The IT auditor should consider following a four-step process as one way to acquire the ability to place appropriate reliance on the work of others, to gain the necessary level of understanding about the system, and to comply with professional standards related to the application under review:
- Step 1: Obtain existing workflow diagrams and supporting documentation.
- Step 2: Check the timeliness and completeness of the information.
- Step 3: Examine the workflow diagrams for errors or omissions.
- Step 4: Review the workflow diagrams with the appropriate client (i.e., auditees) or IT personnel.
Obtain Existing Workflow Diagrams and Supporting Documentation. The IT auditor should request all appropriate documentation required to support the workflow diagrams, which may include one or more from the following list of supporting items.
- A narrative description of the significant application processes and controls, if not for the entire system
- Documentation for user training and reference purposes
- Detailed program documentation
- Application backup and recovery procedures
- Record layouts
- Sample reports
The IT auditor should be aware that the preceding is not intended to be an all-inclusive list.
Check the Timeliness and Completeness of Information. The IT auditor should verify the completeness and timeliness of the documentation offered by answering these questions:
- Are all system changes reflected in the existing workflow diagrams?
- Do the workflow diagrams and narrative descriptions match?
- Were any proposed changes included in the diagrams that were never implemented in the system?
- Do the workflow diagrams and narrative description represent a system that meets the objectives of system users?
The answers to these questions should give the IT auditor a sense of the accuracy of the available documentation. The auditor generally should avoid using documentation that is out of date. When the documentation is out of date, the auditor should probably develop new workflow diagrams, unless the required changes are minor.
Examine the Workflow Diagrams for Possible Problems. The IT auditor should examine the workflow diagrams and supporting documentation, looking for the types of problems that could occur within the system. These problems can be summarized as minor errors, exclusion of elements that exist as part of the production activity, or inclusion of elements that are not actually part of the production activity or that are not being complied with by the involved personnel.
Review the Workflow Diagrams with End User or IT Personnel. During this step, the IT auditor should describe his or her understanding of the system to appropriate company personnel to obtain their feedback. The company personnel should then determine whether the IT auditor appears to have an adequate understanding of the system, while correcting any apparent misapprehensions.
RECOMMENDED PRACTICES FOR DEVELOPING WORKFLOW DIAGRAMS
The IT auditor has a single standard to establish a measurable compliance level within the terms of workflow diagramming technique. Although this is true, there are benefits to following certain basic principles for all workflow diagrams that are prepared:
- Use automated diagramming software if at all possible.
- Establish and use a single set (or limited number of sets) of diagramming shapes.
- Start the workflow diagram in the upper left-hand corner of the paper and work toward the lower right-hand corner.
- Use the connector symbol rather than drawing lines around or over parts of the diagram.
- Date the diagram and indicate who prepared it.
- Verify the correctness of the diagram with the individual or department responsible for the area under review.
- Indicate through a terminal symbol where processing starts and stops.
- Use text notes to clarify what the various processes mean.
- Use oversized symbols if the information will not fit within the standard-sized symbol.
- Divide the process into steps if possible and indicate those steps on the workflow diagram.
Problems to Avoid in Creating Workflow Diagrams
Although creating workflow diagrams offers the auditor many advantages, the following problems associated with this process must be taken into account.
- Workflow diagrams do not inherently indicate the frequency of processing. It is possible on the same diagram to have processing that occurs continuously (e.g., on an online terminal), daily, and monthly without clear differentiation. (This can be clarified either in a note or in the narrative description if necessary.)
- Workflow diagrams can quickly become out of date. If the auditor is using an existing diagram, it must be determined when it was developed and whether any changes have been made since.
- Workflow diagrams may show inconsistent levels of detail. Because the developer of the diagram uses it as a tool, processes that are well understood by the developer may appear as one or two process symbols, while less well-understood processes may be exploded into 30 or 40 shapes.