4.4.1 Central Area
4.4.1.1 Main Works
ERM provides a framework for internal auditors to better understand risks both in individual departments and throughout their enterprise or organization. An understanding of these potential risks will allow an internal auditor to devote more time to higher-risk areas and then develop audit procedures to review, test, and evaluate controls in higher-risk areas. This requires a multiple-step audit process. Given an auditor's basic understanding of the risk management process, risk-based auditing requires a four-step process:
1. Define the processes covering an organization’s operations.
2. Rank and score processes on the basis of their relative risks.
3. Assess process risks with an emphasis on higher-risk areas.
4. Initiate actions to install controls over higher-risk processes.
The above four basic processes can be used to understand and assess relative risks in an organizational unit, whether a single department, the entire enterprise, or beyond. The concept here is similar whether an internal auditor is planning and deciding on which areas are candidates for an audit or a senior manager is focusing management attention on higher-risk areas. Understanding and focusing attention on these higher-risk areas is an important component of risk analysis. There is some level of risk associated with every business process or operation, but time and resource constraints mean that we cannot look at all of them. This section discusses an approach for ranking and evaluating process risks in an organization. While the ERM framework allows risk assessments on an almost global scale, looking at the organization in total, at its competitors and more, internal auditors typically focus only on the risks within their organization or even the operating unit where internal audit has responsibility.
(a) Define Organization Processes
Internal auditors often think in terms of their audit universe, the number of auditable entities within the organization, that is, the number of areas that can be subject to potential audit. This audit universe concept is discussed in the Chapter 13 discussion on organizing the internal audit function and on internal audit planning.
The step here is to define all major processes within the entity, areas that may be subject to internal audit. Understanding the concept of a process is perhaps the important first step here. Processes are the systematic activities by which an organization conducts its affairs. For a vendor accounts payable operation, processes are more than just the individual payment transactions and the supporting automated application; the process is the steps from receiving and mailing the remittance received to delivery of payment. While a process will usually cover that entire accounts payable operation, it is sometimes valid to separate certain unique payable transactions as separate processes.
Defining that list of processes requires the participation of a wide group of people in the organization: internal audit, information systems, quality assurance, and both managers and staff in the area being evaluated. If an organization has not already gone through a process definition, a good first step is to get a senior management team to help sell this process identification exercise on a functional area by functional area basis. Exhibit 5.2 provides a framework for understanding organizational risks. The management team here should not focus on just an individual area, such as the accounting department, but across broad areas of operations.
(b) Rank and Score Processes Based on Relative Risk
An initial step is to develop some type of scoring or evaluation process to look at each of the identified processes and to rate them based on a consistent set of risk-related factors. There is no one correct scoring formula to use here; the various factors and scoring process depend on the types of processes being reviewed.
Exhibit 5.3 is an example of such a scoring system, used for selecting new systems under development for internal audit preimplementation reviews.
The idea is to establish a set of factors to consider, assign each a relative criticality score, and then to calculate a weighted relative risk score for that process.
There is no one correct list or set of procedures. The idea is for internal audit to meet with management and discuss what areas or processes are jointly considered to be relatively riskier. It is sometimes best to derive a fairly lengthy list of factors to limit any bias in the process. If this is done as a single exercise, all processes under consideration should be scored. The same system should be used on an ongoing basis as new processes are launched and considered for risk-based analysis.
EXHIBIT 5.2 Framework for Understanding Organizational Risk
Source: Robert R. Moeller, Sarbanes-Oxley and the New Internal Auditing Rules, © copyright 2004, John Wiley & Sons. Used with permission.
EXHIBIT 5.3 Risk Scoring Factors Example
(c) Assess and Identify Higher-Risk Processes
The next step here is to apply the factors and calculate the relative risk scores for all of the processes reviewed. This is an exercise that sometimes yields unexpected results. That is, internal audit and the team that established the risk factors and their relative scores may find that a process which had been considered relatively high risk scores lower than others. This may require some rethinking of the risk scoring process, but will typically mean that a process appears to have a higher or lower risk than was originally assumed.
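The scoring and ranking mechanics of steps (b) and (c), as an added worked example; this is illustration code written for this page, not the book's or any audit department's tooling. The factor names, criticality weights, rating scale, high-risk cutoff, and the four sample processes are all constructed for the example and are not the factors of Exhibit 5.3. Each process is rated on every factor, the ratings are combined into a weighted score normalised to 0-100, the processes are ranked, and any process whose computed tier disagrees with management's prior assumption is flagged for the rethinking step (c) describes.

```python
"""Weighted relative-risk scoring and ranking of auditable processes.

Added illustration, not code from the book: it implements the scoring
idea of steps (b) and (c). A fixed set of risk factors, each with a
criticality weight, is rated per process, combined into a weighted
score on a 0-100 scale, and the processes are ranked. The factor names,
weights, cutoff and process data below are constructed for the example;
they are not the factors of Exhibit 5.3.
"""
from dataclasses import dataclass

# Constructed factor set: factor name -> criticality weight.
FACTORS = {
    "financial_impact": 5,
    "regulatory_exposure": 4,
    "system_change_rate": 3,
    "control_maturity_gap": 4,
    "time_since_last_audit": 2,
}
MIN_RATING, MAX_RATING = 1, 5      # each factor is rated on this scale
HIGH_RISK_CUTOFF = 60.0            # constructed threshold for "higher-risk"


@dataclass
class ProcessRisk:
    name: str
    ratings: dict                  # factor name -> rating in [MIN_RATING, MAX_RATING]
    assumed_high_risk: bool        # management's prior view before scoring


def weighted_score(ratings, factors=FACTORS):
    """Weighted relative risk score normalised to 0-100.

    Every factor must be rated exactly once and within range, so a
    process cannot score low simply because a factor was left blank.
    """
    unknown = set(ratings) - set(factors)
    missing = set(factors) - set(ratings)
    if unknown or missing:
        raise ValueError(f"unknown factors {sorted(unknown)}, missing {sorted(missing)}")
    for name, rating in ratings.items():
        if not MIN_RATING <= rating <= MAX_RATING:
            raise ValueError(f"{name}: rating {rating} outside {MIN_RATING}-{MAX_RATING}")
    raw = sum(factors[f] * ratings[f] for f in factors)
    max_raw = MAX_RATING * sum(factors.values())
    return round(100.0 * raw / max_raw, 1)


def rank_processes(processes):
    """Return (name, score) pairs, highest score first; ties broken by name."""
    scored = [(p.name, weighted_score(p.ratings)) for p in processes]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def unexpected_results(processes, cutoff=HIGH_RISK_CUTOFF):
    """Processes whose computed tier disagrees with the assumed one.

    These are the cases step (c) says to revisit: either the scoring
    model or the original assumption needs rethinking.
    """
    findings = []
    for p in processes:
        score = weighted_score(p.ratings)
        computed_high = score >= cutoff
        if computed_high != p.assumed_high_risk:
            note = "scored lower than assumed" if p.assumed_high_risk else "scored higher than assumed"
            findings.append((p.name, score, note))
    return findings


# Constructed sample data for four processes (not real audit data).
SAMPLE_PROCESSES = [
    ProcessRisk("vendor_payables",
                {"financial_impact": 5, "regulatory_exposure": 4, "system_change_rate": 2,
                 "control_maturity_gap": 3, "time_since_last_audit": 4}, assumed_high_risk=True),
    ProcessRisk("payroll",
                {"financial_impact": 4, "regulatory_exposure": 5, "system_change_rate": 1,
                 "control_maturity_gap": 2, "time_since_last_audit": 1}, assumed_high_risk=True),
    ProcessRisk("marketing_expenses",
                {"financial_impact": 2, "regulatory_exposure": 1, "system_change_rate": 2,
                 "control_maturity_gap": 2, "time_since_last_audit": 3}, assumed_high_risk=False),
    ProcessRisk("customer_data_export",
                {"financial_impact": 3, "regulatory_exposure": 5, "system_change_rate": 5,
                 "control_maturity_gap": 4, "time_since_last_audit": 5}, assumed_high_risk=False),
]

if __name__ == "__main__":
    for name, score in rank_processes(SAMPLE_PROCESSES):
        print(f"{score:5.1f}  {name}")
    for name, score, note in unexpected_results(SAMPLE_PROCESSES):
        print(f"revisit: {name} ({score}) {note}")
```

On the constructed data, payroll (assumed high risk) scores below the cutoff and customer_data_export (assumed low risk) scores well above it, which is exactly the kind of result that should send the team back to check the factor weights before the audit plan is fixed. Requiring a rating for every factor and refusing out-of-range values is what keeps the "fairly lengthy list of factors" honest: a process cannot drift down the ranking because one rater skipped a column.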
(d) Initiate Actions and Install Controls for Higher-Risk Processes
The final step is to initiate plans to review and otherwise audit the identified higher-risk areas. For internal audit this ties directly into the internal audit planning procedures discussed in Chapter 13. Internal audit can use this same type of exercise to help organization management assess and identify higher-risk areas under ERM.
5.6 UNDERSTANDING RISKS FOR MORE EFFECTIVE