Flowcharts See Revival As Auditing Tool

A picture is worth a thousand words. And that principle can prove very useful in the endless drive for more efficient auditing of internal controls.

Flowcharts—those simple diagrams created to depict how a transaction unfolds—have seen a surge in popularity in the last three years, as internal auditors struggle to find ways to document internal controls over financial reporting. Although born in the era before computers managed financial systems, Sarbanes-Oxley has led to a revival in flowcharts and put them alongside spreadsheets and written narratives as vital tools for SOX compliance.

Hirth

“Because of Sarbanes-Oxley, flowcharting has become more popular,” says Robert Hirth, a managing director at risk consulting firm Protiviti. “Sarbanes-Oxley is all about the controls at the process level. Even though you have financial statements, all of the controls are in the process.”

Neither SOX nor the Committee of Sponsoring Organizations of the Treadway Commission specifically require a flowchart to document a company’s controls; the regulations and guidelines only ask that a company clearly explain the controls and processes it has implemented.

SOX does, however, require that an external auditor complete a walk-through of a company’s processes, meaning the auditor must be able to follow a transaction from start to finish and fully understand every step. The flowchart is one type of documentation used by companies to help the external auditors facilitate that requirement. (Companies also can use a word narrative or a spreadsheet to achieve the same effect.)

Richards

“Flowcharts aren’t the only technique for documenting a business process, but it’s the most common because it’s universally understandable, easy to follow, and can help people explain a complex process in simple terms,” says David Richards, president of the Institute of Internal Auditors. “Flowcharts provide a visual representation of the process so that the internal and external auditors can identify control gaps, as well as pinpoint the key control points that need to be tested.”

Internal auditors’ application of flowcharts for SOX compliance is a natural extension of their use in regular auditing activities, such as those focused on operational improvement. Flowcharts help internal auditors understand a process and provide a solid explanation of any issues to senior management. And as technology has evolved, so has the sophistication of developing flowcharts. So-called “process mapping,” for example, is a form of flowchart that involved illustrating business processes as companies increasingly became automated, Hirth says.

Flowcharts also help auditors identify where potential control weaknesses exist and where risks may be greater, says Richard Chambers, a managing director at PricewaterhouseCoopers. They can be critical for outlining a detailed transaction, particularly during the audit of a program or function that hasn’t been previously, or recently, reviewed, he explains. Flowcharts help auditors take “a new, fresh look at processes and controls and allow them to gain fairly detailed familiarity.”

The graphic produced from flowcharting can also pique the interest of an organization’s senior management, who may adapt its use for other business purposes, Chambers says. “They can use it to help them manage their own processes. Oftentimes, they don’t have the technical skills or resources to flowchart processes.”

Drawing Out A Flowchart Approach

To determine whether a flowchart will be useful, companies should first identify the purpose of the map. This allows them to figure out how much detail will need to be included and the kind of format the chart should take. For example, understanding the general flow of an organization requires less detail than a map of a specific, complex process that requires audit testing, Hirth says.

“Flowcharts aren’t the only technique for documenting a business process, but it’s the most common because it … can help people explain a complex process in simple terms.”

— David Richards, Institute of Internal Auditors

“Thousands of people are doing flowcharts [for SOX], but very few are really skilled at it,” says John Fraser, chief risk officer at Hydro One, an electricity transmission company owned by the Ontario Government in Canada. “I believe, based on personal observation over the years, that billions of dollars are likely being wasted by poor techniques.”

Each flowchart needs to include time and location elements, as well as symbols that depict the flow of a process. This allows readers to be able to identify what is supposed to happen, the people involved in the process, and the timeframe of the transaction, Hirth says.

“You can get a good idea of where bottlenecks can happen” by using these, even for a regular internal audit, Chambers says.

The chart has to tell a story, and the lines used to map direction shouldn’t cross so that the division of duties remains clear. Hirth recommends outlining a process’ broad steps first, and then creating additional maps that drill down into the details of the individual steps. One of the biggest mistakes in flowcharts is providing too much detail so that a reader can’t see the breakdown of each step.

While new technologies have made flowcharting easier, it remains labor-intensive and time consuming, Chambers says. Organizations need to be committed to maintaining the maps so that the information remains current, Richards adds.

Fraser

“A good flowchart done quickly and efficiently might take four hours to do,” Fraser says. “A poor flow chart that has to be redone and corrected can waste a week. What is needed is more research as to best practices and better training methods."

Not everyone believes in using flowcharts for their SOX compliance.

“If you have good control matrices, spreadsheets and narratives, then that should be enough to handle SOX requirements,” says Andrew Ng, director of internal audit and corporate compliance for Magma Design Automation, a software company in Santa Clara, Calif. “At Magma, our control-point details show up in the narratives,” eliminating the need for charts, he says.