Sample of Business Process and Controls Documentation

[pic]

Visio Shapes and Custom Properties for Evidence of Process Controls

| Name* | | Description* |
|---|---|---|
| [pic] | [pic] | Document Title, Scope, Revision, Release Date, Editors, Affirmation Team. Always Sequence 0.0. |
| [pic] | [pic] | Reference to other process documents and to full processes outside of the scope of the current document. Part of processes sequence. |
| [pic] | [pic] | Identifies process activity, noting control issues and potential gaps, owners and event sequence. Part of processes sequence. |
| [pic] | [pic] | Decision point and criteria for movement. Part of processes sequence. |
| [pic] | [pic] | Grouping allows representation of simultaneous events. Sequence should parent-child the sub-group of activities. |
| [pic] | [pic] | Loop limits usually reflect key controls. |
| [pic] | [pic] | Data Management: what data is used, how it is classified, retained, transferred, accessed. |
| [pic] | [pic] | List of external documents used to complete the process, status of use in controls evidence, creation frequency, description of use. Sequence is always 9.9 so that all data sources are clustered to the bottom of the process report. |
| [pic] | [pic] | Exit and entrance criteria for movement from one activity to the next. Where criteria for movement are monitored by a system and are critical to control activity, this should be filled in. Where this is true, there would be an expected control. |
| [pic] | [pic] | Trigger and Exit criteria. Sequence is always 0.1 so that all triggers and exit criteria are clustered to the top of the process report. |
| [pic] | [pic] | Control Documentation Object: drop-down menu choices include common language for defining controls as expressed by ISACA, PCAOB, PwC, E&Y, KPMG, Deloitte and SANS. Information entered in this area is available to controls reporting for this process. The sequence is used to align the control to the associated activities that use this control. Where a control is used in multiple instances, it need only be described once and then mentioned on the activity object. When a control is inadequate, the issue is identified in the GAP commentary of the activity needing more stringent control. This forces the relative risk of the control gap to be evident to the viewer and writer. |
| [pic] | [pic] | Database name and DBA/SA owners. Sequence is always 9.8 so that all data sources are clustered to the bottom of the process report. |
| [pic] | [pic] | Reporting on Activity and then on Control allows the process of documenting the flow to also serve as a written summary of the activity and its controls. |

Sample Report Output Based on the Sample Visio Process – ENTIRELY Fictitious

Activity table

| Sequence | Activity title | Owner | Activity description | Associated controls | Gap or control issues | Issue | Affirmation criteria |
|---|---|---|---|---|---|---|---|
| 1.3 | Approval process | Human resources | Approval process involves selecting all areas met that support approval, with a note of on whose authority the request was approved. Upon submitting the "approved" button, the form sends an automatic notification to the employee's manager with details of the compensation change. | Known associated controls are.... | Subjective determination of personnel review could allow an employee bonus or change without evidence of proper employee review. Lack of a time-based checking mechanism to determine the age of the most recent personnel review. | | |
| 1.4.1 | | | | | | Salary too high or too low | Established criteria for salary values applied to approval |
| 1.6 | Rejection notification | Human resources | Notification by email and system record of text including nature of refusal and the rule that is violated by enacting the request | Tracking legal reason or business rule that is used to refuse request | None | | |
| 1.8 | Sr. Mgt. Approvals | Human resources | Accounting oversight committee meets on and approves salary | Meeting announcement, quorum, archive, implemented due diligence and ethics | None | | |
| 2 | Compensation management system update | Payroll | Fill in all required fields to complete compensation management change request: submit approved change | Access to change form restricted to managers: compensation request not accepted unless through form: all form fields validated prior to submit | None | | |

Sample of Control Table:

Controls

| Sequence | Control Name | Key Control | Automated or Manual | Control Method | Control Program Type | Information Processing Objective | Description of Control Activity | Control Owner | Frequency of Control | Evidence of Control | Control Test Frequency | Evidence Test on Control | Test Plan |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1.1a | Compensation Change Tracking-Refuse Verbal Compensation Change Requests | TRUE | Manual | Authorization | Deterrent | Restricted Access (R) | Refuse requests outside of request form | Human Resource | Real Time By Transaction | list location | Part of Personnel Review Process | list location | list location |
| 1.3a | Manager Assignment | FALSE | Automated | Configuration Account Mapping | Preventive | | Manager name is automatically populated at user login by mapping against ID and PeopleSoft employee record | HR | Real Time By Transaction | List location | Part of Internal Audit Cycle | List location | List location |
| 1.4a | Approval Routing by Registered Manager | FALSE | Automated | Configuration Account Mapping | Preventive | Restricted Access (R) | Employee compensation change is routed to HR-system-validated current manager | Managers | Real Time By Transaction | list location | Part of Internal Audit Cycle | list location | list location |
| 1.4b | Salary Threshold form based routing | TRUE | Automated | Interface Conversion | Preventive | Restricted Access (R) | Prevents the manager from over-compensating and manages uniform application of guidelines across all requests | Quality Assurance | Real Time By Transaction | list location | Part of Internal Audit Cycle | list location | list location |
| 1.5a | Salary Guideline Exception Report | TRUE | Automated | Exception/Edit Report | Corrective | Accuracy (A) | Metrics on the percentage of approved compensation changes that are within salary guidelines are evaluated to determine if managers are following instructions and if the compensation guidelines appear to be reasonable. | Executive Management CFO | Quarterly | list location | Part of Internal Audit Cycle | list location | list location |
| 1.7a | Executive Compensation Review | TRUE | Manual | Management Review | General | Validity (V) | Review of all salary requests to assure that no individual is permitted to earn beyond the payment guidelines as determined for executives and officers | Accounting Oversight | Quarterly | Meeting notes ....[location] | Part of Internal Audit Cycle | Archived reviewed and signed documents in locked file cabinet ....[location] | Physical check by Internal Audit, results by quarter ....[location] |
| 1.7a | Valid Rejection based in business rules fairly applied | TRUE | Automated | Exception/Edit Report | Detailed | Validity (V) | Email is system generated to include the exact business rule that would be violated by the request, tracking the end-to-end delivery of the reason for rejection on the compensation change. Rejection is sent to the requester, not to the employee. | HR | Real Time By Transaction | List location | Part of Internal Audit Cycle | List location | List location |
| 1.9a | Accurate Employee Transaction | FALSE | Automated | Interface Conversion | Detailed | Accuracy (A) | Items in the compensation change request auto-populate the HR update form, prompting HR to validate changes. If information is not complete, the HR system cannot update. If items are not recognized in HR records, the transaction cannot complete. | HR | Real Time By Transaction | List location | Aligned to Billing Cycle | List location | List location |
| 1.9b | | FALSE | | Reconciliation | | Accuracy (A) | | | | List location | Part of Internal Audit Cycle | List location | List location |
| 1.9c | Compensation Review | FALSE | Manual | Management Review | Detective | Accuracy (A) | Monthly review of all compensation change activity and compensation dashboard | Corporate HR | Quarterly | List location | Part of Internal Audit Cycle | List location | List location |
| 2.0a | Restriction of HR to Compensation Systems | TRUE | Automated | Segregation of Duties | Preventive | Accuracy (A) | HR information is read into the compensation system, but no one in HR has access to the compensation system interface. | Finance | Real Time By Transaction | List location | Part of Internal Audit Cycle | List location | List location |
| 2.1a | Payroll to Compensation Plan Comparison Report | FALSE | Manual | Reconciliation | Corrective | Completeness (C) | Nightly reconciliation of all GL salary compensation values as compared to values in the Compensation Management system | Finance | Daily | List location | Part of Internal Audit Cycle | List location | List location |
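The Control Documentation Object description above says the sequence number is what aligns a control to the activities that use it, and the activity table carries the GAP commentary. The script below is an added example, not code from the original document or from any tool it describes: it takes rows constructed from the two fictitious tables above, links each control to its activity by sequence, and reports the things a reviewer of such a document looks for first: an activity whose GAP column names a weakness but which has no key control at its sequence, controls whose sequence matches no documented activity, duplicated control sequences (the table really does list "1.7a" twice), and control rows left blank. The matching rule, that "1.4b" belongs to activity "1.4" and to any sub-activity such as "1.4.1", and that "2" and "2.0a" refer to the same activity, is an assumption about how the numbering is meant to line up; it generalises the page's 1.3/1.3a pairing to nested sequences.

```python
"""Cross-reference a process's activity table with its control table by sequence.

Added example; the rows are constructed from the fictitious sample tables and
the prefix-matching rule for sub-activities is an assumption, not the page's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Activity:
    sequence: str
    title: str
    owner: str
    gap: str  # "Gap or control issues" column; "None" or "" means no gap recorded


@dataclass
class Control:
    sequence: str  # e.g. "1.4b": activity 1.4, control b
    name: str
    key: bool  # "Key Control" column
    mode: str  # Automated or Manual
    program_type: str  # Preventive / Detective / Corrective / ...


def sequence_key(seq: str) -> tuple[int, ...]:
    """Numeric tuple used for ordering and matching.

    Trailing letters ("1.4b") are dropped; trailing zeros are dropped so that
    "2" and "2.0a" refer to the same activity. "0.0" (document header) and
    "0.1" (triggers) sort first and "9.8"/"9.9" (data sources) sort last, which
    is the clustering the shape descriptions above rely on.
    """
    digits = re.match(r"[\d.]+", seq.strip())
    if not digits:
        raise ValueError(f"bad sequence: {seq!r}")
    parts = [int(p) for p in digits.group(0).strip(".").split(".") if p]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def controls_for(activity: Activity, controls: list[Control]) -> list[Control]:
    """Controls whose sequence equals the activity's or is a parent of it (assumption)."""
    akey = sequence_key(activity.sequence)
    return [c for c in controls if akey[: len(sequence_key(c.sequence))] == sequence_key(c.sequence)]


def has_gap(activity: Activity) -> bool:
    return activity.gap.strip() not in ("", "None")


def review(activities: list[Activity], controls: list[Control]) -> dict:
    """Per-activity summary in report order plus table-hygiene findings."""
    report: dict[str, dict] = {}
    matched: set[str] = set()
    for act in sorted(activities, key=lambda a: sequence_key(a.sequence)):
        linked = controls_for(act, controls)
        matched.update(c.sequence for c in linked)
        key_present = any(c.key for c in linked)
        report[act.sequence] = {
            "title": act.title,
            "controls": [c.sequence for c in linked],
            "key_control": key_present,
            # the finding a reviewer wants surfaced: a documented gap with no key control behind it
            "gap_without_key_control": has_gap(act) and not key_present,
        }
    orphans = sorted({c.sequence for c in controls if c.sequence not in matched},
                     key=lambda s: (sequence_key(s), s))
    seen: set[str] = set()
    duplicates: list[str] = []
    for c in controls:
        if c.sequence in seen and c.sequence not in duplicates:
            duplicates.append(c.sequence)
        seen.add(c.sequence)
    incomplete = [c.sequence for c in controls if not c.name.strip() or not c.mode.strip()]
    return {"activities": report, "orphan_controls": orphans,
            "duplicate_control_sequences": duplicates, "incomplete_controls": incomplete}


# Constructed from the sample tables above (fictitious data, abbreviated).
ACTIVITIES = [
    Activity("1.3", "Approval process", "Human resources",
             "Subjective determination of personnel review could allow an employee "
             "bonus or change without evidence of proper employee review."),
    Activity("1.4.1", "(issue) Salary too high or too low", "", ""),
    Activity("1.6", "Rejection notification", "Human resources", "None"),
    Activity("1.8", "Sr. Mgt. Approvals", "Human resources", "None"),
    Activity("2", "Compensation management system update", "Payroll", "None"),
]

CONTROLS = [
    Control("1.1a", "Compensation Change Tracking", True, "Manual", "Deterrent"),
    Control("1.3a", "Manager Assignment", False, "Automated", "Preventive"),
    Control("1.4a", "Approval Routing by Registered Manager", False, "Automated", "Preventive"),
    Control("1.4b", "Salary Threshold form based routing", True, "Automated", "Preventive"),
    Control("1.5a", "Salary Guideline Exception Report", True, "Automated", "Corrective"),
    Control("1.7a", "Executive Compensation Review", True, "Manual", "General"),
    Control("1.7a", "Valid Rejection based in business rules fairly applied", True, "Automated", "Detailed"),
    Control("1.9a", "Accurate Employee Transaction", False, "Automated", "Detailed"),
    Control("1.9b", "", False, "", ""),  # the blank row in the sample table
    Control("1.9c", "Compensation Review", False, "Manual", "Detective"),
    Control("2.0a", "Restriction of HR to Compensation Systems", True, "Automated", "Preventive"),
    Control("2.1a", "Payroll to Compensation Plan Comparison Report", False, "Manual", "Corrective"),
]

if __name__ == "__main__":
    result = review(ACTIVITIES, CONTROLS)
    for seq, row in result["activities"].items():
        flag = "  <-- gap with no key control" if row["gap_without_key_control"] else ""
        print(f"{seq:6} {row['title'][:40]:40} controls={row['controls']}{flag}")
    for finding in ("orphan_controls", "duplicate_control_sequences", "incomplete_controls"):
        print(f"{finding}: {result[finding]}")
```

On the sample data, activity 1.3 is the one that gets flagged: its GAP column describes the subjective-review weakness, and the only control at sequence 1.3 (Manager Assignment) is not a key control. Controls 1.1a, 1.5a, 1.7a, 1.9x and 2.1a have no activity row at their sequence in the sample activity table, which is what an auditor would ask about next.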
