Documentation Tools and Techniques
advertisement
Documentation Tools and Techniques Ayesha Hussainbhoy University of Waterloo Waterloo, ON N2L 3G1 June 27, 2014 Table of Contents Executive Summary ........................................................................................................................ 1 Introduction ..................................................................................................................................... 2 Importance to the Professionals ...................................................................................................... 3 Importance to IT Professionals ................................................................................................... 3 Importance to C-Suite Executives .............................................................................................. 3 Importance to Auditors ............................................................................................................... 4 Current Methodologies Available for Documentation ................................................................... 5 Narrative Documentation ............................................................................................................ 6 Internal Control Matrix ............................................................................................................... 6 Data Flow Diagrams ................................................................................................................... 6 Flowcharts ................................................................................................................................... 8 Resource-event-agent (REA) Modeling ................................................................................... 10 IDEF0 Model ............................................................................................................................ 12 Extended event-driven process chain diagrams (EPC) ............................................................. 13 Unified Modeling Language (UML) Activity Diagrams .......................................................... 14 Business Process Diagram – Business Process Modeling Notation ......................................... 15 Does the Type of Documentation Matter? .................................................................................... 17 Conclusion .................................................................................................................................... 20 Bibliography ................................................................................................................................. 21 Executive Summary This report, entitled Documentation Tools and Techniques, provides an analysis and evaluation of several documentation methodologies and their usefulness to different professionals. Effective documentation serves as a tool for management to make decisions, to track the business processes in place, and as evidence for an audit. Methods of analysis in the report include: an overview of the importance of effective documentation for IT professionals, senior executives, and auditors; a brief description of the documentation methodologies available including the advantages and disadvantages of each methodology; and an assessment of the most optimal form of documentation. The objectives for each of the professionals are important to determine the type of documentation required. The objective of IT professionals is to mitigate risk of loss of intellectual capital leading to loss of data; thus it is important to document processes effectively so no information is lost. Senior executives’ objective is to attain information that can help them make well informed decisions; thus documentation should be designed for this purpose. Lastly, the objective of auditors is to perform an effective and efficient audit; therefore documentation should be designed to serve as evidence to support an unqualified opinion. The report compares narrative documentation, which is a written description of the business processes, to various forms of diagrammatic documentation, which uses pictures, tables, or flowcharts to represent a business process. The advantages and disadvantages are presented for each of the documentation methodologies from an audit risk assessment perspective looking at the tools available in the methodology. This analysis is then used to determine whether narrative or diagrammatic documentation is more advantageous for professionals. The report concludes that while diagrams are often better interpreted by people than large volumes of text, the optimal form of documentation depends on the user and their needs. As a result, professionals may need to use a combination of various forms of documentation to meet their objectives and mitigate the deficiencies of the different methodologies. For the purpose of conducting a business process audit research shows that narrative and diagrammatic documentation provide the same results. However, in practice, narrative documentation is most often used to document a business process and controls over the process. Auditors should understand the various documentation methodologies available and their evolution over time so that they can prepare effective documentation and perform a high quality audit. 