
Internal Audit Risk Assessment Questionnaire

The document provides samples of internal audit risk assessment questionnaires that can be used to solicit input from management to develop an audit plan. It includes an overview of the risk assessment process, describing how identifying risks helps allocate audit resources effectively. Sample questionnaires gather information on business goals, key risks, processes of concern, and expected areas of focus. Management is asked to prioritize the top three issues for potential audit based on risks manifesting in specific processes or locations. The output informs an audit plan that addresses highest risks.


INTERNAL AUDIT RISK ASSESSMENT QUESTIONNAIRE

Table of Contents
INTERNAL AUDIT RISK ASSESSMENT QUESTIONNAIRE: SAMPLE 1
INTERNAL AUDIT RISK ASSESSMENT QUESTIONNAIRE: SAMPLE 2
INTERNAL AUDIT RISK ASSESSMENT QUESTIONNAIRE: SAMPLE 3

Source: www.knowledgeleader.com
EXECUTIVE SUMMARY

Business risk can be defined as the threat that an event, action or non-action will adversely affect a company’s
ability to achieve its objectives and execute its strategies successfully.

The internal audit risk assessment process is a critical component of effective internal audit planning. It helps
organizations identify, analyze and prioritize potential risks, ensuring that audit resources are allocated to the
areas of greatest concern.

Internal audit departments should perform a risk assessment each year in order to identify and prioritize key risks
for the following year. By understanding the risks that the organization faces, internal auditors can develop an
audit plan that focuses on the areas of highest risk.

The process involves a systematic evaluation of various factors, including the organization's strategic goals,
operational processes, financial performance, and external environment. Key steps include identifying the audit
universe, ranking and scoring the audit universe, evaluating internal controls, prioritizing audit areas, and
developing an audit plan.

In addition to the benefits previously mentioned, regular internal audit risk assessments allow for focused audit
planning, enhanced risk management, improved governance, and more efficient use of resources.

This KnowledgeLeader tool is designed to help you complete a risk assessment within your own organization.
Use the three sample questionnaires to obtain input from the potential “customers” of your internal audit function
and develop a broad, risk-based audit plan for next year.

INTERNAL AUDIT RISK ASSESSMENT QUESTIONNAIRE: SAMPLE 1

To: (Insert Name)

From: (Insert Name)

Subject: Internal Audit Risk Assessment

Date: (Insert Date)

We have begun the planning process for the (Insert Year) internal audit plan. (Insert Names) have specifically
requested that we solicit your input.

In our efforts to continually build a better company, we perform internal audits to ensure that our people,
processes and technology are operating effectively and efficiently, thereby minimizing exposures for the company.
To develop a broad, risk-based audit plan for next year, internal audit will perform a risk assessment to identify
and prioritize our key risks to best allocate our internal audit resources for (Insert Year).

This risk-based approach is focused on surveys/interviews of a cross-section of management personnel (see
distribution list above) to solicit input from the potential “customers” of an internal audit function. The internal audit
team will interview a select group of surveyed individuals to discuss your opinions on risk areas of the company
and your views on internal audit. These interviews should last approximately one hour and need to be completed
over the next four weeks so we can summarize the results by late (Insert Month).

It is important to focus on those business processes that you know are not working well, as well as the risks and
processes that are important to achieving business objectives. Consequently, a summary process classification
scheme is included to help you think broadly about business processes.

The output from the surveys and interviews will be used to develop an audit plan that creates broad coverage
through a blend of internal audits, control self-assessment and targeted external audit coverage.

Please prepare the attached survey regardless of whether you are having a face-to-face interview. Your candid
feedback is critical to developing an effective audit plan. Thank you in advance for your participation. If you have
any questions, please let me know.

INTERNAL AUDIT FISCAL (INSERT YEAR) RISK ASSESSMENT SURVEY

Interviewee

Title

Area(s) of Responsibility

OVERVIEW:
The purpose is to provide a better understanding of your business and challenges.
• Briefly describe the goals and objectives in your area of responsibility, especially over the next 12-18 months.
(For example: growth through acquisition or new services, fill key positions left vacant by turnover, etc.)
• What are the key risks (operational, financial or technical) that would threaten the achievement of your goals
and objectives? What are the key success factors in achieving your goals and objectives?
− A risk is defined as “the threat that an event or action/inaction will adversely affect an organization or
department’s ability to achieve its business objectives and execute its strategies successfully.” See the
attached business risk model for examples of risks.

