
9/10/2013

CHAPTER 5
Business Processes and Risks
Internal Auditing: Assurance and Consulting Services, 2nd Edition. 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA

Chapter 5 Learning Objectives


- Understand how organizations structure their activities to achieve their objectives.
- Identify key business processes in an organization.
- Obtain an understanding of a given business process and be able to document it.
- Understand basic types of business risks organizations face.
- Identify and assess the key risks to an organization's objectives and how they are linked to business processes.
- Develop an audit universe for an organization and determine an annual internal audit plan based on key business risks.
- Understand how to use risk assessment techniques within assurance engagements.
- Obtain an awareness of the new risks that arise when an organization outsources some of its key processes.


Exhibit 5-1


Business Process Definition

A business process is the set of connected activities linked with each other for the purpose of achieving an objective or goal.

Types of Business Processes


- Operating processes
- Management & Support processes
- Projects

Business Processes vs. Projects

- Duration
- Uniqueness of Nature

Understand Business Process

- Required information sources
- At various levels of details


Understand Business Process

- Identify processes & their roles in the firm's business model
- Determine the key objectives of the process
- Identify the input, activities, output of process
- Document process
- Assess business risks
- Link the risks to business objectives
- Map risks to the business processes
- Determine risk response strategies
- Test the effectiveness of response strategies

Understand Process's Role in the Business Model

Top-down approach

begins at the entity level with the organization's objectives, and then identifies the key processes critical to the success of each of the organization's objectives.

Bottom-up approach

begins by looking at all processes directly at the activity level, and then aggregates the identified processes across the organization

Determine the Process's Key Objectives

- Why does the process exist?
- How does this process contribute to the success of the organization's strategy?
- How are people expected to act?
- What else does the process do that is important to management?

Identify the Process's I/O & Activities

To understand how inputs and activities combine to generate outputs, IA can:

- Review existing documents
- Interview process owner and other key personnel

Document Business Processes


Common methods used to document processes:

Process Maps show the inputs, workflows, process interactions, and outputs in a graphic form.

Process Write-Up is a narrative description of how the process works.

Assess Business Risks

- Risk
- Risk Assessment identifies and analyzes the relevant risks to the achievement of an organization's objectives, forming a basis for determining how the risks should be managed.
- Common risk assessment factors are

IA function can build its risk assessment from reviewing (or creating) the organization's risk profile as a starting point for its annual audit planning.

Tools to Develop Risk Profile

Business Risk Model

To break down potential risk into

- 4 categories
- 10 sub-categories

Risk Assessment Model

The Combination of Impact and Likelihood determines the importance of risks.

Link Risks to Business Objectives

- Link the identified risks to the specific objectives that each risk may impair.
- Objective and Critical Risk Matrix

Map Risks to the Business Processes

Use a Risk by Process matrix to link the risks to business processes and evaluate the links as:

- Key Links: the processes play a direct and key role in managing the risk
- Secondary Links: the processes help to manage the risk indirectly

Determine proper risk response strategy

Scope Engagement in IA's Audit Plan

The type of internal audit will be determined by:

- The number of key links and secondary links for each process
- The nature of links between risks and processes.

Apply the Risk Factor Approach

To link business processes and risks through the development of basic risk factors used to evaluate risks across processes.

Implement the Risk Factor Approach

Identifying a set of common (generic) Risk Factors

External factors, Internal factors, and other factors

Score each process on the factors

Score on a scale for each factor (for example, 1 to 3).

Determining the Weight (i.e., the relative importance) of the factors

Using a 100-point weighting scheme

Computing the Weighted Score for each area = the Score on each factor × its respective Weight

Sum for the process to give a Risk Score.
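
The four steps above, worked through as an added example (not part of the original slides). The factor weights, process names and scores are constructed for illustration; only the 1 to 3 scale and the 100-point weighting scheme come from the text.

```python
# Added illustration of the risk factor approach; factor weights, process
# names and scores below are constructed, not taken from the chapter.
SCALE = (1, 3)  # scoring scale from the slide ("for example, 1 to 3")

# Weights on a 100-point scheme (assumed split across the three factor groups).
WEIGHTS = {"external": 30, "internal": 50, "other": 20}

# Constructed audit universe: each process scored on every factor.
SCORES = {
    "Procure-to-pay": {"external": 2, "internal": 3, "other": 1},
    "Payroll":        {"external": 1, "internal": 2, "other": 1},
    "Treasury":       {"external": 3, "internal": 3, "other": 2},
}


def validate(weights, scores, scale=SCALE):
    """Reject inputs that would make risk scores incomparable across processes."""
    if sum(weights.values()) != 100:
        raise ValueError(f"weights sum to {sum(weights.values())}, expected 100")
    for process, factor_scores in scores.items():
        if set(factor_scores) != set(weights):
            raise ValueError(f"{process}: scored factors do not match weighted factors")
        for factor, score in factor_scores.items():
            if not scale[0] <= score <= scale[1]:
                raise ValueError(f"{process}/{factor}: score {score} outside {scale}")


def risk_score(factor_scores, weights):
    """Sum of (score on each factor x respective weight) for one process."""
    return sum(factor_scores[f] * w for f, w in weights.items())


def rank_processes(scores, weights):
    """Return (process, risk score) pairs, highest risk first."""
    validate(weights, scores)
    ranked = [(p, risk_score(s, weights)) for p, s in scores.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for process, score in rank_processes(SCORES, WEIGHTS):
        print(f"{process:<16} {score}")
```

With a 1 to 3 scale and weights summing to 100, every risk score falls between 100 and 300, so processes can be compared directly when building the audit plan.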


Apply Risk Assessment in Assurance Engagement

1. Identifying and Evaluating Specific Risks in each Activity within the Key Process
2. Determining Risk Response Strategies
3. Testing the Effectiveness of Response Strategies


Assess the Risks of Business Process Outsourcing

Business Process Outsourcing

Transferring some of an organization's business processes to an outside provider to achieve cost reductions, operating effectiveness, or operating efficiency while improving service quality.

Best Practice of Outsourcing

- Document the outsourced process and indicate which key controls have been outsourced.
- Establish means of monitoring the effectiveness of the outsourced process.
- Ensure that the internal controls embedded in the outsourced process are operating effectively.
- Periodically reevaluate whether the business case for outsourcing the process remains valid.