In this chapter, you will learn that organizations go through the same type of thought process to plan steps that will help achieve their objectives, including identifying the potential risks to the objectives and managing those risks to acceptable levels. You also will learn how risk assessment techniques and methodology are used by internal auditors to carry out their responsibilities.

In some cases, it may have been personal preference. For example, if you pack your backpack the night before, you can sleep five minutes longer the next morning. In other cases, your choice may have a direct impact on your ability to achieve your objective. For instance, you decided to drive rather than take the bus because the bus is often late or is frequently full and you might have to wait for the next one. In this case, you are exercising the same type of risk management thinking described in chapter 4, "Risk Management."

This is a list of activities you must complete to achieve your objective of getting to class on time. To achieve this objective, you made specific choices from any number of other choices that could have been made. For instance, you could have packed your backpack in the morning instead of doing it the night before, or decided to take the bus to campus instead of driving your car. So, why did you make these choices?

• Walk to the classroom and find a seat.

• At 7:00 a.m., get in your car and drive to campus.

• Find a parking space.

• Walk to the building.

• Get coffee.

You might do the following:

• Put the notes, assignments, and books you will need for tomorrow in your backpack along with your cell phone and laptop.

• Set your alarm clock for 6:00 a.m. and then go to sleep.

• Get up when your alarm clock rings.

• Get dressed and eat breakfast.

Consider a simple objective as an example. You want to get to tomorrow's 8:00 a.m. class on time. What do you need to do?

Business Process: The set of connected activities linked with each other for the purpose of achieving one or more business objectives.

BUSINESS PROCESSES AND RISKS 5-3

Objectives: What an entity desires to achieve. When referring to what an organization wants to achieve, these are called business objectives, and may be classified as strategic, operations, reporting, and compliance.

---

Management and support processes are the activities that oversee and support the organization's core value-creation processes. While these processes will vary between organizations, they generally are necessary across all industries and support, but do not directly create, the value embedded in the organization's objectives. Management and support processes include those used to administer the organization's human, financial, information and technology, and physical resources (processes 7 to 10). Such support processes include recruitment,

Projects also are frequently used in most organizations to structure nonroutine activities to create assets for the organization's use. For example, a project structure would be used for selection and implementation of a new accounting system, initial implementation of major initiatives, such as what was required to comply with the internal control provisions of the U.S. Sarbanes-Oxley Act of 2002, or construction of a new production facility.

Some organizations may use a different method to organize value-creating activities. This structure, called projects, is used when activities happen over an extended period of time, require a complex sequencing, and are relatively unique in that a specific activity is not done continuously. Examples of organizations that often set up their core activities in this manner are engineering and construction firms; mining, oil, and gas companies; and defense contractors. Processes 13 and 14 of exhibit 5-2 show the two different types of projects. Process 13 applies when the organization designs and constructs an asset and operates it, as well. For example, a petroleum company drills and then operates an oil well. Process 14 applies when the organization designs and constructs an asset and hands it off to another organization to operate (for example, a factory or building is constructed by an engineering firm and then transferred to another company for operation). Note that these examples relate to tangible assets. However, the same project approach applies to firms delivering services. In these instances, the "asset" may be intellectual property or some other intangible asset.

Operating processes for most organizations include the core processes through which the organization achieves its primary objectives. For a manufacturing company, this would be the processes through which it makes and sells products. For service providers such as a consulting firm or financial institution, it would be the processes by which they market and deliver their services. Government entities such as a city fire department or not-for-profit organizations (for example, the Boy Scouts) also have operating processes through which they deliver services. Once the product or service is designed (processes 1 to 3 in exhibit 5-2), the remaining operating processes (processes 4 to 6) are viewed as essentially continuous, being repeated many times in a business cycle. It is through these processes that organizations create value and deliver it directly to their customers.

classification of business activities. There are three types of business activities: operating processes, management and support processes, and projects. While this exhibit depicts them as separate and distinct processes and activities, the reader should note that they are not independent of one another. For example, the develop strategy activity (process 2) is a more operationally focused element of governance strategic direction that is shown in exhibit 3-3. Strategy development in this operating context may pertain to many of the other activities in exhibit 5-2. Additionally, management and support processes may enable and interact with the operating processes and projects.

5-4 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES

Source: Adapted from Protiviti Inc., a leading provider of internal audit and business and technology risk consulting services (www.protiviti.com). This Process Classification Scheme may be found on Protiviti's KnowledgeLeader (www.knowledgeleader.com), a subscription-based website that provides information, tools, templates, and resources for internal audit and risk management professionals.

[Exhibit 5-2: Basic Classification of Business Activities. Operating processes: 1. Understand Environment; 2. Develop Strategy; 3. Design Product or Service; 4. Market & Sell; 5. Produce Product / Deliver Service; 6. Invoice and Collect. Management and support processes: 7. Manage Human Resources; 8. Manage Financial Resources; 9. Manage Information and Technology Resources; 10. Manage Physical Resources; 11. Manage Compliance with Laws and Regulations; 12. Manage External Relationships. Projects: 13. Project; 14. Project. Project phase labels: Scouting (Identify and Assess), Concept Development, Design & Source, Execute (Implement), Operate, Deliver, Hand off (Abandon).]

Strategy: Refers to how management plans to achieve the organization's objectives.

For publicly traded companies, external sources of this information also may be available. For example, regulatory filings in the United States, such as the Form 10-K filing with the U.S. Securities and Exchange Commission (SEC), include information about objectives and key risks. In addition, analysts' reports may

Understanding Business Processes

For internal auditors to add value and improve an organization's operations, they must first understand the organization's business model. The business model includes the objectives of the organization and how its business processes are structured to achieve these objectives. The model is defined by the organization's vision, mission, and values, as well as sets of boundaries for the organization: what products or services it will deliver, what customers or markets it will target, and what supply and delivery channels it will use. While the business model includes high-level strategies and tactical direction for how the organization will implement the model, it also includes the annual goals that set the specific steps the organization intends to undertake in the next year and the measures for their expected accomplishment. Each of these is likely to be part of internal documentation that is available to the internal auditor.

