
What Are Operational Audits?

Operational audits are a forward-looking process and are part of many organizations’
ongoing business improvement toolkit. The findings of operational audits are
intended to diagnose which areas need attention and to safeguard assets by averting
potential future risks. The Operational Auditing Handbook borrows The Institute of
Internal Auditors’ (IIA) definition of an operational audit: “A systematic process of
evaluating an organization's effectiveness, efficiency and economy of operations under
management's control and reporting to appropriate persons the results of the evaluation
along with recommendations for improvement.”
 
While an audit is usually associated with financial matters, operational audits are more
comprehensive and go beyond financial data (although that type of reporting is often
included). The primary information sources are policies and achievements related to the
objectives of the organization.  
 
Operational audits are a ‘deep dive’ into every facet of management. As a result, start-
to-finish time frames can vary from a few weeks to many months, depending on scope,
complexity, and size of the organization, and whether the audit is for the entire entity or
a particular business unit. Unlike financial audits, which are conducted by external
entities, operational audits are often carried out by an internal auditor.

What Is the Objective of an Operational Audit?


“The first step is to establish its objectives,” explains Kandarpa. Objectives can vary
depending on the type of organization and its KPIs, or whether the audit is being
conducted to answer a specific concern from challenges arising in areas like human
resources, customer relations, or manufacturing slowdowns. There may also be
government compliance issues to consider, such as consumer safety.”
 
Part of the objective should also be to maintain quality in the auditing process. “The
standards that apply are defined by ISO 19011, and that is what I recommend as a best
practice,” says Kandarpa. The main standard areas that govern audits are:
1. Integrity: Withstand pressures that may be exerted and take care to comply with
any legal requirements.  
2. Fair Presentation: Present all results fairly and report significant concerns.
3. Due Professional Care: Use diligence, due care, and reasoned judgments in
every situation.
4. Confidentiality: Keep information secure, and protect confidential or sensitive
information.
5. Independence: Maintain impartiality and keep actions and reporting bias-free.
6. Evidence-Based: Depend on a fact-based approach to reach reliable
conclusions.

Understanding the true status of operations is the basis for a healthier, more competitive,
and more profitable organization.  

Benefits of Organizational Audits


Conducted by an internal or external auditor, audits are objective. They supply a fresh
perspective on the good and not-so-good aspects of organizational practices and
processes. The final report should make management aware of problems they might not
have otherwise understood, and give them a knowledge base for making
improvements. Executives can also use organizational audit results to motivate team
members and emphasize existing or new goals. Subsequent actions can then lead to
greater profitability, legal compliance, and employee satisfaction in the long term. 
 

Operational audit programs are valuable to four entities:

• The Organization can achieve its aims by applying disciplined, systematic methods to
assess and advance the effectiveness of control, risk management, and governance
processes.
• The Individual can continuously improve their ability to apply knowledge and
skills to deliver the intended results.
• The End User or Consumer receives more cost-efficient and high-quality
products or services.
• The World benefits from a better, more sustainable future.

Organizations can expect to achieve five primary goals or main advantages by
performing any operational audit:

• Influence Positive Change: Understand how future processes, policies,
procedures, and other types of management are producing maximum
effectiveness and efficiency.
• Review Internal Controls: Establish the potential impact of successes and
failures in the specialized functional areas of operation.
• Understand Risks: The types of risk associated with business and operations
range from business interruption, employee omissions or errors, IT system
failure, product failure, safety and health issues, loss of key employees, fraud,
and loss of suppliers to litigation.
• Identify Improvement Opportunities: As a result of understanding risks,
auditors can determine where to make improvements and how to mitigate risks
and improve opportunities. The broad categories of risk - and where
improvements should occur - are operational risk, financial risk, environmental
risk, and reputational risk.
• Inform Senior Management: The results of the audit should appear in a clear
report that provides objective analysis, appraisals, recommendations, and
pertinent comments concerning the activities reviewed.

Operational Audits Are Continuous Improvement Tools

To meet the challenges of a rapidly changing marketplace and regulatory environment,
companies must continually reinvent the way they do business. As Kandarpa notes,
“The most widely used tools are the plan-do-check-act or Deming Cycle, which the
auditor uses in their own auditing activities.” Organizations should conduct audits
regularly to support continuous improvement and to check the progress of quality
measures recommended in previous audits.

The internal audit isn’t immune to the pressures organizations can experience, so
auditors need to find innovative means to help their company succeed. Many
companies or specific departments (such as IT) focus on incremental improvement to
improve processes, products, services, or all three.

Operational Audit Challenges

When asked about the biggest challenges to conducting operational audits, Kandarpa
says, “Top management support for the auditing program can sometimes be difficult to
obtain, since, by its nature, the process highlights management issues.” He adds,
“There needs to be effective management processes in place to handle conflict
management which may arise due to the audit, and a systems approach to linking
organizational goals and objectives.”

Change Management

Change management needs to be well-handled. The results of the audit will likely lead to
multiple changes, and team members and managers may have difficulty adjusting to
different expectations, processes, personnel, or budgets. Change can also affect teamwork,
but those issues can be mitigated. To learn how to manage and build strong teams
that can deal with change, review Everything You Need to Know About Team
Assessments.

