Chapter 5 PPT 4th Edition


4TH EDITION

Internal Auditing:
Assurance &
Advisory Services

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
CHAPTER 5

BUSINESS PROCESSES AND RISKS

Chapter 5: Business Processes and Risks

LEARNING OBJECTIVES
◼ Understand how organizations structure their
activities to achieve their objectives.
◼ Identify key business processes in an organization.
◼ Obtain an understanding of a given business process
and be able to document it.
◼ Understand basic types of business risks
organizations face.
◼ Identify and assess the key risks to an organization’s
objectives and how they are linked to business
processes.
◼ Develop an audit universe for an organization and
determine an annual internal audit plan based on key
business risks.
◼ Understand how to use risk assessment techniques
within assurance engagements.
◼ Obtain an awareness of the new risks that arise when
an organization outsources some of its key processes.


STANDARDS RELEVANT TO BUSINESS PROCESSES AND RISKS


BUSINESS PROCESSES

◼ How organizations structure their business to implement strategies
and achieve their business objectives
◼ Set of coordinated activities
◼ Types of business processes
• Operating processes
• Management and support processes
• Projects


TYPES OF BUSINESS PROCESSES


LEVELS OF PROCESS DESCRIPTION


UNDERSTANDING BUSINESS PROCESSES

◼ For internal auditors to add value and improve
an organization’s operations, they must first
understand the organization’s business model.
The business model includes the objectives of
the organization and how its business processes
are structured to achieve these objectives.
◼ Visit the Tesla Form 10-K:
https://www.sec.gov/Archives/edgar/data/1318605/000156459021004599/tsla-10k_20201231.htm


UNDERSTANDING BUSINESS PROCESSES

◼ There are two common approaches that can help in understanding business
processes and their role in the business model: a top-down approach and a
bottom-up approach.
◼ In the top-down approach, one begins at the organization level with the
organization’s objectives, and then identifies the key processes critical to the
success of each of those objectives.
◼ A process is considered key relative to a specific objective if failure of the
process to function effectively would directly result in the organization not
achieving the objective.
◼ Once the key processes are identified, they are analyzed in more detail, breaking
the process into levels of sub-processes and eventually reaching the activity
level. This approach is effective because it yields a manageable set of critical
processes.


UNDERSTANDING BUSINESS PROCESSES

◼ The bottom-up approach begins by looking at all processes at the activity level.
Such an approach requires each area of the organization to identify and
document the business processes in which they are involved.
◼ This is done by the people in the area who are responsible for the actual
activities. The identified processes are then aggregated across the organization.
◼ While this approach works well for smaller organizations with a relatively
limited number of processes, it is less effective in large and complex
organizations, where it becomes cumbersome to prioritize the significance of each
process relative to the others because the relative significance changes as one
moves to higher levels in the organization.


UNDERSTANDING BUSINESS PROCESSES

◼ Once a process is identified, the next step in either the top-down or bottom-up
approach is to determine the key objectives of the process. Determining the key
objectives involves getting answers to questions such as:
■ Why does the process exist?
■ How does the process support the organization’s strategy
and contribute to its success?
■ How are people expected to act?
■ What else does the process do that is important to management?


UNDERSTANDING BUSINESS PROCESSES

◼ For an internal auditor, or someone not directly involved in the process, the first
source of information is the process owner and the existing policy and
procedures documentation for the process.
◼ Ideally, the process owner has established formal process objectives that provide
the answers to the four questions above.
◼ If not, the internal auditor will need to work with key people involved with the
process to obtain the necessary information.


UNDERSTANDING BUSINESS PROCESSES

◼ Once the process objectives are understood, the next step is to understand the
inputs to the process, the specific activities needed to achieve the process
objectives, and the process outputs. To understand how inputs and activities
combine to generate the outputs, existing documents should be reviewed. Such
documents may include, for example:
■ Process procedural manuals.
■ Policies related to the process.
■ Job descriptions of people involved in the process.
■ Process maps that describe the process flow.


