BUSINESS PROCESSES AND RISKS 5-31
EXHIBIT 5-A3
RISK MODEL FOR STUDENT ORGANIZATIONS AND ACTIVITIES

Risk rating (the combination of impact and likelihood):

Low Risk: Activities in this category contain minimal risk that is unlikely to occur. Organizations can proceed with these activities as planned.

Moderate Risk: Activities in this category contain some level of risk that is unlikely to occur. Organizations should consider what can be done to manage the risk to prevent negative outcomes.

High Risk: Activities in this category contain potentially serious risks that are likely to occur. Application of proactive risk management strategies to reduce risk is advised. Organizations should consider ways to modify or eliminate unacceptable risks.

Extremely High Risk: Activities in this category contain unacceptable levels of risk, including catastrophic and critical injury that are likely to occur. Organizations should consider whether they should eliminate or modify activities that still have an "E" rating after applying all reasonable risk management strategies.

Impact (vertical axis of the exhibit):

Negligible: Hazard presents a minimal threat to safety, health, and well-being of participants.
Marginal: May cause minor injury, illness, property damage, financial loss, and/or result in negative publicity for the organization or institution.
Critical: May cause severe injury, major property damage, significant financial loss, and/or result in negative publicity for the organization and/or institution.
Catastrophic: May result in death.

Likelihood that Something Will Go Wrong (horizontal axis of the exhibit):

Unlikely: Unlikely to occur.
Seldom: Not likely to occur, but possible.
Occasional: May occur at times.
Likely: Quite likely to occur in time.
Frequent: Likely to occur immediately or in a short period of time.

[The exhibit's grid, which assigns one of the four ratings to each impact/likelihood combination, is not reproduced in this extraction.]
5-32 INTERNAL AUDITING: ASSURANCE & ADVISORY SERVICES

1. What is a business process? What are operating processes?
2. What is a project and how is it different from a business process?
3. What are the management and support processes that are common to most organizations?
4. What is included in an organization's business model?
5. What is the difference between a top-down and bottom-up approach to understanding business processes?
6. How does an organization determine the key objectives of a business process?
7. What are two commonly used methods for documenting processes? Describe each.
8. What are the two common factors used when assessing risks?
9. After a risk assessment is completed, the next steps involve linking the risks to what two things?
10. What are the four responses an organization can take toward a risk?
11. What is the difference between a key link and a secondary link?
12. How can the risk factor approach be used to identify areas of high risk in an organization?
13. What are the two basic types of factors typically used when following the risk factor approach? What other factors are commonly considered?
14. When conducting an assurance engagement, once the objectives are known, what are the three primary steps involved in determining the tests to perform to assess whether the risks threatening the objectives are effectively managed?
15. What two axes are typically used in a risk control map? Explain what the two parallel dashed lines in exhibit 5-16 signify.
16. What practices should organizations follow to ensure effective risk management and control of outsourced business processes?
MULTIPLE-CHOICE QUESTIONS

Select the best answer for each of the following questions.

1. In assessing organizational risk in a manufacturing organization, which of the following would have the greatest long-range impact on the organization?
a. Advertising budget.
b. Production scheduling.
c. Inventory policy.
d. Product quality.

2. Internal auditors often prepare process maps and reference portions of these maps to narrative descriptions of certain activities. This is an appropriate procedure to:
a. Determine the ability of the activities to produce reliable information.
b. Obtain the understanding necessary to test the process.
c. Document that the process meets internal audit standards.
d. Determine whether the process meets established management objectives.

3. What is a business process?
a. How management plans to achieve the organization's objectives.
b. The set of connected activities linked with each other for the purpose of achieving an objective or goal.
c. A group of interacting, interrelated, or interdependent elements forming a complex whole.
d. A finite endeavor (having specific start and completion dates) undertaken to create a unique product or service that brings about beneficial change or added value.

Use the chart to answer questions 4 through 6.

[Risk control map (chart not reproduced in this extraction): horizontal axis Control Effectiveness, running from High on the left to Low on the right; vertical axis Risk Significance; four quadrants labeled I, II, III, and IV.]