RACI (Responsible, Accountable, Consulted, Informed) principles are a helpful tool for
managing the change that may result from an operations audit. Get more
details on how to implement RACI effectively by reading A Comprehensive Project
Management Guide for Everything RACI, which also includes free templates to help teams
cope and flourish during times of change.

Operational Auditing Expenses

There are costs involved during and after an audit. If the auditor is a consultant, of
course, there will be fees for their engagement. There is also the cost of having projects
or production slow temporarily when managers and employees are working with the
auditor. If the auditor usually holds another position within the company, there may be a
slowdown in his or her regular job responsibilities. As mentioned, there may be costs
associated with necessary changes.

Auditor Evaluation

Considering the major responsibility of the auditing position (whether the auditor or
auditors are operating internally or externally), Kandarpa believes that “The competence
of the auditor or auditors should be determined based on explicit evaluation criteria.”  

He provides this evaluation checklist to assist in the selection of the best
candidate:

Demand for Internal Auditing Experts Is Increasing


As proof that the number of operational audits is increasing, the need for internal auditing
experts is on the rise. Robert Half International has found that the demand for internal
auditors in the United States is going strong and that the need for internal auditors is
growing faster than the average for all occupations through 2024. Demand for the
profession is also mounting in Europe and Asia. 

Different Types of Operational Audits


In addition to overall operational audits, some subcategories cover specific business
functions and operations:

• Financial Audits or Review: Financial audits focus on financial controls as they relate
to reporting to internal and external governing bodies. Financial statement auditing is the
bailiwick of external auditors. Internal audits complement the work of operational audits,
which include some form of budget or financial review.
• Operational Audits: As noted, operational audits focus on the review and assessment
of single or multiple business processes.
• Department Reviews: Different departments or divisions may run a periodic analysis to
assess the adequacy of controls, how well assets are safeguarded, how resources are
used, and whether there is compliance with applicable laws.
• Information System (IT) Audits: Information systems audits investigate overall
infrastructure and networks, technical operations, data center operation, and project
management, and review security status and procedures.
• Investigative Audits: When a company suspects a risk of a security breach, or
when one has occurred on the part of an individual or department, there is often
an investigative audit to understand causes and gather additional background
information and research.
• Compliance Audits: Compliance audits review the level of compliance with
external regulatory requirements or internal policies.
• Marketing Audits: A marketing audit is a broad, precise, and autonomous probe
into the marketing of a company or a business. An audit includes both an external
situation analysis and a thorough review of internal marketing goals, strategies,
capabilities, processes, and systems. The result is actionable recommendations
to improve progress toward stated goals.
• Follow-Up Audits: After an operational audit report has been issued, it is
standard practice to follow up to evaluate corrective actions, usually within a
six-month period.

Operational Audit Process and Checklist


The overall process flow for operational audits, according to Kandarpa, has a set of
steps, which includes the use of PDCA for quality and continuous improvement:

• Establishing Objectives: Base objectives on management goals and priorities.
Consider the characteristics of products, projects, processes, and any changes
to them. Take into account management system requirements, contractual and
legal requirements, and other requirements. Evaluate suppliers and the needs
and expectations of interested parties, including customers. Take into account
the auditee’s level of performance, risks, previous audit results, and the maturity
of the management system being audited.
• Establishing the Audit Program: Identify the responsibilities of the audit
program manager and establish that person’s competence. Determine
the scope and potential risks, then set procedures and identify resources.
• Implementing the Audit Program: Define the objectives, scope, and criteria,
select the audit team members, and assign responsibility to the audit team
leader. Manage the outcome and records.
• Monitoring the Audit Program: Assess conformity with the program, schedule,
and objectives, and then assess the performance of the audit team members and
the ability of the audit teams to implement the plan. Evaluate feedback from all
stakeholders. Some factors can determine the need to modify the program,
including audit findings, the demonstrated level of management system
effectiveness, and changes to the auditee’s management system, standards, and
other requirements.
• Reviewing and Improving the Audit Program: Evaluate whether objectives have
been achieved. Use lessons learned as inputs for continual improvement. The
review should consider results and trends, conformity with procedures, the
evolving needs and expectations of interested parties, records, alternative or new
auditing methods, the effectiveness of the measures to address associated risks,
and confidentiality and information security issues relating to the audit program.

Operational Audit Activities


What’s included in a typical audit implementation? Kandarpa provides an overview and
a brief look into the details for each phase:

• Initiating the Audit: Establish initial contact with the auditee and any designated
leaders. Determine the feasibility of the audit and review the assignment to
ensure the objectives are achievable.
• Preparing Audit Activities: Review pertinent documents. Prepare the audit
plan, assign work as needed, and organize necessary action plans and
documents.
• Conducting Audit Activities: Conduct a meeting to confirm that all parties
agree to the proposed plan. Introduce team members to management and each
other. Double check that you can perform the audit actions defined in the plan as
intended. Review documents as needed throughout the process. The team
should regularly meet to review and exchange information, assess progress, and
reassign work if necessary.
• Collecting and Verifying Information: After you receive the audit documents,
review the information sources. Audit the evidence and evaluate it against the
audit criteria. Review conclusions.
• Generating Audit Findings: The findings will conform or not conform with audit
criteria. For a non-conforming finding, record the supporting evidence. Review
the information with the auditee to ascertain if the evidence is correct. The team
should meet to review findings at designated and/or appropriate audit stages.
• Conducting the Audit Activities: Before the closing meeting to review findings,
the audit team should confer and collect information against objectives. The team
should agree on conclusions, prepare recommendations, and discuss follow-up.
Have a closing meeting facilitated by the team leader to present the findings and
conclusions.
• Preparing and Distributing the Audit Report: The team leader reports the
results with a complete, accurate, concise, and clear audit record, and delivers it
within the agreed period. In case of a delay, the auditee and program manager
should discuss why it happened. The report must be dated, reviewed, and
approved based on agreed-upon procedures. Distribute the report as defined in
the plan to the appropriate recipients.
• Completing the Audit: Work is complete when all planned audit activities are
accomplished. Documents are kept or destroyed based on the procedures and
applicable requirements set at the beginning of the audit. If disclosure is
necessary, inform the audit client and auditee as soon as possible. Add lessons
learned from the audit to the continual improvement process.

Operational Auditing Checklists

When asked about using checklists, Kandarpa explains, “Checklists vary based on the
purpose, audit type, and audit criteria. However, the audit process and auditing
principles remain constant.”  

Here’s a checklist that you can use as a framework. Each part of the checklist will likely
need to be broken down into separate activities - plan, do, check, and act - based on
the size and scope of your particular operational audit. To help organize more granular
activities, you’ll find downloadable templates later in this article.

Operational Audit and Audit Plan Examples

To see what operational audit processes and documentation look like in practice,
we’ve included some examples.

Government Audits: For entities of any size - from cities to the United States federal
government - the documentation is made available to the public in the interest of
transparency.
Non-Government Audits: By definition, audits are proprietary, internal processes that
an organization’s management uses for its own improvement. They are released for
public viewing based on the organization’s discretion.
Financial Audits: This type of audit provides an opinion about whether or not financial
statements are true based on accounting standards for the benefit of tax authorities,
customers, investors, and regulators.  
-------------------

An operational review program is an internal process designed to help teams, across all
departments and geographies, work together toward common organizational goals.

Audit Programme

An audit program is a set of directions that the auditor and the audit team
members need to follow for the proper execution of the audit. After
preparing an audit plan, the auditor allocates the work and prepares a
program which contains steps that the audit team needs to follow
while conducting an audit. Thus, an auditor prepares a program that
contains detailed information about various steps and audit procedures
to be followed during the audit.

An audit program provides a basic plan for the audit team regarding the
entity’s business, its size, how to conduct the audit, allocation of work
among team members and the estimation of time within which it should
complete the work.
It contains details regarding the relevancy of evidence, materiality level,
risk tolerance, and the measure of the sufficiency of the evidence. Thus,
programs enhance the accountability of the audit team and its members
for the work performed by them.

An auditor may revise the audit program if he considers it necessary due
to prevailing circumstances. The size of the entity, the type of business
or services in which the entity deals, applicable laws, the effectiveness of
internal controls, and various other relevant factors also affect an audit
program.

Thus, an auditor prepares an audit program according to its scope of
work. The minimum essential work to be performed is the Standard
Programme. However, there is no set standard audit program applicable
in all circumstances.

Audit working papers document the activities that the audit program
performs. Audit working papers support the work performed by the
auditor by providing assurance that the audit was performed in
accordance with all the applicable standards on auditing (SAs). They help
the auditor in the proper execution of audit work.

An audit program covers various steps of auditing, such as
the assessment of internal control, ascertaining the accuracy and
reliability of books of accounts, inspection, vouching and verification,
valuation of assets and liabilities, scrutiny of accounts, presentation of
financial statements, and submission of reports and related disclosures.

Advantages of the Audit Programme


1. An audit program helps in ensuring that all important areas are
considered while conducting the audit.
2. An audit program helps an auditor in the allocation
of work among its team members according to their skills and
competency.
3. It enhances the accountability of audit team members towards
work performed by them.
4. An audit program also reduces the scope for misunderstanding
among team members regarding the performance of audit
work.
5. It helps the auditor in checking the status of audit work, its
progress, and how much is left to be performed while conducting
the audit.
6. The auditor prepares audit working papers which contain a record
of the various audit procedures applied, which serves as evidence
against the charge of negligence.
7. An audit program enables the auditor to keep a record of useful
information specifically for future audits and reference.

Disadvantages of Audit Programme


1. Rigidity: There is no set standard audit program that can be
applied in the case of every entity. Programs differ
for different types of entities, and every entity has its own
problems. Therefore, we cannot apply a single audit
program in the case of all business entities.
2. Reduces the Initiative of Efficient Staff: A program reduces
the initiative of efficient and competent staff. Thus, staff
members cannot make changes in the audit plan and cannot
make suggestions to it.
3. Audit Work Becomes Mechanical: The program becomes
mechanical when it ignores other aspects like internal control.
4. Overlooking New Areas: A program may overlook new
areas. With changes in time and technology, new problems
may arise which an audit program may not consider.

