CHAPTER 5
Business Processes and Risks
Internal Auditing: Assurance and Consulting Services, 2nd Edition. 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA
Understand how organizations structure their activities to achieve their objectives.
Identify key business processes in an organization.
Obtain an understanding of a given business process and be able to document it.
Understand basic types of business risks organizations face.
Identify and assess the key risks to an organization's objectives and how they are linked to business processes.
Develop an audit universe for an organization and determine an annual internal audit plan based on key business risks.
Understand how to use risk assessment techniques within assurance engagements.
Obtain an awareness of the new risks that arise when an organization outsources some of its key processes.
Exhibit 5-1
9/10/2013
A business process is the set of connected activities linked with each other for the purpose of achieving an objective or goal.
Identify processes and their roles in the firm's business model
Determine the key objectives of the process
Identify the input, activities, and output of the process
Document the process
Assess business risks
Link the risks to business objectives
Map risks to the business processes
Determine risk response strategies
Test the effectiveness of response strategies
Top-down approach
Begins at the entity level with the organization's objectives, and then identifies the key processes critical to the success of each of the organization's objectives.
Bottom-up approach
Begins by looking at all processes directly at the activity level, and then aggregates the identified processes across the organization.
Why does the process exist?
How does this process contribute to the success of the organization's strategy?
How are people expected to act?
What else does the process do that is important to management?
Review existing documents
Interview process owner and other key personnel
Process Maps show the inputs, workflows, process interactions, and outputs in a graphic form.
Risk Assessment identifies and analyzes the relevant risks to the achievement of an organization's objectives, forming a basis for determining how the risks should be managed. Common risk assessment factors are
The IA function can build its risk assessment by reviewing (or creating) the organization's risk profile as a starting point for its annual audit planning.
4 categories 10 sub-categories
Link the identified risks to the specific objectives that each risk may impair.
Objective and Critical Risk Matrix
Use the Risk by Process matrix to link the risks to business processes and evaluate the links as
Key Links: the processes play a direct and key role in managing the risk
Secondary Links: the processes help to manage the risk indirectly
The number of key links and secondary links for each process
The nature of links between risks and processes
To link business processes and risks through the development of basic risk factors used to evaluate risks across processes.
Computing the weighted score for each area: Weighted Score = the scores on each factor × the respective weights
1. Identifying and Evaluating Specific Risks in each Activity within the Key Process
2. Determining Risk Response Strategies
3. Testing the Effectiveness of Response Strategies
cost reductions, operating effectiveness, or operating efficiency while improving service quality.
Document the outsourced process and indicate which key controls have been outsourced.
Establish means of monitoring the effectiveness of the outsourced process.
Ensure that the internal controls embedded in the outsourced process are operating effectively.
Periodically reevaluate whether the business case for outsourcing the process remains valid.