Saturday, May 22, 2010

Chapter 7. Business Process Evaluation and Risk Management

- The evaluation of the efficiency and effectiveness of an organization’s IT program involves reviewing the IT governance structure as well as its alignment with the organization’s strategy. The IT organization must also manage the risks associated with ongoing development and operations. The IT organization should have a risk-management program that utilizes internal controls and best practices to mitigate risks to an acceptable level.

- The standard approach to improving business processes is to identify specific areas to be reviewed, document the existing baseline process(es), and identify areas for improvement. After improvement areas have been identified, they should be presented to senior management for prioritization and implementation. Upon implementation of the business processes, the organization should monitor the new processes against the baseline and establish a continuous improvement process. Known as business process re-engineering (BPR), this usually succeeds in reducing manual interventions and controls within the organization.

- ISACA defines benchmarking as the continuous, systematic process of evaluating the products, services, and work processes of organizations, recognized as representing best practices for the purpose of organizational improvement.

- ISACA outlines the following steps in a benchmarking exercise:
1. Plan. In the planning stage, critical processes are identified for the benchmarking exercise. The benchmarking team should identify the critical processes and understand how they are measured, what kind of data is needed, and how that data needs to be collected.

2. Research. The team should collect baseline data about its own processes before collecting this data about others. The next step is to identify the benchmarking partners through sources such as business newspapers and magazines, quality award winners, and trade journals.

3. Observe. The next step is to collect data and visit the benchmarking partner. There should be an agreement with the partner organization, a data-collection plan, and a method to facilitate proper observation.

4. Analyze. This step involves summarizing and interpreting the data collected, analyzing the gaps between an organization’s process and its partner’s process, and converting key findings into new operational goals.

5. Adapt. Adapting the results of benchmarking can be the most difficult step. In this step, the team needs to translate the findings into a few core principles and work down from the principles to strategies and action plans.

6. Improve. Continuous improvement is the key focus in a benchmarking exercise. Benchmarking links each process in an organization with an improvement strategy and organizational goals.
Benchmarking partners are identified in the research stage of the benchmarking process.

- This benchmarking methodology assumes that organizations will be able to find partner organizations that will agree to review and observation. In today’s competitive market, most organizations turn to professional consulting companies that have performed business process re-engineering across industries and use the information gathered during those engagements to compare to their organization.

- Business process re-engineering (BPR) provides an accelerated means of process improvement by assuming that existing business processes do not work; therefore, the re-engineering effort can focus on new processes by defining a future state (to be).

- After the future state has been defined, the re-engineering team can create an action plan based on the gap between current processes and the future state. The re-engineering team and management then can create the transition plan and begin to implement the changes. To help ensure the success of the re-engineering effort, determining the scope of areas to be reviewed should be the first step in the business process re-engineering project.

- An IS auditor should always make sure that a re-engineered business process has not inadvertently removed key controls from the previous control environment.

- Whenever business processes have been re-engineered, the IS auditor should attempt to identify and quantify the impact of any controls that have been removed, or controls that might not work as effectively after a business process changes.

- Generally, the largest impact of re-engineering is on the staff.

- Business process re-engineering often results in increased automation, which results in a greater number of people using technology.

- A couple of emerging business and technology trends illustrate these improvements. The first is customer relationship management (CRM), which focuses on managing detailed customer information. This might include previous transactions and customer requirements, allowing organizations to match customer needs to products and services.

- The second, supply chain management (SCM), is the improvement of an organization’s product and service design, purchasing, invoicing, distribution, and customer service.

- One of the technologies associated with SCM is the process of electronic funds transfer (EFT). EFT is an electronic payment process between buyers and sellers that is very efficient because it reduces paper transactions and manual intervention.

- EFT systems are more efficient than traditional paper checks for accounts payable disbursements.

- After an organization has developed a strategic plan and defined its goals, it must measure its progress toward these goals. Key performance indicators (KPI) are quantifiable measurements that are developed and accepted by senior management. Key performance indicators vary by organization but are created as long-term measurements of an organization’s operational activities against its goals.

- As an example of a goal, the IT organization would expect to deliver services in accordance with service-level agreements (SLA). The IT organization would measure actual service levels against the SLA, identify gaps, and define controls to proactively reduce the service-level failures to meet the SLA.

- To ensure that KPIs are understandable and do not detract from the organization’s mission, they should be kept to a minimum of three to five. The use of KPIs provides management with a compass that allows for course corrections in meeting organizational goals and a communication tool for the entire organization defining the importance of achieving these goals.

- Another way to measure organizational performance is the balanced scorecard. The balanced scorecard is a management tool that clarifies an organization’s goals, and defines actions and the measurement of those actions to meet goals. The balanced scorecard differs from previous methodologies in that it combines measurement of all business processes. This allows managers to see the organization from many different perspectives and identify areas for improvement.

- ISACA defines the application of the balanced scorecard to IT as a three-layered structure that addresses the four perspectives through the following.
Mission:
➤ To be a preferred supplier of information systems
➤ To deliver effective and efficient applications and services
➤ To obtain reasonable business contribution of IT investments
➤ To develop opportunities to answer future challenges

- Application controls are used to ensure that only accurate, complete, and authorized data is entered into a system. These controls can be either manual or automated and ensure the following:
➤ Valid, accurate, and complete data is entered into the system.
➤ Processing of data is accurate and performs the function(s) it was created for.
➤ The processing of data and results meet expectations.
➤ The data is maintained to ensure validity, accuracy, and completeness.

- Manual controls include checks performed by IT staff and IS auditors such as the review of error logs, reconciliations, and exception reports. Automated controls include programming logic, validation and edit checks, and programmed control functions.

- The IS auditor should use a combination of manual review (system documentation and logs), observations, integrated test facilities, and embedded audit modules. The IS auditor must review application controls, data integrity controls, and controls associated with business systems and components. These components might include electronic data interchange (EDI) and electronic funds transfers (EFT).

- In reviewing application controls, the IS auditor should review the following areas:
➤ Input/output controls
➤ Input authorization
➤ Batch controls
➤ Processing control procedures
➤ Processing
➤ Validation
➤ Editing
➤ Output controls
➤ Critical forms logging and security
➤ Negotiable instruments logging and security (signatures)
➤ Report distribution
➤ Balancing and reconciliation

- An IS auditor must first understand relative business processes before performing an application audit. This can be accomplished by reviewing the business plan, the IT strategic plan (long and short term), and organizational goals.

- In auditing input and output controls, the auditor must ensure that all transactions have been received, processed, and recorded accurately, and that the transactions are valid and authorized. The auditor should review access controls and validation and edit checks. It is important to remember that in an integrated environment, the output of one system could be the input to another system. Input/output controls should be implemented for both the sending and receiving applications.

- Some systems employ an automated control to provide authorization for data exceptions. An example is a sales transaction in which the price of the product is being reduced. The salesperson might not be authorized to reduce the price, but an automated request could be sent to a supervisor. The supervisor would then log in with a second-level password to authorize the price change.

- A second-level password is an automated process to facilitate the approval of transaction data exceptions.

- Automated access controls include the following:
➤ Online controls—Authorized individuals or systems are authenticated before performing sensitive functions
➤ Client identification—Specific workstations and individuals are authenticated before performing sensitive functions

- A batch control transaction summarizes totals of transactions within a batch. This transaction can be based on monetary amount, total items, total documents, or hash totals. These totals can be compared to the source documents to ensure that all items have accurate input. In addition, control totals ensure that the data input is complete and should be implemented as early as data preparation to support data integrity. Hash totals are generated by summing selected fields across a series of transactions or records. If a later summation does not reproduce the original total, this indicates that records have been lost, entered or transmitted incorrectly, or duplicated.

- Hash totals are used as a control to detect loss, corruption, or duplication of data.

- Data validation is used to identify errors in data regarding completeness, inconsistencies, duplicates, and reasonableness. Edit controls perform the same function as data-validation controls but are generally used after data has been entered but before it is processed.

- Data-Validation Edits and Controls
A sequence check ensures that data falls within a range sequence and that no values are missing or outside the sequence range. An example would be to ensure that all check numbers in a system fall within an acceptable range (such as 1–100) and that all checks fall within that range, with no missing checks.

- A limit check verifies that the data in the transaction does not exceed a predetermined limit.

- A range check verifies that data is within a predetermined range of values. An example would be a check to ensure that the data falls between two dates (such as 1/1/2005 and 6/1/2005).

- Key verification is an edit check ensuring input integrity by having initial input re-entered by a second employee before the transaction can occur.

- Data edits are implemented before processing and are considered preventative integrity controls.
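The batch control totals described above (document count, monetary total, hash total) together with the sequence, limit, and range edits, as an added example that is not from the book's text. The transactions, totals, and the three keying defects are constructed sample data; `Txn`, `verify_batch`, and the other names are this example's own.

```python
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Txn:
    check_no: int       # sequence-controlled document number
    account: int        # account number; only used to build the hash total
    amount_cents: int   # monetary amount in cents (avoids float rounding)
    posted: date


def control_totals(batch):
    """Batch control totals: document count, monetary total and a hash total.
    The hash total sums a field (account number) that is meaningless as a sum;
    it exists only so that a lost, duplicated or mistyped record changes it."""
    return {"documents": len(batch),
            "amount": sum(t.amount_cents for t in batch),
            "hash_total": sum(t.account for t in batch)}


def verify_batch(batch, expected):
    """Recompute totals for the keyed batch and compare with the totals recorded
    at data preparation; returns the names of totals that disagree ([] = balanced)."""
    actual = control_totals(batch)
    return [name for name in expected if actual[name] != expected[name]]


def sequence_check(batch, low, high):
    """Sequence check: every check number lies in low..high, none missing or repeated."""
    nums = sorted(t.check_no for t in batch)
    return {"out_of_range": [n for n in nums if not low <= n <= high],
            "duplicates": sorted({n for n in nums if nums.count(n) > 1}),
            "missing": sorted(set(range(low, high + 1)) - set(nums))}


def limit_check(txn, limit_cents):
    """Limit check: the amount must not exceed a predetermined limit."""
    return txn.amount_cents <= limit_cents


def range_check(txn, start, end):
    """Range check: the posting date must fall between two dates (inclusive)."""
    return start <= txn.posted <= end


# Constructed sample: four source documents and the totals recorded from them.
SOURCE = [Txn(101, 4471, 12500, date(2005, 2, 14)), Txn(102, 9083, 780, date(2005, 3, 1)),
          Txn(103, 1526, 45000, date(2005, 4, 22)), Txn(104, 3312, 999, date(2005, 5, 30))]
EXPECTED = control_totals(SOURCE)
# Three keyed versions of the same batch, each with one constructed data-entry defect.
KEYED_TRANSPOSED = [replace(SOURCE[0], account=4417)] + SOURCE[1:]   # 4471 keyed as 4417
KEYED_DUPLICATED = SOURCE[:3] + [SOURCE[2]] + SOURCE[3:]             # check 103 entered twice
KEYED_LOST = SOURCE[:1] + SOURCE[2:]                                 # check 102 never entered

if __name__ == "__main__":
    for label, batch in [("transposed", KEYED_TRANSPOSED), ("duplicated", KEYED_DUPLICATED),
                         ("lost", KEYED_LOST)]:
        print(label, "out of balance on:", verify_batch(batch, EXPECTED),
              "sequence:", sequence_check(batch, 101, 104))
    print("limit check on check 103:", limit_check(SOURCE[2], 40000))
    print("range check on check 103:", range_check(SOURCE[2], date(2005, 1, 1), date(2005, 6, 1)))
```

Note that the transposed account number is caught only by the hash total: the document count and monetary total still balance, which is why a hash total over a non-monetary field is kept alongside the other two.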

- During the review of input processing, the IS auditor can compare the transaction journal to authorized source documents. The transaction journal records all transaction activity and provides the information necessary for detecting unauthorized input from a terminal and completeness of transactions.

- Processing controls ensure that data is accurate and complete, and is processed only through authorized routines. The processing controls can be programmed controls that detect and initiate corrective action, or edit checks that ensure completeness, accuracy, and validity. Processing controls also include manual controls, such as these:
➤ Manual recalculation—Periodic sample transaction groups can be recalculated to ensure that processing is performing as expected.
➤ Run-to-run totals—These verify data values throughout the various stages of application processing. They are an effective control to detect accidental record deletion in transaction-based applications.

- Data is stored in the form of files and databases. Data integrity testing ensures the completeness, accuracy, consistency, and authorization of data.

- Two types of tests are associated with data integrity:
➤ Referential integrity tests—Referential integrity works within a relational data model within a database and ensures that the relationships between two or more references are consistent. If the data in one reference is inserted, deleted, or updated, the integrity to the second reference is maintained through the use of primary and foreign keys.
➤ Relational integrity tests—These tests ensure that validation (either application or database) routines check data before entry into the database.

- The purpose of EDI is to promote a more efficient and effective data exchange process by reducing paper, errors, and delays. In using EDI, organizations with dissimilar computer systems facilitate the exchange and transmittal of information such as product orders, invoices, and business documents.

- A communications handler is an EDI component that transmits and receives documents.

- Functional acknowledgments can be implemented in the EDI interface to provide efficient data mapping. A functional acknowledgment is a message transmitted from the receiver of an electronic submission to the sender; it notifies the sender that the document was received/processed or was not processed. Functional acknowledgments provide an audit trail for EDI transactions.

- IT governance encompasses the information systems, strategy, and people. This control helps ensure that IT is aligned with the organization’s strategy and goals. The board of directors and executive officers are ultimately accountable for functionality, reliability, and security within IT governance.

- In the development of a risk-management plan, ISACA states that the organization must do the following:
➤ Establish the purpose of the risk-management program. In establishing the purpose for the program, the organization will be better prepared to evaluate the results and determine its effectiveness.
➤ Assign responsibility for the risk-management plan. To ensure the success of the risk-management plan, the organization should designate an individual or team responsible for developing and implementing the risk-management plan. The team should coordinate efforts across the organization in identifying risks and defining strategies to mitigate the risk.

- As stated in Chapter 1, “The Information Systems (IS) Audit Process,” risk can be defined as the possibility of something adverse happening. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level (mitigation), and maintaining that level of risk.

- In developing the risk-management plan, the organization should identify organizational assets as well as the threats and vulnerabilities associated with these assets. After identifying potential vulnerabilities, the IS auditor should perform a business impact analysis (BIA) of the threats that would exploit the vulnerabilities.

- The IS auditor can use qualitative or quantitative analysis during the BIA to assess the potential impacts, or degree of loss, associated with the assets. Quantitative impacts are easily measured because they can result in a direct loss of money, opportunity, or disruption. Qualitative impacts are harder to measure because they result in losses associated with damage to reputation, endangerment of staff, or breach of confidence.

- The controls, called countermeasures, can be actions, devices, procedures, or techniques. After the organization has applied controls to the asset, the remaining risk is called residual risk.

- The organization’s management sets acceptable risk levels; if the residual risk falls below that level, further controls are not required. The IS auditor can evaluate this control to see whether an excessive level of control is being used. The removal of excessive controls can result in cost savings to the organization.

- In most organizations, the executive director works with the board of directors to define the purpose for the risk-management program. In clearly defining the risk-management program goals, senior management can evaluate the results of risk management and determine its effectiveness. The risk-management team should be utilized at all levels within the organization and needs the help of the operations staff and board members to identify areas of risk and to develop suitable mitigation strategies.

- By comparing and cross-indexing transaction data from multiple databases, data mining can be used to determine suspicious transactions that fall outside the norm.

- When storing data archives offsite, data must be synchronized to ensure backup data completeness.