A flowchart can be an effective tool for auditing critical business systems and applications such as enterprise resource planning systems (ERP) and service oriented architecture (SOA) systems. Our objective as IT auditors is to get a clear view of the risks and controls in the technology being reviewed.
Wikipedia defines a flowchart as a type of diagram that represents an algorithm or process that shows data and its movement usually with arrows. The flowchart is used widely for analysis, design, documentation and process management.
Auditors can use flowcharts to visually display business processes and the supporting technology. Different aspects of data flows and infrastructure can be emphasized depending on the risks and controls being reviewed.
Events that can be captured in a flowchart include data inputs from a file or database, decision points, logical processing and output to a file or report. Risks and controls in a business process can be documented visually and analyzed.
The traditional shapes used in flowcharts were developed long ago by IBM and other pioneers of information technology. The four basic shapes that are widely used are the square, used for a process (e.g. add, replace, save); a square with a wavy base, used for a document; a diamond, used for a decision point (e.g. yes/no, true/false); and a sideways cylinder, used for data storage (e.g. database).
Other important symbols are start and end symbols represented by circles, ovals or rounded rectangles. Arrows are used to show ‘flow control’ where control passes from a source symbol to a target symbol. A parallelogram is used to represent input and output e.g. data entry from a form, display to user.
In creating flowcharts, there are some basic rules to follow. Start and end points should be clearly defined. The level of detail documented in the flowchart should be appropriate to the subject matter covered. The creator of the flowchart should have a clear understanding of the process and the intended audience should be able to follow the flowchart easily.
In our experience as IT auditors, Microsoft Visio is the best tool for creating flowcharts and analyzing business processes. There are usually vertical columns representing different phases that are part of an overall business process. Interfaces between departments that are automated or manual can be shown.
Flowcharts can also be used to clarify controls on data inputs, processing and outputs. Input controls may consist of edit and validation checks. Processing controls may consist of control totals or milestones. Output controls may consist of error checking and reconciliations. An auditor can then identify areas within a business process with weak or non-existent controls.
An example of technology where flowchart analysis is especially useful is enterprise resource planning software such as Oracle e-Business Suite and SAP. There are input controls made up of specific ‘rules’ to ensure the validity of data. There are process controls on high-risk functions, transactions or forms. There are output controls such as reports and reconciliations.
Another example of complex technology that can be understood through flowcharts is service oriented architecture (SOA). This architecture consists of many web and software components that are integrated to connect service providers with service consumers. ‘Web services’ support specific business processes. Each of these web services will generally have controls on data inputs, processing and output. The flowchart is essential to understand such web services and their integration in a broader environment usually through an Enterprise Service Bus (ESB).
In conclusion, a flowchart can be used by IT auditors to analyze a business process. Different aspects of the process can be emphasized such as risks, controls, interfaces, decision points, technology infrastructure and components. The famous expression of a picture is equal to a thousand words is accurate. A flowchart can capture essential points that verbiage and text cannot easily match. We encourage the IT audit, risk and control communities to use this powerful tool in performing their respective functions.