The recent financial turbulences raise questions on how risk analysis is conducted. Regulatory requirements and professional standards have been introduced in the last decade in order to obtain a more reliable internal control on financial reporting process with a new emphasis on business processes. However, there are no standards yet available on how business processes should be captured for facilitating risk analysis in audit assignments. Representations of business processes have been investigated in the field of business process modeling. There exists a broad spectrum of notations and formalisms with relative strengths and weaknesses. Many of the popular notations build on a graph-based representation where activities of a process are connected with directed arcs defining the control flow. Such notations have been widely adopted for redesigning business processes. But also text-based formats have been defined. Corresponding process specifications define the activities of a process as lists with additional free text information. This raises the question whether the tools and methods for analyzing business process risks in auditing practice is appropriate for its objective. This paper reveals the benefits of adopting business process models for auditors toward understanding a companies business processes and the issues need to be considered for further development. The analysis also shows that practitioners use process models rather for risk elicitation and less in risk assessment.
Ritchi, Hamzah and Mendling, Jan, "Business Process Models for Risk Analysis: Expert View" (2012). CONF-IRM 2012 Proceedings. 49.