Solved Example For You


Question: Write a program for the audit of cash.

Ans. A program for cash involves the following:

• Checking of the opening balance
• The checking of petty cash
• The checking of the cash book
• Checking cash receipt and payment voucher
• Authorization for cash payments
• Comparison with the bank statement
• Surprise check of cash balance
• Cash summary
• Examination of direct deposits by the third parties

Audit Program for Sale/Sale Return


The Audit Program for Sale/Sale Return involves the review and check of the following −

• Complete accounting system right from the receiving of sale orders from
customers to the receiving of payment from customers against the generated
sale invoice.
• Indirect Taxation entries like VAT/CST/Excise and Service Tax as applicable.
• Stock valuation.
• Generation and approval of credit notes.
• Provision for doubtful and bad debts.
• Accounting entries for installments received, interest elements and unrealized
profit in the case of sales made on the hire-purchase system.

Audit Program for Purchase/Purchase Return


The Audit Program for Purchase/Purchase Return involves the review and check of the
following −

• Complete accounting system right from the issuance of purchase orders to
suppliers till the payment to suppliers/creditors against the purchase invoice.
• Checking of department-wise material requisition slips.
• Authorization of requisition slips and purchase orders.
• Comparison of quantity and rate of purchase bills with purchase order.
• Material inward record with purchase bills.
• Checking of Stock register.
• Checking of purchase return note with purchase bills.
• Impact of Indirect Taxation entries on the Cost of Purchase or Input Tax Credit
account, CENVAT Account for VAT/CST/Excise and Service Tax as applicable.

Audit Program for Cash/Bank


The Audit Program for Cash/Bank involves the review and check of the following −

• Check posting and balancing of Cash book.
• Check petty cash book if maintained.
• Check cash receipt with cash book.
• Check cash payment voucher with relevant support bills.
• Authorization of cash payments.
• Check accounting for cheques/demand draft received.
• Check cash withdrawal entries with Bank statements and entries in cash book.
• Checking of direct deposit into bank by parties.
• Checking of bank reconciliation.
• Physical verification of cash.

Audit Program for Salary/Wages


The Audit Program for Salary/Wages involves the review and check of the following −

• Collect organization chart and list of officers.
• Authorization of above list of employees with salary.
• Review employment contracts of the employees.
• Compare authorized salary with expense account.
• Collection of information about stock option, bonus plan or other incentives as
applicable to employees.
• Scanning of stock register and stock issue record about issuance or reservation
of shares to employees.
• Review salaries, incentives, bonus and compensation etc. with basic evidence.
• Check and review legal formalities as applicable to organization such as E.S.I/
provident fund/TDS etc.

What are the governance processes?


The Institute of Internal Auditors defines governance processes as follows:
Governance processes deal with the procedures utilized by the representatives of the
organization’s stakeholders to provide oversight of risk and control processes
administered by management. The monitoring of organizational risks and
the assurance that controls adequately mitigate those risks both contribute directly to
the achievement of organizational goals and the preservation of organizational value.
Those performing governance activities are accountable to the organization’s
stakeholders for effective stewardship.

Business Process Governance

Business process governance, also called process governance or business
process management (BPM) governance, is the use of rules to manage BPM
programs and initiatives.

Business process governance involves setting standards and priorities for
BPM efforts, identifying BPM governance leaders and defining BPM project
participants’ roles, all to improve BPM strategies. The ultimate goal of both
business process governance and BPM is to optimize an
organization’s business processes and make workflow more efficient and
effective.

Business process governance includes the establishment of internal BPM
centers of excellence or competency centers to share process-improvement
best practices and spread awareness of BPM standards and
priorities. Governance also works to monitor and document both the
successes and shortcomings of an organization’s BPM initiatives. Business
process governance is often overseen by teams made up of both business
and IT professionals.

PROCESS GOVERNANCE

Process governance is a major issue, and yet often forgotten and overlooked by
organizations.

In short, we can say that process governance is the way in which a company can
consolidate the process management initiatives within standards, rules, and guidelines
that all go together towards a common goal.

The term governance alone can be understood as the ability to target and orchestrate joint
efforts with the authority and acceptance of all.

In the context of process governance, its purpose is to prevent isolated and disconnected
process management initiatives from contributing only small, localized results. Process
improvements need to add value to the supply chain in a consistent,
systematic and integrated manner, given the strategic plan set by the top management of
the company.

Objectives of process governance


We can summarize the role of process governance in a company with 10 major goals:

1. Standardize process initiatives.
2. Encourage the alignment of these initiatives.
3. As a result, encourage continuous improvement of business processes.
4. Define roles and responsibilities of the processes.
5. Determine who has the power to decide the procedures.
6. Become a more agile organization in response to the emergence of changes.
7. Promote the quality of process initiatives.
8. Make process management part of the everyday culture.
9. Align management processes with the strategic objectives of the company.
10. Ensure that the processes office coordinates these initiatives and gives the necessary
support to all areas involved.

In short, process governance should be able to promote the guidance and direction of process
management to create synergy between initiatives and continuous improvement. For this
purpose, it can make use of some initiatives.

