ROAD MAP TO CONFIDENT PROCESS MAPPING USING FLOW CHARTS

1 ROAD MAP TO CONFIDENT PROCESS MAPPING USING FLOW CHARTS January 24, 2018 Internal Audit, Risk, Business & Technology Consulting

2 AGENDA
03 Introductions
07 Flowchart Formatting Fundamentals
08 Identify the Process
09 Determine Boundaries, Activities, & Sequences
12 Map out Key Actors and Symbols
15 Consistent Formatting & Aesthetics
18 Symbols Legend
20 Control Types
24 Swim Lane Diagram or Linear Flowchart?
27 High Level Summary
31 Process Mapping with a Purpose
32 One-Stop Shop
36 Information Provided by the Entity (IPE)
39 Internal Audit Process Map Uses
43 Operational Processes
45 Living / Breathing Document
47 Question and Answer
48 Contact Information

3 INTRODUCTIONS
Today's Presenters

Matt Lorimer is an Associate Director within Protiviti's Internal Audit and Financial Advisory practice. Matt has over 10 years of internal audit and internal control over financial reporting (Sarbanes-Oxley) experience. Matt has extensive experience in the airline industry as well as gaming and hospitality, manufacturing, communications, oil field services and software industries. Matt assists his clients in validating that business processes are efficient, effective and appropriately designed to mitigate risk. Matt oversees the outsourced internal audit function for an airline client and his experiences have included operational, compliance and financial reporting reviews. His experience relative to internal controls over financial reporting includes leading engagements focused on documenting key financial processes and controls through process maps and narratives, testing internal controls, developing remediation plans and evaluating deficiencies.

Christina Manuele is a Senior Consultant within Protiviti's Internal Audit and Financial Advisory Practice. Christina has over 4 years of internal audit and internal control over financial reporting (Sarbanes-Oxley) experience. Christina has experience in the homebuilding, higher education, manufacturing, software, and real estate investment trust (REIT) industries. Christina assists in the performance of Sarbanes-Oxley control testing, documenting key client business processes, reviews of operational and financial reporting procedures, and evaluating deficiencies and suggested action plans.

4 INTRODUCTIONS
Josh Robbins, Head of Business Development

Josh Robbins is the Head of Business Development for Lucidchart where he focuses his efforts on building relationships and growing Lucidchart by working with strategic partners. Prior to Lucidchart, Josh worked for Qualtrics and Amazon where he developed and implemented strategies to accelerate growth. He holds an MBA from Cornell University and a Masters in Accounting from Brigham Young University.

5 FLOWCHART FORMATTING FUNDAMENTALS

6 1. Identify the process
- Identify the process that needs to be documented/visualized
- Create a new document in Lucidchart or import an existing one from Visio
- Title the document
- If teammates are present, share the document and begin collaborating together

7 2. Determine the boundaries
- When does the process start?
- When does the process stop?
Tips and Tricks:
- Fill the first step in the process with a green fill color.
- Fill the last step in the process with a red fill color.

8 3. Brainstorm all activities involved
- Add all relevant activities in the process
- Sequence is not important (but if it helps you brainstorm, go for it!)
- Decide what level of detail to include
- Determine who does what, and when it's done
Tips and Tricks:
- It's helpful to have a verb begin the description. It will help you and others better understand the action/purpose of that step.

9 4. Determine and sequence the steps
- Sequence the steps in the correct order
- You may discover additional flows, processes, or levels of detail you want to explore.
- Don't worry about shape symbols. We will focus on that later on.
Tips and Tricks:
- If there are subprocesses or other states you'd like to document, build them out on a separate page within Lucidchart.

10 5. Map out key actors

11 6. Map flowchart symbols
Tips and Tricks:
- Swimlanes help you effectively organize your diagram. They can be accessed in the containers shape library.

12 7. Design flowcharts as living, breathing documents
Tips and Tricks:
1. Designate the Lucidchart document as the single source of truth
2. Determine appropriate permissions for each actor/stakeholder
3. Collaborate with all actors/stakeholders
4. ... the actor on sections or shapes that need further collaboration
5. Create calendar reminder to review the diagram on an appropriate cadence

13 CONSISTENT FORMATTING & AESTHETICS
Process maps serve as a tool for multiple purposes and audiences. As such, they should be clear, concise and easy to follow for all, regardless of their prior knowledge of the process or their experience with internal audit / Sarbanes-Oxley. The following should be considered:
- Establish a Standardized Format
- Shape Sizing and Spacing
- Flow of Process Steps
- Fonts / Capitalization

14 CONSISTENT FORMATTING & AESTHETICS - BEFORE

15 CONSISTENT FORMATTING & AESTHETICS - AFTER

16 SYMBOLS LEGEND
A legend is the key to ensure your audience is able to understand your process map as you intended.
- The legend should be included in your established standardized format and included in all process maps
- Consider the default shapes recommended by your flowcharting software or your industry / business function, if applicable
- Legend should be color coded to aid comprehension

17 SYMBOLS LEGEND - EXAMPLE

18 CONTROL TYPES
Business processes are governed by many different types of controls which can be displayed within your process map. Using different shapes and colors helps the reader quickly identify each control type. Control types may include:
- Manual
- Automated
- Secondary
- Management Review Controls (MRC)
- External Audit Reliance

