It is very important for Big 4 IT consultants like me to understand the clients business processes before we can help them in identifying controls. To understand a business process, I normally follow a systematic way. So irrespective of the fact whether the process is IT related or not I would approach business process understanding as under:

- Review the available documentation, user manuals, input documents, flowcharts, description of controls, risks if available.
- Interview key process owners, managers, IT personnel, system users, process users etc.
- Finally, I would review existing standard reports, exceptions available for the process.

Following the above methodical process ensures that as an auditor / consultant, I have a through understanding of the process. I normally try and identify information sources which can help me understand the process better. Thus, rather than taking a traditonal approach, I find it better to take a proactive forward looking approach in understanding the business process. The better the understanding of the business process that one has, the better one would be able to point out risk & controls within the process. Identifying key risks and controls is the next logical step after process understanding. It also becomes easy to test the controls once you have an understanding of the process.

Related Posts

Testing Controls in Absence of Evidence
Internal Audit Charter & SOX
CPA's Role in SOX Compliance
Automated Vs Manual Controls