IT auditors should determine whether the narratives and diagrams provided by the internal customers (i.e., the auditees) are adequate to describe the application that they are reviewing. If these are adequate, the auditors probably have no reason to prepare their own documents. However, if the narratives and diagrams are inadequate, IT auditors should prepare new workflow diagrams.
Diagramming is a process used to develop a symbolic representation of a situation or activity. These symbolic representations were originally used to document the logic that underlay the processing within an application, and they later became part of the standard toolkit for the IT auditor. Because of technological advances, particularly in the personal computer arena, diagrams are a standard tool for anyone needing to document or demonstrate a situation or process.
The person coining the phrase that a picture is worth a thousand words would have been more accurate to say that a picture could be worth a thousand words if it were drawn correctly. A well-developed diagram emphasizes the critical elements and processes in an application, identifies the decision points and range of possible alternatives, and indicates the persons either responsible for or involved with the process.
The IT auditor should develop diagrams to meet one or more of the following objectives:
A flowchart can depict any process that is made up of a series of steps. The process being depicted does not have to be automated. For example, diagrams can be used to describe the process of managing an audit department, conducting an audit, writing an audit report, or traveling between the internal audit home offices and the location that is going to be audited. The IT auditor often prepares diagrams that depict the way in which manual or automated processes work, which is the reason for referring to them as workflow diagrams.
The workflow diagram should symbolically depict all of the elements required to understand a particular situation or process. An IT auditor might wish to describe the process of performing an audit to the personnel in a location soon to be audited.
Clearly describing the audit process in advance may help to address any concerns of the auditees. For example, as shown in the workflow diagram in Exhibit 31-1, if the event to be diagrammed were how to conduct an audit, the first step might be initiating an audit assignment, followed by setting the audit objectives, planning the fieldwork and staffing, etc., until the audit report is issued and the files closed, which would be a likely final step in the audit process.
The IT auditor should begin the workflow diagramming process by determining the exact boundaries of the process to be diagrammed. Without boundaries, a diagramming project can extend into many other areas that could prevent a timely conclusion of the assignment originally approved.
Having set the boundaries for the assignment, the IT auditor begins by identifying the high-level components or steps making up the process being reviewed. This step does not have to be documented by using a diagramming software tool. Some IT auditors find that drawing this top-level diagram, as in the workflow diagram shown in Exhibit 31-2, by hand or by describing it in a brief narrative is just as effective.
The IT auditor can then begin to diagram each top-level component. Each component should be broken down into its direct and indirect components. The direct components of a process are most often either actions or decisions. An action involves the performance of an activity by one or more persons, one or more machines, or a combination of the two. Some examples of an activity include receiving a document in the mail, entering new or changed information into a system, or a program checking for logical flags on orders to identify any that are due for shipment. A decision point occurs whenever there is more than one possible processing path, and one of those paths is chosen based on a condition or a test. Most of these decision points have only two alternatives: true or false, or greater than or less than a threshold value, for example. However, many other situations exist that have more than two alternatives. One example is a company with four levels of signing authority. The workflow diagrams shown in Exhibits 31-3 and 31-4 depict two different but equally acceptable ways of diagramming the situations just described.
Exhibit 31-1. Basic Audit Process Workflow Diagram
The IT auditor must select between alternatives such as those, based on personal preference along with any other diagramming considerations arising in that specific situation. The indirect components of the workflow diagram depict the inputs and outputs related to the activity being diagrammed. The inputs and outputs are often significant or necessary to the process being diagrammed, requiring their depiction in the diagram. Examples of indirect components include an order form sent in by a customer that someone takes and uses as the basis for entering a new order into the system. The order form is a trigger that initiates the entry process that may be followed by the issuance of an order confirmation. The confirmation takes no action and makes no decision, but is an important element of the overall order handling process.
Exhibit 31-2. High-Level Flowchart Workflow Diagram
The IT auditor also must determine what level of sophistication is appropriate in any given situation. He or she can choose from a simple or limited set of shapes and increase the text portion of the diagram to present the information and specification the reader requires. A simple set of diagramming shapes, discussed in the following paragraphs, is depicted in Exhibit 31-5.
If the IT auditor chooses to omit the indirect elements of a situation or process, only two shapes may be required for the workflow diagram: a rectangle depicts an action and a diamond represents a decision. Exhibit 31-6 shows a diagram that uses only these two shapes to illustrate the complete process of auditing a computerized application.
Exhibit 31-3. Sample Workflow Diagram
Alternatively, the IT auditor can select a set of shapes based on the idea that each shape will have a very specific meaning, so that anyone reviewing the diagram receives much of their information from just the shapes and the sequence in which they appear. One example of a more extensive set of diagramming shapes appears in Exhibit 31-7.
The IT auditor's selection of a set of diagramming shapes usually makes a significant difference in the diagram. In Exhibit 31-8, one portion of an application audit process can be diagrammed using only two shapes; that same process can be rediagrammed using a more extensive set of shapes. The contrast in terms of effect on the reader is clear: a more specific diagram communicates more information by using less text. Ultimately, the IT auditor must determine what is the appropriate type of diagram and what shapes should be used.
Exhibit 31-4. Sample Workflow Diagram
Exhibit 31-5. Simple Shape Set
The IT auditor should also consider adding narrative text directly onto the workflow diagrams or, at least, drafting separately a short narrative that can be easily related to the diagram. In the example workflow diagram depicting the process of conducting an audit, it is easier to understand the reasons or logic that support the actions if that information is presented in a complementary narrative, as shown in Exhibit 31-9, instead of being omitted from the diagram.