1|Page 1.0 Introduction A business process is defined as “any system or procedure that an organization uses to achieve a larger business goal”1 and consists of “a series of tasks”2 or activities that are “executed in a specific order”3 to achieve a desired outcome. Corporate executives require a solid understanding of business processes within the organization for the purpose of strategic decision-making and planning objectives. CAS 315 requires auditors to “identify and assess the risks of material misstatement […] through understanding the entity and its environment”4. This includes understanding the business processes employed to effectively operate the business, as well as understanding the controls over these processes. Thus, for the purpose of effectively engaging in the risk assessment process auditors require clear, concise, and thorough documentation of the business processes and their controls. There are two broad types of documentation techniques that can be used to depict business processes within an organization. The first one is narrative documentation, which describes a business process in words, and the second is diagrammatic documentation, which utilizes diagrams or figures to represent a process. Within diagrammatic documentation there are several methodologies available such as internal control matrices, data flow diagrams, flowcharts, resource-event-agent modeling, IDEF0 modeling, extended event-driven process chain diagrams, unified modeling language activity diagrams, and business process diagrams. A brief overview of each of these methodologies is provided in the body of this report. Thus, business professionals, including management and auditors, can use these forms of documentation to gain a better understanding of a business model and its processes. The purpose of this paper is to analyze various documentation tools and techniques and how they can be employed to represent a business process. The analysis includes an assessment of the importance of documentation of business processes for IT professionals, C-suite executives, and auditors by identifying specific requirements and constraints to assess what type of documentation will best meet each of their needs. The report describes the current methodologies available for documentation including a presentation of the advantages and 1 http://publib.boulder.ibm.com/infocenter/dmndhelp/v6rxmx/index.jsp?topic=/com.ibm.wbit.help.bpel.ui.doc/conce pts/cunder.html. 2 Ibid. 3 Ibid. 4 http://edu.knotia.ca.proxy.lib.uwaterloo.ca/knowledge/Home.aspx?productid=1 2|Page disadvantages of each methodology. Using results from previous studies as well as examples from current practice, the report assesses whether the type of documentation used to represent business processes impacts the decisions made by IT professionals, C-suite executives, and auditors. Finally, the report looks at current issues with documentation and provides a conclusion on the best available methodology for audit risk assessment and decision-making for management and executives. 2.0 Importance to the Professionals The following discussion focuses on gaining an understanding of the importance of sufficient and appropriate documentation of business processes for IT professionals, C-suite executives, and auditors, by assessing their key objectives and concerns as professionals. 2.1 Importance to IT Professionals Strong documentation of a company’s business processes is extremely important for IT professionals because it helps to mitigate risk in several areas including: “loss of intellectual capital, data and IT operations, clarity, and momentum”5. Due to the high turnover rate in the IT industry, the loss of intellectual capital is a major concern for IT professionals. In order to prevent a potential loss of data, IT departments should effectively document all knowledge about the various processes and functions of systems. This will minimize the risk of loss of data and reduce future costs that may be required to re-do the work. Documentation is also important in a business recovery situation as it helps to mitigate the loss of data in the case of a disaster. It is important for IT professionals to be able to restore all important information related to business processes and operations quickly and effectively to prevent further loss caused by ceasing of operations. Documentation is also important to prevent miscommunication between IT professionals. Clear documentation provides IT professionals with a benchmark to resolve differences in opinions that may occur. Lastly, documentation also ensures continuing progress for projects by providing “clarity and accountability over job functions, processes and control”6. 2.2 Importance to C-Suite Executives Strong documentation of key business processes is also important to management and senior executives. Documentation of business processes and the controls over these processes enables management to evaluate the system of internal controls in place and serves as evidence 5 6 http://www.isaca.org/Journal/Past-Issues/2012/Volume-4/Documents/12v4-Everybody-Loves-Documentation.pdf Ibid. 3|Page for assessing the effectiveness of these internal controls7. Robust documentation allows management to understand the activities that the organization has undertaken to meet their main objectives. This will help with management decision-making to identify any control gaps in processes and resolve errors. Additionally, effective documentation prepared at the organizational level leads to a more efficient audit process, since the auditor can leverage off the existing documentation8. This in turn results in lower audit costs for the organization. 