List each risk, with examples, and rank it by importance:
Risk Name | Examples | Rank by Importance

RISK ASSESSMENT:
Identify and prioritize areas that internal audit should consider in the (Insert Year) plan. For each question below,
note whether your answer relates to any specific processes or functions, and whether it relates to any specific
geographic locations.

Risk Assessment Questions:
• Where do the above risks or success factors manifest themselves? (i.e., in what processes or locations?)
• Are there certain processes that are critical to your business on which you want assurance as to their
operating effectiveness or efficiency?
• Are there certain systems that are critical to your business on which you want assurance as to their
operating effectiveness (security, data integrity, etc.)?
• Are there any areas that concern you and/or cause problems or backlogs?
• Have you had or do you anticipate any significant process, systems or people changes that have a
significant impact on the operating or financial control environment?
• Are there any areas of revenue enhancement or cost savings?
• Are there any other areas of risk on which you believe internal audit should focus?

Considering the areas you noted above, please identify the top three issues for potential internal audit focus.
• (Insert Text)
• (Insert Text)
• (Insert Text)

OTHER COMMENTS
• What are your key expectations of internal audit?
(Insert Text)
• Any other comments/feedback is appreciated.
(Insert Text)

MANUFACTURING BUSINESS RISK MODEL (EXAMPLE)

Environment Risk
• Competitor
• Social/Cultural
• Technological Innovation
• Shareholder Relations
• Labor Availability
• Capital Availability
• Catastrophic Events
• Globalization
• Sovereign/Political
• Sensitivity
• Legal
• Regulatory
• Financial

Process Risk

Operations Risk
• Customer Satisfaction
• Efficiency/Productivity
• Capacity
• Inventory
• Cycle Time
• Obsolescence
• Compliance
• Labor/Employee
• Product Acceptance
• Product/Service Quality
• Environmental
• Health and Safety
• Resource Availability
• Resource Price Volatility
• Trademark/Brand Name

Empowerment Risk
• Accountability
• Leadership
• Authority/Limit
• Outsourcing
• Performance Incentives
• Change Readiness
• Communications

Financial Risk
• Price: Interest Rate, Currency, Equity
• Liquidity: Cash Flow, Opportunity Cost, Concentration
• Credit: Default, Market, Settlement

Information Processing/Technology Risk
• Relevance
• Integrity
• Access
• Availability
• Infrastructure

Integrity Risk
• Management Fraud
• Employee Fraud
• Illegal Acts
• Unauthorized Use
• Reputation

Information For Decision-Making Risk

Operational
• Product Pricing
• Product Costing
• Contract Commitment
• Performance Measurement
• Process Alignment
• Regulatory Reporting

Financial
• Budget and Planning
• Accounting Information
• Financial Reporting Evaluation
• Taxation
• Compensation and Benefits
• Investment Evaluation
• Regulatory Reporting

Strategic
• Environmental Monitoring
• Business Portfolio
• Valuation
• Performance Measurement
• Organization Design
• Resource Allocation
• Planning
• Product Life Cycle

EXAMPLE PROCESS CLASSIFICATION SCHEME

For each process audit/area listed below, the scheme provides a set of columns headed Regional, International and
Companywide, each subdivided into the individual areas (Area, Area, Area, ...) in which the process operates.

Process Audit/Area:
Budgeting/Forecasting
Financial Reporting
Close the Books
External Reporting
Provide Internal Information
Treasury
Disbursements
Payroll
Accounts Payable
Travel and Entertainment
Revenue
Sales/Returns and Allowances
Billing/Pricing/Accounts Receivable
Credit/Collections
Sales/Marketing
Co-op Advertising
Customer Service
Process Customer Orders
Measure Customer Satisfaction
Sales Forecasting
Claims Processing
Warranty
Rebates/Discounts
Chargebacks
Fixed Assets/Capital Expenditures
Procurement
Select and Certify Suppliers
Purchase Production Material
Purchase Non-Production Material
Manufacture Products
Management
Operations
Engineering
Quality
Research and Development
Inventory Management
Planning
Production Scheduling
Cost Accounting
Inventory Movement and Control
Receiving
Warehousing
Shipping
Information Technology
Manage Enterprise Support Systems
Manage Network Operations
Data Integrity/Security
Physical Security
Disaster Recovery Plan
MIS Systems Development
Human Resources
Employee Training and Development
Benefits
Bonus Programs
Tax Management
Facilities Management
Environmental Management
Manage Legal and Ethical Issues
Risk Management
Investor Relations

INTERNAL AUDIT RISK ASSESSMENT QUESTIONNAIRE: SAMPLE 2

Internal audit is in the process of developing the (Insert Year) risk assessment and audit plan. A key step in this
process is to receive your input as to the actual, inherent and perceived risks existing in the organization. As
management, you have the experience, insight and perspective we need to assist us in effectively determining the
correct level and areas of focus of internal audit procedures. After we receive your initial input, we will meet with
you to discuss it. Your candid input is important and appreciated.