Initiatives of process governance

• Definition and control of rules and guidelines.
• Establishment of procedures.
• Establishment of tools to use.
• Make the overall objectives of the process clear.
• Definition of business rules.
• Determination of the forms of measurement and control.
• Create rules for the organization of processes.
• Define structures and levels.
• Direct the methodologies in process management.
• Establish the value chain as a beacon for process management.

Through these initiatives and to achieve the objectives indicated above, there are three
levels of responsibility:

1. Direct execution (in some cases) and control of business processes.
2. Coordination, assistance, and overview of management processes.
3. To promote and ensure the integrity and reliability of the processes in the company as
a whole.

As can be seen, the degree of responsibility increases from the first level, more
operational, through to the second, management, and to a more strategic third level,
where alignment with the top management of the company is essential.

Defining process governance


Now that we have a clearer vision of process governance, we can look at a definition:

“It is a framework that organizes and defines these elements: roles
and responsibilities, standards, tasks, organizational structure,
goals, mechanisms of control and evaluation mechanisms; in order
to facilitate management processes as an everyday management
element in organizations in order to improve the performance of
their processes.” Daniel Barroso Barros

Process governance model


Finally, we present a process governance model proposed by Korhonen, with 4
levels:

Committee procedures: strategic level
• Works with the macro processes.
• Responsible for alignment with corporate strategy.
• Selection and prioritization of projects in process.
• Resource allocation.

Office processes: tactical level
• Train and support the implementation of projects.
• Define methods, standards, tools and rules.
• Determine and maintain process architecture.

Group Manager processes: tactical level
• The “owner” of the process.
• Track performance.
• Lead projects with these processes.

Group project manager: operational level
• Operates in the daily processes and is also responsible for their implementation.

As you have seen, the concept of process governance is a kind of guardian of your
company’s integrity and should maintain its consistency with the organization’s goals. To
implement it correctly, the use of appropriate and current BPM tools is essential.

Business Process Management is more than a tool; it is a methodology that, if well
implemented, can help you understand your company in details that you never thought
possible. With that understanding, it can cut costs, increase profitability, improve
communication, bring effectiveness, and deliver many more BPM benefits!

Everybody knows that BPM is a powerful method that can solve your company’s
problems while making it grow. However, what are some real-life and proven BPM
benefits? That is what we will approach next.

5 BPM benefits that will make you want to implement it now

1 – Wastage reduction

When we talk about wastage, we mean all kinds of wastage. Resources, money, time, and
effort are all essential for a company and must be wisely allocated. If this does not
happen, the product/service may be delivered, but not in the most effective way. This
causes client dissatisfaction, loss of money and disorganization.

With BPM, the processes are scanned and understood, thus making it easier to spot
bottlenecks and improvement points. We cannot fix what we cannot understand, and
BPM brings the best tool to understand the company: process mapping. To map a process
is to organize all the steps, participants and information that the process holds. This will
result in a better allocation of resources and removal of redundant tasks and therefore in a
wastage cut. This is a priceless benefit of Business Process Management.

2 – Better visibility and higher control


BPM works with tools that turn process automation into reality. All the steps before that,
like mapping, modeling, executing and optimizing, will result in processes that are so
effective that they can be automatically spread throughout the organization. Process
automation is all about getting the most optimized and effective processes of your
company and making them automatic, thus reducing human interaction and
increasing transparency.

Once the processes are automated, they become available to all the staff. Everybody can
visualize and understand the process and their role in it. The manager has access to all the
information, can see in which step the process is and what everybody is doing. This BPM
benefit will clearly result in more organized processes, more transparent actions and more
effective results.

3 – Reduced costs and higher profitability


If we reduce wastage, we reduce costs. If we control a process more closely, making sure it
does not take any unnecessary step or unwanted action, we increase revenue. It is as
simple as that. The process of implementing BPM into your company can be long and
apparently complex, but once your team is on board and the goals are set, the increase in
productivity is a certain benefit.

4 – Compliance and safety


A sometimes forgotten BPM benefit is safety for your company. BPM tools and
software give managers and shareholders control over the entirety of the
processes. They also assist organizations in documenting and implementing internal
policies and controls. There is no doubt that this makes a company safer, more organized
and reliable.

5 – Better communication
A common employee complaint is about the lack of information, uncertainty about
what exactly is expected of them and the absence of communication between sectors. With
BPM, this will radically change, as all the information is easily accessed and updated by
all. The roles, as well, are determined and clear, making the job much more organized
and the expectations controlled.

The benefits of Business Process Management can take some time to appear. However,
they are lasting and dependable. The whole culture of the company must change to
receive the BPM methodology and really embrace it. With the control that the method
offers, it is easy to measure just how much the company improved and grew!

RISK MANAGEMENT PROCESSES

The 5 Step Risk Management Process


Implementing a risk management process is vital for any organization. Good risk
management doesn’t have to be resource intensive or difficult for organizations to
undertake or insurance brokers to provide to their clients. With a little formalization,
structure, and a strong understanding of the organization, the risk management process can
be rewarding.

Risk management does require some investment of time and money but it does not need to
be substantial to be effective. In fact, it will be more likely to be employed and maintained
if it is implemented gradually over time. 

The key is to have a basic understanding of the process and to move towards its
implementation.

