CHAPTER 3

1. What are the benefits of the internal audit function establishing a risk-based plan when identifying
the priorities of the internal audit activity?

Risk-based auditing is a method of auditing which focuses upon the analysis and management of
risks. It primarily focuses on the inherent risks involved in the activities or process of an organization.
Internal audit functions provide assurance that those risks are being able to manage by the company
effectively and efficiently (Malhotra, 2020).

Internal auditors should establish risk-based plan than what is traditionally used because it
addresses and identify risks with greatest potential impact that could prevent an organization from
achieving its objectives and goals. Establishing a risk-based plan, the internal audit function will set
priorities based on what areas are recognized to be the riskiest in achieving the company’s objectives.
With that, auditors can identify and categorize risks and be able to determine what procedures will be
best suited to control and assess these risks.

2. Describe three ways that internal auditors can better identify the risks related to the area under
review.

Risk Identification is the process of identifying all possible risk and threats that could harm the
organization’s operation and can prevent them to achieve their objectives and goals. Identifying and
assessing risk enables internal auditors to formulate plans to minimize those possible harmful events
before they occur (Watt, 2014).

One of the ways to better identify the risk related to the area under review is to use a prepared
list. Using lists can help an internal auditor to review most common risks that often occur in an
organization and point out new risks that should be included in the assessment which could also impact
the organization. Using checklist to segregate risks can help internal auditors to plan the process of
assessing and minimizing the said risks.

Another way is for the internal auditors to gather sufficient information and conduct research
about the company or organization’s operation. In this way, internal auditors can be familiar to the
activities or processes executed by the organization which will assist them in identifying risks involved in
the assessment how to control it.

It is also useful to include people with a deeper and wider knowledge in analyzing the program
and process to be done. An internal auditor may consider to includes employees with great technical
skills and those employees who have worked for a company or organization for several years. Their
experience over that years and expertise in technical stuff can be a big contribution in several process to
be done in the assessment of risk (Murdock, 2016, p. 64).
3. What are three internal and three external factors affecting a typical organization? How do these
factors affect the future prospects of the organization?

According to Murdock (2016), three of the internal factors that affects one organization are the
personnel, processes, and technology. While on the other hand, economic, natural environment and
social issues are the external factors that affects the organization (p. 71).

Internal factors are those factors inside the organization that are generally under the control of
the organization. These factors influence the organization’s activities, processes and even the
employee’s behavior. However, external factors are those factors that occurs outside the company.
These are uncontrollable factors outside the company but still have significant impact to inside
operations and growth of an organization (How Internal and External Factors Drive Organizational
Change, 2012).

These internal and external factors if not controlled can affect the prospects of an organization.
Ignoring these factors can be a big mistake to any organizations. Companies should have continuous
monitoring of these factors, making proactive changes and continuously to adapt to those changes.
Analyzing and controlling the internal and external factors that affects one’s organization can help them
take advantage of the opportunities available or making threats as an opportunity. Being aware of these
factors that can influence the company can identify threats and can help address them before they
become a real problem to the organizational activities and objectives of the company.

4. Describe an event that has transformed or disrupted an industry and include: (1) An example of an
organization that benefited from that opportunity and (2) an example of another organization that
mismanaged it and suffered losses as a result.

When asked about an event that has transformed or disrupted an industry, the first thing that
come to my mind right now is our present situation we are experiencing which is the outbreak of
coronavirus. During this pandemic, manufacturers of soap, hand sanitizers, alcohol, medical supplies like
masks, face shields and others, have an increase in sale due to the sudden emergence of public
demands. On the other hand, beauty, or wellness services such as beauty parlors, spa salon, and the like
are in a tough position right now since these businesses are dependent on people visiting their stores to
enjoy their services.