Please Complete and Send to Internal Audit By: (Insert Date)

Email Completed Questionnaire To: (Insert Email Address)

Complete By: (Insert Name)

Evaluate each business cycle/process based on your perceived importance to the business strategy (priority) and
the likelihood of control/process issues (risk). (Place an X in one box to rate the priority and one to rate the risk for
each area.)

Area (rate Priority as High / Med / Low, and separately rate Risk as High / Med / Low)

Administration
• Public Relations
• Office Services/Facilities
• Business Continuity Planning
• Other:

Finance
• General Accounting
• Management Reporting/Financial Planning
• Period-End Close Process
• External Financial Reporting
• Internal Controls
• Asset Administration
• Tax Accounting
• Inventory Accounting
• Accounts Payable
• Accounts Receivable
• Purchasing
• Bank Reconciliation
• Cash Management
• Derivative Accounting
• Other:

Human Resources
• Employee Relations
• Payroll/Compensation
• Recruiting
• Training
• Benefits
• Other:

Construction Projects
• New Plant Construction and Design
• Corporate Projects
• Other:

Regulatory and Compliance
• Legal
• Contract Management
• Corporate Administration
• Regulatory Agency Management
• Government Affairs
• Other:

Business Development
• Sales and Marketing
• Other:

Commodity Risk Management
• Commodity Trading
• Derivative Transactions and Hedging
• Contract Administration
• Inventory Management
• Other:

Minority Investments
• Operations
• Accounting
• Managing the Relationship
• Other:

Plant Operations
• Operational Efficiency
• Maintenance Program and Equipment Reliability
• Physical Security
• Safety
• Other:

Environmental, Health and Safety (EH&S)
• EH&S Management Strategy
• EH&S Management System
• Pollution Prevention Program
• Remediation Projects
• Other:

Research and Development
• Research and Development Strategy
• Other:

Information Technology
• Disaster Recovery Planning
• Support/Help Desk
• Network Technology (Internal)
• Network Technology (External, Including the Firewall)
• Production Technology
• Inventory Systems
• Plant Systems
• Financial Systems
• IT Asset Management
• IT Strategy/Governance
• Project Management
• Data Privacy
• Other:

Describe your key objectives/strategies in your area of responsibility for (Insert Year).

Describe any key concerns in your area of responsibility.

Where do you believe the greatest exposure for loss exists?

Describe opportunities you believe exist for profit improvement/cost containment.

Where do you feel internal audit can benefit most?

Comments:

Thank You!

RISK GLOSSARY

ADMINISTRATION

Public Relations
Addresses the process of managing communication between the organization and the public investing
community. This process encompasses the fair disclosure of key issues and company information to the public
without advantage to any particular analyst or investor consistent with the SEC’s Fair Disclosure Regulation.

Protecting and maintaining the company image is of utmost importance. A company’s image or reputation may
become damaged in numerous ways, including environmental issues, restatement to financial statements,
association with poor workplace conditions or unfair trading practices, and regulatory compliance. Once damage
has been done, it can be extremely difficult (if not impossible) to restore.

Further risk includes a decline in investor confidence that may impair the company’s ability to efficiently raise
capital. If current and prospective investors do not understand the company and its core messages and
strategies, they will not have the necessary confidence in the company’s potential to provide sufficient returns on
their investment. The consequences can be severe, as the company will not have the same efficient access as
competitors to the capital it needs to fuel growth, execute strategies and generate future financial returns.

Office Services/Facilities
This area addresses the processes over the day-to-day functioning of corporate location(s) and the ability to
support the administrative needs of the company. Potential risks include the inability to perform simple daily
functions due to breakdowns in various support functions, such as mail distribution, reproduction services and
facility maintenance.

Business Continuity Planning
Business continuity planning (BCP) addresses the risk of the inability to continue/restore critical operations and
processes due to business interruptions. Such interruptions can arise from accidents, weather, work stoppages
and sabotage, and can result in dissatisfied customers and loss of sales, profits and competitive position.

BCP is the development of strategies, plans and actions that provide protection or alternative modes of
operation for critical business processes during an interruption.

