1
Business Processes and Risks
Chapter 5 Business Processes and Risks
2
Introduction
This chapter examines how organizations actually structure their activities to implement their strategies and achieve their business (organizational) objectives. Organizations structure activities into one of three types of business process:
- Operating
- Management and support
- Projects
Copyright: Internal Auditing: Assurance and Advisory Services, by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida U.S.A.
3
What is a business process?
A set of connected activities linked with each other for the purpose of achieving an objective or goal. Exhibit 5-2 outlines a basic classification of business activities.
4
Exhibit 5-2: once the product is designed (activities 1-3), activities 4-6 repeat continuously to add value.
5
Three types of business processes
Operating processes: core processes through which the organization achieves its primary objectives (make and sell the product).
Management and support processes: oversee and support the core processes.
Projects: some organizations set up their core value-creating activities in the form of projects (e.g., engineering and construction).
6
Exhibit 5-3 Exhibit 5-3 shows differing levels of process aggregation.
7
Step One - Understand Business Objectives:
For internal auditors to add value and improve an organization’s operations, they must first understand the organization’s business model.
The business model includes the objectives of the organization and how the organization’s business processes are structured to achieve these objectives.
The model also includes the organization’s vision, mission, and values, as well as the sets of boundaries within which the organization operates.
8
Step Two - Identify Business Processes:
There are two approaches that can be taken to understand business processes and their role in the business model:
- A top-down approach
- A bottom-up approach
9
Step Two - Identify Business Processes:
Top-down Approach
One begins at the entity level, with the organization’s objectives, and then identifies the key processes critical to the success of each of those objectives. A process is considered key relative to a specific objective if failure of the process to function effectively would directly result in the organization not achieving the objective.
Example objective: increase shareholder value by delivering 12% growth in earnings. In the exhibit, processes 3, 4 and 5 are key to this objective; process 8 is not.
10
Step Two - Identify Business Processes:
Bottom-up Approach
Begins by looking at all processes directly at the activity level. It requires each area of the organization to identify and document the business processes in which it is involved; the identified processes are then aggregated across the organization. This approach works well for smaller organizations with a relatively limited number of processes.
11
Step Three, Identify Key Processes:
Once a process is identified, the next step is to determine the key objectives of the process. Determining the key objectives involves getting the answers to the following questions (RQ 6):
- Why does the process exist?
- How does the process support the organization’s strategy and contribute to its success?
- How are people expected to act?
- What else does the process do that is important to management?
12
Step Three, Identify Key Processes:
For an internal auditor, the first source of information is the process owner and the existing policy and procedures documentation for the process.
13
Step Three, Identify Key Processes:
Once the process objectives have been identified, the next step is to look at the process inputs and the specific activities needed to achieve the objectives (the process outputs). This review should include:
- process procedural manuals
- policies related to the process
- job descriptions of people involved in the process
- any process maps that describe the process flow
14
Step Three, Identify Key Processes:
Documentation is required. It should be done by the process owner and the people involved in the process. Process documentation can be very effective in (1) orienting new personnel, (2) defining areas of responsibility, (3) evaluating the efficiency of systems, (4) determining areas of primary concern, and (5) identifying key risks and controls.
15
Step Three, Identify Key Processes:
Internal auditors must also document their understanding to support their overall assessment of risk and control in the organization and in any specific assurance engagements they conduct on the process.
16
Step Three, Identify Key Processes:
There are two commonly used methods for documenting processes:
- Process maps / flowcharts: may be high-level or at the detailed-activity level, and are pictorial representations of inputs, steps, workflows, and outputs, usually with some accompanying narrative. Internal auditors frequently use document flowcharts, which depict the flow of documents through specific processing steps.
- Process write-ups.
17
Exhibit 5-4
18
Exhibit 5-5
19
Exhibit 5-6
20
Video http://auditchannel.tv/video/973/Focus-on-Business-Processes
21
Step Four, Identify and Assess Risks Associated with Key Processes:
Once the internal auditor obtains an understanding of the organization’s objectives and the key processes used to achieve those objectives, the next step is to evaluate the business risks that could impede accomplishment of those objectives. It is helpful to develop an overall risk profile of the organization that identifies the critical risks to the achievement of each strategic objective. Organizations that use ERM may already have risk profiles developed by management; if not, the internal audit function will need to create the risk profile as a starting point for its annual audit planning. The assessment of organizational risk remains a very subjective process that requires experience and sound judgment.
22
Step Four, Identify and Assess Risks Associated with Key Processes:
Management might begin the risk assessment process by starting with a generic risk model such as the one presented in Exhibit 5-7. The various risks are then assessed in terms of impact and likelihood (RQ8) and plotted on a Risk Map, or Heat Map (Exhibit 5-8).
23
Exhibit 5-7
24
Risk/Heat Map
Impact, the adverse effect of a risk outcome, is usually assessed in terms of three categories (high, medium, low) or five categories, as in Exhibit 5-8. Likelihood is evaluated by assessing the odds of the risk outcome occurring, again on a three- or five-category scale.
25
Exhibit 5-8
26
Exhibit 5-9
27
Risk/Heat Map
Rating impact and likelihood is usually done by senior management and operations managers with the advice of internal audit. The next step is to formally link each identified risk to the specific objectives it may impair. This helps to ensure that all key risks, and their resulting impact, have been identified.
28
Exhibit 5-10
29
Step Five, Identify Risk Responses:
The next step is to map the identified risks to the business processes in order to develop an appropriate response to each risk (avoid, reduce, share, accept) (RQ10). Risks are linked to processes by means of a Risk by Process Matrix (Exhibit 5-11).
30
Step Five, Identify Risk Responses:
The links should be evaluated as to whether they are key or secondary. Key links are those in which the process plays a direct and key role in managing the risk; secondary links manage the risk indirectly. Once the risk by process matrix is complete, the internal audit function can use it to determine which engagements should be included in the function’s annual audit plan.
31
Exhibit 5-11
32
Step Five, Identify Risk Responses:
Processes with a large number of key links to several risks may be good candidates for a comprehensive audit. Alternatively, the risk factor approach can be used (Exhibit 5-7).
33
Step Five, Identify Risk Responses:
The next step is to identify and evaluate the specific risks in each activity or subprocess within the key process. This is done through the use of a Risk/Control Matrix (Exhibit 5-14).
34
Exhibit 5-14
35
Step Five, Identify Risk Responses:
After the response strategies have been determined, and both before and after the strategies have been tested for effectiveness, an overview of the risk response strategies can be obtained by creating a risk control map, which plots risk significance (impact x likelihood) against control effectiveness. The risk control map shows where there is an appropriate balance between risk and control, and where a risk is under- or over-controlled.
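The heat map, the risk by process matrix and the risk control map described on the preceding slides are all simple data structures, so here is an added example, written for this page and not taken from the IIA text or the deck, that builds all three in Python and runs the checks an auditor (or a security engineer doing a risk assessment) would want from them. Every risk, process, rating, and numeric threshold is constructed for illustration; the five-point scales follow the exhibit's categories, but the scores, the "key links first" ranking and the under-/over-controlled rule are assumptions, not the textbook's.

```python
"""Added example (not from the IIA text): a small, reproducible version of the
heat map (Exhibit 5-8), the risk-by-process matrix (Exhibit 5-11) and the
risk control map (Exhibit 5-15). All sample data and cut-offs are constructed."""
from dataclasses import dataclass

# Ordinal scales, 1 = least severe / least likely, 5 = worst / most likely.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
# Control effectiveness as rated after testing (performance phase of the risk/control matrix).
EFFECTIVENESS = {"ineffective": 1, "weak": 2, "adequate": 3, "strong": 4}


@dataclass
class Risk:
    name: str
    objective: str              # the objective this risk may impair (Step Four link)
    impact: str
    likelihood: str
    response: str               # avoid / reduce / share / accept
    control_effectiveness: str  # rating of the controls that implement the response

    def significance(self) -> int:
        """Risk significance = impact x likelihood, i.e. the heat-map cell score (1..25)."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def heat(self) -> str:
        """Bucket the score into the three heat-map colours (cut-offs are assumptions)."""
        s = self.significance()
        return "high" if s >= 15 else "medium" if s >= 8 else "low"

    def balance(self) -> str:
        """Risk control map quadrant: significance against control effectiveness.
        Assumed rule: a high-significance risk behind weak controls is under-controlled,
        a low-significance risk behind strong controls is over-controlled."""
        eff = EFFECTIVENESS[self.control_effectiveness]
        if self.heat() == "high" and eff <= 2:
            return "under-controlled"
        if self.heat() == "low" and eff >= 4:
            return "over-controlled"
        return "balanced"


# Risk-by-process matrix: process -> {risk name: "key" | "secondary"}
RiskByProcess = dict[str, dict[str, str]]


def rank_processes(matrix: RiskByProcess, risks: list[Risk]) -> list[tuple[str, int, int]]:
    """Order processes for the annual audit plan: most key links first, ties broken by
    the significance of the linked risks (secondary links count half; an assumption)."""
    sig = {r.name: r.significance() for r in risks}
    rows = []
    for proc, links in matrix.items():
        key_links = [r for r, kind in links.items() if kind == "key"]
        weight = sum(sig[r] for r in key_links)
        weight += sum(sig[r] // 2 for r, kind in links.items() if kind == "secondary")
        rows.append((proc, len(key_links), weight))
    return sorted(rows, key=lambda row: (row[1], row[2]), reverse=True)


def unlinked_risks(matrix: RiskByProcess, risks: list[Risk]) -> list[str]:
    """Completeness check: a risk with no key link to any process has no process
    that directly manages it, so its response is unowned."""
    covered = {r for links in matrix.values() for r, kind in links.items() if kind == "key"}
    return sorted(r.name for r in risks if r.name not in covered)


def heat_map(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Group risk names by (impact, likelihood) cell, the grid drawn in Exhibit 5-8."""
    grid: dict[tuple[int, int], list[str]] = {}
    for r in risks:
        grid.setdefault((IMPACT[r.impact], LIKELIHOOD[r.likelihood]), []).append(r.name)
    return grid


# Constructed sample for a hypothetical pizza chain, in the spirit of the deck's Pizza Inc. case.
SAMPLE_RISKS = [
    Risk("food-safety incident", "protect the brand", "severe", "possible", "reduce", "strong"),
    Risk("card-data breach at POS", "protect the brand", "major", "likely", "reduce", "weak"),
    Risk("supplier price spike", "grow earnings 12%", "moderate", "likely", "share", "adequate"),
    Risk("late deliveries", "grow earnings 12%", "minor", "almost certain", "accept", "adequate"),
    Risk("store lease dispute", "grow earnings 12%", "minor", "rare", "accept", "strong"),
]
SAMPLE_MATRIX: RiskByProcess = {
    "order fulfilment": {"late deliveries": "key", "food-safety incident": "secondary"},
    "payment processing": {"card-data breach at POS": "key"},
    "procurement": {"supplier price spike": "key", "food-safety incident": "key"},
    "facilities": {},  # no links yet: either scope it or ask why the process exists
}

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:26} {r.significance():2} {r.heat():6} {r.balance()}")
    print("audit priority:", rank_processes(SAMPLE_MATRIX, SAMPLE_RISKS))
    print("risks with no key process:", unlinked_risks(SAMPLE_MATRIX, SAMPLE_RISKS))
```

Two things the code makes visible that the slides only state: the "key links" ranking puts procurement ahead of payment processing even though the payment risk is the one sitting high and under-controlled on the risk control map, which is why the deck offers the risk factor approach as an alternative; and the unlinked-risk check catches a risk that nobody's process owns. Multiplying two ordinal scales is a ranking convenience, not a measurement, so treat the 1..25 score as a sort key for the heat map rather than as a quantity to compare across organizations.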
36
Exhibit 5-15
37
Business Process Outsourcing
Business process outsourcing (BPO) is the act of transferring some of an organization’s business processes to an outside provider to achieve cost reductions while improving service quality and efficiency. Even though a function may be outsourced, it is critical that management and the internal audit function ensure an adequate system of internal controls exists at the outsource vendor. The third-party provider may offer a SOC 1 or SOC 2 report as evidence. Such a report is only useful if the system description, the reporting period and the services in scope actually cover the outsourced function, and the user entity still has to operate the complementary user entity controls that the report assumes are in place.
38
SOC 1 reports:
Type 1: a report on management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.
Type 2: a report on management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description, throughout a specified period.
Use of SOC 1 reports is restricted to the management of the service organization, user entities, and user auditors.
39
SOC 2 report: Is similar to a SOC 1 report
A Type 1 or Type 2 report may be issued, and the report provides a description of the service organization's system. For a Type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests.
40
SOC 2 report: SOC 2 reports specifically address one or more of the following five key system attributes:
- Security: the system is protected against both physical and logical unauthorized access.
- Availability: the system is available for operation and use as committed or agreed.
- Processing integrity: system processing is complete, accurate, timely and authorized.
- Confidentiality: information designated as confidential is protected as committed or agreed.
- Privacy: personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity's privacy notice, and with the criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants (the AICPA has since consolidated these principles and GAPP into its Trust Services Criteria).
41
SOC 2 report: SOC 2 reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization, such as management, the board of directors, customers of the service organization, regulators, business partners, suppliers and others.
42
SOC 3 Reports: are designed to meet the needs of users who need assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ information, and the confidentiality or privacy of that information, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 report. Because they are general use reports, SOC 3 reports can be freely distributed or posted on a website as a SysTrust for Service Organizations seal.
43
A SOC 1 report is essentially an auditor-to-auditor communication. A SOC 2 report is generally a restricted use report (at the discretion of the auditor, using the guidance in the standard). A SOC 3 report is in all cases a general use report, which lets the service organization share it with current and prospective customers or use it as a marketing tool to demonstrate that it has appropriate controls in place to mitigate risks related to security, privacy, etc.
44
CASE 1
45
Example: List Pizza Inc.’s Key Processes:
46
Example: What is Pizza Inc.’s strategy?
47
Example: Complete the Risk/Control Matrix for Pizza Inc.:
Risk/Control Matrix columns (rows 1-5 are left blank for the exercise):
Planning phase:
- Activity or subprocess within key process
- Risk statement
- Potential impact
- Likelihood rating
- Risk response
Performance phase:
- Technique for assessing effectiveness
- Control effectiveness
48
Example: Prepare a Risk Map For Pizza Inc.
49
Example: Prepare a Risk Control Map For Pizza Inc.
50
Exhibit 5-1
51
Exhibit 5-12
52
Exhibit 5-13
53
Exhibit 5-16
54
Exhibit 5-17
55
Exhibit 5-A1
56
Exhibit 5-A2
57
Exhibit 5-A3
58