4. If a risk appears in the bottom right of quadrant II in the above risk control map, it means that:
a. There is an appropriate balance between risk and control.
b. The controls may be excessive relative to the risk.
c. The controls may be inadequate relative to the risk.
d. There is not enough information to make a judgment.

5. If a risk appears in the middle of quadrant IV in the above risk control map, it means that:
a. There is an appropriate balance between risk and control.
b. The controls may be excessive relative to the risk.
c. The controls may be inadequate relative to the risk.
d. There is not enough information to make a judgment.

6. Which of the following circumstances would concern the internal auditor the most?
a. A risk in the lower left corner of quadrant I.
b. A risk in the lower right corner of quadrant II.
c. A risk in the upper left corner of quadrant III.
d. A risk in the upper right corner of quadrant IV.
7. Which of the following are business processes?
I. Strategic planning.
II. Review and write-off of delinquent loans.
III. Safeguarding of assets.
IV. Remittance of payroll taxes to the respective tax authorities.
a. I and III.
b. II and IV.
c. I, II, and IV.
d. I, II, III, and IV.

8. Which of the following symbols in a process map will most likely contain a question?
a. Rectangle.
b. Diamond.
c. Arrow.
d. Oval.

9. After business risks have been identified, they should be assessed in terms of their inherent:
a. Impact and likelihood.
b. Likelihood and probability.
c. Significance and severity.
d. Significance and control effectiveness.

10. In a risk by process matrix, a process that helps to manage a risk indirectly would be shown to have:
a. A key link.
b. A secondary link.
c. An indirect link.
d. No link at all.

11. A major upgrade to an important information system would most likely represent a high:
a. External risk factor.
b. Internal risk factor.
c. Other risk factor.
d. Likelihood of future systems problems.

12. Which of the following is true regarding business process outsourcing?
a. Outsourcing a core, high-risk business process reduces the overall operational risk.
b. Outsourced processes should not be included in the internal audit universe.
c. The independent outside auditor is required to review all significant outsourced business processes.
d. Management's controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function.

13. A company has recently outsourced its payroll process to a third-party service provider. An audit team was scheduled to audit payroll controls in the annual audit plan prepared prior to the outsourcing. What action should the audit team take, considering the outsourcing decision?
a. Cancel the engagement, because the processing is being performed outside the organization.
b. Review only the controls over payments to the third-party provider based on the contract.
c. Review only the company's controls over data sent to and received from the third-party service provider.
d. Review the controls over payroll processing in both the company and the third-party service provider.

14. Which flowcharting symbol indicates the start or end of a process?
a. Arrow.
b. Diamond.
c. Oval.
d. Rectangle.

15. How does a control manage a specific risk?
a. It reduces the likelihood of the event giving rise to the risk.
b. It reduces the impact of the event giving rise to the risk.
c. It reduces either likelihood or impact or both.
d. It prevents the occurrence of the event.
1. How would an oil exploration and production company differ from a global retail company like Wal-Mart in terms of how it organizes business processes?

2. What are five of the most important business processes and business risks for a large automobile manufacturer like Toyota?

3. If internal audit resources are limited to conducting only one audit at a divisional location, should a high-risk process that was audited last year at this location be audited in lieu of a moderately risky process that was last audited four years ago? Explain.

4. The objectives of Sargon Products' purchasing process are to obtain the right goods, at the right price, at the right time. What are the significant risks to achievement of these objectives?

5. Think about the sales and cash receipts process of a men's or women's clothing store where you shop.
a. What are the key objectives of this process?
b. What are the key risks that threaten the achievement of those objectives? Key risks are those that have the highest significance (that is, combination of impact and likelihood).
c. Identify and map the major activities of the process in the order in which they occur.
d. Based on your review of the major activities, which of the risks identified in b. likely have the greatest inherent significance?