22 SWIM LANE DIAGRAM OR LINEAR FLOWCHART?
Depending on the format you choose, a process map can emphasize how duties are segregated (swim lane) or the order in which each step occurs (linear). Advantages of the two types include:
Linear Process Maps
- Process chronology
- Easier to follow
Swim Lane
- Clarity and accountability
- Information flow
- Separate departments / parties that may not work in a linear sequence (i.e. simultaneous process steps)
- Highlight redundancies and bottlenecks

23 SWIM LANE

24 LINEAR

25 HIGH LEVEL SUMMARY
Some process maps are significantly longer than others and can involve multiple departments or complex sub-processes. Adding a high level overview can help the reader understand what the overall process entails and how the sub-processes are connected, and pinpoint the areas they want to focus on within the map. The summary map may include:
- Sub-Process Titles
- Page Number References
- Links to Sub-Process Pages

29 PROCESS MAPPING WITH A PURPOSE

30 ONE-STOP SHOP
Sarbanes-Oxley and Internal Audit process maps utilize information from multiple sources such as risk and control matrices (RCM), process narratives, policies and procedures, IT system documentation, etc. The process map itself can be used to house the following information, acting as a "one-stop shop":
- Process Owners
- In-Scope Applications
- Critical System Interfaces and Reports
- Third Party Service Providers
- Risks
- Controls

34 INFORMATION PROVIDED BY THE ENTITY (IPE)
In recent years external audit firms have required an increased focus to be placed on information provided by the entity (also known as internally prepared evidence, completeness and accuracy validation, or electronic audit evidence). As a result, this information is generally included within Sarbanes-Oxley and Internal Audit process documentation such as process maps. IPE information displayed may include:
- Unique Symbol to Easily Identify
- Source of Documentation
- Report / Query / Spreadsheet Names

37 INTERNAL AUDIT PROCESS MAP USES
During the course of a traditional internal audit, control gaps and process improvement opportunities are often identified and can be displayed within the process map. This can be done similarly to how controls are displayed, and each item can also link to the related risk and control matrix (RCM) or other applicable documentation:
- Unique Symbol to Easily Identify from Existing Controls
- Include in Legend
- Can be Included in Summary Page (i.e., One-Stop Shop)

40 INTERNAL AUDIT PROCESS MAP USES

| Risk # | Risk Name | Control # | Control Name | Control Significance | Control Type | Control Frequency |
| --- | --- | --- | --- | --- | --- | --- |
| 1. | Invoices may not be appropriately reviewed and approved. | 1 | Invoices are reviewed and approved prior to payment per the Signature Authority Policy. | Primary | Preventative | Ongoing |
| 1. | | 2 | Monthly, the P-Card Packet containing the Receipt Submission Log and associated invoices is reviewed and approved per the Signature Authority Policy as part of the monthly P-Card Reconciliation. | Primary | Detective | Monthly |
| 2. | Telecom usage may be inefficient or not cost-effective. | 3 | Voice and wireless devices are configured according to approved request. | Primary | Preventative | Ongoing |
| 2. | | 4 | Data services are installed according to the specifications noted in the survey performed by the Project Manager. | Primary | Preventative | Ongoing |
| 2. | | 5 | A Wireless Policy Acceptance form is signed by each new user of a company-owned wireless device acknowledging receipt of and agreement to Company XYZ Wireless Device Policy and is maintained on file by Analyst, Technology. | Primary | Preventative | Ongoing |
| 2. | | 6 | Monthly, the Analyst, Technology reviews the Server List to monitor for inactivity. | Secondary | Detective | Monthly |
| 2. | | Control Gap 1 | Invoice system expenses are not formally reviewed to identify inappropriate or inefficient spend. | N/A | N/A | N/A |
| 3. | Telecom expenses may not be completely or accurately recorded. | 7 | Telecom-related journal entries are reviewed and approved by a manager or above prior to posting. | Primary | Preventative | Monthly |
| 3. | | 8 | Reclassification journal entries are prepared and posted to correctly allocate telecom expenses across business groups. | Primary | Detective | As Needed |
| 3. | | Control Gap 2 | Telecom Models are not updated regularly to reflect changes to cost center mapping. | N/A | N/A | N/A |

41 OPERATIONAL PROCESSES
Process maps can be used for more than just SOX and internal audit projects and have value from a policy and procedure perspective. Additionally, external audit firms have started to request that certain non-financial or non-control focused processes be included within Sarbanes-Oxley documentation as background information. Process maps can also be utilized to display:
- Step by Step Processes to be Followed by Employees
- Checklists
- Forms
- Desktop Procedures / Manuals

43 LIVING / BREATHING DOCUMENT
Process maps are constantly changing and it can be hard to keep track of what was revised from version to version. This information can be maintained within the document and be updated on an on-going basis:
- Document History
- Listing of Major Changes
- Approval by Process Owners or Internal Audit Management

45 CONTACT INFORMATION
Matt Lorimer, Associate Director
4127 East Van Buren Street, Suite 210, Phoenix, Arizona
Office: (602)

Christina Manuele, Senior Consultant
4127 East Van Buren Street, Suite 210, Phoenix, Arizona
Office: (602)

Josh Robbins, Head of Business Development
Office: (385)

Chris Brasher, Director of Marketing
Office: (877) x

46 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.