
Limits of process documentation: narratives, flowcharts, and other process descriptions constitute only one component of internal control evaluations.


PROCESS DOCUMENTATION represents an integral part of many audit departments' approach to control reviews. In light of mandated control attestations imposed by the U.S. Sarbanes-Oxley Act of 2002, many companies--and their audit departments--are documenting more processes than ever before.

Today's heightened reporting requirements and control-related imperatives demand that auditors fully examine the purpose and intended result of documenting a process. Although documentation can be a valuable tool, it is best used only for specific types of control evaluations. Auditors need to understand the limitations of process documentation and recognize the need to supplement documentation techniques with methods of identifying a full range of internal controls.

UNDERSTANDING THE OBJECTIVES

The word process in process documentation refers to the steps a transaction follows through an organization's systems, applications, and people. The documentation consists of a narrative, flowchart, or some other description of the way the process works.

Process documentation is not required by Sarbanes-Oxley, nor is it a significant feature of The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework. Instead, it is a method auditors have developed to demonstrate their understanding of a process and to provide increased reliability on their identification of process-flow controls. Both COSO and Sarbanes-Oxley include provisions for control identification, but not the documentation of a process.

Internal auditors document processes to identify one specific type of internal control--the procedures that help ensure data is entered, manipulated, and output in a complete, accurate, authorized, timely, and safeguarded manner. This method of analysis results in a list of control objectives that the process flow should achieve--such as "Be sure all transactions are authorized"--and it is one of many possible ways to analyze process flow.

Auditors use process documentation to determine how their clients control the flow of data and achieve control objectives. Often, evaluators then identify the risks that threaten achievement of each control objective and document the responses--or "controls"--that prevent or detect these risks.

A PIECE OF THE PUZZLE

When evaluating internal controls, auditors need to recognize that identifying process controls constitutes only one aspect of the overall evaluation. For example, if a company adheres to COSO's Internal Control-Integrated Framework, process flow documentation only sets the stage for addressing two of the framework's components: activity-level Risk Assessment and Control Activities. Process documentation does little to address the remaining COSO components of control--Control Environment, Information and Communication, and Monitoring--or the entity-level objectives and risks a company faces in achieving its objectives. To evaluate internal control fully against the COSO framework, these additional components need to be documented and analyzed as well.

Process documentation only provides an evaluator with enough information to identify an activity's potential risks, as well as the established responses to those risks. Responses might include measures such as information technology (IT) edits, user identifiers, and batch balancing. Once processes have been documented, the evaluator must identify the procedures--or Control Activities--management has in place to ensure the responses are actually carried out.

Control Activities operate at a higher level than process flow--they constitute the means by which management knows activity or process-level responses to risks are working. Examples of Control Activities include segregation of duties, top-level reviews, reconciliations, key performance indicators, policies and procedures, and IT program change controls.

Many evaluation teams confuse process flow controls (which are typically responses to risks) with COSO's Control Activities (which are the measures taken to ensure risk responses are working as intended). When this occurs, evaluators are likely to identify numerous, detailed controls, causing them to lose the advantage of conducting a high-level review of the organization's Control Activities.

ALTERNATIVE METHODS

Although process documentation is probably the most common method of identifying process-level controls, many alternative approaches exist. For example, COSO's Risk Assessment and Control Activities Worksheet--or Risk/Control Matrix (RCM)--facilitates control identification using an activity's objectives and risks, rather than process narratives or flowcharts. While the RCM is often misperceived as a requirement, COSO emphasizes that the matrix is not a required format and that it is not intended as a preferred method of documenting objectives and risks.

When completed by process workers, an RCM seldom needs to be supplemented with flowcharts or narratives--the workers already understand their own processes, can identify risks and controls easily, and can self-assess their activities. Workers can describe the most important steps in the process, identify potential risks, and detail the preventive measures in place to mitigate those risks, without having to produce written documentation. Although items such as desk manuals and procedure guides are important to the control process, they should ultimately exist for the workers, not the auditors. Insufficient process documentation is a potential control weakness that should be remedied by the work unit instead of by those performing the evaluation.

In addition to the COSO matrix, there are several other methods of identifying, documenting, and evaluating process-level controls. Common approaches include:

* Analyzing controls over input, processing, and output. This approach is set forth in the IT Governance Institute's Control Objectives for Information and Related Technology (COBIT) and is aimed specifically at auditing information technology.

* Analyzing an activity's strengths, weaknesses, opportunities, and threats (SWOT). Because many companies use SWOT analysis to evaluate operational areas, this approach can help align the audit effort with the tools used by the rest of the organization.

* Using internal control evaluation checklists. Pre-defined lists of internal controls for typical activities and processes are widely available and provide an excellent starting point for identifying controls.

* Conducting facilitated workshops or surveys. Control self-assessment sessions can also be used to identify controls. When workshops include process workers, control identification can be both efficient and informative, enabling workers to gain additional knowledge about processes by discussing them with each other.

With any of these methods, evaluations conducted exclusively by individuals who are not part of the process under review usually need to be accompanied by flowcharts, enabling evaluators to identify controls and demonstrate that they know enough about the process to reliably perform the evaluation. When this occurs, the total amount of time required to identify controls can be double or triple the time process owners would take, because outside individuals must first learn the process and identify the controls before conducting the evaluation.

The ideal scenario occurs when process employees have already identified their most important controls in company desk manuals, policies, or other documents. Most likely, more and more companies will develop these types of "permanent documentation" in the coming years, particularly in light of ongoing Sarbanes-Oxley compliance efforts.

DOCUMENT WISELY

Although process documentation is a widely used control-identification tool, internal control evaluators are not required by laws or standards to document processes at a detailed level. The U.S. Public Accounting Oversight Board's Auditing Standard No. 2 (AS2) states that external auditors are required to "understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported and to identify the points within the process at which a misstatement--including a misstatement due to fraud--related to each relevant financial statement assertion could arise." This requirement certainly calls for documentation of financial processes, but not at a detailed level. Similar requirements have existed for years in the American Institute of Certified Public Accountants Statement on Auditing Standard No. 78, and neither this standard nor AS2 requires detailed process-flow documentation.

While flowcharts and narratives can facilitate control evaluation, they can also lead to unnecessary expenditures. In fact, process documentation, especially when carried out in great detail for routine processes, is a primary driver behind criticisms of Sarbanes-Oxley Section 404 efforts. Many surveys that examined year one of Section 404 compliance indicate that companies over-documented and over-tested routine data flow areas.

Process documentation techniques need to be applied judiciously. Documentation via flowcharts and narratives can yield important information, but it can only help evaluators locate specific types of controls. Moreover, other available tools may be more effective than process documentation for identifying these controls. When considering the use of process documentation techniques, auditors should always keep the limitations, and alternatives, in mind.

To submit a "Back to Basics" article for consideration, or to request coverage of an introductory-level internal audit topic, please e-mail Larry Hubbard at Larry@LHubbard.com
COPYRIGHT 2005 Institute of Internal Auditors, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005 Gale, Cengage Learning. All rights reserved.


Article Details
Title Annotation:BACK TO BASICS
Author:Hubbard, Larry
Publication:Internal Auditor
Geographic Code:1USA
Date:Jun 1, 2005
Words:1359