“Final Report”
Naizak’s Internal Control & Risk
Co-op Advisor:
Dr. HAIDAR MADANI
ERP Supervisor:
Mr. Ahmad Najar
Financial Prospects Consultant
Ezat Mayez Al-Mohammed
200794830
COOP REPORT - NAIZAK
Contents
Executive Summary
Chapter 1 Company Background
Corporate level strategy:
Functional-Level strategy Competencies Structure:
Lab Systems Services:
Engineering Services:
IT infrastructure Services:
Communication Services:
Enterprise Applications:
Training and Education Services:
E-Learning Services:
Power Services:
Business Strength:
Quality:
Chapter 2 Literature Review
3.1. Reporting requirements.
3.2. Extent of required internal controls.
3.3. Extent of understanding needed.
3.4. Assessing control risk.
Chapter 2 4. (LITERATURE REVIEW II) Introduction on Internal Control and Risk:
4.1. The General Internal Control Functions:
4.1.1. Preventive Controls
4.1.2. Detective Controls
4.1.3. Corrective Controls
4.1.4. Predictive Controls
4.2. The Statements on Auditing Standards N. 78
4.2.1. The Control Environment
4.2.2. Risk Assessment
4.2.3. Information and Communication
4.2.4. Monitoring
4.2.5. Control Activities
Chapter 3 (TECHNICAL PART) Naizak internal controls:
5.1. Interviews:
5.2. Processes Documentation:
5.3. Understanding the Expense Management Process:
5.4. Collection of Expense Management Process Support Documents:
5.5. Checking Departure with Abdulkarim Internal Control Policy or inconsistencies
5.6. Documenting the Expense Management Procedure:
5.7. Review of documented Procedure:
6. Risks:
6.1. Risk from changes in circumstances:
6.2. Risk from Computer controls:
6.2.1. Data entry controls:
6.2.2. Data output controls:
6.3. Risk from Physical controls:
Chapter 4 Conclusion:
Chapter 5 Appendix
Chapter 6 Works Cited

Figure 1 project process
Figure 2 Portal consists of seven modules; accessed by company clerks, managers, and sales personal only.
Figure 3 Microsoft dynamics ax modules. The modules shown are the viewable modules for the limited account provided.
Figure 4 Expense Report
Figure 5 tracing claims as they get posted and paid
Figure 6 Entering expenses in the expense report and submitting
Figure 7 Expense report status
Figure 8 Approved "Paid Expenses" being transferred to Journal
Figure 9 posting to General Ledger
Figure 10 submitting a cash advance request
Figure 11 Cash advances approved by the division manager
Figure 12 the Online Documentation of Procedures
Figure 13 an Example of Demo Procedure
Figure 14 Search Capability
Figure 15 Expense Report, Expense Header.
Figure 16 Expense Report Body
Figure 17 New Expense Report
Figure 18. Naizak chart of accounts
Figure 19

DFD 1 Expense Management Process
DFD 2 Expense Management Process
DFD 3 the New Data Flow for Expense management
DFD 4 Internal Auditing procedure
Narrative 1 Management Responsibility

Table 1 general interview questions
Table 2 AKH Supply Chain Procedure
Table of abbreviations:
MR Management Representative
VP Vice President
ED Executive Director
ERP Enterprise Resource Planning
AIS Accounting Information System
AKH Abdulkarim Holding
SAS Statements on Auditing Standards
Executive Summary
Purpose
The purpose of this report is to examine and evaluate the internal control system of
Naizak under the supply chain procedures to be applied at the company. The supply
chain procedure The supporting literature for an effective internal control system is the
recommendations of the Committee of Sponsoring Organizations and the Statements
on Auditing Standards 78, which are presented in the literature review (Chapter II) of
this report.
Chapter 1 Company Background
Established in 1998 as a subsidiary of Al Abdulkarim Group, Naizak Global
Engineering Systems, with offices around the Kingdom of Saudi Arabia (Jeddah,
Riyadh, and Khobar), consists of 450 employees. Naizak’s business-level strategy
is totally customer driven, investing in talented resources that are
specialized in technology solutions to provide classy services to its customers.
Naizak is focused on Supply Chain Management (SCM), which has helped it position itself
to hold sophisticated outsourcing initiatives for major Saudi Oil & Gas and
petrochemical companies and research institutes. Naizak has successfully satisfied
these clients with best-in-class SCM business models using fully integrated technology
solutions. (REF 1.) (REF 2.).
In addition to its in-Kingdom branches, Naizak has a network of offices in Bahrain,
Qatar, and the United Arab Emirates, providing a range of solutions that cover all areas
of industrial processes to businesses of all sizes. Naizak also caters to the specific
needs of energy and industry clients in the Middle East.
Corporate level strategy:
Vision: Excellence through Innovation, Agility and Commitment
Mission: We are a customer focused company that partners with leading suppliers and
transforms performance through Innovation, Quality and Commitment to assist our
customers achieve operational excellence and increase profitability.
Strategic Direction: To Provide Our Customers Solutions That Streamlines Processes
So They Can Focus on Their Core Business (REF 1.).
Functional-Level strategy Competencies Structure:
Naizak’s Global Engineering Systems provides its customers with specialized services that
are realigned with all sectors in the market and the manufacturing fields that utilize
Naizak’s services (REF 3.):
Lab Systems Services: Naizak Research & Lab Systems has emerged as one of the
leading suppliers of analytical lab equipment and testing instruments catering to the
evolving needs of the vast and diversified scientific and research industry in the
Kingdom of Saudi Arabia and other Gulf countries. Naizak Lab Systems is providing
Laboratory Infrastructure Solutions and complete analytical solutions to the wide
ranging analytical industry by associating with world renowned manufacturers/suppliers.
This division of Naizak has this year successfully won a long-term contract with KAUST
as an outsourcing partner to support its research community. KAUST expects to run
more than 40 Lab Centers in 3-4 years. Naizak has successfully designed and
implemented state-of-the-art integrated solutions like SAP and Chemical
Management applications to provide strong support to KAUST to enhance its
research capabilities.
Engineering Services: Naizak supports hydrocarbon manufacturers like Aramco and
SABIC, and utilities like SEC, in both upstream and downstream projects and
operations. Through its technology-driven awareness and strategic long-term
partnerships with major corporations, Naizak’s clients are provided with a complete range
of products of integrated/end-to-end services. Under this Division, Naizak deploys
talented technical resources in three Units: Instrumentation, Control Systems and
Industrial Systems. The Industrial Systems Division today plays a key role in presenting
cutting-edge technology to support the growing Refining & Petrochemical sector in the region.
Naizak invests significantly in this area by providing Local Contents to help its
major clients in the technical support area. There are teams on the ground working on
many initiatives that resulted in signing corporate Agreements with the aforementioned
clients.
IT infrastructure Services: Naizak provides data infrastructure solutions through
partnering with world renowned companies such as Fujitsu Siemens, Hitachi,
Symantec, and Adic. The service also includes full helpdesk support and after-sales
services. For example, Naizak is the outsourced Partner to Saudi Aramco, SABIC,
and Petrorabigh in implementing solutions like the Lab Information System
Management (LIMS), which depends heavily on the latest help desk solution from BMC,
called “Remedy.”
Communication Services: Naizak communication services was established to provide
turnkey solutions to the ever-growing telecom sector. Naizak aims to provide premium
service that extends into many domains of telecom services, through partnership with
Alcatel, Riverbed, Cisco, Hirschman, Aruba, and Huawei.
Enterprise Applications: Naizak supplies configurable multifaceted software solutions
to improve organizational and operational efficiency. In addition, Naizak provides
Enterprise Resource Planning (ERP) systems such as SAP and Microsoft
Dynamics. Naizak is a SAP Preferred Solution/Implementation Partner.
Training and Education Services: Naizak, as an Authorized Training Partner of SAP,
is equipped with state-of-the-art training facilities in Al-Khobar, Saudi Arabia
and Dubai to provide quality training for corporate organizations and individuals on
various functionalities of SAP, Pink Elephant’s ITIL Training and DNV’s industrial Safety
Training.
E-Learning Services: Naizak is very strong in e-Learning and has a long history of
providing e-Learning solutions to companies like Saudi Aramco and SABIC. Naizak
has major partnerships with major organizations worldwide that provide e-Learning
curriculum.
Power Services: Naizak provides the Power Sector in the region with a bundle of
services offered in two divisions. The first is Power System, which specializes in the turnkey
supply, installation, commissioning, integration and maintenance/field service of
equipment and systems related to Power Generation, Transmission, Distribution and
Control and SCADA systems (DCS, EMS, and DMS). The other division is Electrical,
which provides integrated SCM services along with advanced electrical materials supply
to major clients like Aramco, SABIC, and SEC.
Business Strength:
Naizak, as a service provider, realigns its Corporate Strategic Directions with
best-in-class practice. Naizak adopts a contemporary organization structure while fully putting
change management into practice. Naizak tailors the Supply Chain business model for its
clients’ projects, capitalizing on the company’s new ERP system (Microsoft Dynamics
AX 2009) through its Project Accounting functionality. Naizak’s proven services ensure
on-time service that can only be achieved by investing internally in technology
solutions to help us turn out high performance. Naizak Executive Management places
great emphasis on such high-performance enabling tools when serving Naizak’s
customers.
Quality:
Customer, partner and employee satisfaction are essential components of realizing
Naizak’s vision. Naizak’s quality objectives include:
• Listening to Customers
• Improving Through Best Practices and Methodologies
• Developing Human Resources
• Exceeding Expectations
A testament to Naizak’s success is that Al Abdulkarim Holding ranked amongst Saudi
Arabia’s Top 100 Companies.
• A top 100 Saudi Company with a turnover in excess of US$ 500 Million.
• Gulf's largest supplier of electrical, electromechanical, telecommunication,
instrumentation, oilfield components and equipment.
o Over One Million square feet warehouse facility
o Over 35 years of experience in the region
o 1500+ Employees
• Awarded Saudi Arabian Oil Company (Saudi Aramco) Best Supplier Award in
2002.
Chapter 2 Literature Review
The difference between Public and Nonpublic Companies in Evaluating, Reporting, and Testing
Internal Controls (REF 4.):
Most of the auditing standards are enforced on public companies because of the fraud
cases found, such as the scandal between Enron and Arthur Andersen (REF 10). In
response, the AICPA has created several new Statements on Auditing Standards,
such as SAS 96, SAS 98, and SAS 99, which generally deal with:
• The extent of documentation needed in an audit,
• Auditor judgments of significance,
• Changes made on GAAS regarding audit risk and materiality,
• And the changes made on auditor’s responsibility to search for fraud and
information gathering for an audit.
These requirements are enforced to ensure the transparency of the financials for the
investors and other stakeholders too. Non-public companies are also required to
be audited to ensure that the financials reflect their financial position and can be trusted by
banks, for instance, or by the IRS in the US or the Zaka body here in Saudi.
Internal controls in both public and non-public companies play an important role in
identifying the audit risk. The following shows the difference between public and
non-public companies in evaluating, reporting, and testing internal controls.
3.1. Reporting requirements.
The most important difference related to internal controls between public and
nonpublic company audits is the lack of a requirement for an audit of internal
controls over financial reporting for nonpublic companies. The auditor,
therefore, focuses on internal control only to the extent that is needed to do a
quality audit of financial statements.
The auditor is required by auditing standards to issue a report on significant
deficiencies and material weaknesses in internal control to the audit committee or
other senior management, the same as for public companies.
3.2. Extent of required internal controls.
In both public and non-public companies, the establishment of internal controls is a
management responsibility. If the control environment or documentation is
inadequate, the auditor may decide to withdraw from the engagement or issue a
disclaimer of opinion. Nonpublic companies, too, need to understand the
importance of effective controls to reduce the likelihood of errors and fraud, and to
improve the effectiveness of the accounting system.
Abdulkarim Co., on the other hand, has formalized policies for its operations in
manuals through its Quality and Audit Department. These documents are
called the Supply Chain Manual and the Supply Chain Procedure (SCM and
SCP). These policies highlight:
• competent, trustworthy personnel with clear lines of authority
• proper procedures for authorization, execution, and recording of transactions
• adequate documents, records, and reports
• physical controls over assets and records
• a limited degree of independent checks on performance
3.3. Extent of understanding needed.
Auditing standards require that the auditor obtain a sufficient understanding of
internal control to assess control risk. In practice, the procedures to gain an
understanding of internal control vary considerably from client to client. For
nonpublic clients, many auditors obtain a level of understanding sufficient only to
assess:
1. Whether the statements are auditable.
2. Evaluate the control environment for management's attitude toward internal
control and financial reporting.
3. Determine the adequacy of the client's accounting system.
For larger clients it is more efficient to perform increased tests of controls rather than
substantive tests because of the huge number of transactions.
It is common for every Naizak department to have its own reliable narratives
and flowcharts. These narratives and flowcharts assist the auditor in obtaining a
sufficient understanding of internal control to assess control risk.
3.4. Assessing control risk.
The most important difference in a nonpublic company in assessing control risk is
the ability to assess control risk at maximum for any or all control related objectives.
The auditor can make that assessment for any objective whether:
1. Internal controls do not exist or are ineffective, or
2. It is more costly to perform tests of controls than the cost reductions that would
result from reduced substantive tests.
As with public company audits, it is useful for auditors to use a control risk matrix for
nonpublic company audits to assess the extent of tests of controls needed.
Whenever the auditor assesses control risk below maximum, the auditor must
perform tests of controls to support that control risk assessment. The auditor will not
perform tests of controls when the auditor assesses control risk at maximum, either
because of:
1. Inadequate controls, or
2. Because it is inefficient to test those controls.
When control risk is assessed below the maximum, the auditor designs and performs
a combination of tests of controls and substantive procedures. This shows that tests
of controls vary, based on the auditor's assessment of control risk.
In contrast, the number of controls tested by auditors to express an opinion on
internal controls for a public company is significantly greater than that tested solely
to express an opinion on the financial statements. To express an opinion on
internal controls for a public company, the auditor:
1. Obtains an understanding of the client’s control risk, and
2. Performs tests of controls for all significant account balances, classes of
transactions, and disclosures and related assertions in the financial
statements.
Chapter 2 4. (LITERATURE REVIEW II) Introduction on Internal
Control and Risk:
In the 1980s, the Committee of Sponsoring Organizations (COSO) was formed to address the
frauds of that era. The organizations that sponsored, and still sponsor, this entity include
Financial Executives International (FEI), the Institute of Management Accountants (IMA),
the American Accounting Association (AAA), the AICPA, and the IIA. (REF 5.)
The Committee put forward what is known as internal controls as the best deterrent to fraud. It
decided to focus on an effective model for internal controls from a management
perspective, which produced the COSO Model. The AICPA adopted the COSO model
into auditing standards with the adoption of SAS No. 78, Consideration of Internal
Control in a Financial Statement Audit. (REF 6.)
The establishment and maintenance of an internal control system is a management
obligation. The internal control system has four broad objectives to achieve:
1. Safeguard assets of the firm.
2. Accuracy and reliability of accounting records and information.
3. Promote efficiency in the firm's operations.
A risk is a potential threat to the organization’s assets. An exposure results from an
absence or weakness in the internal control system. Exposures increase the firm's risk of
financial loss or damage. Such risks are:
1. The destruction of assets, both physical assets and information.
2. The theft of assets.
3. The corruption of information or the information system.
4. The disruption of the information system.
The internal control system is a system that protects the organization from undesirable
events. The system should provide reasonable assurance that the four broad objectives of
internal control are met, that is, reasonable assurance against:
1. Attempts at unauthorized access to the firm's physical assets and information,
2. Fraud perpetrated by persons both inside and outside the firm,
3. Errors due to employee lack of skill,
4. Faulty computer programs, and corrupted input data; and playful acts, such as
unauthorized access by computer hackers and threats from computer.
4.1. The General Internal Control Functions:
The internal control consists of four levels of control: preventive controls, detective
controls, corrective controls, and predictive controls. (REF 7.)
4.1.1. Preventive Controls
Preventive controls are techniques designed to reduce the occurrence of undesirable
events by setting prearranged or desired actions and thus eliminating irregular events.
For example,
1. A well-designed data entry screen is an example of a preventive control.
2. The logical layout of the screen into zones that permit only specific types of data,
such as:
• Customer name: Alphabetical
• Address: Numeric, Alphabetical
• Items sold: Numeric
• Quantity: Numeric
Such controls force the data entry clerk to enter the required data and prevent needed
data from being omitted.
4.1.2. Detective Controls
Detective controls are devices, techniques, and procedures designed to identify and
expose departures from pre-established standards that escape preventive controls.
4.1.3. Corrective Controls
Corrective actions are taken to reverse the effects of detected errors (fixing the
problem) after they have passed both preventive and detective controls.
4.1.4. Predictive Controls
Predictive controls are the forecasting and evaluation of risks that may cause future
undesirable events.
4.2. The Statements on Auditing Standards No. 78
Statement on Auditing Standards No. 78 (SAS 78) conforms to the recommendations of the
Committee of Sponsoring Organizations (COSO). Internal control as defined in SAS 78
consists of five components: (REF 6.) (REF 8.)
• The Control Environment
• Risk Assessment
• Information and Communication
• Monitoring
• Control Activities
4.2.1. The Control Environment
The control environment is the tone of the organization and the awareness of
management and employees over internal controls (REF 8.). It has several important
elements:
• The integrity and ethical values of management
• The structure of the organization
• The participation of the organization's board of directors and the audit
committee, if one exists
• Management's philosophy and operating style
• The procedures for delegating responsibility and authority
• Management's methods for assessing performance
• External influences, such as examinations by regulatory agencies
• The organization's policies and practices for managing its human resources
“SAS 78 requires that auditors obtain sufficient knowledge to assess the attitude
and awareness of the organization's management, board of directors, and owners
regarding internal control”.
4.2.2. Risk Assessment
Risk assessment is the process of identifying, analyzing, and managing risks relevant
to financial reporting. Risks can arise out of changes in circumstances, such as the
following (REF 8.):
• Changes in the operating environment.
• New personnel who possess a different or inadequate understanding of internal
control
• New or reengineered information systems that affect transaction processing
• Significant and rapid growth that strains existing internal controls
• The implementation of new technology into the production process or information
system that impacts transaction processing
• The introduction of new product lines or activities with which the organization has
little experience
• Organizational restructuring resulting in the reduction and/or reallocation of
personnel such that business operations and transaction processing are affected
• Entering into foreign markets that may impact
• Adoption of a new accounting principle that impacts the preparation of financial
statements
“SAS 78 requires that auditors obtain sufficient knowledge of the organization's risk
assessment procedures to understand how management identifies, prioritizes, and
manages the risks related to financial reporting”.
4.2.3. Information and Communication
The accounting information system consists of the records and methods used to
initiate, identify, analyze, classify, and record the organization's transactions and to
account for the related assets and liabilities (REF 8.).
In connection with the organization's operations and to prepare reliable financial
statements, an effective accounting information system will do the following:
• Identify and record all valid financial transactions
• Provide timely information about transactions in sufficient detail to permit proper
classification and financial reporting
• Accurately measure the financial value of transactions so their effects can be
recorded in financial statements
• Accurately record transactions in the time period in which they occurred
SAS 78 requires that auditors obtain sufficient knowledge of the organization's information
system to understand these aspects:
• The classes of transactions that are material to the financial statements and how
those transactions are initiated
• The accounting records and accounts that are used in the processing of material
transactions
• The transaction processing steps involved from the initiation of an economic event to
its inclusion in the financial statements
• The financial reporting process used to prepare financial statements, disclosures, and
accounting estimates
4.2.4. Monitoring
As part of its responsibility, management must monitor the quality of
internal control design and operation over its intended function, whether by separate
procedures or by ongoing activities (REF 8.).
An organization's internal auditors may monitor the entity's activities in separate
procedures. They gather evidence of control adequacy by:
1. Testing controls
2. Communicating control strengths and weaknesses to management.
3. Providing recommendations for improvement to controls.
4.2.5. Control Activities
A control activity is a progression to ensure that appropriate actions are taken to deal
with identified risks. Control activities can be grouped into two distinct categories:
computer controls and physical controls (REF 7.).
Computer controls, which relate specifically to the IT environment and IT auditing, fall
into two broad groups:
1. General controls such as controls over the data center, organization databases,
system access, systems development, and program maintenance.
2. Application controls ensure the integrity of specific systems such as sales order
processing, accounts payable, and payroll applications.
Physical controls relate primarily to traditional accounting systems that employ manual
procedures. However, an understanding of these control concepts also gives insight to the
risks and control concerns associated with the IT environment. Such Physical control
activities are:
1. Transaction Authorization
2. Segregation Of Duties
3. Supervision
4. Accounting Records
5. Access Control
6. Independent Verification
Transaction Authorization: ensures that all material transactions processed by the information system are valid and in accordance with management's objectives.
Segregation of Duties: effective segregation of accounting duties is achieved when authorization, recording, and custody functions are separated.
Supervision: segregation of duties can be difficult for small-scale organizations. Therefore, in organizations that lack sufficient personnel, management can compensate with close supervision.
Accounting Records: the traditional accounting records of an organization consist of source documents, journals, and ledgers. These records provide an audit trail of economic events, so that a transaction can be traced through all phases.
Access Controls: the purpose of access controls is to ensure that only authorized personnel have access to the firm's assets.
Independent Verification: independent checks of the accounting system to identify errors and misrepresentations.
Through independent verification procedures, management can assess:
1. The performance of individuals
2. The integrity of the transaction processing system
3. The correctness of data contained in accounting records.
Examples of independent verifications include:
• Reconciling batch totals at points during transaction processing
• Comparing physical assets with accounting records
• Reconciling subsidiary accounts with control accounts
• Reviewing management reports (both computer and manually generated)
that summarize business activity
Chapter 3 (TECHNICAL PART) Naizak internal controls:
In an ERP environment all aspects of company operations are integrated with its traditional AIS (accounting information system), thereby integrating both the financial and nonfinancial operating data of a company. Quality information is one of the competitive advantages for an organization. In an AIS the quality of the information provided is vital to the success of the system.
The main users of the accounting information in Naizak are the decision makers, since the company is characterized as a private sector company. The upcoming section determines whether the accounting system is set up to provide quality accounting information to the decision makers under SAS 78.
Performance evaluations of departments in Naizak are based on their profit generation; therefore every department in Naizak is a profit center whose managers are responsible for the revenues and costs of their departments. Other departments in Naizak that support the profit departments are accounted for as cost centers, and their expenses are distributed evenly among the profit departments.
Abdulkarim Co. formalized policies and procedures in manuals through its Audit and Quality Department to serve as the guidelines for its business: Internal Controls and Quality Assurance, the Supply Chain Manual and the Supply Chain Procedure (SCM/SCP); all affiliates are required to follow these policies and procedures. The policies and procedures are audited by the Abdulkarim Co. Audit and Quality Department on a quarterly basis. These policies highlight:
• Competent, trustworthy personnel with clear lines of authority
• Proper procedures for authorization, execution, and recording of transactions
• Adequate documents, records, and reports
• Physical controls over assets and records
• Regular independent checks on performance
• Quality assurance under ISO 9001:2002.
My coop program took place at the Naizak Microsoft Dynamics Department. The department provides ERP financial and non-financial solutions for both clients and all Abdulkarim Co. affiliates. The team I was assigned to is the team responsible for customizing the ERP systems to the clients’ traditional AIS. The team consisted of two financial consultants, three system engineers, four programmers, and a web developer. The ERP team director assigned me to the group that was working on the supply chain management project, after an approval from the Internal Audit and Control Department at Abdulkarim. The team consisted of employees from the Audit Department, Accounting Department, and ERP Department. The project is an audit of the Supply Chain Procedures of the departments at Naizak, assigned by the Internal Audit and Control of AKH.
The Internal Audit and Control Department at Abdulkarim performs audits and implements controls at all Abdulkarim affiliates as follows:
1- It sets control projects or internal audits and deadlines, then
2- It forms teams from different departments depending on the projects or audits, then
3- It sets responsibilities: project manager, account auditors, material auditors, control auditors, IT auditors.
4- The Internal Audit and Control Department personnel supervise these projects, and
5- Meetings are held on a regular basis throughout the audits or projects.
The project is seen as an improvement in corrective action on the current business procedures at Naizak, and an improvement in preventive action against future risks. It is also used to communicate the later approved and controlled procedures to all Naizak employees using online documents of procedures. This is shown in the (Appendix, DFD 4 Internal Auditing procedure and Narrative 1 Management Responsibility).
The project task was to document the policies and procedures, including corrections, of the Naizak business line in accordance with Abdulkarim Co. policies and procedures of Internal Control. The project's main objectives are:
1- Document general policies and procedures for all Naizak departments that define the Internal Control System and the business procedure.
2- Document department-specific procedures depending on the department business line.
3- The policies and procedures must be accessible to both company employees and clients.
4- The documents must be available in hard copy and through online web access, called the “Robohelp project”.
The project work was distributed among the team members, and all departments in Naizak were to be visited. On a daily basis, the work required visiting multiple departments in different locations and meeting with department managers, supervisors, and clerks. The following processes show the project work flow (Figure 1):
1- Interview department about transaction operations and processes.
2- Document the operations and processes.
3- Collect support documents, narratives, or flowcharts if available.
4- Check for any departure from Abdulkarim Internal Control Policy or inconsistencies.
5- Any possible corrections would be submitted for review.
6- Documenting the collected data as procedures and policies.
7- Approval of documents is a must, from the Dep. concerned, AKH Auditing and Quality Control Dep., and Owner Mr. Khalid Abdulkarim.
8- The documents will be stated as "Controlled Documents".
9- Documents will be built on a company website.
Figure 1 project process
5.1. Interviews:
The interviews are conducted with each department’s clerk, because every department in Naizak has one clerk who records department sales, employee expense claims, and employee advanced payment requests; the accounting department then processes these transactions with their supporting documents. All these transactions, which have been entered by the department clerk, are viewed in the system as Transaction Journals and as a General Journal. Once entered, these transactions are pending verification by the accounting department and pending posting to the General Ledger. As I mentioned earlier in the report, departments in Naizak are profit and cost centers. Therefore, an internal control policy of AKH is to standardize the transaction processes in every Naizak department, e.g. expense sheet forms and travel expense sheets. The departments whose transaction operations and processes I was assigned to document are:
• Lab Information System Management (LIMS)
• Instrumentation
• IT
At every department there are general questions at the interview to get an understanding of the type of work, business processes, and transactions handled. Here are samples of the interview questions (Table 1 general interview questions):
Table 1 general interview questions
| Question | LIMS “Clerk” | Instrumentation Sales Dep. “Clerk” | IT “Clerk” |
| --- | --- | --- | --- |
| What is your job at the department? | Enter general department transactions, and follow up. | Enter general department transactions, and follow up. | Enter general department transactions, and follow up. |
| What type of transactions do you handle? Give examples. | 1. Employee related expenses. 2. Cash advances. 3. P.O.’s 4. Outsource Contracts. | 1. Employee related expenses. 2. Cash advances. 3. P.O.’s 4. Outsource Contracts. | 1. Employee related expenses. 2. Cash advances. 3. P.O.’s |
| What type of employee expenses do you enter into the system? | 1. Visa 2. Transportations 3. Hotel fees 4. Annual vacations 5. Housing 6. Seminars 7. Business trips | 1. Visa fees 2. Transportations 3. Hotel fees 4. Annual vacations 5. Housing 6. Seminars 7. Business trips | 1. Visa fees 2. Transportations 3. Hotel fees 4. Annual vacations 5. Housing 6. Seminars 7. Business trips |
| What type of P.O.’s do you enter into the system? | 1. Office expenses. 2. Software. 3. Equipment. | 1. Equipment 2. Office expenses | 1. Software 2. Equipment 3. Office expenses. |
| What does your dep. use outsourced contracts for? | Most of our sales are for lab systems implementation, and so they are entered as job orders. Some sales require additional workforce or equipment in the implementation phase. | Some sales require additional workforce or equipment in the implementation phase. | |
5.2. Processes Documentation:
After gaining a general understanding of the types of transactions dealt with in each department, we would ask the clerk to enter a sample of transactions of different types. These transactions are entered from the company portal, which is a part of the Microsoft Dynamics AX module (Figure 3).
Introducing the Microsoft Dynamics AX Portal:
The portal, Figure 2, consists of seven modules, which are the modules of Microsoft Dynamics AX 2009:
1- Finance.
2- Sales.
3- Purchase.
4- Employee Services.
5- Human Resources.
6- Project.
7- Compliance.
Employee Services:
Employee Services consists of two main applications for entering transactions: Manage Expenses and Request for Advanced Payments (refer to Figure 2). In Manage Expenses the clerk enters expenses such as:
• Flight expenses.
• Project allowance.
• Bonus Costs.
• Car maintenance expense.
• Car rental expense.
• Car service expense.
• Conference registration and fees.
• Custom duty.
• Gasoline.
• Hotel costs.
• Hotel expenses.
• Housing allowance expenses.
• Installation allowance expenses.
• Installation materials.
• Internet expenses
• Laundry.
• Loans.
• Meals expenses.
• Medical
• Miscellaneous.
• Office supplies.
• Overtime.
• Parking fees
• Penalties charges.
• Phone expense.
• Masion Project Expenses.
• Railway expense.
• Sales Return expense.
• Salaries KAUST Flores.
• Taxi expenses.
• Service termination allowance.
• Tools expenses.
• Vacation allowance expense.
• Visa fees.
Figure 2 Portal consists of seven modules; accessed by company clerks, managers, and sales personnel only.
Figure 3 Microsoft Dynamics AX modules. The modules shown are the viewable modules for the limited account provided.
5.3. Understanding the Expense Management Process:
Any claims from employees, such as for business trips, providing customer services, after-service visits, or paid vacations, are submitted to their department clerk. The clerk in turn collects the required documents from the employee, such as invoices or advanced payment requests. Then the clerk enters these claims using the Expense Management module in the portal and creates an Expense Report. After that, he creates a form that sums up all information about the claim and attaches it to the invoices, for example. The claims are then pending the department director's approval. The department director checks these claims, for example checking claims of employees implementing a service against the project number, which describes the contract, the employees assigned to the task, and the duration of the task. All this information is visible to the department director from the Project Manager module in Microsoft Dynamics AX. After the department director has approved the claims, the clerk collects the approved claim forms and sends them to the accounting department. The accounting department validates these claims and checks whether they are applicable to the department budget. Then the accounting department manager approves these claims. All claims approved by the department manager are then pending posting to the general ledger. At the same time, a payment request is initiated from the expense accountant to the company cashier; this payment is paid in cash by the cashier or as a bank transfer. Then, at the end of the day, a General Journal of cash payments is created.
Note: only claims approved by the department director are then reflected in the system as an expense.
5.4. Collection of Expense Management Process Support Documents:
After I had interviewed the three departments (LIMS, Instrumentation, and the IT departments), I collected some screen snapshots of different claims. Then I recorded the expense report numbers to trace these transactions in the system as these claims got paid. Some employees were not cooperative in providing documents. The documents I was not able to collect were:
• Contracts and job orders.
• Cash forms such as payment requests and cash journals.
Here is part of the support documents collected:
1. Claim forms that are attached with the invoices or other supporting documents.
(Appendix, Forms, Form 1 and Form 2)
2. Expense Reports Snapshots. Refer to Figure 4 and Figure 5.
Figure 4 Expense Report
Figure 5 tracing claims as they get posted and paid
5.5. Checking Departure with Abdulkarim Internal Control Policy or
inconsistencies:
Since the Expense Management is a general procedure it is not mentioned at all in
the AKH S.C.P. (Appendix, AKH Supply Chain Procedure, Table 2). However, we
are required to document a procedure for the expense management to be controlled
in Naizak.
5.6. Documenting the Expense Management Procedure:
Documenting the Expense Management Procedure is a sample of what has been documented during the coop period. Here I will show the documented procedure for expense claims and advanced payments:
Receiving expense claims from employees:
This part covers expense claims but neither petty cash nor employee loans.
Receive expenses claim:
• Employee submits their invoices to the clerk “department secretary”.
• Clerk enters the portal, reviews and enters the invoices, submits them, where the status will show “SUBMITTED”, and attaches them (Figure 6); then the report goes to the division manager for approval.
• Once approved, the report status will be changed to “Approved” (Figure 7).
• Clerk will print the report (Appendix, Forms. Form 1 Form 2) and then give it to the cashier.
• Cashier checks the claim number, then prepares for payment.
Pay and post expense claim:
• Cashier will deduct the total amount from his account in case of a cash advance, or pay it in cash; then the transaction status will change to “PAID”.
• Employee signature is a must.
• Accountant will check the expenses report with status “PAID” to transfer it to the general ledger for posting.
Record expense claim:
• On AXAPTA, from the expense management details, the junior accountant will search for approved requests. (Figure 8)
• Junior Accountant will transfer the expenses journal to the general ledger module, then the Senior Accountant will approve and post (Figure 8 and Figure 9); then the transaction status will change to “POSTED”.
Figure 6 Entering expenses in the expense report and submitting
Figure 7 Expense report status
Figure 8 Approved "Paid Expenses" being transferred to Journal
Figure 9 posting to General Ledger.
Request for cash advance:
This part covers expense claims but neither petty cash nor employee’s loans
Request cash advances:
• Clerk logs in to the NAIZAK portal, then submits a cash advance request for the employee with full details about the advance purposes (Figure 10).
• Division manager approves the request.
Paying and posting advance payments:
• Once the advance payment has been approved by the division manager, the status will be shown as “APPROVED”; then it should be recorded in the cash flow by NAIZAK’s cashier, and the request status should be changed to “ORDERED”.
• The cashier will check the cash flow status, then he will change the request status to “READY TO PAY”.
• While issuing the cash, NAIZAK’s cashier will change the request status to “PAID”.
• Employee’s signature is a must.
• Accountant will check cash advances report with status “PAID” to transfer it
to general ledger for posting.
Releasing cash advances on Dynamics AX:
• The accountant will go to expense management then cash advance details
and search for approved requests.
• Junior accountant will transfer the expenses journal to the general ledger
module then the senior accountant will approve and post, the transaction
status will be shown as “POSTED”.
Figure 10 submitting a cash advance request
Figure 11 Cash advances approved by the division manager
5.7. Review of documented Procedure:
Any documented procedures will be reviewed in the weekly meetings and then submitted to the Internal Auditing and Control department for review and approval. Weekly meetings are held to discuss any improvements in the procedures, such as:
• Any risk of committing fraud.
• Any gaps that allow unintentional errors to be entered into the system.
• Any suggestions for improvements in the accounting cycle.
• Any suggestions for generalized forms for all departments.
One of the most important discussions in the meetings, in which I took a big role in solving the problems faced, was that most departments in Naizak are not able to enter all expense claims, given the huge amounts being submitted in some seasons. Moreover, a lot of employees are complaining that their expense claims are taking months to be paid back. I will discuss the function I took to solve this problem in the risk section, 6.3 Risk from Physical controls.
After the documented procedures have been approved, I am required to enter these documents as a manual for employees, accessible from a website. The program used is called ROBOHELP; it transforms written documents into a website on which the user can search for a procedure, and the results show detailed documentation, processes to follow, and pictures from the system (AKH SCM Website). (Figure 12 the Online Documentation of Procedures, Figure 13 an Example of Demo Procedure, and Figure 14 Search Capability).
The advantage of the online help is that it serves as a preventive procedure and as part of the company's training of its employees, making sure that all employees follow company procedures, such as the required documents and how transactions should be entered into the system; this prevents employees from entering wrong transactions unintentionally or missing required documents. It also shows the responsibilities required for each transaction authorization as described in the Abdulkarim Supply Chain Procedure (Appendix, Narrative 1, and Table 2). It is therefore a process of merging the AKH SCP with all that has been mentioned above.
Figure 12 the Online Documentation of Procedures
Figure 13 an Example of Demo Procedure
Figure 14 Search Capability
6. Risks:
As defined earlier in the report, risk is the potential threat to the organization’s assets, and an exposure is the absence or weakness of a control in the internal control system. Exposures increase the firm's risk of financial loss or damage. Section 6 will deal with the risks identified in Naizak's AIS from changes in circumstances, computer controls, and physical controls.
6.1. Risk from changes in circumstances:
Naizak's business line hasn’t changed for the past 5 years, and the company hasn’t changed its operations. Moreover, Naizak's employment turnover is very low, and most if not all of the employees at Naizak are skillful, which is mandatory for service companies.
Naizak has a computerized accounting information system, “ACCURA”. However, just lately, this year (2010), it purchased the license for installing and reselling “Microsoft Dynamics AXAPTA”, the new ERP solution. The ERP Department in Khobar provides solutions for both the company’s end users and its clients. The solution was brought in to reduce the paper work and communicate data between Naizak’s departments.
The plan is to work in parallel on both systems until the old system is phased out. Currently, double transaction recording and manual paper work have dramatically increased. Changes from one system to another can cause transaction errors, which we have been encountering at the ERP Department. Especially when employees are introduced to a new system, mis-entered transactions by the users are very common. The new system has experienced 5 restores this year, which have also created errors in the database. Nevertheless, the company has increased personnel
training programs, and no employee at Naizak is authorized to use the system until they pass all training programs. Other risks arise from the reallocation of employees between departments, and sometimes employees at Naizak even work at Abdulkarim and vice versa.
6.2. Risk from Computer controls:
Risk from computer controls arises from General Controls and Application Controls.
In General Controls, Naizak has two secured sites that store the database, as a prevention of data loss or data corruption. The database is recoverable after work hours, because of the time needed to recover possibly corrupted or lost data. Only the authorized personnel in the ERP department and the IT department have access to the database. Moreover, only the ERP database administrator has access for setting up the system from the Microsoft AXAPTA authorization console.
However, in Application Controls, risk is found in the online portal, which is a web-based application for entering part of the transactions and getting them approved, such as in Expense Management. Under application controls, data entry controls and data output controls are presented:
6.2.1. Data entry controls:
Data entry controls are part of the preventive controls, which are meant to avoid problems before they occur. Input validation tests fall into:
• Field check
• Sign check
• Limit check
• Range check
• Completeness check
• Reasonableness test
• Batch totals: financial total, hash total, record count
Although the problems found in the input controls relate to the expense claims form and the advance payments form, the risk is high. The problems include:
• Miscalculated totals.
• Opportunity to commit fraud, by creating expense reports for expenses that did not yet happen or didn’t happen at all!
However, the powerful feature of the form is that most fields are dropdown menus; in other words, most of the fields are predefined for the user.
The data entry risks are shown in the Expense Management figures, Figure 16 and Figure 15. As I pointed out these risks to my director during meetings, I was asked to solve this problem by designing a new form to be implemented and built into the portal.
Figure 15 Expense Report, Expense Header. Callouts in the figure:
• The clerk user name is used to enter expense claims and advances for the department employees!
• Reasonableness test failed. The expense date can be before the invoice date!
Figure 17 is the recommended form, which was designed using Microsoft InfoPath (Expense Report Form) and later updated on Microsoft .NET. The form has a validity check on the employee name field and the employee number field. The employee number field also has a limit check of 5 digits, and the first digit must be a letter. Both fields must be completed before proceeding with the report, which is the field check. To save time, it was decided that the form will automatically retrieve and complete the employee information after he logs in. This information is retrieved from the Microsoft Outlook mail server, which contains all employees' information. The form contains a very important reasonableness check, which is that the report date must be after the transaction date, because an employee cannot have an expense report for an expense he has not yet encountered. Other features of the form are that currency rates are calculated automatically, as is the total amount of the transactions.
Figure 16 Expense Report Body. Callouts in the figure:
• Financial total manually calculated, which leaves a risk of miscalculation
• Doesn’t contain financial total “Data Entry Control”
Figure 17 New Expense Report. Callouts in the figure:
• Financial total automatically calculated
• Reasonableness: cannot be greater than the expense report date
• Automatically calculated to ensure validity of input
• Automatically completed from the server, where an employee can be working in more than one department.
• Must be 5 digits, the first of which is “N” or “A”, where “N” is for NAIZAK and “A” is for AKH.
• Validity check
• Checks listed in the figure: field check, limit check, range check, validity check, reasonableness check
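The data entry controls named in this section (field, limit, validity, sign and reasonableness checks, plus the three batch totals) can be written as one validation routine. The following is an added example, not the InfoPath/.NET form or any Naizak code; the directory entries, exchange rates, invoice numbers and the reading of the employee number rule as "N" or "A" followed by four digits are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed directory; the report says the real form reads this from the mail server.
DIRECTORY = {"N1234": "Sample Employee One", "A0420": "Sample Employee Two"}
# Constructed exchange rates into the reporting currency (illustrative values).
RATES = {"SAR": Decimal("1"), "USD": Decimal("3.75")}
# Assumed reading of the rule: 5 characters, "N" (NAIZAK) or "A" (AKH) then 4 digits.
EMP_NO = re.compile(r"[NA][0-9]{4}")


@dataclass
class Line:
    invoice_no: int
    expense_date: date
    amount: Decimal
    currency: str


def validate_report(emp_no, emp_name, report_date, lines):
    """Run the data entry controls; return (errors, batch_totals_or_None)."""
    errors = []
    # Field check first, then limit check on the format, then validity lookup.
    if not emp_no or not emp_name:
        errors.append("field: employee number and name must be completed")
    elif not EMP_NO.fullmatch(emp_no):
        errors.append("limit: employee number must be N or A plus 4 digits")
    elif DIRECTORY.get(emp_no) != emp_name:
        errors.append("validity: employee number and name do not match the directory")
    if not lines:
        errors.append("field: the report has no expense lines")
    for n, ln in enumerate(lines, start=1):
        if ln.amount <= 0:
            errors.append(f"sign: line {n} amount must be positive")
        if ln.currency not in RATES:
            errors.append(f"validity: line {n} currency {ln.currency!r} is unknown")
        # Reasonableness: an expense cannot be dated after the report that claims it.
        if ln.expense_date > report_date:
            errors.append(f"reasonableness: line {n} is dated after the report date")
    if errors:
        return errors, None
    # Batch totals are computed by the system, never typed in by the clerk.
    totals = {
        "financial_total": sum(
            (ln.amount * RATES[ln.currency] for ln in lines), Decimal("0")
        ).quantize(Decimal("0.01")),
        "hash_total": sum(ln.invoice_no for ln in lines),
        "record_count": len(lines),
    }
    return [], totals


def demo():
    """Validate one clean and one faulty constructed report."""
    report_date = date(2010, 5, 10)
    good = [
        Line(1001, date(2010, 5, 2), Decimal("100.00"), "SAR"),
        Line(1002, date(2010, 5, 3), Decimal("20.00"), "USD"),
    ]
    bad = [
        Line(1003, date(2010, 5, 12), Decimal("50.00"), "SAR"),  # dated after report
        Line(1004, date(2010, 5, 4), Decimal("-5.00"), "SAR"),   # negative amount
    ]
    return (
        validate_report("N1234", "Sample Employee One", report_date, good),
        validate_report("X1234", "Sample Employee One", report_date, bad),
    )


if __name__ == "__main__":
    for errors, totals in demo():
        print(errors or totals)
```

The hash total here sums invoice numbers, a field with no financial meaning, so a dropped or substituted line changes it even when the financial total still balances.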
6.2.2. Data output controls:
One of the risks among data transmission problems arises when the input doesn’t provide the desired or intended outcome, for instance, entering an invoice for supplies while the system records the transaction as prepaid rent.
User review of output: internal auditors should test the system output for reasonableness, completeness, and that it serves the intended use.
I was entering some invoices on a copy of the current system and tracing the invoices until the transactions ended at the general ledger. One of the output errors found: when I was entering some expenses such as “Food Exp.” or “GassExp.”, after I approved them and posted them to the general ledger, the amounts would be recorded in the general ledger in a different account. Some amounts would be recorded in an asset account, for instance “Office supplies”. I checked the account numbers in Naizak's chart of accounts and found that some of the accounts have the same account number but a different account title or name. Refer to the account number “7210015003” in both Figure 9 and Figure 18.
6.3. Risk from Physical controls:
Physical controls relate primarily to traditional accounting systems that employ manual procedures. Segregation of duties is part of the physical controls, and effective segregation of accounting duties is achieved when authorization, recording, and custody functions are separated.
When tracing a sample of expense claims in the system, I found that for some expense claims the clerk who enters the expense claims in the system is the same person who takes custody of cashing the money for the employees and hands the money to the employee. When I investigated this issue between the clerk and the cashier, I found the following through an interview (Figure 19).
Figure 18. Naizak chart of accounts
Gaps in segregation of duties functions are found in (DFD 1 and DFD 2).
In DFD 1, at the employee section, the employee submits the invoices to the clerk. At the clerk section, the clerk calculates the total expenses for the invoices and enters the amount on an electronic form, then prints the form and attaches it to the invoices. After that, he logs into his portal under the expense management and creates an expense report, then enters the invoice titles and amounts. As soon as the clerk posts the expense report, the AXAPTA expense file gets updated and the report status shows on the manager’s portal as pending approval. The manager then checks which invoices apply for payment and approves the relevant invoices; at this stage the invoice status shows as pending payment. The accounting department's expense accountant validates the amounts, then enters these invoices into the AXAPTA expense management as in (Figure 2) and (Figure 8), as a journal entry. After they are approved by the account manager, they are automatically posted from the general journal to the general ledger master file, and the invoice status then shows as posted. The department clerk checks his portal for claims with status posted as in (Figure 7), then goes to the accounting department with the expense report numbers and asks for the payment slip. The expense accountant queries the expense report numbers and validates that the status is posted; if so, he prints the payment slip and settles the claim to the accounts payable of the project that the expense is for. The expense accountant may print the payment slip as a bank transfer or cash payment upon request. The clerk goes to the cashier and hands over the payment slip, and the cashier hands over the money. In this action the clerk has both entered the transaction and taken custody of it by taking the money.
Figure 19 Interview
Q to Clerk: “Why would the employees not cash out the money themselves or have the amount bank transferred?”
Clerk A: “For convenience purposes, when employees are working in the field; they ask us to finish the paper work and cash out the money and we would keep the money with us ready for them to take it”
Q to Clerk: “Do the employees get to review the claim and sign a paper that they have received the money?”
Clerk A: “No”.
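The segregation-of-duties gap traced above can be tested for mechanically once each claim's status changes and cash hand-over are on record. This is an added example, not part of the original report or of Dynamics AX; the event layout, user names and claim numbers are constructed, and the status order is the one documented in section 5.6.

```python
from collections import defaultdict

# Status order documented in section 5.6 for expense claims.
ORDER = ["SUBMITTED", "APPROVED", "PAID", "POSTED"]

# Constructed audit trail: (claim_id, status, user who set the status).
# The layout is hypothetical, not a Dynamics AX schema.
EVENTS = [
    ("ER-001", "SUBMITTED", "clerk_lims"),
    ("ER-001", "APPROVED", "mgr_lims"),
    ("ER-001", "PAID", "cashier"),
    ("ER-001", "POSTED", "sr_accountant"),
    ("ER-002", "SUBMITTED", "clerk_it"),
    ("ER-002", "APPROVED", "mgr_it"),
    ("ER-002", "PAID", "cashier"),
    ("ER-002", "POSTED", "sr_accountant"),
    ("ER-003", "SUBMITTED", "clerk_it"),
    ("ER-003", "PAID", "cashier"),          # paid with no approval on record
    ("ER-004", "SUBMITTED", "mgr_lab"),
    ("ER-004", "APPROVED", "mgr_lab"),      # same user recorded and authorized
]

# Constructed cashier records: claim_id -> (who received the cash, employee signed).
PAYMENTS = {
    "ER-001": ("emp_17", True),
    "ER-002": ("clerk_it", False),          # the clerk collected cash, no signature
    "ER-003": ("emp_09", True),
}


def find_violations(events, payments):
    """Return sorted (claim_id, rule) findings for the controls in section 6.3."""
    trails = defaultdict(list)
    for claim_id, status, actor in events:
        trails[claim_id].append((status, actor))

    findings = []
    for claim_id, trail in sorted(trails.items()):
        statuses = [status for status, _ in trail]
        actor_of = dict(trail)
        # The trail must follow the documented order with no step skipped.
        if statuses != ORDER[:len(statuses)]:
            findings.append((claim_id, "STATUS_OUT_OF_ORDER"))
        recorder = actor_of.get("SUBMITTED")
        # Recording and authorization must be done by different people.
        if recorder and recorder == actor_of.get("APPROVED"):
            findings.append((claim_id, "RECORDING_AND_AUTHORIZATION"))
        if claim_id in payments:
            received_by, signed = payments[claim_id]
            # Recording and custody: the user who entered the claim took the cash.
            if recorder and received_by == recorder:
                findings.append((claim_id, "RECORDING_AND_CUSTODY"))
            # The documented procedure makes the employee's signature mandatory.
            if not signed:
                findings.append((claim_id, "NO_EMPLOYEE_SIGNATURE"))
    return findings


if __name__ == "__main__":
    for claim_id, rule in find_violations(EVENTS, PAYMENTS):
        print(claim_id, rule)
```

ER-002 reproduces the interview finding: the clerk both entered the claim and collected the cash, and no employee signature was taken.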
Other than the risk in segregation of duties, there is the problem mentioned in (5.7 Review of documented Procedure: P.38): most departments in Naizak are not able to enter all expense claims, given the huge amounts being submitted in some seasons, until the next month, and in some cases it takes two months for these expenses to be entered. This creates a risk against a basic principle of GAAP, which is realizing expenses when they occur; we realize these expenses by recording them in the books “or in the ERP”. Moreover, these claims are material to the projects “Job Order” they undertake.
Therefore, the monthly statements are not as transparent as they should be. In addition, a lot of employees are complaining that their expense claims are taking months to be paid back, and most of the time they are working in another region of the kingdom. In most cases the expenses they encounter are more than half of their salaries in the company. Some of them would pay for flight tickets to come back to submit their claims, or drive back in company cars, as I have heard in some of these stories. This means more costs for the company too. To solve the problem I had to find where the problem is: is it because the department clerk is too lazy to enter these claims, or is it because of the huge amounts of submitted claims?
I took the time during interviews to measure the time taken to enter one invoice in the system. As a result, it took 30 minutes to enter 10 invoices, on average 3 minutes to enter one invoice. I made a statistical analysis of the number of claims submitted every day in the past 12 months and found that the standard deviation was 300 invoices “claims” per day. So, if we multiply the average time to enter one invoice by the 300 standard deviation, we get 15 hours to enter all these invoices. One solution, then, is to increase the number of clerks in every department from one to, say, three, and so divide the work. However, I was trying to get to a new solution that would reduce costs for the departments too.
The solution was that every employee should have an account on the portal to enter his
expense claims, however the IT department told me that each account costs 200$ as
license to Microsoft. Therefore I came out with designing a new expense report form to
be accessible by the employee’s email account and password; and that’s why I made
that form too, other than input controls (Figure 17) and designed the new dataflow of
how to process employee claims (DFD 3) and in this sense this in the same time solve
the problem with segregation of duties where the clerk does not enters the transaction
and cash the money at the same time. In DFD 3 his responsibility is only to validate and
cash the money if the employee asks him to.
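
A segregation-of-duties check over expense workflow events for the DFD 3 flow, given here as an added example that is not part of the original report or of Naizak's system. The action names, the actor IDs and the pairing of each status label with a workflow step are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Status labels as they appear in the report's DFDs. Pairing each label with
# one workflow step is an assumption made for this example.
STATUSES = ["Pending Validation", "Pending Approval", "posted", "paid"]
STEP_STATUS = {  # hypothetical action name -> status reached after it
    "enter": "Pending Validation",
    "validate": "Pending Approval",
    "approve_post": "posted",
    "settle": "paid",
}
# "collect_cash" and "acknowledge" are custody events outside the status chain.


@dataclass(frozen=True)
class Event:
    report_id: str
    claimant: str   # employee the expense belongs to
    action: str
    actor: str      # who performed the action


def audit(events):
    """Return sorted (report_id, finding) tuples for events given in time order."""
    by_report = defaultdict(list)
    for ev in events:
        by_report[ev.report_id].append(ev)

    findings = []
    for rid, evs in by_report.items():
        claimant = evs[0].claimant
        done_by = defaultdict(set)   # actor -> actions that actor performed
        last = -1                    # index of the last status reached
        for ev in evs:
            done_by[ev.actor].add(ev.action)
            if ev.action in STEP_STATUS:
                idx = STATUSES.index(STEP_STATUS[ev.action])
                if idx != last + 1:  # a status was skipped or repeated
                    findings.append(
                        (rid, f"sequence: {ev.action} by {ev.actor} is out of order"))
                last = idx

        for actor, actions in done_by.items():
            steps = sorted(actions & set(STEP_STATUS))
            if len(steps) > 1:       # one person working in two lanes
                findings.append((rid, f"sod: {actor} performed {'+'.join(steps)}"))
            # Recording plus custody by someone other than the claimant is the
            # clerk pattern described in the old process.
            if actor != claimant and {"enter", "collect_cash"} <= actions:
                findings.append(
                    (rid, f"sod: {actor} entered the claim and took custody of the cash"))

        collectors = {a for a, acts in done_by.items() if "collect_cash" in acts}
        acknowledged = "acknowledge" in done_by.get(claimant, set())
        if collectors - {claimant} and not acknowledged:
            findings.append(
                (rid, f"custody: cash collected for {claimant} by a third party "
                      "without acknowledgement"))
    return sorted(findings)


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    # ER-1001: clerk enters the claim and also collects the cash.
    Event("ER-1001", "emp_1", "enter", "clerk_a"),
    Event("ER-1001", "emp_1", "validate", "clerk_a"),
    Event("ER-1001", "emp_1", "approve_post", "mgr_1"),
    Event("ER-1001", "emp_1", "settle", "acct_1"),
    Event("ER-1001", "emp_1", "collect_cash", "clerk_a"),
    # ER-1002: employee enters, clerk validates and cashes on request.
    Event("ER-1002", "emp_2", "enter", "emp_2"),
    Event("ER-1002", "emp_2", "validate", "clerk_a"),
    Event("ER-1002", "emp_2", "approve_post", "mgr_1"),
    Event("ER-1002", "emp_2", "settle", "acct_1"),
    Event("ER-1002", "emp_2", "collect_cash", "clerk_a"),
    Event("ER-1002", "emp_2", "acknowledge", "emp_2"),
    # ER-1003: validation step skipped.
    Event("ER-1003", "emp_3", "enter", "emp_3"),
    Event("ER-1003", "emp_3", "approve_post", "mgr_1"),
    Event("ER-1003", "emp_3", "settle", "acct_1"),
    Event("ER-1003", "emp_3", "collect_cash", "emp_3"),
]

if __name__ == "__main__":
    for report_id, finding in audit(SAMPLE_EVENTS):
        print(report_id, finding)
```

The acknowledgement rule reflects the interview answer that employees do not sign for money collected on their behalf; treating a missing acknowledgement as a finding is this example's choice, not a control the report specifies.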
[Figure: DFD 1 Expense Management Process. Lanes: Employee, Clerk, Dep. Manager, Accounting Dep. Status labels: Pending Validation, Pending Approval, posted, paid. Diagram labels: Invoices; Attach; Enter Expenses (Create Report); Validate Total Expenses; Update Expense Reports “Pending Validation”; Approve and Post; Update General Journal; AXAPTA General Ledger; Expense management Portal; Admin Form “Expense report #”; Print Admin Form; Expense Report; AXAPTA Expense Reports; Validate “Approved” & Post; connector A.]
[Figure: DFD 2 Expense Management Process. Lanes: Clerk, Accounting Dep., “Cashier”. Status label: Payment. Diagram labels: AXAPTA Project exp.; Employer’s EXP.; Query EXP. Approved Reports; Invoices; Admin Form “EXP report number”; Settle EXP.; ACCT Payable; Payment Slip; Bank transfer; Cash out payment; connector A.]
[Figure: DFD 3 the New Data Flow for Expense management. Lanes: Employee, Clerk, Dep. Manager, Accounting Dep. Status labels: Pending Validation, Pending Approval, posted, paid. Diagram labels: Enter Expenses (Create; Validate and post; HTML Exp. Report; Post & Generate Reference #; Immigrate; Online Expense Form; Invoices; AXAPTA Expense Reports; Expense Report; Approve and Post; AXAPTA General Journal; Update General Journal; Update Expense Reports “Pending Validation”; Generate HTML Code; Print Exp. Report; Attach Papers.]
Chapter 4 Conclusion:
In the absence of internal controls, or where internal controls are weak, catastrophic outcomes will cause threats and risks to the company’s assets, whether on the basis of information and communication or of control activities. That is why the Abdulkarim Internal Auditing and Control Department performs these projects: to increase the effectiveness of internal controls in all its subsidiaries and affiliates. Likewise, as has been mentioned in SAS 78, the best deterrent to fraud is internal controls. The accounting information system in an ERP environment makes it harder for the internal auditor to assure and assess the internal controls. Therefore, there must be auditors who have knowledge of both internal controls and IT. The risks found in Naizak are a classic example of segregation of duties, input controls, and output controls. Moreover, internal control improvement is an ongoing cycle; there is no point at which the internal controls would be satisfied, because of the evolution of business and technology, and therefore the company should perform ongoing improvements in the system as part of, or alongside, the internal audits.
Chapter 5 Appendix
AKH Data Flow Diagrams
DFD 4 Internal Auditing procedure
Audit Plan Development
- Date and time of each audit location
- Scope of the audit (activities to audit)
- Basis for the audit (requirements)
Audit checklist
The completed audit Checklist becomes a formal report for the Audit Department and Management to Review.
Audit Schedule Development
An audit schedule is developed by Audit Department and approved by the
General Manager. All functions and/or departments within COMPANY's
operations are audited once per year minimum. The schedule is based on
quarterly audits and altered when an activity's importance requires increased
audits.
Audit Checklist
Audit Team and the Quality Assurance review applicable
documentation (including previous audit reports), and develop audit
checklists.
Conduct Audit
The audit Team determines the overall effectiveness of the Internal Control System using the audit checklists
and previous audit results.
Audit Results/Corrective Action
The Audit Team reviews audit findings for verification while completing the Audit Checklist Report and determines if a
Corrective Action Report form is required.
Then the Audit Checklist Report is reviewed with the auditee(s). Corrective Actions are then assigned and implemented without undue delay.
Program Review
Internal Audit Department views all reports and adjusts Internal Control System
documentation and audit schedules accordingly.
Internal Audit
System
AKH Narrative
RESPONSIBILITY 4. PROCESS FLOW:
MR 4.1 The audit policy of the company shall be communicated to
all employees through training, posters etc.,
4.2 Following completion of each Internal Audit program the
management shall review the overall effectiveness of Quality
System in its operation.
MR / ED / VP 4.2.1 Management Review Meeting shall be scheduled in
consultation with ED/VP. The frequency of review shall be at
least once in a year. This meeting will be presided over by the
ED/VP.
4.3 The meeting agenda shall be presented but not limited to the
following:
a. Completion of actions identified in last meeting
b. Trends in internal audit & status of corrective actions
c. Status of corrective actions based on CPARs raised
d. Status of preventive actions
e. Review of achievements in audit objectives
f. New objectives for the coming period (for company & depts.)
g. Improvements
h. Effect of changes made in the system
i. Potential effects of future changes planned
j. Adequacy of resources any other item.
MR 4.4 During review, if any need to change or improve the system is
identified (e.g.: possible because of a change in working
practice) then that shall be recorded on the Management
Review Report with Action Plan, responsible person / section
and completion date(s).
4.5 Management Review Report shall be distributed to members of
the meeting.
4.5.1 Management Review Report also shall be distributed to those
who are assigned for the implementation of corrective action.
4.6 To ensure that the required changes/ improvements are
carried out within specified time, follow-up action shall be
carried out and the status shall be recorded.
4.7 Where necessary the documents shall be revised to reflect
working practices.
Narrative 1 Management Responsibility
Naizak’s Forms
Form 1 Administrative Request
Form 2 Travel Expense Sheet
AKH Supply Chain Procedure
| # | Clause Ref. | Process Description | Procedure Ref. |
|---|---|---|---|
| 1 | 4.2.3 | Document and Data Control | AKHC-QP-005 |
| 2 | 4.2.4 | Records Control | All procedures |
| 3 | 5.2, 8.2.1 | Customer Satisfaction Survey | AKHC-QP-021 |
| 4 | 5.6 | Management Responsibility | AKHC-QP-001 |
| 5 | 6.2.2 | Training | AKHC-QP-018 |
| 6 | 7.2.2, 7.2.3 | Inquiries/Quotations & Contract Review | AKHC-QP-003 |
| | | Contract review (Industrial Systems) | AKHC-QP-003A |
| | | Contract review (IT Solutions Provider) | AKHC-QP-003B |
| | | SAP Academy | AKHC-QP-003C |
| | | Call Centre | AKHC-QP-003D |
| 7 | 7.4 | Purchasing | AKHC-QP-006 |
| | | Supplier Approval | AKHC-QP-006A |
| 8 | 7.5.1, 7.5.2 | Process control (Industrial Systems) | AKHC-QP-009A |
| 9 | 7.5.5 | Receiving Inspection | AKHC-QP-010 |
| 10 | 7.5.5 | Receiving and Storage of Material | AKHC-QP-015 |
| | | Packaging and Delivery | AKHC-QP-015A |
| | | Expediting | AKHC-QP-015B |
| | | Shipping | AKHC-QP-015C |
| | | LDOR | AKHC-QP-015D |
| 11 | 8.2.2 | Internal Audit | AKHC-QP-017 |
| 12 | 8.3 | Non-conforming product | AKHC-QP-013 |
| 13 | 8.5.2, 8.5.3 | Corrective And Preventive Action | AKHC-QP-014 |
| 14 | 8.4 | Quality performance analysis | AKHC-QP-020 |
Table 2 AKH Supply Chain Procedure
Progress Reports
Chapter 6 Works Cited
REF 1. Retrieved from About Naizak: http://www.naizak.com/NAIZAK/About_Us.html
REF 2. Retrieved from About AKH: http://www.akh.com.sa/
REF 3. Retrieved from booklets, Naizak Marketing Department
REF 4. Retrieved from Auditing and Assurance Services "An Integrated Approach" e11, Alvin A. Arens
REF 5. Retrieved from http://www.sox-online.com/coso_cobit_coso.html, About COSO
REF 6. Retrieved from http://itknowledgeexchange.techtarget.com/compliance-governance/tag//sas-78/, SAS 78, understanding the relationship
REF 7. Retrieved from Accounting Information Systems e10, Marshall B. Romney.
REF 8. Retrieved from books.google.com, Google online books, Accounting Information Systems e6, James A. Hall.
REF 9. Retrieved from AKH, SCP and SCM
REF 10. Retrieved from http://faculty.mckendree.edu/scholars/2004/stinson.htm, by McKendree University Journal of Undergraduate Research
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneVIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in management
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 

Internal Control & Risk

  • 5. Table of abbreviations:
    MR: Management Representative
    VP: Vice President
    ED: Executive Director
    ERP: Enterprise Resource Planning
    AIS: Accounting Information System
    AKH: Abdulkarim Holding
    SAS: Statements on Auditing Standards
  • 6. Executive Summary
    Purpose
    The purpose of this report is to examine and evaluate the internal control system of Naizak under the supply chain procedures to be applied at the company.
    The supply chain procedure
    The supporting literature for an effective internal control system is the recommendations of the Committee of Sponsoring Organizations and the Statements on Auditing Standards 78, which are presented in the literature review, chapter II of this report.
  • 7. Chapter 1 Company Background
    Established in 1998 as a subsidiary of Al Abdulkarim Group, Naizak Global Engineering Systems has offices around the Kingdom of Saudi Arabia (Jeddah, Riyadh, and Khobar) and 450 employees. Naizak's business-level strategy is totally customer driven, investing in talented resources that specialize in technology solutions to provide classy services to its customers. Naizak is focused on Supply Chain Management (SCM), which has helped it position itself to hold sophisticated outsourcing initiatives by major Saudi oil & gas and petrochemical companies and research institutes. Naizak has successfully satisfied these clients with best-in-class SCM business models using fully integrated technology solutions (REF 1.) (REF 2.).
    In addition to its in-Kingdom branches, Naizak has a network of offices in Bahrain, Qatar, and the United Arab Emirates, providing a range of solutions that cover all areas of industrial processes to businesses of all sizes. Naizak also caters to the specific needs of energy and industry clients in the Middle East.
    Corporate level strategy:
    Vision: Excellence through Innovation, Agility and Commitment
    Mission: We are a customer focused company that partners with leading suppliers and transforms performance through Innovation, Quality and Commitment to assist our customers achieve operational excellence and increase profitability.
    Strategic Direction: To Provide Our Customers Solutions That Streamline Processes So They Can Focus on Their Core Business (REF 1.).
  • 8. Functional-Level strategy Competencies Structure:
    Naizak Global Engineering Systems provides its customers with specialized services aligned with all the market sectors and manufacturing fields that utilize Naizak's services (REF 3.):
    Lab Systems Services:
    Naizak Research & Lab Systems has emerged as one of the leading suppliers of analytical lab equipment and testing instruments, catering to the evolving needs of the vast and diversified scientific and research industry in the Kingdom of Saudi Arabia and other Gulf countries. Naizak Lab Systems provides laboratory infrastructure solutions and complete analytical solutions to the wide-ranging analytical industry by associating with world-renowned manufacturers and suppliers. This division has this year won a long-term contract with KAUST as an outsourcing partner to support its research community. KAUST expects to run more than 40 Lab Centers in 3-4 years. Naizak has successfully designed and implemented state-of-the-art integrated solutions like SAP and Chemical Management applications to provide strong support to KAUST in enhancing its research capabilities.
    Engineering Services:
    Naizak supports hydrocarbon manufacturers like Aramco and SABIC and utilities like SEC in both upstream and downstream projects and operations. Through its technology-driven awareness and strategic long-term partnerships with major corporations, Naizak provides its clients with a complete range of products and integrated/end-to-end services. Under this division, Naizak deploys talented technical resources in three units: Instrumentation, Control Systems and Industrial Systems. The Industrial Systems Division today plays a key role in presenting cutting-edge technology to support the growing refining and petrochemical sector in the region. Naizak invests significantly in this area by providing local content to help its major clients in the technical support area; teams on the ground are working on many initiatives that have resulted in signing corporate agreements with the aforementioned clients.
    IT infrastructure Services:
    Naizak provides data infrastructure solutions by partnering with world-renowned companies such as Fujitsu Siemens, Hitachi, Symantec, and Adic. The service also includes full helpdesk support and after-sales services. For example, Naizak is the outsourced partner to Saudi Aramco, SABIC, and Petrorabigh in implementing solutions like the Lab Information System
  • 9. Management (LIMS), which depends heavily on the latest help desk solution from BMC, called “Remedy.”
    Communication Services:
    Naizak's communication services were established to provide turnkey solutions to the ever-growing telecom sector. Naizak aims to provide a premium service that extends into many domains of telecom services, through partnerships with Alcatel, Riverbed, Cisco, Hirschman, Aruba, and Huawei.
    Enterprise Applications:
    Naizak supplies configurable, multifaceted software solutions to improve organizational and operational efficiency. In addition, Naizak provides Enterprise Resource Planning (ERP) systems such as SAP and Microsoft Dynamics. Naizak is a SAP Preferred Solution/Implementation Partner.
    Training and Education Services:
    Naizak, as an Authorized Training Partner of SAP, is equipped with state-of-the-art technology training facilities in Al-Khobar, Saudi Arabia, and Dubai to provide quality training for corporate organizations and individuals on various functionalities of SAP, Pink Elephant’s ITIL Training and DNV’s industrial Safety Training.
    E-Learning Services:
    Naizak is very strong in e-Learning and has a long history of providing e-Learning solutions to companies like Saudi Aramco and SABIC. Naizak has major partnerships with major organizations worldwide that provide e-Learning curricula.
    Power Services:
    Naizak provides the power sector in the region with a bundle of services offered in two divisions. The first is Power System, which specializes in the turnkey supply, installation, commissioning, integration and maintenance/field service of equipment and systems related to power generation, transmission, distribution and control, and SCADA systems (DCS, EMS, and DMS). The other division is Electrical, which provides integrated SCM services along with advanced electrical materials supply to major clients like Aramco, SABIC, and SEC.
  • 10. Business Strength:
    Naizak, as a service provider, realigns its corporate strategic directions with best-in-class practice. Naizak adopts a contemporary organization structure while fully putting change management into practice. Naizak tailors the supply chain business model for its clients’ projects, capitalizing on the company's new ERP system (Microsoft Dynamics AX 2009) through its Project Accounting functionality. Naizak’s proven services ensure on-time service that can only be achieved by investing internally in technology solutions to help us turn out high performance. Naizak Executive Management places great emphasis on such high-performance enabling tools when serving Naizak’s customers.
    Quality:
    Customer, partner and employee satisfaction are essential components of realizing Naizak’s vision. Naizak’s quality objectives include:
    • Listening to Customers
    • Improving Through Best Practices and Methodologies
    • Developing Human Resources
    • Exceeding Expectations
    A testament to Naizak’s success is that Al Abdulkarim Holding ranked amongst Saudi Arabia’s Top 100 Companies.
    • A top 100 Saudi Company with a turnover in excess of US$ 500 Million.
    • Gulf's largest supplier of electrical, electromechanical, telecommunication, instrumentation, oilfield components and equipment.
      o Over One Million square feet warehouse facility
      o Over 35 years of experience in the region
      o 1500+ Employees
    • Awarded Saudi Arabian Oil Company (Saudi Aramco) Best Supplier Award in 2002.
  • 11. Chapter 2 Literature Review
    The difference between Public and Nonpublic Companies in Evaluating, Reporting, and Testing Internal Controls (REF 4.):
    Most auditing standards are enforced on public companies because of the fraud cases found, such as the scandal between Enron and Arthur Andersen (REF 10). In response, the AICPA created several new Statements on Auditing Standards, such as SAS 96, SAS 98, and SAS 99, which generally deal with:
    • The extent of documentation needed in an audit,
    • Auditor judgments of significance,
    • Changes made to GAAS regarding audit risk and materiality,
    • And the changes made to the auditor’s responsibility to search for fraud and gather information for an audit.
    These enforcements are made to ensure the transparency of the financials for investors and other stakeholders. Non-public companies are also required to be audited, to ensure that the financials reflect their financial position and can be trusted by banks, for instance, or by the IRS in the US or the Zakat body here in Saudi.
    Internal controls in both public and non-public companies play an important role in identifying the audit risk. The following shows the difference between public and non-public companies in evaluating, reporting, and testing internal controls.
    3.1. Reporting requirements.
    The most important difference related to internal controls between public and nonpublic company audits is the lack of a requirement for an audit of internal controls over financial reporting for nonpublic companies. The auditor, therefore, focuses on internal control only to the extent that is needed to do a quality audit of financial statements. The auditor is required by auditing standards to issue a report on significant deficiencies and material weaknesses in internal control to the audit committee or other senior management, the same as for public companies.
  • 12. 3.2. Extent of required internal controls.
    In both public and non-public companies, the establishment of internal controls is a management responsibility. If the control environment or documentation is inadequate, the auditor may decide to withdraw from the engagement or issue a disclaimer of opinion. Nonpublic companies, too, need to understand the importance of effective controls in reducing the likelihood of errors and fraud and in improving the effectiveness of the accounting system.
    Abdulkarim Co., on the other hand, has formalized policies for its operations in manuals through its Quality and Audit Department. These documents are called the Supply Chain Manual and the Supply Chain Procedure (SCM and SCP). These policies highlight:
    • competent, trustworthy personnel with clear lines of authority
    • proper procedures for authorization, execution, and recording of transactions
    • adequate documents, records, and reports
    • physical controls over assets and records
    • a limited degree of independent checks on performance
    3.3. Extent of understanding needed.
    Auditing standards require that the auditor obtain a sufficient understanding of internal control to assess control risk. In practice, the procedures to gain an understanding of internal control vary considerably from client to client. For nonpublic clients, many auditors obtain a level of understanding sufficient only to:
    1. Assess whether the statements are auditable.
    2. Evaluate the control environment for management's attitude toward internal control and financial reporting.
    3. Determine the adequacy of the client's accounting system.
    For larger clients it is more efficient to perform increased tests of controls than substantive tests because of the large volume of transactions.
    It is common for every Naizak department to have its own reliable narratives and flowcharts. These narratives and flowcharts assist the auditor in obtaining a sufficient understanding of internal control to assess control risk.
  • 13. 3.4. Assessing control risk.
    The most important difference in a nonpublic company in assessing control risk is the ability to assess control risk at maximum for any or all control-related objectives. The auditor can make that assessment for any objective when:
    1. Internal controls do not exist or are ineffective, or
    2. It is more costly to perform tests of controls than the cost reductions that would result from reduced substantive tests.
    As with public company audits, it is useful for auditors to use a control risk matrix for nonpublic company audits to assess the extent of tests of controls needed. Whenever the auditor assesses control risk below maximum, the auditor must perform tests of controls to support that control risk assessment. The auditor will not perform tests of controls when the auditor assesses control risk at maximum, either because:
    1. Controls are inadequate, or
    2. It is inefficient to test those controls.
    When control risk is assessed below the maximum, the auditor designs and performs a combination of tests of controls and substantive procedures. This shows that tests of controls vary, based on the auditor's assessment of control risk.
    In contrast, the number of controls tested by auditors to express an opinion on internal controls for a public company is significantly greater than the number tested solely to express an opinion on the financial statements. To express an opinion on internal controls for a public company, the auditor:
    1. Obtains an understanding of the client’s control risk, and
    2. Performs tests of controls for all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements.
  • 14. Chapter 2 4. (LITERATURE REVIEW II) Introduction on Internal Control and Risk:
    In the 1980s the Committee of Sponsoring Organizations (COSO) was formed to address the frauds of that era. The organizations that sponsored, and do sponsor, this entity include Financial Executives International (FEI), the Institute of Management Accountants (IMA), the American Accounting Association (AAA), AICPA, and the IIA. (REF 5.)
    The Committee established what are known as internal controls as the best deterrent to fraud; it decided to focus on an effective model for internal controls from a management perspective, which produced the COSO Model. The AICPA adopted the COSO model into auditing standards with the adoption of SAS No. 78, Consideration of Internal Control in a Financial Statement Audit. (REF 6.)
    The establishment and maintenance of an internal control system is a management obligation. The internal control system has four broad objectives to achieve:
    1. Safeguard assets of the firm.
    2. Accuracy and reliability of accounting records and information.
    3. Promote efficiency in the firm's operations.
    A risk is a potential threat to the organization’s assets. An exposure arises from the absence or weakness of a control in the internal control system. Exposures increase the firm's risk of financial loss or damage. Such risks are:
    1. The destruction of assets, both physical assets and information.
    2. The theft of assets.
    3. The corruption of information or the information system.
    4. The disruption of the information system.
    The internal control system is a system that protects the organization from undesirable events. The system should provide reasonable assurance that the four broad objectives of internal control are met, that is, reasonable assurance against:
    1. Attempts at unauthorized access to the firm's physical assets and information,
  • 15. 2. Fraud perpetrated by persons both in and outside the firm,
    3. Errors due to employee lack of skill,
    4. Faulty computer programs, and corrupted input data; and playful acts, such as unauthorized access by computer hackers and threats from computer.
    4.1. The General Internal Control Functions:
    Internal control consists of four levels of control: preventive controls, detective controls, corrective controls, and predictive controls. (REF 7.)
    4.1.1. Preventive Controls
    Preventive controls are techniques designed to reduce the occurrence of undesirable events by setting prearranged or desired actions and thus eliminating irregular events. For example,
    1. A well-designed data entry screen is an example of a preventive control.
    2. The logical layout of the screen into zones that permit only specific types of data, such as:
       Customer name: Alphabetical
       Address: Numeric, Alphabetical
       Items sold: Numeric
       Quantity: Numeric
    Such controls force the data entry clerk to enter the required data and prevent needed data from being omitted.
    4.1.2. Detective Controls
    Detective controls are devices, techniques, and procedures designed to identify and expose departures from pre-established standards that escape preventive controls.
    4.1.3. Corrective Controls
    Corrective actions are taken to reverse the effects of detected errors (fixing the problem) after they have passed both preventive and detective controls.
    4.1.4. Predictive Controls
    Predictive controls are the forecasting and evaluation of risks that may cause future undesirable events.
  • 16. 4.2. The Statements on Auditing Standards No. 78
    Statement on Auditing Standards No. 78 (SAS 78) conforms to the recommendations of the Committee of Sponsoring Organizations (COSO). Internal control as defined in SAS 78 consists of five components (REF 6.) (REF 8.):
    • The Control Environment
    • Risk Assessment
    • Information and Communication
    • Monitoring
    • Control Activities
    4.2.1. The Control Environment
    The control environment is the tone of the organization and the awareness of management and employees over internal controls (REF 8.). It has several important elements:
    • The integrity and ethical values of management
    • The structure of the organization
    • The participation of the organization's board of directors and the audit committee, if one exists
    • Management's philosophy and operating style
    • The procedures for delegating responsibility and authority
    • Management's methods for assessing performance
    • External influences, such as examinations by regulatory agencies
    • The organization's policies and practices for managing its human resources
    “SAS 78 requires that auditors obtain sufficient knowledge to assess the attitude and awareness of the organization's management, board of directors, and owners regarding internal control”.
    4.2.2. Risk Assessment
    Risk assessment is the process of identifying, analyzing, and managing risks relevant to financial reporting. Risks can arise out of changes in circumstances, such as the following (REF 8.):
    • Changes in the operating environment.
  • 17. • New personnel who possess a different or inadequate understanding of internal control
• New or reengineered information systems that affect transaction processing
• Significant and rapid growth that strains existing internal controls
• The implementation of new technology into the production process or information system that impacts transaction processing
• The introduction of new product lines or activities with which the organization has little experience
• Organizational restructuring resulting in the reduction and/or reallocation of personnel such that business operations and transaction processing are affected
• Entering into foreign markets that may impact
• Adoption of a new accounting principle that impacts the preparation of financial statements
“SAS 78 requires that auditors obtain sufficient knowledge of the organization's risk assessment procedures to understand how management identifies, prioritizes, and manages the risks related to financial reporting”.
4.2.3. Information and Communication
The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization's transactions and to account for the related assets and liabilities (REF 8.).
In connection with the organization's operations and to prepare reliable financial statements, an effective accounting information system will do the following:
• Identify and record all valid financial transactions
• Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting
• Accurately measure the financial value of transactions so their effects can be recorded in financial statements
• Accurately record transactions in the time period in which they occurred
SAS 78 requires that auditors obtain sufficient knowledge of the organization's information system to understand these aspects:
• The classes of transactions that are material to the financial statements and how those transactions are initiated
• The accounting records and accounts that are used in the processing of material transactions
• The transaction processing steps involved from the initiation of an economic event to its inclusion in the financial statements
• The financial reporting process used to prepare financial statements, disclosures, and accounting estimates
  • 18. 4.2.4. Monitoring
As part of its responsibility, management must monitor the quality of internal control design and operation over its intended function, whether by separate procedures or by ongoing activities (REF 8.). An organization's internal auditors may monitor the entity's activities in separate procedures. They gather evidence of control adequacy by:
1. Testing controls.
2. Communicating control strengths and weaknesses to management.
3. Providing recommendations for improvement to controls.
4.2.5. Control Activities
A control activity is a procedure to ensure that appropriate actions are taken to deal with identified risks. Control activities can be grouped into two distinct categories: computer controls and physical controls (REF 7.).
Computer controls, which relate specifically to the IT environment and IT auditing, fall into two broad groups:
1. General controls, such as controls over the data center, organization databases, system access, systems development, and program maintenance.
2. Application controls, which ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.
Physical controls relate primarily to traditional accounting systems that employ manual procedures. However, an understanding of these control concepts also gives insight into the risks and control concerns associated with the IT environment. Such physical control activities are:
1. Transaction Authorization
2. Segregation of Duties
3. Supervision
4. Accounting Records
5. Access Control
6. Independent Verification
  • 19. Transaction Authorization: ensures that all material transactions processed by the information system are valid and in accordance with management's objectives.
Segregation of Duties: Effective segregation of accounting duties is achieved when authorization, recording, and custody functions are separated.
Supervision: Segregation of duties can be difficult for small-scale organizations. Therefore, in organizations that lack sufficient personnel, management can compensate with close supervision.
Accounting Records: The traditional accounting records of an organization consist of source documents, journals, and ledgers. These records provide an audit trail of economic events, so that a transaction can be traced through all phases.
Access Controls: The purpose of access controls is to ensure that only authorized personnel have access to the firm's assets.
Independent Verification: These are independent checks of the accounting system to identify errors and misrepresentations. Through independent verification procedures, management can assess:
1. The performance of individuals
2. The integrity of the transaction processing system
3. The correctness of data contained in accounting records.
Examples of independent verifications include:
• Reconciling batch totals at points during transaction processing
• Comparing physical assets with accounting records
• Reconciling subsidiary accounts with control accounts
• Reviewing management reports (both computer and manually generated) that summarize business activity
  • 20. Chapter 3 (TECHNICAL PART)
Naizak internal controls:
In an ERP environment all aspects of company operations are integrated with its traditional AIS (accounting information system), thereby integrating both the financial and nonfinancial operating data of a company. Quality information is one of the competitive advantages of an organization. In an AIS the quality of the information provided is vital to the success of the system. The main users of the accounting information in Naizak are the decision makers, since the company is characterized as a private sector company. The upcoming section determines whether the accounting system is set up to provide quality accounting information to the decision makers under SAS 78.
Departments in Naizak are evaluated on their profit generation, and therefore every department in Naizak is a profit center where managers are responsible for the revenues and costs of their departments. Other departments in Naizak that support the profit departments are accounted for as cost centers, and their expenses are distributed evenly among the profit departments.
Abdulkarim Co., through its Audit and Quality Department, formalized policies and procedures in manuals, the Supply Chain Manual and the Supply Chain Procedure (SCM/SCP), to be the guidelines for its business internal controls and quality assurance; all affiliates are required to follow these policies and procedures. The policies and procedures are audited by the Abdulkarim Co. Audit and Quality Department on a quarterly basis. These policies highlight:
• Competent, trustworthy personnel with clear lines of authority
• Proper procedures for authorization, execution, and recording of transactions
• Adequate documents, records, and reports
• Physical controls over assets and records
• Regular independent checks on performance
• Quality assurance under ISO 9001:2002.
  • 21. My coop program took place at the Naizak Microsoft Dynamics Department. The department provides ERP financial and non-financial solutions for both clients and all Abdulkarim Co. affiliates. The team I was assigned to is the team responsible for customizing the ERP systems to the clients’ traditional AIS. The team consisted of two financial consultants, three system engineers, four programmers, and a web developer.
The ERP team director assigned me to the group that was working on the supply chain management project, after approval from the Internal Audit and Control Department at Abdulkarim. The team consisted of employees from the Audit Department, Accounting Department, and ERP Department. The project is an audit of the supply chain procedures of the departments at Naizak, assigned by the Internal Audit and Control Department of AKH.
The Internal Audit and Control Department at Abdulkarim performs audits and implements controls for all Abdulkarim affiliates by:
1- Setting control projects or internal audits and deadlines, then
2- Forming teams from different departments depending on the projects or audits, then
3- Setting responsibilities: project manager, account auditors, material auditors, control auditors, IT auditors.
4- The Internal Audit and Control Department personnel supervise these projects, and
5- Meetings are held on a regular basis throughout the audits or projects.
The project is seen as an improvement in corrective action for the current business procedures at Naizak, and an improvement in preventive action against future risks. It is also used to communicate the later approved and controlled procedures to all Naizak employees using online documents of procedures. This is shown in the Appendix (DFD 4 Internal Auditing Procedure and Narrative 1 Management Responsibility).
  • 22. The project task was to document the policies and procedures, including corrections, of Naizak's business line in accordance with the Abdulkarim Co. policies and procedures of Internal Control. The project's main objectives are:
1- Document general policies and procedures for all Naizak departments that define the Internal Control System and the business procedure.
2- Document department-specific procedures depending on the department's business line.
3- The policies and procedures must be accessible to both company employees and clients.
4- The documents must be available in hard copy and through online web access, called the “Robohelp project”.
The project work was distributed among the team members, and all departments in Naizak were to be visited. On a daily basis the work required visiting multiple departments in different locations and meeting with department managers, supervisors, and clerks. The following processes show the project work flow (Figure 1):
1- Interview the department about transaction operations and processes.
2- Document the operations and processes.
3- Collect support documents, narratives, or flowcharts if available.
4- Check for any departure from the Abdulkarim Internal Control Policy or inconsistencies.
5- Any possible corrections would be submitted for review.
6- Document the collected data as procedures and policies.
7- Approval of documents is a must, from the Dep. concerned, the AKH Auditing and Quality Control Dep., and the Owner, Mr. Khalid Abdulkarim.
8- The documents will be stated as "Controlled Documents".
9- Documents will be built on a company website.
Figure 1 project process
  • 23. 5.1. Interviews:
The interviews are conducted with each department's clerk, because every department in Naizak has one clerk who records department sales, employee expense claims, and employee advance payment requests; the accounting department then processes these transactions with their supporting documents. All these transactions, which have been entered by the department clerk, are viewed in the system as Transaction Journals and as a General Journal. Once entered, these transactions are pending verification from the accounting department and pending posting to the General Ledger.
As I mentioned earlier in the report, departments in Naizak are profit and cost centers. Therefore, an internal control policy of AKH is to standardize the transaction processes in every Naizak department, e.g. expense sheet forms and travel expense sheets. The departments whose transaction operations and processes I was assigned to document are:
• Lab Information System Management (LIMS)
• Instrumentation
• IT
At every department there are general questions at the interview to get an understanding of the type of work, business processes, and transactions handled. Here are samples of the interview questions (Table 1 general interview questions):
  • 24. Table 1 general interview questions

What is your job at the department?
• LIMS “Clerk”: Enter general department transactions, and follow up.
• Instrumentation Sales Dep. “Clerk”: Enter general department transactions, and follow up.
• IT “Clerk”: Enter general department transactions, and follow up.

What type of transactions do you handle? Give examples.
• LIMS “Clerk”: 1. Employee related expenses. 2. Cash advances. 3. P.O.’s 4. Outsource Contracts.
• Instrumentation Sales Dep. “Clerk”: 1. Employee related expenses. 2. Cash advances. 3. P.O.’s 4. Outsource Contracts.
• IT “Clerk”: 1. Employee related expenses. 2. Cash advances. 3. P.O.’s

What type of employee expenses do you enter into the system?
• LIMS “Clerk”: 1. Visa 2. Transportations 3. Hotel fees 4. Annual vacations 5. Housing 6. Seminars 7. Business trips
• Instrumentation Sales Dep. “Clerk”: 1. Visa fees 2. Transportations 3. Hotel fees 4. Annual vacations 5. Housing 6. Seminars 7. Business trips
• IT “Clerk”: 1. Visa fees 2. Transportations 3. Hotel fees 4. Annual vacations 5. Housing 6. Seminars 7. Business trips

What type of P.O.’s do you enter into the system?
• LIMS “Clerk”: 1. Office expenses. 2. Software. 3. Equipment.
• Instrumentation Sales Dep. “Clerk”: 1. Equipment 2. Office expenses
• IT “Clerk”: 1. Software 2. Equipment 3. Office expenses.

What does your dep. use outsourced contracts for?
• LIMS “Clerk”: Most of our sales are for lab systems implementation, and so it is entered as job orders.
• Instrumentation Sales Dep. “Clerk”: Some sales require additional workforce or equipment in the implementation phase.
• IT “Clerk”: Some sales require additional workforce or equipment in the implementation phase.
  • 25. 5.2. Processes Documentation:
After gaining a general understanding of the types of transactions dealt with in each department, we would ask the clerk to enter a sample of transactions of different types. These transactions are entered from the company portal, which is a part of the Microsoft Dynamics AX module (Figure 3).
Introducing the Microsoft Dynamics AX Portal:
The portal (Figure 2) consists of seven modules, which are the modules of Microsoft Dynamics AX 2009:
1- Finance.
2- Sales.
3- Purchase.
4- Employee Services.
5- Human Resources.
6- Project.
7- Compliance.
Employee Services:
Employee Services consists of two main applications for entering transactions: Manage Expenses and Request for Advanced Payments (refer to Figure 2). In Manage Expenses the clerk enters expenses such as:
• Flight expenses.
• Project allowance.
• Bonus Costs.
• Car maintenance expense.
• Car rental expense.
• Car service expense.
• Conference registration and fees.
• Custom duty.
• Gasoline.
• Hotel costs.
• Hotel expenses.
• Housing allowance expenses.
• Installation allowance expenses.
• Installation materials.
• Internet expenses
• Laundry.
• Loans.
• Meals expenses.
• Medical
• Miscellaneous.
• Office supplies.
• Overtime.
• Parking fees
• Penalties charges.
• Phone expense.
• Masion Project Expenses.
• Railway expense.
• Sales Return expense.
• Salaries KAUST Flores.
• Taxi expenses.
• Service termination allowance.
• Tools expenses.
• Vacation allowance expense.
• Visa fees.
  • 26. Figure 2 Portal consists of seven modules; accessed by company clerks, managers, and sales personnel only.
  • 27. Figure 3 Microsoft Dynamics AX modules. The modules shown are the viewable modules for the limited account provided.
  • 28. 5.3. Understanding the Expense Management Process:
Any claims from employees, such as business trips, providing customer services, after-service visits, or paid vacations, are submitted to their department clerk. The clerk in turn collects the required documents from the employee, such as invoices or advance payment requests. Then the clerk enters these claims using the Expense Management module in the portal and creates an Expense Report. After that, he creates a form that sums up all information about the claim and attaches it to the invoices, for example. The claims are then pending the department director's approval.
The department director checks these claims, for example by checking the claims of employees implementing a service against the project number, which describes the contract, the employees assigned to the task, and the duration of the task. All this information is visible to the department director from the Project Manager module in Microsoft Dynamics AX. After the department director has approved the claims, the clerk collects the approved claim forms and sends them to the accounting department. The accounting department validates these claims and checks whether they fit within the department budget. Then the accounting department manager approves these claims.
All claims approved by the department manager are pending posting to the general ledger. At the same time, a payment request is initiated from the expense accountant to the company cashier; this payment is made in cash by the cashier or as a bank transfer. Then, at the end of the day, a General Journal of cash payments is created.
Note: only claims approved by the department director are reflected in the system as an expense.
5.4. Collection of Expense Management Process Support Documents:
After I interviewed the three departments (LIMS, Instrumentation, and IT), I collected some screen snapshots of different claims. Then I recorded the expense report numbers to trace these transactions in the system as these claims got paid. Some employees were not cooperative in providing documents. The documents I was not able to collect were:
• Contracts and job orders.
• Cash forms such as payment requests and cash journals.
Here is part of the support documents collected:
1. Claim forms that are attached to the invoices or other supporting documents. (Appendix, Forms, Form 1 and Form 2)
2. Expense Report snapshots. Refer to Figure 4 and Figure 5.
  • 29. Figure 4 Expense Report
Figure 5 tracing claims as they get posted and paid
  • 30. 5.5. Checking Departure from the Abdulkarim Internal Control Policy or Inconsistencies:
Since Expense Management is a general procedure, it is not mentioned at all in the AKH S.C.P. (Appendix, AKH Supply Chain Procedure, Table 2). However, we are required to document a procedure for expense management so that it is controlled in Naizak.
5.6. Documenting the Expense Management Procedure:
The documented Expense Management Procedure is a sample of what has been documented during the coop period. Here I will show the documented procedure for expense claims and advance payments:
Receiving expense claims from employees:
This part covers expense claims but neither petty cash nor employees' loans.
Receive expense claim:
• The employee submits their invoices to the clerk (“department secretary”).
• The clerk enters the portal, reviews and enters the invoices, submits them, where the status will show “SUBMITTED”, and attaches them (Figure 6); then the report goes to the division manager for approval.
• Once approved, the report status will change to “Approved” (Figure 7).
• The clerk will print the report (Appendix, Forms, Form 1 and Form 2) and then give it to the cashier.
• The cashier checks the claim number, then prepares for payment.
Pay and post expense claim:
• The cashier will deduct the total amount from his account in the case of a cash advance, or pay it in cash; then the transaction status will change to “PAID”.
• The employee's signature is a must.
• The accountant will check for expense reports with status “PAID” to transfer them to the general ledger for posting.
Record expense claim:
• On AXAPTA, from the expense management details, the junior accountant will search for approved requests. (Figure 8)
• The junior accountant will transfer the expenses journal to the general ledger module, then the senior accountant will approve and post (Figure 8 and Figure 9); then the transaction status will change to “POSTED”.
  • 31. Figure 6 Entering expenses in the expense report and submitting
  • 32. Figure 7 Expense report status
  • 33. Figure 8 Approved "Paid Expenses" being transferred to Journal
  • 34. Figure 9 posting to General Ledger.
  • 35. Request for cash advance:
This part covers expense claims but neither petty cash nor employees' loans.
Request cash advances:
• The clerk logs in to the NAIZAK portal, then submits a cash advance request for the employee with full details about the purposes of the advance (Figure 10).
• The division manager approves the request.
Paying and posting advance payments:
• Once the advance payment has been approved by the division manager, the status will be shown as “APPROVED”; then it should be recorded in the cash flow by NAIZAK’s cashier, and the request status should be changed to “ORDERED”.
• The cashier will check the cash flow status, then he will change the request status to “READY TO PAY”.
• On issuance of the cash, NAIZAK’s cashier will change the request status to “PAID”.
• The employee’s signature is a must.
• The accountant will check for cash advance reports with status “PAID” to transfer them to the general ledger for posting.
Releasing cash advances on Dynamics AX:
• The accountant will go to expense management, then cash advance details, and search for approved requests.
• The junior accountant will transfer the expenses journal to the general ledger module, then the senior accountant will approve and post; the transaction status will be shown as “POSTED”.
  • 36. Figure 10 submitting a cash advance request
  • 37. Figure 11 Cash advances approved by the division manager
  • 38. 5.7. Review of documented Procedure:
Any documented procedures will be reviewed in the weekly meetings and then submitted to the Internal Auditing and Control department for review and approval. Weekly meetings are held to discuss any improvements in the procedures, such as:
• Any risk of committing fraud.
• Any gaps that allow unintentional errors to be entered in the system.
• Any suggestions for improvements in the accounting cycle.
• Any suggestions for generalized forms for all departments.
One of the most important discussions in the meetings, in which I took a big role in solving the problems faced, was that most departments in Naizak are not able to enter all expense claims, given the huge amounts submitted in some seasons. Moreover, a lot of employees are complaining that their expense claims are taking months to be paid back. I will discuss the function I took to solve this problem in the risk section, 6.3 Risk from Physical controls.
After the documented procedures have been approved, I am required to enter these documents as a manual for employees, accessible from a website. The program used is called ROBOHELP; it transforms written documents into a website where the user can search for a procedure, and the results show detailed documentation, processes to follow, and pictures from the system (AKH SCM Website). (Figure 12 the Online Documentation of Procedures, Figure 13 an Example of Demo Procedure, and Figure 14 Search Capability).
The advantage of the online help is that it serves as a preventive procedure and as part of the company's training of its employees, to make sure that all employees are following company procedures, such as the required documents and how transactions should be entered into the system; this prevents employees from entering wrong transactions unintentionally or missing required documents.
It also shows the responsibilities required for each transaction authorization as described in the Abdulkarim Supply Chain Procedure (Appendix, Narrative 1, and Table 2). Therefore it is a process of merging the AKH SCP and all that has been mentioned above.
  • 39. Figure 12 the Online Documentation of Procedures
  • 40. Figure 13 an Example of Demo Procedure
  • 41. Figure 14 Search Capability
  • 42. 6. Risks:
As defined earlier in the report, risk is a potential threat to the organization’s assets, and an exposure is caused by an absence or weakness in the internal control system. Exposures increase the firm's risk of financial loss or damage. Section 6 will deal with the risks identified in the Naizak AIS from:
6.1. Changes in circumstances
6.2. Computer controls
6.3. Physical controls
6.1. Risk from changes in circumstances:
Naizak's business line has not changed for the past 5 years, and the company has not changed its operation. Moreover, Naizak's employment turnover is very low, and most if not all of the employees at Naizak are skillful, which is mandatory for service companies.
Naizak has a computerized accounting information system, “ACCURA”. However, just lately, this year (2010), they purchased the license for installing and reselling “Microsoft Dynamics AXAPTA”, the new ERP solution. The ERP Department in Khobar provides solutions for both the company’s end users and its clients. The solution was brought in to reduce paperwork and communicate data among Naizak’s departments.
The plan is to work in parallel on both systems until the old system is phased out. Currently, double transaction recording and manual paperwork have dramatically increased. Changing from one system to another can cause transaction errors, which we have been encountering at the ERP Department. Especially when employees are introduced to a new system, mis-entered transactions by users are very common. The new system has experienced 5 restores this year, which have also created errors in the database. Nevertheless, the company has increased personnel training programs, and no employee at Naizak is authorized to use the system until they pass all training programs. Other risks arise from the reallocation of employees between departments, and sometimes employees at Naizak even work at Abdulkarim and vice versa.
  • 43. 6.2. Risk from Computer controls:
Risk from computer controls arises from general controls and application controls. Under general controls, Naizak has two secured sites that store the database as a prevention against data loss or data corruption. The database is recoverable after work hours, because of the time it takes to recover possibly corrupted or lost data. Only authorized personnel in the ERP department and the IT department have access to the database. Moreover, only the ERP database administrator has access for setting up the system from the Microsoft AXAPTA authorization console.
However, under application controls, risk is found in the online portal, which is a web-based application for entering part of the transactions and getting them approved, such as Expense Management. Under application controls, data entry controls and data output controls are presented:
6.2.1. Data entry controls:
Data entry controls are part of the preventive controls, which are meant to avoid problems before they occur. Input validation tests fall into:
• Field check
• Sign check
• Limit check
• Range check
• Completeness check
• Reasonableness test
• Batch totals: financial total, hash total, record count
  • 44. The problems found in the input controls relate to the expense claims form and the advance payments form; the risk is high and includes:
• Miscalculated totals.
• Opportunity to commit fraud by creating expense reports for expenses that have not yet happened or did not happen at all!
However, the powerful feature of the form is that most fields are dropdown menus; in other words, most of the fields are predefined for the user. The data entry risks are described in the Expense Management Figure 15 and Figure 16. As I pointed out these risks to my director during meetings, I was asked to solve this problem by designing a new form to be implemented and built into the portal.
Figure 15 Expense Report, Expense Header. Callouts in the figure:
• The clerk user name is used to enter expense claims and advances for the department employees!
• Reasonableness test failed. The expense date can be before the invoice date!
  • 45. Figure 17 is the recommended form, which was designed using Microsoft InfoPath (Expense Report Form) and later updated on Microsoft .NET. The form has a validity check on the employee name field and the employee number field. The employee number field has a limit check of 5 digits, and the first digit must be a letter. Both fields must be completed before proceeding with the report, which is the field check. To save time, it was decided that the form will automatically retrieve and complete the employee's information after he logs in. This information is retrieved from the Microsoft Outlook mail server, which contains all employees' information. The form has a very important reasonableness check, which is that the report date must be after the transaction date, because an employee cannot have an expense report for an expense he has not yet incurred. Other features of the form are that currency rates are calculated automatically, as is the total amount of the transactions.
Figure 16 Expense Report Body. Callouts in the figure:
• Financial total manually calculated, which leaves a risk of miscalculation.
• Doesn’t contain a financial total “Data Entry Control”.
  • 46. Figure 17 New Expense Report. Callouts in the figure:
• Financial total automatically calculated.
• Reasonableness: cannot be greater than the expense report date.
• Automatically calculated to ensure validity of input.
• Automatically completed from the server, where an employee can be working in more than one department.
• Field check, limit check, range check, validity check, reasonableness check.
• Validity check: must be 5 digits, the first starts with “N” or “A”, where “N” is for NAIZAK and “A” for AKH.
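The checks described for the new expense report form can be expressed as server-side validation. The following is an added example, not code from the report or from the Naizak form: it assumes the employee number is five characters in total (one letter, "N" or "A", then four digits), accepts a transaction dated on the report date itself, and uses SAR as a constructed base currency with constructed rates. It goes slightly beyond the form by also computing the batch totals listed in section 6.2.1.

```python
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Assumed reading of the rule in the report: five characters in total, the
# first "N" (NAIZAK) or "A" (AKH), the remaining four numeric.
EMPLOYEE_NO = re.compile(r"[NA][0-9]{4}")


@dataclass
class ExpenseLine:
    category: str            # a dropdown value on the real form
    transaction_date: date   # date on the invoice
    amount: Decimal          # amount in the invoice currency
    currency: str


def validate_report(employee_name, employee_no, report_date, lines, rates):
    """Run the form's checks and return (errors, financial_total).

    The total is None whenever a check fails, so a rejected report never
    carries an amount forward to approval.
    """
    errors = []

    # Field / completeness check: both identity fields must be filled in.
    if not employee_name.strip():
        errors.append("employee name is required")
    if not employee_no.strip():
        errors.append("employee number is required")
    # Limit check (length) and validity check (prefix and digits).
    elif len(employee_no) != 5:
        errors.append("employee number must be 5 characters")
    elif not EMPLOYEE_NO.fullmatch(employee_no):
        errors.append("employee number must be N or A followed by four digits")

    if not lines:
        errors.append("report has no expense lines")

    total = Decimal("0")
    for i, line in enumerate(lines, start=1):
        # Reasonableness check: an expense cannot be dated after the report.
        if line.transaction_date > report_date:
            errors.append(f"line {i}: transaction date is after the report date")
        # Sign check: a claim line must be a positive amount.
        if line.amount <= 0:
            errors.append(f"line {i}: amount must be greater than zero")
        # Validity check: the currency must have a known conversion rate.
        rate = rates.get(line.currency)
        if rate is None:
            errors.append(f"line {i}: unknown currency {line.currency}")
            continue
        # Financial total computed by the system, never typed by the clerk.
        total += (line.amount * rate).quantize(Decimal("0.01"))

    return errors, (None if errors else total)


def batch_totals(reports):
    """Control totals for a batch of (employee_no, financial_total) pairs."""
    return {
        "record_count": len(reports),
        "financial_total": sum((t for _, t in reports), Decimal("0")),
        # Hash total: sum of a non-financial field; it has no meaning of its
        # own and is only compared between sender and receiver of the batch.
        "hash_total": sum(int(no[1:]) for no, _ in reports),
    }


if __name__ == "__main__":
    # Constructed sample data, not taken from the Naizak system.
    rates = {"SAR": Decimal("1"), "USD": Decimal("3.75")}
    lines = [
        ExpenseLine("Hotel costs", date(2010, 5, 3), Decimal("400.00"), "SAR"),
        ExpenseLine("Flight expenses", date(2010, 5, 1), Decimal("100.00"), "USD"),
    ]
    print(validate_report("Sample Employee", "N1001", date(2010, 5, 10), lines, rates))
    print(validate_report("Sample Employee", "X1234", date(2010, 4, 30), lines, rates))
```

Running the same function again when the accounting department receives the batch, and comparing its `batch_totals` with the clerk's, turns the preventive check into an independent verification as well.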
  • 47. 6.2.2. Data output controls:
One of the risks among data transmission problems arises when the input does not produce the desired or intended outcome, for instance, entering an invoice for supplies while the system records the transaction as prepaid rent.
User review of output: internal auditors should test the system output for reasonableness, completeness, and conformity with its intended use.
I was entering some invoices on a copy of the current system and tracing the invoices until the transactions ended at the general ledger. One of the output errors found: when I was entering some expenses such as “Food Exp.” or “GassExp.”, after I approved them and posted them to the general ledger, the amounts would be recorded in the general ledger in a different account. Some amounts would be recorded in an asset account, for instance “Office supplies”. I checked the account numbers in Naizak's chart of accounts and found that some of the accounts have the same account number but a different account title or name. Refer to the account number “7210015003” in both Figure 9 and Figure 18.
6.3. Risk from Physical controls:
Physical controls relate primarily to traditional accounting systems that employ manual procedures.
Segregation of duties is part of the physical controls, and effective segregation of accounting duties is achieved when authorization, recording, and custody functions are separated. When implementing a trace-out for a sample of expense claims in the system, I found that for some expense claims the clerk who enters the expense claims in the system is the same person who takes custody of cashing the money for the employees and hands the money to the employee. When I was investigating this issue between the clerk and the cashier, I found the following through an interview (Figure 19).
  • 48. Figure 18. Naizak chart of accounts
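The tracing test from 6.2.2, written as an added example (it is not part of the original report or of Naizak's system): it lists account numbers that carry more than one title and flags postings that landed under a different title than the one entered. Only the account number 7210015003 comes from the report; the titles and types attached to it, the other rows, the claim IDs and the export layout are assumptions.

```python
from collections import defaultdict

# Constructed sample export of the chart of accounts: (number, title, type).
CHART = [
    ("7210015003", "Food Exp.", "expense"),
    ("7210015003", "Office supplies", "asset"),
    ("7210015004", "Hotel Exp.", "expense"),
    ("1310010001", "Prepaid rent", "asset"),
]
# Constructed postings: (claim id, category entered, account number, GL title after posting).
POSTINGS = [
    ("EXP-001", "Food Exp.", "7210015003", "Office supplies"),
    ("EXP-002", "Hotel Exp.", "7210015004", "Hotel Exp."),
]

def norm(title):
    """Normalize case and spacing so cosmetic differences are not reported."""
    return " ".join(title.lower().split())

def conflicting_accounts(chart):
    """Return {number: sorted [(title, type), ...]} for numbers with more than one title."""
    by_number = defaultdict(set)
    for number, title, acct_type in chart:
        by_number[number].add((norm(title), acct_type))
    return {n: sorted(v) for n, v in by_number.items()
            if len({title for title, _ in v}) > 1}

def trace_postings(chart, postings):
    """Flag postings whose general ledger title differs from the category entered."""
    types = {(n, norm(t)): ty for n, t, ty in chart}
    findings = []
    for claim, category, number, gl_title in postings:
        if norm(category) == norm(gl_title):
            continue
        entered = types.get((number, norm(category)))
        posted = types.get((number, norm(gl_title)))
        # High severity when the account type changes, e.g. an expense recorded as an asset.
        severity = "high" if entered != posted else "medium"
        findings.append((claim, number, category, gl_title, severity))
    return findings
```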
  • 49. Gaps in the segregation of duties functions are found in (DFD 1 and DFD 2). In DFD 1, at the employee section, the employee submits the invoices to the clerk. At the clerk section, the clerk calculates the total expenses for the invoices and enters the amount on an electronic form, then prints the form and attaches it to the invoices. After that, he logs into his portal under expense management and creates an expense report, then enters the invoice titles and amounts. As soon as the clerk posts the expense report, the AXAPTA expense file is updated and the report status shows on the manager’s portal as pending approval. The manager then checks the invoices submitted for payment and approves the relevant invoices; at this stage the invoice status shows as pending payment. The accounting department expense accountant validates the amounts, then enters these invoices into AXAPTA expense management as a journal entry, as in (Figure 2) and (Figure 8). After they are approved by the account manager, they are automatically posted from the general journal to the general ledger master file, and the invoice status then shows as posted. The department clerk checks his portal for claims with status posted, as in (Figure 7), then goes to the accounting department with the expense report numbers and asks for the payment slip. The expense accountant queries the expense report numbers and validates that the status is posted; if so, he prints the payment slip and settles the claim to the accounts payable of the project that the expense is for. The expense accountant may print the payment slip as a bank transfer or cash payment upon request.
Interview (Figure 19):
Q to Clerk: “Why would the employees not cash out the money themselves or have the amount bank transferred?”
Clerk A: “For convenience purposes, when employees are working in the field, they ask us to finish the paperwork and cash out the money, and we keep the money with us ready for them to take it.”
Q to Clerk: “Do the employees get to review the claim and sign a paper that they have received the money?”
Clerk A: “No.”
  • 50. The clerk goes to the cashier and hands over the payment slip, and the cashier hands over the money. In this action the clerk has both entered the transaction and taken custody of it by taking the money. Apart from the risk in segregation of duties, there is the problem mentioned at (5.7 Review of documented Procedure: P.38): because of the huge amount of claims submitted in some seasons, most departments in Naizak are not able to enter all expense claims until the next month, and in some cases it takes two months for these expenses to be entered. This puts at risk a basic principle of GAAP, which is realizing expenses when they occur; we realize these expenses by recording them in the books “or in the ERP”. Moreover, these claims are material to the projects “Job Order” they undertake. Therefore, the monthly statements are not as transparent as they should be. In addition, a lot of employees are complaining that their expense claims are taking months to be paid back, and most of the time they are working in another region of the kingdom. In most cases the expenses they incur are more than half of their salaries in the company. Some of them pay for flight tickets to come back and submit their claims, or drive back with company cars, as I have heard in some of these stories. This means more costs for the company too. To solve the problem I had to find where the problem is: is it because the department clerk is too lazy to enter these claims, or is it because of the huge amount of submitted claims? I took the time during interviews to measure the time taken to enter one invoice in the system. As a result, it took 30 minutes to enter 10 invoices, on average 3 minutes to enter one invoice. I made a statistical analysis of the number of claims submitted every day in the past 12 months and found that the standard deviation was 300 invoices “claims” per day.
So, if we multiply the average time to enter one invoice by the 300 standard deviation, we get 15 hours to enter all these invoices. One solution would then be to increase the number of clerks in every department from one to, say, three, and so divide the work. However, I was trying to get to a new solution that would reduce costs for the departments too. The solution was that every employee should have an account on the portal to enter his expense claims; however, the IT department told me that each account costs $200 as a license to Microsoft. Therefore I came up with a new expense report form that is accessible with the employee’s email account and password. That is why, in addition to the input controls, I made that form (Figure 17) and designed the new data flow for processing employee claims (DFD 3). At the same time this solves the problem with segregation of duties, because the clerk no longer enters the transaction and cashes the money as well. In DFD 3 his responsibility is only to validate, and to cash the money if the employee asks him to.
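The segregation of duties test behind this finding, written as an added example over an audit trail of claim steps (it is not part of the original report or of AXAPTA). The step names, user IDs, the mapping of steps to functions, the signed-receipt step and the rule that a claimant may enter and collect their own claim are assumptions.

```python
from collections import defaultdict

# Which incompatible function each workflow step belongs to (assumed mapping).
FUNCTION_OF = {"enter": "recording", "post": "recording",
               "approve": "authorization", "collect_cash": "custody"}

# Constructed audit-trail rows: (claim id, claimant, step, actor).
EVENTS = [
    ("EXP-101", "emp_ali", "enter", "clerk_1"),        # old flow (DFD 1 and DFD 2)
    ("EXP-101", "emp_ali", "approve", "mgr_1"),
    ("EXP-101", "emp_ali", "post", "acct_1"),
    ("EXP-101", "emp_ali", "collect_cash", "clerk_1"),
    ("EXP-102", "emp_sami", "enter", "emp_sami"),      # new flow (DFD 3)
    ("EXP-102", "emp_sami", "approve", "mgr_1"),
    ("EXP-102", "emp_sami", "post", "acct_1"),
    ("EXP-102", "emp_sami", "collect_cash", "clerk_1"),
    ("EXP-102", "emp_sami", "sign_receipt", "emp_sami"),
]

def sod_findings(events):
    """Return sorted (claim, actor, issue) tuples for each segregation of duties gap."""
    roles = defaultdict(lambda: defaultdict(set))   # claim -> actor -> functions held
    claimant, custodian, receipted = {}, {}, set()
    for claim, owner, step, actor in events:
        claimant[claim] = owner
        if step in FUNCTION_OF:
            roles[claim][actor].add(FUNCTION_OF[step])
        if step == "collect_cash":
            custodian[claim] = actor
        if step == "sign_receipt" and actor == owner:
            receipted.add(claim)
    findings = []
    for claim, actors in roles.items():
        for actor, held in actors.items():
            own = actor == claimant[claim]
            # A claimant may enter and collect their own claim but never approve it.
            if (own and "authorization" in held) or (not own and len(held) > 1):
                findings.append((claim, actor, "holds " + "+".join(sorted(held))))
        holder = custodian.get(claim)
        if holder and holder != claimant[claim] and claim not in receipted:
            findings.append((claim, holder,
                             "cash collected for claimant without signed receipt"))
    return sorted(findings)
```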
  • 51. DFD 1 Expense Management Process. Swimlanes: Employee (Pending Validation), Clerk (Pending Approval), Dep. Manager (posted), Accounting Dep. (paid). Labels: Invoices; Attach; Enter Expenses (Create Report); Validate Total Expenses; Update Expense Reports “Pending Validation”; Approve and Post; Update General Journal; AXAPTA General Ledger; Expense management Portal; Admin Form “Expense report #”; Print Admin Form; Expense Report; AXAPTA Expense Reports; Validate “Approved” & Post; connector A.
  • 52. DFD 2 Expense Management Process. Swimlanes: Clerk, Accounting Dep. “Cashier” (Payment). Labels: AXAPTA Project exp.; Employer’s EXP.; Query EXP.; Approved Reports; Invoices; Admin Form “EXP report number”; Settle EXP.; ACCT Payable; Payment Slip; Bank transfer; Cash out payment; connector A.
  • 53. DFD 3 the New Data Flow for Expense management. Swimlanes: Employee (Pending Validation), Clerk (Pending Approval), Dep. Manager (posted), Accounting Dep. (paid). Labels: Enter Expenses (Create; Validate and post HTML Exp. Report; Post & Generate Reference #; Immigrate Online Expense Form; Invoices; AXAPTA Expense Reports; Expense Report; Approve and Post; Validate and Post Expense Report; AXAPTA General Journal; Update General Journal; Update Expense Reports “Pending Validation”; Generate HTML Code; Print Exp. Report; Attach Papers.
  • 54. Chapter 4 Conclusion: In the absence of internal controls, or where internal controls are weak, catastrophic outcomes will cause threats and risks to the company’s assets, whether on the basis of information and communication or of control activities. That is why the Abdulkarim Internal Auditing and Control Department performs these projects to increase the effectiveness of internal controls in all its subsidiaries and affiliates. Likewise, as mentioned in SAS 78, the best deterrent to fraud is internal controls. The accounting information system in an ERP environment makes it harder for the internal auditor to assure and assess the internal controls. Therefore, there must be auditors who have knowledge of both internal controls and IT. The risks found in Naizak are a classical example of risks in segregation of duties, input controls, and output controls. Moreover, internal control improvement is an ongoing cycle; there is no point at which the internal controls are finished, because business and technology keep evolving, and therefore the company should perform ongoing improvements to the system as part of, or together with, the internal audits.
  • 55. Chapter 5 Appendix
  • 56. AKH Data Flow Diagrams
  • 57. DFD 4 Internal Auditing procedure (Internal Audit System)
Audit Plan Development: date and time of each audit location; scope of the audit (activities to audit); basis for the audit (requirements).
Audit checklist: The completed audit checklist becomes a formal report for the Audit Department and Management to review.
Audit Schedule Development: An audit schedule is developed by the Audit Department and approved by the General Manager. All functions and/or departments within COMPANY's operations are audited once per year minimum. The schedule is based on quarterly audits and altered when an activity's importance requires increased audits.
Audit Checklist: The Audit Team and Quality Assurance review applicable documentation (including previous audit reports) and develop audit checklists.
Conduct Audit: The Audit Team determines the overall effectiveness of the Internal Control System using the audit checklists and previous audit results.
Audit Results/Corrective Action: The Audit Team reviews audit findings for verification while completing the Audit Checklist Report and determines if a Corrective Action Report form is required. Then the Audit Checklist Report is reviewed with the auditee(s). Corrective actions are then assigned and implemented without undue delay.
Program Review: The Internal Audit Department reviews all reports and adjusts Internal Control System documentation and audit schedules accordingly.
  • 58. AKH Narrative
  • 59. Narrative 1 Management Responsibility
4. PROCESS FLOW (with the responsible role shown before the steps it is listed against):
Responsibility: MR
4.1 The audit policy of the company shall be communicated to all employees through training, posters, etc.
4.2 Following completion of each Internal Audit program, the management shall review the overall effectiveness of the Quality System in its operation.
Responsibility: MR / ED / VP
4.2.1 The Management Review Meeting shall be scheduled in consultation with ED/VP. The frequency of review shall be at least once a year. This meeting will be presided over by the ED/VP.
4.3 The meeting agenda shall include, but not be limited to, the following:
a. Completion of actions identified in last meeting
b. Trends in internal audit & status of corrective actions
c. Status of corrective actions based on CPARs raised
d. Status of preventive actions
e. Review of achievements in audit objectives
f. New objectives for the coming period (for company & depts.)
g. Improvements
h. Effect of changes made in the system
i. Potential effects of future changes planned
j. Adequacy of resources, any other item.
Responsibility: MR
4.4 During review, if any need to change or improve the system is identified (e.g. possibly because of a change in working practice), then that shall be recorded on the Management Review Report with Action Plan, responsible person / section and completion date(s).
4.5 The Management Review Report shall be distributed to members of the meeting.
4.5.1 The Management Review Report shall also be distributed to those who are assigned the implementation of corrective action.
4.6 To ensure that the required changes/improvements are carried out within the specified time, follow-up action shall be carried out and the status shall be recorded.
4.7 Where necessary, the documents shall be revised to reflect working practices.
  • 60. Naizak’s Forms
  • 61. Form 1 Administrative Request
  • 62. Form 2 Travel Expense Sheet
  • 63. AKH Supply Chain Procedure
  • 64. Table 2 AKH Supply Chain Procedure
# | Clause Ref. | Process Description | Procedure Ref.
1. | 4.2.3 | Document and Data Control | AKHC-QP-005
2. | 4.2.4 | Records Control | All procedures
3. | 5.2, 8.2.1 | Customer Satisfaction Survey | AKHC-QP-021
4. | 5.6 | Management Responsibility | AKHC-QP-001
5. | 6.2.2 | Training | AKHC-QP-018
6. | 7.2.2, 7.2.3 | Inquiries/Quotations & Contract Review | AKHC-QP-003
 | | Contract review (Industrial Systems) | AKHC-QP-003A
 | | Contract review (IT Solutions Provider) | AKHC-QP-003B
 | | SAP Academy | AKHC-QP-003C
 | | Call Centre | AKHC-QP-003D
7. | 7.4 | Purchasing | AKHC-QP-006
 | | Supplier Approval | AKHC-QP-006A
8. | 7.5.1, 7.5.2 | Process control (Industrial Systems) | AKHC-QP-009A
9. | 7.5.5 | Receiving Inspection | AKHC-QP-010
10. | 7.5.5 | Receiving and Storage of Material | AKHC-QP-015
 | | Packaging and Delivery | AKHC-QP-015A
 | | Expediting | AKHC-QP-015B
 | | Shipping | AKHC-QP-015C
 | | LDOR | AKHC-QP-015D
11. | 8.2.2 | Internal Audit | AKHC-QP-017
12. | 8.3 | Non-conforming product | AKHC-QP-013
13. | 8.5.2, 8.5.3 | Corrective And Preventive Action | AKHC-QP-014
14. | 8.4 | Quality performance analysis | AKHC-QP-020
  • 65. Progress Reports
  • 66. Chapter 6 Works Cited
REF 1. Retrieved from About Naizak: http://www.naizak.com/NAIZAK/About_Us.html
REF 2. Retrieved from About AKH: http://www.akh.com.sa/
REF 3. Retrieved from booklets, Naizak Marketing Department
REF 4. Retrieved from Auditing and Assurance Services "An Integrated Approach" e11, Alvin A. Arens
REF 5. Retrieved from http://www.sox-online.com/coso_cobit_coso.html, About COSO
REF 6. Retrieved from http://itknowledgeexchange.techtarget.com/compliance-governance/tag//sas-78/, SAS 78, understanding the relationship
REF 7. Retrieved from Accounting Information Systems e10, Marshall B. Romney
REF 8. Retrieved from books.google.com, Google online books, Accounting Information Systems e6, James A. Hall
REF 9. Retrieved from AKH, SCP and SCM
REF 10. Retrieved from http://faculty.mckendree.edu/scholars/2004/stinson.htm, by McKendree University Journal of Undergraduate Research