2.3 Importance to Auditors Effective documentation of a business’s systems and processes is essential for an internal and external auditor to understand the key business processes in order to evaluate the risks associated with each process. In particular, documentation of internal controls is crucial in establishing that a company has effectively designed and implemented internal controls over various business processes. A key objective of audit firms is also efficiency; thus, auditors should keep in mind the risk of over-documenting, which can be extremely time-consuming and costly for the firm. Organizations often prepare their own documentation of their business processes to identify gaps in controls, to understand their processes so that they can improve operating efficacy, and to reduce potential errors in their system9. Thus, auditors can leverage this documentation in preparing their own documentation to efficiently evaluate the risks associated with the business processes and controls at an organization. Deloitte recommends that auditors employ a riskbased approach in determining which processes in an organization need to be documented10. The audit team can identify the financial statement accounts and business processes with the highest risk and document controls over these processes. This will control the extent of the testing performed and improve the efficiency of the audit. Audit documentation, which is contained within audit working papers, is a record of the work performed by auditors to support their overall conclusion. At the completion of the audit, the firm issues an unqualified opinion stating that the financial statements and the related accounts are free from material misstatement. Thus, it is essential that all evidence obtained is 7 http://www.deloitte.com/view/en_CA/ca/services/ceocfocertification/dd736aeff60fb110VgnVCM100000ba42f00a RCRD.htm 8 Ibid. 9 Ibid. 10 Ibid. 4|Page clearly and thoroughly documented for the purpose of performing a good quality audit. Consequently, for audit documentation to be useful and to serve the purpose and objectives of auditors it should meet the following broad criteria: 1) Documentation needs to be correctly associated “to the appropriate subject and audit objective”11; 2) Interviews conducted should be documented to record the details of the interview including: the topic discussed, the person interviewed, and the time and location the interview took place; 3) Auditors must document any observation of work performed; 4) Data obtained from an information system, either directly or indirectly, should be documented. The data obtained should contain the appropriate annotation so that files can be tracked to its original source; 5) Auditors should avoid using generic templates for documentation and instead document as much detail about the information system (especially if the system does not fit an available template); 6) Auditors should be constantly revising their documentation, adding comments, and resolving issues and deficiencies with the documentation; 7) Documentation should be reviewed constantly and comments from the review should also be documented; 8) All copies of the report, including all drafts, should be included in documentation12. Thus, auditors should bear in mind the above requirements when documenting key business processes as part of the risk assessment procedures in order to perform a high quality audit. 3.0 Current Methodologies Available for Documentation There are several methodologies available for documentation that are grouped under two broad categories: narrative documentation and diagrammatic documentation. The following discussion provides a brief description of each of the documentation methodologies and an assessment of their effectiveness in business process modelling. In particular, the discussion is from an audit risk assessment perspective. Auditors are concerned primarily about the flow of information through the business processes and the controls over these processes. Thus, the 11 12 http://www.isaca.org/Journal/Past-Issues/2002/Volume-3/Pages/The-Necessity-for-Documentation.aspx Ibid. 5|Page discussion focuses on the availability or shortage of constructs relating to controls, risks, and information flow when assessing the effectiveness of each method for audit risk assessment. 3.1 Narrative Documentation Narrative documentation provides a high-level overview of each process in a business. The narrative typically includes a written description of the key controls over a particular transaction or process, the personnel responsible for executing the controls, and key application and system controls13. An advantage of narrative documentation is that it can provide as much or as little information based on the needs and objectives of the users. This flexibility leads to potentially lower costs of documentation and therefore greater efficiency. Since narrative documentation does not have restrictions due to limited constructs, every aspect of the business process including activities, controls, and flow can be depicted. However, narrative documentation is often less user friendly, providing more data than the user can effectively process at a time. 3.2 Internal Control Matrix An internal control matrix is used to document the control system at an organization in a tabular format. The matrix shows control activities that a company has in place to meet specific control objectives and the associated financial statement assertions and risks. The matrix also helps conclude on the design and operating effectiveness of the control14. An advantage of an internal control matrix is that it details the internal controls in place for various processes and associates the risks inherent to each of these processes. This way the auditor can assess if controls over processes are operating effectively and the risks that need to be mitigated through substantive testing. However, a limitation of an internal control matrix is that it does not illustrate the flow of information through the organization. 