Risk Management / Internal Controls (3-4 single-spaced pages)
Your company, Medical Devices R Us, is a medical device product design and manufacturing company with $3 billion in annual sales. The company has been in business for 30 years. The medical devices industry is very competitive with short product life cycles and worldwide competition. The company's business has been growing at 5% a year for the last 10 years with about 20% of that growth occurring in Asia.
Medical Devices R Us has historically designed and manufactured all its products in the U.S. The company is considering outsourcing some of its product design and manufacturing to a company in Taiwan. The company in Taiwan has been designing and manufacturing its own medical devices for less than ten years. Currently its products are not as high value-added as the ones from Medical Devices R Us. At present none of the products manufactured by the company in Taiwan directly compete with those of Medical Devices R Us.
The internal auditing department has been asked to perform a review prior to a final decision being made. In order to understand the industry and current trends, you should do research. Some research recommendations are as follows:
1) Professional organizations in this field
2) 10-K filings from companies in this industry
3) Web sites of regulators (for the U.S. it would be the FDA)
4) Articles and blogs dealing with outsourcing
You are encouraged to identify your own information sources.
Your report must cover all of the following items:
1) What are the key business objectives for Medical Devices R Us? You are free to make assumptions, but base them on some research of the industry and clearly note your assumptions in your paper.
2) There are a lot of risks you can cite in this case. In this section I want you to cover the following:
a) In your opinion what are the five most significant business risks involved in this outsourcing decision and why?
b) Describe the significance of each of these risks and the potential impact on the company if there is a risk event.
The ISO 31000 definition is "An event could be one occurrence, several occurrences, or even a nonoccurrence (when something doesn't happen that was supposed to happen). Events are sometimes referred to as incidents or accidents. Events always have causes and usually have consequences."
Your business risks should be related to the achievement of the business objectives. Do not do a cut and paste from your sources!
3) How should each risk identified in part 2 be managed? What internal controls do you recommend be implemented and why? Be specific.
4) Assuming the company decides to go ahead with this arrangement, where can internal auditing add value going forward?