8/8/2019 Sample of Business Process and Controls Documentation[1]
http://slidepdf.com/reader/full/sample-of-business-process-and-controls-documentation1 1/14
SAMPLE OF BUSINESS PROCESS AND CONTROLS DOCUMENTATION
[Process flow diagram: Compensation Change. Only the text labels of the diagram survive; they are grouped below.]

Trigger: Need for compensation change; known requirement received in email.

Activities: 1.1 Compensation Change Request; 1.1.1 Existing Employee; 1.3 Approval Process; 1.4 Employee Supervisor Approval; 1.4.1 Salary Threshold; 1.5 HR Salary Evaluation; 1.6 Rejection Notification; 1.7 Guideline Acct Oversight Exception Process; 1.8 Sr. Mgt. Approvals; 1.9 HR System Update; 2.0 Compensation Management System Update; 2.1 Payroll System Update.

Flow labels: Employee; New Employee activity (Refer to New Employee Process); Details for employee compensation; Supervisor signoff; Standard salary; Meets Compensation Guidelines; Exception Review; Inadequate authority to approve; salary/pay grade or change exceeds HR approval permissions; Reapply or Exception Request; Rejection to requester; Documented exception review scheduled; Manager and Employee notified of compensation change; Employee compensation adjusted in HR records; Secure data transfer; Inputs to General Ledger; Compensation Change Complete; Close.

Control markers: 1.1A, 1.3A, 1.4A, 1.4B, 1.5A, 1.9A, 1.9C, 2.0A, 2.1A.

Documents and data objects: Compensation Change Request Form; Employee Requisition; Employee Enrollment; Exception Policy; Sample Finance Report 1; General Ledger System RunBook; ERP System RunBook; Sr. MGT Oversight Meeting Notes; ERP System; GL System.

Instructions to Run Activity and Control Reports:

Activity Description Table:
Use Control Key to Select all Activity objects,
= Process Activity, Parent Process, Decision and Termination objects [Box, Double Bar Box, Diamond, Ellipse];
Go to Top Toolbar to click on “Tools”, “Reports” and check box for “Drawing Specific Reports”
Highlight the “Activity Description Table” Report; Select Run and output to either HTML or EXCEL; Save As [Activity Report Name] in your desired folder

Controls Table:
Use Control Key to Select all Control Objects,
= Control Objects, Documents, Data Objects [Left Triangle, Paper Symbol…]
Select Tools; Reports; Drawing Specific Reports; Controls Report Table; Run; Save as your Controls title in your own file location
VISIO SHAPES AND CUSTOM PROPERTIES FOR EVIDENCE OF PROCESS CONTROLS

Name* Description*

Process Title; Date:; Affirmation Team:
Document Title, Scope, Revision, Release Date, Editors, Affirmation Team
Always Sequence 0.0

Parent Process (indicates another process diagram)
Reference to other process documents and to full processes outside of the scope of the current document.
Part of processes sequence

Identifies process activity, noting control issues and potential gaps, owners and event sequence.
Part of processes sequence

#.# Decision
Decision point and criteria for movement
Part of processes sequence

Grouping Box
Grouping allows representation of simultaneous events
Sequence should parent child the sub group of activities

Loop Limit
Loop limits usually reflect key controls

Data Management: What data is used, how is it classified, retained, transferred, accessed
List of external documents used to complete process, status of use in controls evidence, creation frequency, description of use
Sequence is always 9.9 so that all data sources are clustered to the bottom of the process report.

Exit and entrance criteria for movement from one activity to the next. Where criteria for movement is monitored by a system and is critical to control activity, this should be filled in. Where this is true, there would be an expected control.
Trigger and Exit criteria
Sequence is always 0.1 so that all triggers and exit criteria are clustered to the top of the process report.

Control Documentation Object:
Drop down menu choices include common language for defining controls as expressed by ISACA, PCAOB, PwC, E&Y, KPMG, Deloitte and SANS. Information entered in this area is available to controls reporting for this process. The sequence is used to align the control to the associated activities that use this control. Where a control is used in multiple instances, it need only be described once and then mentioned on the activity object.
When a control is inadequate, the issue is identified in the GAP commentary of the activity needing more stringent control. This forces the relative risk of the control gap to be evident to the viewer and writer
0.0a

Database
Database name and DBA/SA owners
Sequence is always 9.8 so that all data sources are clustered to the bottom of the process report.
Instructions to run reports:

Activity Description Table:
Use Control Key to Select all Activity objects,
= Process Activity, Parent Process, Decision and Termination objects [Box, Double Bar Box, Diamond, Ellipse];
Go to Top Toolbar to click on “Tools”, “Reports” and check box for “Drawing Specific Reports”
Highlight the “Activity Description Table” Report
Select Run and output to either HTML or EXCEL
Save As [Activity Report Name] in your desired folder

Controls Table:
Use Control Key to Select all Control Objects,
= Control Objects, Documents, Data Objects [Left Triangle, Paper Symbol…]
Select Tools; Reports; Drawing Specific Reports; Controls Report Table; Run; Save as your Controls title in your own file location

Reporting on Activity and then on Control allows the process of documenting the flow to also serve as written summary of the activity and its controls.
SAMPLE REPORT OUTPUT BASED IN SAMPLE VISIO PROCESS – ENTIRELY FICTITIOUS
Activity table

| Sequence | Activity title | Owner | Activity description | Associated controls | Gap or control issues | Issue Affirmation criteria |
|---|---|---|---|---|---|---|
| 1.1 | Compensation change request | Human resources | Fill in all required fields on the "title here" compensation change form | Access to change form restricted to managers: compensation request not accepted unless through form | User requesting their own pay raise | |
| 1.1.1 | Existing employee or new | | Change to existing compensation values is within this process | | | |
| 1.3 | Approval process | Human resources | Approval process involves selecting all areas met that support approval with note of on whose authority request was approved. Upon submitting the "approved" button, the form sends automatic notification to the employee manager with details of compensation change. | Known associated controls are.... | Subjective determination of personnel review could allow an employee bonus or change without evidence of proper employee review. Lack of time based checking mechanism to determine age of most recent personnel review | |
| 1.4 | Employee supervisor approval | Employee manager | Employee supervisor approval | Po7 | Documentation of standard method for approval, archiving and verification that the supervisor is making the authorization vs. a false positive in the system | |
| 1.4.1 | Salary too high or too low | | Established criteria for salary values applied to approval | | | |
| 1.5 | Salary evaluation | Finance | Evaluation of salary based in job responsibilities and standard industry compensation benchmarks | Approved salary benchmark guidelines | Guidelines are not routinely updated and might become out of date | |
| 1.6 | Rejection notification | Human resources | Notification by email and system record of text including nature of refusal and rule that is violated by enacting request | Tracking legal reason or business rule that is used to refuse request | None | |
| 1.7 | Guideline exception process | Human resources | Notice to committee includes the criteria for exception and limits of monetary compensation, reason for request, qualifications of employee, management representation | Accounting oversight review of executive compensation 1.8a | Process is not presented and approved by the board of directors/ process is not backward compatible to previous compensation activity | |
| 1.8 | Sr. Mgt. Approvals | Human resources | Accounting oversight committee meets on and approves salary | Meeting announcement, quorum, archive, implemented due diligence and ethics | None | |
| 1.9 | HR system update | Human resources | HR representative [input details in process here] | Form controls: policy controls | Reconciliation report to prove ERP systems have received and recorded all changes/form restriction where approval is not in system record | |
| 2 | Compensation management system update | Payroll | Fill in all required fields to complete compensation management change request: submit approved change | Access to change form restricted to managers: compensation request not accepted unless through form: all fields form validated prior to submit | None | |
| 2.1 | Payroll system update | Payroll | Payroll record change sent to ADP: general ledger reflects new debit amounts based in compensation costs | Data transfer security, confirmation of send, reconciliation of posted changes and approved changes | Inadequate testing of the reconciliation report: inadequate security on the backend data of tables containing salary compensation data. | |
SAMPLE OF CONTROL TABLE:
Controls

| Sequence | Control Name | Key Control | Automated or Manual | Control Method | Control Program Type | Information Processing Objective | Description of Control Activity | Control Owner | Frequency of Control | Evidence of Control | Control Test Frequency | Evidence Test on Control | Test Plan |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1.1a | Compensation Change Tracking - Refuse Verbal Compensation Change Requests | TRUE | Manual | Authorization | Deterrent | Restricted Access (R) | Refuse requests outside of request form | Human Resource | Real Time By Transaction | List location | Part of Personnel Review Process | List location | List location |
| 1.3a | Manager Assignment | FALSE | Automated | Configuration Account Mapping | Preventive | | Manager name is automatically populated at user log in by mapping against ID and PeopleSoft employee record | HR | Real Time By Transaction | List location | Part of Internal Audit Cycle | List location | List location |
| 1.4a | Approval Routing by Registered Manager | FALSE | Automated | Configuration Account Mapping | Preventive | Restricted Access (R) | Employee compensation change is routed to HR system validated current manager | Managers | Real Time By Transaction | List location | Part of Internal Audit Cycle | List location | List location |
| 1.4b | Salary Threshold form based routing | TRUE | Automated | Interface Conversion | Preventive | Restricted Access (R) | Prevents the manager from over compensating and manages uniform application of guidelines across all requests | Quality Assurance | Real Time By Transaction | List location | Part of Internal Audit Cycle | List location | List location |
| 1.5a | Salary Guideline Exception Report | TRUE | Automated | Exception/Edit Report | Corrective | Accuracy (A) | Metrics on the percentage of approved compensation change that are within Salary guidelines are evaluated to determine if managers are following instructions and if the compensation guidelines appear to be reasonable. | Executive Management CFO | Quarterly | List location | Part of Internal Audit Cycle | List location | List location |
| 1.7a | Executive Compensation Review | TRUE | Manual | Management Review | General | Validity (V) | Review of all salary requests to assure that no individual is permitted to earn beyond the payment guidelines as determined for executives and officers | Accounting Oversight | Quarterly | Meeting notes.... [location] | Part of Internal Audit Cycle | Archived reviewed and signed documents in locked file cabinet.... [location] | Physical check by Internal Audit results by quarter.... [location] |
| 1.7a | Valid Rejection based in business rules fairly applied | TRUE | Automated | Exception/Edit Report | Detailed | Validity (V) | Email is system generated to include exact business rule that would be violated by the request and tracking the end to end delivery of reason for rejection on compensation change. Rejection is sent to requester, not to the employee. | HR | Real Time By Transaction | List location | Part of Internal Audit Cycle | List location | List location |
| 1.9a | Accurate Employee Transaction | FALSE | Automated | Interface Conversion | Detailed | Accuracy (A) | Items in compensation change request auto populate the HR update form, prompting HR to validate changes. If information is not complete, HR system cannot update. If items are not recognized in HR records, transaction cannot complete. | HR | Real Time By Transaction | List location | Aligned to Billing Cycle | List location | List location |
| 1.9b | | FALSE | | Reconciliation | | Accuracy (A) | | | | List location | Part of Internal Audit Cycle | List location | List location |
| 1.9c | Compensation Review | FALSE | Manual | Management Review | Detective | Accuracy (A) | Monthly review of all compensation change activity and compensation dashboard | Corporate HR | Quarterly | List location | Part of Internal Audit Cycle | List location | List location |
| 2.0a | Restriction of HR to Compensation Systems | TRUE | Automated | Segregation of Duties | Preventive | Accuracy (A) | HR information is read to the compensation system, but no one in HR has access to compensation system interface. | Finance | Real Time By Transaction | List location | Part of Internal Audit Cycle | List location | List location |
| 2.1a | Payroll to Compensation Plan Comparison Report | FALSE | Manual | Reconciliation | Corrective | Completeness (C) | Nightly reconciliation of all GL salary compensation values as compared to values in Compensation Management system | Finance | Daily | List location | Part of Internal Audit Cycle | List location | List location |