Process Documentation and Walkthrough
Once the processes (including IT processes) that impact financial reporting are identified, they must be documented to describe their purpose, control objectives and control activities to achieve those objectives. During initial implementation, this is the most labor intensive phase of the effort. During subsequent years, the level of effort is significantly reduced, but documentation should be updated to ensure that it continues to accurately reflect actual processing and address evolving risks.
This phase requires extensive collaboration among the Company’s Process Owners (management responsible for the functional area) and the implementation team (individuals that will help document the processes to effectively comply with SOX). The Process Owners (and designated team members) provide the knowledge of how their departments operate: the purpose, inputs, outputs, systems, reports, transactional activities, key players, etc. The Precipio Group’s expertise will help the implementation team identify the Control Objectives for each function and activity, and define the Control Activities that are in place (or might be put into place) to achieve those objectives. Control Objectives are the “goals” of the department to ensure that the activities they perform contribute to accurate financial reporting. The Control Activities are the steps taken by Management to ensure that those objectives are being met, and are the subject of audit testing that will be performed to support Management’s (and external auditors’) assessment regarding the effectiveness of internal controls over financial reporting.
The documentation can take many forms, depending on the size of the organization, relative importance of various functions, availability of resources and Management’s philosophy and style. Typically, processes are described in some combination of flowcharts and narratives. Control Objectives and Control Activities are most effectively documented by some form of a matrix that associates the objectives with controls.
The Precipio Group will be happy to discuss with you the pros and cons of various options, and develop a documentation methodology appropriate for your organization. This includes the documentation of IT processes.
The Walkthrough is simply a confirmation of process documentation. Basically, it is a test of a sample of one. To confirm that the documentation accurately reflects the actual processing, that systems, reports, personnel and transactions are accurately referenced and that personnel fully understand their role, the implementation team and auditors perform a Walkthrough of the critical functions and document the results. If necessary, documentation will be revised to reflect actual processing (or perhaps the processing might need to be modified to conform to documentation). Ideally, an activity is walked-through in real time – that is, the auditor observes the activity as it is being performed. When this is not practical, the auditor will review evidence of an activity that was performed in the past. (This is common for activities that are performed quarterly or annually.)
The Precipio Group will assist you in the design of Walkthrough documentation as well as the coordination of, preparation for, and execution of Walkthrough procedures. Since complications and delays can occur if Walkthrough activities deviate significantly from the process documentation, preparation (often including a “dry run”) is a valuable use of time prior to the auditor visit.