1. Identify potential risks 
What can possibly go wrong?

The four main categories of risk are hazard risks, such as fires or injuries; operational
risks, including turnover and supplier failure; financial risks, such as economic recession;
and strategic risks, which include new competitors and brand reputation. Being able to
identify what types of risk you have is vital to the risk management process.

An organization can identify its risks through experience and internal history, consulting
with industry professionals, and external research. It may also try interviews or group
brainstorming, as discussed in the Project Manager article "8 New Ways to Identify Risks".

It’s important to remember that the risk environment is always changing, so this step
should be revisited regularly. 
2. Measure frequency and severity 
What is the likelihood of a risk occurring and if it did, what would be the impact?

Many organizations use a heat map to measure their risks on this scale. A risk map is a
visual tool that details which risks are frequent and which are severe (and thus require the
most resources). This will help you identify which are very unlikely or would have low
impact, and which are very likely and would have a significant impact.

Knowing the frequency and severity of your risks will show you where to spend your time
and money, and allow your team to prioritize their resources.

3. Examine alternative solutions 
What are the potential ways to treat the risk and of these, which strikes the best balance
between being affordable and effective? Organizations usually have the options to accept,
avoid, control, or transfer a risk.

Accepting the risk means deciding that some risks are inherent in doing business and that
the benefits of an activity outweigh the potential risks.

To avoid a risk, the organization simply has to not participate in that activity.

Risk control involves prevention (reducing the likelihood that the risk will occur) or
mitigation, which is reducing the impact it will have if it does occur.

Risk transfer involves giving responsibility for any negative outcomes to another party, as
is the case when an organization purchases insurance. 
4. Decide which solution to use and implement it 
Once all reasonable potential solutions are listed, pick the one that is most likely to achieve
desired outcomes.

Find the needed resources, such as personnel and funding, and get the necessary buy-in.
Senior management will likely have to approve the plan, and team members will have to be
informed and trained if necessary.

Set up a formal process to implement the solution logically and consistently across the
organization, and encourage employees every step of the way.
5. Monitor results 
Risk management is a process, not a project that can be “finished” and then forgotten
about. The organization, its environment, and its risks are constantly changing, so the
process should be consistently revisited.
Determine whether the initiatives are effective and whether changes or updates are
required. Sometimes, the team may have to start over with a new process if the
implemented strategy is not effective. 

If an organization gradually formalizes its risk management process and develops a risk
culture, it will become more resilient and adaptable in the face of change. This will also
mean making more informed decisions based on a complete picture of the organization’s
operating environment and creating a stronger bottom line over the long-term.


INTERNAL CONTROL PROCESSES


The seven internal control procedures are separation of duties, access controls, physical
audits, standardized documentation, trial balances, periodic reconciliations, and approval
authority.

Separation of Duties
Separation of duties involves splitting responsibility for bookkeeping, deposits,
reporting and auditing. The further duties are separated, the less chance any single
employee has of committing fraudulent acts. For small businesses with only a few
accounting employees, sharing responsibilities between two or more people or
requiring critical tasks to be reviewed by co-workers can serve the same purpose.

Accounting System Access Controls


Controlling access to different parts of an accounting system via passwords, lockouts
and electronic access logs can keep unauthorized users out of the system while
providing a way to audit the usage of the system to identify the source of errors or
discrepancies. Robust access tracking can also serve to deter attempts at fraudulent
access in the first place.
Physical Audits of Assets
Physical audits include hand-counting cash and any physical assets tracked in the
accounting system, such as inventory, materials and tools. Physical counting can
reveal well-hidden discrepancies in account balances by bypassing electronic records
altogether. Counting cash in sales outlets can be done daily or even several times per
day. Larger projects, such as hand counting inventory, should be performed less
frequently, perhaps on an annual or quarterly basis.

Standardized Financial Documentation


Standardizing documents used for financial transactions, such as invoices, internal
materials requests, inventory receipts and travel expense reports, can help to maintain
consistency in record keeping over time. Using standard document formats can make
it easier to review past records when searching for the source of a discrepancy in the
system. A lack of standardization can cause items to be overlooked or misinterpreted
in such a review.

Daily or Weekly Trial Balances


Using a double-entry accounting system adds reliability by ensuring that the books are
always balanced. Even so, it is still possible for errors to bring a double-entry system
out of balance at any given time. Calculating daily or weekly trial balances can provide
regular insight into the state of the system, allowing you to discover and investigate
discrepancies as early as possible.

Periodic Reconciliations in Accounting Systems


Occasional accounting reconciliations can ensure that balances in your accounting
system match up with balances in accounts held by other entities, including banks,
suppliers and credit customers. For example, a bank reconciliation involves comparing
cash balances and records of deposits and receipts between your accounting system
and bank statements. Differences between these types of complementary accounts
can reveal errors or discrepancies in your own accounts, or the errors may originate
with the other entities.

Approval Authority Requirements


Requiring specific managers to authorize certain types of transactions can add a layer
of responsibility to accounting records by proving that transactions have been seen,
analyzed and approved by appropriate authorities. Requiring approval for large
payments and expenses can prevent unscrupulous employees from making large
fraudulent transactions with company funds, for example.

