Business Processes

An Audit Universe of Business Process

How do auditors decide upon the most appropriate way to define their universe of audit review
projects?

One way would be to separate the “productive” or commercial aspects of the business (such as
manufacturing or sales) from the support or infrastructure activities (such as accounting, photocopying
or security).

The simplest (although not necessarily the best) way to define the audit universe is to look at the
internal telephone directory. This will identify the discrete departments and may, if viewed alongside
any organisation charts, lend a definable form to the company.

Two apparent advantages of using this “departmental” or “functional” basis for defining audit reviews
are:
(1) the area under review is clearly bounded, and
(2) reporting lines to responsible management are clear-cut.

It is unlikely that any one department, system or activity will operate in complete isolation, but each will
need to interact with other data and systems in order to be fully effective. Auditors should be aware of
these points of interaction and satisfy themselves that the data moving between systems is consistent,
complete and accurate, so that the subsequent processes are undertaken on a reliable basis.

However, dividing up the audit universe for review purposes into a number of business processes, rather
than according to how the organisation is structured into departments, divisions, operating units, HQ
functions and so on, has great potential to reveal opportunities to improve economy, efficiency and
effectiveness.

The auditor who chooses the business process method of defining the scope of audit reviews is faced
with the need to identify all the relevant managers responsible for the activities within the scope of the
engagement. This will be necessary in order to ensure that they are duly consulted about the review and
so the auditor is clear about the reporting lines for the report and auditor’s recommendations.

The main benefit of this approach is that it should encompass all the relevant issues and aim to provide
reassurance to management on the effectiveness of the internal control measures in place across the
whole process. On the down side, this method requires auditors to plan very carefully how they
approach the engagement and to ensure that the fieldwork is adequately coordinated in order to
initially identify and consider all the risks and control issues, which will potentially span a number of
organisationally separate areas.
Six Ubiquitous Processes
1. The Revenue Process
Related to those activities that exchange the organisation’s products and services for
cash, and therefore include (inter alia) the following elements:
• credit granting;
• processing orders;
• delivery and shipping;
• billing to customers;
• maintaining accurate and reliable inventory records;
• the activities associated with accounts receivable;
• bad debt (including pursuing debtors and writing off balances);
• reflecting the related transactions correctly in the accounting systems.

2. The Expenditure Process

Those activities/systems that acquire goods, services, labour and property; pay for
them; and classify, summarise and report what was acquired and what was paid. For
example:
• ensuring that suppliers are stable, reliable and able to provide the appropriate
goods/services on time, at the right price and to the required quality;
• the requisitioning of goods, services, corporate assets and labour;
• receiving, securely storing and correctly accounting for goods;
• all the activities associated with accounts payable (e.g. matching orders to suppliers’
invoices and confirming the accuracy of pricing, etc.);
• recruiting and correctly paying staff;
• ensuring that all taxes due are correctly calculated and disbursed;
• ensuring that all the related accounting records are accurate, up to date and
complete.

3. The Production/Conversion Process

In this context, the term “conversion” relates to the utilisation and management of
various resources (inventory stock, labour, etc.) in the process of creating the goods and
services to be marketed by the organisation. The key issues in this process include
accountability for the movement and usage of resources up to the point of supply which is
then dealt with in the revenue cycle. Conversion cycle activities include product
accounting/costing, manufacturing control, and stock management

4. The Treasury Process

This process is fundamentally concerned with those activities relating to the
organisation’s capital funds, such as:
• the definition of the cash requirements and cash flow management;
• allocation of available cash to the various operations;
• investment planning;
• the outflow of cash to investors and creditors (i.e. dividends).
 5. The Financial Reporting Process
This process is not based on the basic processing of transactions reflecting economic
events, but concentrates upon the crucial consolidation and reporting of results to various
interested parties (i.e. management, investors, regulatory and statutory authorities).

6. The Corporate Framework Process

This process incorporates those activities concerned with ensuring effective and
appropriate governance processes and external accountability. It is to do with the
development and maintenance of values, culture and ethics, and effective management,
strategic, infrastructure and control frameworks that should aim to give form to the
underlying direction, structure and effectiveness of an organisation. This category can also
include issues such as specific industry regulations and compliance.

An Alternative, More Detailed Classification of Business Processes

1. Cash process: The flow of cash into the business principally through payments from customers, the
custodial function with regard to that cash and the conversion of the cash in settlement of debts due
principally to suppliers.
2. Information process: The gathering of data and its conversion into information; the analysis of that
information leading to decisions which in turn result in data on performance.
3. Integrity process: “[the] controls over the creation, implementation, security and use of computer
programs, and controls over the security of data files. These controls, technically referred to as integrity
controls, constitute a cycle because they operate continuously from the time programs are instituted
and data are introduced into the computer records.”
4. Launching a new product process: The cycle that includes market research, R & D, provision of
necessary finance, tooling up (or the equivalent), commencement of production and the sales launch. 5.
Payments process:* “Transaction flows relating to expenditures and payments and related controls over
(among other activities) ordering and receipt of purchases, accounts payable, and cash disbursements.”
6. Planning and control process: Planning a course of action, executing that action, measuring the
results, comparing actual performance with planned performance and deciding upon corrective action.
7. Production process:* “Transaction flows relating to production of goods or services and related
controls over such activities as inventory transfers and charges to production for labour and overhead.”
8. Product life process: Commencing with the processes of launching a new product, through the routine
production phase, product revision and relaunch, product price adjustments, and termination or decline
of the product line.
9. Revenue process:* “Transaction flows relating to revenue generating and collection functions and
related controls over such activities as sales orders, shipping, and cash collection.”
10. Time process:* “Not strictly related to transaction flows, this cycle includes events caused by the
passage of time, controls that are applied only periodically, certain custodial activities, and the financial
reporting process.”

THE HALLMARKS OF A GOOD BUSINESS PROCESS

The following are some of the hallmarks of a sound business process:
1. designed to meet objectives which are clear;
2. has regard to competitive issues;
3. performance can be (and is) measured;
4. unsatisfactory performance is rectified;
5. activities are completed in a timely way;
6. processes are cost effective;
7. controls are “preventative” rather than merely “permissive”;
8. as few “movements”/“stages” as possible;
9. unnecessary steps have been eliminated;
• nothing is done which is unimportant to the achievement of objectives;
10. proper authorisations;
11. controls positioned as early as possible in the process;
12. documented;
13. has an audit trail;
14. right people doing the right job;
15. room for adaptation;
16. defines risks within the process itself.