3.3 Data Flow Diagrams Data flow diagrams (DFD) are a form of documentation that represents the source and destination of data in a graphical form. Data flow diagrams are typically used to show the flow of data through a company’s information system. Thus a DFD provides an overview of the system including where the data comes from, how it flows through, the processes performed on the data, 13 http://www.deloitte.com/view/en_CA/ca/services/ceocfocertification/dd736aeff60fb110VgnVCM100000ba42f00a RCRD.htm 14 Ibid. 6|Page and where the information goes15. DFD’s use functional decomposition enabling processes to be further sub-divided. Hence, DFD’s can provide an overview of the entire system as well as a more detailed view of the processes and activities within a system16. DFD’s are created for two primary purposes: (1) to provide a logical view showing the process and data flows; or (2) to provide a physical view showing the organizational units that perform the process17. Exhibit I: An illustration of a DFD18 A DFD has two primary advantages in business process risk assessment: (1) It is easy to construct a DFD given the appropriate tools; and (2) DFD’s are flexible and can be constructed to either present abstract or more detailed information of a process depending on the user’s needs19. DFD documentation also has several weaknesses, that is, DFD’s do not show the flow of control and do not have separate constructs to depict controls20 (see Exhibit II for the constructs available for DFD’s). However, controls can be shown as a process construct or 15 http://wps.prenhall.com/bp_romney_ais_11/86/22157/5672264.cw/index.html http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 17 http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc38088.1610/doc/html/rad1232026266 129.html 18 Ibid. 19 http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 20 Ibid. 16 7|Page decision tables to show the sequence of controls. Additionally, DFD’s do not have separate constructs to capture resources, objectives, or risks21. Exhibit II: Constructs available in a data flow diagram22 3.4 Flowcharts Similar to data flow diagrams, flowcharts depict the flow of data through an information system, but it also provides information about the timing of processes. There are three main types of flowcharts: document flowcharts, which describe the flow of information between departments; system flowcharts, which depict the relationship between inputs, processing, and outputs of a system; and program flowcharts, which describe the sequence of logical operations performed in a computer program23. This discussion focuses on the use of system flowcharts to depict business processes and outlines the advantages and disadvantages of using system flowcharts for this purpose. 21 http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc38088.1610/doc/html/rad1232026266 129.html 23 http://wps.prenhall.com/bp_romney_ais_11/86/22157/5672264.cw/index.html 22 8|Page Exhibit III: System flowchart for an inventory system24 As previously described, a system flowchart shows the inputs, outputs, processing, and storage of information within an entity and the relationship between them. A major advantage of system flowcharts is that they show how the main components of a system fit together and their interaction, thus capturing the flow of information through the system25. However, there is often ambiguity with system flowcharts as they can be interpreted differently by different people. This is because the model uses standard input and output constructs – that is, there are no specific accounting transaction or control constructs26 (refer to Exhibit IV for the system flowchart symbols). Thus, the system flowchart must be accompanied with a note describing the purpose and objective of the flowchart so that it can be interpreted in the same way by all users. 24 http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc38088.1610/doc/html/rad1232026266 129.html 25 http://www.hit.ac.il/staff/leonidM/information-systems/ch37.html 26 http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 9|Page Exhibit IV: System flowchart symbols27 3.5 Resource-event-agent (REA) Modeling The inputs and outputs of events in the REA model are resources; thus, the key constructs of the REA model are “economic resources, economic events, and agents”28. The REA model demonstrates an exchange of events – that is, it consists of one event in which a resource is consumed paired with another event in which a resource is increased. Thus, the REA model demonstrates the relationship of resources to an event and associates the event to a particular organizational unit. Since the REA model employs inputs and outputs that are resources, and not information, DFD models or system flowcharts can be used within a REA model to depict the activities of a particular event29. 