FINANCE

General Accounting
General Financial Statements: This information addresses the process of generating, compiling and
summarizing financial statements and other financial information reported by the company. This information must
fairly present in all material respects the financial condition, results of operations and cash flows of the company.

Revenue Recognition: This addresses the risks associated with improperly recognizing revenue in the incorrect
accounting period or for the incorrect amount in accordance with U.S. GAAP. Improper revenue recognition can
be carried out by keeping the books open past the end of the accounting period, recording sales when a title
hasn’t officially transferred, recording consignment goods as sales, failing to record offsetting accruals, and
improperly treating gross or net revenue.

Deferred Revenue: This addresses the risk related to recognizing revenue in the incorrect accounting period. As
outlined in the revenue recognition rules, revenue cannot be recognized until delivery has occurred or services
have been rendered. When the product is shipped to customers, the revenue cannot be recognized until proof of
delivery to the customer’s destination. This can be particularly challenging in the direct shipments from the vendor
to the customer for ethanol that is purchased from a third party and resold. This can also be challenging when
transfer of a title is dependent on specific delivery or empty date terms, which depend on records from the
third-party terminals.

Management Reporting/Financial Planning
Management reporting addresses the organization’s ability to prepare budgets and internal financial reporting (for
operations) and to analyze variances between budgeted and actual results. Budgeted financial targets and goals
can be potential incentives for fraudulent financial reporting.

Period-End Close Process
This process addresses the organization’s ability to perform a monthly accounting close accurately and on time, so
as to allow adequate time for budgeting, analysis and external financial reporting.

External Financial Reporting
External financial reporting encompasses risks arising from new financial accounting requirements, historical
application of standards or unique business transactions, and new regulatory requirements. Noncompliance with
SEC reporting deadlines and/or incorrect interpretation of accounting requirements can be costly to the
organization and can negatively impact shareholder value.

Additional risks associated with external financial reporting include financial reports being issued to the public that
include material misstatements or omissions of material facts, thereby making them misleading. Financial
reporting risk usually results from failure to obtain relevant business information from external and internal
sources and assess whether adjustments to or disclosures in the financial statements are required to fairly
present financial position, results of operations, and sources and uses of cash. Financial risk can also result from
inaccurate earnings calculations and/or manipulating earnings to meet established targets.

Internal Control
Internal control addresses the risks associated with the failure to accumulate sufficient relevant and reliable
information to assess the design and operating effectiveness of internal controls over financial reporting. Such
failure would result in inaccurate assertions by management and noncompliance with the Sarbanes-Oxley Act.

Asset Administration
Asset administration addresses the risk of potential overstatement of the total fixed asset balance and/or
inefficient spending if fixed assets are not accurately tracked (includes additions, depreciation, disposals and
impairment assessments of assets).

Tax Accounting
Tax accounting addresses the organization’s ability to ensure that all tax accounting is done in compliance with
federal, state and local guidelines. Noncompliance or late payments could result in severe penalties.

Inventory Accounting
Inventory accounting addresses the risk that inventory is not properly valued due to inadequate procedures and/or
controls. Potential areas that could impact the accuracy of the inventory include physical inventories (plants and
terminals), inventory transfers (trucks, railcars, barges) and inventory control procedures. Further, if freight and
delivery costs are not calculated and applied correctly, this could potentially impact margins and pricing
competitiveness.

Additional inventory valuation risks include calculating inventory reserves (when inventory costs drop below
market value), recording inventory in-transit, recording commodity purchases accurately, calculating ending WIP
balances, and performing accurate inventory counts of raw materials and finished goods.

Accounts Payable
Accounts payable addresses the risk that the accounts payable function is not operating effectively, thereby causing
either an under- or overstated liability balance. Potential problem areas that could impact this process include
errors made in the three-way match process, calculating estimated accruals, and potential unrecorded liabilities.

Accounts Receivable
Accounts receivable addresses the risk that accounts receivable balances are not properly stated, thereby
affecting the company’s ability to manage cash flow and identify uncollectible amounts that should be written off.

Purchasing
Purchasing addresses the risks of product shortages and higher costs stemming from the sourcing, procurement
and purchasing decisions that are made. Factors that should be considered when making these decisions include:
• Sourcing options and alternatives (e.g., the population of vendors to choose from and where the vendors are
located)
• Cost factors (e.g., cost structures/tiers, volume-based discounts, etc.)
• Payment terms

These risks can significantly affect the company’s capability to provide competitively priced products to customers
at the time they are wanted.