6. Payswell Company, a small manufacturer, has been in business for 10 years. Senior management is thinking about outsourcing the company's payroll process.
a. What are three important objectives of a payroll process?
b. What are the key risks that threaten the achievement of those objectives?
c. What are the potential benefits of outsourcing the payroll process?
d. What new risks may arise if the process is outsourced?
e. How should Payswell's management:
1. Identify the key controls over the outsourced payroll process?
2. Determine whether those controls are designed adequately and operating effectively?
CASE 1

Pizza Inc., a pizza take-out and delivery chain, is experiencing decreasing revenues and steadily losing market share despite favorable market testing of its products/recipes. The company's strategy has traditionally been defined as gaining increased market share through customer satisfaction. Management has asked your internal audit function to help them understand the reasons for declining sales at the Uptown location and how the decline might be related to internal operations. Your prior internal audit experience and direct observation of work performed at the troubled location identified the following information:

• In 20XX, Pizza Inc.'s corporate office screened this site location prior to construction to ensure that neighborhood demographics supported the ideal business environment. This resulted in locating the chain near a suburb where typical residents were in the mid- to upper-middle class income range and who owned homes with three to four bedrooms. Despite the favorable location, the site you are reviewing continues to have gross and operating margins lower than their local competitors.

• On-the-job training is the primary method used by managers to communicate company policy and procedures. However, documented policies and detailed procedures do exist for each key process and are available by request from the shift manager. Employees are typically male (comprising 65 percent of total staff), 17 to 23 years old, with little or no prior work experience at the time of hire. Unscheduled absenteeism is high and part-time shift assignments are rotated frequently to reward those individuals who regularly work as scheduled. The internal audit team noted in last year's review that management has documented an average annual turnover rate of 18 percent.

• The shift manager is responsible for ensuring that all pizza orders are completed within the advertised time deadlines, a long-held competitive advantage. Drivers are required to record on a delivery ticket the time of their arrival at the delivery location. This time is compared with the time recorded on the order ticket to calculate total elapsed minutes. Review of the last six months' delivery tickets indicates that the company benchmark delivery cycle time of 25 minutes from "placing the order to when we're on the doorbell" has slipped to an average of 43.8 minutes. For months there have been persistent rumors about bets placed on one driver's notorious reputation for beating the delivery deadline every time.

• Delivery promptness is also dependent on the volume of completed pizzas at any given time and the neighborhood traffic pattern. Drivers are initially screened at hire for outstanding traffic violations or other infractions (such as driving while intoxicated). The original site manager posted a large map on the wall so drivers can identify their routes. Mileage is reimbursed as part of the compensation for using their own vehicles, so each driver turns in a mileage log at the end of the shift to indicate both starting and ending mileage. The manager randomly checks the recorded starting or ending mileage against the cars' odometers.

• Pizza Inc.'s company policy requires that each location restrict itself to a five-mile service area; however, if an order comes in, the work is never refused. Phone orders occur in predictable patterns, but walk-in orders are more random and less frequent. Scheduling staff to match the anticipated workload is done one week in advance. The average workload during peak hours is 29 orders taken per hour. Orders are manually written on pre-numbered pads. When mistakes are made, the original order ticket is tossed out and a new order form is created to avoid confusion. Information captured includes: date, time of call (or walk in), name, address, phone number, type of crust, and toppings requested. Hand calculators are available to assist with pricing quotes that are told to the customer and recorded on the delivery ticket. Shift managers check every order to ensure that information is complete prior to processing the order.

• Employees who make the pizza are instructed in the proper quantity of ingredients for various standard topping combinations. Frequently, special request orders are received that add items to the standard recipe. Measuring cups are available, but your internal audit team noted on prior visits that when activity reaches peak load, employees generally "know" how much of key ingredients to use. The manager monitors the supply cabinets and refrigerators at the end of the shift to ensure adequate inventory is on hand. Several months ago, the evening shift manager determined that inventory deliveries should be increased to four per week, up from the usual three. Oven temperatures are monitored closely to ensure that pizzas are properly cooked. Employees who bake the pizza rely on a centrally located wall clock to time the various combinations. There are cooking guidelines posted for each standard topping combination with instructions on what to do if a pizza is overcooked. Generally these are available to employees for snacking.

• All employees are responsible for ensuring the baked pizzas are cut, boxed, hand-labeled for delivery, and assigned to the next available driver. (Drivers work in a first-in/first-out method.)

