Chapter 5: Business Processes and Risks Flashcards

1
Q

In assessing organizational risk in a manufacturing organization, which of the following would have the greatest long-range impact on the organization?

a. Advertising budget.
b. Production scheduling.
c. Inventory policy.
d. Product quality.

A

D is the best answer. Product quality presents the most significant risk to the long-term success of a manufacturing organization. Advertising budget, production scheduling, and inventory policy have secondary and short-term impacts on long-term objectives, but alone would not determine long-range success.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Internal auditors often prepare process maps and reference portions of these maps to narrative descriptions of certain activities. This is an appropriate procedure to:

a. Determine the ability of the activities to produce reliable information.
b. Obtain the understanding necessary to test the process.
c. Document that the process meets internal audit standards.
d. Determine whether the process meets established management objectives.

A

B is the best answer. Process mapping is a tool used to gain the necessary understanding that supports the internal auditor’s testing approach. A process map itself cannot determine whether the system can produce reliable information; that requires additional assessment and evaluation. Also, it does not doc-ument whether or not the systems meet international auditing standards (in fact, auditing standards have to do with what the auditors do, not characteristics of the control system itself). Finally, the pro-cess map itself does not determine whether the system meets management’s objectives; that requires further assessment and evaluation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is a business process?

a. How management plans to achieve the organization’s objectives.
b. The set of connected activities linked with each other for the purpose of achieving an objective or goal.
c. A group of interacting, interrelated, or interdependent elements forming a complex whole.
d. A finite endeavor (having specific start and completion dates) undertaken to create a unique product or service that brings about beneficial change or added value.

A

B is the best answer. Business processes are activities related to each other with the intent of achieving an objective or goal.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Which of the following are business processes?

I. Strategic planning.

II. Review and write-off of delinquent loans.

III. Safeguarding of assets.

IV. Remittance of payroll taxes to the respective tax authorities.

a. I and III.
b. II and IV.
c. I, II, and IV.
d. I, II, III, and IV.

A

C is the best answer. All of these choices could be part of an organization’s business processes. Safe-guarding of assets is an important control objective, but it is not a business process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which of the following symbols in a process map will most likely contain a question?

a. Rectangle.
b. Diamond.
c. Arrow.
d. Oval.

A

B is the best answer. A diamond symbol represents a decision that is made; therefore, a question is typically included in the symbol

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

After business risks have been identified, they should be assessed in terms of their inherent:

a. Impact and likelihood.
b. Likelihood and probability.
c. Significance and severity.
d. Significance and control effectiveness.

A

A is the best answer. Inherent impact and likelihood are the common risk assessment criteria.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

In a risk by process matrix, a process that helps to manage a risk indirectly would be shown to have:

a. A key link.
b. A secondary link.
c. An indirect link.
d. No link at all.

A

B is the best answer. When a process manages a risk in an indirect manner, it is considered a second-ary link.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A major upgrade to an important information system would most likely represent a high:

a. External risk factor.
b. Internal risk factor.
c. Other risk factor.
d. Likelihood of future systems problems.

A

B is the best answer. An important information system upgrade would represent a significant change in operations, processes, personnel, or technology, which is factor #8 in exhibit 5-12.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following is true regarding business process outsourcing?

a. Outsourcing a core, high-risk business process reduces the overall operational risk.
b. Outsourced processes should not be included in the internal audit universe.
c. The independent outside auditor is required to review all significant outsourced business processes.
d. Management’s controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function.

A

D is the best answer. Outsourcing a business process does not allow management to abdicate respon-sibility for ensuring the process operates effectively. Therefore, performance requirements should be built into the outsourcing contract.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

A company has recently outsourced its payroll process to a third-party service provider. An audit team was scheduled to audit payroll controls in the annual audit plan prepared prior to the outsourcing. What action should the audit team take, considering the outsourcing decision?

a. Cancel the engagement, because the processing is being performed outside the organization.
b. Review only the controls over payments to the third-party provider based on the contract.
c. Review only the company’s controls over data sent to and received from the third-party service provider.
d. Review the controls over payroll processing in both the company and the third-party service provider.

A

D is the best answer. Management of the company is still accountable for the risks, so controls at the third-party processor and the user organization are both important. As the controls at the third party and the user organization interact, both must be reviewed. Although the process is being performed outside the organization, the third party is an extension of the organization’s payroll process. The risk here may actually increase because an external party controls part of the control environment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Which flowcharting symbol indicates the start or end of a process?

a. Arrow.
b. Diamond
c. Oval.
d. Rectangle

A

C is the best answer. An oval is used to indicate the start or end of a flow.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

How does a control manage a specific risk?

a. It reduces the likelihood of the event giving rise to the risk.
b. It reduces the impact of the event giving rise to the risk.
c. It reduces either likelihood or impact or both.
d. It prevents the occurrence of the event.

A

C is the best answer. A control can reduce event likelihood, or reduce the event impact, or both. In each case, the risk is lessened.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is a business process?

A

A business process is the set of connected activities linked with each other for the purpose of achiev-ing an objective or goal

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What are operating processes?

A

Operating processes are the core processes through which the organization achieves its primary objectives.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is the difference between a top-down and bottom-up approach to understanding business processes?

A

A top-down approach begins at the entity level with the organization’s objectives, and then identifies the key processes critical to the success of each of the organization’s objectives. A bottom-up approach begins by looking at all processes directly at the activity level, and then aggregates the identified pro-cesses across the organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How does an organization determine the key objectives of a business process?

A

The key objectives for a process can be identified by determining the following for the process:

a. Why does the process exist?
b. How does this process contribute to the success of the organization’s strategy?
c. How are people expected to act?
d. What else does the process do that is important to management?

17
Q

What are two commonly used methods for documenting processes? Describe each.

A

The two common methods used to document processes are process maps and process write-ups. Pro-cess maps show the inputs, workflows, process interactions, and outputs in a graphic form. A process write-up is a narrative description of how the process works.

18
Q

What are the two common factors used when assessing risks?

A

The two common risk assessment factors are impact of the event if it occurs and the likelihood of the event’s occurrence.

19
Q

What are the four responses an organization can take toward a risk?

A

The four strategies an organization can take to respond to risk are: a. Controlling the risk (mitigating the risk) by reducing the likelihood of the event taking place, by reducing its impact, or both. For example, the airbags in a car reduce the impact of a collision in terms of the risk that a passenger in the car would be injured.

b. Transferring (sharing) the risk to (with) other organizations. For example, a farmer transferring some of the risk of bad weather causing a low crop yield to an insurance company by buying crop insurance.
c. Accepting the risk. In this case, the organization takes its chances that risk events will be tolerable.
d. Avoiding the risk by not engaging in the activity.