Also, companies face several risks associated with their procure-to-pay functions. These risks can include:
• Financial leakage due to duplicate payments, pricing/receiving errors and lost discounts
• Internal control and operational risks caused by fraud, lack of contract compliance, and suboptimized sourcing
or processing functions

Bank Reconciliation
Bank reconciliation addresses the organization’s ability to prepare and review monthly bank reconciliations for all
bank accounts, including the resolution of reconciling items.

Cash Management
Cash management addresses the risk of losses incurred as a result of the inability to fund the operational or
financial obligations of the business. In extreme cases, poor cash/liquidity management can lead to default or loss
of production (i.e., a company may be unable to meet its net funding requirements, or changes in interest rates
and economic conditions may adversely affect cash flows through higher interest costs or lower interest income).

Derivative Accounting
Derivative accounting addresses the risk that derivatives are not properly accounted for due to inadequate
procedures and/or controls. Potential areas that could impact the accuracy of derivatives include accounting for
derivative instruments and hedging activities in accordance with FAS 133.

HUMAN RESOURCES

Employee Relations
This function addresses employee-related matters, including the administration, supervision and evaluation duties
over maintaining employer-employee relationships that contribute to satisfactory productivity, motivation, morale
and discipline. Responsibilities include providing guidance, consultation and assistance to management and
employees on employee relations matters, and advising on grievances and appeals, adverse actions, employee
discipline, and related matters.

Equal Employment Opportunities/Employment Discrimination: The following federal laws prohibit job
discrimination:
• Title VII of the Civil Rights Act of 1964 (Title VII), which prohibits employment discrimination based on race,
color, religion, sex or national origin.
• The Equal Pay Act of 1963 (EPA), which protects men and women who perform substantially equal work in the
same establishment from sex-based wage discrimination.
• The Age Discrimination in Employment Act of 1967 (ADEA), which protects individuals who are 40 years of
age or older.
• Title I and Title V of the Americans with Disabilities Act of 1990 (ADA), which prohibit employment
discrimination against qualified individuals with disabilities in the private sector and state and local
governments.
• Sections 501 and 505 of the Rehabilitation Act of 1973, which prohibit discrimination against qualified
individuals with disabilities who work in the federal government.
• The Civil Rights Act of 1991, which provides monetary damages in cases of intentional employment
discrimination.

Fair Labor Standards Act (FLSA)/Wage and Hours: The Fair Labor Standards Act (FLSA) establishes
minimum wage, overtime pay, recordkeeping and child labor standards affecting full-time and part-time workers in
the private sector and federal, state and local governments. Covered nonexempt workers are entitled to a
minimum wage of not less than $X an hour. Overtime pay at a rate of not less than one and one-half times their
regular rates of pay is required after 40 hours of work in a workweek.

Payroll/Compensation
Payroll/compensation addresses risks related to the payroll function, including the following:
• Time and attendance information, employee information and payroll/tax withholdings accuracy and
completeness
• Payroll accruals preparation for accounting purposes
• Payroll reports reconciliation to ensure accurate uploads/updates to the general ledger.
• Critical system processes integrity that helps ensure accuracy and completeness of overall payroll data
• Outsourcing payroll and HR-related functions through third parties.

Recruiting
Recruiting addresses the process of recruiting, hiring and retaining employees that have the requisite knowledge,
skills and experience needed to ensure that critical business objectives are achieved. The following questions
should be considered as part of this area:
• Are qualifications/requirements and salary appropriately set for job openings?
• Are appropriate background checks being performed?
• Could resources be shifted toward the retention of current employees to reduce recruiting costs of new
employees?

Training
Training addresses the risk that employees do not have sufficient training to perform their duties adequately. This
includes training for new hires as well as ongoing training to address continuing education requirements and
support ongoing advancement. The following questions should be considered as part of this area:
• Are employees provided with the appropriate level of training to allow them to succeed in new positions and
advance within the company?
• Is evidence of completion of required HR-related training included in the employee’s personnel file or otherwise
documented?
• Is training appropriately designed to ensure that employees are learning company policies and applicable laws
and regulations associated with their job functions?

Benefits
These address the benefits-related processes, such as benefit plan setup and administration, eligibility,
remittance of health insurance and other premiums, health benefit billing and reimbursement, benefit accruals,
and 401k enrollment/administration/match funding/loans and withdrawals/terminations. The associated risks
involve the accuracy and completeness of information used in these processes as well as the integrity of data and
the ability to make changes to the data.

