
BUSINESS PROCESSES AND RISKS 5-17

Secondary Link: The process helps to manage the risk indirectly.

to 70 risks. The risk assessment process shown in exhibit 5-8 and exhibit 5-9 can be used to shorten the list of risks. For instance, it might be desirable to limit the risks to which processes are linked to only those risks in cells 7 through 25 (see exhibit 5-8).

The next step is to analyze the processes to determine if there are any associations between the processes and the risks. Returning to the initial process example of getting to an 8:00 a.m. class on time, links between that process (exhibit 5-6) and the seven critical risks listed in exhibit 5-10 can be assessed. There is clearly a direct association between this process and critical risk 3 (oversleeps or is delayed). There also would be an association with critical risk 4 (does not have needed course materials) because part of getting to the 8:00 a.m. class on time involves gathering needed materials for classes and studying the rest of the day. Critical risk 5 (does not have time to complete all work) and critical risk 6 (unable to understand material) are clearly not related to this process. They would be related to other processes such as time management, scheduling, and study processes.

After identifying the risks with which a particular process is associated, the associations should be evaluated as to whether the links are key or secondary. Key links are those in which the process plays a direct and key role in managing the risk. Secondary links are ones in which the process helps to manage the risk indirectly. In the example above, critical risk 3 would be judged as a key link, while critical risk 4 may only be considered a secondary link. When the links are viewed across a particular risk, there should be one or two processes (at most three) identified as having key links and any number of additional processes identified as having secondary links.

EXHIBIT 5-11
RISK BY PROCESS MATRIX
Rows: Process 1 through Process n. Columns: Risk 1 through Risk n.
Legend: K - Key Link; S - Secondary Link.
[Cell markings of the original matrix are not legible in this copy.]

Once the risk by process matrix is complete, it can be used by the internal audit function to determine which engagements should be included in the function's annual audit plan. A first step could be to count the number of key and secondary links for each process. The number and nature of links between risks and processes will influence the type of internal audit that may be conducted. For example, a process with key links to several risks may be a good candidate for a comprehensive audit of the entire process. Alternatively, if a risk has key links to several processes, it may be more appropriate to conduct an audit of all such processes to provide assurance regarding the risk as a whole. Considerable experience is necessary to make these judgments. Also, a cycle for auditing each process could be established based on the impact and likelihood of the related risks. For example, processes with a key link to one or more critical risks or to several high and moderate risks may be audited on a one- or two-year cycle, and those with only secondary links to critical and high risks on a three-, four-, or five-year cycle. Consideration also should be given to past audit results. For instance, even a process on a three- or four-year cycle should be audited before its cycle ends if the prior audit identifies significant issues.

5-18 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES

Another, more indirect, approach to linking business processes and risks is through the development of basic risk factors used to evaluate risks across processes (risk factor approach). Typically, risk factor models identify seven to 15 factors that can be used to assess each process. These factors are not identical to risks in the earlier basic business risk model (exhibit 5-7). They are a higher level of abstraction, one that can be applied to each process. Most models are composed of two basic types of factors, external risk factors and internal risk factors, although other risk factors also may be included. The external risk factors pertain to factors built into the environment and the nature of the process itself. They can be characteristics such as relative level of activity, amount and liquidity of assets involved in the process, complexity of the process in terms of number of steps and inputs, level of legal and regulatory constraints, and so forth. Internal risk factors relate to the extent controls designed into the process assure the process achieves its objectives, performance of the people involved in the activities and in managing the process, and the degree of change in the process and environment in which it operates.

Some models include several additional factors, most commonly: time since the last audit, prior audit results, and specific management concerns.

After the factors have been identified, three other decisions must be made before implementing the model. First, the scale used to assess each factor must be set. Typically, a three-, five-, or seven-point scale is used. For example, in a three-point scale, 1 may be low, 2 medium, and 3 high. The boundaries on the three categories also can be set for each factor. For example, if one factor is "amount of assets involved," then low (a score of 1) might be less than $500,000, medium (a score of 2) from $500,000 to $10 million, and high (a score of 3) more than $10 million.

Regardless of which scale is selected (a three-, five-, seven-, or n-point scale), the same scale should be used for the assessment of all factors. Exhibit 5-12 shows an example of a 10-factor model using a three-point scale. The 10 factors are divided among three types of risk factors (external, internal, and other). Exhibit 5-12 shows the name of the risk factor in the first column and explanations of what each of the three scores would mean in the second column.
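The link-counting and cycle-setting rules for the risk by process matrix (exhibit 5-11) can be mechanised. The Python below is an added example, not code from the textbook: the matrix contents and the significance assigned to each risk are constructed, and where the text says "several" or gives a range of years the exact thresholds are assumptions stated in the comments. It also implements the check that no risk has key links in more than three processes.

```python
"""Risk-by-process matrix: counting links and setting an audit cycle.

Added example (not from the textbook). Layout follows exhibit 5-11: processes
in rows, risks in columns, "K" for a key link, "S" for a secondary link. The
matrix contents, the risk significance levels, and the exact cycle thresholds
are constructed or assumed, as noted below.
"""

KEY, SECONDARY = "K", "S"

# Constructed matrix: process -> {risk number: "K" | "S"}.
MATRIX = {
    "Process 1": {1: KEY, 3: SECONDARY, 5: SECONDARY},
    "Process 2": {2: SECONDARY},
    "Process 3": {3: KEY, 4: SECONDARY, 6: KEY},
    "Process 4": {1: SECONDARY, 2: SECONDARY, 7: SECONDARY},
    "Process 5": {4: KEY, 5: KEY, 6: KEY},
    "Process 6": {6: KEY},
    "Process 7": {6: KEY, 7: SECONDARY},
}

# Constructed significance of each risk (impact and likelihood combined).
SIGNIFICANCE = {1: "critical", 2: "high", 3: "critical", 4: "moderate",
                5: "high", 6: "moderate", 7: "low"}


def count_links(matrix):
    """Per process: (number of key links, number of secondary links)."""
    return {
        name: (sum(1 for v in links.values() if v == KEY),
               sum(1 for v in links.values() if v == SECONDARY))
        for name, links in matrix.items()
    }


def key_links_per_risk(matrix):
    """Per risk: the processes holding a key link to it (the view across a risk)."""
    by_risk = {}
    for name, links in matrix.items():
        for risk, kind in links.items():
            if kind == KEY:
                by_risk.setdefault(risk, []).append(name)
    return by_risk


def over_linked_risks(matrix, limit=3):
    """Risks with key links in more than `limit` processes.

    The text expects one or two (at most three) processes with a key link
    to any one risk; more than that suggests the links need re-examining."""
    return sorted(r for r, ps in key_links_per_risk(matrix).items() if len(ps) > limit)


def audit_cycle_years(links, significance, prior_audit_significant=False):
    """Cycle length for one process from its links, following the text's rules.

    Where the text says "several" or gives a range, the numbers are assumed:
    key link to a critical risk -> 1 year; key links to two or more high or
    moderate risks -> 2 years; only secondary links to critical or high
    risks -> 4 years (middle of the three-to-five-year range); otherwise
    5 years. A significant finding in the prior audit pulls the process
    forward to a 1-year cycle."""
    if prior_audit_significant:
        return 1
    key_sig = [significance[r] for r, k in links.items() if k == KEY]
    sec_sig = [significance[r] for r, k in links.items() if k == SECONDARY]
    if "critical" in key_sig:
        return 1
    if sum(s in ("high", "moderate") for s in key_sig) >= 2:
        return 2
    if any(s in ("critical", "high") for s in sec_sig):
        return 4
    return 5


def plan(matrix, significance, prior_findings=None):
    """Cycle length per process; prior_findings maps process -> significant issue found."""
    prior_findings = prior_findings or {}
    return {name: audit_cycle_years(links, significance, prior_findings.get(name, False))
            for name, links in matrix.items()}


if __name__ == "__main__":
    for name, (k, s) in count_links(MATRIX).items():
        print(f"{name}: {k} key, {s} secondary")
    print("risks with key links in more than three processes:", over_linked_risks(MATRIX))
    print(plan(MATRIX, SIGNIFICANCE, {"Process 2": True}))
```

In the constructed matrix, risk 6 carries key links from four processes, so `over_linked_risks` flags it; that is the signal the text describes that either the links or the process boundaries deserve another look before the matrix is used for planning.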

EXHIBIT 5-12
RISK FACTOR APPROACH: FACTORS, DESCRIPTIONS, WEIGHTINGS, AND SCORES

Columns: Risk Factor | Description | Score (1-3) | Weight | Weighted Score (Score x Weight)

EXTERNAL FACTORS

1. Assets at risk (weight 10)
   1 - Less than $500,000
   2 - From $500,000 to $5 million
   3 - Greater than $5 million

2. Visibility (weight 10)
   1 - Operating unit/direct customer
   2 - Divisional/limited set of customers
   3 - Organization/national press

3. Complexity (weight 10)
   1 - Simple, routine assignments make up process
   2 - Requires several steps and interaction of multiple people
   3 - Multiple steps, requiring coordination of multiple individuals both within the process and with other processes

4. Size of process/operation (weight 10)
   1 - Process affects less than 3% of the organization's activities
   2 - Process affects 3% to 15% of the organization's activities
   3 - Process affects more than 15% of the organization's activities

5. Legal/regulatory/external requirements (weight 10)
   1 - Few requirements or generally unregulated
   2 - Some legal, regulatory, or external requirements
   3 - Significant number of and/or complexity of requirements

INTERNAL FACTORS

6. Internal control stability (weight 5)
   1 - Mature risk and control system
   2 - Stable risk and control system with moderate changes
   3 - Significant changes to risk and control system

7. Internal control effectiveness (weight 10)
   1 - No internal control or compliance issues in past two years
   2 - Instances of fraud, internal control weakness, or compliance failures, but none significant in the past two years
   3 - Significant fraud, internal control weakness, or compliance failures in past two years

8. Significant changes in operations, processes, personnel, or technology (weight 15)
   1 - No significant change in last 12 months
   2 - Some changes in process or key personnel in last 12 months
   3 - Major change in business and process or new IT system in last 12 months

OTHER FACTORS

9. Management concerns (weight 10)
   1 - No concerns expressed
   2 - Some concerns expressed by senior management
   3 - Notable concerns expressed by senior management or board

10. Prior audit results (weight 10)
   1 - No internal control or compliance issues in last audit
   2 - Minor internal control or compliance issues in last audit
   3 - Significant internal control or compliance weaknesses in last audit

OVERALL RISK SCORE (sum of the weighted scores; weights total 100)
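The exhibit 5-12 model and the scoring rules the chapter gives for it (weights totalling 100, a three-point scale, overall scores of 100 through 300 read as low below 150, medium from 150 through 239 and high from 240, per-category low/high cut-offs, and the alternative of ranking by score until the planning hours run out) are worked through in the Python below. This is an added example, not the textbook's own code: the factor names and weights are those of the exhibit, the mapping from rating to cycle length is an assumption noted in the code, and the sample processes' scores are constructed.

```python
"""Risk factor approach: weighted-additive scoring of the exhibit 5-12 model.

Added example, not the textbook's code. Factor names and weights follow
exhibit 5-12; the cut-offs are those discussed in the chapter; the sample
scores below are constructed.
"""

# (factor, category, weight) in the order of exhibit 5-12; weights total 100.
FACTORS = [
    ("Assets at risk", "external", 10),
    ("Visibility", "external", 10),
    ("Complexity", "external", 10),
    ("Size of process/operation", "external", 10),
    ("Legal/regulatory/external requirements", "external", 10),
    ("Internal control stability", "internal", 5),
    ("Internal control effectiveness", "internal", 10),
    ("Significant changes in operations, processes, personnel, or technology", "internal", 15),
    ("Management concerns", "other", 10),
    ("Prior audit results", "other", 10),
]
assert sum(w for _, _, w in FACTORS) == 100

SCALE = (1, 2, 3)  # the same three-point scale is used for every factor

# Overall bands: low below 150, medium 150 through 239, high 240 and greater.
OVERALL_BANDS = [(150, "low"), (240, "medium"), (10**9, "high")]
# Per-category (low below, high from) cut-offs quoted in the chapter.
CATEGORY_BANDS = {"external": (90, 125), "internal": (50, 75), "other": (35, 50)}
# Assumed mapping from overall rating to audit cycle length in years.
CYCLE_YEARS = {"high": 1, "medium": 2, "low": 3}


def score_range(category=None):
    """Lowest and highest attainable weighted score, overall or for one category."""
    weights = [w for _, c, w in FACTORS if category in (None, c)]
    return min(SCALE) * sum(weights), max(SCALE) * sum(weights)


def weighted_scores(scores):
    """Validate ten raw factor scores; return (overall total, per-category totals)."""
    if len(scores) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} scores, got {len(scores)}")
    totals = {"external": 0, "internal": 0, "other": 0}
    for (_, category, weight), score in zip(FACTORS, scores):
        if score not in SCALE:
            raise ValueError(f"score {score!r} is outside the scale {SCALE}")
        totals[category] += score * weight
    return sum(totals.values()), totals


def overall_band(total):
    for upper, name in OVERALL_BANDS:
        if total < upper:
            return name
    raise ValueError("total above any band")


def category_band(category, total):
    low_below, high_from = CATEGORY_BANDS[category]
    if total < low_below:
        return "low"
    return "high" if total >= high_from else "medium"


def assess(scores):
    """Overall score, rating, assumed cycle length, and per-category rating."""
    total, by_cat = weighted_scores(scores)
    rating = overall_band(total)
    return {
        "overall": total,
        "overall_rating": rating,
        "cycle_years": CYCLE_YEARS[rating],
        "by_category": {c: (t, category_band(c, t)) for c, t in by_cat.items()},
    }


def prioritize(process_scores, hours_available, hours_per_audit):
    """Alternative to cycles: take processes in descending overall score until
    the planning period's hours are exhausted (ties broken by process name)."""
    ranked = sorted(process_scores.items(),
                    key=lambda item: (-weighted_scores(item[1])[0], item[0]))
    selected, used = [], 0
    for name, _ in ranked:
        if used + hours_per_audit[name] > hours_available:
            break
        selected.append(name)
        used += hours_per_audit[name]
    return selected


# Constructed raw scores, one per factor in exhibit 5-12 order.
SAMPLE = {
    "Process 10": [1, 1, 2, 1, 1, 2, 3, 3, 2, 1],
    "Process 5": [3, 2, 2, 2, 3, 1, 1, 1, 1, 1],
    "Process 8": [1] * 10,
}

if __name__ == "__main__":
    for name, scores in SAMPLE.items():
        print(name, assess(scores))
    print(prioritize(SAMPLE, 100, {n: 40 for n in SAMPLE}))
```

Note how the two views can disagree: the constructed Process 10 is only medium overall (175) yet high on the internal factors (85 of a possible 90), which is exactly the case the chapter has in mind when it says some functions prefer to judge by factor category rather than by total.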


The next decision pertains to the relative importance (or weight) of one factor to another. If each risk factor is considered to be of equal importance, they may be given the same numeric weighting. Usually, weighting is done by assigning numbers from 0 through 100, so the sum of weights equals 100. Thus, if there are five risk factors and each of the factors is considered to be of the same importance, each factor will be assigned a weight of 20. In the risk factor model shown in exhibit 5-12, the internal control stability factor is given a weight of 5, which means it is considered only half as important as the assets at risk factor (weight of 10) and only one-third as important as the significant changes factor (weight of 15).

The final decision relates to how the risk factors are combined. Most risk factor approaches use a weighted-additive model: each factor score is multiplied by a factor weight and summed across factors to give an overall risk score (exhibit 5-12). For example, overall scores can range from 100 through 300 and can be interpreted as low risk (scores below 150), medium risk (scores from 150 through 239), and high risk (scores 240 and greater). The ranges of scores may be adjusted once the distribution of scores over all processes is determined. The categories can then be used to assign each process an audit cycle of one, two, three, or more years. Thus, if a process is assigned to a two-year cycle, it would be scheduled for audit every two years.

Some internal audit functions prefer not to make judgments using total scores, but they look at the scores by factor (external, internal, other). This can be done by assigning a low, medium, or high rating to each factor. Note that the range of scores varies based on the number of individual factors in each category (5, 3, and 2 in the current example) and differences in weightings. Thus, in the model presented in exhibit 5-12, the total external risk score can range from 50 through 150, the total internal risk score from 30 through 90, and the total other factors score from 20 through 60. Given these ranges, a low rating for external risks may be scores of less than 90 and a high rating may be scores of 125 or greater. A low rating for internal risks may be scores of less than 50 and a high rating may be scores of 75 or greater. A low rating for other factors may be scores of less than 35 while a high rating may be scores of 50 or greater. Exhibit 5-13 illustrates visually how this might be displayed to help determine the audit cycle. As before, the process can be placed on a cycle of one, two, three, or more years.

As an alternative to assigning each process to an audit cycle, prioritizing processes can be done by sorting the processes by their risk scores and selecting the ones with the highest scores to include in the internal audit plan until available hours for the planning period have been exhausted. If such an approach is used, it is important to note when the process was last audited. One technique for doing this is to add time since the last audit as one of the risk factors. For example, in the model presented in exhibit 5-12, this factor would be added as a factor under Other Factors and could be scored 1 - process audited in the past 12 months, 2 - process audited in the past 12 to 36 months, and 3 - process has not been audited in the past 36 months.

EXHIBIT 5-13
RISK FACTOR APPROACH: RISK ANALYSIS BY BUSINESS PROCESS
Rows: Process 1 through Process n.
Columns (RISK LEVEL): External (potential range of scores 50 to 150), Internal (30 to 90), Other (20 to 60).
[The ratings shown in each cell of the original figure are not legible in this copy.]

Business Processes and Risks in the Assurance Engagement

The approach to identifying business processes and risks discussed up to this point also applies at the engagement level. Recall the example presented earlier in this chapter (exhibit 5-10): the mission to gain the necessary knowledge and skills to be successful in an entry-level internal audit position and the five objectives established to accomplish this mission. Suppose a student's parents wanted some assurance that the mission and objectives would be accomplished and asked an older sibling, recently graduated and working as an internal auditor, to visit the student and perform an internal audit. This begins with the student and the sibling sitting down and listing a number of activities and processes the student carries out to achieve the mission:

1. Studying for exams.

2. Reading the assigned materials.

3. Completing class assignments and projects.

4. Eating meals.

5. Paying tuition and other bills.

6. Listening and taking notes in class.

7. Selecting and registering for the appropriate classes.

8. Exercising.

9. Cleaning the apartment.

10. Getting to the first class of the day on time.

Process 10, getting to the first class of the day on time, will be the focus of this example. The internal auditor/sibling begins by asking the student a series of questions about how preparations for the next day are conducted and about getting up in the morning and going to class. The student explains that, although classes are held only on Monday, Wednesday, and Friday this semester, the first class begins at 8:00 a.m. After answering all the questions asked, the internal auditor/sibling creates a process map and asks if it represents the information provided. The student suggests a few changes, producing the process map shown in exhibit 5-6.

The next step is to identify and evaluate specific risks in each activity or subprocess within the key process. The internal auditor/sibling does this by placing each activity on a matrix and listing a description of each risk down the side of the page as shown in exhibit 5-14. Each risk statement describes an event that may adversely affect the activity's or subprocess's ability to achieve its goals. The potential impact of the event is then identified and evaluated by its seriousness. Finally, the likelihood of the event is assessed. The first five columns of exhibit 5-14 depict this information in a partially completed risk/control matrix for the first four activities and nine associated risks involved in getting to campus on time for class.

Risk evaluation also can be displayed using a risk map to prioritize risks within the key process. Those in the upper right quadrant of the risk map would be the most critical, while those in the lower left quadrant would be of relatively low concern. A risk map for the risks identified in exhibit 5-14 is shown in exhibit 5-15. On the risk map, impact and likelihood are combined to determine if the risk is of critical, moderate, or low significance.

Once specific risks have been identified, the next step is to determine how these risks are managed and if the response is effective in reducing them to an acceptable level. As mentioned earlier, there are four general responses: avoid, reduce, share, and accept. Within processes, most often the response to a specific risk is either to accept the risk or attempt to reduce it through controls. The topic of controls is addressed in more detail in chapter 6, "Internal Control," and subsequent chapters.

However, to complete the discussion of the risks in our process example, exhibit 5-14 shows two additional columns in the risk matrix. The sixth column indicates the risk response strategy and the seventh specifies how one might gain assurance that the response strategy (in particular, the control) was effective at managing the risks.

After the response strategies have been determined, and both before and after the strategies have been tested for effectiveness, an overview of the risk response strategies can be obtained by creating a risk control map, which plots risk significance (in this example, impact and likelihood are combined to create low, moderate, and critical significance) against control effectiveness. This is illustrated in exhibit 5-16 using the specific risks from exhibit 5-14 for process 10 (getting to the first class of the day on time). The risk control map shows where there is an appropriate balance between risk and the control; that is, more effective controls over critical risks (high impact and likelihood) than low risks (low impact and low chance of occurrence). Risks falling between the two dashed parallel lines (risks 4, 8, 1, 3, and 6) are shown to be appropriately balanced. Above and left of the dashed lines on the map (risk 7), the control/risk relationship is not appropriately balanced; the response strategy does not appropriately mitigate the risks. On the other hand, below and right of the dashed lines are a number of risks that may be over-controlled (5, 9, and 2). They represent situations in which efficiencies might be gained by reducing the resources devoted to the related controls.

Assurance Engagement: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.

EXHIBIT 5-14
RISK/CONTROL MATRIX FOR PROCESS 10: GETTING TO AN 8:00 A.M. CLASS ON TIME
Columns: activity/subprocess, risk description, impact, seriousness of impact, likelihood, risk response strategy, and how assurance about the response is obtained. Rows: the first four activities and the nine associated risks.
[The body of the matrix is not legible in this copy.]