From: C/AU
List of Risks and Irregularities
Issue/Amendment: E3
Page: 1/36
Our Reference: C/AUC, C/AUT
Date: March 10, 2008

1. Introduction

The main focus of the internal audits during the past years has been adherence to central directives and guidelines as well as the efficiency of procedures within commercial and technical processes and information processing.

We found deficiencies, some of which were considerable or serious. This document gives an overview of deficiencies that were repeatedly found, or that were evaluated as considerable or serious, during the internal audits of the past years. Amongst other effects, they may increase the risk of fraud or hamper the detection of fraudulent actions.

Please check whether the following or similar weak points exist in your area of responsibility and start corrective actions where needed.

If you have questions, please contact us.

2. Accounting, Finance and Controlling

2.1 Accounting

2.1.1 Accounts Receivable

A dunning procedure for outstanding amounts does not exist; interest on overdue amounts is not claimed.
Processes to block customers or to take legal measures were not defined.
Postings were not carried out at all or not in a timely manner (e.g. the total sum of various documents was entered at the end of the month).

2.1.2 Accounts Payable

Credit notes received from the supplier were not processed in a timely manner.
For the creation of vendor master data the dual review principle was not adhered to; there was no separation of functions; a procedure did not exist; mitigating controls were not conducted.
A procedure to create and update vendor data did not exist; too many departments had authorization to create or change it.


A posting system or posting books did not exist; postings were done by another RG based on monthly Excel files.

Invoice Checking

Verification of price or content was not carried out, or the verification of price and content was carried out by the same employee (no dual review principle).
Invoices for transportation were not checked according to the dual review principle (including price check); invoices were checked after journal and payment release.
The signatory list was not used for invoice checking; invoice checking was conducted without sufficient supporting documents (e.g. purchase order); invoice verification was conducted by the same employee who placed the order.
Invoices were released for payment by unauthorized employees, or a regulation to approve payments of invoices without purchase order (PO) did not exist.
Processes to prevent double payments of invoices (e.g. entering the supplier's invoice number during posting) were not installed, or existing processes were not used.
Invoices with price differences were not automatically blocked in the system, or limits to automatically block invoices with price differences in the system were not set.
Invoices blocked due to price differences were not released according to the dual review principle.
Bank data were not entered into the IT system based on original supplier documents.
Vendor master data for suppliers with regular payments were not created; invoices were posted to collective accounts (CpD).
Postings on CpD accounts were not checked according to the dual review principle.
Although vendor master data was available, invoices were posted to CpD accounts.
There was no guideline regarding the handling of CpD accounts.
Vendor accounts without movements were not blocked.
Specimen signatures were not available for invoice verification.


Too many payment terms were used.
Price differences (invoice vs. PO) were not detected.
Advances to suppliers were not handled properly (e.g. no internal approval process defined, advance payment not settled in a timely manner, no PO existed).
A process-independent control of all postings without orders was not performed using a system protocol.
Not all differing payment terms were reported to purchasing.
Invoices with price differences were released without clarification.
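The invoice-checking findings above (verification by the employee who placed the order, release without a purchase order, verification and release by the same person, no automatic blocking of price differences, no control against duplicate invoice numbers) can be tested mechanically against an extract of posted invoices. The following script is an added example for this document; it is not part of the audit list and not a Bosch or SAP tool. The CSV columns, the employee names, the amounts and the 2 % blocking limit are constructed assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample extract: one row per posted invoice (all values invented
# for this illustration; the column set is an assumption, not an ERP export format).
INVOICES_CSV = """invoice_id,vendor,invoice_no,po_no,po_price,invoice_price,ordered_by,verified_by,released_by
1,ACME,A-100,PO-1,1000.00,1000.00,alice,bob,carol
2,ACME,A-101,PO-2,500.00,560.00,alice,alice,carol
3,BOLT,B-7,,0.00,250.00,dave,erin,erin
4,ACME,A-100,PO-1,1000.00,1000.00,alice,bob,carol
5,BOLT,B-8,PO-3,200.00,203.00,dave,erin,frank
"""

# Assumed tolerance: invoices deviating more than 2 % from the PO price are blocked.
PRICE_TOLERANCE = 0.02


def load_invoices(text):
    """Parse the CSV extract into a list of dicts (one per invoice)."""
    return list(csv.DictReader(StringIO(text)))


def check_invoices(rows, tolerance=PRICE_TOLERANCE):
    """Return {invoice_id: [finding, ...]} for every invoice violating a control.

    Controls mirror the audit findings: PO must exist, orderer must not verify,
    verifier must not release (dual review), price deviation beyond tolerance
    must be blocked, and a vendor invoice number may only be posted once.
    """
    findings = {}
    # Count (vendor, invoice number) pairs: a repeat is a double-payment candidate.
    seen = Counter((r["vendor"], r["invoice_no"]) for r in rows)
    for r in rows:
        issues = []
        if not r["po_no"]:
            issues.append("no purchase order")
        if r["ordered_by"] == r["verified_by"]:
            issues.append("verified by the employee who placed the order")
        if r["verified_by"] == r["released_by"]:
            issues.append("verification and payment release by same employee (no dual review)")
        if r["po_no"]:
            po, inv = float(r["po_price"]), float(r["invoice_price"])
            if abs(inv - po) > tolerance * po:
                issues.append(f"price differs from PO by {100 * (inv - po) / po:+.1f} %, block")
        if seen[(r["vendor"], r["invoice_no"])] > 1:
            issues.append("duplicate vendor invoice number, possible double payment")
        if issues:
            findings[r["invoice_id"]] = issues
    return findings


if __name__ == "__main__":
    for invoice_id, issues in check_invoices(load_invoices(INVOICES_CSV)).items():
        print(invoice_id, issues)
```

The same user comparison (orderer versus verifier, verifier versus releaser) is what the dual review principle reduces to in data; running it process-independently over the full posting period, rather than only at invoice entry, is the "system protocol" control the findings ask for.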

Supplier Cash Discounts

Payment terms with cash discounts were not set up in the IT system; cash discounts were not used, and the utilization of cash discounts was not tracked.
There is no systematic tracking of cash discounts.
Discount losses were not monitored; measures to reduce discount losses were not taken or were not documented.
Invoices were generally paid 30 or 60 days net without using cash discounts; a check of which payment option is more favourable was not performed.

2.1.3 Payments within RBW (Intercompany Payments)

Salaries and expenses were charged twice.
Payments were effected too late or twice; clarifications of double payments, open positions or non-matching prices were not carried out promptly or not at all.
Wrong payment terms were used.

2.1.4 Fixed Assets

Incorrect depreciation rates were used, or MAE were not depreciated at all.


Asset disposals were not properly approved, not posted or not properly documented.

2.1.5 Balancing

Assets and stock were not considered in the balance sheet.

2.2 Finance

2.2.1 Banks

Bank accounts were not reconciled monthly.
The number of bank connections was not restricted to a minimum.
Authorization was given to two employees without power of attorney; the approval by the responsible LD was missing.
The list of authorized signatories for banks was not updated.
Signature stamps were used; thus, signatures can be duplicated.
A separation of authorizations into A and B authorization did not exist.
The number of authorized signatories was not kept to a minimum; bank authorizations were too extensive (e.g. raising of credits).
Bank confirmations of authorized signatories did not exist.
The communication to C/FI regarding bank connections and bank accounts was incomplete or incorrect; the approval for the opening of new bank accounts was missing.

2.2.2 Payment Transactions

Payment instructions were sent to the bank by unencrypted fax or unprotected disk.
Intercompany settlements by netting were possible but not used.
Payment instructions were issued without appropriate documentation or controls.
Direct debit payments were conducted without the required approvals.

Reconciliation of account balances between bank accounts and general ledger accounts was not carried out or was insufficient (e.g. frequency).
Payments were carried out by check or bank draft although bank transfers were possible.
Check handling was not conducted in compliance with proper business practices (blank signatures, insufficient tracing of check inventory, checks sent to employees without adequate controls, insecure safekeeping of the check portfolio).

2.2.3 Electronic Banking (EB)

The EB systems used were not in line with the C/FI Corporate Directive; an approval of exemption did not exist.
No site-specific instruction for the EB systems used was available, or the instruction was incomplete.
A security concept for EB was not in place.
EB users did not sign the required declarations of obligation.
The electronic signature disc was not stored adequately.
Changes of passwords did not take place regularly or were not documented.
The authorizations were not restricted to a minimum.
A separation of authorizations into A and B authorization did not exist.
The list of authorized signatories for EB was not updated; the release of payments was conducted by employees without power of attorney for banking.
Employees possessed authorization for the EB system as well as payment-relevant posting rights in the financial accounting system.
The payment file from the pre-system could be altered before payment release (the payment file was stored on a non-secure server and was not protected).


A check of the payment file was not performed. The payment file did not contain check sums, or, if check sums were available, these were not checked process-independently.
The release of payments was not in line with the dual review principle, or checks were not documented comprehensibly.
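The findings on the payment file (alterable before release, check sums absent or not checked process-independently, release not under dual review) map onto one small control: the pre-system seals the exact bytes of the payment file with a keyed MAC, and the release step recomputes that MAC with its own copy of the key before two different persons with A and B authorization release. The Python below is an added illustration for this document, not a Bosch or EB-system component; the file layout, the key and the user names are constructed. It assumes the MAC key is held only by the pre-system and the release function and is never stored on the shared transfer server: a plain, unkeyed checksum kept beside the file would not help, because whoever can edit the file can recompute it.

```python
import hashlib
import hmac

# Constructed payment file as a pre-system (AP run or payroll) would write it to the
# transfer location. The layout is arbitrary: the MAC covers the exact bytes.
PAYMENT_FILE = (
    "RUN;2008-03-10;EUR\n"
    "DE00000000000000000001;ACME GmbH;1000.00\n"
    "DE00000000000000000002;Bolt Ltd;250.00\n"
).encode()

# Assumed shared secret, known to the pre-system and the release step only and
# not stored next to the payment file (constructed value for the example).
MAC_KEY = b"constructed-demo-key-not-for-production"


def seal_payment_file(content: bytes, key: bytes = MAC_KEY) -> str:
    """Pre-system side: HMAC-SHA256 over the bytes that are handed over."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def verify_payment_file(content: bytes, expected_mac: str, key: bytes = MAC_KEY) -> bool:
    """Release side: recompute independently and compare in constant time."""
    return hmac.compare_digest(seal_payment_file(content, key), expected_mac)


def release_payment(content: bytes, expected_mac: str, approvals):
    """Release only if the file is unaltered and two different persons holding
    A and B authorization approved. `approvals` is an iterable of (user, role).
    Returns (released, reason)."""
    if not verify_payment_file(content, expected_mac):
        return False, "payment file altered after sealing"
    by_role = {}
    for user, role in approvals:
        if role in ("A", "B"):
            by_role.setdefault(role, set()).add(user)
    a_users = by_role.get("A", set())
    b_users = by_role.get("B", set())
    # Dual review: some A signatory and some B signatory who are not the same person.
    if not any(a != b for a in a_users for b in b_users):
        return False, "dual review not satisfied: need distinct A and B signatories"
    return True, "released"


if __name__ == "__main__":
    mac = seal_payment_file(PAYMENT_FILE)
    print(release_payment(PAYMENT_FILE, mac, [("carol", "A"), ("frank", "B")]))
    tampered = PAYMENT_FILE.replace(b"1000.00", b"9000.00")
    print(release_payment(tampered, mac, [("carol", "A"), ("frank", "B")]))
```

The MAC is transmitted to the release step on a path separate from the file (for example recorded in the pre-system's run log that the releasing person reads), so that a change to the file on the transfer server is detected at release rather than at the bank.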

2.2.4 Petty Cash

A site-specific procedure did not exist.
Cashier or substitutes were not named.
Payments were approved or paid out by the recipient.
Petty cash checks were not conducted or not conducted properly.
Receipt forms did not exist or were incomplete.
The cashier had posting rights for the petty cash account in the ERP system; process-independent checks were not conducted.
The amount in the petty cash was too high or not adequately insured.
No updated specimen signature list of authorized persons was available at the cash desk.
Payments were not authorized (signature rules not adhered to).
A ledger for petty cash did not exist or was not sufficient.
Petty cash transactions were not limited to the necessary minimum (e.g. travel expense advances through petty cash although cashless handling was possible).
Cash advances for employees were not posted or not followed up.
The physical count did not reflect the actual accounting.
Petty cash transactions were not posted in a timely manner.
Petty cash box or related keys were not stored properly.


Too many petty cash funds were used.

2.2.5 Reimbursement for Travel Expenses

Reimbursement for travel expenses was released for payment without approval by authorized employees.
The reimbursement of travel expenses was partly not according to proper accounting principles (e.g. incomplete, postings not traceable).
Travel advance payments were not approved, documented or settled properly.
Travel applications were not filled out or not approved by an authorized employee.
Employees used company credit cards for travel expenses which were charged directly to a company account.

2.3 Controlling

2.3.1 Reporting

Data for MGB reporting were not calculated correctly (e.g. personnel capacity, liquidity planning).
Depreciations were calculated wrongly, leading to a wrong profit and loss calculation.

2.3.2 Cost Calculation

The PHEK calculation process was not correct (e.g. standard times not revised, ratio targets not included in the PHEK).

2.3.3 Transfer Prices

Framework agreements for the supply of goods or services between RG and GB did not exist.
Transfer prices were not agreed upon before delivery, or written transfer price agreements did not exist.
A site-specific procedure regarding transfer pricing documentation did not exist.

2.3.4 Investment Calculations

Key figures were not tracked during the investment.


Required investment calculations were not conducted or were incorrect (e.g. overestimated cost saving potentials, not all relevant costs considered), or benefit analyses were not performed.
MAE approval documents were not available or were incorrect.

3. Material Management

3.1 Purchasing

3.1.1 Purchasing Process

The purchasing function, especially price negotiation and supplier selection, was conducted by the requiring departments instead of the purchasing department.
Alternative quotations were not obtained; inquiries were not documented sufficiently.
Purchasing decisions were not documented.
POs were not created in the IT system, were issued without price information, or were changed after issuance without authorization.
Purchase requests or POs were issued after the service was rendered.
There were no requests for quotation for services in more than five years.
Make-or-buy assessments were not conducted; inquiries for standard capabilities were not conducted consistently.
Quotations were not comparable (e.g. inquiries without specifications).
Estimated prices were used improperly (e.g. for EZRS) in purchase orders.
Market inquiries were only conducted for new components; market evaluations were not performed systematically.
Hardware and software were not purchased in adherence to CI/PUR guidelines.
For scrap and recyclable materials no inquiries were conducted; the order decision was not comprehensible.


An approval process for price changes is not defined.

3.1.2 Agreements with Suppliers

The relevant Bosch purchasing conditions were not added to the purchase orders, or the purchase orders did not refer to these conditions.
CP or GB contracts were not used.
Frame contracts for recurring demands and services were not concluded or not renewed in time.
Written contracts did not exist.
Quality agreements were not concluded.
Despite the necessity (e.g. SE projects, cleaning), confidentiality agreements were not concluded with suppliers.
Loan contracts for Bosch-owned tooling were not concluded with suppliers.
Payments to suppliers were made as pre-payments; pre-payment guarantees did not exist.

3.1.3 Supplier Monitoring

Supplier monitoring was not conducted.

3.1.4 Material Cost Report

Projects to achieve cost reductions were not defined; key data, delays and corrective actions were not monitored.
The price index as reported in the material cost report was calculated incorrectly.

3.1.5 Others

Employees of PUR without the appropriate power of attorney signed purchasing contracts.
Supplier assessments were not conducted regularly, not conducted completely or not conducted frequently enough.


Statements for purchasing cards were not authorized correctly (e.g. missing supporting documents, signature regulation not adhered to). Unauthorized purchases were made (e.g. meals, computer equipment). Purchases permitted for card holders were not defined.

3.2 Logistics

3.2.1 Material Planning and Procurement

Inventory (e.g. TEF material, customer returns, promotional material) was not properly posted, not posted in a timely manner or not posted at all.
Orders at RBW plants were placed by fax or e-mail; the IT interface was not used.
Electronic Data Interchange (EDI) was used insufficiently.

3.2.2 Customer Orders

A regulation for the approval of free-of-charge deliveries did not exist.
There was only one inventory target for all EZRS, or different material groups or values (ABC) were not considered.
The key figure "Delivery Time to Customer" was insufficient; actions to improve the figure were not defined.

3.2.3 Transportation

Reasons for special deliveries were not analyzed; actions to reduce the number of special deliveries were not defined.
Costs for special deliveries were not tracked or not analyzed.
Costs for special transports were not charged to the supplier.

3.2.4 Stock Taking

Too many employees had the authorization to book inventory discrepancies.
Stock taking was not performed or not performed completely.
Local cycle counting guidelines did not exist or were not comprehensive.
Inventory discrepancies were not analyzed sufficiently.


Inventory discrepancies and stock adjustments were not documented sufficiently.
Cycle counting documents already showed the quantity to be counted.
Cycle counting staff were also responsible for warehouse administration.

3.2.5 Warehousing

Picking and packaging areas were not separated sufficiently.
The number of "non-moving parts" within the warehouse was too high; actions to reduce this number were not defined or not sufficient.
Access to warehouses was not secured or not regulated.
User authorizations for posting inventory movements (including scrap and inventory discrepancies) were granted too extensively or granted to externals.
Inventory management was not based on storage locations.
In our spot check, we ascertained (high) inventory discrepancies.
Warehousing was not adequate.

3.2.6 Scrapping

Prices for the disposal of raw material (e.g. copper) were not updated.
Approval for scrapping was missing.
The possibility of selling scrap was not examined.
The approval process for scrapping was not defined.
Reasons for scrapping were not analyzed.
Physical scrapping was not conducted in time or not at all.
Scrap material was not weighed when delivered to the service provider; thus, credit notes from the service provider cannot be verified.


Scrap was not stocked separately or was not marked.
Price verification of the service provider's credit notes was not performed.

3.2.7 External Service Providers

The site security was not set up according to the directives.
RBW inventory was not identified properly and was stored together with the inventory of other companies.
The required fire protection for warehouses handled by external service providers was not adhered to.
Purchasing and contract negotiations for logistics services were conducted by logistics staff, not by purchasing.
Contracts were not checked by the legal department.

4. Sales

4.1 Administration

4.1.1 Customer Master Data

More than one customer number existed for the same customer.
Customer master data was not created or changed according to the dual review principle and was not based on original documents.
Entry and changes of prices in SAP or EVA were not conducted according to the dual review principle.

4.1.2 Quotation Process

Purchase order confirmations were not submitted after receiving the award (target agreement, LOI) and purchase orders from the customer.
RB general terms and conditions were not referenced, and liability risks were not excluded.

4.1.3 Credit Notes

Credit notes were not analyzed regarding number and reason. Measures to reduce the number of credit notes were not taken.
Credit notes were issued without prior approval by authorized employees, or the dual review principle was not adhered to.

4.2 Accounts Receivable Management

4.2.1 Credit Limits

Regular monitoring of credit limits was not performed.
Credit limits were not calculated according to central requirements (e.g. credit limits too high, not up to date).
Commercial reports on the creditworthiness of customers were not obtained.
The authorization process for credit limits was not defined.
Too many employees had authorization to unblock customer accounts with exceeded credit limits.

4.2.2 Dunning Process

Follow-up on overdue accounts was not conducted.

4.3 Sales Price Analysis (Cost Disclosure)

Prior to the Sales Price Analysis disclosure, customer agreements on the rules for carrying out the individual Sales Price Analysis did not exist. The commercial basis for calculations was not defined.
It was not ensured that Sales Price Analysis disclosures are conducted in accordance with the C/AS Directive.

5. Human Resources (HR)

5.1 Administration


The HR department was not a restricted area.
Rooms and desks of the HR department or payroll department were not locked after working hours.
The handling of personnel information was not appropriate (e.g. not kept in a locked place).
Personnel files were incomplete (e.g. missing employment contracts, leave checklists, power of attorney) or kept in an inconsistent order.
Exit, entry and change checklists did not exist or were incomplete.
Powers of attorney were not limited.
User IDs of employees who left RBW were not locked or deleted.
Handling and tracking of company loans to employees was not conducted sufficiently.

5.2 Payroll Processing

Employees could generate personnel master data, enter salary data and generate the payment file at the same time. Thus, there was no separation of functions.
Payroll processing was conducted completely in Excel by one employee; process-independent checks were not carried out. Thus, there was no separation of functions.
Employees of the HR department were able to change their own personnel data in the IT system.
Review of severance calculations was not according to the dual review principle.
HR did not perform spot checks on payroll data processed by the external service provider. A change report was not provided.
The payment file for wages and salaries could be altered before payment release (e.g. the payment file was stored on a non-secure server or disk and was not protected accordingly).
Changes in personnel master data were not documented and checked sufficiently.


The check of the payment list before payment was incomplete, or the unblocking of the payment list was not organized according to the dual review principle.
Grouping, continuing payments and salary data were entered incorrectly into the payroll system, or data could not be explained.
Housing allowances were paid exempt from tax and social security without proof.
Written contracts for expatriates did not exist. Salary amounts were not traceable.
A terminated employee still received salary payments.

5.3 Data Protection

For the payroll system, neither an authorization concept nor a security concept existed.
All employees connected to BCN could access the drive where personnel data was retained.
Payroll data files were stored on local hard disks; data encryption or a hard disk password did not exist.
Employees processing personnel-related data did not sign the required declaration of obligation.
Confidentiality agreements for externals with access to Bosch information were not concluded.
Payroll was handled by an EDL; no contracts existed, there was no definition of the respective EDL employees and their authorizations, and no confidentiality agreements existed.
Payments were posted as costs in a collective vendor account stating the name of the employee to whom the amount was paid. Thus, personal data were accessible to employees outside HR.

5.4 Temporary Employment

Within the purchase process for external service providers, the G13 Central Directive "Fremdvergabe von Arbeiten" is not adhered to.
Contracts with service providers for temporary employees were missing or incomplete.


Some necessary documents for leased personnel were missing (e.g. individual contracts, work permit).
Briefing of leased personnel on work safety was not conducted or not documented.
Confidentiality agreements with leased employees did not exist.

5.5 Signature Regulations

Externally binding correspondence contained only one signature or none. The respective approvals by LD or G did not exist. Approvals at the appropriate level were not obtained.
The signature list was not complete, not available or not updated. Specimen signatures of authorized employees were not available.
Existing signature regulations were incomplete, signature regulations did not exist, or internal signature rules were not in accordance with the respective directives (e.g. RB/GF 110).
The statement "This document is legally valid without a signature" was missing where the signature was waived.
Internal signature rules were not adhered to (e.g. unauthorized signatories, exceeding of limits).
The registration in the Commercial Register was not updated.

5.6 Others

Employees exceeded the maximum working hours per day.
Personnel performance appraisals were not conducted, not conducted on a yearly basis, only conducted for managers, or not filled in or signed accordingly.
Employees were at the same time suppliers, without approval from management; in some cases, these employees were also involved in the procurement process.

6. Export Control

The ZR/ZE Central Directive of June 9, 2004, "Control of Export and Technical Assistance with Reference to Foreign Countries", was not adhered to (e.g. no respective guideline, no documentation, Ez not classified regarding mandatory approval).


Foreign trade and customs officers were not appointed.
Foreign trade and customs officers were not sufficiently qualified (e.g. no know-how regarding the execution of export control).
Training was not conducted.

7. Quality Management

7.1 Quality Management System

Quality management did not report to the responsible management.

7.1.1 Principles of Product Liability

Product liability training was not conducted, not repeated, or not conducted for new employees, or the responsibility for product liability training is not defined.
There is a risk in case of product liability because of a lack of traceability, missing or deficient document retention or record keeping, and missing or deficient version management (missing previous versions of documents).
Function tests were not performed according to specification; final test benches were not secured against unauthorized access.
Frame contracts did not cover aspects of product liability.

7.1.2 Keeping Records

Traceability for performed product audits did not exist.
Work instructions were not regularly reviewed or updated.

7.1.3 Environmental and Quality System Audits

Regular QZ audits were not performed.
8D tracking for Q-audits was not performed. Documentation about the release of Q-audits did not exist.
Internal audits did not cover ESD-relevant items.

7.1.4 Concessions

The form used did not comply with the CDQ; relevant data (e.g. cause, effect, risk assessment, documentation of measures) were missing.
Concessions had expired, were repeatedly prolonged, were issued multiple times or were closed without corrective actions being taken (especially for drawing changes).
Concessions were partly incomplete or not approved properly (e.g. repeated concessions, approval not by management).
Concessions were issued after changes or special treatment had already been introduced.
Tracking of concessions and the respective action items was not performed.

7.1.5 Control of Measuring and Test Equipment

Calibration intervals were not adhered to; calibration intervals did not consider the frequency of use; uncalibrated gauges were in use; tolerances for gauges were missing.
Gauge capability studies were not performed or were performed incorrectly. The software system was not traceable.
Regularly used test equipment was not listed.

7.1.6 Engineering Changes

Changes were made without the necessary customer approval.

7.1.7 Quality Complaints

Protective measures against possible harm to customers were not extended to all products in the supply chain (e.g. Eastern Europe).

7.2 Quality Management Methods

7.2.1 Quality Assessments


Specific guidelines were not approved by C/QM.
Not all mandatory participants attended quality assessments.
QB were not executed, not executed in a timely manner, or executed incompletely.
QB questionnaires were incomplete.
In case of negative QB results, the risk analysis or the required review was missing.
Different QA levels were combined.
Measures were not defined; the implementation of measures was not tracked systematically.
QB were not signed by the responsible person; management was not involved in case of negative QB results.
Projects were finally released despite negative ratings at QB4.

7.2.2 FMEA

FMEA was performed incompletely (e.g. missing risk priority number (RPZ) and measures).
FMEA were not updated or updated insufficiently (e.g. in case of new defects, additional components and process changes).
FMEA ratings were inconsistent (e.g. for the same failure effect).
Not all required persons were involved in conducting the FMEA.
Required signatures were missing.
Measures had not been defined although the RPN was greater than the threshold.
Measures were not implemented on schedule, or documentation was not updated.
Requirements for FMEA were not met.


FMEA were not performed or not performed sufficiently.
RPZ were not identified.
Failure effects did not include the customer impact.
For measures, no due dates or responsible employees were defined.
Internal procedures did not comply with the CDQ.
Special characteristics were not marked.

7.2.3 8D Systematic

The 8D systematic for working on detected failures was not applied adequately (e.g. no risk analysis, failure analysis in 8D reports incomplete, 8D reports not signed).
8D reports were not concluded in a timely manner.
Corrective actions were not introduced; no preventive actions to avoid the recurrence of defects were established.
8D reports were not issued.
Customer agreement was not requested.
8D reports were not in IQIS, or there is no customer-independent RB documentation.

7.2.4 Statistics

Quality control charts were used incorrectly; control limits were missing or wrong.
Measurement values were outside control limits or tolerance, and no measures were initiated.
Samples were not taken after events such as tool changes. Actions and events such as tool changes or machine breakdowns were not documented.
Capability studies were not conducted; the quantity of measured parts was too low.
Capability values were not sufficient.
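The statistics findings above describe three mechanical checks: control limits derived from a reference run, flagging of measurements outside those limits so that a measure is initiated, and a capability figure that is only reported when enough parts were measured. The Python below is an added illustration for this document, not from the audit list or a Bosch quality system; the measurement values, the specification limits 9.6/10.4 and the minimum of 50 parts are constructed assumptions. It uses an individuals chart with limits at the mean of the reference run plus and minus 3 sigma, Cp = (USL - LSL) / (6 sigma) and Cpk = min(USL - mean, mean - LSL) / (3 sigma).

```python
import statistics

# Constructed measurement data (mm) for this illustration: 50 parts from a
# qualification run around nominal 10.0, used to set the control limits.
QUALIFICATION_RUN = [10.1, 9.9] * 25
# Constructed production sample checked against those limits.
PRODUCTION_SAMPLE = [10.0, 10.35, 9.65, 9.95]
# Assumed specification limits of the characteristic.
LSL, USL = 9.6, 10.4
# Assumed minimum number of measured parts for a capability study.
MIN_PARTS = 50


def control_limits(values, sigma_factor=3.0):
    """Centre line, upper and lower control limit of an individuals chart,
    based on the population standard deviation of the reference run."""
    mean = statistics.fmean(values)
    sigma = statistics.pstdev(values)
    return mean, mean + sigma_factor * sigma, mean - sigma_factor * sigma


def out_of_control(values, limits):
    """Indices of measurements outside the control limits. Each one is an
    event that must lead to a documented measure, not be left unanswered."""
    _, ucl, lcl = limits
    return [i for i, v in enumerate(values) if v > ucl or v < lcl]


def capability(values, lsl, usl, min_parts=MIN_PARTS):
    """Cp and Cpk of the process; refuses to report a figure on too few parts,
    which is the deficiency the finding on sample quantity points at."""
    if len(values) < min_parts:
        raise ValueError(f"capability study needs at least {min_parts} parts, got {len(values)}")
    mean = statistics.fmean(values)
    sigma = statistics.pstdev(values)
    cp = (usl - lsl) / (6 * sigma)
    cpk = min(usl - mean, mean - lsl) / (3 * sigma)
    return cp, cpk


if __name__ == "__main__":
    limits = control_limits(QUALIFICATION_RUN)
    print("centre / UCL / LCL:", [round(x, 3) for x in limits])
    print("out-of-control sample indices:", out_of_control(PRODUCTION_SAMPLE, limits))
    print("Cp, Cpk of qualification run:", [round(x, 3) for x in capability(QUALIFICATION_RUN, LSL, USL)])
```

Control limits come from process behaviour (the reference run) and specification limits from the customer; mixing the two, for example drawing the tolerance as the control limit, is one of the chart errors the finding refers to, so the two are kept as separate inputs here.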


8. Technical Functions

8.1 Core, Key and Standard Capabilities

Core, key and standard capabilities were not defined or not correctly defined.

8.2 Maintenance

Maintenance costs were not followed up per machine.
Preventive maintenance was not conducted in a timely manner.

8.3 MAE Acceptance

For new MAE, or after reconstruction or relocation, acceptances were not performed.
A procedure for the safety release of MAE did not exist.
Measure processing was not executed consistently; final acceptances were not executed or not documented.
HSE was not involved in the planning and approval process for new MAE.
A regular inspection of safety-related MAE was not performed.
Freely accessible electrical cabinets were either unlocked or open.
Safety acceptance was given despite considerable safety deficiencies at MAE.
MAE safety releases were not conducted.
A plan to release existing MAE was not available.
Risk assessments were not conducted or not updated.
Acceptance check reports were not filled in completely.
MAE were not labelled with inspection tags.

8.4 Machine and Process Capability

Machine and process capability were not calculated or not calculated correctly.


For non-capable machines the tolerances, for which capability could be achieved, have
not been calculated; analysis of effects on the product have not been conducted.
Cognitions from the process development of the prototype construction have not been
transferred sufficiently into the processes of the series manufacturing.

8.5

Industrial Engineering

8.5.1

Wage System
The sum of VT and additional salary components used for payment resulted in a constant performance efficiency over several months.
Performance efficiency varied widely without systematic analysis of the reasons.
Unrealistically high additional salary components were planned and used.
Elements of bonus salaries did not correspond to the values actually determined.
The determination of bonus salaries was incorrect or not reproducibly documented.

8.5.2

Standard Times (VT)
VT were not updated, or not updated in a timely manner.
Delay allowance studies were not carried out, not updated, or not documented in a timely manner.
VT were estimated improperly.
VT were expressed in inconsistent units (e.g. hours per 100 pieces vs. hours per 1,000 pieces) and were not correctly rounded.
Inadequate software was used to analyse and document VT.
A performance index was not used in REFA time studies.
Too few repeat measurements were taken in time studies.
Change-over documentation and analysis were not done.

Process deficiencies regarding the realisation of productivity reserves.
Line balancing was insufficient.

9

Research and Development

9.1

Core, Key and Standard Capabilities
Documentation of the decision whether a variant was to be treated as a separate project or as an amendment to an existing project did not exist.
Core, key and standard capabilities were not defined or not communicated, so it cannot be ensured that the corresponding make-or-buy decisions were evaluated correctly.
Recording of development resources was inadequate.

9.2

Documentation of Trial Conditions
The documentation of test results was incomplete (e.g. drawing number, tolerances, tester name or test date missing).
Test plans were incomplete.
The number of parts tested was too low and did not match the agreed number.
No measures were defined after failed tests (customer tolerances not met, customer approval not obtained, risk analysis for failed tests not performed).
Tests were performed or documented with delay.
Tests were not conducted in accordance with the test specification.
Measurement uncertainties associated with test results were not evaluated or not documented.
The capability of the measurement equipment was not evaluated, or the test equipment used was not capable.

10

Project Management

10.1

Planning and Administration


A project agreement was not concluded, or not sufficiently.
Guidelines for project management (e.g. estimation of development effort) did not exist.
Risk management was not sufficiently implemented.
Essential documents for project management (e.g. QA) did not exist.
Project resources were planned too low.
Project categories were not defined; projects were assigned to incorrect project categories (e.g. to the variant category instead of the platform project category).
Project schedules were not updated or were incomplete.
Open non-compliances were not sufficiently tracked.
Reasons for project acceptance were not documented.

10.2

Economic Efficiency
Assignment of project costs was incomplete or not project-specific.
Project costs were not tracked adequately (e.g. no tracking of cost elements).
An approval procedure for exceeding the project budget was missing.

11

Production

11.1

ESD Protection
Employees were not trained in ESD protection, or the annual refresher training was not conducted.
Forbidden materials (e.g. plastic film, bottles) were present within the ESD Protected Area (EPA).
Signposting of ESD protected areas was insufficient; persons (employees, internal or external service staff) entered the EPA without an ESD check.

ESD release or the annual ESD check of MAE and low-value items was not carried out or not documented.
Prescribed personal ESD protection (e.g. wrist straps) was not used or was used incorrectly.
Measuring devices for ESD checks were not available, were inadequate, or were not used daily with documented results.
Floor resistance was not measured according to RB Standard N55, or the certificate was not available.
MAE were not grounded, or not grounded properly (e.g. trolleys, rework bench).
An ESD coordinator was not appointed.
Visitors were neither given protective equipment nor informed about correct behaviour within the EPA.
ESD-critical components were handled or stored without protective measures.
Material handling aids did not conform to RB Standard N55.
Electrostatic dissipation (resistance) was not within the required limits.
No ESD audits were conducted, or internal audits did not cover ESD-relevant items.
Information given to customers regarding product-related ESD issues was not documented.

11.2

Quality Inspections
Products were approved although parameters were out of specification. Scales had insufficient precision.
Material destined for quality inspection was stored in the incoming goods area without sufficient marking.
Regular checks of inspection equipment against reference (adjustment) pieces before each shift were not performed.
Quality checks were not performed, or only partly; an inspection plan did not exist.

Components that failed tests in production were not marked and not clearly segregated.
The sample size did not take the lot size and the long-term quality performance into account; all samples were taken from the same packaging unit.
Tolerances for Q-audits were estimated and not released by management.

11.3

Statistical Process Control (SPC)
The production process was not under control. Capability studies were not conducted, or the number of measured parts was too low. Stability tests were not performed.
SPC control limits were not defined correctly. A reaction plan was not defined. SPC charts were not filled out, or not completely.
Sampling was incorrect; control charts were not available; there was no reference to the measuring equipment used.
Capability analyses were not conducted, or not repeated for process changes after SOP (start of production).
References to gauges were not documented.
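
The capability and control-limit findings above (8.4 and 11.3) come down to a small amount of arithmetic that is easy to get wrong or to skip. The following is an added example, not part of the audit document: it computes Cp and Cpk from a capability study, refuses a study with too few parts, derives X-bar/R control limits from pilot subgroups and flags later subgroups that fall outside them. The minimum study size of 50 parts, the Cp target of 1.33 and the sample data are assumptions chosen for the example; the chart constants are the standard Shewhart table values for subgroup sizes 2 to 5.

```python
from statistics import mean, stdev
import random

MIN_PARTS = 50      # minimum parts for a short-term capability study (assumption for this example)
MIN_CP = 1.33       # minimum Cp/Cpk usually demanded for a capable process (assumption)

# Shewhart X-bar/R chart constants by subgroup size n (standard table values)
A2 = {2: 1.880, 3: 1.023, 4: 0.729, 5: 0.577}
D3 = {2: 0.000, 3: 0.000, 4: 0.000, 5: 0.000}
D4 = {2: 3.267, 3: 2.574, 4: 2.282, 5: 2.114}


def capability(values, lsl, usl):
    """Return (Cp, Cpk) of measurements against the lower/upper specification limits.

    Raises ValueError when the study is too small to mean anything, which is the
    "quantity of measured parts too low" finding; reporting a Cpk from ten parts
    hides the problem rather than measuring it.
    """
    if len(values) < MIN_PARTS:
        raise ValueError(f"capability study needs at least {MIN_PARTS} parts, got {len(values)}")
    if usl <= lsl:
        raise ValueError("USL must be greater than LSL")
    mu = mean(values)
    sigma = stdev(values)      # sample standard deviation (n - 1)
    if sigma == 0:
        raise ValueError("zero spread: gauge resolution too coarse for this tolerance")
    cp = (usl - lsl) / (6 * sigma)                                  # tolerance width vs. process spread
    cpk = min((usl - mu) / (3 * sigma), (mu - lsl) / (3 * sigma))   # also penalises an off-centre process
    return cp, cpk


def control_limits(subgroups):
    """Derive X-bar and R chart limits from pilot subgroups (phase I)."""
    n = len(subgroups[0])
    if n not in A2 or any(len(g) != n for g in subgroups):
        raise ValueError("all subgroups must have the same size, between 2 and 5")
    xbar_bar = mean(mean(g) for g in subgroups)         # grand mean
    r_bar = mean(max(g) - min(g) for g in subgroups)    # mean range
    return {
        "n": n,
        "ucl_x": xbar_bar + A2[n] * r_bar,
        "lcl_x": xbar_bar - A2[n] * r_bar,
        "ucl_r": D4[n] * r_bar,
        "lcl_r": D3[n] * r_bar,
    }


def out_of_control(subgroups, limits):
    """Return [(index, reason), ...] for monitored subgroups violating the limits (phase II)."""
    hits = []
    for i, g in enumerate(subgroups):
        if len(g) != limits["n"]:
            hits.append((i, "wrong subgroup size"))
            continue
        m, r = mean(g), max(g) - min(g)
        if m > limits["ucl_x"]:
            hits.append((i, "mean above UCL"))
        elif m < limits["lcl_x"]:
            hits.append((i, "mean below LCL"))
        elif r > limits["ucl_r"]:
            hits.append((i, "range above UCL_R"))
        elif r < limits["lcl_r"]:
            hits.append((i, "range below LCL_R"))
    return hits


if __name__ == "__main__":
    # Constructed measurements in mm: a process centred at 10.05 with sigma 0.08,
    # against a specification of 10.0 +/- 0.3
    rng = random.Random(2008)
    parts = [rng.gauss(10.05, 0.08) for _ in range(60)]
    cp, cpk = capability(parts, lsl=9.7, usl=10.3)
    print(f"Cp={cp:.2f} Cpk={cpk:.2f} capable={cp >= MIN_CP and cpk >= MIN_CP}")
    pilot = [parts[i:i + 5] for i in range(0, 50, 5)]   # first 10 subgroups of 5 set the limits
    limits = control_limits(pilot)
    print({k: round(v, 3) for k, v in limits.items()})
    # remaining subgroups plus one deliberately shifted subgroup are monitored against those limits
    print(out_of_control([parts[50:55], parts[55:60], [10.3, 10.4, 10.2, 10.3, 10.3]], limits))
```

The two-phase split matters for the "control limits not defined correctly" finding: limits are fixed from a pilot study of the stable process and later subgroups are judged against them; recomputing limits from whatever was measured last week lets a drifting process define its own normal.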

11.4

Wages
Performance efficiency was not calculated correctly.
Reasons for additional wages were not documented, or not reproducibly.
Differences between calculated and paid bonus salary were not documented, or not reproducibly.

12

Work Safety and Environmental Protection

12.1

Organization
HSE did not report directly to plant management.
An employee responsible for the preparation and practical implementation of fire prevention and fire safety, or of work safety and environmental protection, was not appointed.

Employer (entrepreneurial) duties were not delegated in writing.


12.2

Work Safety
Plant safety tours were not conducted.
Measures and corrective actions for work safety were not defined or not tracked.
Initial safety training was not conducted or not documented.
Electrical safety checks were not conducted or were overdue.
Forklifts were not secured against unauthorized use.
Gas cylinders were not secured against toppling.
Safety instructions were not available at workplaces; workplace-specific instruction was not given.
Access to critical areas was not restricted, or the restriction was not adhered to.
The maximum load capacity of shelves was unknown or not signposted.
Electrical cabinets were unlocked, open or not accessible.
Regular inspections of forklifts, cranes, hoisting devices or ladders were not conducted.
Pallets were kept in gangways or stored upright.
First aid equipment was not available or incomplete, or its contents had expired.
Employees worked alone without a dead man's device (lone-worker alarm).
Protective equipment was not available or not in use.

12.3

Fire Protection and Emergency Control


Measures and corrective actions for fire protection and emergency control were not defined or not tracked.
Fire protection measures (e.g. alarm system) were not in place or not approved.

Inspections of fire-extinguishing systems were missing or overdue.
Emergency exits were locked, blocked or inadequate (too narrow, door opening inwards); signposting of escape routes was missing.
Flammable material was stored near critical areas.
Emergency numbers were not displayed on the telephones.
No training was provided to employees on the use of fire-extinguishing equipment (e.g. fire extinguishers, CO2).
Access to fire extinguishers (FE) was blocked, FE were missing, or signposting of FE was missing.
Heating devices were placed on combustible surfaces.
Non-smoking areas were not defined, not signposted or not adhered to.
Charging devices, or industrial vehicles being charged, were not sufficiently distanced on all sides from hazardous materials (e.g. combustible and explosive substances).
Emergency Plan
An emergency plan did not exist or was insufficient.
The site was not classified according to the C/PS classification scheme.
Assembly points were unknown, not signposted or not accessible; civil protection exercises were not performed or not documented.
12.4

MAE Releases
MAE were not released by HSE after purchase, retrofit or relocation.
Inspections of MAE were missing.
Safety inspections were not performed.
Risk analyses were not performed or were insufficient.
HSE was not involved in the purchase and release process.

MAE were not labelled with inspection stickers.
The procedure for the safety release of MAE was insufficient.

12.5

Hazardous Substances

12.5.1 Administration
The required release process for hazardous substances (e.g. avoidance examination, permission of use) was not adhered to.
Lists of hazardous substances in use were incomplete or not up to date.

12.5.2 Storage
Hazardous substances were stored together with oxidizing materials.
Hazardous substances (HS) were not protected against unauthorized access.
Hazardous substances were stored or disposed of improperly.
Hazardous substances were not labelled.
The maximum quantity kept at workstations was not defined or exceeded the defined limits.
The maximum storage time of HS had expired.
Spill containment did not exist.
Signposting did not exist.

12.5.3 Handling of Hazardous Substances
Material safety data sheets were not available or not up to date.
No systematic hazard assessment was established.
Training of employees handling hazardous substances was not carried out.

Hazardous substances (e.g. highly toxic) were handed out without restrictions.

13

Plant Security

13.1

Plant Protection
Responsibility for plant security was not defined; no security service was installed; there was no security organization, no security concept, or no annual security report.
Guard capacity was insufficient, guards on duty were not present as specified, or plant security duties were not performed full time (24 hours per day).
Services for outsourced plant security were not or insufficiently specified, instructions were outdated, contract fulfilment was insufficiently checked, or no certificates of competence existed for the employees.
Instructions for carrying out the plant security service were not available at the operating unit or were incomplete.
Patrols were not performed at the required frequency.
Daily patrol reports of external security service providers were not regularly checked.
The key box in the guard house was not secured against unauthorized access.

13.2

Admission Control
Badges did not exist.
Administration of badges was insufficient (too many badges issued, access time not limited, badges not assigned to existing persons, missing or collected badges not deactivated, temporary badges not collected).
The system for assigning badge authorizations was not password-protected, the password was not changed regularly, or data backups were not available.
The burglar alarm system (BAS) was defective, not activated or not connected to a monitoring station (or there was no overview of active and deactivated BAS codes, no documentation of the assignment or cancellation of codes to employees, or the password was openly accessible).

No or insufficient process for granting access to secured areas was established (e.g. access permissions were not documented, badges were not protected against multiple use, or card readers could be compromised).
RB access control was not applied to areas rented for production or storage, or to areas within the plant rented to external companies; externals could therefore enter uncontrolled and undetected.
Control of gate admittance for externals was insufficient (no or incomplete visitor badges, visitor badges not visibly worn, visitor passes not collected, no badge checks or checks of vehicles and bags for external service providers, or no contractor log book).
Control of gate admittance for employees was insufficient (e.g. employees and vehicles admitted to the premises without check, no rule to show badges, or no bag checks).
Undetected entry to the factory area was possible through unlocked gates or windows, emergency exits that could be opened from outside, or gates and doors that were not or only partly controlled.
Undetected exit from the factory via emergency exits (no alarm) or the underground car park was possible.
Gate passes for goods did not exist.
Undetected entry to buildings within the factory area was possible through open emergency exits.
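
Most of the badge findings in 13.2 can be detected mechanically from two exports the badge system and HR already hold. The following is an added example, not part of the audit document: it reconciles the badge register against the HR roster (badges of leavers, badges not assigned to an existing person, persons holding several badges, temporary badges past their expiry) and scans a perimeter access log for a badge that enters twice without leaving, which is what "no safety against multiple usage of badges" looks like in the data. The roster, badge register, log format and field names are constructed assumptions.

```python
from datetime import date

# Constructed HR roster: personnel number -> (name, currently employed)
HR = {
    "P1001": ("A. Mueller", True),
    "P1002": ("B. Schmidt", True),
    "P1003": ("C. Weber", False),   # left the company
}

# Constructed badge register: badge id -> record (field names are assumptions)
BADGES = {
    "B-001": {"person": "P1001", "type": "permanent", "active": True, "expires": None},
    "B-002": {"person": "P1002", "type": "permanent", "active": True, "expires": None},
    "B-003": {"person": "P1003", "type": "permanent", "active": True, "expires": None},  # leaver, never collected
    "B-004": {"person": "P1002", "type": "permanent", "active": True, "expires": None},  # second badge
    "B-101": {"person": None, "type": "temporary", "active": True, "expires": "2008-03-01"},  # visitor badge
    "B-102": {"person": "P9999", "type": "permanent", "active": True, "expires": None},  # no such person
}

# Constructed perimeter access log: (timestamp, badge, reader, direction); ISO timestamps sort correctly
LOG = [
    ("2008-03-10 06:58", "B-001", "Gate-1", "IN"),
    ("2008-03-10 07:02", "B-002", "Gate-1", "IN"),
    ("2008-03-10 07:05", "B-002", "Gate-1", "IN"),   # same badge enters again: passed back or cloned
    ("2008-03-10 15:30", "B-001", "Gate-1", "OUT"),
    ("2008-03-10 16:00", "B-002", "Gate-1", "OUT"),
    ("2008-03-10 16:01", "B-002", "Gate-1", "OUT"),
    ("2008-03-11 07:00", "B-003", "Gate-2", "IN"),   # leaver's badge still opens the gate
]


def reconcile_badges(badges, hr, today_iso):
    """Return [(badge_id, finding), ...] for active badges that should not be active."""
    today = date.fromisoformat(today_iso)
    findings = []
    per_person = {}
    for bid, rec in badges.items():
        if not rec["active"]:
            continue
        if rec["type"] == "temporary":
            if rec["expires"] and date.fromisoformat(rec["expires"]) < today:
                findings.append((bid, "temporary badge expired but still active"))
            continue
        pid = rec["person"]
        if pid not in hr:
            findings.append((bid, "badge not assigned to an existing person"))
            continue
        if not hr[pid][1]:
            findings.append((bid, "holder has left but badge is still active"))
        per_person.setdefault(pid, []).append(bid)
    for pid, ids in per_person.items():
        if len(ids) > 1:
            for bid in ids:
                findings.append((bid, f"person {pid} holds {len(ids)} active badges ({', '.join(ids)})"))
    return findings


def multiple_use(log):
    """Anti-passback check: badges that enter twice without an intervening exit."""
    inside = {}
    hits = []
    for ts, bid, reader, direction in sorted(log):
        if direction == "IN":
            if inside.get(bid):
                hits.append((bid, ts, reader))
            inside[bid] = True
        else:
            inside[bid] = False
    return hits


def use_by_leavers(log, badges, hr):
    """Access events made with a badge whose holder is no longer employed."""
    return [(bid, ts) for ts, bid, _, _ in log
            if badges.get(bid, {}).get("person") in hr
            and not hr[badges[bid]["person"]][1]]


if __name__ == "__main__":
    for item in reconcile_badges(BADGES, HR, "2008-03-10"):
        print("register:", item)
    print("multiple use:", multiple_use(LOG))
    print("used by leavers:", use_by_leavers(LOG, BADGES, HR))
```

The register reconciliation is the preventive control (deactivate before the badge is misused); the log checks are the detective control that shows whether the reconciliation is actually being done, and they are the evidence an auditor asks for.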

13.3

Inner Security
Undetected entry by unauthorized third parties into sensitive areas (e.g. storage, server room) during working hours was possible.
Externals could stay on site longer than required and after working hours.
Notebooks and other mobile equipment were not protected against theft.
A site security concept did not exist.

From

C/AU

List of Risks and Irregularities

13.4

Issue/Amendment

Page

E3

32/36

Our Reference

Date

C/AUC, C/AUT

March 10, 2008

External Safety
Surveillance equipment was defective or switched off (e.g. camera, VCR), the number of monitors was insufficient, no video recording existed, or the retention period of recordings was too short.
Fencing of the factory was insufficient (e.g. fence too low or damaged, sizable gaps, fence overgrown by vegetation, no protection against climbing over, or a dilapidated building serving as boundary).
Protection against burglary for buildings at the edge of the site was insufficient.
Security services such as patrols, inspection of fence and doors for defects, and recording of defects were not or insufficiently performed; the response to alarms was insufficient.

13.5

Locking System
Key management was missing or insufficient (e.g. number of keys in circulation, including master keys, unknown or not matching the records; facility keys stored in unlocked cupboards; keys missing; no central locking system; locking system not updated; no key inventory).

14

Information Technology

14.1

User Authorizations
The installed user authorization concepts were insufficient (e.g. no overview of employees' authorizations).
User authorizations were approved by persons not entitled to do so (Master of the Data not involved); assignment and changes of authorizations were not documented.
A history of users and authorizations was not available.
User authorizations were not adjusted when employees transferred to a new assignment or left.
Critical administrative authorizations (CAA) were not reduced to the necessary minimum, were not approved by the SAP System Owner, or the approvals had expired after their one-year validity.

Critical functional user authorizations (CUA) or critical combinations of user authorizations (CCA) were not reduced to the necessary minimum, were not approved by the Master of the Data, or the approvals had expired after their one-year validity.
Critical functional user authorizations (CUA) and critical combinations of authorizations (CCA) were not, or not completely, defined for non-SAP applications (e.g. EVA).
Cross-system CCA (e.g. between Pxx and EVA) were not defined; approval and control processes were not in place.
Too many users had full system control.
Mitigating controls for CCA were not conducted.
When allocating roles, a check for CCA was not conducted.
Employees were using group user IDs without individual SAP licenses.
Employees had more than one user account in SAP.
The license type of SAP user accounts was not correct.
Naming conventions for e-mail addresses (e.g. External, Limited) were not adhered to.
Non-personal user accounts were created for temporary users and were not reviewed appropriately.
Role allocation based on the C/ISP Standard "Security of SAP-systems" was not documented adequately, and role allocation in the system did not adhere to that standard.
The current RB-AIS version was not installed, or not completely (e.g. localisation).
The security audit log was not activated, or could be deleted by too many employees (other than the system owners).
User accounts were not disabled automatically (e.g. 180 days after last use, or 30 days after the password expired).
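
The 14.1 findings on critical combinations, duplicate accounts, expired approvals and undisabled accounts are exactly what a periodic authorization review should catch, and the same review covers the section 15 finding of internal controls performed by employees with posting rights (a posting role combined with a control role is one more critical combination). The following is an added example, not part of the audit document or the C/ISP standard: it runs such a review over a constructed user export. The role names, the CCA matrix, the one-year approval validity and the 180-day/30-day disable thresholds are taken from the findings above or are assumptions for the example; a real review would read them from the authorization concept and the system's user export.

```python
from datetime import date, timedelta

# Critical combinations of authorizations (CCA): assumed examples of conflicting duties.
CCA = [
    ({"VENDOR_MASTER_MAINTAIN", "INVOICE_POST"}, "create vendor and post its invoices"),
    ({"INVOICE_POST", "PAYMENT_RUN"}, "post invoice and release payment"),
    ({"INVOICE_POST", "INTERNAL_CONTROL_REVIEW"}, "control own postings"),
    ({"SAP_ALL"}, "full system control"),
]
# Critical administrative authorizations (CAA) need a system-owner approval, valid one year.
CAA = {"SAP_ALL", "USER_ADMIN", "AUDIT_LOG_DELETE"}
APPROVAL_VALIDITY_DAYS = 365
DISABLE_AFTER_UNUSED_DAYS = 180       # from the finding: 180 days after last use
DISABLE_AFTER_PW_EXPIRED_DAYS = 30    # from the finding: 30 days after password expiry

# Constructed user export (one dict per account); field names are assumptions.
USERS = [
    {"user": "MUELLERA", "person": "P1001", "roles": {"INVOICE_POST"},
     "last_login": "2008-03-05", "pw_expires": "2008-05-01", "approvals": {}},
    {"user": "SCHMIDTB", "person": "P1002", "roles": {"VENDOR_MASTER_MAINTAIN", "INVOICE_POST"},
     "last_login": "2008-03-09", "pw_expires": "2008-04-15", "approvals": {}},
    {"user": "SCHMIDT2", "person": "P1002", "roles": {"INTERNAL_CONTROL_REVIEW"},   # second account
     "last_login": "2007-08-01", "pw_expires": "2007-10-30", "approvals": {}},
    {"user": "ADMIN01", "person": "P1005", "roles": {"SAP_ALL"},
     "last_login": "2008-03-10", "pw_expires": "2008-06-01",
     "approvals": {"SAP_ALL": "2006-12-01"}},                                        # approval > 1 year old
    {"user": "TEMPUSER", "person": None, "roles": {"INVOICE_POST"},                  # non-personal account
     "last_login": "2007-01-15", "pw_expires": "2007-03-01", "approvals": {}},
]


def _days_since(iso, today):
    return (today - date.fromisoformat(iso)).days


def review(users, today_iso):
    """Return [(subject, finding), ...]; subject is a user id or 'person:<id>' for cross-account findings."""
    today = date.fromisoformat(today_iso)
    findings = []
    by_person = {}
    for u in users:
        uid, roles = u["user"], u["roles"]
        if u["person"] is None:
            findings.append((uid, "non-personal account: owner and review cycle must be documented"))
        else:
            by_person.setdefault(u["person"], []).append(u)
        # critical combinations held within one account
        for combo, desc in CCA:
            if combo <= roles:
                findings.append((uid, f"CCA: {desc} ({', '.join(sorted(combo))})"))
        # administrative authorizations need a current approval
        for role in sorted(roles & CAA):
            approved = u["approvals"].get(role)
            if approved is None:
                findings.append((uid, f"CAA {role} without system-owner approval"))
            elif date.fromisoformat(approved) + timedelta(days=APPROVAL_VALIDITY_DAYS) < today:
                findings.append((uid, f"CAA {role} approval expired (given {approved})"))
        # accounts that the automatic disable rules should already have caught
        unused = _days_since(u["last_login"], today)
        if unused > DISABLE_AFTER_UNUSED_DAYS:
            findings.append((uid, f"not used for {unused} days: should be disabled"))
        pw_over = _days_since(u["pw_expires"], today)
        if pw_over > DISABLE_AFTER_PW_EXPIRED_DAYS:
            findings.append((uid, f"password expired {pw_over} days ago: should be disabled"))
    # one person, several accounts: report it, and check the union of their roles,
    # because a combination split across two accounts is still one person doing both
    for pid, accounts in by_person.items():
        if len(accounts) > 1:
            names = ", ".join(a["user"] for a in accounts)
            for a in accounts:
                findings.append((a["user"], f"person {pid} has {len(accounts)} accounts ({names})"))
            union = set().union(*(a["roles"] for a in accounts))
            for combo, desc in CCA:
                if combo <= union and not any(combo <= a["roles"] for a in accounts):
                    findings.append((f"person:{pid}", f"cross-account CCA via {names}: {desc}"))
    return findings


if __name__ == "__main__":
    for subject, finding in review(USERS, "2008-03-10"):
        print(f"{subject:16} {finding}")
```

The per-person union is the part most role checks miss: a check run at role assignment time ("when allocating roles a check on CCA is not conducted") sees one account at a time, so a second account, or a second system such as EVA, is the usual way a critical combination gets through.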
14.2

Data Protection and Information Security
A DSO or DSP was not appointed.

Employees were not trained by the DSP; ISP trainings were not documented.
The IS concepts of departments were incomplete or not updated yearly.
A yearly IS self-check by the DSP was not conducted.
Measures from DSO audits or IS self-checks were not completed.
Authorizations for access to departmental and project directories, intranet pages and applications were not limited to the necessary minimum.
Security class 2 and 3 data was transmitted without encryption, or was stored unprotected on the network and intranet.
Screen savers were not activated or not password-protected.
The assignment of protection classes for data, applications and equipment was incomplete or did not adhere to the requirements of the C/ISP standard.
The rules for approving external network connections to the BCN (e.g. involvement of the ISP, G-approval) were not fully adhered to.
Password settings (e.g. length, change intervals) were not in accordance with the C/ISP Standard "Password and Login Rules".
Network login IDs and passwords were not kept secret (e.g. taped to the computer); authorization forms for network group accounts did not exist.
The scrapping or return of IT components did not adhere to the ISP standards.
Emergency concepts did not adhere to the C/ISP standards.
Laptop computers were left unlocked on desks during absence or after working hours.
Declarations of obligation were not handled properly (e.g. not existing, not reviewed annually, not signed or not signed in a timely manner).
The storage of personal data did not adhere to C/ISP regulations.
Non-standard software, not approved by CI, was installed on shared drives.

From

C/AU

List of Risks and Irregularities

14.3

Issue/Amendment

Page

E3

35/36

Our Reference

Date

C/AUC, C/AUT

March 10, 2008

Server Security and Infrastructure


Access control for data centres or server rooms was insufficient, or access was possible for too many employees or service providers. Doors were not locked or not equipped with a self-locking system. A visitor log was not maintained.
Fire protection did not meet the requirements of the respective security class (e.g. smoke detectors, fire extinguishers, fire suppression system, monitoring of the raised floor).
Doors, walls or floors of data centres did not meet the required fire resistance or were not smoke-tight.
Combustible material (fire load) was stored in data centres.
An emergency power supply was not available, or its checks were not documented.
Servers were not sufficiently protected against water damage (e.g. water pipes without water detection devices).
Electrical installations were not appropriate (e.g. power extension cables on raised floors).
Operating and emergency manuals for LAN and servers were incomplete (e.g. system recovery times not defined, documentation missing). A risk analysis was not performed. Changes were not communicated and not approved. Regular tests were not performed.
Servers were not located in appropriate facilities.
Administrators were not nominated in writing. Access rights of administrators were not time-limited. Declarations of obligation did not exist. The password of the administrator account was not in line with the password rules.
Servers and network were not sufficiently secured against unauthorized access (e.g. the emergency password was not updated regularly, externals had unsecured access).
Server protection classes matching the requirements of the users did not exist or were not documented. Masters of the Data were not defined for all data on the servers.
Backup processes were not performed properly (e.g. no backups were performed, or the storage of the backup media was insufficient).
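
Backups that were never restored are the backup finding auditors meet most often, and "regular tests were not performed" above is the same finding for the emergency manual. The following is an added example, not part of the audit document: it writes a backup archive together with a checksum manifest, then proves the backup by restoring it into a scratch directory and comparing every file against the manifest, so a missing or corrupted file fails the job instead of going unnoticed until the emergency. The directory layout and file contents are constructed for the example; the archive path and manifest format are assumptions.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Write source_dir to a .tar.gz and return {relative path: sha256} for every file.

    The manifest is also stored next to the archive so a later restore test
    can be checked against what the backup job claimed to have saved.
    """
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    Path(str(archive_path) + ".manifest.json").write_text(
        json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_restore(archive_path, manifest):
    """Restore the archive into a scratch directory and compare it with the manifest.

    Returns (ok, problems). Members with an absolute or '..' path are rejected
    before extraction, so a tampered archive cannot write outside the scratch directory.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    problems.append(f"unsafe member name: {member.name}")
            if problems:
                return False, problems
            try:
                tar.extractall(scratch, filter="data")   # safe-extraction filter (Python 3.12+, backported)
            except TypeError:
                tar.extractall(scratch)                  # older Python: member names were checked above
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != digest:
                problems.append(f"checksum mismatch after restore: {rel}")
        restored_files = {p.relative_to(scratch).as_posix()
                          for p in Path(scratch).rglob("*") if p.is_file()}
        problems.extend(f"unexpected file restored: {e}"
                        for e in sorted(restored_files - set(manifest)))
    return not problems, problems


def demo():
    """Back up a constructed source tree, verify it, then show a defective backup failing."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "erp_data"          # constructed sample data
        (src / "fi").mkdir(parents=True)
        (src / "fi" / "postings.csv").write_text("doc;amount\n1001;250.00\n")
        (src / "config.ini").write_text("[backup]\nclass=2\n")
        archive = Path(work) / "erp_data.tar.gz"
        manifest = make_backup(src, archive)
        ok_good, _ = verify_restore(archive, manifest)
        # A backup job that claims a file it never wrote: the restore test must fail.
        manifest["fi/vendors.csv"] = "0" * 64
        ok_bad, problems = verify_restore(archive, manifest)
        return ok_good, ok_bad, problems


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest separate from the archive, and ideally on different media, is what makes the restore test meaningful: it compares the backup against an independent record of what should be there, not against itself.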

Information processing (IP) rooms were signposted as "Computer" rooms, thereby revealing their function. Escape routes and safety passages were not signposted.
Annual self-check audits were not conducted.
Training on safety measures for automatic gas-based fire extinguishing systems was not conducted.

15

Internal Controls (IC)
Internal controls were not conducted, were incomplete, or were not conducted in a timely manner.
IC were not conducted independently of the process (e.g. conducted by employees who themselves had posting rights).
The executed internal controls were not documented, or not properly (e.g. list of checked invoices).
Documentation of executed IC was not retained for two years.
The execution of the IC and the deficiencies found were not reported, or not in a timely manner, to the commercial director/president (e.g. via the management information list); the commercial director's signature was missing; or the IC list to management was not comprehensive.
Measures for deficiencies were not defined or were incomplete, were not or insufficiently tracked, were not tracked in a timely manner, or were not effective.
IC were not performed correctly.