CONSTRUCTION

New Plant Construction and Design
The process of taking on major capital projects presents various risks, particularly around the management of
contractual, financial, operational and organizational requirements. Proper processes and controls need to be in
place to address the following:
• How well are costs managed and overall project progress monitored (e.g., managing change orders from
contractors)?
• Are contractual requirements being met (e.g., meeting project milestones/deadlines)?
• Have contingencies been properly addressed/mitigated (e.g., indemnification provisions in the contract,
processes to address claims/litigation, etc.)?

Corporate Projects
The process of taking on capital projects, such as corporate remodeling, presents various risks, particularly around
the management of contractual, financial, operational and organizational requirements. Proper processes and
controls need to be in place to address the following:
• How well are costs managed and overall project progress monitored (e.g., managing change orders from
contractors)?
• Are contractual requirements being met (e.g., meeting project milestones/deadlines)?
• Have contingencies been properly addressed/mitigated (e.g., indemnification provisions in the contract,
processes to address claims/litigation, etc.)?

REGULATORY AND COMPLIANCE

Legal
Legal addresses the risk that a company’s transactions, contractual agreements, and specific strategies and
activities are not enforceable under applicable law. Changes in laws and litigation claims and assessments can
also result in increased competitive pressures and significantly affect a company’s ability to efficiently conduct
business. For example, uncontrolled litigation and punitive damages can cause tremendous uncertainty in
decision making and create potentially unacceptable liabilities for businesses. Other examples of specific areas
with legal implications include:
• Anti-Trust Violations: Fraudulent practices that eliminate competition or restrain trade usually lead to
excessive prices (e.g., price-fixing, pricing discrimination, vendor collusion, etc.).
• Environmental Laws and Regulations: Activities covered by federal, state and local environmental agencies
are addressed, including hazardous waste disposal, California Proposition 65, Toxic Substance Control Act,
etc.

Contract Management
Contract management addresses the process of tracking the outstanding contractual commitments so that the
legal and financial implications of decisions to enter into incremental commitments can be appropriately
considered by decision makers. The risks related to this process include legal liability associated with contract
clauses, the ability to uphold/enforce contract requirements, and the financial/legal exposure of committing the
company to binding agreements.

Corporate Administration
Corporate administration addresses the process of identifying, controlling, monitoring and reporting regulatory
and compliance risks, concerns and issues. This includes the identification and recognition of new
regulations and the procedures put in place to ensure compliance.

Regulatory Agency Management
Regulatory Agency Management addresses the risk that regulatory requirements will not be addressed by the
company and fines and penalties will be assessed.

Government Affairs
Government Affairs addresses the risks of doing business in an industry where government involvement may
have a large influence. The risks of government affairs include the risk of not obtaining government funding or
support.

Foreign Corrupt Practices: FCPA and OECD Convention
The U.S. Foreign Corrupt Practices Act of 1977 ("FCPA" or the "Act") prohibits U.S. companies, their
subsidiaries, and their officers, directors, employees and agents from bribing "foreign officials" and also requires
U.S. companies that issue debt or equity to maintain internal accounting controls and to keep books and records
that accurately reflect all transactions.

BUSINESS DEVELOPMENT

Sales and Marketing
Sales and marketing address the risks that arise whether or not new sales opportunities and endeavors are
identified as they present themselves. This includes the risks involved in a new relationship with a minority
interest, an acquisition, a new customer or even new governmental programs.

COMMODITY RISK MANAGEMENT

Commodity Trading
Commodity trading addresses the overall risk that arises in commodity purchases and sales. This includes the
administration of commodity trading as it relates to entering into and executing transactions as well as managing
and monitoring transactions.

Derivative Transactions and Hedging
Derivative transactions and hedging address the ability to effectively manage the risk of volatility of commodity
pricing through derivative and hedging transactions in accordance with the company’s risk management policy.
This also includes the risk that derivative instruments and hedging transactions are not reported accurately in
accordance with FAS 133.

Contract Administration
Contract administration addresses the process of tracking the outstanding contractual commitments so that the
legal and financial implications of decisions to enter into incremental commitments can be appropriately
considered by decision makers. The risks related to this process include legal liability associated with contract
clauses, the ability to uphold/enforce contract requirements, and the financial/legal exposure of committing the
company to binding agreements. This also includes the back-office functions of monitoring the contracts for
purchases and sales once they have been entered. Risks include inaccurate or unfavorable decisions due to poor
monitoring and management.

Inventory Management
Inventory management addresses the risks associated with inventory movement, sales, production volume,
security, etc.

MINORITY INVESTMENTS

Operations
Operations address the risk that companies in which Company X holds a minority interest may not operate at a
level consistent with Company X's standards and may have a negative operational impact on Company X.

