Chapter 5: Business Processes and Risks Flashcards
In assessing organizational risk in a manufacturing organization, which of the following would have the greatest long-range impact on the organization?
a. Advertising budget.
b. Production scheduling.
c. Inventory policy.
d. Product quality.
D is the best answer. Product quality presents the most significant risk to the long-term success of a manufacturing organization. Advertising budget, production scheduling, and inventory policy have secondary and short-term impacts on long-term objectives, but alone would not determine long-range success.
Internal auditors often prepare process maps and reference portions of these maps to narrative descriptions of certain activities. This is an appropriate procedure to:
a. Determine the ability of the activities to produce reliable information.
b. Obtain the understanding necessary to test the process.
c. Document that the process meets internal audit standards.
d. Determine whether the process meets established management objectives.
B is the best answer. Process mapping is a tool used to gain the necessary understanding that supports the internal auditor’s testing approach. A process map itself cannot determine whether the system can produce reliable information; that requires additional assessment and evaluation. Also, it does not doc-ument whether or not the systems meet international auditing standards (in fact, auditing standards have to do with what the auditors do, not characteristics of the control system itself). Finally, the pro-cess map itself does not determine whether the system meets management’s objectives; that requires further assessment and evaluation.
What is a business process?
a. How management plans to achieve the organization’s objectives.
b. The set of connected activities linked with each other for the purpose of achieving an objective or goal.
c. A group of interacting, interrelated, or interdependent elements forming a complex whole.
d. A finite endeavor (having specific start and completion dates) undertaken to create a unique product or service that brings about beneficial change or added value.
B is the best answer. Business processes are activities related to each other with the intent of achieving an objective or goal.
Which of the following are business processes?
I. Strategic planning.
II. Review and write-off of delinquent loans.
III. Safeguarding of assets.
IV. Remittance of payroll taxes to the respective tax authorities.
a. I and III.
b. II and IV.
c. I, II, and IV.
d. I, II, III, and IV.
C is the best answer. All of these choices could be part of an organization’s business processes. Safe-guarding of assets is an important control objective, but it is not a business process.
Which of the following symbols in a process map will most likely contain a question?
a. Rectangle.
b. Diamond.
c. Arrow.
d. Oval.
B is the best answer. A diamond symbol represents a decision that is made; therefore, a question is typically included in the symbol
After business risks have been identified, they should be assessed in terms of their inherent:
a. Impact and likelihood.
b. Likelihood and probability.
c. Significance and severity.
d. Significance and control effectiveness.
A is the best answer. Inherent impact and likelihood are the common risk assessment criteria.
In a risk by process matrix, a process that helps to manage a risk indirectly would be shown to have:
a. A key link.
b. A secondary link.
c. An indirect link.
d. No link at all.
B is the best answer. When a process manages a risk in an indirect manner, it is considered a second-ary link.
A major upgrade to an important information system would most likely represent a high:
a. External risk factor.
b. Internal risk factor.
c. Other risk factor.
d. Likelihood of future systems problems.
B is the best answer. An important information system upgrade would represent a significant change in operations, processes, personnel, or technology, which is factor #8 in exhibit 5-12.
Which of the following is true regarding business process outsourcing?
a. Outsourcing a core, high-risk business process reduces the overall operational risk.
b. Outsourced processes should not be included in the internal audit universe.
c. The independent outside auditor is required to review all significant outsourced business processes.
d. Management’s controls to ensure the outsourcing provider meets contractual performance requirements should be tested by the internal audit function.
D is the best answer. Outsourcing a business process does not allow management to abdicate respon-sibility for ensuring the process operates effectively. Therefore, performance requirements should be built into the outsourcing contract.
A company has recently outsourced its payroll process to a third-party service provider. An audit team was scheduled to audit payroll controls in the annual audit plan prepared prior to the outsourcing. What action should the audit team take, considering the outsourcing decision?
a. Cancel the engagement, because the processing is being performed outside the organization.
b. Review only the controls over payments to the third-party provider based on the contract.
c. Review only the company’s controls over data sent to and received from the third-party service provider.
d. Review the controls over payroll processing in both the company and the third-party service provider.
D is the best answer. Management of the company is still accountable for the risks, so controls at the third-party processor and the user organization are both important. As the controls at the third party and the user organization interact, both must be reviewed. Although the process is being performed outside the organization, the third party is an extension of the organization’s payroll process. The risk here may actually increase because an external party controls part of the control environment.
Which flowcharting symbol indicates the start or end of a process?
a. Arrow.
b. Diamond
c. Oval.
d. Rectangle
C is the best answer. An oval is used to indicate the start or end of a flow.
How does a control manage a specific risk?
a. It reduces the likelihood of the event giving rise to the risk.
b. It reduces the impact of the event giving rise to the risk.
c. It reduces either likelihood or impact or both.
d. It prevents the occurrence of the event.
C is the best answer. A control can reduce event likelihood, or reduce the event impact, or both. In each case, the risk is lessened.
What is a business process?
A business process is the set of connected activities linked with each other for the purpose of achiev-ing an objective or goal
What are operating processes?
Operating processes are the core processes through which the organization achieves its primary objectives.
What is the difference between a top-down and bottom-up approach to understanding business processes?
A top-down approach begins at the entity level with the organization’s objectives, and then identifies the key processes critical to the success of each of the organization’s objectives. A bottom-up approach begins by looking at all processes directly at the activity level, and then aggregates the identified pro-cesses across the organization.