Process flow

diagrams and other

documentation Contents
1. Audit lessons
2. Process flows
3. Flowcharts
4. Information produced
by entity (IPE)
5. Documentation
Topic 1:
Audit lessons
Audit lessons

 Teams did not sufficiently understand the likely sources of potential

misstatements related to significant accounts or disclosures as part of
selecting controls to test.
 Teams walkthrough procedures were not adequate to verify the
auditor’s understanding of the risks in the company’s processes and to
identify and select for testing controls sufficient to address the risk of
misstatement for the relevant assertions as they were limited to:
– Performing inquiry and observation to confirm that there have been no
significant changes to the processes
– Obtaining an understanding through controls testing and substantive
procedures
– Reviewing walkthroughs performed by the company’s internal auditor who
did not provide direct assistance under the firm’s supervision
– Relying on the auditor’s knowledge and experience obtained from prior
year’s audits.
Topic 2:
Process flows
Process flows

 A process flow generally consists of:

– Following a single transaction from origination through the entity’s
processes, including information systems, until it is reflected in the
entity’s financial records.
– Using the same documents and information technology that entity
personnel use.
– Probing inquiries of the entity’s personnel about their understanding
of what is required by the entity’s prescribed procedures and
controls at the points at which important processing procedures
occur.
– Asking personnel to describe their understanding of the previous and
succeeding accounting or control activities and to demonstrate what
they do to corroborate information at various points in the
walkthrough.
 Combination of inquiry, observation, and inspection
5
Key Points for Understanding the Process

 Cover from the initiation of the transaction to recording in

the financial statement and understand all processing in
between.
 Document and trace the flow of information, not controls.
 Document key points of information, whether in the client’s
narrative or on a flowchart.
 Walk through the IT system, not around it.
 Understand relevant data elements in the process.
 Involve experienced team members for complex areas.
 Don’t get locked into prior year’s documentation.

Walk through processes, not controls!

Obtaining an Understanding

Have you identified and documented:

 All relevant assertions associated with each significant
account and disclosure?
 The flow of transactions related to each relevant assertion?
 The points within the process where a misstatement could
arise that individually or in aggregate with other
misstatements could be material?
 The controls that management has implemented to
address potential misstatements?
It is important that engagement teams are able to answer
these questions and that these answers are reflected in their
documentation.
Walkthrough Documentation

Location where the walkthrough occurred. Consider IT

controls as you
Date(s) the walkthrough occurred. document your
Audit firm interviewer. walkthroughs.
Client interviewee.
Transaction(s) traced, including identifying characteristics
of the transaction(s).
Document(s) reviewed, including identifying characteristics
of the document(s).
Other Considerations
–Probing follow-up question(s) that were asked by the
audit firm interviewer(s) of the interviewee(s), and any
notable responses.
8
Key Attributes of Documentation Related
to IT

Process Level Understanding

 Provides understanding of how specific data elements of
interest are captured and flow through information system
to financial statements.
 Addresses manual and IT processes in a way that avoids
process gaps in documentation.
 Describes relevant activities within IT systems, not just
inputs and outputs.
 Describes and differentiates IT system components to
allow for identification of specific risks.
Topic 3:
Flowcharting
What is Flowcharting?

Flowcharting is used to visually represent client

processes and accounting systems so we can
more easily identify and document the WCGWs
and assess the design of the controls over those
WCGWs.
Flowcharting –
Potential Advantages and Challenges
Advantages: Challenges:
Flowcharting Tips

Identify the output of the system (e.g. General

ledger account, report used by management as the
basis of a high level management review control).

Begin the documentation with the output of the

system, making this a more efficient approach.

Check that all appropriate information has been

linked to the source documentation.

Use active voice in your flowchart processes (i.e.

“The employee enters information into the system”
versus “Information is entered into the system”).

Draw the flowchart such that information flows top

to bottom and from left to right.
Flowcharting Considerations

When creating a process flow diagram, consider:

 Who are the individuals, departments, etc. involved in the process?

 How often is the process performed?
 What are the key activities in the process?
 In what order do the key activities occur?
 Where do the WCGWs reside in the process?
 Which relevant controls address the WCGWs?
 What are the various reports and data elements used in or
generated from the process?
 Which systems are critical to the process?

Begin with the end in mind!

Flowcharting in Excel
Topic 4:
Information produced
by entity
Guidance Note has defined IPE

 The auditing standards do not provide a definition of information

produced by the entity (IPE) or describe what constitutes IPE. IPE is
typically in the form of a "report" which may be either system-
generated, manually-prepared, or a combination of both (e.g., a
download of system accumulated data that is then manipulated in an
Excel spreadsheet).

 Examples of different forms of reports include:

– Standard "out of the box" or default reports or templates
– Custom-developed reports that are not standard to the application and that
are defined and generated by user-operated tools
– Output from end-user applications such as automated spreadsheets
– Entity-prepared analyses, schedules and spreadsheets that are manually
prepared by entity personnel either from information generated from the
entity’s system or from other internal or external sources
Understanding IPEs

 IPE typically consists of three elements: (1) source data, (2) report logic, and
(3) parameters.
– Source Data: The information from which the IPE is created. This may include data
maintained in the IT system (e.g., within an application system or database) or
external to the system (e.g., data maintained in an Excel spreadsheet or manually
maintained), which may or may not be subject to general IT controls. For example, for
a report of all sales greater than Rs. 1,000,000, the source data is the database of all
sales transactions.
– Report Logic: The computer code, algorithms, or formulas for transforming,
extracting or loading the relevant source data and creating the report. Report logic
may include standardised report programs, user-operated tools (e.g., query tools and
report writers) or Excel spreadsheets, which may or may not be subject to the general
IT controls.
– Report Parameters: Report parameters allow the user to look at only the information
that is of interest to them. Common uses of report parameters including defining the
report structure, specifying or filtering data used in a report or connecting related
reports (data or output) together.
Auditor considerations of IPE

 The following considerations related to accuracy and completeness of IPE may

assist the auditor in obtaining an appropriate understanding to plan the testing
approach to IPE:
– Not all data is captured.
– The data is input incorrectly.
– The report logic is incorrect.
– The report logic or source data could be changed inappropriately or without
authorisation.
– The user-entered parameters entered are incorrect.

 Evaluating IPEs: The auditor is required to "evaluate whether the IPE is

sufficiently precise and detailed for purposes of the audit“. If the IPE is not
sufficiently precise or detailed for the purpose, it is likely that the auditor cannot
use it as audit evidence; however, the auditor may work with the entity to
determine if the original IPE can be modified by the entity to meet his or her
needs or identify other audit evidence to achieve the intended purpose.
Test Controls over the C&A of IPE Used
in MRC
1 2 3
Has team obtained an
understanding of how
Have all relevant data each data element is
Has team identified all
elements used in the initiated, processed,
relevant WCGWs
operation been and reported as IPE
related to IPE?
identified? (focus on
completeness and
accuracy)?

4 5 6
If there are
Has management
Are controls over deficiencies in
appropriately
completeness and controls over
identified relevant
accuracy of IPE completeness and
controls around the
designed accuracy of IPE, are
completeness and
appropriately? effective
accuracy of each data
Operating effectively? compensating
element?
controls tested?
Testing Controls over IPE – Key Points

 Test the design and operating effectiveness of the controls

over completeness and accuracy of IPE used in MRCs.
 Determine the flow of each relevant data element, identify
the related WCGWs and test the related controls.
 Failure to have effective controls over completeness and
accuracy of the IPE generally renders the MRC ineffective.
 Ineffective GITCs generally render the MRC ineffective.
Topic 5:
Documentation
CFO Financial Forum Opinion Poll

Which of the following best describes your organization’s

documentation of business processes and controls?

10% 11% Primarily use flow charts: 11%

Primarily use narratives: 27%

Use combination of narratives and flow charts: 52%

27%
Document only controls, not processes: 10%
52%

Ensure that management has documented in writing its control policies and
procedures for all relevant business processes.
23
Documentation

 Effective documentation of the organization’s system of internal control is

necessary to:
– Provide evidence of its effectiveness
– Enable proper monitoring
 Effective documentation is also useful:
– For assigning responsibility and accountability to employees
– Training new and experienced employees who implement and monitor the
controls
– Promoting consistency across the organization
– Retaining organizational knowledge
 Higher level of documentation necessary when management asserts effectiveness
of internal controls to regulators, shareholders and other third-parties
– Expanded documentation on design and operating effectiveness of controls
– Expanded documentation in areas involving significant judgment
24
Documentation: CFO Financial Forum Opinion Poll

What additional effort is required to improve your documentation of

ICOFR?
4% No incremental effort: 4%
21% Some incremental effort: 56%
Significant incremental effort: 19%
Not sure: 21%

19%
56%

Documentation of existing and enhanced processes and controls is expected to be one of

the main areas of additional effort when transitioning to IFCs

25
Thank you

26