: As per company policy
Test Performed:
1. Check material items retiring from use and held for disposal are to be stated at lower of net book value and net realizable value. Ensure that the cost of spare parts of obsolete machinery is taken at nil value.
2. Check fixed assets are disclosed – gross and net value at the beginning and end of the accounting period showing addition, disposal, acquisition, etc.
Attributes tested: Disclosure of all assets during accounting period.
Sample Size: Fixed Assets Register (FAR) with complete detail & general ledger of various asset.
Data analytics performed: NA
Risk: Assets may not be insured to avoid losses in case of mis-happening
Control Description: All assets are reinstated and reinstated values approved from appropriate authority for insurance purposes.
Control Owner: As per company policy
Test Performed:
1. Check whether all the fixed assets are properly insured, and proper safety measures have been taken.
2. Assets should be insured by reinstated value instead of gross. Reinstatement should be approved by appropriate authority before insurance quotation.
3. Quotation should be obtained from different vendors and verify all clauses under different quotation and accordingly obtain insurance policy from vendor whose quotes match with business requirement.
4. Any significant asset purchased during the year should also be covered under insurance policy by giving additional premium.
5. Proper records have been maintained for sending machinery for outwards repairs fabrication. Third party location should be insured also under insurance policy.
Attributes tested: Insurance of fixed assets
Sample Size: 1. Insurance policy 2. Reinstatement values 3. Gross value of fixed assets
Data analytics performed: NA
Risk: 1. Disposal of fixed assets is not in accordance with Company Policy. 2. Assets identified for disposal may not be adequately safeguarded against theft or unauthorised use.
Control Description: Company derecognised asset on 1. Disposal 2. When no future economic benefits are expected from its use or disposal
Control Owner: As per company policy
Test Performed:
1. Check carrying amount of an item of property, plant and equipment shall be derecognised at the time of disposal.
2. Complied with other provision of derecognition as per Ind AS 16.
3. Check sale register to verify sale of asset and recognised as revenue.
Attributes tested: Asset may not be derecognised
Sample Size: 1. 20 sale invoices of asset and corresponding entry in Fixed Asset GL. 2. Sale Register
Data analytics performed: NA
Process: Depreciation control
Risk: Useful life of assets may not be defined as per Company Act 2013 requirement and leads to inappropriate depreciation.
Control Description:
1. Useful life of assets are defined by considering life as per schedule II of Company Act 2013.
2. Depreciation method is followed on consistent basis.
Control Owner: As per company policy
Test Performed:
1. Check useful life of tangible assets should not be ordinarily different from the useful life specified in Part C of the Schedule II of the Companies Act, 2013.
2. Check residual value should not be more than 5% of the original cost of the tangible asset.
3. Where a company adopts a different useful life or uses a different residual value as above, the company is required to disclose such difference and provide justification, that it is supported by a technical advice.
4. Check depreciation methods applied are followed consistently.
5. Check for changes needs to be made to comply with the requirement of statute, change in accounting standard and as needed for better presentation.
6. Electricity Company has to continue to charge depreciation in accordance with Electricity Act.
7. Depreciation on asset which is used in double/triple shift is to be increased by 50% and by 100%, respectively.
8. Verify the basis of which useful life estimates are made.
Attributes tested: Compliance of Schedule II of Company Act 2013
Sample Size: 1. Current year and previous year FAR to check useful life of asset 2. Depreciation schedule as per Company Act 2013.
Data analytics performed: NA
Risk: The depreciation method may not reflect pattern of future economic benefit from assets as per Ind AS 16.
Control Description: Depreciation method is used by considering asset's future economic benefits are expected to be consumed by the entity.
Control Owner: As per company policy
Test Performed:
1. Check compliance of Ind AS 16, the depreciation method used shall reflect the pattern in which the asset's future economic benefits are expected to be consumed by the entity.
2. Verify the depreciation method applied to an asset shall be reviewed at least at each financial year-end and, if there has been a significant change in the expected pattern of consumption of the future economic benefits embodied in the asset, the method shall be changed to reflect the changed pattern. Such a change shall be accounted for as a change in an accounting estimate in accordance with Ind AS 8.
3. Check depreciable amount of an asset shall be allocated on a systematic basis over its useful life.
4. Check residual value and the useful life of an asset shall be reviewed at least at each financial year-end and, if expectations differ from previous estimates, the change(s) shall be accounted for as a change in an accounting estimate in accordance with Ind AS 8, Accounting Policies, Changes in Accounting Estimates and Errors.
Attributes tested: Compliance with Ind AS 16 Property, Plant and Equipment
Sample Size: 1. Analysis sheet of future benefits 2. Depreciation schedule as per Company Act 2013.
Data analytics performed: NA
Process: Impairment
Risk: Impairment analysis may not be performed by the company
Control Description: On yearly basis, company performs impairment analysis on assets.
Control Owner: As per company policy
Test Performed:
1. Check how company reviews the carrying amount of its assets, how it determines the recoverable amount of an asset.
2. Check when company recognises, or reverses the recognition of an impairment loss.
3. Check other compliance as per Ind AS 36.
Attributes tested: Compliance of Ind AS 36, impairments of items of property, plant and equipment
Sample Size: Impairment analysis of the company
Data analytics performed: NA
Process: Income Tax Act, 1961
Risk: Non-compliance under Income Tax Act, 1961
Control Description: Depreciation under Income Tax Act, 1961 is provided on percentage on Written Down Value as prescribed in Income Tax Rules, 1962.
Control Owner: As per company policy
Test Performed:
1. Check whether depreciation is provided, based on block of assets.
2. Check whether depreciation is provided on the percentage on the written down value (W.D.V.) as prescribed in Rule 5(1) read with table of depreciation prescribed in Income Tax Rules, 1962.
3. Depreciation for a period of less than 180 days is restricted to 50% of the amount calculated as above.
4. Other depreciation provision under Income Tax Act 1961.
Attributes tested: Compliance with Income Tax Act, 1961 requirement.
Sample Size: Depreciation schedule as per Income Tax Act
Risk: Fixed Assets disposal/transfers are not accurately calculated and recorded.
Control Description: Company also complied Income Tax provisions in case of sale of asset.
Control Owner: As per company policy
Test Performed:
1. Check whether, if any, asset is sold, discarded, demolished in the previous year then its written down value at the beginning of previous year be increased by actual cost of assets acquired in the same block during the previous year and be reduced by the sales consideration with scrap value, if any, and depreciation be provided on balance of such block.
2. Verify surplus arising on sale of capital asset is chargeable to tax as short-term capital gain by virtue of Section 50, these cases are: (a) When the written down value of a block of asset is reduced to nil though all the assets falling in block are not transferred. (b) When a block of asset ceases to exist.
Attributes tested: Compliance with Income Tax Act 1961 requirement.
Sample Size: 1. GL and calculation sheet of profit or loss on sale of asset 2. Capital gain working sheet 3. 10 sale invoice or 50% value of asset sold during the year whichever is higher.
Data analytics performed: NA
Process: Intangible Asset
Risk: Non-compliance with statutory law requirement
Control Description: Company complied with Company Act, 2013 and Income Tax Act, 1961 requirements.
Control Owner: As per company policy
Test Performed:
1. Check schedule II of Companies Act, 2013 for the Intangible assets, the provisions of accounting standards applicable for the time being in force would apply (except in the case of intangible asset created under Build, Operate and Transfer (BOT) or Build, Own, Operate and Transfer (BOOT), etc.).
2. As per Income Tax Act Depreciation @ 25% is allowable on intangible assets, namely, know-how, patents, copy rights, trademarks, licenses, franchises, or any other business or commercial rights of similar nature.
3. Check the impairment tests for intangible assets.
4. Review the amortization methods used for intangible assets.
Attributes tested: Depreciation on intangible asset
Sample Size: Depreciation schedule as per Company Act and as per Income Tax Act.
Data analytics performed: NA
Process: Other Control
Risk: Due diligence decision on sale purchase of fixed asset may not be performed leads to wrong decision
Control Description: Company performs proper due diligence in sale, purchase and maintenance of Fixed Assets
Control Owner: As per company policy
Test Performed:
1. Check reasons and cost benefit analysis of such buying recorded.
2. Check in case of make/buy decision, the calculation of actual cost.
3. Check that related party transactions are made at arm's length price.
4. Check whether, in case, replacement of any machinery is to be done, check reason for the same whether it is due to technological change or obsolescence of assets.
5. Check whether technical know-how is obtained for sophisticated machineries.
6. When any machine is scrapped, whether way of its disposal is ascertained and documented.
7. Whether break down analysis of assets is done.
8. Whether date-wise obligation for insurance and maintenance is observed.
Attributes tested: Due diligence performed on various asset transaction
Sample Size: 10 high sale invoices, 20 high purchase Invoices
Data analytics performed: NA
Risk: Fixed Assets Register is not maintained and not reviewed at regular intervals.
Control Description: There is a system of reporting various information on periodic basis and corresponding actions are taken by management.
Control Owner: As per company policy
Test Performed:
1. Check pending requisitions for which Purchase Order (PO) is not raised.
2. Check list of pending Orders (POs) for which supply is not made.
3. Check list of long outstanding advances to suppliers but fixed assets not supplied with capital commitments.
Attributes tested: Periodic reporting and analysis
Sample Size: 3 months
Data analytics performed: NA

Checklist 22
Project Management
Process | Sub-process | Risk | Control Description | Control Owner | Test Performed | Attributes tested | Sample size | Data analytics performed
Process: Pre-Project Readiness
Sub-process: Business have domain expertise.
Risk: Risk of taking up projects which may not be financially or operationally viable or where the business does not have domain expertise. The business should do a preliminary study of the proposed project in terms of viability from (a) Financial (b) Operational (c) Legal / Regulatory view and also consider whether the business has domain expertise in it.
Control Description: Any project that needs to be taken should be assessed for its viability by the experts within the Company or with support of an external consultant. The decision to invest in new project vests with the Board of Directors. The Board of Directors may entrust to review the project viability to a committee of Directors.
Test Performed: Review whether the project has been approved by the Board of Directors after a due diligence is done and its viability is established.
Attributes tested: Due Diligence of the Project
Sample size: 100%
Process: Pre-Project Readiness
Sub-process: Budgetary Allocation
Risk: Risk of adequate funds not being allocated or planned for the project.
Control Description: Ensuring that the budgetary process includes consideration of new projects including tenure, possible borrowing costs, sources of funds etc.
Test Performed: To review the budgetary process to ensure that the budget includes funds allocated for projects.
Attributes tested: Adequacy of Budgetary Allocation.
Sample size: 100%
Process: Pre-Project Readiness
Sub-process: Compliance to Environmental, Social and Governance requirements (ESG).
Risk: Risk of non-compliance with ESG factors which could later lead to possible shut down of the unit due to ESG related factors.
Control Description: To review whether the Company has reviewed compliance with ESG regulations including pollution control norms, how the project would be useful to the community, diversified workforce, fair pay or remuneration and other factors.
Test Performed: Review critically decisions relating to type of equipment being procured, location of the plant, process expected to be adopted, etc., which may impact environment. To review the pay structure, gender diversification, medical and health insurance related aspects for the workforce, impact on the community around the unit. To also review the process of how the Governance (i.e., the Board) is considering investment in new project.
Attributes tested: Review of ESG Factors
Sample size: 100%
Process: Pre-Project Readiness
Sub-process: Planning
Risk: Risk of Project management without adequate planning of timelines and activities.
Control Description: Review of how the entire project is planned to include use of any project management tools, allocation of resources, activities and sub-activities being planned, review of the progress on a timely basis (say fortnightly / monthly) by the Board of Directors. If there is any other committee managing the project, review the committee's report to the Board on project management and whether key issues are discussed, and action is taken to ensure the bottlenecks are removed. Review of Actual Vs. Budgeted activities.
Test Performed: (a) Ensuring the project is managed within the timelines; (b) Ensuring the project is within the budgetary allocation; (c) Ensuring that the Board of Directors monitor the progress of the project in a timely manner; (d) Review of the project progress report and compare the developments with the project report.
Attributes tested: Review of key project milestones.
Sample size: 100%
Process: Project Management
Sub-process: Execution Stage
Risk: Risk of project not being executed in the manner it was planned and there is delay in project execution leading to additional costs / investments, delay in obtaining the benefits it was expected and possible non-viability of the project if not done in time.
Control Description: Whether the project management is continuously monitored by a dedicated team and whether the Board of Directors are apprised of the progress. Whether there is an audit or review done by a third party to certify the progress.
Test Performed: Review of the project management techniques and whether those charged with governance are aware of the progress.
Attributes tested: Review of Project monitoring process.
Sample size: 100%
Process: Project Management
Sub-process: Execution Stage
Risk: Risk of taking alternative courses of action without formal approval process thereby delaying the project or incurring additional costs.
Control Description: Any alternative courses of action or decisions should have been approved by the Board or delegated authority.
Test Performed: Review of all the alternative courses of action with management approval.
Attributes tested: Review of Project monitoring process.
Sample size: 100%
Process: Project Completion
Sub-process: Completion Stage
Risk: Risk of non-compliances with various laws and regulations to ensure commencement of operations.
Control Description: The Company should have a checklist of all compliances that would be required, and whether the same has been complied with or not should be reviewed by the general counsel / legal expert.
Test Performed: Review of the checklist being prepared and ensuring the compliance.
Attributes tested: Review of legal compliance
Sample size: 100%
Process: Project Completion
Sub-process: Completion Stage
Risk: Risk of not ensuring that all the aspects of project completion are complied with or not.
Control Description: Project completion report should be prepared and submitted to the Board including (a) Budget Vs. Actual variances and reasons (b) Certifying that all regulatory approvals are obtained.
Test Performed: Review that the project is completed and certified in all respects.
Attributes tested: Review of the closure process
Sample size: 100%

Checklist 23
Inventory Management

Table columns: Process | Sub-process | Risk | Control Description | Test Performed | Attributes Tested | Sample Size | Data Analytics Performed
Process: Inventory Management
Sub-process: Initialization
Risk: Stores not functioning properly.
Control Description: Stores functions are defined and documented.
Test Performed:
1. Obtain a certified copy of the Trial Balance for the period under audit. Alternatively, extract the Trial Balance from the system.
2. Obtain:
i. Key Result Areas/ Objectives of the Stores Function as well as of the Unit/ Category under audit;
ii. An organogram of the Stores Function;
iii. Delegation of Authority;
iv. All policies, standard operating procedures, office orders, etc. which relate to the Stores Function.
3. Ask whether any work has been done on IT General Controls (ITGC) / Segregation of Duties (SoD) (in ERP environment) controls. Review the report thereof and modify the audit program accordingly.
4. Read the internal audit report of the previous internal audit as well as any comments made by External Auditors and identify any unresolved issues for follow-up with Management. Review the status of such matters with Management and document the results of the same.
Note: There is a possibility that departments other than stores, such as Quality, Production Planning & Control (PPC) and Procurement, are involved in inventory management, depending on the company and industry. Ensure that the audit steps given above/ below are used wherever applicable.
Process: Inventory Management
Sub-process: Initialization
Risk: Inadequate controls over inventory management.
Control Description: Inventory management procedure is defined and documented.
Test Performed:
A. Conducting an analytical review would reveal certain trends which would indicate inadequate controls over inventory management. An indicative list has been given below:
i. Comparison of Cost of goods sold with the Sales;
ii. Identification of short receipts per inventory items/ vendor;
iii. Comparison of rejections/ returns to vendors with the receipts;
iv. Comparison of goods issue with the production planning.
Further a trend analysis can be conducted to identify control weakness. An indicative list for trend analysis:
i. Inventory turnover: how many days inventory has been maintained against the norms defined by the company;
ii. Inventory ageing analysis:
- percentage of inventory lying for more than 180/ 360 days;
- percentage of inventory non-moving/ slow-moving for more than 180/ 360 days;
- percentage of inventory lying in damaged, expired, near-expiry, rejected locations etc., for more than 180/ 360 days;
iii. Percentage of total inventory (RM/ PM/ FG) lying in damaged, expired, near-expiry, rejected locations, etc.;
iv. Disposals then reorder: multiple instances of any particular inventory item being prematurely designated as scrap and re-ordered;
v. Rejections and Returns: check whether there is an unusually high incidence of returns and rejections from any particular vendor.
Process: Inventory Management
Sub-process: SOP for Inventory management
Risk: 1. SOP may not be defined to ensure consistency and standardization of operations including Segregation of Duties (SOD).
Control Description:
1. Organization has clearly defined Standard Operating Procedures and Delegation of Authority (DOA) for inventory management in place.
2. Organization has defined sequence of Activities, Roles and Responsibilities, Key Performance Indicators (KPIs), Timelines and Frequency of activities along with various documents to be maintained for Inventory management (including adequate segregation of Duties).
Test Performed:
1. Check whether SOP is available and complete in all aspects of roles, KPI, timelines, frequency, MIS, Responsibility Assignment Matrix (RACI), etc.
2. Check when SOP was updated last and the process of change management, i.e. proposal to change, acceptance and approval of amendment to SOP. Standard Operating Procedures for Inventory Management (including at least the following):
i. Detailed procedures for receipt, storage and movement of stocks;
ii. Inventory levels (re-order level, minimum order level etc.);
iii. Stacking norms;
iv. Inventory holding norms (ex. Domestic RM/ PM: 60 days; Imported RM: 90 days; Imported PM: 60 days etc.);
v. Procedure to be followed for all of the important activities described above under Segregation of Authority (SoA) / DoA.
3. To benchmark the existing SOP with the companies from similar/different industries for process standardization.
4. To assess whether Delegation of Authority (DoA) mapped is in line with current organization structure and updated to reflect current processes in place, including but not limited to the maker-checker-approver concept.
5. Review the above documents from the point of view of:
i. Segregation of duties;
ii. Coverage;
iii. Design of controls.
6. Check the coverage/ adequacy of the documented policy / manual / standard operating procedures (SOP) in respect of the above-mentioned areas.
7. Inquire as to when these policies were last updated / reviewed and when the next review date is; these should be reviewed at least annually or whenever there is a significant change in business model, whichever is earlier.
8. If the Company does not have formally documented policies/ guidelines or standard operating procedures, review available financial/ non-financial inventory information and conduct interviews with operating management to identify the significant processes in the Stores Function. Assess the risk due to absence of documentation (e.g. in absence of SoP for inventory management, a high staff turnover in the stores function might indicate inadequately maintained inventory records) and accordingly modify the audit program; also ascertain the extent of automation in the Stores Function. Basis the Key Result Areas/ Objectives, document the significant risks and mitigating controls. These should be tested in the Work Program, unless some are clearly out of scope. Illustrative list of important activities which should definitely be mentioned in the SoA/ DoA:
i. Approval for write-off from financial books/ physical destruction/ cycle-count adjustments/ shortages or excesses identified during quarterly or annual physical verification;
ii. Approval for re-allocation of inventory from saleable to non-saleable/ damaged/ expired storage locations (usually this may be an automated process);
iii. Approval for movement of inventory on Returnable Gate Pass (RGP) or Non-Returnable Gate Pass (NRGP).
Data Analytics Performed: 1. Identify key metrics and performance indicators that are important for inventory management such as order fulfilment rate, lead time, stock turnover rate, DOA rate, etc.
Process: Inventory Management
Sub-process: Material master maintenance
Risk:
1. Inadequate maintenance of material master and inadequate access rights relating to Additions, Modifications and blocking of material codes.
2. Incorrect data is updated in the material master.
3. Shortage of material due to material levels not being defined.
4. Materials not routed for QC clearance, or QC clearance takes more time.
5. Invalid/Inaccurate changes being made to the inventory management master file.
Control Description:
1. Access to material master is restricted only to the authorized personnel of inventory department or Master Data Management (MDM) team.
2. The material code is created based on approved request from user department.
3. Material master is reviewed on a regular basis and discrepancies noted, if any, are corrected.
4. Logs of changes are generated from the system and approved.
5. Each of the materials has minimum level, maximum level, ROQ, ROP defined at master level. Critical materials, if any, are identified and mapped for ABC classification.
6. System to be configured so as not to allow creation of duplicate material code for same material.
7. Define requirement of QC clearance at material code level, i.e. whether material is required to be routed through QC process.
Test Performed:
1. Check access rights for creation/modification of Material master.
2. Check approved request for material code creation/modification from user department and creation/modification of material code in ERP by authorized personnel only.
3. Review material master change log and check whether the same were done by authorized personnel only after approved request from user department.
4. Review the dates of requests for change against the log maintained for actual changes made. Check for any pending requests and ascertain the reasons thereof.
5. Check maker-checker process for creation/modification of material code in ERP.
6. Check whether periodic review is carried out for Material master.
7. Check process to carry out material criticality assessment to identify critical materials/spares.
8. Check whether all materials have ABC classification and inventory levels defined.
9. Check whether defined materials are cleared via QC check before GRN or issuing for consumption.
Data Analytics Performed:
1. Verify material master for any missing details.
2. Verify unauthorized creation of material codes.
3. Verify duplicate material codes created for same items.
4. Verify whether correct valuation type selected.
5. Verify material master change log for any unauthorized changes.
6. Verify correct HSN code mapping and correct tax classification.
7. Verify QC enabled or not for material codes.
8. Verify whether safety stock, minimum stock, maximum stock, reorder level, lot size, etc. defined.
9. Verify correct cost centre/ profit centre selected for material code.
10. Verify turn-around time for QC clearance along with material pending in QC for longer time.
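The material master tests above (access restricted to authorised personnel, changes only against approved user-department requests, pending requests, duplicate codes) as an added example that is not part of the checklist; the user ids, request and change-log records, dates and material descriptions are constructed sample data, and the review date is an assumption.

```python
"""Material master control tests over constructed ERP extracts (added example)."""
from collections import defaultdict
from datetime import date

# Constructed: personnel authorised to maintain the material master (control 1).
AUTHORISED_MDM_USERS = {"mdm_anita", "mdm_ravi"}

# Constructed: change requests from user departments (control 2).
# (request_id, material_code, action, requested_on, status)
APPROVED_REQUESTS = [
    ("REQ-101", "RM-0001", "create", date(2024, 1, 8), "approved"),
    ("REQ-102", "RM-0002", "modify", date(2024, 1, 9), "approved"),
    ("REQ-103", "PM-0007", "create", date(2024, 1, 2), "approved"),  # never actioned
    ("REQ-104", "RM-0003", "create", date(2024, 1, 15), "pending"),  # not yet approved
]

# Constructed: material master change log as extracted from the ERP (control 4).
# (log_id, material_code, action, changed_by, changed_on, request_id)
CHANGE_LOG = [
    ("CHG-1", "RM-0001", "create", "mdm_anita", date(2024, 1, 9), "REQ-101"),
    ("CHG-2", "RM-0002", "modify", "mdm_ravi", date(2024, 1, 10), "REQ-102"),
    ("CHG-3", "RM-0003", "create", "mdm_ravi", date(2024, 1, 16), "REQ-104"),  # request only pending
    ("CHG-4", "RM-0009", "modify", "store_sunil", date(2024, 1, 17), None),  # stores user, no request
]

# Constructed: material master records for the duplicate-code test (control 6).
# (material_code, description, unit_of_measure)
MATERIAL_MASTER = [
    ("RM-0001", "Sodium Chloride 25 kg bag", "BAG"),
    ("RM-0002", "Caustic Soda Flakes", "KG"),
    ("RM-0005", "sodium  chloride 25 KG  BAG", "BAG"),  # same item as RM-0001
    ("PM-0010", "Carton 400x300x200", "NOS"),
]


def normalise(description: str) -> str:
    """Collapse case and whitespace so near-identical descriptions compare equal."""
    return " ".join(description.lower().split())


def unauthorised_changes(log=CHANGE_LOG, authorised=AUTHORISED_MDM_USERS):
    """Tests 1 and 3: changes keyed by a user outside the authorised MDM team."""
    return [log_id for log_id, _, _, changed_by, _, _ in log if changed_by not in authorised]


def changes_without_approved_request(log=CHANGE_LOG, requests=APPROVED_REQUESTS):
    """Tests 2 and 4: changes with no approved request for that code and action,
    or made before the request was raised."""
    approved = {
        (code, action): requested_on
        for _, code, action, requested_on, status in requests
        if status == "approved"
    }
    findings = []
    for log_id, code, action, _, changed_on, _ in log:
        requested_on = approved.get((code, action))
        if requested_on is None or changed_on < requested_on:
            findings.append(log_id)
    return findings


def pending_requests(log=CHANGE_LOG, requests=APPROVED_REQUESTS, as_of=date(2024, 1, 31)):
    """Test 4: approved requests with no matching change, with their age in days at as_of."""
    actioned = {req for *_, req in log if req}
    return {
        req_id: (as_of - requested_on).days
        for req_id, _, _, requested_on, status in requests
        if status == "approved" and req_id not in actioned
    }


def duplicate_material_codes(master=MATERIAL_MASTER):
    """Control 6 / analytics 3: more than one code for the same description and UoM."""
    groups = defaultdict(list)
    for code, description, uom in master:
        groups[(normalise(description), uom)].append(code)
    return [sorted(codes) for codes in groups.values() if len(codes) > 1]


if __name__ == "__main__":
    print("Changes by unauthorised users:", unauthorised_changes())
    print("Changes without approved request:", changes_without_approved_request())
    print("Approved requests still pending (age in days):", pending_requests())
    print("Duplicate material codes:", duplicate_material_codes())
```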
Process: Inventory Management
Sub-process: Material Requisition
Risk:
1. Unauthorized preparation/ modification of material requisition slip.
2. Inadequate inspection of material at entry gate.
Control Description:
1. To have defined DOA/DOP for creation of material requisition slip and authorization of material requisition slip.
2. Material requisition slip is raised for requisite material and quantity by authorized personnel only, while modification of requisition slip is to be done only after proper justification and approval from HOD.
3. To ensure that no material can enter factory gate without due inspection by security person.
Test Performed:
1. Check documented SOD, access rights and whether they are followed or not.
2. Verify conflicting access rights and inadequate SOD.
3. Verify material requisition slip authorized by respective person as per DOA/DOP.
4. Verify periodic review of outstanding requisitions pending approval along with justification.
5. Is there a system of preparing requisition slip by the production department to source the materials from Stores dept., or is it automatically generated through the ERP System? In case it is automatically generated then ensure that the requisitions are created basis the Bill of Material loaded in the ERP System.
6. Review instances wherein special requisition notes (outside BOM) have been issued and root cause analysis for the requirement and frequency of issuance of the same.
Data Analytics Performed:
1. Verify whether there are any conflicting access rights given to the user.
2. Verify whether DOA/DOP has been defined for MRS.
3. Verify MRS prepared and approved as per defined DOA/DOP.
4. Verify list of Material requisition slips pending for approval since long.
5. Verify whether all necessary details in MRS were mentioned or not.
Process: Inventory Management
Sub-process: Material Issuance
Risk:
1. Unauthorized preparation of issue note and/or delay in issue of material.
2. All material issued may not be recorded or may not be recorded promptly.
3. Material issued physically is different from the one stated in requisition slip.
4. Materials issued may be accounted at incorrect price/rate.
5. Earlier procured material is not issued and leads to quality deterioration/pile-up.
6. Material specific to the Bill of Material (BoM) or maintenance is issued as general consumption.
7. Cost of material consumption is not recorded to the appropriate cost center.
Control Description:
1. Access to inventory module is restricted to authorized personnel only.
2. Materials should be issued on a timely basis as per requisition and consumption is to be recorded in ERP with no delay.
3. Segregation of duty between personnel preparing issue slip and the one physically moving material and updating bin cards.
4. Based on the MRS prepared, system to auto-fetch quantities and rate of material issued. No manual intervention to be allowed for manually modifying the rate or quantities of stock in posting material consumption.
5. Unless otherwise specified, the materials are to be issued on FIFO basis.
6. Periodic review or system configuration to be there to ensure that all materials are correctly issued against production/ maintenance orders.
Test Performed:
1. Check list of persons having access right for issuance of material.
2. Check unauthorized issue of material.
3. Check delay in issue of material.
4. Check material issuance without material requisition for materials wherein MRS is required to be prepared in ERP.
5. Check outstanding requisitions against which material issue is pending.
6. Check sample issue slips to verify that correct material is issued in ERP, along with delay in recording material issue in ERP as compared to actual issue of physical material.
7. Check pattern in which the material is being issued, i.e. FIFO or LIFO.
8. Check whether BoM material or maintenance spares are issued as general consumption.
9. Obtain an understanding of the process followed for issue of goods; obtain the system report of the issuances made during the audit period.
10. Check whether there is a system of updating the system at the time of issue to the shop floor or is the same done at the end of the day.
11. Is there a system of Issue slips against each requisition slip? Are the receipts against the issues acknowledged by the shop floor in-charge?
12. Check the inventory movement from warehouse / shopfloor locations. In case of any transfers to locations other than those involved in production, seek explanation for the same.
13. Select samples from the issues and ensure that for each issue:
i. Issues are made as per requisition which is consistent with the latest Bill of Material;
ii. Issues are approved as per the DoA;
iii. Timely issue of goods;
iv. Goods are quality approved;
v. Issues are recorded in Material Issue Note;
vi. Material is issued in presence of quality dept. personnel;
vii. Issue notes are acknowledged by the receiver;
viii. Timely updation in Inventory system.
14. Inquire whether there has been any reversal of the issued goods. Obtain the system report of the reversal of the issues made during the year. Inquire on the reasons for the returns and approval process. In case of industries where back flushing is done, understand the back flushing process and inquire on the process of identification of negative stock position.
Data Analytics Performed:
1. Verify whether there are any conflicting access rights given to user.
2. Verify whether DOA/DOP has been defined for Material issue.
3. Verify Material issue slip prepared and approved as per defined DOA/DOP.
4. Verify list of Material requisition slips pending material issue since long.
5. Check delay in material issue by comparing entry date and posting date and verify posting date with physical issue slip.
6. Check rate of material issue is as per policy of company (for e.g., in case of moving average, compare moving average rate for the period with material issue rate).
7. Verify ageing of inventory to ensure that the material is issued on FIFO and inventory is not getting piled up.
8. Carry out material movement analysis (in comparison with past 2-3 periods) to see procurement, ageing, lead-time and consumption pattern of individual materials.
9. Verify that BoM items and maintenance spares are issued against specific orders only, i.e. production order or maintenance order, and not as general consumption.
10. Verify that all materials issued as general consumption have cost-centers mapped, while correct cost-centers are mapped to the department/ function to which the said consumption pertains.
Process: Inventory Management
Sub-process: Material Return
Risk:
1. Unauthorized return of material to stores.
2. Incorrect valuation of returned material.
3. Procurement and consumption of low quality material.
Control Description:
1. Material is returned to stores after appropriate authorizations.
2. Appropriate accounting treatment is done for returned material.
3. Root causes of materials returned from production floor to be analysed to ensure whether there exists any quality issue in material supplied by vendor.
Test Performed:
1. Check material return rate is same as the material issue rate.
2. Check that material return slip is authorised by appropriate authority along with adequate justification of material return.
3. Check whether material returned is transferred to blocked stock or not in case of damaged/rejected material.
4. Check correct entry is posted in ERP for material return against original material issue slip.
5. Review the time taken in return of rejected material to the vendor and inquire into cases of undue delay.
6. Check that the rejected material which has not been returned to the vendor is stored separately from normal material; determine the ageing of such materials and understand reasons for items held since long time (also determine the management guideline w.r.t. in what time rejected goods should be returned to vendors).
7. Review reasons for rejections and action taken. In case the Stores Department is responsible for issuing Debit Notes / asking for replacements, verify whether they have been raised properly or not. Inquire whether production has been hampered because of rejections. Inquire as to who bears the cost of returning the rejected goods to the vendor and suggest possible changes in case the company bears the cost.
8. Check whether the debit notes have been passed directly in the FI Module and adjustment may not have been done in inventory stock ledger.
9. Check whether there has been subsequent reversal of rejected material and the same has been approved by Quality dept. based on documented justification.
10. Conduct a physical verification of the area where rejected goods are stored. Obtain the rejection report and verify the physical availability of the rejected goods. Inquire for missing items and the reason for the same. Identify long pending items in the rejection report and inquire the reasons for delay in dispatch/ liquidation/ destruction of said stocks.
Data Analytics Performed:
1. Check material return entry made against corresponding material issue slip.
2. Check material return transferred to blocked/restricted stock in case of rejected/damaged material.
3. Check reversal of consumption entry in case of return of consumable items.
4. Check frequency of material returns from specific user/department/machine.
5. Check process of QC approval and technical verification before taking approval to scrap out, if any.
6. Check that returned material is stored to same location/bin from which it was originally issued.
7. Check that there is no change in cost-center while recording material return, i.e. cost-center opted for recording material return to be same as material issue.
8. Verify that quantity of material return/consumption reversal does not exceed the quantities of material issued till date.
Process: Inventory Management
Sub-process: Inventory Valuation
Risk:
1. Inventory lying with individual departments, at period ends, may not be considered for purpose of inventory valuation.
2. Inventory may be recorded at the incorrect cost under the entity's costing method (e.g., FIFO, LIFO, Average Cost, Standard Cost).
3. Inaccurate valuation of the stock being transferred to other units, private parties or other organizations.
Control Description:
1. Inventory value as per MIS/Costing & Financials is reconciled to ensure accuracy.
2. Weighted Average Cost method is followed for inventory valuation & inventories at each month end are valued accordingly.
3. Material transfers from one unit to another are valued based on transfer pricing rules and reviewed at a level that identifies inventory age, status, expiration dating, etc.
4. On each month end while preparing monthly MIS & Financials, to ensure accuracy of costing & valuation of such inter-site transfers.
5. Material disposals and rejections should be reviewed for trends, or signs that other inventory materials may be subject to obsolescence.
6. Decisions regarding materials under QC/QA review should be documented and approved to support financial reserves or lack thereof.
Test Performed:
1. To check which cost method is followed for inventory valuation.
2. Transfer pricing rules are followed or not.
3. Inventory value as per MIS/Costing & Financials is reconciled to ensure accuracy.
4. Check correct valuation type selected for all material codes at respective location.
5. Check cost of transportation and other incidental cost incurred were considered for inventory valuation.
6. Check whether correct variance posting entry for difference in standard price and actual price is posted.
7. Check inventory showing at zero value.
8. Check inventory valuation for non-moving and slow-moving as per policy of the company.
9. Check adjustment entry made in books of account for provision of diminution in value of inventory.
10. Check correct disclosure of inventory valuation in financial statement as per applicable GAAP/Ind AS & correct disclosure of Inventory in Tax Audit report.
11. Check that inventory is valued at cost or NRV whichever is lower.
12. Check that manual changes in inventory value are done by authorized persons only.
13. Check that value of obsolete material is reduced to give impact of obsolescence.
14. Check the provision made in books of accounts for non-moving and slow-moving inventory items.
Data Analytics Performed:
1. Compare value of inventory reflected in material module and finance module.
2. Check inventory showing at zero value.
3. Check receipt of inventory at zero value.
4. Check difference in rate of inventory at receiving and supplying location in case of transfer of inventory (e.g., material transfer from X location at Rs. 100 and material received at Y location at Rs. 90).
5. Verify calculation of standard price of inventory and check whether all necessary costs were considered to arrive at standard price.
6. Compare material movement rate with standard price to identify material movement at other than standard price.
7. Verify variance posting entry for difference in standard price and actual price.
8. Compare inventory valuation to confirm it is not more than its net realizable value.
9. Check log of changes in inventory value to identify unauthorized change in inventory value.
Process: Inventory Management
Sub-process: Gate Inward/ outward
Risk:
1. Material received in the company without authorization.
2. Incorrect material is received as compared to what was actually ordered.
3. Quantity of material received in excess or short as compared to purchase order.
Control Description:
1. Gate inward entry is made in the system itself by the person verifying the material at gate.
2. Qty cannot exceed the PO quantity and GRN cannot be prepared without gate inward entry.
3. Gate outward should not be allowed without Returnable Gate Pass (RGP)/ Non-returnable Gate Pass (NRGP)/ sales invoice.
4. Tolerance limits are defined in the system to restrict excess/shortage receipt of material.
Test Performed:
1. Check Gate inward register.
2. Check whether all GRNs were made against gate inward only. Inquire if there are manual receipts of material without Gate Entry/ GRN. Verify the documentation maintained and the process of regularization of manual receipts; identify the causes for manual receipt of material and inquire the action taken by the management to prevent such occurrences.
3. Check inward quantity in gate inward entry does not exceed PO quantity (incl. tolerance limit).
4. Check delay in gate inward entry from gate inward date.
5. Check delay in GRN against gate inward entry.
6. Check long aged pending GRN entries against gate inward date.
7. Check whether adequate adjustment entry passed for goods in transit in books on cut-off date/book-closure date.
8. Check SOD between person doing gate inward and GRN entry.
9. Check Gate outward entry made only against RGP/NRGP/sales invoice.
10. Select a sample & analyse the following:
i. Ensure that a record is maintained at the Plant gate for all goods/ materials received at the Plant (Gate Entry Record is prepared);
ii. Ensure that a Goods Receipt Note (GRN) or equivalent is prepared for every receipt of goods;
iii. GRN is prepared against a valid Purchase Order (PO)/ Contract (check whether the IT system or the manual process, as applicable, allows a GRN to be prepared without a PO/ Contract);
iv. Date of PO is before the date of GRN (to determine whether the client follows a practice of ordering verbally & preparing POs at the time of receipt of goods in Plant);
v. Timely preparation of GRN subsequent to entry in Plant premises;
vi. Timely inspection of goods received, by the Quality Dept.;
vii. Timely availability of the material (in the system), for issue to production;
viii. GRN quantity is after subtracting the Quality Sample (understand how documentation/ accounting is done for sample quantity withdrawn by Quality for testing);
ix. Compare details of Challan and Inspection Report with the copy of Purchase Order and investigate for differences, if any;
x. Quantity received matches quantity per Purchase Order (or within acceptable tolerance limits as defined by client management);
xi. In case of receipts in excess of PO quantity, ensure that the Stores personnel accept such excess quantity only once the PO is amended & re-approved per DoA;
xii. Ensure that all material receipts are updated in Inventory only after approval by Quality Dept. (understand how it is ensured that no material can be received without quality testing; usually the control is built into the material master in the IT System);
xiii. In case goods are damaged in transit, claims for insurance are put in as per the policy/ debits are made to the CFA / Transporter / Vendor accordingly;
xiv. Confirmation of receipt of goods being sent to the Accounts department to facilitate passing of supplier's bills (also check for review of GR/IR at the month end);
xv. Check for ModVAT Benefit taken on the Input raw material at the time of receipt of material (also ensure that in case the Plant is located at an Exempt Location then ModVAT benefit should not be taken);
xvi. In case of imported material ensure Bill of Entry & other necessary documents are available before accepting goods in the Plant premises.
11. Obtain a listing of POs and quantities received against the same. Analyse the following:
i. POs are automatically closed/ blocked once 100% receipts have been made against the PO, to ensure that further supplies cannot be made;
ii. The time period for which POs are 'open' & determine the reasons thereof.
12. Obtain the list of GRN reversals and verify the following:
i. The reason for reversal;
Data Analytics Performed:
1. Compare GRN quantity and gate inward quantity.
2. Check total quantity inward during the period against PO with PO quantity.
3. Check delay in gate inward entry from gate inward date.
4. Check delay in GRN against gate inward entry.
5. Check material inward without PO (emergency procurement).
6. Check long aged pending GRN entries against gate inward date.
7. Check whether adequate adjustment entry passed for goods in transit in books on cut-off date/book closure date.
8. Check access rights for Gate entry and GRN with same user.
9. Check access rights for RGP/NRGP/sales invoice and gate outward entry with same user.
ii. Approval for
reversal;
iii. Supporting
documentation;
iv. For the selected
samples verify if
subsequent GRNs
have been
generated and are
genuine
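The GRN-to-PO tests above (iii, iv, x/xi and 5.i) are the kind of checks that run well over an ERP extract. The following is an added example and not part of the checklist: it takes constructed PO and GRN records (field names, the "OPEN"/"CLOSED" status values and the 2% tolerance are assumptions) and lists, per test, the documents that fail.

```python
"""Added example (not from the checklist): GRN-to-PO analytics for the
receipt-of-material tests: GRN without a PO, PO dated after the GRN,
receipts beyond PO quantity/tolerance, and POs left open after full receipt.
All records below are constructed; field names and status values are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PurchaseOrder:
    po_no: str
    po_date: date
    qty_ordered: float
    status: str                # "OPEN" / "CLOSED" as carried in the ERP (assumed)


@dataclass
class GRN:
    grn_no: str
    grn_date: date
    po_no: Optional[str]       # None when the GRN carries no PO reference
    qty_received: float


# Constructed sample extract
SAMPLE_POS = [
    PurchaseOrder("PO-1001", date(2024, 4, 1), 100, "OPEN"),
    PurchaseOrder("PO-1002", date(2024, 4, 20), 50, "CLOSED"),
    PurchaseOrder("PO-1003", date(2024, 5, 2), 200, "OPEN"),
]
SAMPLE_GRNS = [
    GRN("GRN-1", date(2024, 4, 5), "PO-1001", 60),
    GRN("GRN-2", date(2024, 4, 9), "PO-1001", 45),    # 105 received against 100 ordered
    GRN("GRN-3", date(2024, 4, 18), "PO-1002", 50),   # GRN dated before its PO
    GRN("GRN-4", date(2024, 5, 3), None, 10),         # no PO reference at all
    GRN("GRN-5", date(2024, 5, 6), "PO-1003", 200),   # fully received, PO still OPEN
]


def analyse_grns(pos, grns, tolerance=0.02):
    """Return exception lists keyed by test. `tolerance` is the client-defined
    acceptable over-receipt fraction (assumed 2% here)."""
    po_index = {p.po_no: p for p in pos}
    received = {}
    findings = {"no_po": [], "grn_before_po": [],
                "excess_receipt": [], "po_not_closed": []}
    for g in grns:
        if g.po_no is None or g.po_no not in po_index:
            findings["no_po"].append(g.grn_no)              # test iii
            continue
        po = po_index[g.po_no]
        if g.grn_date < po.po_date:
            findings["grn_before_po"].append(g.grn_no)      # test iv
        received[g.po_no] = received.get(g.po_no, 0) + g.qty_received
    for po_no, qty in received.items():
        po = po_index[po_no]
        if qty > po.qty_ordered * (1 + tolerance):
            findings["excess_receipt"].append(po_no)        # tests x / xi
        if qty >= po.qty_ordered and po.status != "CLOSED":
            findings["po_not_closed"].append(po_no)         # test 5.i
    return findings


if __name__ == "__main__":
    for test, refs in analyse_grns(SAMPLE_POS, SAMPLE_GRNS).items():
        print(f"{test}: {refs}")
```

Each finding still needs the document-level follow-up the checklist describes (amended PO, DoA approval, reason for the open PO); the script only narrows the population to sample from.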
Process: Inventory Management
Sub-process: Returnable Gate Pass/Non-Returnable Gate Pass

Risk Description:
1. Material moved outside the company without authorization in ERP.
2. Material being stolen or missing from the third-party location.
3. Sub-contracted material cannot be made available on the required date.
4. Levy of interest and penalty under GST law if material sent out cannot be returned within the time limit defined in GST law.
5. Materials returned back on RGP are not recorded or reconciled.
6. Material actually received back is different from what was agreed to be received back on RGP.

Control:
1. Only authorized personnel can access RGP/NRGP functions in ERP.
2. Unless authorized, a gate pass cannot be printed. In the absence of a printed gate pass, goods will not be allowed to exit the factory gate.
3. Continuous monitoring to be done for material sent on RGP basis. In case of any change in the expected date of return, proper approval to be obtained from the concerned HOD.
4. Periodic confirmations to be obtained from third-party vendors (sub-contractors) to confirm quantities of material lying with them.
5. In case of any mismatch of physical material quantity with books, immediate actions to be taken.
6. Materials sent on RGPs should be received back against the same RGP reference only, while all RGPs are to be periodically reconciled.

Test Performed:
1. Check DoA/DoP for preparing RGP/NRGP.
2. Check whether RGP/NRGP are created as per the defined DoA/DoP.
3. Check long-aged outstanding RGPs.
4. Check delay in return of material sent on RGP basis, along with justification.
5. Check the penalty clause for delay in return of material in the PO of the contractor and whether the same is followed or not.
6. If material is not received back within 1 year/3 years for input goods or capital goods respectively, GST credit is required to be reversed and added to output tax liability. Check whether the same is followed or not.

Data Analytics Performed:
1. Check whether RGP/NRGP are created from ERP or not.
2. Check delay in return of material sent against RGP and check that appropriate action is taken for reversal of GST credit in case of delay beyond the specified time limit.
3. Check release of RGP/NRGP and extension of due date, if any, followed in ERP.
4. Check turn-around time for material returned back from vendor.
Process: Inventory Management
Sub-process: Inventory Reconciliation

Risk Description:
1. Differences in physical and book stock may not be identified.
2. Unauthorized adjustment of differences between book stock and physical stock.
3. Material adjustments are posted at incorrect/manually updated rates.
4. General ledger inventory balances are inaccurate/unsupported.

Control:
1. At periodic intervals, physical verification of inventories is carried out by internal/external parties at all sites, wherein physical quantity is reconciled with book quantity at all sites for all categories of materials.
2. To make sure that all items are covered under physical verification once in a year.
3. Adjustments to inventory quantities by way of write-offs or write-backs are approved by appropriate authorities.

Test Performed:
1. Check that book stock is periodically & regularly reconciled with physical stock.
2. Write-offs/write-backs are duly approved as per the authority matrix.
3. Conduct surprise physical verification (PV) of inventory.
4. Check documents of physical verification and verify whether the noted differences were approved by the appropriate authority, along with root-cause analysis.
5. Obtain periodic physical verification sheets and review the reconciliation thereof with Book Stock. Check:
i. Is there a written guideline for PV, and is it circulated to the concerned team members?
ii. Ensure that the frequency of the physical count is adequate.
iii. Ensure that the counts are performed by employees whose functions are independent of the physical custody of inventories and record-keeping functions.
iv. Verify availability of documentation of the PV, reconciliation with book stock, approval of senior management and adjustment with book stock.
v. Inquire if significant differences between physical counts and detailed inventory records are investigated before the accounting and inventory records are adjusted to match the physical counts.
vi. Is there any time gap between physical verification and adjustments made to the stock ledger?
vii. Understand the cycle count procedure.
viii. Select samples of the cycle counts conducted and ensure compliance with the procedure.
ix. Identify instances of consistently high differences for particular items. Inquire about the actions taken by management for the identified cases.
x. Ensure that the movement of inventory is adequately controlled during the physical count to ensure proper cut-off.

Data Analytics Performed:
1. Verify material adjustment movements and their frequency to identify any pattern/user/department doing it frequently.
2. Verify the rates at which such write-offs and write-backs are posted.
Process: Inventory Management
Sub-process: Slow-moving/Non-moving Items

Risk Description:
1. Inventory build-up in stores leading to high carrying costs and working capital being blocked.
2. Incorrect representation of financials due to lack of a provisioning policy.

Control:
1. ERP contains the requisite data for non-moving & slow-moving items. However, no controls are in place to restrict procurement of items already available in inventory.
2. Such items are reviewed on a quarterly basis and, if required, such items are transferred to other sites for consumption.

Test Performed:
1. Check for a clear policy or practice on disposal of non-moving and slow-moving inventory goods.
2. Check the periodic review document relating to review of slow-moving & non-moving inventory.
3. Check the inventory ageing report to identify non-moving/slow-moving inventory.
4. Check whether inventory with expired shelf life is considered or not (if available).
5. Analyse the stock holding period of each category of items and compare the same with the company guidelines. Through discussions with the management, identify and isolate items where inventory may have been built up for strategic reasons.
6. Inquire into cases where the inventory holding is significantly at variance with established norms. Discuss the analysis with the management in detail.
7. Steps to carry out stock holding analysis:
i. Obtain the closing stock details for 6 to 12 month-ends; determine the average daily stock;
ii. Obtain the total consumption (RM/PM) or sales (FG) for the same 6 month period; determine the average monthly consumption;
iii. Determine the number of months' inventory from the above;
iv. Identify instances of high inventory holding where the no. of months is also high and discuss the same with Stores/Production/Procurement personnel to understand the reasons thereof;
v. Document the exceptions/deviations noted;
8. Determine if the management regularly receives and reviews reports on ageing of inventories as well as slow/non-moving items.
9. Inquire about the existence of any obsolete/damaged inventory. Check the authorization for categorizing such items as obsolete/damaged inventory and the action being taken by management for liquidation of such items.
10. Scrutinize the stock ledger for the audit period and identify items which have:
i. Either not been issued; or
ii. Where the receipts are significantly in excess of the issues;
iii. Review an ageing of such items along with the value thereof.
iv. Discuss the plan of action of the management on the utilization of such slow/non-moving inventory.
11. Tour warehouse areas and inquire about any items that appear to be old, outdated or would be considered scrap.

Data Analytics Performed:
1. Compare slow-moving & non-moving inventory with inventory ageing.
2. Verify open POs and PRs for non-moving inventory.
3. Verify movements of shelf-life expiry materials in ERP.
4. Verify system controls to block material approaching expiry to restrict further consumption/sale of the same.
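Steps 7 and 10 above are arithmetic over a stock extract. The following is an added example and not part of the checklist: it computes months of inventory per item from constructed month-end closings and monthly consumption (average stock is approximated from the month-end closings rather than daily balances), then applies the step 10 scrutiny. The 3-month norm and the 1.5x receipts-to-issues ratio stand in for the client guideline the text refers to.

```python
"""Added example (not from the checklist): the stock-holding analysis of step 7
and the stock-ledger scrutiny of step 10, run over constructed data. Average
stock is approximated from month-end closings; the norm (3 months) and the
receipts-to-issues ratio (1.5x) are assumed client guidelines."""
from statistics import mean

# Constructed: six month-end closing stocks and monthly consumption per item,
# plus total receipts and issues for the period from the stock ledger
SAMPLE_ITEMS = {
    "RM-001": {"closing": [120, 130, 125, 140, 135, 130],
               "consumption": [60, 65, 62, 58, 64, 61], "receipts": 370, "issues": 370},
    "RM-002": {"closing": [900, 950, 980, 1000, 1020, 1050],
               "consumption": [40, 38, 42, 41, 39, 40], "receipts": 390, "issues": 240},
    "SP-010": {"closing": [15] * 6, "consumption": [0] * 6, "receipts": 0, "issues": 0},
}


def months_of_inventory(closing, consumption):
    """Steps i-iii: average stock / average monthly consumption.
    None when nothing was consumed (cover is undefined, not zero)."""
    avg_consumption = mean(consumption)
    if avg_consumption == 0:
        return None
    return mean(closing) / avg_consumption


def stock_holding_report(items, norm_months=3.0, receipt_issue_ratio=1.5):
    """Step iv and step 10: flag holding above norm, items never issued, and
    items whose receipts significantly exceed issues."""
    report = {}
    for code, d in items.items():
        cover = months_of_inventory(d["closing"], d["consumption"])
        flags = []
        if cover is None:
            flags.append("not issued during period")
        elif cover > norm_months:
            flags.append("holding above norm")
        if d["receipts"] > 0 and d["receipts"] > receipt_issue_ratio * d["issues"]:
            flags.append("receipts significantly in excess of issues")
        report[code] = {"months_cover": None if cover is None else round(cover, 2),
                        "flags": flags}
    return report


if __name__ == "__main__":
    for code, row in stock_holding_report(SAMPLE_ITEMS).items():
        print(code, row)
```

Items with no consumption are reported as undefined cover rather than zero, so that a never-issued spare (SP-010) is not hidden among well-turning items; the flagged list is the population to take to Stores/Production for the discussion in step iv.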
Process: Inventory Management
Sub-process: Inventory Insurance

Risk Description:
1. Inventory may not be insured to avoid losses in case of a mishap.

Control:
1. A Stock Fire Floater Insurance policy for inventory covers the risk of fire, and a burglary policy for inventory is taken to cover the risk of theft.
2. The value of the sum insured under the insurance policy is approved by appropriate authorities.

Test Performed:
1. Check whether all the locations are covered under insurance and proper safety measures have been taken. Ensure that the insurance cover in respect of the average value of inventory is adequate and includes all categories of stocks.
2. The value of the sum insured should be approved by appropriate authorities.
3. Quotations should be obtained from different vendors; verify all clauses under the different quotations and accordingly obtain the insurance policy from the vendor whose quote matches the business requirement.
4. The declaration of the average value of inventory should be filed with the insurance company on a periodic basis as per the policy terms and conditions, and at the time of expiry of the policy any excess premium should be received back by the company.

Data Analytics Performed:
1. Compare the actual value of inventory as per books with the declared value for the policy period and check whether excess premium is paid by the company or not.
2. Verify the treatment of inventory/adjustments in the books in case of any mishap noted, if any.
Checklist 24
Cash and Bank
Columns: Process | Sub-process | Risk Description | Control | Control Owner | Test Performed | Attributes Tested | Sample Size | Data Analytics Performed
Process: Cash and Bank
Sub-process: Entity level controls

Risk Description: Inadequate Segregation of Duties and access rights, which may result in fraudulent/unauthorised transactions.

Control:
1. Segregation of duties is maintained for the following transactions: a. Authorization of cash/bank transactions; b. Physical handling of cash; c. Issuance of cheques and online payments; d. Recording of cash and bank transactions in the books of account; e. Preparation of Bank Reconciliation Statements.
2. Access rights (Write/Read/Delete/Modify) of various people in the organization are reviewed periodically to ensure appropriate SOD and avoid any unauthorized transactions.
3. Periodic review of Segregation of Duties and access rights is conducted. Interim rotation of duties is done periodically by management.

Control Owner: As per company policy

Test Performed:
1. Check the documented SOD and access right list for the various activities of cash and bank transactions.
2. Verify evidence of periodic review of SOD and access rights in the ERP system.
3. Verify that the same SOD and access rights are also entered in the system for approval of cash and bank transactions.

Attributes Tested: 1. Documented SOD, access rights 2. Periodic review

Sample Size: 1. SOD 2. Access right list 3. Half-yearly review document

Data Analytics Performed: Analyse transactions carried out during the review period to identify the following: 1. Unauthorized users performing transactions 2. Conflicting transaction rights granted to the same person. There has to be a separate report on roles assigned to each of the users, and then an analysis of conflicting roles and responsibilities is to be reviewed.
Risk Description: Authority matrix may not be prepared or approved by the Board of Directors (BOD).

Control:
1. Proper authorization of cash and bank transactions as per the Delegation of Authority.
2. The Board of Directors defines the authorities for approving & performing cash and bank transactions.

Control Owner: As per company policy

Test Performed:
1. Check that the DOA/DOP for cash and bank transactions is available and approved by the BOD.
2. In case of any authorized signatory leaving the Company, check whether the list of authorized signatories is revised in a timely manner with a proper Board Resolution and intimated to the bank.

Attributes Tested: Approved DOA/DOP for cash and bank

Sample Size: Approved DOA/DOP from BOD

Data Analytics Performed:
1. Identify transactions of unusually high value compared to other transactions and seek valid authorization and documentary evidence.
2. Analyse transactions to identify possible splitting to circumvent payment authorization limits as per the Delegation of Authority and bank signatories as per the Board Resolution.
Risk Description: SOP may not be defined to ensure consistency and standardisation of operations.

Control:
1. The organization has clearly defined Standard Operating Procedures.
2. The organization should define the sequence of activities, Roles and Responsibilities, Key Performance Indicators (KPIs), timelines and frequency of activities, along with the various documents to be maintained for performing cash and bank transactions.

Control Owner: As per company policy

Test Performed:
1. Check that the SOP is available and ensure its completeness in all aspects of defining roles, KPIs, timelines and frequency of activities, etc.
2. Check the date when the SOP was last updated.

Attributes Tested: Approved SOP and completeness

Sample Size: Updated SOP

Data Analytics Performed: NA
Risk Description: A review system may not be in place to mitigate the risk of inappropriate cash and bank transactions.

Control:
1. The organization has set up an appropriate Management Information System (MIS) for regular monitoring of operations and financial activities by senior/top management.
2. An appropriate Risk Management System (RMS) is in place to identify and mitigate various risks related to project activities of the organization.
3. An appropriate Fraud Risk Assessment activity is conducted, and fraud risks are identified along with relevant controls to avoid any fraudulent transactions.

Control Owner: As per company policy

Test Performed:
1. Check that the MIS for monitoring of cash and bank transactions is appropriate and covers exception transactions.
2. Check the RMS in place to identify and mitigate risks and its functioning related to cash and bank transactions.
3. Check that the fraud risk assessment activity is conducted on a frequent basis and that the controls deployed are effective.

Attributes Tested: 1. MIS 2. RMS 3. Fraud assessment activity

Sample Size: MIS for 3 months; actions and steps taken to identify and control fraudulent activity.

Data Analytics Performed: Analyse various figures reported in the MIS vis-a-vis the details appearing in the ERP system to identify instances of incorrect reporting.
Control (further, same sub-process):
1. Reports are generated as per the requirement of management, along with exception reports.
2. Reports are reviewed by the designated reviewing authority and actions are taken on exceptions accordingly.

Control Owner: As per company policy

Test Performed: Verify that the reports generated meet the management requirements. Also verify that the following are part of the reporting:
1. List of stale or dishonoured cheques.
2. List of long-outstanding 'cheques issued but not yet presented' and cheques sent for collection but not yet collected.
3. List of authorized signatories to bank accounts.
4. List of all bank accounts with balances, including those closed during the year.
5. Relevant ledgers for all cash and bank accounts.
6. List of blank cheques signed and received by the branch.

Attributes Tested: Reporting and action on exceptions

Sample Size: Monthly exception reports for 3 months

Data Analytics Performed:
1. Analyse cash transactions for any cash payment exceeding the prescribed limit for cash payments.
2. Analyse cash transactions for any cash receipt exceeding the prescribed limit for cash receipts.
Sub-process: Cash Balance and control

Risk Description: Physical cash may not match the balance shown in the books.

Control:
1. The organization has a policy of daily recording of cash, and reconciliation of cash transactions with the books is done by the designated authority.
2. Surprise physical verification of cash is done by an independent cross-functional authority.
3. Multi-currency notes are exchanged within a defined timeline.

Control Owner: As per company policy

Test Performed:
1. The auditor should carry out physical verification of cash on a surprise basis to assess whether the cash balance tallies with the books of account.
2. The auditor should examine whether the cash balance shown in the financial statements reconciles with the results of the physical verification, after taking into account the cash receipts and cash payments between the date of the physical verification and the date of the verification.
3. Obtain surprise physical verification documents to review the frequency of the process.
4. The internal auditor should examine whether torn and mutilated currency notes are exchanged within a defined timeline as per policy.

Attributes Tested: 1. Daily recording and reconciliation 2. Surprise cash verification

Sample Size: Monthly cash physical verification reports.

Data Analytics Performed: NA
Risk Description: All cash at the same location may not be verified at the same time, which may lead to the cash balance of one entity being presented as another's.

Control: All cash balances at the same location for all entities are verified at the same time.

Control Owner: As per company policy

Test Performed:
1. All cash balances at the same location should be verified simultaneously.
2. Where petty cash is maintained by one or more officials, all officials concerned deposit the entire petty cash on hand on the last day with the cashier.
3. Check whether the cashier also handles cash of sister concerns, staff societies, etc. In such a case, cash pertaining to them should also be verified at the same time.

Attributes Tested: Simultaneous verification of cash at the same location.

Sample Size: Monthly cash physical verification reports.

Data Analytics Performed: NA
Risk Description: The cash insurance policy may not cover the cash handled at different times and cash in transit.

Control:
1. The Company has a cash insurance policy against the cash balance maintained.
2. The Company has a cash-in-transit insurance policy of sufficient value to cover depositing and withdrawal of cash.
3. The Company also has cash fidelity insurance.

Control Owner: As per company policy

Test Performed:
1. Check that cash in hand at various instances is not under-insured against the policy obtained by the company.
2. Check cash deposit and withdrawal transactions during the audit period to ensure a satisfactory cash-in-transit insurance policy.
3. Verify the cash fidelity insurance policy.

Attributes Tested: Cash insurance policies

Sample Size: Cash insurance policies

Data Analytics Performed:
1. Analyse transactions for cash deposits in bank and cash withdrawals from bank to see if they exceeded the limit as per the cash-in-transit insurance obtained by the Company.
2. Analyse cash balances to identify whether the cash holding exceeds the limit of the cash-in-hand insurance policy obtained by the Company.
Risk Description: Other controls for cash surveillance are not available.

Control:
1. Accounting of collections and payments is done on a timely basis.
2. Camera surveillance of the place designated for cash handling/movement is placed accordingly.
3. Cash is stored and locked in the safe custody of the authorised person only.
4. Managing keys for the cash safe is allowed to the designated person.
5. A register is maintained recording the handing over of the keys to another person when the cashier goes on leave, etc.
6. The cashier is sent on compulsory leave for 20 days in a year and another person acts as cashier.
7. Systems are in place for auto alerts for all cash and bank transactions.

Control Owner: As per company policy

Test Performed:
1. Verify various cash receipt and payment documents and check whether accounting of collections and payments is done on a timely basis.
2. Check whether camera surveillance of the place designated for cash handling/movement is placed accordingly. May also verify backup and monitoring of camera recordings.
3. Verify that cash is stored and locked in the safe custody of the authorised person only.
4. Verify that keys are in the control of the designated person and check whether the person authorised in the absence of that person is defined or not.
5. Verify the system of auto alerts for all cash and bank transactions. Check whether auto alerts are sent to the designated person.

Attributes Tested: Safe custody of cash and receipt documents

Sample Size: 30 payment and receipt documents, or depending on the number of business transactions. Check auto alert records for 1 month.

Data Analytics Performed: NA
Risk Description: All cash transactions may not be authorised, to avoid suspicious transactions.

Control: All cash transactions are reviewed and approved as per the approved Authority Matrix. Also, the same has been entered into the ERP software in the Access Control List (ACL).

Control Owner: As per company policy

Test Performed:
1. Check that cash transactions are approved as per the Authority Matrix.
2. Check the ACL and confirm that the same is updated as per the Authority Matrix.

Attributes Tested: Unauthorised approval rights

Sample Size: 1. ACL 2. Authority Matrix 3. 30 POs

Data Analytics Performed: Analyse the log of modifications of cash transactions during the review period to identify the following: 1. Unauthorized users performing transactions 2. Conflicting transaction rights granted to the same person.

Control (further, same sub-process):
1. Audit logs are generated for changes in cash transactions in the system.
2. A process is in place to monitor audit logs to identify any inappropriate/suspicious activity.

Control Owner: As per company policy

Test Performed:
1. Check recording of audit logs for all cash transactions in the system.
2. Verify the mechanism in place to review audit logs.

Attributes Tested: Audit logs of cash transactions

Sample Size: 1. Audit logs 2. Monthly review of logs, 3 months.
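The entity-level SOD row and the ACL/audit-log rows above both call for the same analysis: a report of rights per user, a test of that report against a conflict matrix, and a pass over the transaction log for users acting without rights. The following is an added example and not part of the checklist. The ACL export and the log lines are constructed, and the conflict matrix is an assumption built from duties a-e listed in the entity-level control column; the real matrix comes from company policy.

```python
"""Added example (not from the checklist): SOD and access-rights analytics for
cash and bank, covering both the entity-level SOD row and the ACL/audit-log
row. The ACL export and audit-log lines are constructed; the conflict matrix is
an assumption built from duties a-e listed in the control column."""
from itertools import combinations

# Duties a-e from the control column, as short codes
AUTHORISE, HANDLE_CASH, ISSUE_PAYMENT, RECORD, PREPARE_BRS = (
    "authorise", "handle_cash", "issue_payment", "record", "prepare_brs")

# Duty pairs one person should not hold together (assumed; the real matrix
# comes from company policy)
CONFLICTS = {
    frozenset({AUTHORISE, ISSUE_PAYMENT}),
    frozenset({HANDLE_CASH, RECORD}),
    frozenset({RECORD, PREPARE_BRS}),
    frozenset({ISSUE_PAYMENT, RECORD}),
}

# Constructed ACL export: user -> duties granted in the ERP
SAMPLE_ACL = {
    "asha": {AUTHORISE},
    "bimal": {HANDLE_CASH, RECORD},     # conflicting grant
    "chitra": {ISSUE_PAYMENT},
    "dev": {PREPARE_BRS},
}

# Constructed audit log: (user, activity, document)
SAMPLE_LOG = [
    ("asha", AUTHORISE, "PV-001"),
    ("chitra", ISSUE_PAYMENT, "PV-001"),
    ("dev", RECORD, "PV-001"),          # dev holds no 'record' right
    ("bimal", RECORD, "CR-009"),
    ("eshan", AUTHORISE, "PV-002"),     # user absent from the ACL
    ("asha", AUTHORISE, "PV-003"),
    ("asha", ISSUE_PAYMENT, "PV-003"),  # same user authorised and paid
]


def conflicting_roles(acl):
    """Users granted two duties that the conflict matrix keeps apart."""
    out = {}
    for user, duties in acl.items():
        hits = [pair for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in CONFLICTS]
        if hits:
            out[user] = hits
    return out


def unauthorised_activity(acl, log):
    """Log lines where the user performed an activity the ACL does not grant."""
    return [(u, a, d) for (u, a, d) in log if a not in acl.get(u, set())]


def same_user_authorise_and_pay(log):
    """Documents both authorised and paid by one user: a conflict exercised in
    practice even when the ACL itself looks clean."""
    by_doc = {}
    for u, a, d in log:
        by_doc.setdefault(d, {}).setdefault(a, set()).add(u)
    return sorted(d for d, acts in by_doc.items()
                  if acts.get(AUTHORISE, set()) & acts.get(ISSUE_PAYMENT, set()))


if __name__ == "__main__":
    print("conflicting grants:", conflicting_roles(SAMPLE_ACL))
    print("unauthorised activity:", unauthorised_activity(SAMPLE_ACL, SAMPLE_LOG))
    print("authorised and paid by same user:", same_user_authorise_and_pay(SAMPLE_LOG))
```

The third function matters because an ACL that looks clean at review time says nothing about a user who acted outside it (as "asha" does on PV-003); the log, not the rights list, is the evidence of what was actually performed.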
Sub-process: Bank balance and control

Risk Description: Bank reconciliation statements may not be prepared or authorised for deviations from the book balance.

Control:
1. The organization obtains balance confirmations for all bank accounts, including closed and dormant ones.
2. Bank reconciliation statements are prepared on a weekly basis by the designated person and reviewed by the authorised person.
3. Unreconciled entries are identified and the reasons for non-adjustment are documented.
4. All reconciliations and evidence of review are verified and signed by a person other than the person responsible for receipts and payments.

Control Owner: As per company policy

Test Performed:
1. Obtain independent confirmation from the bank for all bank accounts, including dormant accounts as well as accounts closed during the year.
2. Verify whether the Bank Reconciliation Statement is prepared at an appropriate frequency and is reviewed by the authorized person for timely action on unreconciled items.
3. Long-pending unreconciled items should be verified in detail with adequate documentary evidence justifying the authenticity of the transaction and the reason for it appearing open in the bank reconciliation statement.
4. Review and approval of all reconciliations and investigation of unusual reconciling items by an official not responsible for receipts and disbursements, including recording evidence of the review and approval by signing the reconciliation.

Attributes Tested: Bank reconciliation statement and review

Sample Size: BRS for 3 months

Data Analytics Performed: Analyse transactions with reversals for proper authorization and reasons, and ensure that the same are not manipulated to circumvent the Bank Reconciliation Statement or hide any unauthorised transactions.
Control (further, same sub-process): Bank reconciliation statements are prepared on a regular basis and reconciliation entries are posted on a regular basis from bank statements to keep the books up to date.

Control Owner: As per company policy

Test Performed:
1. The bank statements of the relevant period should be examined to ensure that cheques issued by the entity but not presented for payment, and cheques deposited for collection by the entity but not credited in the bank account, have been duly debited/credited in the subsequent period.
2. Where the auditor finds that post-dated cheques are issued by the entity, he should verify that any cheques pertaining to the subsequent period have not been accounted for as payments during the period under audit.

Attributes Tested: Updating of books with bank statements.

Sample Size: 2-month bank statements of 3 banks with BRS, or depending on the total number of banks.

Data Analytics Performed: NA
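The two bank-reconciliation rows above describe the same mechanical work: match the cash book to the bank statement, list what is still open, and check that open items clear in the subsequent period. The following is an added example and not part of the checklist: it reconciles a constructed April cash book against constructed April and May statements, derives the balance the bank should show, and flags unpresented cheques older than an assumed 90-day validity as candidates for the stale-cheque reversal mentioned later in this checklist. The closing book balance is likewise an assumed figure.

```python
"""Added example (not from the checklist): a bank reconciliation built from the
cash book and bank statement, a check that open items clear in the subsequent
period, and a stale-cheque flag. All entries are constructed; the cheque
validity period (90 days) and the closing book balance are assumptions."""
from datetime import date, timedelta

# Constructed cash book for April: (reference, date, amount); +receipt, -payment
CASH_BOOK = [
    ("CHQ-101", date(2024, 4, 2), -5000),
    ("CHQ-102", date(2024, 4, 10), -1200),
    ("DEP-7", date(2024, 4, 28), 9000),
    ("CHQ-103", date(2024, 1, 5), -800),     # issued in January, still unpresented
]
BOOK_BALANCE = 20000                         # assumed closing book balance
# Constructed bank statement for April and for the subsequent month
BANK_APRIL = [("CHQ-101", date(2024, 4, 4), -5000), ("CHG-1", date(2024, 4, 30), -50)]
BANK_MAY = [("DEP-7", date(2024, 5, 2), 9000)]
AS_AT = date(2024, 4, 30)


def reconcile(cash_book, bank_stmt):
    """Unpresented cheques, uncredited deposits, and bank-only entries
    (for example bank charges not yet booked)."""
    bank_refs = {r for r, _, _ in bank_stmt}
    book_refs = {r for r, _, _ in cash_book}
    unpresented = [e for e in cash_book if e[2] < 0 and e[0] not in bank_refs]
    uncredited = [e for e in cash_book if e[2] > 0 and e[0] not in bank_refs]
    bank_only = [e for e in bank_stmt if e[0] not in book_refs]
    return unpresented, uncredited, bank_only


def balance_per_bank(book_balance, unpresented, uncredited, bank_only):
    """Book balance adjusted to the balance the bank should show."""
    return (book_balance
            - sum(a for _, _, a in unpresented)   # bank has not yet paid these
            - sum(a for _, _, a in uncredited)    # bank has not yet credited these
            + sum(a for _, _, a in bank_only))    # bank has acted, books have not


def subsequent_clearance(open_items, next_stmt):
    """Split open items into those that clear next period and those still open."""
    next_refs = {r for r, _, _ in next_stmt}
    cleared = [r for r, _, _ in open_items if r in next_refs]
    still_open = [r for r, _, _ in open_items if r not in next_refs]
    return cleared, still_open


def stale_cheques(unpresented, as_at, validity_days=90):
    """Unpresented cheques older than the validity period: entries to reverse."""
    return [r for r, d, _ in unpresented if as_at - d > timedelta(days=validity_days)]


def april_report():
    """Run the whole reconciliation over the constructed data."""
    unpresented, uncredited, bank_only = reconcile(CASH_BOOK, BANK_APRIL)
    cleared, still_open = subsequent_clearance(unpresented + uncredited, BANK_MAY)
    return {
        "unpresented": [r for r, _, _ in unpresented],
        "uncredited": [r for r, _, _ in uncredited],
        "bank_only": [r for r, _, _ in bank_only],
        "balance_per_bank": balance_per_bank(BOOK_BALANCE, unpresented, uncredited, bank_only),
        "cleared_next_period": cleared,
        "still_open": still_open,
        "stale": stale_cheques(unpresented, AS_AT),
    }


if __name__ == "__main__":
    for k, v in april_report().items():
        print(f"{k}: {v}")
```

The derived balance is what the independent bank confirmation in test 1 of the previous row is compared against; items that neither clear next period nor have a documented reason (CHQ-102, CHQ-103 here) are the long-pending items test 3 asks to verify in detail.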
Risk Description: Records of fixed or other deposits may not be maintained for monitoring/examination.

Control: Designated persons prepare a record of all deposits, and certificates are maintained in a safe locker.

Control Owner: As per company policy

Test Performed: In respect of fixed deposits or any other type of deposits with banks, the relevant receipts/certificates, duly supported by bank advice, should be examined and must match the book records. Verify control of safe custody of certificates or documents by the designated person.

Attributes Tested: Control over deposit documents

Sample Size: Verify all deposit certificates

Data Analytics Performed: NA
Risk Description: Unauthorized inter-company deposits.

Control: Inter-company deposits made are backed by board approval.

Control Owner: As per company policy

Test Performed: Inter-company deposits made are backed by board approval and are made at the annual average rate per annum of a public sector bank.

Attributes Tested: Inter-company deposits

Sample Size: List of inter-company loans and deposits

Data Analytics Performed: NA
Risk Description: Financial loss on account of variance between the rates agreed with the bank and the rates charged by the bank.

Control: The designated person in Finance reconciles the rate charged by the bank with the rate agreed; any variation is communicated to the bank.

Control Owner: As per company policy

Test Performed:
1. Monthly reconciliation is prepared by the designated person.
2. Check that deviations are reported to the bank and the corresponding action is taken by the bank.

Attributes Tested: Rates charged per bank statement.

Sample Size: Monthly reconciliation

Data Analytics Performed: Analyse the calculated amounts, formulas, etc. for accuracy of the amounts charged by the bank and calculated by Finance.
Risk Description: Control over banking documents may not be effective.

Control:
1. The organization books collections when cheques are deposited with the bank for collection instead of as cheques in hand.
2. All signed blank cheques are kept in a safe locker with the designated person.
3. All stale cheque entries are reversed.
4. All remittances are provided for in the books and reconciled with the bank statement on a regular basis.

Control Owner: As per company policy

Test Performed:
1. Where post-dated cheques are on hand on the balance sheet date, verify that they have not been accounted for as collections during the period under audit.
2. Verify that any signed blank cheque inventory is kept in the safe. The person must be authorised by the BOD or a designated authority for the same.
3. Examine that suitable adjustments are made in respect of cheques which have become stale as at the close of the year.
4. Remittances shown as being in transit should be examined with reference to their credit in the bank in the subsequent period. Where such remittances have not been credited in the subsequent period, ascertain the reasons for the same. Also examine whether the entity has reversed the relevant entries in appropriate cases.

Attributes Tested: Control over cheques

Sample Size: Verify all reconciliation entries with cheque copies for the latest month

Data Analytics Performed:
1. Analyse bank transactions for duplicate cheque numbers.
2. Analyse cash and bank transactions for suspected duplicate payments, viz. same amount, same party and same date.
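The Delegation-of-Authority row (unusually high values, payments split to stay under authorization limits) and the banking-document row above (duplicate cheque numbers, duplicate payments) are all queries over the same payment register. The following is an added example and not part of the checklist: it runs the four tests over a constructed register. The DoA limit and the "unusual" threshold (10 times the median amount) are assumptions standing in for the client's own figures.

```python
"""Added example (not from the checklist): payment analytics for the
Delegation-of-Authority row (split payments, unusually high values) and the
banking-document row (duplicate cheque numbers, duplicate payments). The
payment register is constructed; the DoA limit and the 'unusual' multiple of
the median are assumptions."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed payment register: (voucher, party, date, amount, cheque_no)
PAYMENTS = [
    ("PV-1", "Alpha Ltd", date(2024, 6, 3), 49000, "000101"),
    ("PV-2", "Alpha Ltd", date(2024, 6, 3), 48000, "000102"),  # two just under the limit, same day
    ("PV-3", "Beta Co", date(2024, 6, 5), 12000, "000103"),
    ("PV-4", "Beta Co", date(2024, 6, 5), 12000, "000104"),    # same party, amount, date
    ("PV-5", "Gamma", date(2024, 6, 7), 3000, "000103"),       # cheque number reused
    ("PV-6", "Delta", date(2024, 6, 9), 250000, "000105"),     # far above the others
    ("PV-7", "Epsilon", date(2024, 6, 10), 2500, "000106"),
    ("PV-8", "Zeta", date(2024, 6, 11), 4000, "000107"),
]
DOA_LIMIT = 50000   # assumed single-signatory limit


def split_payments(payments, limit=DOA_LIMIT):
    """Same party, same day, each payment under the limit, total at or above it."""
    groups = defaultdict(list)
    for v, party, d, amt, _ in payments:
        groups[(party, d)].append((v, amt))
    return {k: [v for v, _ in g] for k, g in groups.items()
            if len(g) > 1 and all(a < limit for _, a in g)
            and sum(a for _, a in g) >= limit}


def duplicate_payments(payments):
    """Same party, same amount, same date under different vouchers."""
    seen = defaultdict(list)
    for v, party, d, amt, _ in payments:
        seen[(party, d, amt)].append(v)
    return {k: v for k, v in seen.items() if len(v) > 1}


def duplicate_cheque_numbers(payments):
    """One cheque number appearing on more than one payment."""
    by_chq = defaultdict(list)
    for v, _, _, _, chq in payments:
        by_chq[chq].append(v)
    return {c: v for c, v in by_chq.items() if len(v) > 1}


def unusual_high_value(payments, multiple=10):
    """Payments above `multiple` times the median amount (assumed 10x); the
    median is used so one very large payment does not mask the others."""
    threshold = multiple * median(a for _, _, _, a, _ in payments)
    return [v for v, _, _, a, _ in payments if a > threshold]


if __name__ == "__main__":
    print("possible splits:", split_payments(PAYMENTS))
    print("duplicate payments:", duplicate_payments(PAYMENTS))
    print("duplicate cheque numbers:", duplicate_cheque_numbers(PAYMENTS))
    print("unusually high:", unusual_high_value(PAYMENTS))
```

Each hit is a sample to pull vouchers for, not a finding by itself: two genuine invoices from one supplier on one day look identical to a split until the approvals are read.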
Sub-process: Petty cash & Imprest

Risk Description: Control over petty cash and imprest transactions may not be effective.

Control:
1. The Company has defined the limit of imprest to employees.
2. The Company defines the nature of transactions for which imprest is paid through cash.
3. The Company has a policy for payment of petty cash expenses.

Control Owner: As per company policy

Test Performed:
1. Is petty cash maintained at a reasonable amount? Verify that imprest is provided as per actual business need and is not lying idle.
2. Check that the system prohibits payment in cash for transactions which would normally be paid by cheque.
3. Are all payments supported by vouchers?
4. Are imprest vouchers cancelled upon reimbursement to prevent reuse?
5. Are reimbursement cheques drawn only in favour of the petty cashier (custodian)?
6. Are all petty expenses paid as per the petty expense policy of the Company?
7. Timely settlement of the imprest balances needs to be ensured.

Attributes Tested: Imprest control testing.

Data Analytics Performed:
1. Analyse imprest transactions for timely settlement.
2. Verify expenses incurred by all employees who are using the pre-imprest policy during the audit period, or imprest lying idle.
3. Analyse cash transactions for any imprest issue/settlement of more than the prescribed amount as per the Company's policy.
Sub-process: Valuation and Disclosure
Risk: Disclosure of cash and bank balance not as per accounting policies and disclosure requirements of Companies Act, 2013.
Control Description: All cash and bank balances are valued and disclosed as per accounting policies and statutory requirements.
Control Owner: As per company policy
Test Performed:
1. Verify that cash and bank balances have been valued and disclosed in the financial statements in accordance with recognized accounting policies and practices and relevant statutory requirements, if any. Further, cash and bank balance is to be disclosed as 'cash and cash equivalent' as per Schedule III of Companies Act, 2013. It is to be disclosed under the heads: (i) balance with banks, (ii) cheques/drafts in hand, (iii) cash on hand.
2. Further, as per Companies Act, 2013 the following additional disclosures are also required to be made: (i) Earmarked balance with banks, e.g., unpaid dividend. (ii) Balance with banks held as margin money/security against borrowings. (iii) Bank deposits with more than 12 months maturity. (iv) Temporary advance should not be included in cash and bank balance.
Attributes tested: Valuation and disclosure
Sample size: Financial statement requirement
Data analytics performed: NA
Process: Payment
Risk: Unauthorized or inaccurate recording of bank payment
Control Description:
1. Every day the concerned person extracts a list of outstanding invoices due for payment. On due date of invoice (as per payment term) the designated person prints Cheque/RTGS/NEFT (as required), generates payment advice and bank payment voucher, and posts the entry in system.
2. After that all details are sent to the approving authority for verification. The authority checks all relevant details entered in the payment voucher and party account and signs the payment advice, payment voucher and cheque/RTGS if within his limit. If approval of cheque/RTGS/NEFT is not within his limit then the same would be sent to Controlling Head/CFO or designated authority for approval. Once the cheque gets approved, the same would be handed over to the respective dept. for realizing payment to vendors.
3. However, in case of RTGS, after getting the approved RTGS copy, the designated person prepares RTGS/NEFT details, uploads the same to the bank site and receives the statement from the bank on the next working day.
4. Manual cheques can also be issued and later on the same would be linked with the system.
Control Owner: As per company policy
Test Performed:
1. Advances - Verify payment voucher cannot be generated without PO reference and beyond PO value.
2. Other payments - Designated person generates outstanding liability and payment due dates. On the basis of liability, payee and amount are selected from the outstanding list generated. Payment list is approved by the designated person for payment processing. Ensure the following:
- All bank payments should be routed only through payables account.
- Verify that there is no modification in the payee account details at transaction level.
- Cheque number is automatically retrieved from the cheque master maintained in the system after approval of payment advice.
- Bank payment vouchers cannot be back dated.
Attributes tested: Bank payment control
Sample size: 20% advance payment, 10% other payment, or depending on quantum of business and nature of transaction.
Data analytics performed: Analyse advance payment transactions with PO records and verify all advance payments are processed after approval of PO only and within PO limits.
Control Description:
1. The payment voucher with required supporting is reviewed and authorised by the personnel authorised as per approved Authority Matrix. The authority matrix is entered in the Access Control List (ACL) in ERP system.
2. The supporting documentation is cancelled or defaced once it is reviewed and the payment voucher is approved.
Control Owner: As per company policy
Test Performed:
1. Check that the ACL in ERP is as per the approved Authority Matrix.
2. In case of any authorized signatory leaving the Company, whether the list of authorized signatories is revised timely with proper Board Resolution and intimated to the bank.
3. Check supporting documents are properly defaced and identified by cheque number at the time of signature.
Attributes tested: 1. Access Control List 2. Defacing of supporting
Sample size: 1. Access Control List 2. Authority Matrix 3. 30 Payment vouchers
Data analytics performed: NA
Risk: Unauthorized use of / access to cheque inventory may lead to financial losses or unauthorised online payment.
Control Description (ERP based control):
1. Cheque Inventory is maintained in ERP; as and when payment is created in the ERP with Cheque as the payment mode, cheque number is auto populated.
2. To ensure cheque serial number wise control, a Tracker of payment through cheques is maintained and on daily basis the same is reviewed.
3. Cancelled cheques, if any, are kept for a period of three months and the serial is also voided in the ERP.
4. All cheques which are issued but not presented to the bank within the prescribed time of three months are reversed and credited to stale cheque account.
5. In case of online bank payment, dual authorization is implemented.
Control Owner: As per company policy
Test Performed:
1. Check whether the serial wise cheque inventory is maintained in ERP or not, and ensure that the missing serials (if any) are accounted for.
2. Conduct a system walkthrough to ensure that cheque number is auto populated.
3. Whether the stationery for cheques required for computerized cheque printing is under safe custody.
4. Identify whether physical verification of unused cheques is carried out on a periodic basis.
5. Check whether there is a process of reconciliation of cheque stationery with ERP and the same is duly carried out.
6. Whether reconciliation of the void cheques' report generated from ERP with actual void cheques is carried out, and all void cheques are filed separately and their details are updated in a file.
7. Verify stale cheque account and reissue of cheques to vendors against the same.
8. Check dual authorisation controls for on-line bank transactions.
Attributes tested: Control over cheques in ERP or online payment.
Sample size: Latest Cheque Inventory
Data analytics performed: NA
Control Description (Manual Control):
1. Cheque Inventory is maintained manually; as and when payment is created, cheques are used in sequential no. and approved by designated authority.
2. To ensure cheque serial number wise control, a Tracker of payment through cheques is maintained and on daily basis the same is reviewed.
Control Owner: As per company policy
Test Performed:
1. Whether, in case of manual cheque processing, the unused cheque stationery is kept under safe custody of the senior officers.
2. Whether a manual cheque inventory register is maintained by Manager Corporate Accounts in respect of inventory of the computerized cheque stationery and kept under lock and key.
3. Whether the cheque receipt register is updated timely and monitored for timely accounting and deposit of cheques in bank. Sample cheque transactions with deposit slips.
4. Check safeguards such as restrictive crossing of cheques, use of pre-printed, pre-numbered forms in case of manual accounting system.
5. Cheques should be authorised by joint signatories.
Attributes tested: Control over manual cheques
Data analytics performed: NA
Control Description:
1. Payment methods other than cheque are also managed with the same controls as cheques.
2. If transactions are put on hold due to "stop payment" instructions, then corresponding entries are also reversed.
Control Owner: As per company policy
Test Performed:
1. Other remittances by bank transfers or letters of instruction (e.g., TTs, MTs, and standing instructions) are subject to the same controls as cheque payments.
2. Check that when "stop payment" instructions are issued, the original entries are also reversed immediately. Verify cases where there was delay in reversal after stop payment instruction.
Attributes tested: Control over payments other than by cheque
Sample size: 50 cases of payment by methods other than cheque.
Data analytics performed: NA
Risk: Unauthorized or inaccurate recording of cash payment
Control Description:
1. Authorised controls over cash payment processing and recording.
2. Cash payment vouchers cannot be back dated.
Control Owner: As per company policy
Test Performed:
1. Verify that only some payments can be made in cash, like small inward freight, employee travelling, advance to employees, payment to small vendors where they have no bank accounts etc., on getting approval as per DOA.
2. Verify cash payment vouchers to ensure manual control over cash payment approvals.
Attributes tested: Cash payment control
Sample size: 50 cash payment vouchers, or as per business quantum and need.
Data analytics performed: NA
Process: Receipt
Risk: Unauthorized or inaccurate recording of bank receipt
Control Description:
1. Cheques are collected by the concerned team, i.e. marketing, sales; they arrange to submit them to the bank and simultaneously prepare PFA (Payment Forwarding Advice) to finance for updation in the customer account.
2. In case of RTGS/NEFT/Net banking, tracking of payment is done through the daily bank statement and accordingly, whenever payment stands credited, the receipt is recorded in the customer account.
3. Ageing prepared by the designated department is sent to the concerned team fortnightly for follow up.
Control Owner: As per company policy
Test Performed: Following steps to be performed:
1. Verify posting of multiple collections against the same UTR number.
2. Verify that there is no modification in the customer account details at transaction level.
3. Verify posting of collections against blocked customers.
4. Bank receipt vouchers cannot be back dated.
Attributes tested: Bank receipt control
Sample size: 20% advance payment, 10% other payment, or depending on quantum of business and nature of transaction.
Data analytics performed: NA
Control Description:
1. The receipt voucher with required supporting is reviewed and authorised by the personnel authorised as per approved Authority Matrix. The authority matrix is entered in the Access Control List (ACL) in ERP system.
Control Owner: As per company policy
Test Performed:
1. Check that the ACL in ERP is as per the approved Authority Matrix.
Attributes tested: 1. Access Control List
Sample size: 1. Access Control List 2. Authority Matrix 3. 30 cash vouchers
Data analytics performed: NA
Control Description:
1. Organization receives postdated cheques and blank cheques from vendors/customers as a security.
2. All such cheques are maintained under safe locker in custody of an authorized person.
Control Owner: As per company policy
Test Performed:
1. Verify an adequate system is in place to store and retrieve post dated cheques and blank cheques obtained as security.
2. Physically verify security cheques against the security tracker and identify expired cheques.
Attributes tested: Control over cheques held as security
Sample size: Security Tracker
Data analytics performed: NA
Risk: Cash receipts may not be deposited in bank on a daily basis, creating risk of theft.
Control Description:
1. All cash collected during the day is deposited in bank on the same day or at the earliest on the next day.
2. Excess cash, more than the limit defined by management, is deposited in bank.
Control Owner: As per company policy
Test Performed:
1. Verify, in case of multiple cash collection points (viz. in case of retail outlets), whether adequate Cash Management Services are obtained from the bank for timely banking.
2. Check all cash receipts are deposited in bank on a daily basis, or whenever cash exceeds the limit defined by management.
Attributes tested: Timely deposit of cash in bank
Sample size: 2 months' cash receipts vis a vis deposit slips/bank statement.
Data analytics performed: Analyse daily cash balance from cash records to identify cash holdings of more than the defined limit.
Process: Bank balance Management
Risk: High balance maintained in account and not utilised properly to save or earn interest
Control Description: Organization verifies transactions in bank accounts; if an account is idle for a long period and has a balance, it is closed after approval from management.
Control Owner: As per company policy
Test Performed:
1. Check all bank accounts and the transactions in them.
2. Verify if a bank account is not operative for a long time and the reason for non-closure.
Attributes tested: Dormant account and closure
Sample size: Listed bank accounts and GL
Data analytics performed: NA
Control Description: Organization has a proper approval policy for transfer of balance from one bank account to another.
Control Owner: As per company policy
Test Performed: Verify approvals of transfers from one bank to another bank.
Attributes tested: Approval for transfer within banks
Sample size: 20 interbank transactions, or as per business need
Data analytics performed: NA
Control Description: Organization has a policy to review the balance in major bank accounts daily, and decisions to transfer balance or convert it into FD are taken by considering future collections and due payments.
Control Owner: As per company policy
Test Performed: Analyse bank transactions to identify any idle bank balances which could have been utilized for repayment of loans or depositing in the OD / CC limit account.
Attributes tested: Utilization of funds
Sample size: GL of major bank accounts
Data analytics performed: Analyse bank transactions to identify any idle bank balances which could have been utilized for repayment of loans, depositing in the OD / CC limit account, or converted into short term FDs.
Process: Statutory Compliance
Risk: Non-compliance with statutory requirements leads to penalty.
Control Description: Organization has a system of proper training for the purpose of complying with various rules and regulations under Income Tax Act 1961 and Companies Act, 2013, to avoid non-compliance under any of these Acts.
Control Owner: As per company policy
Test Performed: While verifying cash and bank transactions, due consideration should be given to the following.
1. Has the unit repaid loans/advances/deposits in cash of Rs. 20,000 and above, in contravention of Section 269T of Income Tax Act, 1961?
2. Has the entity received loans/advances/deposits in cash of Rs. 20,000 and above, in contravention of Section 269SS of Income Tax Act 1961?
3. Has the entity made any cash payments against expenses above Rs. 10,000 (or Rs. 35,000 for goods carriages), in contravention of Section 40A(3)/(3A) of Income Tax Act, 1961?
4. Has the entity received an amount of Rs. 2 lakh or more in cash, in aggregate from a person in a day, or in respect of a single transaction, or in respect of transactions relating to one event or occasion, in contravention of Section 269ST of the Income Tax Act, 1961?
5. Has the Company passed a Board resolution authorizing the signatories to the Bank Account as per Section 179(3) of Companies Act, 2013?
Attributes tested: Statutory compliance
Sample size: GLs of cash and bank
Data analytics performed:
1. Analyse cash transactions for any cash payment of more than the prescribed limit for cash payments.
2. Analyse cash transactions for any cash receipt of more than the prescribed limit for cash receipts.
3. Analyse transactions to identify possible splitting to circumvent payment authorization limits as per Delegation of Authority and bank signatories as per Board Resolution.

481
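The three data-analytics tests of the Statutory Compliance row, run over a constructed cash book. This is an added example, not code from the checklist; the thresholds are the ones the checklist quotes, while the DOA limit, party names and vouchers are assumed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Thresholds quoted in the checklist's Statutory Compliance tests (Income Tax Act, 1961).
CASH_EXPENSE_LIMIT = 10_000             # Section 40A(3): cash payment against expenses above this
CASH_EXPENSE_LIMIT_TRANSPORT = 35_000   # same test, goods carriages
CASH_LOAN_LIMIT = 20_000                # Sections 269SS / 269T: loans, advances, deposits of this or more
CASH_RECEIPT_AGGREGATE_LIMIT = 200_000  # Section 269ST: Rs. 2 lakh or more from one person in a day
DOA_SINGLE_PAYMENT_LIMIT = 50_000       # assumed Delegation of Authority limit (constructed, not from the checklist)


@dataclass(frozen=True)
class CashEntry:
    """One line of the cash book. kind is one of: expense, loan_receipt,
    loan_repayment, receipt (collection from a party), payment (to a vendor)."""
    voucher: str
    on: date
    party: str
    kind: str
    amount: int              # rupees
    transport: bool = False  # payment for goods carriage (higher 40A(3) limit)


def check_single_entry(e):
    """Tests 1 to 3 of the row above: the section a single entry contravenes, else None."""
    if e.kind == "expense":
        limit = CASH_EXPENSE_LIMIT_TRANSPORT if e.transport else CASH_EXPENSE_LIMIT
        return "40A(3)" if e.amount > limit else None
    if e.kind == "loan_receipt" and e.amount >= CASH_LOAN_LIMIT:
        return "269SS"
    if e.kind == "loan_repayment" and e.amount >= CASH_LOAN_LIMIT:
        return "269T"
    return None


def find_aggregate_receipt_breaches(entries):
    """Test 4: cash received from one person in a day, in aggregate, of Rs. 2 lakh or more.
    A single receipt at or above the limit is caught by the same aggregation."""
    totals = defaultdict(int)
    for e in entries:
        if e.kind == "receipt":
            totals[(e.party, e.on)] += e.amount
    return {key: total for key, total in totals.items() if total >= CASH_RECEIPT_AGGREGATE_LIMIT}


def find_split_payments(entries, limit=DOA_SINGLE_PAYMENT_LIMIT):
    """Data analytics item 3: payments to one party on one day that each stay within
    the approver's DOA limit but together exceed it, i.e. a possible split."""
    groups = defaultdict(list)
    for e in entries:
        if e.kind == "payment":
            groups[(e.party, e.on)].append(e)
    flagged = {}
    for key, group in groups.items():
        total = sum(e.amount for e in group)
        if len(group) >= 2 and total > limit and all(e.amount <= limit for e in group):
            flagged[key] = sorted(e.voucher for e in group)
    return flagged


def run_cash_analytics(entries):
    """Run all three tests and return the exceptions for the working paper."""
    single = {}
    for e in entries:
        section = check_single_entry(e)
        if section:
            single[e.voucher] = section
    return {
        "single_entry": single,
        "aggregate_269ST": find_aggregate_receipt_breaches(entries),
        "possible_splits": find_split_payments(entries),
    }


# Constructed sample cash book (not real data).
SAMPLE_ENTRIES = [
    CashEntry("V1", date(2024, 4, 1), "ABC Transport", "expense", 30_000, transport=True),  # within 35,000
    CashEntry("V2", date(2024, 4, 1), "Stationery Mart", "expense", 12_000),                 # above 10,000
    CashEntry("V3", date(2024, 4, 2), "Director A", "loan_receipt", 25_000),                 # 20,000 and above
    CashEntry("V4", date(2024, 4, 2), "Director B", "loan_repayment", 15_000),               # below 20,000
    CashEntry("V5", date(2024, 4, 3), "Customer X", "receipt", 150_000),                     # two receipts,
    CashEntry("V6", date(2024, 4, 3), "Customer X", "receipt", 60_000),                      # 2,10,000 in a day
    CashEntry("V7", date(2024, 4, 4), "Vendor Y", "payment", 45_000),                        # two payments,
    CashEntry("V8", date(2024, 4, 4), "Vendor Y", "payment", 30_000),                        # 75,000 vs 50,000 DOA
    CashEntry("V9", date(2024, 4, 5), "Vendor Z", "payment", 48_000),                        # single, within limit
]

if __name__ == "__main__":
    for test, result in run_cash_analytics(SAMPLE_ENTRIES).items():
        print(test, result)
```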
Checklist 25
Treasury Management
Columns: Final | Sub-process | Risk | Control Description | Control Owner | Test Performed | Attributes tested | Sample size | Data analytics performed
Final: Treasury Management
Sub-process: Initialization
Risk: NA
Control Description: NA
Control Owner: NA
Test Performed:
1. Obtain the Policy on Treasury Management as approved by the Board.
2. Obtain a copy of the Accounting Manual or Standard Operating Procedures.
3. In case such a manual or SOP is not available, obtain an understanding of the banking process and the BRS preparation/review process.
4. Obtain the Authority matrix for Delegation of Authority w.r.t. operation of bank accounts, BRS, etc.
5. Obtain a certified copy of the Trial Balances as on the opening and cut off dates for the audit period.
6. Identify all balances with banks, whether current account, deposit account, etc.
7. Discuss the nature and the purpose of each bank account with the CFO or any other senior person from the client's side, to identify any inoperative accounts and understand any specific purpose for which they are maintained.
8. For the last year, plot a bird's eye view of the total number of bank accounts (e.g. Current Account, Deposit Account, etc.) vis a vis Balance Confirmations available. Be alert for any trend, e.g. confirmation of a particular bank balance not being received. Inquire into any unusual trends.
9. Ensure that there is clear bifurcation of responsibilities, so that no single individual has complete control over all aspects of treasury functions.
10. Distinct roles for activities such as cash management, payment approvals, investment decisions and reconciliation are defined.
Attributes tested: Overview and understanding of Treasury operations
Sample size: None
Data analytics performed:
1. Analyse cash flows, investment transactions and foreign exchange transactions to detect anomalies, unusual patterns, or unauthorized activities.
2. Identify discrepancies that require further investigation.
Final: Treasury Management
Sub-process: Risk management framework and governance (including Treasury Policy)
Risk: Absence of a Standard Policy/ Risk Management Framework may lead to person specific decisions/ actions.
Control Description: Treasury objectives and risk appetite should be clearly defined in the policy document.
Control Owner: Treasury Head
Test Performed:
1. Obtain a copy of the Treasury Policy and assess whether it is updated and approved by the appropriate authority.
2. Whether the policy aligns with the organization's overall financial objectives and risk appetite. Check whether the policy addresses various financial risks, including liquidity risk, interest rate risk, credit risk, and foreign exchange risk.
3. Check whether clear roles and responsibilities are defined for treasury personnel.
Attributes tested: Duly approved comprehensive Treasury Policy and Risk Control Matrix
Sample size: 100%
Data analytics performed: None
Final: Treasury Management
Sub-process: Segregation of Duties
Risk: Lack of segregation of duties over keys, cash/ funds activities.
Control Description: Segregation of duties is enforced through organisational structures, user access in the treasury/payment systems and related procedural documents. There should be an effective segregation of key duties including dealing, settlement, and accounting/reconciliation. These segregations need to be further strengthened if the treasurer executes transactions. This segregation is reinforced through procedures documentation and position descriptions.
Control Owner: Treasury Head
Test Performed:
1. Verify that segregation of duties is implemented to the extent that it is possible, given the number of staff available in finance and related functions.
2. Compensating controls such as senior management oversight are used.
Attributes tested: Segregation of Duties in Treasury Activities
Sample size: 100%
Data analytics performed:
1. Identifying unusual patterns in transaction data such as large or frequent payments.
2. Analysing access permissions and identifying any individual having excessive access to sensitive data or systems.
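Data analytics item 2 above, together with the independence checks the Bank Reconciliation rows of this checklist place on the BRS preparer (not a cheque signatory, no cash handling, no bookkeeping), worked as an analysis of an ERP Access Control List export. This is an added example, not the checklist's own code; the conflicting-pair table is this example's reading of the duties the checklist names, and the user names, role names and the export format are constructed.

```python
from itertools import combinations

# Pairs of treasury duties one person should not hold together. Built from the duties
# the checklist names (dealing, settlement, accounting/reconciliation, cheque signing,
# cash handling, bookkeeping); the pairing itself is this example's assumption.
CONFLICTING_DUTIES = {
    frozenset({"dealing", "settlement"}),
    frozenset({"dealing", "reconciliation"}),
    frozenset({"settlement", "reconciliation"}),
    frozenset({"reconciliation", "cheque_signing"}),
    frozenset({"reconciliation", "cash_handling"}),
    frozenset({"reconciliation", "bookkeeping"}),
}


def parse_acl_export(text):
    """Parse a 'user,role' export of the ERP Access Control List into {user: set(roles)}."""
    acl = {}
    for line in text.strip().splitlines()[1:]:  # first line is the column header
        user, role = (field.strip() for field in line.split(","))
        acl.setdefault(user, set()).add(role)
    return acl


def find_sod_conflicts(acl):
    """Return {user: [(duty_a, duty_b), ...]} for every conflicting pair a user holds."""
    conflicts = {}
    for user, roles in acl.items():
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(roles), 2)
                if frozenset(pair) in CONFLICTING_DUTIES]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def users_with_excessive_access(acl, max_duties=2):
    """Users holding more treasury duties than an assumed ceiling (max_duties is constructed)."""
    return sorted(user for user, roles in acl.items() if len(roles) > max_duties)


# Constructed ACL export (not real data).
ACL_EXPORT = """user,role
asha,dealing
bikram,settlement
bikram,reconciliation
chitra,reconciliation
chitra,cheque_signing
chitra,cash_handling
dev,payment_approval
"""

if __name__ == "__main__":
    acl = parse_acl_export(ACL_EXPORT)
    print("conflicts:", find_sod_conflicts(acl))
    print("excessive access:", users_with_excessive_access(acl))
```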
Final: Treasury Management
Sub-process: Bank Account Management - Opening and Closing of Bank Account
Risk: Unauthorised personnel may open or close bank accounts.
Control Description: The Board has approved an authority matrix to enter/terminate bank relationships, including opening and closing of bank accounts (e.g. bank accounts can be opened or closed only by resolution of the Board of Directors or other authorized body or official). Inactive bank accounts are reviewed and closed. When a signatory is no longer authorized to access the account, the bank should promptly remove their access. This prevents unauthorized individuals from conducting transactions.
Control Owner: Treasury Head
Test Performed:
1. Confirm that the Board of Directors or other authorized body has explicitly authorized the approval authorities for entering, terminating, and managing bank relationships.
2. Identify the list of bank accounts opened and closed during the period by reviewing the Trial Balance (current and previous period). Verify that these were duly approved.
3. Confirm that inactive bank accounts (those not actively used) are identified and reviewed periodically, and check whether there are clear criteria or guidelines for classifying accounts as inactive.
Attributes tested: Authorized opening/closing of bank accounts, review of inactive bank accounts
Sample size: 100%
Data analytics performed: None
Final: Treasury Management
Sub-process: Bank Account Management - Authorized Signatory
Risk: Unauthorized person acts as a signatory for bank accounts. Fraudulent or incorrect payments are made.
Control Description: Signing limits are clearly established/stated. There must be two authorized signatories (e.g. a senior management level non-financial functionary and the Corporate Treasurer/Assistant Treasurer). Signatories for cash disbursements can be added only by resolution of the Board of Directors or other authorized body or official.
Control Owner: Treasury Head
Test Performed: Ensure that there are dual signatories (for both online and cheque payments) for each bank account and the same have been approved by the Board.
Attributes tested: Signatories to Bank Account
Sample size: 100%
Data analytics performed: None
Final: Treasury Management
Sub-process: Bank Account Management - Compliance to GAAP
Risk: Compliance with bank account restrictions is not timely reported to management, and necessary disclosures as per applicable GAAP are not made.
Control Description:
I - Corporate Treasury maintains an up-to-date record of all bank accounts opened/closed with their name and locations; name, titles and functions of local signatories; and rationale for opening/closing an account. A separate general ledger account is maintained for each bank account.
II - Management responsible for monitoring compliance with bank account restrictions (e.g. those in case of Foreign Currency accounts) periodically reviews the compliance status. Adequate guidelines have been drawn up for capturing necessary information for financial statement disclosures (i.e. compensating balances, overdrafts, restrictions on cash balances, etc.).
Control Owner: Treasury Head
Test Performed:
1. Verify that Corporate Treasury maintains a comprehensive record of all bank accounts, including those that have been opened and closed, and check that the records contain relevant information such as the bank's name, location, account numbers, and purpose of each account.
2. Verify that a separate general ledger account is maintained for each bank account and check that the general ledger accounts are properly labelled and identified.
3. Verify that the recording and presentation of bank accounts in the general ledger comply with relevant accounting standards and principles.
4. Ensure compliance with all bank related restrictions.
Attributes tested: Compliance and disclosures relating to Bank Accounts
Sample size: 100%
Data analytics performed: None
Final: Treasury Management
Sub-process: Recording of Bank Transactions - Authorization of payments by the banks for accounts
Risk: Adherence to the authorisation process may not be verified effectively.
Control Description:
I - The list of authorised signatories is available with the Accounts Officials. The same is configured in the banking portal. Specimen signature cards are available with the finance department so as to verify the signatures of the appropriate authority before making payment. All payments should be in compliance with statutory requirements.
Control Owner: Treasury Head
Test Performed:
1. Evaluate the process for approving payments, including the appropriate authorization levels and documentation required for different payment types (online payments, cheque payments). Check whether a Host to Host based payment process has been implemented.
2. Evaluate controls in UPI payments and receipts, like transaction limits, real-time notifications, transaction reconciliation, etc.
Attributes tested: Appropriate recording of bank transactions
Sample size: 100%
Data analytics performed:
1. Apply data analytics to detect potential fraudulent activities, such as unauthorized payments or unusual patterns in bank transactions.
2. Perform trend analysis to identify deviations from normal behaviour.
Final: Treasury Management
Sub-process: Recording of Bank Transactions - Physical control over cheques
Risk: Cheque instruments may be mishandled/ mis-utilized.
Control Description:
I - Adequate control over the inventory of cheques is maintained. All cheques are marked as account payee. Further, for all the banks, access to the stock of unused cheques is controlled. The details of the inventory of cheques (including unused cheques) are maintained in an Excel sheet/ records (control sheet).
II - As the banking system generally allots cheque numbers sequentially, in order to cancel a cheque the same needs to be cancelled in the system, which can be done only by a designated person in the Finance Department. Cancelled cheques are clearly marked and an inventory of cancelled cheques is maintained. In case a cheque gets misplaced, the cheque is voided in the system and at the same time a stop payment advice is sent to the bank concerned.
Control Owner: Treasury Head
Test Performed:
1. Evaluate the controls over physical cheques.
2. Ensure that only authorized personnel can write, sign, or handle cheques.
3. Ensure that access controls restricting access to cheque-writing software or tools have been implemented.
4. Ensure that account reconciliations are performed to ensure all issued cheques are properly recorded and accounted for.
Attributes tested: Control over physical cheques
Sample size: 100%
Data analytics performed: None
Final: Treasury Management
Sub-process: Recording of Bank Transactions - Appropriate Account
Risk: All receipts may not be correctly/timely accounted for (by the cut-off date).
Control Description: The transactions to be conducted through each bank account should be adequately defined. (All capital receipts are deposited in the corporate bank account and are utilized for specific purposes on an immediate basis. All working capital receipts are deposited in division bank accounts. Payment accounts should be separate from collection accounts for better monitoring and control over funds.)
Control Owner: Treasury Head
Test Performed: Scrutinize the transactions in each bank account and ensure that all capital receipts are deposited in the corporate bank account and are utilized for specific purposes on an immediate basis, and all working capital receipts are deposited in division bank accounts. Verify whether payment accounts are separate from collection accounts.
Attributes tested: Recording of bank transactions in appropriate accounts
Sample size: 100%
Data analytics performed: None
Final: Treasury Management
Sub-process: Recording of Bank Transactions - Stale cheques
Risk: Stale cheques may not be reversed, showing an incorrect bank balance.
Control Description: The stale cheques are reversed on a monthly basis to a separate account termed "Stale Cheques Payable Account" maintained for this purpose. No direct transfers to the party's account are made. Amounts lying in the "Stale Cheques Payable Account" which are three years old are transferred to the party's account.
Control Owner: Treasury Head
Test Performed: Verify whether the stale cheques are reversed into the separate account on a monthly basis.
Attributes tested: Reversal of stale cheques
Sample size: 100%
Data analytics performed: None
Final: Treasury Management
Sub-process: Estimation of Working capital Requirements
Risk: All receipts may not be correctly/timely accounted (by the cut-off date).
Control Description: Normal working capital funds should be reviewed at the month end for accuracy and completeness. Periodic financial reports are reviewed by Management, with comparison to budgeted amounts or other financial data for reasonableness of cash and bank balances.
Control Owner: Treasury Head
Test Performed: Review the effectiveness of the fund forecast preparation and review procedure. For a sample month, obtain the forecast and review the underlying assumptions and facts.
Attributes tested: Estimation of working capital requirement
Sample size: 100%
Data analytics performed:
1. Assess the accuracy of cash flow forecasts by comparing forecasted values with actual cash flows over a specified period.
2. Identify areas where forecasting accuracy can be improved, and explain deviations.
Final: Treasury Management
Sub-process: Bank Reconciliation
Risk: Transactions may not be recorded, either by mistake or intentionally.
Control Description: Bank reconciliation is performed by a person independent of banking transactions and accounting. (In cases where independent treasury operating systems are used, a three-way reconciliation is performed between the bank statement, the treasury system and the ledger balances.)
Control Owner: Treasury Head
Test Performed: For each BRS selected in the sample, ensure that:
1. The person responsible for reconciliation is not a cheque signing authority.
2. The person does not have cash handling responsibility.
3. The person does not have bookkeeping responsibility.
4. Adequate maker-checker controls are in place.
Attributes tested: BRS performed by independent person
Sample size: 100%
Data analytics performed: None
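The reconciling items that the Bank Reconciliation rows of this checklist ask the auditor to examine (cheques issued but not presented, cheques deposited but not cleared, items in the statement but not in the bank book, items over 60 days old) derived mechanically from a bank book and a bank statement, with the Cash and Bank rule that an unpresented cheque becomes stale after three months applied on top. This is an added example, not the checklist's own code; the three-month rule is approximated as 90 days, and the opening balance, references and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

OLD_ITEM_DAYS = 60       # checklist: specifically inquire into reconciling items over 60 days old
STALE_CHEQUE_DAYS = 90   # checklist: cheques not presented within three months are stale (90 days assumed)


@dataclass(frozen=True)
class Entry:
    ref: str      # cheque or deposit reference shared by bank book and bank statement
    on: date
    amount: int   # rupees
    side: str     # "payment" (debit) or "receipt" (credit)


def _balance(opening, entries):
    return opening + sum(e.amount if e.side == "receipt" else -e.amount for e in entries)


def reconcile(opening, book, statement, as_of):
    """Build the reconciling items between the bank book and the bank statement as at
    `as_of`, and prove that both sides agree once those items are applied."""
    book_refs = {e.ref for e in book}
    stmt_refs = {e.ref for e in statement}

    issued_not_presented = [e for e in book if e.side == "payment" and e.ref not in stmt_refs]
    deposited_not_cleared = [e for e in book if e.side == "receipt" and e.ref not in stmt_refs]
    in_statement_only = [e for e in statement if e.ref not in book_refs]

    def age(e):
        return (as_of - e.on).days

    # Bank side: add deposits the bank has not yet credited, deduct cheques it has not yet paid.
    adjusted_bank = (_balance(opening, statement)
                     + sum(e.amount for e in deposited_not_cleared)
                     - sum(e.amount for e in issued_not_presented))
    # Book side: bring in items the bank recorded that the book has not (e.g. bank charges).
    adjusted_book = _balance(opening, book) + sum(
        e.amount if e.side == "receipt" else -e.amount for e in in_statement_only)

    return {
        "book_balance": _balance(opening, book),
        "statement_balance": _balance(opening, statement),
        "issued_not_presented": {e.ref: age(e) for e in issued_not_presented},
        "deposited_not_cleared": {e.ref: age(e) for e in deposited_not_cleared},
        "in_statement_not_in_book": {e.ref: e.amount for e in in_statement_only},
        "items_over_60_days": sorted(e.ref for e in issued_not_presented + deposited_not_cleared
                                     if age(e) > OLD_ITEM_DAYS),
        "stale_cheques": sorted(e.ref for e in issued_not_presented if age(e) > STALE_CHEQUE_DAYS),
        "adjusted_book": adjusted_book,
        "adjusted_bank": adjusted_bank,
        "balanced": adjusted_book == adjusted_bank,
    }


# Constructed sample data for the half-year to 30 June 2024 (not real data).
AS_OF = date(2024, 6, 30)
OPENING = 100_000
BANK_BOOK = [
    Entry("CHQ101", date(2024, 1, 5), 20_000, "payment"),   # presented on 10 Jan
    Entry("CHQ102", date(2024, 4, 20), 15_000, "payment"),  # not presented, 71 days old
    Entry("CHQ103", date(2024, 2, 10), 8_000, "payment"),   # not presented, 141 days old: stale
    Entry("DEP201", date(2024, 6, 28), 30_000, "receipt"),  # deposited, not yet cleared
    Entry("DEP202", date(2024, 3, 1), 50_000, "receipt"),   # cleared on 2 Mar
]
BANK_STATEMENT = [
    Entry("CHQ101", date(2024, 1, 10), 20_000, "payment"),
    Entry("DEP202", date(2024, 3, 2), 50_000, "receipt"),
    Entry("BANKCHG", date(2024, 6, 30), 500, "payment"),    # bank charges not yet in the book
]

if __name__ == "__main__":
    for key, value in reconcile(OPENING, BANK_BOOK, BANK_STATEMENT, AS_OF).items():
        print(f"{key}: {value}")
```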
Final process: Treasury Management
Sub-process: Bank Reconciliation
Risk: Transactions may not be recorded, either by mistake or intentionally.
Control Description: Reconciliations between bank statements and the general ledger are performed on a regular basis and are reviewed and approved by management. Reconciling items are identified and corrected as necessary.
Control Owner: Treasury Head
Test Performed:
1. Review each BRS:
a. For evidence of review by a person independent of the person responsible for the reconciliation.
b. To ensure that the review was conducted on a timely basis.
c. Check whether the date of preparation, date of review and date of approval are captured in the BRS.
d. Ensure that resultant actions are documented (as minutes, emails, etc.) and check whether these have produced the desired result (e.g. clearance of old items, rectification of errors/omissions, etc.).
e. For the types of reconciling items: inquire in detail into unusual items (e.g. payments appearing in the bank statement but not in the bank book, etc.).
f. For 'Cheques Issued but Not Presented', check subsequent clearance of these on a 100% basis. Be alert to any unusual trends/occurrences (e.g. a large number of vendor cheques or employee cheques appearing as un-presented for unusually long periods, high-value vendor cheques appearing as un-presented for unusually long periods, etc.).
g. For 'Cheques Deposited But Not Cleared', check subsequent clearance of these on a 100% basis.
h. From the original bank statement of the subsequent month, pick a sample of cheques that were cleared in the first 2-3 working days. Trace these back into the BRS of the previous month. These cheques should reasonably appear in that BRS as 'Cheques Issued But Not Presented'.
i. Specifically inquire into reconciling items that are over 60 days old.
j. Review bank charges, if material. Ascertain whether these are checked independently against the agreement with the bankers, or whether the entry is simply picked up from the BRS and effected in the bank book.
2. For all BRSs tested, reconcile the opening bank balance of the subsequent period with the closing balance of the period under audit.
3. Inquire about the procedures in place when the persons performing and/or supervising the reconciliations are absent from their workplace. Ensure that any substitute persons deployed are competent, suited to their assigned duties and fully aware of how the reconciliations are to be performed and supervised.
4. Out of the sample, select a few BRS (to be agreed with the client and the Engagement Manager/Partner) for detailed verification. For each such BRS, trace:
a. The balance as per the bank book to the bank statement.
b. Each individual reconciling item to the underlying source record.
c. Check the arithmetical accuracy of each group of reconciling items as well as of the BRS itself.
5. Where a BRS has not been prepared because the opening and closing balances are the same, obtain the bank statement for the entire audit period to ensure that there was no activity during the period. A good control practice is to prepare a formal BRS for such accounts as well.
6. Similarly, for accounts explained to be non-operative, check whether a formal BRS was prepared. Further, obtain and review the original bank statement for the entire audit period to ensure that there was no activity during the period.
7. For the bank accounts selected, ensure that bank statements are supported by the bank's balance confirmations; otherwise the bank balances/statements should be verified online. Proof of such online confirmation should be retained in the working papers. If neither of these two procedures is performed, this fact should be clearly stated as a limitation in the audit report.
8. For all balances on deposit account(s), ensure that the original deposit certificates are supported by the bank's balance confirmations; otherwise the deposits should be verified online. Proof of such online confirmation should be retained in the working papers. If neither of these two procedures is performed, this fact should be clearly stated as a limitation in the audit report.
9. For all balances on deposit account(s), check:
a. The due dates of payment of interest.
b. The rate (simple or compounding).
c. The calculations of 'Interest Accrued & Due' as well as 'Interest Accrued But Not Due'.
d. That the accounting thereof is correct, including Tax Deducted at Source.
e. That the disclosure thereof is correct.
10. Review the bank book against the bank statements for each bank account selected for any unusual entries (e.g. inter-bank transfers, cash deposits, etc.) for a period of 5 days before and 5 days after the 'cut-off' date, i.e. the period end. Specifically determine that:
a. Transfers between bank accounts were recorded in the same period, i.e., all transfers prior to the year end were recorded in each ledger before the year end, and vice versa for post-year-end transfers.
b. Transfers not effected by the banks within the accounting period in which they were initiated are properly reflected as reconciling items in the BRS.
11. Review the trend in balances with banks (on various accounts). In case the entity seems to be holding
Attributes tested: BRS prepared and reviewed for all bank accounts
Sample size: 100%
Data analytics performed: None
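The matching, ageing and subsequent-clearance tests in steps f to i above are mechanical enough to run as data analytics over exports of the bank book and the bank statement rather than by eye. The Python script below is an added example written for this page, not part of the checklist or any audit tool: the entry format, the (reference, amount) matching key, the weekday-only working-day count and the sample March bank book, March statement and April statement are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Entry:
    ref: str          # cheque number or bank transaction reference
    amount: int       # whole rupees; receipts positive, payments negative
    posted: date      # date recorded in the bank book / on the bank statement
    narration: str = ""


def reconcile(book, statement, book_balance):
    """Match the bank book to the bank statement on (reference, amount) and
    build the BRS. Assumes references are unique on each side (duplicate
    (ref, amount) pairs would collapse into one). Returns the four standard
    buckets of reconciling items plus the bank balance the BRS proves:
        bank = book - net(book-only entries) + net(statement-only entries)
    """
    in_book = {(e.ref, e.amount): e for e in book}
    in_stmt = {(e.ref, e.amount): e for e in statement}
    only_book = [e for k, e in in_book.items() if k not in in_stmt]
    only_stmt = [e for k, e in in_stmt.items() if k not in in_book]
    items = {
        "cheques_issued_not_presented": [e for e in only_book if e.amount < 0],
        "cheques_deposited_not_cleared": [e for e in only_book if e.amount > 0],
        "payments_in_statement_not_in_book": [e for e in only_stmt if e.amount < 0],
        "credits_in_statement_not_in_book": [e for e in only_stmt if e.amount > 0],
    }
    bank_balance = (book_balance
                    - sum(e.amount for e in only_book)
                    + sum(e.amount for e in only_stmt))
    return {"items": items, "bank_balance_per_brs": bank_balance}


def aged_items(items, period_end, max_age_days=60):
    """Step i: reconciling items older than max_age_days at the period end."""
    found = []
    for bucket, entries in items.items():
        for e in entries:
            age = (period_end - e.posted).days
            if age > max_age_days:
                found.append((bucket, e.ref, age))
    return found


def nth_working_day_after(start, n):
    """Date of the n-th Monday-to-Friday day after `start`. Bank holidays are
    deliberately not modelled (simplifying assumption of this example)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def trace_early_clearances(next_statement, items, period_end, working_days=3):
    """Step h: every payment clearing in the first few working days of the next
    period should already sit in the prior BRS as a cheque issued but not
    presented. Returns the references that do not: leads for unrecorded cheques."""
    cutoff = nth_working_day_after(period_end, working_days)
    unpresented = {e.ref for e in items["cheques_issued_not_presented"]}
    return [e.ref for e in next_statement
            if e.amount < 0 and period_end < e.posted <= cutoff
            and e.ref not in unpresented]


# --- Constructed sample data (not real records) -----------------------------
PERIOD_END = date(2024, 3, 31)
BOOK_BALANCE = 250_500            # bank book balance at PERIOD_END
BOOK = [                          # bank book, March 2024
    Entry("CHQ1001", -50_000, date(2024, 3, 5), "vendor payment"),
    Entry("CHQ1002", -12_000, date(2024, 3, 28), "vendor payment"),
    Entry("CHQ1003", -7_500, date(2024, 1, 15), "employee reimbursement"),
    Entry("DEP2001", 90_000, date(2024, 3, 30), "customer cheque deposited"),
    Entry("DEP2002", 30_000, date(2024, 3, 12), "customer cheque deposited"),
]
STATEMENT = [                     # bank statement, March 2024
    Entry("CHQ1001", -50_000, date(2024, 3, 8)),
    Entry("DEP2002", 30_000, date(2024, 3, 12)),
    Entry("BANKCHG", -450, date(2024, 3, 31), "bank charges"),
    Entry("CHQ9999", -25_000, date(2024, 3, 29)),   # not in the bank book at all
]
NEXT_STATEMENT = [                # bank statement, April 2024
    Entry("CHQ1002", -12_000, date(2024, 4, 2)),
    Entry("CHQ1004", -3_000, date(2024, 4, 3)),     # cleared early, never in March BRS
    Entry("DEP2001", 90_000, date(2024, 4, 4)),
    Entry("CHQ1003", -7_500, date(2024, 4, 9)),
]


if __name__ == "__main__":
    brs = reconcile(BOOK, STATEMENT, BOOK_BALANCE)
    for bucket, entries in brs["items"].items():
        print(bucket, [(e.ref, e.amount) for e in entries])
    print("balance per bank (proved):", brs["bank_balance_per_brs"])
    print("over 60 days:", aged_items(brs["items"], PERIOD_END))
    print("early clearances missing from BRS:",
          trace_early_clearances(NEXT_STATEMENT, brs["items"], PERIOD_END))
```

What the script flags are leads for the inquiries in steps e, h and i, not conclusions: a payment on the statement with no bank-book entry (CHQ9999 in the sample) and a cheque clearing in the first working days of April that never appeared in the March BRS (CHQ1004) are exactly the unrecorded-cheque patterns the risk column describes, and both still need tracing to source documents before they are reported.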
Final process: Treasury Management
Sub-process: Petty Cash transactions
Risk: Incompatible tasks may be assigned (to the same individual), resulting in non-detection of errors and omissions.
Control Description: Physical cash verification is conducted daily and the physical verification sheets are signed by a person independent of the cashier. Surprise checks are made by the internal/statutory auditors.
Control Owner: Treasury Head
Test Performed:
1. Review the controls for physical cash verification.
2. Count the petty cash (unannounced) and document it.
a. From the above, make an assessment of the control over petty cash funds.
Attributes tested: Physical verification of cash
Sample size: 100%
Data analytics performed:
1. Perform initial data exploration to understand transaction volume, frequency, and patterns over time.
2. Analyse the frequency and amount of cash replenishments. Evaluate the need for optimization.
Final process: Treasury Management
Sub-process: Petty Cash transactions
Risk: Incorrect/incomplete cash transactions may be recorded in the general ledger.
Control Description: The cash ledger is reconciled with the general ledger. Discrepancies are identified, corrected and reprocessed as necessary on a timely basis. The reconciliations are reviewed and approved by appropriate management.
Control Owner: Treasury Head
Test Performed: Evaluate the procedure for reconciliation of the cash ledger with the general ledger. Physically verify the cash balance, and agree it to the cash ledger and general ledger balances, during the audit.
Attributes tested: Reconciliation of cash ledger with general ledger
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Petty Cash transactions
Risk: Unauthorised disbursements may be made.
Control Description:
I - The company has clearly defined levels of authority for approving and/or executing different types of cash transactions. Monetary limits have been set for the approval and execution of transactions by each individual.
II - Authorizations and monetary limits are regularly reviewed and updated as changes occur. All updates are communicated both internally and externally in a timely manner.
Control Owner: Treasury Head
Test Performed: Determine the appropriateness of petty cash expenditures in accordance with company policies and procedures by judgmentally selecting a sample of petty cash reimbursement vouchers. Check the following:
1. They have been properly executed.
2. The expenditures are appropriate.
3. The expenditure was approved by an authorized signatory.
Attributes tested: Approval of petty cash transactions
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Fund Management
Risk: Capital funds may be utilized for working capital requirements, or vice versa.
Control Description: The application of long-term capital funds and short-term working capital funds should be monitored periodically.
Control Owner: Treasury Head
Test Performed:
1. Check the process of review of the application of funds (long term and short term) for the audit period.
2. Ensure that short-term working capital requirements are met through short-term working capital funds and long-term capital requirements through long-term capital funds.
Attributes tested: Application of long-term funds and short-term working capital funds
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Borrowings
Risk: Unauthorized debts are incurred in the company's name.
Control Description: Every borrowing should be approved as per the authorization matrix (and the approval limits).
Control Owner: Treasury Head
Test Performed:
1. Obtain and review the organization's borrowing policies, procedures and guidelines to understand the framework within which borrowings are made.
2. Review the borrowing authorization and approval process to ensure that it is in line with the organization's governance structure and clearly defines roles and responsibilities for borrowing decisions.
3. For the borrowings of the company, check whether each borrowing was approved as per the authority matrix.
Attributes tested: Authorization of Borrowings
Sample size: 100%
Data analytics performed: Key Performance Indicators (KPIs):
1. Set KPIs to measure treasury performance, such as cash conversion cycle, return on investments, or debt ratios.
2. Monitor the KPIs over time to identify trends and deviations.
Final process: Treasury Management
Sub-process: Borrowings
Risk: Interest on borrowings, or other transactions such as redemption, conversion of debt or accrual of interest, may not be recorded timely or accurately.
Control Description: Management reviews periodic financial reports, with comparisons to budgeted amounts or other financial data, for reasonableness of expenses associated with debt. Unusual variances are researched and corrected as necessary. Reviews could include:
- Interest expense
- Interest expense by debt facility, including effective rates
- Accrued interest payable
Control Owner: Treasury Head
Test Performed:
1. Assess the organization's interest rate risk management strategies, including the use of hedging instruments, to mitigate exposure to interest rate fluctuations.
2. Ensure that management reviews the reasonableness of expenses associated with debt.
Attributes tested: Review of expenses associated with debt
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Borrowings
Risk: Borrowing terms or obligations may not be adequately met, resulting in liabilities more severe than those accounted for in the normal course.
Control Description: All borrowing restrictions are formally monitored and compliance is assessed regularly by a cross section of management including legal, accounting and treasury personnel. Questions or grey areas may be escalated to outside legal counsel for additional consideration and advice.
Control Owner: Treasury Head
Test Performed:
1. Verify that all borrowing agreements and related documentation are complete, accurate and compliant with relevant laws and regulations.
2. Verify the organization's compliance with debt terms, loan agreements and other contractual obligations related to borrowings.
Attributes tested: Compliance with debt agreements
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Investments
Risk: Unauthorised personnel may execute investment transactions.
Control Description:
I - The company has a defined investment strategy converted into guidelines. These investment strategy guidelines should be reviewed by the Board in a timely manner.
II - The company has also clearly defined levels of authority and monetary limits for approving and/or executing different types of investments. All investment trades are approved by an authorized person only. Further, these monetary limits and guidelines should also be consistent with Companies Act requirements (Section 185, Section 186 of the Companies Act, 2013, etc.).
III - Authorizations and limits are regularly reviewed and updated as changes occur and communicated both internally and externally in a timely manner.
Control Owner: Treasury Head
Test Performed:
1. Obtain the investment strategy/guidelines/standard operating procedure. Ensure that these are reviewed by the Board.
2. Understand the defined levels of authority and monetary limits for approving and/or executing different types of investments.
Attributes tested: Approved investment strategies/guidelines
Sample size: 100%
Data analytics performed: Investment Performance Analysis:
1. Evaluate the performance of investment portfolios by analysing returns, yield calculations and risk measures.
2. Compare investment performance against benchmarks and industry standards.
Final process: Treasury Management
Sub-process: Investments
Risk: Unauthorised personnel may execute investment transactions.
Control Description: The purchase of self-directed financial instruments, including but not limited to stocks, bonds, notes, debentures, certificates of deposit, commercial paper or the local investment of excess cash, requires the prior approval of the Corporate Treasurer. Investments initiated by the Corporate Treasurer are subject to the approval of the Chief Financial Officer.
Control Owner: Treasury Head
Test Performed: Obtain the list of investments made during the audit period. Check whether these investments were approved by authorized persons.
Attributes tested: Approval of investments as per defined procedures
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Investments
Risk: Accounting (valuation) and disclosures as per applicable GAAP may not be made.
Control Description:
I - Management obtains mark-to-market valuations for trading and available-for-sale securities as per applicable GAAP. These valuations should be independent and readily verifiable.
II - Management also reassesses the appropriate classification of all debt and equity securities.
Control Owner: Treasury Head
Test Performed:
1. Review the investments to ensure they are appropriately classified as per accounting standards (e.g., held-to-maturity, available-for-sale, or trading).
2. Confirm that the accounting treatment of investments complies with the relevant accounting standards, such as Indian Accounting Standards (Ind AS 109) or Generally Accepted Accounting Principles (GAAP).
3. Check for any reclassifications of investments and ensure they are supported by proper documentation and approvals.
Attributes tested: Appropriate valuation and accounting of investments
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Writing of Instruments - Letter of Credit / Bank Guarantee / Bills Payable
Risk: A Bank Guarantee/LC/BP may be opened without proper authorisation.
Control Description:
I - A Bank Guarantee/LC is opened by the appropriate designated authority after receiving an approved requisition from the respective department, and the same is approved by authorised signatories.
II - Standard LC terms are drafted in consultation with the legal department. Any deviation from the same is adequately vetted by legal. Expiry status is monitored by the appropriate designated authority.
Control Owner: Treasury Head
Test Performed:
1. Before the instruments are issued, verify that all instruments are issued and authorized by persons with the appropriate authority, as per the organization's delegation of authority policy.
2. Review the written instruments and ensure that they are complete and contain all required terms and conditions.
3. Validate the accuracy of details such as the beneficiary's name, amount, payment terms, expiry date, etc. in the instruments.
4. For the Bank Guarantees/LCs/BPs opened during the audit period, verify that each was approved as per the defined guidelines.
Attributes tested: Authorization of the Bank Guarantee/LC/BP
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Insurance
Risk: Insurance coverage may not be renewed or may be rendered inadequate.
Control Description: Guidelines for asset coverage (by value) and risk coverage (by type of insurance) are laid out clearly. The responsibility for obtaining and managing the same is also clearly specified. A cost-benefit analysis for not covering an asset should be prepared and reviewed at an appropriate management level.
Control Owner: Treasury Head
Test Performed: Ensure that guidelines for insurance are formally laid down and approved.
Attributes tested: Guidelines for insurance
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Insurance
Risk: Insurance coverage may not be renewed or may be rendered inadequate.
Control Description: The Insurance Manager reviews the list of assets (including additions or deletions of interest) periodically and updates the terms of insurance if required.
Control Owner: Treasury Head
Test Performed:
1. Review the organization's insurance policies.
2. Understand the terms, coverage limits, deductibles, exclusions and other key provisions of each policy.
3. Examine the insurance policy documents.
4. Ensure that policies are valid, up to date, and accurately reflect the organization's details and coverage.
5. Identify any gaps or areas of underinsurance that need to be addressed (based on the value insured vs the actual value of the asset).
6. Verify that insurance premiums are accurate.
7. For any damage/loss, verify that claims are reported promptly and that supporting documentation is provided.
Attributes tested: Adequacy of insurance, accuracy of premium, robustness of the claims process
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Forex Management - Hedging
Risk: The hedging strategy may not fully offset the underlying exposure, resulting in ineffectiveness.
Control Description:
I - The organization's overall hedging strategy, including the objectives, the types of risks being hedged (e.g., currency, interest rate, commodity) and the financial instruments used for hedging (e.g., derivatives, options, forwards), is clearly documented.
II - The organization's hedging policies, procedures and guidelines are comprehensive, well defined and aligned with the organization's risk appetite and strategy.
Control Owner: Treasury Head
Test Performed:
1. Understand the hedging strategy: gain a thorough understanding of the organization's overall hedging strategy, including the objectives, the types of risks being hedged (e.g., currency, interest rate, commodity) and the financial instruments used for hedging (e.g., derivatives, options, forwards).
2. Review hedging policies and procedures: examine the organization's hedging policies, procedures and guidelines to ensure they are comprehensive, well defined and aligned with the organization's risk appetite and strategy.
Note: Conducting an audit of forex hedging requires specialized knowledge and expertise in risk management, financial instruments, accounting and regulatory requirements. Engaging professionals with experience in foreign exchange risk management and auditing can help to ensure the audit is thorough and effective.
Attributes tested: Review of hedging strategies, policies and procedures
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Forex Management - Hedging
Risk: Risk of entering into an unauthorized forward contract, leading to additional financial commitments to other parties and resulting in additional foreign exchange loss.
Control Description: The Treasury Manager, based on careful analysis of the market, decides upon the best course of action for the company to limit loss on foreign exchange fluctuations. The Treasury Head authorizes the booking confirmation and forwards a copy to the bank.
Control Owner: Treasury Head
Test Performed:
1. Review the documentation for hedging instruments and contracts to ensure they are properly executed, authorized and in compliance with accounting and regulatory standards.
2. Evaluate the approval process for initiating hedges, including proper authorization levels and documentation of the rationale.
3. Verify the accuracy of fair value measurements and the accounting treatment of hedging instruments in accordance with accounting standards.
Attributes tested: Approval of hedging transactions
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Forex Management - Hedging
Risk: Risk of inadequate review and analysis of the profitability of forward contracts entered into by the company, leading to incorrect decision making and resulting in additional foreign exchange loss.
Control Description: The Chief Financial Officer verifies the profitability workings against the forward contracts entered into.
Control Owner: Chief Financial Officer
Test Performed:
1. Review the process for communicating hedge-related information to relevant stakeholders, including senior management and the Board of Directors. Assess the clarity and accuracy of disclosures related to hedges in the financial statements.
2. Examine the organization's process for periodically reviewing the effectiveness of hedges and making necessary adjustments based on changing circumstances.
Attributes tested: Review of profitability of forward contracts
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Forex Management - MIS Reporting
Risk: Forex transactions and positions reported to management may not be accurate.
Control Description: Treasury management regularly reports on its forex risk management activities both within and outside the treasury organization. On a monthly basis, Treasury prepares and circulates a report that includes details of underlying exposure data by currency and exposure type; the net exposure position; hedge coverage levels vs targets; and forecast accuracy/variance analysis. The report shall further be validated and used for forex accounting and disclosures.
Control Owner: Treasury Head
Test Performed:
1. Examine the process for communicating foreign currency-related information to relevant stakeholders, including senior management and the Board of Directors.
2. Assess the clarity and accuracy of disclosures related to foreign currency transactions in the financial statements. For the audit period, obtain the MIS reporting on forex transactions.
Attributes tested: Reporting of foreign currency transactions
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Forex Management - Reinstatement
Risk: Forex reinstatement may not be as per the Accounting Standards.
Control Description: The accounting treatment of forex reinstatement should be done in compliance with Ind AS 21.
Control Owner: Treasury Head
Test Performed:
1. For the transactions during the audit period, verify the accurate valuation of foreign currency transactions in accordance with the applicable accounting standards.
2. Review the accounting treatment of foreign currency gains or losses and confirm compliance with the reporting requirements.
Attributes tested: Reinstatement of foreign currency liabilities
Sample size: 100%
Data analytics performed: None
Final process: Treasury Management
Sub-process: Forex Management - Compliance
Risk: Mechanisms to ensure compliance may not be robust.
Control Description: Compliance areas related to foreign currency transactions are adhered to, supported by adequate documentation. Examples of common compliance considerations related to foreign currency: FEMA, Anti-Money Laundering (AML) and Know Your Customer (KYC), taxation and withholding, customs and trade compliance, transfer pricing, intellectual property and royalties, data privacy and cross-border data transfer, export controls and sanctions, etc.
Note: These requirements may vary based on the jurisdiction, industry and specific circumstances of the organization.
Control Owner: Treasury Head
Test Performed: Gain an understanding of the forex compliance requirements applicable to the entity. Ensure that all the applicable compliances are adhered to.
Attributes tested: Compliance with forex-related regulations
Sample size: 100%
Data analytics performed: None
Checklist 26
Borrowings

Columns: Final process | Sub-process | Risk | Control Description | Control Owner | Test Performed | Attributes tested | Sample size | Data analytics performed
Final process: Borrowings
Sub-process: Initialization
Risk: NA
Control Description: NA
Control Owner: NA
Test Performed: Obtain the Standard Operating Procedures relating to borrowings. From the Trial Balance and the relevant GLs, identify the list of borrowings (opening balances, new borrowings, etc.). Understand the nature of the borrowings, such as the purpose, type (term loans, revolving credit, bonds, etc.) and terms and conditions (interest rates, maturity dates, repayment schedules, etc.).
Attributes tested: Overview and understanding of borrowings
Sample size: NA
Data analytics performed:
1. Analyse borrowings to detect anomalies, unusual patterns or unauthorized activities.
2. Identify outliers or discrepancies that may warrant further investigation.
3. Develop Key Performance Indicators (KPIs) to measure treasury performance, such as cash conversion cycle, return on investments, debt ratios, etc.
4. Monitor the KPIs over time to identify trends and deviations.
5. Analyse interest expense trends over time to identify any significant fluctuations or deviations from expectations.
Final process: Borrowings
Sub-process: Borrowing Authorization and Approval
Risk: Unauthorized debts are incurred in the company's name.
Control Description: Every borrowing should be approved as per the authorization matrix (and the approval limits). There are clear guidelines for the types and amounts of borrowings that require higher management approval. Approval levels for modification of existing borrowings are clearly laid down.
Control Owner: Treasury Head
Test Performed:
1. Obtain and review the organization's borrowing policies, procedures and guidelines to understand the framework within which borrowings are conducted.
2. Review the borrowing authorization and approval process to ensure that it is in line with the organization's governance structure and clearly defines roles and responsibilities for borrowing decisions.
3. For the borrowings of the company, check whether they were approved as per the authorization matrix.
Attributes tested: Authorization of Borrowings
Sample size: 100%
Data analytics performed: None
Final process: Borrowings
Sub-process: Interest and Principal Payments
Risk: Interest on borrowings (or such other transactions as redemption, conversion of debt or accrual of interest) may not be recorded timely or accurately.
Control Description: Management reviews periodic financial reports, with comparisons to budgeted amounts or other financial data, for reasonableness of expenses associated with debt. Unusual variances are researched and corrected as necessary. Reviews could include:
- Interest expense
- Interest expense by debt facility, including effective rates
- Accrued interest payable
Control Owner: Treasury Head
Test Performed:
1. Assess the organization's interest rate risk management strategies, including the use of hedging instruments, to mitigate exposure to interest rate fluctuations.
2. Ensure that management reviews the reasonableness of expenses associated with debt.
3. For the borrowings as on the date of the audit (or during the audit period):
i) Check whether the interest and principal payments were made in accordance with the terms of the loan agreements.
ii) Check whether there is a process to reconcile interest and principal payments with the loan agreements and amortization schedules.
iii) Ensure that the accounting entries for interest expense and principal payments are accurately recorded.
iv) Check that the borrowings are accurately reflected on the balance sheet, including their current and long-term portions.
v) Ensure that borrowing transactions are properly documented, including contracts, agreements and amendments.
vi) Evaluate the accuracy and completeness of borrowing-related expenses, such as arrangement fees, legal fees, etc., and the capitalization and amortization of the same.
Attributes tested: Review of expenses associated with debt
Sample size: 100%
Data analytics performed: None
Final process: Borrowings
Sub-process: Loan Agreement Compliance
Risk: Borrowing covenants may not be adequately met, resulting in liabilities more severe than those accounted for in the normal course.
Control Description: All covenant restrictions are formally monitored, and compliance is assessed regularly by a cross section of management including legal, accounting and treasury personnel. Questions or grey areas are escalated to legal counsel for additional consideration and advice.
Control Owner: Treasury Head
Test Performed:
1. Ensure that the loan agreements are reviewed so that their terms and conditions are accurately reflected in the organization's financial records.
2. Check whether the covenants, terms and restrictions outlined in the loan agreements are being monitored to ensure compliance.
3. Ensure that there is a process to notify relevant parties in case of potential covenant breaches.
Attributes tested: Compliance with debt covenants
Sample size: 100%
Data analytics performed: None
Final process: Borrowings
Sub-process: Segregation of Duties
Risk: Lack of segregation of duties over key cash/funds activities.
Control Description: Segregation of duties is enforced through organisational structures, user access in the treasury/payment systems and procedural documents. There should be an effective segregation of key duties including dealing, settlement, and accounting/reconciliation. These segregations need to be strengthened further if the treasurer executes transactions. This segregation is reinforced through procedures documentation and position descriptions.
Control Owner: Treasury Head
Test Performed: Ensure that adequate segregation of duties is maintained between the individuals responsible for initiating, authorizing and recording borrowing transactions.
Attributes tested: Segregation of duties in borrowings
Sample size: 100%
Data analytics performed: None
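The independence conditions in the first bank reconciliation row of the treasury checklist (the BRS preparer must not be a cheque signatory, cash handler or bookkeeper) and the dealing / settlement / accounting and initiate / approve / record separations above are all testable from a user-access extract of the treasury or payment system and a transaction log, not only by inquiry. The Python script below is an added example for this page, not the checklist's own procedure or any product's feature: the role names, the conflict pairs, the approval limits and the sample entitlement and transaction records are constructed assumptions, and the authority matrix is a stand-in for the organization's real one.

```python
from collections import defaultdict
from itertools import combinations

# Role pairs that must not be held by one person. Constructed for this example
# from the checklist's own wording: BRS preparer vs cheque signing / cash
# handling / bookkeeping; dealing vs settlement vs accounting/reconciliation;
# initiate vs approve vs record for borrowings.
CONFLICTS = {
    frozenset(p) for p in [
        ("bank_reconciliation", "cheque_signing"),
        ("bank_reconciliation", "cash_handling"),
        ("bank_reconciliation", "bookkeeping"),
        ("dealing", "settlement"),
        ("dealing", "accounting"),
        ("settlement", "accounting"),
        ("borrowing_initiate", "borrowing_approve"),
        ("borrowing_initiate", "borrowing_record"),
        ("borrowing_approve", "borrowing_record"),
    ]
}

# Authority matrix: highest amount each approval role may sign off.
# Assumed figures standing in for the organization's real matrix.
APPROVAL_LIMITS = {
    "treasury_manager": 2_000_000,
    "treasury_head": 10_000_000,
    "cfo": 50_000_000,
}


def roles_by_user(entitlements):
    """entitlements: (user, role) pairs from the system's user-access extract."""
    roles = defaultdict(set)
    for user, role in entitlements:
        roles[user].add(role)
    return roles


def static_conflicts(entitlements):
    """Users whose assigned roles form a toxic combination (preventive SoD check)."""
    findings = []
    for user, held in sorted(roles_by_user(entitlements).items()):
        for a, b in combinations(sorted(held), 2):
            if frozenset((a, b)) in CONFLICTS:
                findings.append((user, a, b))
    return findings


def transaction_exceptions(transactions, entitlements):
    """Per-transaction (detective) checks: one person acting in two of the
    initiate/approve/record steps, or an approver signing above the limit
    that the authority matrix grants to any of their roles."""
    roles = roles_by_user(entitlements)
    findings = []
    for t in transactions:
        actors = (t["initiated_by"], t["approved_by"], t["recorded_by"])
        if len(set(actors)) < len(actors):
            findings.append((t["id"], "same person in two of initiate/approve/record"))
        limit = max((APPROVAL_LIMITS.get(r, 0) for r in roles[t["approved_by"]]), default=0)
        if t["amount"] > limit:
            findings.append((t["id"], f"amount {t['amount']} exceeds approver limit {limit}"))
    return findings


# --- Constructed sample extracts (not real records) -------------------------
ENTITLEMENTS = [
    ("asha", "bank_reconciliation"), ("asha", "bookkeeping"),   # toxic pair
    ("ravi", "dealing"), ("ravi", "borrowing_initiate"),
    ("meera", "treasury_head"), ("meera", "borrowing_approve"),
    ("kiran", "accounting"), ("kiran", "borrowing_record"),
    ("dev", "cfo"), ("dev", "borrowing_approve"),
]
TRANSACTIONS = [
    {"id": "BRW-01", "amount": 5_000_000, "initiated_by": "ravi",
     "approved_by": "meera", "recorded_by": "kiran"},      # clean
    {"id": "BRW-02", "amount": 25_000_000, "initiated_by": "ravi",
     "approved_by": "meera", "recorded_by": "kiran"},      # above treasury_head limit
    {"id": "BRW-03", "amount": 1_000_000, "initiated_by": "ravi",
     "approved_by": "ravi", "recorded_by": "kiran"},       # self-approval
]

if __name__ == "__main__":
    print("role conflicts:", static_conflicts(ENTITLEMENTS))
    print("transaction exceptions:", transaction_exceptions(TRANSACTIONS, ENTITLEMENTS))
```

The static check answers the control description (is the separation actually enforced in system access?), while the per-transaction check answers the test step (was it respected for the borrowings in the period?). A user who holds no approval role at all gets a limit of zero, so a self-approved transaction surfaces twice in the sample output, once for the duplicated actor and once for the exceeded limit; both are the same root cause and should be reported as one finding against the authorization matrix.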
Final process: Borrowings
Sub-process: Compliance
Risk: Whether the company's Board of Directors has approved the loan limit.
Control Description: To ensure that funds are borrowed under specific authority and for a specific purpose.
Control Owner: Board of Directors
Test Performed: Review the minutes of the meetings of the Board of Directors.
Attributes tested: Compliance with debt covenants
Sample size: 100%
Data analytics performed: None
Checklist 27
Direct and Indirect Taxation & GST

Columns: Process | Sub-process | Risk | Control Description | Test Performed | Attributes tested | Sample size | Data analytics performed | Process Metrics
Process: Direct Taxation
Sub-process: Related Party Transaction
Risk Description: Payment to related party may not be at arm's length price.
Control: Defined process for approval of related party payment that includes the following: - technical and commercial evaluation by cross functional teams - approving authority, - justification for transaction with single party such as special qualification, achievement or experience.
Test Performed: 1. Check the approval for payment to related party and for supporting documents thereof. 2. Check approval for commercial evaluation and supporting documents thereof. 3. Check justification for exceptions, if any, approval from the Board / Members, as required by regulations including Companies Act 2013 and SEBI.
Attributes tested: 1. All related parties approval for evaluations, 2. Supporting for payment evaluations
Data analytics performed: 1. Payment to Related Party vis-à-vis non-related party 2. Excess payment without any special qualification, achievement or experience.
Process Metrics: Whether the unit has incurred any expenditure to a person specified in Clause (b) of Section 40A(2) of Income Tax Act, 1961. Verify whether they are reasonable and not excessive having regard to fair market value of such goods/ services/ facilities.
Process: Direct Taxation
Sub-process: Cash Payment
Risk Description: Payment to vendors in cash
Control: Payment in cash shall be prohibited or minimized
Test Performed: 1. Check the Cash Ledger for payments made 2. Check that cash payment is authorised 3. Verify cash payment is not exceeding the limits
Attributes tested: 1. All the Approvals for cash payment
Sample size: Cash payments including cash book
Data analytics performed: Data Analytics to be done on all expenses to ensure compliance. Data analysis needs to be done to ensure the payments are not split in a manner that this can contravene the provisions.
Process Metrics: Whether the unit has made any cash payments against expenses above Rs. 10,000 (or Rs. 35,000 for goods carriages) in contravention of Section 40A(3)/ 3A of Income Tax Act, 1961, i.e., payment otherwise than through account payee cheque or account payee bank draft.
Process: Direct Taxation
Sub-process: Payment within due dates
Risk Description: Payment may not be made within due dates in timely manner
Control: There shall be system for timely payments
Test Performed: 1. Check the due dates for various payments 2. Check whether the payment is made within the due date.
Attributes tested: 1. Supporting documents 2. Approvals
Sample size: All such payments
Data analytics performed: Check the 'Due Date of payment' vs. 'actual date of payment'.
Process Metrics: Whether the unit has certain payables in the form of tax, duty, cess or fees, employer contribution to provident fund and other funds, bonus, interest or loan and borrowings from banks and public financial institutions, etc. Verify whether such payments have actually been made on or before the due date of filing of Income Tax Return otherwise the same will be disallowed under Section 43B of Income Tax Act, 1961.
Process: Direct Taxation
Sub-process: Repayment of loans/ advances/ deposits
Risk Description: Payment may be made in cash
Control: Such payment shall not be made in cash
Test Performed: 1. Check the cash Ledger for payments made 2. Check that cash payment is authorised 3. Verify cash payment is not exceeding the limits.
Attributes tested: 1. All such Approvals for cash payment
Sample size: Payments including cash book
Data analytics performed: Data Analytics to be done on all expenses to ensure compliance. Data analysis needs to be done to ensure the payments are not split in a manner that this can contravene the provisions.
Process Metrics: Whether the unit has repaid loans/ advances/ deposits in cash of Rs. 20,000 and above in contravention of Section 269T of Income Tax Act, 1961.
Process: Direct Taxation
Sub-process: Receipt of loans/ advances/ deposits
Risk Description: Receipt may be taken in cash
Control: Such receipt shall not be accepted in cash
Test Performed: 1. Check the cash Ledger for receipt received. 2. Check that cash receipt is authorised. 3. Verify cash receipt is not exceeding the limits.
Attributes tested: 1. All such Approvals for cash payments
Sample size: Receipts including cash book
Data analytics performed: Data Analytics to be done on all expenses to ensure the compliance. Data analytics to be done to ensure the payments are not split in a manner that this can contravene the provisions.
Process Metrics: Whether the unit has received loans/ advances/ deposits in cash of Rs. 20,000 and above in contravention of Section 269SS of Income Tax Act, 1961.
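The three cash rows above (expenses under Section 40A(3), loan repayments under Section 269T and loan receipts under Section 269SS) all ask for the same data analytics: checking that cash entries have not been split into several smaller lines to stay under the limit. The following is an added example (not from the checklist) of that test over a constructed cash ledger. The limits are the figures the checklist quotes (above Rs. 10,000 for expenses; Rs. 20,000 and above for loan repayments and receipts); aggregating by party and calendar day is the grouping rule assumed here, and the ledger row layout is constructed.

```python
"""Detect cash entries that breach a limit only when aggregated per party and day.

Added example, not from the checklist. Ledger rows are constructed; the limits
are the ones quoted in the checklist. Grouping by (party, day) is an assumption.
"""
from collections import defaultdict
from datetime import date

# Constructed cash ledger rows: (date, counterparty, kind, amount in Rs.)
CASH_LEDGER = [
    (date(2024, 4, 1), "Vendor A", "expense", 6000),
    (date(2024, 4, 1), "Vendor A", "expense", 5500),          # 11,500 same day: split
    (date(2024, 4, 2), "Vendor A", "expense", 6000),          # different day: within limit
    (date(2024, 4, 3), "Vendor B", "expense", 9999),          # within limit
    (date(2024, 4, 3), "Lender X", "loan_repayment", 19000),
    (date(2024, 4, 3), "Lender X", "loan_repayment", 1000),   # 20,000 same day: split
    (date(2024, 4, 4), "Depositor Y", "loan_receipt", 25000), # single-line breach
]

# kind -> (limit, inclusive). "above Rs. 10,000" is exclusive; "Rs. 20,000 and above" inclusive.
LIMITS = {
    "expense": (10000, False),
    "loan_repayment": (20000, True),
    "loan_receipt": (20000, True),
}


def _over_limit(total, kind, limits):
    limit, inclusive = limits[kind]
    return total >= limit if inclusive else total > limit


def naive_breaches(ledger, limits=LIMITS):
    """Line-by-line test only: misses amounts split across several entries."""
    return [row for row in ledger if row[2] in limits and _over_limit(row[3], row[2], limits)]


def aggregate_cash(ledger):
    """Sum cash per (day, party, kind) and count the lines that make up each total."""
    totals = defaultdict(lambda: [0, 0])
    for day, party, kind, amount in ledger:
        totals[(day, party, kind)][0] += amount
        totals[(day, party, kind)][1] += 1
    return totals


def flag_cash_breaches(ledger, limits=LIMITS):
    """Return sorted (date, party, kind, total, line_count, reason) for aggregated breaches."""
    findings = []
    for (day, party, kind), (total, count) in aggregate_cash(ledger).items():
        if kind not in limits or not _over_limit(total, kind, limits):
            continue
        reason = "split" if count > 1 else "single"
        findings.append((day.isoformat(), party, kind, total, count, reason))
    return sorted(findings)


if __name__ == "__main__":
    print("line-by-line breaches:", len(naive_breaches(CASH_LEDGER)))
    for finding in flag_cash_breaches(CASH_LEDGER):
        print("aggregated breach:", finding)
```

On the constructed ledger the line-by-line test reports only the Rs. 25,000 receipt; the aggregated test additionally surfaces the two split cases, which is exactly the gap the checklist's "not split in a manner that this can contravene the provisions" wording is pointing at.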
Process: Direct Taxation
Sub-process: Furnishing of PAN by vendors
Risk Description: PAN may not be given or may be incorrect.
Control: Take the self-attested copy of PAN card
Test Performed: Check the PAN of vendor in the system with the copy of PAN Card.
Attributes tested: PAN card copy of the vendors
Sample size: 30 vendors' PAN
Process Metrics: Verify whether the compliance of Section 206AA of Income Tax Act, 1961 has been made with regards to furnishing of PAN.
Process: Direct Taxation
Sub-process: TDS related matters
Risk Description: TDS related non compliances
Control: Timely compliance
Test Performed: 1. Check that TDS is deducted as per appropriate rates 2. Check that payment of TDS is paid on time 3. Check TDS return is submitted on time. 4. Check TDS certificates issued to the vendors on time.
Attributes tested: 1. Supporting documents 2. Approvals
Sample size: Any 4 months
Data analytics performed: To analyse all the expense accounts / payments data to ensure TDS provisions have been correctly applied.
Process Metrics: Verify the compliance of issues relating to TDS on salary, rent, commission, interest, payment to contractor, payment of fees to professional/ technical person, sales of goods etc. and observe the following:
- Deduction of TDS at correct rate.
- Deduction and Deposit of TDS within time.
- Filing of TDS return in time and as per procedure prescribed.
- Issue of TDS certificate.
- Receipt of Form 15G/ 15H and entry in system.
- Filing of Form 15G/ 15H with Income Tax Department as per Rule 29C of Income Tax Rules, 1962.
Process: Direct Taxation
Sub-process: TCS related matters
Risk Description: TCS related non-compliance
Control: Timely compliance
Test Performed: 1. Check that TCS is collected as per appropriate rates 2. Check that payment of TCS is paid on time 3. Check TCS return is submitted on time. 4. Check TCS certificates issued to the vendors on time.
Attributes tested: 1. Supporting documents 2. Approvals
Sample size: Any 4 months
Data analytics performed: To analyse receipt accounts / data to ensure TCS provisions have been correctly applied.
Process Metrics: Verify whether Tax Collected at Source (TCS) at the prescribed rates on sale consideration of Alcoholic Liquor, Tendu leaves, Timber, forest produce, scrap, minerals, parking lot, toll plaza, mining and quarrying, motor car, foreign currency, overseas tour package, goods are collected as per section 206C and observe the following:
- Collection of TCS at correct rate.
- Collection and Deposit of TCS within time.
- Filing of TCS return in time and as per procedure prescribed.
- Issue of TCS certificate.
Process: Indirect Taxation
Sub-process: Registration
Risk Description: Registration related non-compliance
Control: Proper Compliance
Test Performed: Check registration compliance and certificates as per law
Attributes tested: Registration Certificates
Sample size: All certificates
Process Metrics: (1) Whether the entity has registration for the principal place and separate registrations for all other places. Ensure that simultaneous registration under CGST/ SGST/ IGST is taken in the same state and places of business in other states. PAN based registration is compulsory except for non-residents.
(2) Whether the details of business are correctly and completely mentioned/ declared in the Registration Certificate.
(3) Whether the principal place of business has been correctly declared in the Registration Certificate and all places of business in other states in the respective Registration Certificates.
(4) Whether all the products, traded/ manufactured have been declared in the Registration certificates.
Process: Indirect Taxation
Sub-process: Issue of Invoice
Risk Description: Issue of invoice not as per law
Control: Proper issue of Invoice
Test Performed: Check process of issue of invoice
Attributes tested: PO, Invoices and agreements
Sample size: 50 invoices
Process Metrics: (1) Ensure that time of supply of goods shall be earlier of: - Date of issue of invoice by the supplier - due date for issue of invoice by the supplier, - date on which payment to be entered in books of supplier and date on which payment is credited in the bank account of supplier.
(2) Whether invoice or bill is not issued without supply of goods and/ or services.
(3) Whether invoice or bill is not issued without supply of goods and/ or services.
(4) Whether taxable goods are transported with the E Way Bill along with invoice/delivery challan, etc.
(5) Whether invoice is raised under E Invoicing system if turnover in a year exceeds 5 crores.
(6) Whether Letter of Undertaking is filed for export without payment of duty.
(7) Whether original invoice is available in case of cancelled invoice.
(8) Whether receipt voucher is issued to the customers in case of advance received against services and GST is paid on the same.
(9) Whether payment voucher is issued to the vendors in case of services or goods covered under RCM.
(10) CGST & SGST or IGST is charged as per the Place of Supply Provisions on the invoice.
(11) Whether invoice has been signed by the authorised person.
Process: Indirect Taxation
Sub-process: GST Returns
Risk Description: Filing of incorrect GST Return
Control: Proper filing of GST returns
Test Performed: Check GST Returns
Attributes tested: GST Returns
Sample size: All returns
Process Metrics: (1) Whether all Monthly Returns/ Quarterly/ Annual Return have been filed with all Annexure within the prescribed time or within the extended period as per Form GSTR-1 to Form GSTR-11 as prescribed under Return Rules (Proposed). Tally it with both the monthly payments and as well as the ledger entries of the relevant dates.
(2) Review the return and check whether the return is accurate as to input credit, output tax payable, valuation of goods and carry forward of credit, etc.
(3) Whether the returns filed are complete and accurate in all respect and has been validated by other person.
Process: Indirect Taxation
Sub-process: Valuation and Rates
Risk Description: Incorrect rate of GST or valuation
Control: GST is charged on correct value and as per proper rates
Test Performed: Check Invoices to ensure correct rates and valuation
Attributes tested: Invoices
Sample size: 50 invoices
Data analytics performed: To check system level controls on using the rates and modification.
Process Metrics: (1) Whether GST (Goods and Service Tax) has been charged on sale of goods traded/ manufactured at correct rates.
(2) Whether GST has been charged on sale of waste product/ discarded product/ assets at correct rates.
(3) Whether GST has been charged on sale of fixed assets at correct rates.
(4) If the rates applied are different, take a copy of the authority/ notification under which such change is approved. For example: Composition Scheme, GST Notifications, etc.
(5) Log of changes in the system relating to rates, application, etc.
Process: Indirect Taxation
Sub-process: Books of accounts
Risk Description: Records as per GST law may not be maintained.
Control: Proper records are maintained
Test Performed: Check the books of accounts
Attributes tested: Books of Accounts
Process Metrics: (1) Whether all the records and Books of Accounts, required to be maintained, are available at the location.
(2) Whether books of account and other documents are kept, maintained and retained in accordance with the provisions of this Act.
Process: Indirect Taxation
Sub-process: Input Tax Credit (ITC)
Risk Description: Avail and utilize ineligible ITC
Control: Only eligible ITC is taken with proper documents.
Test Performed: Check ITC invoices
Attributes tested: Invoices
Sample size: 10-50 invoices p.m.
Data analytics performed: To check system level controls on maintaining vendor master; system level controls in ensuring programming on whether input credit can be taken or not etc., should also be checked.
Process Metrics: (1) Whether the unit has purchased goods only from the registered dealer. GST registration number should be there on invoices and Tax Invoices must be in prescribed format as per the Invoice Rules.
(2) Whether full credit of GST is availed till date, that is input credit of GST for all the purchases is available in the electronic credit ledger.
(3) Whether GST credit is correctly carried forward from previous month to next month in every Monthly Return as well as Annual Return.
(4) Whether ITC is correctly claimed on input and capital purchases eligible for claiming input credit, i.e., whether the input tax carried is in books only based on proper Tax Invoice from the vendor with GST Number and all other relevant details mentioned on the invoice.
(5) Whether Input tax credit taken and/ or utilized is against actual receipt of goods and/ or services.
(6) Whether ITC is reversed on goods distributed as free samples / gifts / goods lost / stolen / destroyed / written-off / donations made etc.
(7) ITC is availed as per conditions mentioned in Section 16 of the CGST Act and rules thereof. Also, the same shall be cross-checked with GSTR-2B & GSTR-2A.
(8) Blocked ITC as per Section 17(5) of the CGST Act, 2017 shall not be availed.
Process: Indirect Taxation
Sub-process: Payment within due dates
Risk Description: Payment of GST not on time
Control: Payment of GST on time
Test Performed: Check Challans
Attributes tested: Challan
Sample size: All challans
Process Metrics: (1) Whether the unit has reconciled the variance between GST payable as shown in books of accounts and the amount paid. Variances should be documented and corrective action to be taken.
(2) Whether the unit maintains acknowledged Tax challan and deposit of CGST, SGST and IGST is made under the correct head of account.
(3) Whether the unit deposits GST (CGST/ SGST/ IGST) dues within due dates under properly filled challan/ Bank Transfer with proper acknowledgement and check that the amount appears on Electronic Credit Ledger.
(4) Ensure GST payment would become due, earliest of conditions mentioned: (i) receipt of advance (ii) issuance of invoice (iii) completion of supply.
(5) Ensure that CGST/ SGST/ IGST payment is paid by 20th of the succeeding month on monthly basis for taxpayers and on quarterly basis for composition tax payer.
(6) Whether amount collected as tax erroneously in contravention to the provisions of this Act is due to the credit of the appropriate Government.
(7) Whether the compliance of tax to be paid under reverse charge mechanism is done.

Checklist 28
Corporate Social Responsibility
Columns: Process | Sub-process | Risk Description | Control | Test Performed | Attributes tested | Sample size | Data analytics performed

Process: CSR
Sub-process: CSR Committee
Risk Description: Non-compliance with provisions of Companies Act, 2013
Control: CSR committee is constituted as per Companies Act
Test Performed: 1. Ensure that constitution of CSR Committee as per Companies Act, 2023. 2. All the policies and projects undertaken are passed through CSR Committee. 3. Check that Certificate issued by CFO relating to CSR Expenditure for the year.
Attributes tested: 1. Minutes of CSR Committee Meeting. 2. Approval on CSR Policy of Company. 3. Approval on projects undertaken. 4. CFO Certificate for CSR.
Sample size: 100%
Data analytics performed: NA

Process: CSR
Sub-process: Projects
Risk Description: Projects undertaken under partnership with NGOs or other CSR Groups may lead to misutilisation of funds.
Control: Independent practitioner's report is obtained. Credentials of all CSR Partners are checked. Utilisation certificate is obtained from NGO.
Test Performed: 1. Check whether Independent Practitioner's Report on such partners is obtained as per law. 2. Check the credentials of all CSR Partners - whether the activity being carried out by them is permissible under the CSR Act, does the NGO have a registration certificate, do they offer income tax exemptions, do they have audited financial statements, are they having enough experience to handle the proposed projects, are they on panel with any national CSR hub, are they eligible to carry out the proposed CSR activities, or do they have any achievements or awards to their credit. 3. Check the persons on board of such CSR Partner and their credibility. 4. Ensure that the respective CSR Partner does not have any past black image or relation to any scandal. 5. Check whether utilisation certificate is obtained from NGO on regular basis and also check for authenticity of the certificate.
Attributes tested: 1. Independent Practitioner's Report of all partners. 2. Detailed study on background of every CSR Partner. 3. News related to every CSR partner in previous years. 4. Utilisation certificate obtained from the NGO.
Sample size: 100%
Data analytics performed: NA

Process: CSR
Sub-process: Projects (continued)
Risk Description: Projects undertaken are as described under Schedule VII and are eligible for CSR expenditure, if not may lead to disallowance and penalty
Control: Projects are selected from the list given in Schedule VII of Companies Act
Test Performed: Ensure that all the projects going on for a Financial Year are as per projects described in Schedule VII of Companies Act.
Attributes tested: Check projects and match them to projects mentioned under Schedule VII of Companies Act
Sample size: 100%
Data analytics performed: NA

Process: CSR
Sub-process: Projects (continued)
Risk Description: Projects undertaken are not related to business
Control: Projects are selected from the list given in Schedule VII of Companies Act
Test Performed: Check the nature of projects undertaken and see if this is related to business activity
Attributes tested: Check projects and match them to projects mentioned under Schedule VII of Companies Act and also check whether these are in any ways related to business activity
Sample size: 100%

Process: CSR
Sub-process: Projects (continued)
Risk Description: Projects undertaken are not controversial, which can offend some consumers and lead to criticism of the company
Control: Projects are selected after adequate due diligence
Test Performed: Check for controversies around any project aimed at its target areas, which can be checked through CSR Project Reports.
Attributes tested: Project reports of all projects.
Sample size: 100%
Data analytics performed: NA

Process: CSR
Sub-process: Expenditure
Risk Description: All the expenditure done is valid and does not lead to wrong payment.
Control: All the expenses are approved by CSR committee. Adequate supporting documents are attached with invoices.
Test Performed: Check supporting of all the payments with their bank payment proofs, approvals and beneficiary names. Check sample invoices in detail along with all approvals and supporting to ensure authenticity of expenses.
Attributes tested: Bank Statements of CSR, Beneficiary ID of every CSR Project, Invoice Supporting.
Sample size: 50%
Data analytics performed: NA

Process: CSR
Sub-process: Expenditure (continued)
Risk Description: Expenditure done on CSR is in excess to requirement of Law which could have been spent on profitable opportunities, more employees, research, technology, etc., an opportunity cost. OR Expenditure done on CSR is less in comparison to amount to be spent on CSR as per law which may lead to penalties in future.
Control: CSR expenses are closely monitored by CSR committee.
Test Performed: Compare the actual amount spent on CSR to amount required to be spent as per law and define a deviation level to save opportunity cost of company.
Attributes tested: Financials of the Company
Sample size: 100%
Data analytics performed: NA

Process: CSR
Sub-process: Unspent Amount
Risk Description: Delay in transferring of unspent amount to Prescribed fund under Schedule VII may lead to Consequences as per law.
Control: CSR funds utilisation is closely monitored by CSR committee
Test Performed: Check bank statement and see whether unspent amount if any is transferred to prescribed fund within the defined timelines
Attributes tested: Bank Statement.
Sample size: 100%
Data analytics performed: NA

Process: CSR
Sub-process: Accounting
Risk Description: Tax Implications of CSR Expenditure which can affect Income Tax payment.
Control: CSR accounting is done by persons having adequate knowledge and same is reviewed by head F&A
Test Performed: 1. Ensure that Expenses under donation are not claimed as CSR Expenditure. 2. Ensure that Expenses done under CSR Expenditure are not taken as deduction while computing Income Tax under Sec 80G. 3. Check that CSR Expenditure is reversed while computing taxable income.
Attributes tested: Income Tax Computation and Financials
Sample size: 100%
Data analytics performed: NA

Process: CSR
Sub-process: Assessment/ Survey Report on Effectiveness
Risk Description: Benefits are not reaching to the target audience.
Control: Third party/in-house assessment/ survey is done on regular basis to take feedback on the project
Test Performed: 1. Take report of assessment/survey done and see if there is any adverse finding and action taken on the same
Attributes tested: Assessment/survey report
Sample size: 100%
Data analytics performed: NA

Checklist 29
Human Resources – Hire to Retire
Columns: Process | Sub-process | Risk Description | Control | Test Performed | Attributes tested | Sample size | Data analytics performed
Process: Hiring
Sub-process: Staff Planning
Risk Description: Risk of not planning the need for staff or staff movement, which later could be a bottleneck in the operations. Risk of hiring a greater number of resources than required or not hiring adequate resources.
Control: The Company should plan for the resource requirements at the beginning of the year and have a strategy accordingly.
Test Performed: Whether the Company has planned for the resource requirements in consultation with HR and relevant operations team.
Attributes tested: Planning
Sample size: 100%
Process: Hiring
Sub-process: Staff Planning
Risk Description: Risk of creating positions or designations which are not approved.
Control: HR Head should approve any position or designations as per organisation hierarchy and also the job descriptions. Where new positions are created, to ensure the organisation hierarchy and job description is amended or incorporated, as the case may be, it should be duly approved.
Test Performed: Review of how the new positions are created or amended.
Attributes tested: Creating new positions.
Sample size: 100%
Process: Hiring
Sub-process: Communication on Need of Resources.
Risk Description: Risk of not communicating through the right channels to ensure that the need for the resources is adequately publicised.
Control: The HR Head should have a strategy on whether to go for campus interviews (freshers), internal references, web portals, social media or HR consultants to communicate the need for the resources.
Test Performed: Whether there is a strategy in place to communicate the need for the resources.
Attributes tested: Communication
Sample size: 100%
Process: Recruitment
Sub-process: Short-listing Candidates
Risk Description: Risk of not selecting the right candidates for interview.
Control: Ensuring that the short-listed candidates meet the criteria of job description and qualifications.
Test Performed: Review of the process of short-listing candidates.
Attributes tested: Process of short-listing
Sample size: Sample
Process: Recruitment
Sub-process: Interview
Risk Description: Risk of hiring candidates without assessing their skill sets.
Control: Company should interview the candidates before hiring. The interview could be a single interview or multiple rounds depending on the need which also includes (a) academic / technical (b) Personal round etc.
Test Performed: Whether interviews are being conducted and documented with the results. Typically, the Company should have a standard checklist to rate (a) communication (b) punctuality (c) dress code (d) academic qualification etc., and note down the results of interview.
Attributes tested: Documentation of interview.
Sample size: Sample
Process: Recruitment
Sub-process: Selecting the candidates
Risk Description: Risk of hiring candidate without assessing their skill sets.
Control: Company should ensure that for key positions, say Manager and above, the selection is carried out by at least 2 staff to ensure there is agreement on the candidate's suitability.
Test Performed: Process of selecting the candidates.
Attributes tested: Process of selecting candidate.
Sample size: Sample
Process: Recruitment
Sub-process: Fixing Remuneration
Risk Description: Risk of agreeing to a remuneration not commensurate to the job or skill set.
Control: Company should have a standard policy on remuneration to be paid for each designation, unless it is an exceptional case where the management decides for higher remuneration due to lack of resources/skill set in the market, or talent exhibited by the candidate etc.
Test Performed: Fixing remuneration to the candidates.
Attributes tested: Remuneration
Sample size: Sample
Process: Master Document
Sub-process: Master Documentation
Risk Description: Risk of details of employees not available in a singular place leading to risk of using incorrect data for payroll and other calculations.
Control: All employee related details should be maintained in a system (software / application) or in hard copy files for each employee. The file should contain (a) Employee CV / Resume (b) Interview Result (c) Copy of appointment letter (d) Statutory details like nomination for gratuity and provident fund (e) Acknowledgement by the employee on Code of Conduct (f) Tax details etc.
Test Performed: Review of the personal files of the employee and ensuring its completeness.
Attributes tested: Completeness of Documentation.
Sample size: Sample
Process: Performance Review
Sub-process: Monitoring
Risk Description: Risk of not monitoring whether the employee is working up to the expected standards. Low performance would impact productivity.
Control: Company should do an annual performance review (may be half-yearly also if required). The Head of the Department and the immediate manager should review the performance with the key performance indicators and give feedback on improvement.
Test Performed: Review of how the performance is reviewed and how KPIs are given to the staff.
Attributes tested: Performance Review.
Sample size: Sample
Process: Training
Sub-process: Training and Upskilling
Risk Description: Risk of employees not knowing how to work with new technology or new skills would lead to Company delivering a lower quality service / good and could be 'out of market'.
Control: Company should ensure there is a training calendar prepared and they recruit either internal consultants or external consultants /experts to train staff on different domain.
Test Performed: Review of training schedule, attendance, appointment of experts, feedback received, inclusion of seeing whether the training has helped in achieving KPI etc.
Attributes tested: Training.
Sample size: Sample
Process: Disciplinary Action
Sub-process: Ensuring compliance with Code of Ethics and Policies.
Risk Description: Risk of employees not knowing how to work with new technology or new skills would lead to Company delivering a lower quality service / good and could be 'out of market'.
Control: Company should have a policy on action to be taken for violation of Code of Ethics and non-compliance with Company's policies / procedures.
Test Performed: Review of how the Company has ensured compliance with Code of Ethics and Company's policies and procedures including review of how the disciplinary cases are handled.
Attributes tested: Disciplinary Action being taken.
Sample size: Sample
Process: Promotion
Sub-process: Promoting the right candidate
Risk Description: Risk of employee not being promoted as per the Company's policy / practice / judgement of the management leading to dissatisfaction of employee leading to lower productivity.
Control: Company should have a policy on circumstances when an employee gets promoted and what are the parameters to be considered.
Test Performed: Review of the promotion process and whether the management has reviewed skill set, knowledge level, experience, and performance of the employee in past before promotion is given. If it is a management discretion, the same needs to be documented.
Attributes tested: Process of promoting employee.
Sample size: Sample
Process: Increments
Sub-process: Changes in remuneration.
Risk Description: Risk of employee not giving increments as per the Company's policy / practice / judgement of the management leading to dissatisfaction of employee leading to lower productivity.
Control: Company should have a policy on circumstances when an employee gets increments and what are the parameters to be considered.
Test Performed: Review of the increment process and whether the management has reviewed skill set, knowledge level, experience and performance of the employee in past before increment is given. If it is a management discretion, the same needs to be documented.
Attributes tested: Process of giving increments to employee.
Process: Full and Final Settlement
Sub-process: Termination formalities.
Risk Description: Risk of not paying the employees dues like Gratuity, Leave Encashment etc., or incorrect payment to the employees.
Control: All Full and Final settlement should be calculated by HR and reviewed by another staff (Accounts Department). Further, the Company should ensure that all the departments concerned provided 'no objection' including IT (for laptops / cell phones / internet connections), Administration (to deactivate physical access), Payroll (to ensure all loans are recovered and there are no payables), etc.
Test Performed: Review of the full and final settlement process and ensure that all the dues are paid within the statutory guidelines / company's policies.
Attributes tested: Review of settling employee dues.
Sample size: 100%

Checklist 30
Human Resources – Payroll Management
Columns: Process | Sub-process | Risk Description | Control | Test Performed | Attributes tested | Sample size | Data analytics performed
Process: Payroll Calculation
Sub-process: Attendance recording
Risk Description: Risk of remunerating an employee without ensuring attendance to work.
Control: The presence of an employee in the office should be monitored through an attendance management system either bio-metric or face recognition or manual signature record, as required by law / company's policy. Any late comings to the Office should be explained by the employee and the Head of the Department / Manager should approve the same. If there are continuous late comings, there has to be a policy on the action to be taken i.e., fixed amount to be deducted from salary or leave to be deducted, etc.
Test Performed: Review of the attendance system and also review whether the software / hardware systems are working as specified or desired.
Attributes tested: Attendance
Sample size: Sample basis depending on the number of employees, industry etc.
Process: Payroll Calculation
Sub-process: Leave Management
Risk Description: Risk of granting leaves to employee which is not as per Company's policy or without approval.
Control: Company should have a policy for leaves including casual leave, medical or sick leave, maternity and paternity leave, emergency leave, etc. Based on the policy the leave applied by the employee should be approved by the designated authority.
Test Performed: Whether the leave credit and utilisation is as per company's policy.
Attributes tested: Compliance with Policy.
Sample size: Sample basis depending on the number of employees, industry etc.
Process: Payroll Calculation
Sub-process: Payroll Processing
Risk Description: Risk of processing payroll with incorrect input data.
Control: 1. The input data provided by the HR to the payroll includes: (a) Attendance (b) leave details (c) specific additions/ deletions (d) Changes in master file, etc. Payroll department would process the salaries based on the updated employee master data including any information provided by HR accordingly. 2. Analytical procedure of Head Count to be done to ensure that the difference between last month's payroll and current month's payroll is explained.
Test Performed: 1. Payroll details to be traced to the master/ personal file of each employee to ensure that the payroll processing is accurate. 2. Review of head count reconciliation and variance of payroll.
Attributes tested: Accuracy and completeness of payroll processing.
Sample size: 100%
Process: Payroll Calculation
Sub-process: Payroll disbursement
Risk description: Risk of payroll being disbursed to the wrong person. Risk of fraud by disbursing payroll to a wrong bank account.
Control: Company should ensure that all payroll disbursement is through banking channels only. The payroll statement prepared by the payroll department should be reviewed by the Accounts department, which then sends a list containing the employees and payments to be made to the treasury team. The treasury team should disburse the payroll based on the authorisation matrix given to the bank.
Test performed: Review of the payroll processing, including the process of transfer of files between departments, and ensuring the maker-checker concept is effective.
Attributes tested: Operating effectiveness of payroll processing.
Sample size: 100%
Process: Payroll Calculation
Sub-process: Payroll disbursement
Risk description: Risk of incorrect statutory deductions.
Control: Company should ensure that the statutory deductions are deducted and remitted to the designated authority of the Government within the timeline stipulated by law.
Test performed: Review of compliance of (a) accuracy of deductions, (b) punctuality of making remittances to the Government.
Attributes tested: Compliance with Labour Laws
Sample size: 100%
Process: Payroll Calculation
Sub-process: Payroll disbursement
Risk description: Risk of non-deduction of loan amount given to employee.
Control: Company should ensure that any loan given to an employee is deducted from the payroll as per the sanction terms.
Test performed: Recovery of loans given to employees as per the Company's policy.
Attributes tested: Compliance with Company's policies.
Sample size: 100%
Process: Payroll Function Outsourced
Sub-process: Outsourcing of Payroll Function
Risk description: Risk of third-party service provider not being able to render the service as desired.
Control: Company should do due diligence of the vendor before selecting it for outsourcing payroll processing.
Test performed: Review of the vendor onboarding procedure and due diligence on the quality of the service that the vendor renders.
Attributes tested: Due Diligence
Sample size: 100%
Process: Payroll Function Outsourced
Sub-process: Internal Controls at third party vendor location.
Risk description: Risk of third-party service provider not being able to render the service as desired.
Control: Company should ensure (as part of the contract) that the service provider's internal controls are subjected to independent audit and such audit report is made available for review by the company.
Test performed: Review of the independent auditor's report on the internal controls existing in the service organisation.
Attributes tested: Review of Audit Report and observing for discrepancies.
Sample size: 100%
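The head-count reconciliation in the Payroll Processing row and the wrong-account and maker-checker risks in the Payroll disbursement row are the points where the "Data analytics performed" column can be filled with an actual script. The following Python is an added example written for this page and is not part of the checklist or of any payroll system; the employee ids, bank accounts, user names, pay amounts and the HR joiner / leaver / master-file-change lists are all constructed sample data. It compares last month's register with this month's, explains every movement against HR's inputs, and lists the disbursement lines an auditor would want to see before the file goes to treasury.

```python
"""Added example: payroll data analytics for the head-count reconciliation and
disbursement controls in the checklist. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollLine:
    emp_id: str
    bank_account: str
    net_pay: float
    prepared_by: str   # maker in the payroll department
    approved_by: str   # checker in the accounts department


# Constructed sample payroll registers (hypothetical employees and accounts).
LAST_MONTH = [
    PayrollLine("E001", "ACC-1001", 50000.0, "payroll.maker", "accounts.checker"),
    PayrollLine("E002", "ACC-1002", 42000.0, "payroll.maker", "accounts.checker"),
    PayrollLine("E003", "ACC-1003", 61000.0, "payroll.maker", "accounts.checker"),
]
THIS_MONTH = [
    PayrollLine("E001", "ACC-1001", 50000.0, "payroll.maker", "accounts.checker"),
    # E002's bank account changed although HR recorded no master-file change.
    PayrollLine("E002", "ACC-1099", 42000.0, "payroll.maker", "accounts.checker"),
    # E003 left (on HR's leaver list); E004 joined (on HR's joiner list).
    PayrollLine("E004", "ACC-1004", 38000.0, "payroll.maker", "accounts.checker"),
    # E005 is paid but HR reported no such joiner, the same user prepared and
    # approved the line, and the account is already used by E004.
    PayrollLine("E005", "ACC-1004", 45000.0, "payroll.maker", "payroll.maker"),
]
# Constructed HR inputs for the month (the checklist's input data items).
HR_JOINERS = {"E004"}
HR_LEAVERS = {"E003"}
HR_ACCOUNT_CHANGES = set()   # emp_ids whose bank account HR changed this month


def reconcile_headcount(last, current, joiners, leavers):
    """Explain the movement between two months' payroll registers."""
    last_ids = {p.emp_id for p in last}
    cur_ids = {p.emp_id for p in current}
    added = cur_ids - last_ids
    removed = last_ids - cur_ids
    return {
        "headcount_last": len(last_ids),
        "headcount_current": len(cur_ids),
        "unexplained_additions": sorted(added - joiners),   # paid, no HR joiner
        "unexplained_deletions": sorted(removed - leavers), # dropped, no HR leaver
        "missing_joiners": sorted(joiners - added),         # HR joiner not paid
        "missing_leavers": sorted(leavers - removed),       # HR leaver still paid
        "net_pay_variance": round(sum(p.net_pay for p in current)
                                  - sum(p.net_pay for p in last), 2),
    }


def disbursement_exceptions(last, current, hr_account_changes):
    """Flag lines that could route payroll to the wrong person or account."""
    last_acct = {p.emp_id: p.bank_account for p in last}
    by_account = defaultdict(list)
    exceptions = []
    for p in current:
        by_account[p.bank_account].append(p.emp_id)
        # Account changed since last month without a matching HR change record.
        if (p.emp_id in last_acct and last_acct[p.emp_id] != p.bank_account
                and p.emp_id not in hr_account_changes):
            exceptions.append((p.emp_id, "bank account changed without HR record"))
        # Maker-checker: preparer and approver must be different people.
        if p.prepared_by == p.approved_by:
            exceptions.append((p.emp_id, "maker-checker not applied"))
    # One bank account receiving pay for more than one employee.
    for ids in by_account.values():
        if len(ids) > 1:
            for emp in ids:
                exceptions.append((emp, "bank account shared with another employee"))
    return sorted(exceptions)


if __name__ == "__main__":
    for key, value in reconcile_headcount(LAST_MONTH, THIS_MONTH,
                                          HR_JOINERS, HR_LEAVERS).items():
        print(f"{key}: {value}")
    for emp, reason in disbursement_exceptions(LAST_MONTH, THIS_MONTH,
                                               HR_ACCOUNT_CHANGES):
        print(f"EXCEPTION {emp}: {reason}")
```

On the constructed data the reconciliation reports E005 as an unexplained addition and a net pay variance of 22,000, and the disbursement check flags E002 (account change with no HR record), E005 (maker and checker are the same user) and both E004 and E005 (one account paid twice). Each flagged line is a case the auditor traces back to the personal file, as the Test performed column asks, rather than an automatic conclusion.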
Checklist 31
Foreign Currency Transactions
Process: Foreign Currency Transactions
Sub-process: Transaction Risk
Risk description: Cost effective method is not used for payment of duty. Ineffective foreign currency risk management system.
Control: The method of payment of import duty is selected after due diligence so that the risk may be mitigated and hedging strategies can be implemented. Eligibility for the Merchandise Exports from India Scheme (MEIS) can be explored.
Test performed: Check whether payment is made in accordance with guidelines prescribed by the Company. If not, then check the payment mode in sample contracts and compare the cost of undertaking the Foreign Currency Transaction.
Attributes tested: FCT Contracts and Policy
Risk description: Currency hedging is not done.
Control: Hedging is done on the basis of current market trend and outlook of the market.
Test performed: Check that hedging terms and conditions are satisfied while making payment.
Attributes tested: Hedging document for each contract, supporting of actual payment and rates thereof.
Risk description: Booking rate is higher than the current spot rate.
Control: Regular monitoring of terminal and cross-checking of rates before booking is done. Rates to be obtained from the bank and a comparison made between rates offered by different bankers.
Test performed: Compare spot rate with rate of booking and check deviation, if any.
Attributes tested: Booking rate
Risk description: Excess payout due to currency fluctuation.
Control: Close monitoring is done on payout.
Test performed: Check whether any change in foreign currency rate is immediately updated in the ERP.
Attributes tested: ERP data along with foreign currency fluctuation details.
Sub-process: Transaction Risk
Risk description: Adequate terms not mentioned in export contract.
Control: During export, payment terms may include credit terms with rates which mitigate the adverse effect of change in forex rates due to time delay between execution of the transaction and receipt of payment.
Test performed: Review of export contract and check whether the company's interest is adequately protected.
Attributes tested: Export contracts
Risk description: Adequate due diligence is not done for export parties.
Control: Parties with which transactions are undertaken should have credibility in the market so that payment is not defaulted.
Test performed: Check credit rating of the company on Crisil or with any other credit agency.
Attributes tested: Crisil database or reports of the company from the respective credit agency.
Sub-process: Translation Risk
Risk description: Non-compliance with provisions of Ind AS.
Control: In preparation of the consolidated Financial Statement, there is a risk of translation of Financial Statements of subsidiaries into the currency of the holding company.
Test performed: Check Financial Statement conversion with Ind AS 21.
Attributes tested: Ind AS 21 and Financial Statement of foreign subsidiary as consolidated.