Exhibit 5-2 illustrates business processes from a high-level perspective. Each of these 14 classification types also can be depicted as more discrete sets of activities. Exhibit 5-3 illustrates this point. For example, a retail organization may depict its general sales process at the highest level for processes 4, 5, and 6.

A specific type of sale may be a retail sale, which includes processes whereby the customer selects goods, pays for goods with cash or a promise to pay, and accepts possession of goods. Since retail sales may be made in a store setting or over the internet, more detailed processes can be designed for those unique activities. The level of detail used to depict these processes will vary depending on the desired level of documentation. If an overview is desired, the high-level depiction shown at the top of exhibit 5-3 is sufficient. If a more detailed level is desired, the middle or lower examples shown in exhibit 5-3 may be more appropriate. In some instances, subprocesses may be shown at even more detailed levels than those shown in exhibit 5-3. For example, the "store sale" process of entering information into the cash register could involve a number of subprocesses such as updating inventory numbers, recording sales revenue, and opening the cash drawer. Both the high-level and detailed approaches can be valuable to internal auditors, as discussed in the next section.

accounting, cash management, payroll, purchasing, etc. These processes also will encompass the organization's compliance program (process 11). This category also includes processes the organization uses to manage its external relationships (process 12) such as those with suppliers, customers, governmental entities, and regulators, as well as relations with capital markets and venture and alliance partners. Finally, while not specifically depicted in this exhibit, the activities involved in organizational governance that set the strategic direction of the organization and provide oversight of the organization as discussed in chapter 3 also could be considered organizational support processes. Examples of governance processes include strategic planning, the organization's compliance and ethics program, activities of the board and board committees, the enterprise risk management (ERM) program, and various monitoring and assurance activities.


[Exhibit 5-3: Levels of Process Depiction. Level of process depiction, from HIGH to LOW. General Sale: processes 4 to 6 (Market and Sell, Deliver Service, Invoice and Collect). Retail Sale: Customer Selects Goods; Pays for Goods with Cash or Promise to Pay; Customer Accepts Possession of Goods. Internet Sale: Customer Logs on to Website; Customer Places Order; Customer Enters Payment Information; Payment Arrangements Approved; Goods Shipped to Customer; Confirmation Sent to Customer. Store Sale: Customer Selects Goods and Goes to Checkout; Sales Clerk Enters Sales Into Cash Register; Customer Pays Sales Clerk; Customer Receives Goods.]

There are two common approaches that can help in understanding business processes and their role in the business model: a top-down approach and a

contain an external perspective on the organization's strategies. While an organization's vision, mission, values, and objectives are relatively stable from year to year, the internal audit function should still periodically update its understanding of the organization's strategy. Usually, this would be done annually when reviewing the yearly goals for the organization and executive management.

Bottom-Up Approach: Begins by looking at all processes directly at the activity level, and then aggregates the identified processes across the organization.

Top-Down Approach: Begins at the entity level with the organization's objectives, and then identifies the key processes critical to the success of each of the organization's objectives.

---

For an internal auditor, or someone not directly involved in the process, the first source of information is the process owner and the existing policy and procedures documentation for the process. Ideally, the process owner has established formal process objectives that provide the answers to the four questions above. If not, the internal auditor will need to work with key people involved with the process to obtain the necessary information.

• How are people expected to act?

• What else does the process do that is important to management?

Once a process is identified, the next step in either the top-down or bottom-up approach is to determine the key objectives of the process. Determining the key objectives involves getting answers to questions such as:

• Why does the process exist?

• How does the process support the organization's strategy and contribute to its success?

The bottom-up approach begins by looking at all processes at the activity level. Such an approach requires each area of the organization to identify and document the business processes in which they are involved. This is done by the people in the area who are responsible for the actual activities. The identified processes are then aggregated across the organization. While this approach works well for smaller organizations with a relatively limited number of processes, it is less effective in large and complex organizations as it becomes cumbersome to prioritize the significance of each process relative to the others as the relative significance changes as one moves to higher levels in the organization.

bottom-up approach. In the top-down approach, one begins at the organization level with the organization's objectives, and then identifies the key processes critical to the success of each of those objectives. A process is considered key relative to a specific objective if failure of the process to function effectively would directly result in the organization not achieving the objective. For example, if a specific objective was to increase shareholder value by consistently delivering growth in operating earnings (historically, 12 percent per year), then, referring to the high-level processes in exhibit 5-2, processes 3, 4, and 5 may be key, whereas some of the support processes, such as process 8, manage financial resources, may not be. It is important to note that, while processes may not be key to one specific objective, they may be key to another. Thus, in the example above, while the monthly accounting closing process might not be a key process to the earnings growth objective, it may be a key process for an organizational objective such as "provide reliable and timely financial information." Once the key processes are identified, they are analyzed in more detail, breaking the process into levels of subprocesses and eventually reaching the activity level. This approach is effective because it yields a manageable set of critical processes. It is usually undertaken by a team of individuals with a broad perspective of the organization but not with detailed knowledge of each area. As a result, there is the potential to overlook processes that ultimately prove to be critical but are omitted in the top-down approach.


Business processes must be documented. Typically, documentation is prepared by the process owner and people involved in the process. However, there are instances when process owners neglect documentation because of the daily demands of their jobs or because they do not see the value of formal documentation. While not completing the process documentation may have little immediate consequence, maintaining a set of up-to-date process documentation for all key