COMPANY A

Risk Control Matrix - Project Management

Presentation and Disclosure

Valuation and Allocation
Existence or Occurrence

Rights and Obligation

Test Type:
(Inquiry/
Anti-Fraud Operational/ Key/ Control
Process Sub-process Risk Description Control Reference Control Description (Yes/No) Financial Inspection/ Testing Steps: Walkthrough Period: Testing Period Non-Key Frequency: Preparer:

Completeness
Observation/
Re-performance)

There is no business case (cost benefit analysis)

developed before deployment of project leading to During our process understanding with NAME, AVP-F&A and NAME, CEO, we
ineffective and inefficient decision making resulting in understood that the project has been taken over in the mid-way. Hence there Perform an inquiry with NAME, AVP-F&A and NAME, CEO to gain an understanding of the April 1, 2017 - January April 1, 2017 -
Project Management Project Planning unjustifiable and/or unwanted CAPEX by the PM-1 was no business case prepared and presented before execution of pending No Operational Inquiry process. 31, 2018 March 31, 2018 Key One time -
organization. Moreover, it may not define the benefits project for Phase II.
and ROI to be achieved.
 COMPANY A
Control Matrix - Project Management
Test of Design Test of Operating Effectiveness

Information Provide by
Automated / Test of Design
Reviewer: Preventive / Detective Manual Source System Entity (IPE) Management IPE Activities Walkthrough Details: Conclusion Issue Recommendation Summary Test of O/E Conclusion Issue Recommendation Summary
(Yes/No)

There was no business case (cost benefit It is recommended that a comprehensive

Perform an inquiry with NAME, AVP-F&A and NAME, CEO to gain an analysis) developed for effective and business case (cost benefit analysis) should be
- Preventive Manual N/A NA NA understanding of the process. Fail efficient decision making before developed for effective and efficient decision N/A N/A N/A
deployment of project. making before deployment of project in future.
Design Effectiveness Testing Procedures
Location: Plant
Process: Project Management
Control Reference: PM-1
Control Owner: NAME

Tester: NAME
Reviewer: NAME

There is no business case (cost benefit analysis) developed before deployment of project leading to ineffective and inefficient decision making
Risk Description resulting in unjustifiable and/or unwanted CAPEX by the organization. Moreover, it may not define the benefits and ROI to be achieved.

During our process understanding with NAME, AVP-F&A and NAME, CEO, we understood that the project has been taken over in the mid-way.
Control Description:
Hence there was no business case prepared and presented before execution of pending project for Phase II.

Key/Non-Key Key
Control Frequency: One time
Automated / Manual Manual
Preventive / Detective Preventive
Preparer -
Reviewer -
Sampling Approach: As per the sampling methodology, we have considered one sample for testing the design of the above mentioned control

If IPE, document the testing procedures below:

IPE Type (i.e., canned report, IT customized report, query
spreadsheet testing. NA
report, spreadsheet)?
If IPE is validated, discuss the procedures performed in this NA
control to validate the completeness and accuracy of data

Walkthrough Details Perform an inquiry with NAME, AVP-F&A and NAME, CEO to gain an understanding of the process.

Conclusion: Fail

Testing Attribute A:

Attribute
A
Sample
Exceptions Noted? Notes Work Paper Reference
N/A N/A N/A N/A N/A

Work papers References:

Legend:
Y Control attribute achieved (pass)
X Control attribute not achieved (exception)
N1, N2, N3…. Testing Note
N/A Not Applicable
Design Effectiveness Testing Procedures
Location: Plant
Process: Project Management
Control Reference: PM-2
Control Owner: NAME

Tester: NAME
Reviewer: NAME

Lack of approved project plan and missing or lo

Risk Description
plan.

During our process understanding with NAME,

there was no document available related to the
Control Description: Hence no project plan was prepared for executi
for the Unit III is 31st December 2017 and Unit
decided as May 2018 to complete the project.