27 http://www.hit.ac.il/staff/leonidM/information-systems/ch37.html http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 29 Ibid. 28 10 | P a g e Exhibit V: A depiction of a business process using a REA model30 A major strength of the REA model is the simplicity of the underlying metamodel, which provides detailed guidance on “what should be modeled and how it should be represented”31. In addition, a main focus of the REA model is to model accounting systems. Thus, the model can be used to trace risk to a class of transactions, clearly defining the objective of the business process and the economic nature of the event being modeled. The REA model differs from other models that depict business processes since they focus on the economic essence of transactions instead of the physical reality by employing an economic or value chain perspective32. However, the REA model does not have constructs to model risk associated with a process, constructs for controls to address the risks, nor does it capture the flow of controls33. However, as mentioned previously, other models such as a system flowchart can be used to depict flow of controls of an event in the REA model, thus mitigating the limitations of the model. 30 https://www.msu.edu/user/mccarth4/G&M-maintext.htm http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 32 Ibid. 33 Ibid. 31 11 | P a g e 3.6 IDEF0 Model The IDEF0 models processes, activities, transformation of inputs to outputs, controls over the transformation, and resources needed for the process34. The model also depicts the flow of information or materials between processes, thus demonstrating the dependence between processes. The IDEF0 model decomposes a process based on functions – that is, it shows “the process as one activity with all inputs and outputs”35 and then shows a separate level with a decomposition of the process into several activities. A major advantage of the IDEF0 model is that its shows all of the resources, inputs, outputs, as well as the controls of each process. However, the IDEF0 model has several limitations. The model does not illustrate the flow of control between functions in the model or the sequence in which the activities occur. However, this limitation can be addressed by “arrang[ing] activities in an appropriate order on a page to represent their proper sequence”36. Additionally, there are no constructs for accounting transactions, performance measures, or links to a specific operational unit (refer to exhibit VI for the constructs available in the IDEF0 model). However, this limitation can be overcome by representing the organizational unit as a resource required to operate a particular function37. Exhibit VI: Shows the interrelation and constructs in the IDEF0 model38 34 Ibid. Ibid. 36 http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 37 Ibid. 38 http://www.idef.com/IDEF0.htm 35 12 | P a g e 3.7 Extended event-driven process chain diagrams (EPC) The basic EPC model consists of activities, events, and connectors to show the flow of controls between the activities and events. Thus, the model depicts a business process showing the complete chain of activities in response to particular events. The extended EPC also models “objects, data inputs and outputs, and organizational units performing the function”39. Exhibit VII: EPC Activity Diagram for a billing process40 A major strength of the EPC model is that it is simple to understand. However, the EPC model also does not have specific constructs to model controls or resources required for a particular activity, however, activity constructs can be used to represent a control to compensate for this limitation41. 39 http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf http://www.visual-paradigm.com/VPGallery/bpmodeling/ 41 http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 40 13 | P a g e Exhibit VIII: The notation available for EPC activity diagrams42 3.8 Unified Modeling Language (UML) Activity Diagrams UML activity diagrams include the activities of a business process as well as the flow of control between the activities, showing the linkage of activities to form a process. In a UML activity diagram, an activity commences when the previous activity ends and conditions are met. The conditions serve as decision points to determine which activity will occur depending on the decision made – that is, the UML diagram shows sequence of activities. Guard conditions are used to show the flow of control and determine which activity comes first in the sequence. However, activities can also occur in parallel and swimlanes are used in the UML diagram to show the partition43. 42 43 http://www.visual-paradigm.com/VPGallery/bpmodeling/ http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 14 | P a g e Exhibit IX: An example of a UML activity diagram44 Activity diagrams however do not allow for the modeling of resources used in a process or controls distinct from an activity. However, an extended UML diagram is a process diagram that shows the “goals of the process, materials used and provided by the process, resources needed for the process, and controls for the process”45. Activity diagrams are simple to read and create due to the small number of symbols. However, the activities and decision points are often not well defined in the model. However, due to the simplicity of the model, the symbols often do not precisely define the meaning of the activities being depicted46. 