Internal controls summary


Internal control is a process, effected by an entity’s board of directors, management and
other personnel, designed to provide reasonable assurance:

 That information is reliable, accurate and timely
 Of compliance with applicable laws, regulations, contracts, policies and procedures
 Of the reliability of financial reporting
Internal controls are intended to prevent errors and irregularities, identify problems and
ensure that corrective action is taken. In many cases, process owners within your
department perform controls and interact with the control structure on a daily basis,
sometimes without even realizing it because controls are built into operations.  

Control definition reflects certain fundamental concepts:

 Internal control is a process. It is a means to an end, not an end in itself.
 Internal control is effected by people. It is not merely policy manuals and forms, but also
people at every level of an organization.
 Internal control can be expected to provide only reasonable, not absolute, assurance to
an entity’s management and board.
Internal controls are established to further strengthen:

 The reliability and integrity of information
 Compliance with policies, plans, procedures, laws and regulations
 The safeguarding of assets
 The economical and efficient use of resources
 The accomplishment of established objectives and goals for operations or programs

Internal control structure
The internal control structure is derived from the way management runs an operation or
function and is integrated with the management process. Although the components
apply to the entire University, small and mid-size departments may implement them
differently than large ones do. Together, they are designed to provide reasonable
assurance that overall established objectives and goals are met.

The internal control structure consists of five inter-related components:


 Control environment – The control environment sets the tone of an organization,
influencing the control consciousness of its people. Control environment factors include
(1) the integrity, ethical values and competence of the entity's people; (2) management's
philosophy and operating style; (3) the way management assigns authority and
responsibility and organizes and develops its people; and (4) the attention and direction
provided by the University. Additional examples are:
o Tone from the top
o University policies
o Organizational authority
 Risk assessment – Risk assessment is the identification and analysis of relevant risks to
achievement of the objectives, forming a basis for determining how the risks should be
managed. Examples include:
o Monthly meetings to discuss risk issues
o Internal audit risk assessment
o Formal internal departmental risk assessment
 Control activities – Control activities are the policies and procedures that help ensure
management directives are carried out. They include a range of activities as diverse as
approvals, authorizations, verifications, reconciliations, reviews of operating
performance, security of assets and segregation of duties. Additional examples are:
o Purchasing limits
o Approvals
o Security
o Specific policies
 Information and communication – Pertinent information must be identified, captured and
communicated in a form and timeframe that enable people to carry out their
responsibilities. Information systems produce reports containing operational, financial
and compliance-related information that makes it possible to run and control the
organization. Effective communication also must occur in a broader sense, flowing
down, across and up the organization. Examples include:
o Vision and values or engagement survey
o Issue resolution calls
o Reporting
o University communications (e.g., emails, meetings)
 Monitoring – Internal control systems need to be monitored, a process that assesses
the quality of the system's performance over time. This is accomplished through ongoing
monitoring activities, separate evaluations or a combination of the two. Ongoing
monitoring occurs in the course of operations. Internal control deficiencies should be
reported upstream, with serious matters reported to top management and the Regents.
Examples include:
o Monthly reviews of performance reports
o Internal audit function
Internal control types
Different risks and environments require different controls. The control types described
below can be used in combination to mitigate risks to the organization.

Preventive and detection controls


 Preventive controls attempt to deter or stop an unwanted outcome before it
happens. Examples include use of passwords, approval, policies and procedures.
 Detection controls attempt to uncover errors or irregularities that may already have
occurred. Examples include reconciliations, monitoring of actual expenses vs. budget,
prior periods and forecasts.

Hard vs. soft controls


 Hard controls are formal and tangible. Examples include organizational structure,
policies, procedures and segregation of duties
 Soft controls are informal and intangible. Examples include tone at the top, ethical
climate, integrity, trust and competence

Manual vs. automated controls


 Manual controls are manually performed, either solely manual or IT-dependent, where a
system-generated report is used to test a particular control.
 Automated controls are performed entirely by the computer system.

Key vs. secondary controls


 Key controls are those that must operate effectively to reduce the risk to an acceptable
level.
 Secondary controls are those that help the process run smoothly but are not essential.
To identify the correct control(s) to implement, you must know what risks are
present. To know what risks are present, you need to understand what objectives are
being sought. Therefore, Objectives → Risks → Controls.

Internal controls in my department


Control activities within your department may include the following:
 Implementing segregation of duties where duties are divided (segregated) among
different people, to reduce the risk of error or inappropriate actions. No one person has
control over all aspects of any financial transaction.
 Making sure transactions are authorized by a person delegated approval authority when
the transactions are consistent with policy and funds are available.
 Ensuring records are routinely reviewed and reconciled, by someone other than the
preparer or transactor, to determine that transactions have been properly processed.
 Making certain that equipment, inventories, cash and other property
are secured physically, counted periodically and compared with item descriptions shown
on control records.
 Providing employees with appropriate training and guidance to ensure that they (1) have
the knowledge necessary to carry out their job duties, (2) are provided with an
appropriate level of direction and supervision and (3) are aware of the proper channels
for reporting suspected improprieties.
 Making sure University- and departmental-level policies and operating procedures are
formalized and communicated to employees. Documenting policies and procedures and
making them accessible to employees helps provide day-to-day guidance to staff and
promotes continuity of activities in the event of prolonged employee absences or
turnover.
Remember, everyone in your department has responsibility for internal controls.