5. List three organizations that provide lists of common vulnerabilities useful during a risk assessment.

One of the three organizations that provide lists of common vulnerabilities that can help during
risk assessment is the Federal Emergency Management Agency. This organization come up with the
Mapping Information Platform and Risk Mapping, Assessment and Planning which provides information
and risk assessment tools to strengthen public awareness and generate better decisions about reducing
risk to life and property.
 Another organization is that provides lists of common vulnerabilities is the US Geological
Services (USGS). They provide seismic information that gives awareness to any organization about their
vulnerabilities from fault lines, landslides, volcanic activities, and any other hazards that may occur in
the location of any company.

The National Weather Service also contributes significant information about weather such as
rain, hurricane, air quality, winter storm, flood, marine weather and many more. It is important to be
aware about this information because it can affect the health, safety, and operation of an organization
(Murdock, 2016, p. 72).

6. List three of the benefits of CSA programs.

Control Self-Assessment program is a process of assessing controls which are executed by the
personnel of an organization involved in the area or process that is being assessed (Importance of
Control Self-Assessment (CSA) to Organizations, 2018). There are many benefits that an organization can
enjoy by performing control self-assessments. The obvious one is that an organization can gain deeper
knowledge or insights into its processes and activities. It can help strengthen the internal control of an
organization which in turn, gives guarantee to stakeholders, customers, and other parties about the
reliability of the internal control system of the company.

It strengthen the reliability of the internal controls of an organization by comparing the

information gathered during a CSA process on what the process owners include in the forms and what
internal auditors should consider for the effectiveness of risk control. For this to be effective, CSA
programs requires commination and should be associated with the internal audit results. Put simply,
CSA programs align the objectives of the business with risk and control processes.

CSA programs are designed to address the gap between those people who took up internal
auditing class and those who do not. It consists of questionnaires and any other forms that help
personnel to point out major activities in the production, identify objectives and risk controls and other
significant activities affecting the programs and processes. In this way, managers have the assurance
that employees are aware of the risk of the business and be able to conduct reviews on their internal
controls and the risk associated with it (Murdock, 2016 p. 75).

7. Describe three risks that are unique to each of the following two manufacturing approaches: made
to order (MTO) and made to stock (MTS).

Make to Order (MTO) is a manufacturing process that allows customers to customize their order
based on their specification. The production of the products begins only if there are a confirmed
customer order. Make to Stock (MTS), on the other hand, is a manufacturing process that involves
producing of products based on anticipated customer demand. The process involves forecasting that
helps companies to estimate how many goods to be generate and how many items to supply in the
stock to meet those orders.
 One of the risks when using made to order manufacturing process is that the customer waits
longer. Since it will only begin when there is a confirmed order, customers will have to wait for a while
before receiving the products. Also, this type of manufacturing process gives way to irregular sale
demands like for example, the Christmas decors. Related types of businesses can experience sudden
lulls or massive boom in demands based on seasonal periods. Another risk associated in make to order
processes is that material stock is falling behind. In using make to order manufacturing process, the
company should always be ready and have sufficient materials for the next customer orders.

Unpredictable nature of customer trends is one of the risks to be considered in using the make
to stock manufacturing process. Even though you can forecast demands by analyzing past sales, you
cannot accurately estimate or predict the outcome of your sales. Also, there are many factors and
variables to be considered in estimating products to be manufacture which will result to difficulty in
forecasting sales of an organization. Another is that since products are manufactured in advance in a
make to stock process, there can be a shortage or surplus in the company’s inventory (Make to Order Vs
Make to Stock: The Final Workflow Showdown, 2018).

8. Explain why internal auditors should consider bottlenecks, long cycle times, redundancies, and
reprocessing as operational risks.

Bottleneck refers to a stage in a process where there is limited productive capacity, thereby
delaying, or stopping the flow of operations (Murdock, 2016, p. 77). Literally, bottlenecks work the same
as the bottle itself. The narrow neck interrupts the work productivity which results to delaying the
production process and fails to keep up with the customer demand that is why internal auditors should
also consider this type of operational risk.

