Chapter 5

Business Processes
Business Processesand
andRisks
Risks

Faculty of Economics and Business - Accounting Undergraduate Program

Learning Objective 1:
Understand how organizations structure their
activities to achieve their objectives

Faculty of Economics and Business - Accounting Undergraduate Program

 Business Process
Business Process is the set of connected activities
linked with each other for the purpose of achieving an
objective
Three types of business activities:
Operating processes
Management and support processes
Project

Faculty of Economics and Business - Accounting Undergraduate Program

Business Activity: Basic Operating Processes

1. 3. Design
2. Develop 4. Market &
Understand Product or
Strategy Sell
environment service

5. Produce
6. Invoice and deliver
and Collect Product or
Services

Faculty of Economics and Business - Accounting Undergraduate Program

 Business Activity: Management
Support Processes
Manage Human Resources

Manage Financial resources

Manage IT resources

Manage Physical Resources

Manage Compliance with laws and Regulations

Manage External Relationships

Faculty of Economics and Business - Accounting Undergraduate Program

 Business Activity: Projects

Project Scouting Concept Execute

Handof
Operate Design &
and developme
source ( Impleme Operate
(abandon)
nt nt)
Assess
Project Scouting Concept Execute
Deliver Design &
and developme
source ( Impleme Handof
nt nt)
Assess

Faculty of Economics and Business - Accounting Undergraduate Program

Learning Objective II:
Obtain an understanding of Business Process

Faculty of Economics and Business - Accounting Undergraduate Program

 Understanding Business Processes
To add value and improve an organizations operations,
Internal Auditor must first understand the organizations
business model
Business model includes the objectives of the organization
and how its business processes are structured to achieve
objectives
Business model includes the organizations vision, mission,
and values, products or service, customer or market, supply
and delivery channel
What product or services it will deliver
What customers or markets it will target
Faculty of Economics and Business - Accounting Undergraduate Program
 Understanding Business Processes

While an organizations vision and mission, values and

objectives are relatively stable from year to year, the
internal audit function should still periodically update
its understanding of the organizations strategy
Two common approaches that can help in
understanding business processes:
Top down approach
Bottom up approach

Faculty of Economics and Business - Accounting Undergraduate Program

 Understanding Business Processes
Top down Approach
1. Understanding organizations objectives
2. Identifying key process critical to the success of each
objectives
3. Breaking the process into levels of sub-processes and
reaching the activity level
Bottom up Approach
1. Looking at all processes at the activity level
2. Identifying the business process
3. Determine the key objectives of the process
4. Understanding how inputs and activities combined to
generate outputs Faculty of Economics and Business - Accounting Undergraduate Program
Business Process Objective: Questions

Once business process is identified, IA should

get the answers of following questions:
Why does the process exist?
How does the process support the organizations
strategy and contribute to its success?
How are people expected to act?

Faculty of Economics and Business - Accounting Undergraduate Program

 The inputs and the Business Process

Once the business process objectives are understood,

the next step is to understand the inputs to the
business process
To understand how inputs and activities combine to
generate the outputs, following documents should be
reviewed:
Process procedural manual
Policies related to the process
Job descriptions of people involved in the process
Process maps that describe the process flow
Faculty of Economics and Business - Accounting Undergraduate Program
 Understanding Business Process: Questions to
Process Owner
1. Why does this process exist?
2. Which of the organizations strategic objectives afect the process and
how?
3. What initiatives should the process undertake to help the organization
achieve its strategic objectives?
4. What does the process provide the organization, without which
organization would have a difficult time being successful?
5. What gives employees involved in the process a sense of
accomplishment with their jobs?
6. What accomplishment tend to get employees involved in the process
recognized by management or internal customers?
7. How are people who are involved with the process expected to act? What
happens if they do not meet this expectation?
Faculty of Economics and Business - Accounting Undergraduate Program
Learning Objective III:
Obtain understanding of documenting Business Process

Faculty of Economics and Business - Accounting Undergraduate Program

 Documenting Business Process
Documenting business process is useful for:
Orienting new personnel
Defining areas of responsibility
Evaluating the efficiency of processes
Determining areas of primary concern
Identifying key risk controls
Two common method of documenting business
process:
Process Maps ( High Level Activity and Detailed Level Activity)
Process narratives ( Description over High Level and Detail Activity
Faculty of Economics and Business - Accounting Undergraduate Program
High Level Activity Process Map:
Example

