PART 1

UNDERSTANDING THE CLIENTS’ BUSINESS, RISKS AND AUDIT IMPLICATIONS

Select a major (BEI) company has significant operations in the restaurant or retail industry. Using the information obtained from
publicly available information/resources (e.g., 10-K, annual report, press releases, company’s web site) complete the
requirements for Part 1 of the project. You may need to exercise some creativity and judgment to fill in gaps in the textual
description of the process analysis.

A. Client Business Model

To obtain an understanding of your company, prepare a model of the client’s business (Use the Client Business Model
Template). The business model will enable you to gain an understanding of the company’s business, global environment, risks
and controls. The model should identify the unique issues that the business faces within its industry/operations and include,
but not limited to the following:
1. Management’s Strategic objectives/goals
2. External Forces that may have an impact on the company (or management’s objectives): focus on environmental and
competitor forces, paying special attention to the significance and implications of the following strategic business risks
and the changing industry environment
3. Key Internal Business Processes (processes designed to carry out management objectives – primary or support)
(e.g., customer service):
4. Internal threats to management’s objectives
5. Markets that the company operate in: geographical and customer
6. Core Services/Products
7. Primary Customers
8. Primary Competitors
9. Strategic partners and alliances (relationships) that are critical to company (e.g., suppliers, government) These
relationships may be critical because they relate to the company’s core competencies (e.g., suppliers), represent
unfulfilled opportunities (e.g., cost savings, increased revenues, fines/sanctions), and/or represent critical vulnerabilities
(e.g., competitor’s actions).

B. Company’s Financial Strength

-Assess the financial condition and performance of the company.

C. Business Processes Risk Analysis (Internal Risk Analysis)

Given the company’s strategies, certain internal processes are considered key business processes. The process is considered to be
critical because (1) it is vital to the strategic success of the organization (i.e.., critical to achieving objectives/goals, (2) it exhibits
high inherent business risk (i.e., extensive external interactions) and/or (3) it may have high risks.

Some of the common business (core and sub-processes) processes for a retail store or restaurant are:
− supply chain management − human resource management − product and service innovation*
− procurement − customer service delivery − regulatory and safety management
− product or service delivery − financial and treasury (cash) inventory management
− food (or product) planning, management − information and technology management
production and replenishment − brand and image delivery − customer acquisition and retention
− merchandise/store layout and design − property acquisition and management

*may include product/menu engineering, research and development, recipe development, maintenance and costing

In preparing a business-process analysis, auditors may construct process maps and assesses internal threats to identify risks that
relate to, or emanate from, key activities performed to advance process objectives. Process (i.e., internal) risks reflect what can go
wrong to keep the client from achieving its process objectives. Process risks arise from various sources, including but not limited
to: governance (authority, leadership, and performance incentives), integrity, compliance, operations (quality technology,
efficiency, and effectiveness), information management, financial management, human resources

