Business Process Modeling Approaches in the Context of Process Level Audit Risk – Assessment: An Analysis and Comparison
Discussant’s Comments
Author’s stated motivation or justification for the work done
Business process modeling as it relates to the audit process is a very relevant topic for discussion and analysis, especially in today’s world where we as auditors are expected even more to understand how business processes work so that we are in a better position to identify where key control points are (both detective and preventative) that address related audit risks.
I imagine, all audit firms, post-Enron, went through a period of re-examination whereby audit approaches were examined, review processes were examined, and as part of this, ways to obtain a more thorough understanding of audit risks and financial reporting risks and fraud risks were investigated. As well, audit firms have had to readjust their
processes and procedures to ensure compliance with requirements of the PCAOB. Although I would assume most firms are past the initial reaction, audit techniques continue to evolve and larger firms certainly continue to support and invest in their national offices / research centres to help ensure audit quality is at it’s highest.
Theoretical support for the article
The author has appropriately identified the need for business process models and appropriately quoted existing auditing standards.
One of the author’s key assumptions (page 5) “that business operations can be usefully decomposed into business processes” is critical in assessing where significant activities are being performed. This concept ties nicely into the determination of what activities are involved in producing information used in financial reporting.
Also, I would agree with the study from O’Donnell and Schultz (2003) who “found that audit seniors were better able to identify risks when using audit evidence organized by business process relative to seniors making the same judgments using audit evidence organized by transaction cycle” if the audit senior was fully able to distinguish between a business process with no impact on internal controls over financial reporting (ICOFR) and one with significant ICOFR impact. Businesses can be extremely complex and having a typical transaction cycle guide you through the relevant business processes can be helpful.
Also, I agree with the perspective provided by Bell et al (1997) suggesting that
understanding the sequence of events is important as well as the flow of material (page 28) – this makes sense from a Revenue Recognition perspective – has the service been delivered? Whereas, Knechel (2001) suggests only that the flow of information needs to be considered, and does not mention the need for understanding the sequence of activities constituting a process. Understanding relevant activities is critical to identifying relevant risks and controls – from an audit perspective, those that impact ICOFR; those that help prevent or detect fraud.
Minor Observations
On page 6, the author seems to dispel the use of conventional auditing approaches which decompose business processes into transaction cycles citing that each cycle can be
viewed as including multiple business processes relevant to cycle objectives. However, I’m not sure I understand the argument made, through the use of Arens’ et al example of the Sales & Collection including processing customer orders, granting credit, shipping goods, and processing sales returns, and activities to record the transactions. To me, that’s describing a transaction cycle (with the exception that the example did not include some other typical processes associated with the Sales & Collection cycle, such as Invoicing and Cash Receipts).
Also, I agree that the ISO/DIS 19440 items not mentioned in Bell et al (1997) or Knechel (2001) can not be readily linked to the needs of an auditor when performing risk
assessment at the process level, with the exception of ‘Description’ since auditors will always benefit from a clear description of the process when obtaining their understanding of that process (page 12).
Research method deployed
The paper is well structured and well researched. The approach to gather the required research is described clearly on page 3 and is a combination of examining existing audit standards, audit textbooks, and related material on audit approaches. A comparison was made of the business process constructs and concepts noted in the audit literature to those applied in international standards related to business processes to see if they contained any relevant constructs not evident in the audit literature. Finally, the author researched 7 business process modeling approaches comparing each one to the relevant constructs identified in the international standards to see which modeling approach best suited an auditor’s needs for audit risk assessment.
Observation
The one element that is admittedly missing is ‘what exactly an auditor needs to
understand about a business process, and how the information needs to be combined to form appropriate inferences’ (page 32). This could have been considered as part of this study.
Analysis of results
The author’s use a series of tables to analyse the results of research performed was effective and the body of the report effectively reference the tables when necessary to reinforce points being made. Overall, I found the analysis logical with persuasive conclusions. Specifically, I agree with the author’s analysis that ‘none of the modeling conventions reviewed have the full range of constructs’ (page 29) found in the ISO and GERAM modeling frameworks. As well, I concur that the author’s analysis of modeling conventions led the author to appropriate conclusions on which of the conventions would ‘provide the most complete coverage of the constructs needed for analyzing audit risk at the business process level’ (page 29).
Study conclusions
Overall, I agree with the author’s views and base conclusions. The author used the research and analysis of results to reach initial conclusions and then introduced other considerations, which serve to link the author’s argument that future studies are necessary. My only reservation as a practitioner is that the study was done without consultation of what is purported to be it’s key stakeholder, the auditor. That said, the
requirement of what exactly an auditor needs to understand about a business process will change as our business environment changes including the changing expectations of our clients, users of financial statements, and regulators. For example, in today’s
environment, there is a stronger emphasis on fraud controls than the pre-Enron era.
I believe that, many of the models presented have their own benefits even though none represent a perfect fit. No matter which model chosen, one that depicts the key
characteristics of a process in relation to their impact on the creation, capture, and reporting of financial information will be of some use to auditors. I think it’s also fine that the diagrams alone ‘cannot show the linkages of particular risks to a given objective’ (page 27) as long as those diagrams are supplemented by strong textual documentation that addresses gaps not covered in the diagrams. Considering whether business process models should be more diagrammatic or more-text based is a difficult question to answer, but may not be relevant if the resulting document provides the information required by an auditor – from review of the paper, I believe the author and I share the view that some combination of the two is preferable. Consistent, with Knechel’s (2001) suggestion that it is important that each process risk be linked to the related controls and performance indicators, the author has stated that an appropriate business modeling convention should explicitly capture these relationships. I believe that no matter what model is used the resulting documentation should accomplish this and, very likely, the more comprehensive document will be that which consists of a combination diagrammatic flows and
Present or potential contribution to accounting knowledge.
In assessing the present or potential contribution to accounting knowledge contributed by this paper, I can initially think of three potential benefactors (and there may be more). First, I think university students heading into the profession will gain invaluable insights into process modeling techniques, which is becoming an increasingly important part of the audit today. Historically, junior resources in audit firms are not equipped with business process analysis skills (at least to the extent they should be). Thus, secondly, having a base of new students each year that know more about business process analysis will benefit audit firms. Finally, I also see the benefit of business process modeling extending to clients, especially as they prepare for SOX certification. A large number of organizations, regardless of complexity and size, have been struggling to prepare for certification – some of items that organizations have difficulty doing is identifying relevant risks (those that impact financial reporting), identifying significant or key controls to address those risks and ultimately adequately testing those controls. I believe knowledge of the right business process modeling techniques that help address audit risks will help their SOX compliance efforts be more focused, more complete and more
