SAMPLE OF BUSINESS PROCESS AND CONTROLS DOCUMENTATION
VISIO SHAPES AND CUSTOM PROPERTIES FOR EVIDENCE OF PROCESS CONTROLS

Each shape carries a Name*, a Description* and a sequence rule that fixes where its content lands in the generated process report:

- Document Title, Scope, Revision, Release Date, Editors, Affirmation Team. Sequence: always 0.0.
- Reference to other process documents and to full processes outside of the scope of the current document. Sequence: part of the process sequence.
- Identifies a process activity, noting control issues and potential gaps, owners and event sequence. Sequence: part of the process sequence.
- Decision point and criteria for movement. Sequence: part of the process sequence.
- Grouping allows representation of simultaneous events. Sequence: should parent-child the sub-group of activities.
- Loop limits usually reflect key controls.
- Data Management: what data is used, how it is classified, retained, transferred and accessed.
- List of external documents used to complete the process, status of use in controls evidence, creation frequency, description of use. Sequence: always 9.9, so that all data sources are clustered to the bottom of the process report.
- Trigger and Exit criteria: exit and entrance criteria for movement from one activity to the next. Where the criteria for movement are monitored by a system and are critical to control activity, this should be filled in; where this is true, there would be an expected control. Sequence: always 0.1, so that all triggers and exit criteria are clustered to the top of the process report.
- Control Documentation Object: drop-down menu choices include common language for defining controls as expressed by ISACA, PCAOB, PwC, E&Y, KPMG, Deloitte and SANS. Information entered in this area is available to controls reporting for this process. The sequence is used to align the control to the associated activities that use this control. Where a control is used in multiple instances, it need only be described once and then mentioned on the activity object. When a control is inadequate, the issue is identified in the GAP commentary of the activity needing more stringent control. This makes the relative risk of the control gap evident to both the viewer and the writer.
- Database name and DBA/SA owners. Sequence: always 9.8, so that all data sources are clustered to the bottom of the process report.

Reporting on Activity first and then on Control allows the process of documenting the flow to also serve as the written summary of each activity and its controls.
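As an added example (not part of this sample documentation), the Python below runs the consistency checks a reviewer would apply to the generated activity and control reports under the sequence-alignment convention above: a control sequence such as 1.4b aligns to activity 1.4, a sequence reused by two controls merges them into one report entry, a key control whose evidence cell still reads "list location" gives an auditor nothing to test, and an activity with neither an associated control nor a gap statement is an undocumented risk. The rows are constructed from this page's fictitious tables; normalising "2.0a" to activity "2" is an assumption.

```python
import re
from collections import defaultdict
# Rows constructed from this page's fictitious sample report:
# activities as (sequence, title, gap-or-control-issue cell) ...
ACTIVITIES = [
    ("1.1", "Compensation change request", "User requesting their own pay raise"),
    ("1.3", "Approval process", "Subjective determination of personnel review"),
    ("1.4", "Employee supervisor approval", ""),
    ("1.6", "Rejection notification", "None"),
    ("1.7", "Guideline exception process", "Not approved by the board of directors"),
    ("1.8", "Sr. Mgt. Approvals", "None"),
    ("1.9", "HR system update", "No reconciliation report from ERP"),
    ("2", "Compensation management system update", "None"),
]
# ... and controls as (sequence, name, key control?, evidence-of-control cell).
CONTROLS = [
    ("1.1a", "Refuse Verbal Compensation Change Requests", True, "list location"),
    ("1.4a", "Approval Routing by Registered Manager", False, "list location"),
    ("1.4b", "Salary Threshold form based routing", True, "list location"),
    ("1.7a", "Executive Compensation Review", True, "Meeting notes ....[location]"),
    ("1.7a", "Valid Rejection based on business rules", True, "List location"),
    ("1.9a", "Accurate Employee Transaction", False, "List location"),
    ("2.0a", "Restriction of HR to Compensation Systems", True, "List location"),
]
CONTROL_ID = re.compile(r"^(\d+(?:\.\d+)*)[a-z]$")             # "1.4b" aligns to activity 1.4
PLACEHOLDER = re.compile(r"list location|\[location\]", re.I)  # evidence cell never filled in

def activity_of(control_seq):
    """Activity sequence a control aligns to; trailing '.0' dropped so '2.0a' -> '2' (assumed)."""
    m = CONTROL_ID.match(control_seq)
    if not m: raise ValueError(f"malformed control sequence: {control_seq!r}")
    return re.sub(r"(\.0)+$", "", m.group(1))

def audit(activities, controls):
    """Findings that would mislead a reviewer reading the activity and control reports."""
    findings, seen, by_activity = [], set(), defaultdict(list)
    act_seqs = {seq for seq, _, _ in activities}
    for seq, name, key, evidence in controls:
        parent = activity_of(seq)
        by_activity[parent].append(seq)
        if seq in seen:  # reused sequence: two controls collapse into one report entry
            findings.append(f"{seq}: duplicate control sequence ({name})")
        seen.add(seq)
        if parent not in act_seqs:
            findings.append(f"{seq}: orphan control, no activity {parent}")
        if key and PLACEHOLDER.search(evidence):
            findings.append(f"{seq}: key control evidence location is a placeholder")
    for seq, title, gap in activities:  # no control and no gap noted = undocumented risk
        if not by_activity[seq] and gap.strip().lower() in ("", "none"):
            findings.append(f"{seq}: activity '{title}' has neither a control nor a gap statement")
    return findings
```

Run on the sample rows, `audit(ACTIVITIES, CONTROLS)` reports the reused 1.7a sequence, five key controls with placeholder evidence, and activities 1.6 and 1.8 as having no control and no gap statement.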
SAMPLE REPORT OUTPUT BASED ON SAMPLE VISIO PROCESS – ENTIRELY FICTITIOUS

Activity table

| Sequence | Activity title | Owner | Activity description | Associated controls | Gap or control issues | Issue Affirmation criteria |
| --- | --- | --- | --- | --- | --- | --- |
| 1.1 | Compensation change request | Human resources | Fill in all required fields on the "title here" compensation change form | Access to change form restricted to managers: compensation request not accepted unless through form | User requesting their own pay raise | |
| 1.1.1 | Existing employee or new | | Change to existing compensation values is within this process | | | |
| 1.3 | Approval process | Human resources | Approval process involves selecting all areas met that support approval, with a note of on whose authority the request was approved. Upon submitting with the "approved" button, the form sends an automatic notification to the employee's manager with details of the compensation change. | Known associated controls are.... | Subjective determination of personnel review could allow an employee bonus or change without evidence of proper employee review. Lack of a time-based checking mechanism to determine the age of the most recent personnel review | |
| 1.4 | Employee supervisor approval | Employee manager | Employee supervisor approval | Po7 Documentation of standard method for approval, archiving and verification that the supervisor is making the authorization vs. a false positive in the system | | |
| 1.4.1 | Salary too high or too low | | Established criteria for salary values applied to approval | | | |
| 1.5 | Salary evaluation | Finance | Evaluation of salary based on job responsibilities and standard industry compensation benchmarks | Approved salary benchmark guidelines | Guidelines are not routinely updated and might become out of date | |
| 1.6 | Rejection notification | Human resources | Notification by email and system record of text including the nature of the refusal and the rule that would be violated by enacting the request | Tracking legal reason or business rule that is used to refuse request | None | |
| 1.7 | Guideline exception process | Human resources | Notice to committee includes the criteria for exception and limits of monetary compensation, reason for request, qualifications of employee, management representation | Accounting oversight review of executive compensation 1.8a | Process is not presented and approved by the board of directors / process is not backward compatible to previous compensation activity | |
| 1.8 | Sr. Mgt. Approvals | Human resources | Accounting oversight committee meets on and approves salary | Meeting announcement, quorum, archive, implemented due diligence and ethics | None | |
| 1.9 | HR system update | Human resources | HR representative [input details in process here] | Form controls: policy controls | Reconciliation report to prove ERP systems have received and recorded all changes / form restriction where approval is not in system record | |
| 2 | Compensation management system update | Payroll | Fill in all required fields to complete compensation management change request: submit approved change | Access to change form restricted to managers: compensation request not accepted unless through form: all fields form-validated prior to submit | None | |
| 2.1 | Payroll system update | Payroll | Payroll record change sent to ADP: general ledger reflects new debit amounts based on compensation costs | Data transfer security, confirmation of send, reconciliation of posted changes and approved changes | Inadequate testing of the reconciliation report: inadequate security on the backend data of tables containing salary compensation data. | |
SAMPLE OF CONTROL TABLE: Controls

| Sequence | Control Name | Key Control | Automated or Manual | Control Method | Control Program Type | Information Processing | Description of Control Activity | Control Owner | Frequency of Control | Evidence of Control | Control Test Frequency | Evidence Test on Control | Test Plan |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1.1a | Compensation Change Tracking-Refuse Verbal Compensation Change Requests | TRUE | Manual | Authorization | Deterrent | Restricted Access | Refuse requests outside of request form | Human Resource | Real Time By Transaction | list location | Part of Personnel Review Process | list location | list location |
| 1.3a | Manager Assignment | FALSE | Automated | Configuration Account Mapping | Preventive | | Manager name is automatically populated at user login by mapping against ID and PeopleSoft employee record | HR | Real Time By Transaction | List location | Part of Internal Audit Cycle | List location | List location |
| 1.4a | Approval Routing by Registered Manager | FALSE | Automated | Configuration Account Mapping | Preventive | Restricted Access (R) | Employee compensation change is routed to the HR-system-validated current manager | Managers | Real Time By Transaction | list location | Part of Internal Audit Cycle | list location | list location |
| 1.4b | Salary Threshold form based routing | TRUE | Automated | Interface Conversion | Preventive | Restricted Access (R) | Prevents the manager from over-compensating and manages uniform application of guidelines across all requests | Quality Assurance | Real Time By Transaction | list location | Part of Internal Audit Cycle | list location | list location |
| 1.5a | Salary Guideline Exception Report | TRUE | Automated | Exception/Edit Report | Corrective | Accuracy (A) | Metrics on the percentage of approved compensation changes that are within salary guidelines are evaluated to determine if managers are following instructions and if the compensation guidelines appear to be reasonable. | Executive Management CFO | Quarterly | list location | Part of Internal Audit Cycle | list location | list location |
| 1.7a | Executive Compensation Review | TRUE | Manual | Management Review | General | Validity (V) | Review of all salary requests to assure that no individual is permitted to earn beyond the payment guidelines as determined for executives and officers | Accounting Oversight | Quarterly | Meeting notes ....[location] | Part of Internal Audit Cycle | Archived, reviewed and signed documents in locked file cabinet ....[location] | Physical check by Internal Audit, results by quarter ....[location] |
| 1.7a | Valid Rejection based on business rules fairly applied | TRUE | Automated | Exception/Edit Report | Detailed | Validity (V) | Email is system generated to include the exact business rule that would be violated by the request and to track the end-to-end delivery of the reason for rejection of the compensation change. Rejection is sent to the requester, not to the employee. | HR | Real Time By Transaction | List location | Part of Internal Audit Cycle | List location | List location |
| 1.9a | Accurate Employee Transaction | FALSE | Automated | Interface Conversion | Detailed | Accuracy (A) | Items in the compensation change request auto-populate the HR update form, prompting HR to validate changes. If information is not complete, the HR system cannot update. If items are not recognized in HR records, the transaction cannot complete. | HR | Real Time By Transaction | List location | Aligned to Billing Cycle | List location | List location |
| 1.9b | | FALSE | | Reconciliation | | Accura... | | | | List location | Part of Internal... | List location | List location |
| 1.9c | Compensation Review | FALSE | Manual | Management Review | Detective | Accuracy (A) | Monthly review of all compensation change activity and compensation dashboard | Corporate HR | Quarterly | List location | Part of Internal Audit Cycle | List location | List location |
| 2.0a | Restriction of HR to Compensation Systems | TRUE | Automated | Segregation of Duties | Preventive | Accuracy (A) | HR information is read into the compensation system, but no one in HR has access to the compensation system interface. | Finance | Real Time By Transaction | List location | Part of Internal Audit Cycle | List location | List location |
| 2.1a | Payroll to Compensation Plan Comparison Report | FALSE | Manual | Reconciliation | Corrective | Completeness (C) | Nightly reconciliation of all GL salary compensation values as compared to values in the Compensation Management system | Finance | Daily | List location | Part of Internal Audit Cycle | List location | List location |