Key/Non-Key Key
Control Frequency: One time
Automated / Manual Manual
Preventive / Detective Preventive
Preparer -
Reviewer -
Sampling Approach: As per the sampling methodology, we have con

If IPE, document the testing procedures below:

IPE Type (i.e., canned report, IT customized report, query
spreadsheet testing. NA
report, spreadsheet)?
If IPE is validated, discuss the procedures performed in this NA
control to validate the completeness and accuracy of data
 1) Perform an inquiry with NAME, AVP-F&A and
Walkthrough Details
2) Verified the IM document for the project bud

Conclusion: Fail

Testing Attribute A:

Attribute
A
Sample

N/A N/A

Work papers References:

Legend:
Y Control attribute achieved (pass)
X Control attribute not achieved (exception)
N1, N2, N3…. Testing Note
N/A Not Applicable
 plan and missing or loose timelines in project plan may disable project tracking leading to delay in execution of rollout

rstanding with NAME, AVP-F&A and NAME, CEO, we understood that the project has been taken over in the mid-way and
available related to the actual completion of project against the initial drawing and BOQ at the time of project taken over.
as prepared for execution of the remaining tasks. As per the Information of Memorandum (IM), schedule completion date
cember 2017 and Unit IV 31st March 2018. agreed and finalized with the lenders Though the overall time line has been
complete the project.

hodology, we have considered one sample for testing the design of the above mentioned control
 th NAME, AVP-F&A and NAME, CEO to gain an understanding of the process.
ment for the project budget and agreed tiCOMPANY Aine.

ibute
A
Exceptions Noted? Notes Work Paper Reference
N/A N/A N/A N/A
elay in execution of rollout

aken over in the mid-way and

he time of project taken over.
M), schedule completion date
overall time line has been

ntrol
Work Paper Reference
N/A
Design Effectiveness Testing Procedures
Location: Plant
Process: Project Management
Control Reference: PM-3
Control Owner: NAME

Tester: NAME
Reviewer: NAME

Risk Description Lack of a documented alternative / contingency

During our process understanding with NAME,

Control Description: for Phase II.

Key/Non-Key Key
Control Frequency: One time
Automated / Manual Manual
Preventive / Detective Preventive
Preparer -
Reviewer -
Sampling Approach: As per the sampling methodology, we have con

If IPE, document the testing procedures below:

IPE Type (i.e., canned report, IT customized report, query
spreadsheet testing.
report, spreadsheet)? NA
If IPE is validated, discuss the procedures performed in this NA
control to validate the completeness and accuracy of data
Walkthrough Details Perform an inquiry with NAME, AVP-F&A and N

Conclusion: Fail

Testing Attribute A:

Attribute
A
Sample

N/A N/A

Work papers References:

Legend:
Y Control attribute achieved (pass)
X Control attribute not achieved (exception)
N1, N2, N3…. Testing Note
N/A Not Applicable
ternative / contingency plan for unforeseen events can result in project delays and incurred costs.

rstanding with NAME, AVP-F&A and NAME, CEO, we understood that there is no alternative / contingency plan available

hodology, we have considered one sample for testing the design of the above mentioned control
NAME, AVP-F&A and NAME, CEO to gain an understanding of the process.

ibute
A
Exceptions Noted? Notes Work Paper Reference
N/A N/A N/A N/A
costs.

/ contingency plan available

ntrol
Work Paper Reference
N/A
Design Effectiveness Testing Procedures
Location: Plant
Process: Project Management
Control Reference: PM-4
Control Owner: NAME

Tester: NAME
Reviewer: NAME

Risk Description Lack of project budget approval before executio

Control Description: During our process understanding with NAME,

report. Further Management has taken a target

Key/Non-Key Key
Control Frequency: One time
Automated / Manual Manual
Preventive / Detective Preventive
Preparer -
Reviewer -
Sampling Approach: As per the sampling methodology, we have con

If IPE, document the testing procedures below:

IPE Type (i.e., canned report, IT customized report, query NA
spreadsheet testing.
report, spreadsheet)?
If IPE is validated, discuss the procedures performed in this NA
control to validate the completeness and accuracy of data
 1) Perform an inquiry with NAME, AVP-F&A and
Walkthrough Details
2) Verified the IM document for the project bud

Conclusion: Pass

Testing Attribute A: Evidence of IM document

Attribute
A
Sample

N/A Y

Work papers References:

Legend:
Y Control attribute achieved (pass)
X Control attribute not achieved (exception)
N1, N2, N3…. Testing Note
N/A Not Applicable
pproval before execution of project may result into cost overrun.

rstanding with NAME, AVP-F&A and NAME, CEO, we understood that there is an over all budget of INR xxx. as per the IM
ment has taken a target to complete the project within INR xxxx.

hodology, we have considered one sample for testing the design of the above mentioned control
 th NAME, AVP-F&A and NAME, CEO to gain an understanding of the process.
ment for the project budget and agreed tiCOMPANY Aine.

nt

ibute
A
Exceptions Noted? Notes Work Paper Reference

The IM document is a
confidential document
Y Yes hence was not provided a N/A
copy. It has been duly
verified at Plant
get of INR xxx. as per the IM

ntrol
Work Paper Reference

N/A
Operating Effectiveness Testing Procedures
Location: Plant
Process: Project Management
Control Reference: PM-4
Control Owner: NAME

Tester: NAME
Reviewer: NAME

Risk Description Lack of project budget approval before executio

Control Description: During our process understanding with NAME,

report. Further Management has taken a target

Key/Non-Key Key
Control Frequency: One time
Automated / Manual Manual
Preventive / Detective Preventive
Preparer -
Reviewer -
Sampling Approach: As per the sampling methodology, we have con

If IPE, document the testing procedures below:

IPE Type (i.e., canned report, IT customized report, query NA
spreadsheet testing.
report, spreadsheet)?
If IPE is validated, discuss the procedures performed in this NA
control to validate the completeness and accuracy of data
 1) Perform an inquiry with NAME, AVP-F&A and
Walkthrough Details
2) Verified the IM document for the project bud

Conclusion: The design effectiveness could not be tested a

Testing Attribute A: Evidence of IM document

Attribute
A
Sample

Work papers References:

Legend:
Y Control attribute achieved (pass)
X Control attribute not achieved (exception)
N1, N2, N3…. Testing Note
N/A Not Applicable
pproval before execution of project may result into cost overrun.

rstanding with NAME, AVP-F&A and NAME, CEO, we understood that there is an over all budget of INR xxx. as per the IM
ment has taken a target to complete the project within INR xxxx.

hodology, we have considered one sample for testing the design of the above mentioned control
 th NAME, AVP-F&A and NAME, CEO to gain an understanding of the process.
ment for the project budget and agreed tiCOMPANY Aine.

could not be tested as there are no samples for the year.

nt

ibute
A
Exceptions Noted? Notes Work Paper Reference
get of INR xxx. as per the IM

ntrol
Work Paper Reference
Design Effectiveness Testing Procedures
Location: Plant
Process: Project Management
Control Reference: PM-5
Control Owner: NAME

Tester: NAME
Reviewer: NAME

Absence of monitoring of performance KPIs cou

Risk Description
budget overruns.

Performance measurement KPIs have been est

defined:
1. Overall Progress S-Curve
2. Overall Monthly Progress %
3. Construction Monthly Progress %
4. Procurement Monthly Progress %
Control Description: 5. Civil Performance
6. Boiler Performance
7. BOP Performance
8. Package wise Progress%
9. Manpower Actual Mobilization Curve

Performance against defined KPIs are currently

Key/Non-Key Key
Control Frequency: Monthly
Automated / Manual Manual
Preventive / Detective Detective
Preparer Project Technical Team
Reviewer CEO
Sampling Approach: As per the sampling methodology, we have con

If IPE, document the testing procedures below:

IPE Type (i.e., canned report, IT customized report, query
spreadsheet testing. NA
report, spreadsheet)?
If IPE is validated, discuss the procedures performed in this NA
control to validate the completeness and accuracy of data
 1) Perform an inquiry with NAME, AVP-F&A and
Walkthrough Details 2) Randomly select a sample
3) From the selected sample, verified the identi

Conclusion: Pass

Testing Attribute A: Evidence of perfomance measurement KPIs hav

Attribute
A
Sample
COMPANY A : Phase II December 2017 progress report Y

Work papers References:

PM 5.1 COMPANY A : Phase II December 2017 progress

Legend:
Y Control attribute achieved (pass)
X Control attribute not achieved (exception)
N1, N2, N3…. Testing Note
N/A Not Applicable
f performance KPIs could lead to non measurement and non achievement of goals and objectives, including cost and

ent KPIs have been established with respect to non financial parameters. Noted that the following KPIs have been

ve
ess %
Progress %
Progress %

%
bilization Curve

fined KPIs are currently being monitored and reviewed by CEO on a monthly basis.

hodology, we have considered one sample for testing the design of the above mentioned control
th NAME, AVP-F&A and NAME, CEO to gain an understanding of the process.
mple
mple, verified the identification and monitoring of KPIs

measurement KPIs have been established with respect to non financial parameters.

ibute
A
Exceptions Noted? Notes Work Paper Reference
Y No N/A PM 5.1

ecember 2017 progress report

tives, including cost and

owing KPIs have been

ntrol
Work Paper Reference
PM 5.1
Operating Effectiveness Testing Procedures
Location: Plant
Process: Project Management
Control Reference: PM-5
Control Owner: NAME

Tester: NAME
Reviewer: NAME

Absence of monitoring of performance KPIs cou

Risk Description
budget overruns.

Performance measurement KPIs have been est

defined:
1. Overall Progress S-Curve
2. Overall Monthly Progress %
3. Construction Monthly Progress %
4. Procurement Monthly Progress %
Control Description: 5. Civil Performance
6. Boiler Performance
7. BOP Performance
8. Package wise Progress%
9. Manpower Actual Mobilization Curve

Performance against defined KPIs are currently

Key/Non-Key Key
Control Frequency: Monthly
Automated / Manual Manual
Preventive / Detective Detective
Preparer Project Technical Team
Reviewer CEO
Sampling Approach: As per the sampling methodology, we have con

If IPE, document the testing procedures below:

IPE Type (i.e., canned report, IT customized report, query
spreadsheet testing. NA
report, spreadsheet)?
If IPE is validated, discuss the procedures performed in this NA
control to validate the completeness and accuracy of data
 1) Perform an inquiry with NAME, AVP-F&A and
Walkthrough Details 2) Randomly select two samples
3) From the selected samples, verified the iden

Conclusion: Pass

Testing Attribute A: Evidence of perfomance measurement KPIs hav

Attribute
Sample A
COMPANY A Phase II June 2017 progress report Y
COMPANY A Phase II January 2018 progress report Y

Work papers References:

PM 5.1 COMPANY A Phase II June 2017 progress repor
PM 5.2 COMPANY A Phase II January 2018 progress re

Legend:
Y Control attribute achieved (pass)
X Control attribute not achieved (exception)
N1, N2, N3…. Testing Note
N/A Not Applicable
f performance KPIs could lead to non measurement and non achievement of goals and objectives, including cost and

ent KPIs have been established with respect to non financial parameters. Noted that the following KPIs have been

ve
ess %
Progress %
Progress %

%
bilization Curve

fined KPIs are currently being monitored and reviewed by CEO on a monthly basis.

hodology, we have considered two samplea for testing the effectiveness of the above mentioned control
th NAME, AVP-F&A and NAME, CEO to gain an understanding of the process.
samples
mples, verified the identification and monitoring of KPIs

measurement KPIs have been established with respect to non financial parameters.