Faculty of Economics and Business - Accounting Undergraduate Program

Detailed Level Activity Process Map:
Example

Faculty of Economics and Business - Accounting Undergraduate Program

Learning Objective IV:
Understanding basic types of business risks

Faculty of Economics and Business - Accounting Undergraduate Program

 Business Risk: Understanding
Understanding of the organizations business risk will
determine the extent to which the internal audit
function will be able to fulfill its mission and add value
to the organization
Its helpful to develop an overall risk profile of the
organization that identifies the critical risks to
achievement of each strategic objective
Internal audit function can build its risk assessment
from the organizations risk profile

Faculty of Economics and Business - Accounting Undergraduate Program

 Basic Business Risks
Strategic Risks

Compliance Risks

Reporting Risks

Operation Risks

Faculty of Economics and Business - Accounting Undergraduate Program

 Basic Business Risk
Strategic Risk Compliance risk Reporting Risks

External Internal External Internal External Internal

Changes in Reputation Contractual Ethics Accounting Budgeting
law and and financial
regulations reporting
Competition Strategic Regulatory policies Taxation Performance
focus measures
Change in Customer Litigation Fraud and Internal
market satisfaction illegal acts control and
dynamics regulatory
Industry governance permits reporting

technology

Faculty of Economics and Business - Accounting Undergraduate Program

 Basic Business Risk
Operational Risks
Process People Financial
Supply chain capacity Manpower supply Interest rates
Process execution Leadership Foreign currency exchange

Health and human safety Performance incentives Capacity

Business continuity Empowerment Concentration
Cycle time Change readiness Capital availability
Catastrophic events communications Cash management
Lack of product innovation Commodity pricing

Faculty of Economics and Business - Accounting Undergraduate Program

Learning Objective V:
Understand Risk Assessment Model

Faculty of Economics and Business - Accounting Undergraduate Program

 RISK ASSESSMENT MODEL

Extreme 15 19 22 24 25
High 10 14 18 21 23
Medium 6 9 13 17 20
Low 3 5 8 12 16
IMPAC Negligibl 1 2 4 7 11
T e
Remote Unlikely Possible Probable Certain
(0%-10%) (10%- (25% (50%- (90%-
25%) -50%) 90%) 100%)
IMPACT LIKELIHOOD Critical Risks
Extreme > 100 Million, Threatens ongoing existence
High $25 - $100 Million, difficult to achieve business High Risks
Objectives Moderate
Medium $5 - $25 Million, achieving some business Risks
objectives challenging Low Risks
Low $1 - $5 Million, some undesirable outcomes Faculty of Economics and Business - Accounting Undergraduate Program
 IDENTIFICATION OF CRITICAL RISKS
Extreme Catastrophic Availability
events Economics
governance Business
Continuity
High Changes in laws Reputation, Privacy
and regulations technology,
industry competition,
strategic focus customer
satisfaction, cash
management
IMP Medium concentration
ACT Low Health and Taxation, Foreign
safety Commodity Pricing currency,
Permits supply chain
Negligib
le
Remote Unlikely Possible Probabl Certain
(0%-10%) (10%-25%) (25% -50%) e (90%-
Faculty of Economics and Business(50%- 100%) Program
- Accounting Undergraduate
 OBJECTIVES AND CRITICAL RISK MATRIX
Mission: Gain the CRITICAL RISK
necessary
CR1 CR2 CR3 CR4 CR5 CR6 CR7
knowledge and skills Becomes Forgets oversleep Does not Does not Unable to Experienc
to be successful in ill deadline have have understa e social
an entry level course time to nd distractio
internal audit materials complete material n
position all work
1. Attend all X X
class

2. Be on time X X X
for each class
OB 3. Do X X X X
JE assigned
reading prior
CT to the class
IV 4. Complete X X X X X X
ES all
assignments
on time Faculty of Economics and Business - Accounting Undergraduate Program
 RISK BY PROCESS MATRIX
K Key Risk Risk 2 Risk 3 Risk 4 Risk 5 . Risk
S- 1 m
Secondary
Process 1 K K K
Process 2 K S K
Process 3 S
Process 4 S S S S
Process 5 S K
Process .. S K S
Process n K