Your internal audit team determined, after reviewing information received from various external sources and reading Pizza Inc.'s internal communications on strategy, mission, and vision, that linking the business risks to business processes will assist Pizza Inc.'s CEO, chief financial officer, and chief operating officer with identifying the critical business processes and key success factors for each process.

As leader of the internal audit team, you have agreed to:

A. Identify and list the key processes used by Pizza Inc. at their individual site locations.
B. Determine 10 business risks for the typical site location and assess the impact and likelihood of these risks.
C. Link the business processes to the business risks. Determine which are key versus secondary links. (Complete a risk by process matrix, exhibit 5-11.)
D. Select a key process (one you consider critical to the success of an individual site location) and create a detailed-level process map of the activities.
E. Identify the specific risks associated with the activities of the key process (that is, the process you selected for process mapping). (Complete the risk portion of a risk/control matrix, exhibit 5-14.)
F. Map the identified risks according to their inherent impact and likelihood of occurrence. (Complete a risk map, exhibit 5-15.)
G. Based on the case facts provided above, identify controls (actions management currently takes) to mitigate the identified risks and put them on the risk/control matrix (in the risk response column, exhibit 5-14).
H. Determine techniques for assessing the effectiveness of the existing controls. (Complete the last column in the risk/control matrix, exhibit 5-14.)
I. Based on your observations and opinion of the potential effectiveness of the current risk response activities to address risks in the critical process you selected, create recommendations to mitigate the existing risks and improve performance.

CASE 2

Select a company that has undergone an initial public offering within the last five years and obtain the prospectus (these are usually available on the company's website, EDGAR for companies listed on the U.S. stock exchanges, or other information services).

A. What is the business strategy and business model?
B. Identify the strategic objectives.
C. Identify the key risks.
D. Construct a matrix with the strategic objectives on the Y axis and the critical risks on the X axis. For each objective, indicate which key risk applies.
E. Discuss which risk you think the internal audit function should set as the highest priority.

CASE 3

guidance to service auditors when assessing the internal control of a service organization and issuing a Service Organization Controls (SOC) report. A SOC report is issued as one of two types. A Type 1 SOC report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type 2 SOC report includes the information contained in a Type 1 report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review (commonly six to twelve months). The SOC 1 versus SOC 2 distinction that the exercise below asks about is separate from the Type 1 versus Type 2 distinction: a SOC 1 report covers controls relevant to user entities' internal control over financial reporting, a SOC 2 report covers controls over security, availability, processing integrity, confidentiality, and privacy, and either can be issued as a Type 1 or a Type 2 report. SSAE 16 reporting (since superseded by SSAE 18, which left the report structure unchanged) can help service organizations demonstrate to their customers, who must meet Sarbanes-Oxley's section 404 requirement to show effective internal controls covering financial reporting, that the outsourced controls are effective. It can also be applied to data centers or any other service that might be used in the delivery of financial reporting. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations, and clearinghouses.

Utilize the KnowledgeLeader website and perform the following:

A. Authenticate to the KnowledgeLeader website using your username and password.
B. Perform research and identify the circumstances under which obtaining a SOC report is justified. Explain the differences between a SOC 1 and a SOC 2 report. Determine when it would be appropriate to obtain a SOC 1 report versus a SOC 2 report.

Submit a brief write-up indicating the results of your research to your instructor.

TeamMate Practice Case Exercise 1: Assessment

CPI's internal audit function uses the Assessment area in TeamMate+ to develop its annual risk-based internal audit plan. The planning process begins with the internal audit function's understanding of the organization, which is documented in Assessment using the Dimension viewer. The Primary Dimension is a representation of the audit universe, that is, all the organizational units (entities) the internal audit function can audit. Secondary Dimensions of Accounts and the COSO Framework allow audit management to look at the Risk Assessment in different ways.

The internal audit function then uses the Assessment to complete and document the following tasks:

• Identify CPI's entity objectives and the risks that threaten the achievement of those objectives.
• Link the identified objectives and risks, as well as controls designed to mitigate the risks, with the identified entities included in the Primary Dimension.