TYPES OF INTERNAL CONTROLS

OVERVIEW
There are two basic categories of internal controls – preventive and detective. 
An effective internal control system will have both types, as each serves a
different purpose.  As you perform routine processes, or when you are
thinking of implementing a new procedure or process, it is important to ask
the following questions to help determine the appropriate control:

 What could go wrong?
 What steps have been taken to ensure that something does not go
wrong?
 How can you verify that nothing went wrong?
The answers to these questions will enable you to better target the type of
control that is needed.
PREVENTIVE CONTROLS
Preventive controls aim to decrease the chance of errors and fraud before they
occur, and often revolve around the concept of separation of duties. From a
quality standpoint, preventive controls are essential because they are proactive
and focused on quality.
Examples of preventive controls include:

 Separation of duties
 Pre-approval of actions and transactions (such as a Travel
Authorization)
 Access controls (such as passwords and Gatorlink authentication)
 Physical control over assets (i.e. locks on doors or a safe for
cash/checks)
 Employee screening and training (such as the PRO3 Series to
increase employee knowledge)

DETECTIVE CONTROLS
Detective controls are designed to find errors or problems after the
transaction has occurred.  Detective controls are essential because they
provide evidence that preventive controls are operating as intended, as well as
offer an after-the-fact chance to detect irregularities.

Examples of detective controls include:

 Monthly reconciliations of departmental transactions
 Review organizational performance (such as a budget-to-actual
comparison to look for any unexpected differences)
 Physical inventories (such as a cash or inventory count)

All businesses, whether they are corporates or SMEs, need some level of
internal control over their finances to ensure they stay on the right side of the
law. As well as ensuring the efficiency and accuracy of accounting and
financial reporting, internal controls, procedures and systems are key to
ensuring businesses and their employees deal with their money in a legal and
responsible way.

Within accounting, there are seven internal control procedures that need to be
followed to ensure a business’s finances are fully legal and compliant. This
article will explain more about internal control systems and how you can
ensure your accounts meet their requirements, starting with the definition of
internal control.

What is internal control?


To ensure a business’s finances are being run correctly and legally, a set of
internal controls is put in place. As well as making sure each set of accounts
is legal and compliant, internal controls put policies and procedures in
place to protect an organisation’s assets and ensure any individuals operate
within the laws, regulations and ethics of a company.

Primarily, internal controls are put in place within the structure of an
organisation to minimise any risks to the company, reduce the number of
errors and ensure operations run effectively according to any set rules or
regulations. The larger an organisation is, the larger the internal control
system that needs to be in place to ensure its operations are fully compliant.

What is an internal control framework?


An internal control framework is a set of processes a business has in place to
ensure all of its operations, specifically its financial operations, comply with
laws and regulations. A thorough and effective internal control system will
enable a company to perform effectively while ensuring its finances and
accounts are run with full integrity.

Within larger organisations, an internal control framework will include
processes and procedures that cover all stages and levels of the business,
from the board of directors to junior employees. Stages within the internal
control framework may include IT regulations, controls around asset
protection and rules for individual employees to protect the organisation
against theft and fraud.

In these companies, there is usually a team of internal auditors whose role is
to oversee these processes and procedures to ensure they’re functioning
effectively without reducing the overall efficiency of an organisation. There
may even be internal control in auditing teams to ensure complete
compliance and integrity.

Internal control examples


Internal controls in auditing and accountancy are the most common examples
seen in all sizes of businesses. To ensure a company’s finances are fully
compliant and follow all laws and regulations, there are seven internal
controls that can be put in place:
 Separation of duties: this involves giving jobs within the accounting
process to different employees. This can include critical tasks being
reviewed by colleagues or having specific duties, such as bookkeeping
and deposits, being designated to different employees within a team.
 Accounting system access controls: to minimise the likelihood of fraud
or errors, businesses can control accounting systems by restricting
access via different user accounts, passwords and electronic logs. This
also enables businesses to track and monitor access to the accounting
system.
 Physical audits of assets: from hand-counting cash to taking inventories
of equipment, counting assets physically gives extra reassurance and
ensures there are no discrepancies in account balances and electronic
records.
 Standardised financial documentation: by having a system and template
for invoices, internal requests and expense reports, companies can
ensure there’s consistency within their record keeping and reduce the
likelihood of errors or discrepancies appearing.
 Daily or weekly trial balances: by running trial balances on a regular
basis, companies can gain insight into the status of their system and
ensure any discrepancies are picked up and dealt with as early as
possible.
 Periodic reconciliations in accounting systems: similar to trial balances,
reconciliations ensure balances match up across different systems,
banks, suppliers and customers. Any errors or discrepancies can then be
revealed quickly and easily.
 Approval authority requirements: assigning particular managers the
responsibility of authorising specific types of transactions adds an extra
layer of control and reduces the likelihood of errors or fraudulent
claims.
Although these seven internal controls may not be used in all types of
businesses, they’re an example of the types of internal control systems that
can be put in place to ensure a company’s finances are compliant and lawful.