1. Prepare a Business Process Analysis for the two (2) most critical business processes (from the key business processes
identified above). Your analysis should focus on the key business processes – the processes which are critical to the company
achieving its strategic objectives. These key/core processes will also be critical to the audit and which is likely to have a
significant impact on the audit procedures and evidence that an auditor utilizes during the course of the engagement.
a. Using the Business Process Analysis Template, provide the following:
i. Description and objectives of the process (i.e., what the company needs to achieve within the process to advance its
overall strategic objectives.)
ii. Explain why each of the business processes identified above are important to company’s strategies.
 iii. Critical Success Factors
iv. Key performance indicators (KPIs): financial and non-financial quantitative measurements, used by an entity or
auditor, to evaluate performance in terms of the defied business objectives focusing on three dimensions: cycle time
(efficiency), process, quality, and process cost. KPIs can provide evidence as to whether specific process risks are
being controlled effectively and success. KPIs can also provide auditors with evidence about particular assertions and
used to develop expectations.
v. Inputs needs (i.e., the elements, materials, resources or information needed to complete the activities in the process,
make decisions or improved the process)
vi. Central business activities that comprise the process (the central activities related to the client’s processes that must
be performed to enable the company to make better decisions related to physical actions or to monitor and improve
the process and achieve its objectives/strategy.).
vii. Outputs produced (i.e., end result of the process – the product, deliverable, information or resource that is produced.)
viii. Class of Transactions: Identify and evaluate the accounting transactions that are affected by the activities within each
process. Separate the transaction into the following categories: (1) routine transactions, (2) nonroutine transactions,
and (3) accounting estimates. (Routine transactions are rarely a source of significant audit risk because they typically
are well controlled in organizations and can be easily evaluated by the auditor. Nonroutine transactions and estimates
typically are the major sources of risk to an auditor.)
ix. Identify the riskS that threaten objectives. Many of the strategic risks will influence the risks within each process.
x. Controls Linked to Risks: Identify information, evidence, controls (procedures, activities and policies) that
suggest/acknowledges that management is aware of the risks and has controls/activities in place to
mitigate/management risks. How does the identified controls help mitigate/management specific risks?
xi. Evaluate the financial statement implications if these risks are not managed and controlled effectively.
Example:
How Control Potential Audit
Potential Management Mitigates the Key Performance Implications
Core Process Process Risks Controls Linked to Risk Specific Risk Indicators (See below)
●
Brand Failure to ● Comparison ● Customer retention
Management monitor shopping
Process competition
GUIDELINES FOR SUBMISSION OF PROJECT
• The final report submitted for evaluation should consist of the items listed below.
1. Cover Page (include: Company name, Team Members’ Name and Contact Information, Course Section)
2. Part 1
3. Appendix (contain other relevant information) [Optional]
4. References:
• information sources, databases, infobases and other reference sources used for your analysis. In general you
should document your research strategy. If you are using information from the Internet, your cite should include
the exact web address/link.

• No hard front or back binding materials should be used to secure the project (Suggestions: spiral binding, staple, or other
such binding that allows for folding/turning)
• Please label and number your responses to correspond to the requirements.
• Be prepared to fully discuss the company based on the guidelines given.
• The responses should be prepared in lay terms based on your evaluation of the relevant information obtained.
• Although the majority of the project’s grade will be based on the informational content, a considerable percent of the
grade is based on the quality of communication (e.g., organization, sentence structure, grammar, spelling, etc.)
 Company Name
Client Business Model
Strategic Objective(s)

Goals

Product and Services Lines

Primary Customers

Primary Competitors

Markets that the company operate in: geographical and customer

Strategic Partners and Alliances (relationships) that are Critical to the Company

Environment and Industry Overview (including recent changes)

Recent Changes in TMH’s Business Practices, etc

External Forces that may have an impact on the company (or management’s objectives/goals):

Key Internal Business Processes (processes to carryout objectives – primary or support)

Internal Forces that may impact the company (management’s objectives/goals)

Other Information
 Strategic Risk Assessment Template
(complete a separate template for each identified EXTERNAL business risk/threat)
Company Name:
Strategic Objective:

Critical Success Factors:

To succeed, an organization needs:

Business Risk/Threat [including Impact/Implications and Likelihood (high, low, moderate)]:

Source of Threat:

Activity Likely to be Affected:

Control Objective(s):

Specific Audit Objective(s):

Potential Key Controls Related to identified Business Risks:

Audit Risks (e.g., Potential Financial Impact):

Audit Implications (Audit Response) to each identified Risk (e.g., planned audit activities or tests of financial statement
assertions):
 Business Process Analysis Template
(complete a separate template for each key process)
Client Name:
Process:
Description and Objective(s) of Process:

Critical Success Factors:

Key Performance Indicators:

Inputs:

Key Business Activities:

Outputs:

Identify the classes of transactions that are likely affected by the activities within each process: Specify the transaction type
as either routine, non-routine transaction or accounting estimation:
Class of Transaction Transaction Type Account(s) Impacted

Identify and evaluate at least TWO (2) Risks that may negatively impact the Business Process:

Identify TWO (2) Key Controls Over/Related to each identified process risk (use format below):
Key Control Assertion(s) Type* Nature^

Potential Tests of Controls (Be Specific, identify one test (other than observation or inquiry) for each identified control):

Potential Implication on Planned Evidence (i.e., Substantive Testing): If the controls are (are not) operating effectively, what is the effect on
planned substantive tests? Consider risks of misstatement of specific assertions and expectations about the financial statements.
1. Identified controls are operating effectively:

2. Identified controls are not operating effectively:

*Specific whether the internal control is a preventive (P) or detective (D) mechanism.
^Specific whether the internal control is manual (M), automated (A) or combination (C).