3.9 Business Process Diagram – Business Process Modeling Notation Business process modeling notation (BPMN) is a standardized notation designed to be easy to understand by all business users. The business process diagram (BPD) is contained within the BPMN and uses a flowchart to display the flow of control and order of activities 44 http://www.visual-paradigm.com/VPGallery/bpmodeling/ http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 46 Ibid. 45 15 | P a g e within a process. BPD can be designed and broken down to provide more or less detail of a process depending on the user needs. The BPD portrays the order and sequence of activities and can also show the flow of information between organizations using connection symbols 47. Exhibit X: Example of a BPD diagram48 A major advantage of the BPMN is that it is the closest in “depicting how business analysts think of processes”49. While the sequence in which the activities occur is clearly depicted in the BPMN, the resources required for an activity are not shown. In addition, there are no specific constructs for controls over activities (refer to Exhibit XI for the construct in BPD), but these can be modeled as activities50. 47 Ibid. http://www.visual-paradigm.com/VPGallery/bpmodeling/ 49 http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 50 http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 48 16 | P a g e Exhibit XI: Constructs available in BPD51 4.0 Does the Type of Documentation Matter? When documenting business processes, an organization must determine whether the documentation should be primarily narrative or diagrammatic or a combination of the two. Research shows that diagrammatic documentation is used to depict business processes “when they are intended for use by people rather than computers”52. Within the broad category of diagrammatic documentation, every methodology has its advantages and disadvantages. Thus, organizations should utilize a combination of the different models in order to capitalize on the advantages of the model and find a solution that best meets their needs. Certain characteristics of a diagrammatic representation make a model superior; these criteria include: The model should be easily interpretable by its users, that is, there should be limited to number of interpretations possible The important concepts and relationships should be explicit and clearly evident from the diagram. Irrelevant information should be excluded from the diagram to avoid misunderstanding or information overload. 51 52 The diagram should enable users to infer information allowing them to make decisions. http://www.visual-paradigm.com/VPGallery/bpmodeling/ http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf 17 | P a g e A clear description of the model constructs, that is, what each of the symbols in the model represent. Ultimately, it is important to consider the users, their knowledge of the models as well as their needs when determining whether a diagrammatic model, narrative documentation, or a combination of the two should be used. While IT professionals and senior executives use various forms of documentation to describe their business processes to best serve their needs for decision making and analysis, the requirements for auditors are much more stringent since the documentation serves as audit evidence to support an opinion. Studies and textbooks state that “[a]udit documentation of business processes tend to be largely, although not exclusively, text based” with an exception of system flowcharts that are occasionally used53. A study was performed to analyze the effectiveness of two methods, narrative and diagrammatic documentation, for documenting business processes in order to assess risks and controls. The results of the study indicate that “textual representation of a business process can lead to the same outcome as a diagrammatic representation”54. When comparing the use of business process modeling languages (BPML) in a business process audit, a study done notes that none of the common BPML’s are used in a business process audit and instead firms employ their own software or do not use any BPML’s using office software such as Microsoft Word or Excel or Powerpoint. However, amongst the most common BPML, EPC is used most frequently. The results of this study are shown in Exhibit XII. Exhibit XII: Most common BPML used in business process audits55 53 http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf http://accounting.uwaterloo.ca/uwcisa/resources/Business%20Process%20Modeling%20Sept%2015%20jeb-1.pdf 55 http://www.wiso.unihamburg.de/fileadmin/wiso_fs_wi/Publikationen/Modellierung_2014_Towards_Auditors__Pr eferences_on_Documentation_Formats_in_Business_Process_Audits.pdf 54 18 | P a g e Additionally, the study looks at whether auditors are more likely to use one or several forms of documentation. The results in Exhibit XIII illustrate that for all audit areas, auditors prefer using a single form of documentation. However, in areas such as process flow and controls, which are the focus of this report, auditors are more likely to use more than one form of documentation. Exhibit XIII: Formats of documentation in business process audits56 Finally, the study looks at the format of documentation; in particular, if narratives, tabular documentation, graphical documentation, or no documentation is preferred for various areas of audit. The results presented in Exhibit XIII illustrate that for documentation of process flow, which is the basis of this report, the preference of auditors is evenly split between graphical and narratives57.This is consistent with the findings presented by Boritz, Borthick and Presslee that note no preferential difference between narrative and diagrammatic documentation. Exhibit XIV: Split between graphical, tabular, and narrative documentation for audit concepts58 56 http://www.wiso.unihamburg.de/fileadmin/wiso_fs_wi/Publikationen/Modellierung_2014_Towards_Auditors__Pr eferences_on_Documentation_Formats_in_Business_Process_Audits.pdf 57 Ibid. 58 http://www.wiso.unihamburg.de/fileadmin/wiso_fs_wi/Publikationen/Modellierung_2014_Towards_Auditors__Pr