Accounting
Accounting addresses the risk that the accounting at companies in which Company X holds a minority interest may
not be in accordance with GAAP or consistent with Company X policies, or that the accounting may have a negative
financial impact on Company X.

Managing the Relationships
Relationship management addresses the risk that the relationship between Company X and each of its minority
investments does not operate in a way that allows positive communication and gives Company X reasonable input
into the major operational and business decisions of the minority investment.

PLANT OPERATIONS

Operational Efficiency
Operational efficiency addresses the overall risks associated with plant operations, including the following:
• Compliance with policies and procedures
• Inventory movement and controls:
− Receiving
− Inventory control
• Sale of wet distillers’ grain and other co-products

Maintenance Program and Equipment Reliability
This addresses the risks surrounding an efficient and effective maintenance program at the plant. Without the
appropriate procedures in place to monitor equipment reliability, the potential for equipment breakdown and
failure increases and the risk of loss due to operational downtime arises. This also includes the risk of being
unable to make timely and efficient repairs.

Physical Security
Physical security considerations within the plant are addressed, including locked access points, security gates
and security guards, secured ethanol tank loadout, alarms, and monitoring devices, such as security cameras.

Safety
Safety addresses worker health and safety risks as they relate to workers’ compensation liabilities and the
potential for severe financial loss due to noncompliance with related laws.

ENVIRONMENTAL, HEALTH AND SAFETY (EH&S)

EH&S Management Strategy
This addresses the risks associated with the overall company strategy to address EH&S risks throughout the
organization as well as the strategy and process for addressing future EH&S risks as they arise.

EH&S Management System
The risk that the system is unable to monitor and manage environmental, health and safety risks is addressed.

Pollution Prevention Program
This program addresses the specific risks associated with pollution and pollution prevention. If the risk of pollution
(air, water, noise, etc.) is not managed, the company can face negative publicity, which could result in an impact
on company revenue.

Remediation Projects
Remediation projects address the risk that the company does not respond to or is not prepared to respond to
EH&S issues as they arise. This includes the actual remediation of issues as well as any resulting public
communications.

RESEARCH AND DEVELOPMENT

Research and Development Strategy
The risk surrounding the strategy for research and development programs is addressed. This includes risks
arising from changing regulations, evolving products and industry needs, production efficiency, and competitor
strategy.

INFORMATION TECHNOLOGY

Disaster Recovery Planning
Disaster recovery planning addresses the risk of the inability to sustain operations, provide essential products and
services, or recover operating costs as a result of a major disaster. The inability to recover from such events in a
world-class manner could damage the company’s reputation, ability to obtain capital, and investor relationships.

Disaster recovery planning is the process of planning for the recovery of critical processes and systems in an
emergency situation based on business and stakeholder requirements and industry best practices.

Support/Help Desk
The help desk addresses the function of providing technical support to business users to facilitate their ability to
carry out their day-to-day responsibilities. Such support includes application troubleshooting, password resetting,
and new/upgraded applications installation. An ineffective help desk/support function would lead to inefficiencies
on the part of the business users because of an inability to carry out their day-to-day tasks.

Information Security Administration
This addresses the risks related to security threats, vulnerabilities and exposures that face every organization.
The security administration function of a company’s IT department is critical to the protection of its information and
systems. Adequate processes need to be in place to control access to systems, data or information. The key risk
surrounding this function is the inappropriate access to systems, data or transactions (either by company
personnel or outsiders), resulting in either the loss of data/information integrity or disclosure and/or misuse of
confidential information.

Network Technology (Internal)
Network technology addresses the risk that internal computers and/or networks are not effectively managed,
resulting in performance or capacity issues for business users. If critical processes performed by computer and/or
network operations personnel are not executed in accordance with described procedures and time frames,
incomplete or inaccurate information processing could result.

Network Technology (External, Including the Firewall)
Network technology addresses the risk that external networks are not effectively managed, resulting in
performance or capacity issues to business users. This also includes the risk that firewalls may be inadequate,
which could result in the loss of company information.

Production Technology
This addresses the risk that the production technology in use is inadequate or inefficient, which could negatively
impact the company through reduced production.

Inventory Systems
Inventory systems address the risk that the system in place is insufficient to manage shipments, deliveries and the
movement of inventory within the plant.

Plant Systems
Plant systems address the key applications and systems that support all functions of the plant, including
production and inventory control systems.

Financial Systems
Financial systems address the risk that the financial systems used are not robust enough to capture all
transactions for the organization. This results in the use of manual processes, which are more susceptible to
error.