UNDERSTANDING BUSINESS PROCESSES

◼ Although existing documents are an important start, it is usually necessary to discuss
aspects of the process with the people performing significant activities in the process. The
following questions can be asked of the process owner and other key personnel to help gain
an understanding of the business process:
1. Why does this process exist?
2. Which of the organization’s strategic objectives can the process affect and how?
3. What initiatives does/should the process undertake to help the organization achieve its
strategic objectives?
4. What does the process provide the organization, without which the organization would have a
difficult time being successful?
5. At the end of the day/week/year, what gives employees a sense of accomplishment with their
jobs?
6. What accomplishments tend to get employees recognized by management or internal
customers?
7. How are people who are involved with the process expected to act? What happens if they do
not meet this expectation?


DOCUMENTING PROCESSES



BUSINESS RISKS

◼ Once the internal auditor obtains an understanding of the organization’s objectives and the
key processes used to achieve those objectives, the next step is to evaluate the business
risks that could impede accomplishing the objectives.
◼ It is helpful to develop an overall risk profile of the organization that identifies the critical
risks to achieving each strategic objective.
◼ There are a number of different tools and methodologies to assist in developing the risk
profile. The assessment of organizational risk remains a very subjective process that
requires experience and sound judgment.
◼ A common approach might be to begin by conducting a brainstorming session with senior
management or, if they are not available, with members of the internal audit function. The
group might start with a generic risk model that depicts the categories and types of risks an
organization might encounter. Such a risk model is presented in the next slide.


BUSINESS RISKS

◼ The various risks are then assessed in terms of impact and likelihood. Impact,
the adverse effect of a risk outcome, is usually assessed on a continuum from
low to high. Typically, this is done in terms of categories using three (high,
medium, low) or five categories. A basic five-category risk model is presented in
the next slide.
◼ Likelihood can be evaluated by assessing the odds or probability of the risk
occurring. However, given the subjective nature of these assessments, most
managers and internal auditors are more comfortable expressing likelihood in
less precise categories.


STRATEGIC APPROACH


EXAMPLE: ONLINE FINANCIAL SERVICES COMPANY


BUSINESS RISKS

◼ The next step is to formally link the identified risks to the
specific objectives that each risk may impair. This helps to
ensure that all key risks, and the resulting impact, have been
identified.


STRATEGIC APPROACH


MAPPING RISKS TO THE BUSINESS PROCESSES

◼ From the ERM perspective discussed in chapter 4, the next step would be to
develop appropriate responses to each risk. There are five responses an
organization can take:
■ Acceptance. No action is taken to decrease risk impact or likelihood. The
organization is willing to accept the risk at the current level rather than spend
valuable resources deploying one of the other risk response options.
■ Avoidance. A decision is made to exit or divest of the activities giving rise to the
risk. Risk avoidance may involve, for example, exiting a product line, deciding not
to expand to a new geographical market, or selling a division.
■ Pursuit. Exploit the risk if taking such a risk is advantageous to the organization
or is necessary to achieve a particular business objective.
■ Reduction. Action is taken to reduce the risk impact, likelihood, or both. This
involves a myriad of everyday business decisions, such as
implementing controls.


MAPPING RISKS TO THE BUSINESS PROCESSES

◼ To select appropriate response strategies effectively, an understanding of how
risks relate to the organization’s business processes is necessary. Internal
auditors also must establish the links between risks and business processes to
determine whether the risks are being managed to appropriate levels within
management’s response strategies and to identify where in the organization the
critical risks reside.

◼ Key Link: The process plays a direct and key role in managing the risk. For
example, in a company selling products online, a critical risk would be computer systems outages, in which
case business could not be conducted. The resumption and recovery process would have a key link to this
risk.
◼ Secondary Link: The process helps to manage the risk indirectly. An example of
a secondary link would be the hiring, retention, and development of human resources to manage the
system.
◼ Once the risk-by-process matrix is complete, it can be used by the internal audit function to
determine which engagements should be included in the function’s annual audit plan.


BUSINESS PROCESS APPROACH



RISK FACTOR/AUDIT UNIVERSE APPROACH

Definition of audit universe


Audit universe: the activities that the internal auditing function has identified
as auditable subjects, activities, units or functions.

Things to consider:
• audit charter
• mandatory coverage
• organization's formal structure


RISK FACTOR APPROACH



EXAMPLE

Risk Control Matrix