Cycle time refers to the reduction in the time and related costs essential for products to be
produced or service to move through part or all supply chain. Long cycle times can result because of
inefficient flow of production. Internal auditors should also consider assessing this kind of operational
risks because if not, the business will incur additional insignificant costs. On the other hand, considering
this kind of operational risk can lessen the time used in the production cycle which will open to more
opportunities and minimize cost.

One of the risks which internal auditors should consider when it comes to production are the
redundancies. Repetition of works can delay the normal production and affects the image of the
organization that is why it should be included in assessing operational risks.

Reprocessing is the treatment done to materials with unacceptable quality. It is executed by

repeating the same process steps done in the production of the said goods. Internal auditors should also
consider this type of operational risk because it can also result to incurring additional insignificant risk
and create more waste since not all products can be subject to reprocessing.
9. What are the risk implications of outsourcing? Explain why management must remain vigilant even
if a process and related activities have been outsourced to another organization.

Outsourcing is a business practice in which an organization hires a third party to perform tasks
or provides services for the company. Companies use outsourcing to cut labor costs, such salaries for its
personnel, overhead, equipment, and technology (Twin, 2020).

Outsourcing provides benefits like reducing expenses, minimizing costs, boosting of productivity
and efficiency, increased focus on core competencies and many more. Even though it has many benefits,
outsourcing also carries some risk like language and cultural barriers, time zone differences, lack of
control, the risk of supply chain disruption, and poor quality (Murdock, 2016, p. 80).

Management must be careful in outsourcing processes and activities of the organization

because first, security threat can rise when multiple parties or many people can access sensitive data or
confidential information of the said organization. This can lead to fraud, identity theft and any other
similar threats that can impact the whole status of the organization. To avoid this, internal auditors, or
the company itself should have effective and efficient risk control and management.

10. What are some of the practices expected of organizations to fight corruption and support

efforts to decrease institutional corruption?

Corruption, as defined by Murdock (2016), occurs when a person with such authority acts in bad
faith and for the purpose of personal gain or benefit (p. 83). It is bad for the society as well as to
businesses because it gives rise to financial, operational, and even reputational risks. Companies should
implement effective anti-corruption measures to minimize these risks.

One of the ways to fight corruption and support efforts to decrease institutional corruption is for
the organization to implement anti-corruption programs and policies throughout the company. If there
are existing anti-corruption programs and policies already, try to update it and identify what is working
or not. Organization should also be able to communicate the status of the company or its activities to
stakeholders and other external parties with transparency and should be fair represented. In that way,
internal auditors can see to it if there are any anomalies and check if the company is free from
corruption.
REFERENCES:

Malhorta, Varun. (2020, July 25). What is a risk-based audit? Retrieved from
https://www.quora.com/What-is-a-risk-based-audit

Watt, Adrienne. (2014, August 14). Project Management. Victoria, B.C.: BCcampus. Retrieved from
https://opentextbc.ca/projectmanagement/

How Internal and External Factors Drive Organizational Change. (2012, October 4). Retrieved from
https://study.com/academy/lesson/how-internal-and-external-factors-drive-organizational-change.html

Importance of Control Self-Assessment (CSA) to Organizations. (2018, April 3). Retrieved from
http://wsm.co.uk/blog/importance-of-control-self-assessment-csa-to-oragnisations/

Make to Order vs. Make to Stoc: The Final Workflow Showdown. (2018, December 19). Retrieved from
https://katanamrp.com/blog/make-to-order-vs-make-to-stock/

Twin, Alexandria. (2020, July 5). Outsourcing. Retrieved from

https://www.investopedia.com/terms/o/outsourcing.asp#:~:text=Outsourcing%20is%20the%20business
%20practice,as%20a%20cost%2Dcutting%20measure

Murdock, Hernan. (2016). Operational auditing: Principles and techniques for a changing world. Boca
Raton, FL: CRC Press.