ibute
A Exceptions Noted? Notes Work Paper Reference
Y No N/A PM 5.1
Y No N/A PM 5.2

ne 2017 progress report

nuary 2018 progress report
tives, including cost and

owing KPIs have been

oned control
Work Paper Reference
PM 5.1
PM 5.2
Design Effectiveness Testing Procedures
Location: Plant
Process: Project Management
Control Reference: PM-6
Control Owner: NAME

Tester: NAME
Reviewer: NAME

Risk Description Incorrect or delayed reporting on KPI performa

Control Description: AVP - F&A sends the monthly Progress Snap Sh

Key/Non-Key Key
Control Frequency: Monthly
Automated / Manual Manual
Preventive / Detective Detective
Preparer Project Technical Team
Reviewer CEO
Sampling Approach: As per the sampling methodology, we have con

If IPE, document the testing procedures below:

IPE Type (i.e., canned report, IT customized report, query
spreadsheet testing. NA
report, spreadsheet)?
If IPE is validated, discuss the procedures performed in this NA
control to validate the completeness and accuracy of data

1) Perform an inquiry with NAME, AVP-F&A and

Walkthrough Details 2) Randomly select a sample
3) From the selected sample, verified the timel
Conclusion: Pass

Testing Attribute A: Evidence of monthly progress snap shots

Attribute
A
Sample

COMPANY A : Phase II November 2017 progress report Y

Work papers References:

PM 6.1 COMPANY A : Phase II November 2017 progres

Legend:
Y Control attribute achieved (pass)
X Control attribute not achieved (exception)
N1, N2, N3…. Testing Note
N/A Not Applicable
orting on KPI performance may lead to delay in decision making

nthly Progress Snap Shots to the higher management post CEO review.

hodology, we have considered one sample for testing the design of the above mentioned control

th NAME, AVP-F&A and NAME, CEO to gain an understanding of the process.

mple
mple, verified the timely intimation to the higher management
gress snap shots

ibute
A
Exceptions Noted? Notes Work Paper Reference

Y No N/A PM 6.1

ovember 2017 progress report

ntrol
Work Paper Reference

PM 6.1
Operating Effectiveness Testing Procedures
Location: Plant
Process: Project Management
Control Reference: PM-6
Control Owner: NAME

Tester: NAME
Reviewer: NAME

Risk Description Incorrect or delayed reporting on KPI performa

Control Description: AVP - F&A sends the monthly Progress Snap Sh

Key/Non-Key Key
Control Frequency: Monthly
Automated / Manual Manual
Preventive / Detective Detective
Preparer Project Technical Team
Reviewer CEO
Sampling Approach: As per the sampling methodology, we have con

If IPE, document the testing procedures below:

IPE Type (i.e., canned report, IT customized report, query
spreadsheet testing. NA
report, spreadsheet)?
If IPE is validated, discuss the procedures performed in this NA
control to validate the completeness and accuracy of data

1) Perform an inquiry with NAME, AVP-F&A and

Walkthrough Details 2) Randomly selected 2 samples
3) From the selected samples, verified the time
Conclusion: Pass

Testing Attribute A: Evidence of monthly progress snap shots

Attribute
A
Sample

COMPANY A Phase II October 2017 progress report Y

COMPANY A Phase II January 2018 progress report Y

Work papers References:

PM 6.1 COMPANY A Phase II October 2017 progress re
PM 6.2 COMPANY A Phase II January 2018 progress re

Legend:
Y Control attribute achieved (pass)
X Control attribute not achieved (exception)
N1, N2, N3…. Testing Note
N/A Not Applicable
orting on KPI performance may lead to delay in decision making

nthly Progress Snap Shots to the higher management post CEO review.

hodology, we have considered two samples for testing the effectiveness of the above mentioned control

th NAME, AVP-F&A and NAME, CEO to gain an understanding of the process.

samples
mples, verified the timely intimation to the higher management
gress snap shots

ibute
A
Exceptions Noted? Notes Work Paper Reference

Y No N/A PM 6.1

Y No N/A PM 6.2

tober 2017 progress report

nuary 2018 progress report
oned control
Work Paper Reference

PM 6.1

PM 6.2