Do you want to streamline inefficient processes in your business? The sources of bottlenecks in a company are information silos, poor reporting, manual processes, and redundancy. According to an IDC report, poorly optimized processes can cost you 20%-30% of annual revenue.

The good news: you can conduct a business process audit based on a risk-based model within your company, identify the highest risks, and implement organization-wide steps to mitigate them.

First, let’s have a quick primer on these terms.

What Is a Process Audit?

A business process audit is a series of steps conducted to inspect the processes of an organization to analyze whether they help achieve the desired objectives.

Unlike a financial audit, any individual with an understanding of and access to the business processes (although an experienced and qualified internal auditor is the best candidate) can undertake a business process audit.

Finally, a business process audit can inspect a specific function, program, product line, or team.

What Is a Risk-Based Audit Approach?

Auditors traditionally adopted the controls-based approach: they inspected the compliance of processes to an established set of criteria.

A risk-based model approaches the audit according to a baseline audit that helps underpin the highest risks to the organization. The internal auditor can narrow the scope, prioritize organizational risks, and support company management more efficiently.

Here is a complete guide to conducting a successful business process audit.

Business Process Audit Checklist: A Step-by-Step Guide

Assemble the Core Audit Team

The core audit team should consist of the Audit Director, Lead Auditor, and a Junior Auditor.

The role of the Audit Director is to approve the policies, procedures, and standards of the business process audit, and develop an overarching audit program. The Audit Director’s key responsibility is to oversee the Internal Audit team to ensure on-track progress and success of the process audit. The ideal Audit Director has demonstrated capability in audit work and has worked closely with senior management in the past.

It is relevant to mention that the COSO 2013 Internal Control-Integrated Framework, the gold standard to comply with the Sarbanes-Oxley (SOX) compliance purposes, can be leveraged by the Audit Director to create the overall audit program. For more information, refer to KPMG’s whitepaper on the framework.

The Lead Auditor has the following key responsibilities:

Prepare the audit plan
Select the team members and identify other key stakeholders
Sign off on concrete roles and responsibilities for the Audit team
Submit the audit report with key findings to company management

The Junior Auditor’s key role is to assist the Lead Auditor by:

Supporting them in delivering the audit reviews
Participating in the fieldwork and conducting interviews with auditees alongside the lead auditor

Plan the Audit

The core team should answer the following questions to ensure the project has a clear set of objectives.

How will the audit assist the board or executive management in meeting business objectives while protecting the organization?
Is this a new process audit or a re-audit? Has a similar audit been conducted in the past? In case of a re-audit the previously identified risks should be considered in the new audit plan.
What enterprise risk(s) does the audit address?

Align With Key Stakeholders

The Audit Team should confer with the following stakeholders:

The CFO/CTO/COO of the company, or a relevant stakeholder in the executive committee, should be aligned with the Audit Director on the objectives and success criteria of the business process audit
An external subject matter expert (SME) or guest auditor will be aligned with the changing business landscape and help auditors ensure the key processes and controls are in order.
A business process expert can help auditors get a better overview of the business or function. The Audit Team can define the audit scope according to the expert’s insights. Note: the business process expert should not have any overlaps with the auditees, as this will be a conflict of interest
Data Analytics support: A data-driven audit approach enables more reliable decision-making. It is imperative to include your organization’s DA (data analytics) team to assist in the following:
- Scoping: Analysts can crunch historical and real-time data to help identify the problem areas. With the data-driven insights from the DA team and the expertise of the business process expert and SME, the audit scope can be underpinned.
- Assist with fieldwork: The trends identified through DA can shape the direction of your fieldwork and interviews with auditees.
- Insight generation: The data collected during fieldwork can be analyzed further to understand sentiment and forecast trends through regression models

Collaborative business meetings should ideally be conducted one to two quarters in advance. The business process expert and DA team should be allowed to confer separately (with the audit team’s signoff) as an understanding of the business context is key to effective analysis.

Define the Audit Scope

Around a quarter in advance, the audit scope should be narrowed down by the auditors after audit sampling, and taking inputs from the experts and DA team. The Audit Director does the final sign-off on the scope.

The scoping stage is concluded after the preparation of the initial audit plan. The plan should define and highlight:

The area(s) within the process that are in scope (Governance, Strategy, Roles and Responsibilities, Internal Documentation, Risk Management, etc.)
Objectives and key metrics
Controls in place to meet the aforementioned objectives
Audit Hypotheses for each area within the process
Test plan to validate audit hypotheses
Documentation required

It is prudent to create a RACI matrix for the agreed-upon stakeholders and agree upon timelines for each audit phase.

Obtain Documents and Data Access

The following documents and data should be requested:

Process documents
Org chart
Data repositories
Business reporting solutions
Applications used in the process
Master data for the process under audit

This step is usually long and tedious. The bigger the organization, the messier the documentation.

The audit team can enlist the help of the data analytics team in obtaining documentation and requesting access to relevant data and applications. The timeline allotted to this step should be no longer than a month (ideally, two to three weeks).

The documentation obtained will be instrumental in informing the subsequent audit program. The auditors should follow a data-informed approach and use the data to analyze trends and sample audit data.

If the data collection is speedy, the DA team can perform advanced analytical operations to detect anomalies, forecast metrics, and create impactful visualizations and reporting solutions.

Prepare for Fieldwork

Following the initial scoping, documentation, sampling, and analysis, the audit team should have an internal meeting to update the audit plan. The Lead Auditor and Junior Auditor should create process flow outlines and questionnaires in preparation for the interviews.

Note: It is important to set a positive tone in the interview questionnaires: demystify the audit process, encourage questions, and work with the auditees to establish trust and transparency.

Fieldwork

The fieldwork phase is where the rubber hits the road. Lasting approximately 1-2 weeks, this is the phase where the Lead Auditor, Junior Auditor, and Guest Auditor interview stakeholders, perform testing and random sampling, and gain on-field context on the business and risks.

During this phase, a useful tool is to create a survey questionnaire for the auditees: with each question linked to different audit hypotheses. The responses to the survey can be analyzed by the DA team to validate audit hypotheses and help auditors underpin their findings with a data-based approach. Survey analysis is an effective and anonymous way to assess customer sentiment and provide an avenue to express their outlook on various aspects of the process.

Audit Reporting

The reporting phase (1-2 weeks) encompasses the final testing, conclusive meetings, and report creation based on the audit findings.

Agreed-upon actions, action owners, and ETAs are documented in the report. The audit report should provide a comprehensive overview of the areas of the process assessed, the maturity of processes in each area, the evidence underpinning the insights, and – most importantly – a rating scale determining each area as high, medium, and low risk.

The auditor can recommend follow-up actions, and (if required) prescribe a re-audit for highlighted areas of the process, or in certain instances, the process as a whole.

It is relevant here to highlight the Process Maturity Model, where different areas are flagged in five categories: ad-hoc, repeatable, defined, managed, and optimized. This model can be relevant for new programs in an organization, particularly in IT or digitization processes, as these are more iterative than others.

This report is created through the joint effort of the auditors and the Audit Director. After the final sign-off, it is submitted to the accountable member of the executive committee along with insights and recommendations.

Conclusion

A proper business process audit cannot be executed without a good audit team.

The ideal audit team should have a thorough understanding of the business objectives and compliance standards. They should be able to accept insights from process and data experts and incorporate these into their fieldwork. Finally, the auditor must understand the balance between asking difficult questions and preserving the human touch with the auditees.

The internal audit team you choose for your business may drive decision-making in strategic areas. When leveraged correctly, timely process audits can drive a positive impact on your organization and take you closer to your business goals.