Faculty of Economics and Business - Accounting Undergraduate Program

 RISK FACTOR APPROACH
Risk Factor Description Sore X Weighte
(1-3) Weight d
Score
INTERNAL FACTORS
1. Assets at 1 less than $500.000 10
Risk 2 from $500.000 - $5 million
3 Greater than $5 million
2. Visibility 1 Operating unit / direct 10
customer
2 Divisional / limited set of
customers
3 Organizational / national
press
3. Complexity 1- simple, routine assignments 10
2 requires several steps and
interaction of multiple people
3 multiple steps, requiring
coordination of multiple Faculty of Economics and Business - Accounting Undergraduate Program
 RISK FACTOR APPROACH
Risk Factor Description Sore X Weighte
(1-3) Weight d
Score
EXTERNAL FACTORS
1. Internal 1 Mature risk and control system 10
Control 2 stable risk and control system
Stability 3 significant changes to risk and control
system
2. Internal 1 No internal control or compliance 10
Control issues in past two years
effectiveness 2 instances of fraud, internal control
weakness, compliance failure, but none
significant in the past two years
3 significant fraud, internal control
weakness, compliance failure, in the past
two years
3. Significant 1- No significant change in last 12 months 10
Changes in 2 some changes om process or key
Operations personnel in last 12 months
3 major change in business and process
Faculty of Economics and Business - Accounting Undergraduate Program
 RISK FACTOR APPROACH
Risk Analysis by Business Process
EXTERNAL INTERNAL
Process 1
Process 2
Process 3
Process 4
Process 5
Process ..
Process n

Faculty of Economics and Business - Accounting Undergraduate Program

 Risk Response Options

Avoidance Exit or divest of the activities

Action is taken to reduce the impact,

Reduction likelihood or both

The risk impact or likelihood is reduced by

Sharing transferring or otherwise sharing a portion of
the risk

No action is taken to afect risk impact of

Acceptance likelihood

Faculty of Economics and Business - Accounting Undergraduate Program

 Risk Control Matrix for Process
Activity Risk Statement Potential Impact Likelihoo Risk Technique
impact rating d rating response for
assessing
efectivenes
s
Pack 1. Forgets to pack Loss point Medium Medium Accept -
backpack homework for late work
for assignments Unable to Low high Always Call phone to
tomorrow 2. Forgets to put in receive or keep cell test location
cell phone make calls phone in
3. Forget to shut Late Low Low backpack -
down and pack because of Accept
laptop delay with
shutdown
Set alarm 1. Forget to turn on Oversleep High High Turn on alarm Inquire and
for 5.00 alarm and miss in morning observe to find
a.m. 2. Power goes out class High Low when getting out if this is
during the night Oversleep up being done
and miss Second observe
class battery
powered
alarm clock
Go to bed 1. Unable to get to Tired next Medium Low Accept -
sleep day
2. Goes to bed too Medium Medium Accept -
late to get Tired next Faculty of Economics and Business - Accounting Undergraduate Program
sufficient sleep day
 Risk Control Map

III IV

Risk significant

I II

Control Effectiveness

Faculty of Economics and Business - Accounting Undergraduate Program

Learning Objective VI:
Understand risks of outsources business process

Faculty of Economics and Business - Accounting Undergraduate Program

Business Process Outsourcing : Understanding

Business Process Outsourcing is the act of transferring

some an organization's business processes to an
outside provider to achieve cost reductions while
improving service quality and efficiency

It is critical that management and the internal audit

functions ensure an adequate system of internal
controls exists with the outsource vendor

Faculty of Economics and Business - Accounting Undergraduate Program

Risk Management and Control of Outsources
Business Process
Document the outsourced process and indicate which key
controls have been outsourced
Ensure there are means of monitoring the efectiveness of
the outsourced process
Obtain assurance that internal controls embedded in the
outsourced process are operating efectively
Periodically reevaluate whether the business case for
outsourcing the process remains valid

Faculty of Economics and Business - Accounting Undergraduate Program