IT Asset Management
IT asset management addresses the practice of instituting, managing and controlling IT capital expenditures,
employee and asset productivity, and the business risk associated with IT assets. Companies must understand
and control the cost of IT ownership, as well as have the means to track and manage IT assets. An effective IT
asset management process can reduce complexity in an IT organization, resulting in increased productivity of
employees and assets.

IT Strategy and Governance
IT strategy and governance is the comprehensive management of the IT organization in alignment with board
requirements, compliance requirements and business expectations. It provides the framework for the assessment
and monitoring of operations, investments, effectiveness and compliance of the entire IT organization. IT
governance is not a singular view or assessment of IT environments or activities and is not a specific tool or
enabling technology. IT governance requires ongoing activities that each organization must initiate, communicate
and manage continually.

Project Management
Project management addresses the risks related to the management, execution and control of IT projects and
project management offices (PMOs). The following elements make up a robust project management function:
reporting, training, process development and deployment, tool selection, mentoring and coaching, resource
management, and project management.

Without an effective project management function, critical company projects may get off track and key user needs
may not be met, thus resulting in wasted efforts, significant cost overruns or possible abandonment.

Data Privacy
Data privacy addresses the risk that data obtained in the normal course of business is not maintained securely.
This includes personal information for employees, customers and suppliers.

INTERNAL AUDIT RISK ASSESSMENT QUESTIONNAIRE: SAMPLE 3

Internal audit performs this risk assessment to identify and prioritize key risks to best allocate the internal audit
resources for the next year. Please consider the processes, functions or locations listed below in preparation for
our risk assessment discussion. We are interested in your evaluation of the materiality and/or strategic importance
to the business as well as your perception of the likelihood or concern that problems could occur within this
process or location because of control weaknesses. For example, process X may rank as high (four or five) in the
materiality to the business but may rate low (one or two) as an area of concern for you.

Rate each key process/function on both scales below (1 = Low, 3 = Medium, 5 = High):
Materiality/Importance to Business Strategy: 1 2 3 4 5
Concern of Control/Process Issues: 1 2 3 4 5

Key Process/Function

Operational Processes

Capital/Operating Leases

Code of Conduct

Company Policy Compliance

Fixed Asset Control

Injury, Illness and Protection Plan

Intellectual Property

Litigation Management

Mergers and Acquisitions

Physical Security

R&D

Records Management

Regulatory Compliance

Remote Location Controls

Reputation Risk

Risk Management/Loss Prevention

Shareholder Relations

New Business/Location Startup and Expansion

SOA/Corporate Governance

Revenue Processes

Accounts Receivable

Billing

Cash Receipts/Applications

Credit Assessment/Monitoring

Credit Collection/Bad Debt

Credit Memo Process

Customer Satisfaction Monitoring/Quality Assurance

Customer Support

Forecasting

Intercompany/Interbusiness Unit Sales and Transfer Pricing

Job Order/Project Setup

Revenue Recognition

Royalties

Sales/Lead Generation

Sales Contracts

Third-Party Alliances

Expenditure Processes

Accounts Payable/Cash Disbursements

Capital Assets

Facilities Leases


Financing Decision Processes

Purchasing/Purchase Order

Receiving

Supplier Management

Time and Expenses Reporting

Travel and Entertainment

Vendor Negotiation and Setup

Treasury Processes

Cash and Investment Management

Derivatives

Financing Arrangements

Foreign Currency Management

Insurance

Transfer Pricing

Financial Reporting Processes

Budgeting/Forecasting

GL Closing/Consolidation Process

Management Reporting/MIS

Tax Compliance

Information Systems Processes

Applications/Database Management

Business Continuity Planning

Data Access/Security

Key Business Application


Network Management

Project Management

System Strategy/Planning

Payroll/Personnel Processes

Commission/Bonus Plan

Compensation and Benefits Management

Employee Satisfaction Monitoring

HR Records Management

Payroll Processing

Performance Assessment

Recruitment

Stock Plan Management

Training

Company X Locations and Reason(s) for Concern

Location:

Reason(s) for Concern:

Location:

Reason(s) for Concern:

Location:

Reason(s) for Concern:

Location:

Reason(s) for Concern:

Location:

Reason(s) for Concern:


Location:

Reason(s) for Concern:

Location:

Reason(s) for Concern:

Location:

Reason(s) for Concern:

Location:

Reason(s) for Concern:

Location:

Reason(s) for Concern:

Location:

Reason(s) for Concern:
