ROAD MAP TO CONFIDENT PROCESS MAPPING USING FLOW …€¦ · 7. Design flowcharts as living,...

transcript

Internal Audit, Risk, Business & Technology Consulting

ROAD MAP TO CONFIDENT PROCESS MAPPING USING FLOW CHARTSJanuary 24, 2018

© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

AGENDA

03 Introductions

07 Flowchart Formatting Fundamentals

08 Identify the Process

09 Determine Boundaries, Activities, & Sequences

12 Map out Key Actors and Symbols

15 Consistent Formatting & Aesthetics

18 Symbols Legend

20 Control Types

24 Swim Lane Diagram or Linear Flowchart?

27 High Level Summary

31 Process Mapping with a Purpose

32 One-Stop Shop

36 Information Provided by the Entity (IPE)

39 Internal Audit Process Map Uses

43 Operational Processes

45 Living / Breathing Document

47 Question and Answer

48 Contact Information

INTRODUCTIONS

Matt Lorimer is an Associate Director within Protiviti’s Internal Audit and Financial Advisory practice. Matt has over 10 years of internal audit and internal control over financial reporting (Sarbanes-Oxley) experience. Matt has extensive experience in the airline industry as well as gaming and hospitality, manufacturing, communications, oil field services and software industries. Matt assists his clients in validating that business processes are efficient, effective and appropriately designed to mitigate risk. Matt oversees the outsourced internal audit function for an airline client and his experiences have included operational, compliance and financial reporting reviews. His experience relative to internal controls over financial reporting includes leading engagements focused on documenting key financial processes and controls through process maps and narratives, testing internal controls, developing remediation plans and evaluating deficiencies.`

Christina Manuele is a Senior Consultant within Protiviti’s Internal Audit and Financial Advisory Practice. Christina has over 4 years of internal audit and internal control over financial reporting (Sarbanes-Oxley) experience. Christina has experience in the homebuilding, higher education, manufacturing, software, and real estate investment trust (REIT) industries. Christina assists in the performance of Sarbanes-Oxley control testing, documenting key client business processes, reviews of operational and financial reporting procedures, and evaluating deficiencies and suggested action plans.

Today’s Presenters

© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.4

Josh Robbins is the Head of Business Development for Lucidchart where he focuses his efforts on building relationships and growing Lucidchart by working with strategic partners. Prior to Lucidchart, Josh worked for Qualtrics and Amazon where he developed and implemented strategies to accelerate growth. He holds an MBA from Cornell University and a Masters in Accounting from Brigham Young University.

Josh RobbinsHead of Business Development

INTRODUCTIONS

FLOWCHART FORMATTING FUNDAMENTALS

1. Identify the process

● Identify the process that needs to be documented/visualized○ Create a new document in Lucidchart or import an existing one from Visio

○ Title the document

○ If teammates are present, share the document and begin collaborating together

● When does the process start?

● When does the process stop?

Tips and Tricks: Fill the first step in the process with a green fill color. Fill the last step in the

process with a red fill color.

2. Determine the boundaries

● Add all relevant activities in the process○ Sequence is not important (but if it helps you brainstorm, go for it!)

○ Decide what level of detail to include

○ Determine who does what, and when it’s done

Tips and Tricks: It’s helpful to have a verb begin the description. It will help you and others

better understand the action/purpose of that step.

3. Brainstorm all activities involved

● Sequence the steps in the correct order○ You may discover additional flows, processes, or levels of detail you want to

explore.

○ Don’t worry about shape symbols. We will focus on that later on.

Tips and Tricks: If there are subprocesses or other states you’d like to document, build them out

on a separate page within Lucidchart.

4. Determine and sequence the steps

5. Map out key actors

Tips and Tricks: Swimlanes help

you effectively organize your

diagram. They can be accessed in

the “containers” shape library.

6. Map flowchart symbols

7. Design flowcharts as living, breathing documents

Tips and Tricks:

1. Designate the Lucidchart document as the

single source of truth

2. Determine appropriate permissions for each

actor/stakeholder

3. Collaborate with all actors/stakeholders

4. @mention the actor on sections or shapes

that need further collaboration

5. Create calendar reminder to review the

diagram on an appropriate cadence

CONSISTENT FORMATTING & AESTHETICS

Process maps serve as a tool for multiple purposes and audiences. As such, they should be clear, concise and easy to follow for all regardless of their prior knowledge of the process or their experience with internal audit / Sarbanes-Oxley. The following should be considered:

Establish a Standardized Format

Shape Sizing and Spacing

Fonts / Capitalization

Flow of Process Steps

CONSISTENT FORMATTING & AESTHETICS - BEFORE

CONSISTENT FORMATTING & AESTHETICS - AFTER

SYMBOLS LEGEND

A legend is the key to ensure your audience is able to understand your process map as you intended.

The legend should be included in your established standardized format and included in all process maps

Consider the default shapes recommended by your flowcharting software or your industry / business function, if applicable

Legend should be color coded to aid comprehension

SYMBOLS LEGEND - EXAMPLE

CONTROL TYPES

Business processes are governed by many different types of controls which can be displayed within your process map. Using different shapes and colors helps the reader quickly identify each control type. Control types may include:

Manual

Automated

Management Review Controls (MRC)

Secondary

External Audit Reliance

CONTROL TYPES

SWIM LANE DIAGRAM OR LINEAR FLOWCHART?

Depending on the process map format you choose it can emphasize how duties are segregated (swim lane) or the order in which each step occurs (linear). Advantages of the two types include:

Linear Process Maps• Process chronology• Easier to follow

Swim Lane• Clarity and accountability• Information flow• Separate departments / parties that may not work in

a linear sequence (i.e. simultaneous process steps)• Highlight redundancies and bottlenecks

SWIM LANE

LINEAR

HIGH LEVEL SUMMARY

Some process maps are significantly longer than others and can involve multiple departments or complex sub-processes. Adding a high level overview can help the reader to understand what the overall process entails, how the sub-processes are connected as well as help the reader to pinpoint areas they want to focus on within the map. The summary map may include:

Sub-Process Titles

Page Number References

Links to Sub-Process Pages

HIGH LEVEL SUMMARY

PROCESS MAPPING WITH A PURPOSE

ONE-STOP SHOP

Sarbanes-Oxley and Internal Audit process maps utilize information from multiple sources such as risk and control matrices (RCM), process narratives, policies and procedures, IT system documentation, etc. The process map itself can be used to house the following information, acting as a “one-stop shop”:Process Owners

Critical System Interfaces and Reports

Third Party Service Providers

In-Scope Applications

Controls

ONE-STOP SHOP

INFORMATION PROVIDED BY THE ENTITY (IPE)

In recent years external audit firms have required an increased focus to be placed on information provided by the entity (also known as, internally prepared evidence, completeness and accuracy validation or electronic audit evidence). As a result, this information is generally included within Sarbanes-Oxley and Internal Audit process documentation such as process maps. IPE information displayed may include:

Unique Symbol to Easily Identify

Source of Documentation

Report / Query / Spreadsheet Names

INTERNAL AUDIT PROCESS MAP USES

During the course of a traditional internal audit control gaps and process improvement opportunities are often identified and can be displayed within the process map. This can be done similarly to how controls are displayed and also can link to the related risk and control matrix (RCM) or other applicable documentation:

Unique Symbol to Easily Identify from Existing Controls

Include in Legend

Can be Included in Summary Page (i.e., One-Stop Shop)

Risk #

Risk Name

Control #

Control Name

Control Significance

Control Type

Control Frequency

Invoices may not be appropriately reviewed and approved.

1 Invoices are reviewed and approved prior to payment per the Signature Authority Policy. Primary Preventative Ongoing

2Monthly, the P-Card Packet containing the Receipt Submission Log and associated invoices is reviewed and approved per the Signature Authority Policy as part of the monthly P-Card Reconciliation.

Primary Detective Monthly

2.Telecom usage may be inefficient or not cost-effective.

3 Voice and wireless devices are configured according to approved request. Primary Preventative Ongoing

4 Data services are installed according to the specifications noted in the survey performed by the Project Manager. Primary Preventative Ongoing

5A Wireless Policy Acceptance form is signed by each new user of a company-owned wireless device acknowledging receipt of and agreement to Company XYZ Wireless Device Policy and is maintained on file by Analyst, Technology.

Primary Preventative Ongoing

6 Monthly, the Analyst, Technology reviews the Server List to monitor for inactivity. Secondary Detective Monthly

Control Gap 1

Invoice system expenses are not formally reviewed to identify inappropriate or inefficient spend. N/A N/A N/A

Telecom expenses may not be completely or accurately recorded.

7 Telecom-related journal entries are reviewed and approved by a manager or above prior to posting. Primary Preventative Monthly

8 Reclassification journal entries are prepared and posted to correctly allocate telecom expenses across business groups. Primary Detective As Needed

Control Gap 2

Telecom Models are not updated regularly to reflect changes to cost center mapping. N/A N/A N/A

OPERATIONAL PROCESSES

Process maps can be used for more than just SOX and internal audit projects and have value from a policy and procedure perspective. Additionally, external audit firms have started to request that certain non-financial or non-control focused processes be included within Sarbanes-Oxley documentation as background information. Process maps can also be utilized to display:

Step by Step Processes to be Followed by Employees• Checklists• Forms

Desktop Procedures / Manuals

OPERATIONAL PROCESSES

LIVING / BREATHING DOCUMENT

Process maps are constantly changing and it can be hard to keep track of what was revised from version to version. This information can be maintained within the document and be updated on an on-going basis:

Document History

Listing of Major Changes

Approval by Process Owners or Internal Audit Management

LIVING / BREATHING DOCUMENT

CONTACT INFORMATION

Matt LorimerAssociate Directormatt.lorimer@protiviti.com

4127 East Van Buren Street, Suite 210Phoenix, Arizona 85008Office: (602) 683-4142

Christina Manuele Senior Consultant christina.manuele@protiviti.com

4127 East Van Buren Street, Suite 210Phoenix, Arizona 85008Office: (602) 683-4130

Josh RobbinsHead of Business Developmentjrobbins@lucidchart.com

Office: (385) 257-8162

Chris BrasherDirector of Marketingcbrasher@auditboard.com

Office: (877) 769-5444 x 743

ROAD MAP TO CONFIDENT PROCESS MAPPING USING FLOW …€¦ · 7. Design flowcharts as living,...

Documents