eferences_on_Documentation_Formats_in_Business_Process_Audits.pdf 19 | P a g e In practice, the most common form of documentation used by auditors to depict business processes and discuss controls over these processes is narratives. Ernst & Young LLP, an external audit firm, provides its staff with narrative templates for each of the significant classes of transactions in a business. Some of these include: the purchase and payable cycle and the sales and receivable cycle. Audit staff at Ernst & Young can then use the transaction cycle templates to depict the various business processes for an audit client. The templates include a description of the transaction cycle including the activities in the process, control over these activities, and the flow of information through the cycle. It is the responsibility of the auditor to clearly document the entire business process and identify the related risks associated at each stage of the process with each control. However, we need to be cognisant of the risk related to using templates of narratives for businesses that have unique business process that cannot fit into a particular template. When choosing a form of documentation, auditors also need to keep in mind the overall objective for audit firms to perform an effective and efficient audit. 5.0 Conclusion Since documentation is crucial to professionals, it is important for auditors to obtain a solid understanding of the key business processes of a business so that they can provide effective documentation. This will enable auditors to meet the audit guidelines and perform effective audits, as well as comply with management goals for presenting the business process. This means that professionals need to understand different documentation methodologies, so that they can accurately depict a business process. This includes understanding the limitations of each of the aforementioned methodologies so that various approaches can be combined if necessary to meet the user’s needs. This includes effective methods of combining narrative and diagrammatic documentation in order to best represent a business process. Thus, professionals are constantly required to learn new conventions and tools and update their documentation techniques to meet the various needs of the profession. 20 | P a g e Bibliography Bellehumeur, A. (2012). Everybody Loves Documentation. Retrieved June 22, 2014, from ISACA Journal - Past Issues: http://www.isaca.org/Journal/Past-Issues/2012/Volume4/Documents/12v4-Everybody-Loves-Documentation.pdf Boritz, E. J., Borthick, F. A., & Presslee, A. (2010, September 15). UWCISA - University of Waterloo Centre for Information Integrity and Information Systems Assurance. Retrieved June 11, 2014, from Narrative versus Diagrams: The Impact of Alternative Business Process Representations on Auditor Risk and Control Assessments: http://accounting.uwaterloo.ca/uwcisa/resources/Business%20Process%20Modeling%20 Sept%2015%20jeb-1.pdf Carnaghan, C. (2005, September). UWCISA. Retrieved June 11, 2014, from Business Process Modelling Approaches in the Context of Process Level Audit Risk Assessment: An Analysis and Comparison: http://accounting.uwaterloo.ca/uwcisa/symposiums/symposium_2005/Carnaghan.pdf CPA Canada. (2014, May 30). CPA Canada Handbook - Assurance. Retrieved June 22, 2014, from Knotia.ca: http://edu.knotia.ca.proxy.lib.uwaterloo.ca/knowledge/Home.aspx?productid=1 Deloitte LLP. (n.d.). Deloitte. Retrieved June 8, 2014, from Documenting internal control over financial reporting: http://www.deloitte.com/view/en_CA/ca/services/ceocfocertification/dd736aeff60fb110V gnVCM100000ba42f00aRCRD.htm Geerts, G. L., & McCarthy, W. E. (n.d.). Using Object Templates from the REA Accounting Model to Engineer Business Processes and Tasks. Retrieved June 23, 2014, from Michigan State University: https://www.msu.edu/user/mccarth4/G&M-maintext.htm Holon Institute of Technology. (n.d.). System Flowcharts. Retrieved June 15, 2014, from Holon Institute of Technology Website: http://www.hit.ac.il/staff/leonidM/informationsystems/ch37.html IBM Corporation. (2005). Business Processes. Retrieved June 22, 2014, from IBM: http://publib.boulder.ibm.com/infocenter/dmndhelp/v6rxmx/index.jsp?topic=/com.ibm.w bit.help.bpel.ui.doc/concepts/cunder.html 21 | P a g e Knowledge Based Systems Inc. (2010). IDEF0 Function Modeling Method. Retrieved June 23, 2014, from Integrated DEFinition Methods: http://www.idef.com/IDEF0.htm Romney, M. B., & Steinbart, P. J. (2012). PowerPoint Presentations. Retrieved June 15, 2014, from Pearson: Accounting Information Systems Eleventh Edition: http://wps.prenhall.com/bp_romney_ais_11/86/22157/5672264.cw/index.html Sayana S., A. (n.d.). ISACA Journal. Retrieved June 11, 2014, from The Necessity of Documentation: http://www.isaca.org/Journal/Past-Issues/2002/Volume-3/Pages/TheNecessity-for-Documentation.aspx Schultz, M., & Mueller-Wickop, N. (2013). Towards Auditors' Preferences on Documentation Formats in Business Process Audits. Retrieved June 22, 2014, from http://www.wiso.unihamburg.de/fileadmin/wiso_fs_wi/Publikationen/Modellierung_2014_Towards_Auditors __Preferences_on_Documentation_Formats_in_Business_Process_Audits.pdf Sybase. (2012, January 30). Data Flow Diagram (DFD). Retrieved June 23, 2014, from Sybase: http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc38088.1610/ doc/html/rad1232026266129.html Visual Paradigm. (n.d.). Business Process Modelling Diagrams. Retrieved June 23, 2014, from VP Gallery: http://www.visual-paradigm.com/VPGallery/bpmodeling/ 22 | P a g e
