SAMPLE OF BUSINESS PROCESS AND CONTROLS DOCUMENTATION

[Process flow diagram: Compensation Change process. Labelled steps: 1.1 Compensation Change Request; 1.1.1 New Employee or Existing Employee; 1.3 HR Compensation Approval Process; 1.4 Employee Supervisor Compensation Change Approval; 1.4.1 Salary Threshold; 1.5 HR Salary Evaluation; 1.6 Rejection Notification; 1.7 Guideline Exception Process; 1.8 Sr. Mgt. Approvals; 1.9 HR System Update; 2.0 Compensation Management System Update; 2.1 Payroll System Update; Close General Ledger; Compensation System Change Complete. Other labels on the diagram: Compensation Change Request Form, Employee Enrollment Requisition, Salary Evaluation Guidelines, Sample Sr. MGT Exception Finance Oversight Policy Report 1, Meeting Notes, RunBook, ERP System, GL System, Secure data transfer, Inputs to General Ledger.]

Instructions to Run Activity and Control Reports:

Activity Description Table:
1. Use Control Key to select all Activity objects (Process Activity, Parent Process, Decision and Termination objects [Box, Double Bar Box, Diamond, Ellipse]).
2. Go to Top Toolbar, click on “Tools”, “Reports”, and check the box for “Drawing Specific Reports”.
3. Highlight the “Activity Description Table” report.
4. Select Run and output to either HTML or EXCEL.
5. Save As [Activity Report Name] in your desired folder.

Controls Table:
1. Use Control Key to select all Control Objects (Control Objects, Documents, Data Objects [Left Triangle, Paper Symbol…]).
2. Select Tools; Reports; Drawing Specific Reports; Controls Report Table; Run.
3. Save as your Controls title in your own file location.

VISIO SHAPES AND CUSTOM PROPERTIES FOR EVIDENCE OF PROCESS CONTROLS

Name*: Description*

Process Title (Date:, Affirmation Team:): Document Title, Scope, Revision, Release Date, Editors, Affirmation Team. Always Sequence 0.0.

Parent Process (indicates another process diagram): Reference to other process documents and to full processes outside of the scope of the current document. Part of processes sequence.

Identifies process activity, noting control issues and potential gaps, owners and event sequence. Part of processes sequence.

#.# Decision: Decision point and criteria for movement. Part of processes sequence.

Grouping Box: Grouping allows representation of simultaneous events. Sequence should parent child the sub group of activities.

Loop Limit: Loop limits usually reflect key controls.

Data Management: What data is used, how it is classified, retained, transferred, accessed.

Name*: Description*

List of external documents used to complete process, status of use in controls evidence, creation frequency, description of use. Sequence is always 9.9 so that all data sources are clustered to the bottom of the process report.

Trigger and Exit criteria: Exit and entrance criteria for movement from one activity to the next. Where criteria for movement are monitored by a system and are critical to control activity, this should be filled in. Where this is true, there would be an expected control. Sequence is always 0.1 so that all triggers and exit criteria are clustered to the top of the process report.

Control Documentation Object: Drop down menu choices include common language for defining controls as expressed by ISACA, PCAOB, PwC, E&Y, KPMG, Deloitte and SANS. Information entered in this area is available to controls reporting for this process. The sequence is used to align the control to the associated activities that use this control. Where a control is used in multiple instances, it need only be described once and then mentioned on the activity object. When a control is inadequate, the issue is identified in the GAP commentary of the activity needing more stringent control. This forces the relative risk of the control gap to be evident to the viewer and writer.

Database name and DBA/SA owners. Sequence is always 9.8 so that all Database data sources are clustered to the bottom of the process report.

Reporting on Activity and then on Control allows the process of documenting the flow to also serve as written summary of the activity and its controls.

SAMPLE REPORT OUTPUT BASED ON SAMPLE VISIO PROCESS – ENTIRELY FICTITIOUS

Activity table

Columns: Sequence; Activity; Owner; Activity description; Associated controls; Gap or control issues; Affirmation criteria.

Sequence 1.1. Activity: Compensation change request. Owner: Human resources.
  Activity description: Fill in all required fields on the "title here" compensation change form.
  Associated controls: Access to change form restricted to managers: compensation request not accepted unless through a form.
  Gap or control issues: User requesting their own pay raise.

Sequence 1.1.1. Existing employee or new.
  Change to existing compensation values is within this process.

Sequence 1.3. Activity: Approval process. Owner: Human resources.
  Activity description: Approval process involves selecting all areas met that support approval with note of whose authority request was approved. Upon submitting the "approved" button, the form sends automatic notification to the employee manager with details of compensation change.
  Associated controls: Known associated controls are....
  Gap or control issues: Subjective determination of personnel review could allow an employee bonus or change without evidence of proper employee review. Lack of time based checking mechanism to determine age of most recent personnel review.

Sequence 1.4. Activity: Employee supervisor approval. Owner: Employee manager.
  Activity description: Employee supervisor approval.
  Associated controls: Po7
  Gap or control issues: Documentation of standard method for approval, archiving and verification that the supervisor is making the authorization vs. a false positive in the system.

Sequence 1.4.1. Salary too high or too low.
  Established criteria for salary values applied to approval.

Sequence 1.5. Activity: Salary evaluation. Owner: Finance.
  Activity description: Evaluation of a salary based on job responsibilities and standard industry compensation benchmarks.
  Associated controls: Approved salary benchmark guidelines.
  Gap or control issues: Guidelines are not routinely updated and might become out of date.

Sequence 1.6. Activity: Rejection notification. Owner: Human resources.
  Activity description: Notification by email and system record of text including nature of refusal and rule that is violated by enacting request.
  Associated controls: Tracking legal reason or business rule that is used to refuse request.
  Gap or control issues: None.

Sequence 1.7. Activity: Guideline exception process. Owner: Human resources.
  Activity description: Notice to committee includes the criteria for exception and limits of monetary compensation, reason for request, qualifications of employee, previous compensation activity.
  Associated controls: Accounting oversight review of executive compensation 1.8a.
  Gap or control issues: Process is not presented and approved by the board of directors/ process is not backward compatible to management representation.

Sequence 1.8. Activity: Sr. Mgt. Approvals. Owner: Human resources.
  Activity description: Accounting oversight committee meets on and approves salary.
  Associated controls: Meeting announcement, quorum, archive, implemented due diligence and ethics.
  Gap or control issues: None.

Sequence 1.9. Activity: HR system update. Owner: Human resources.
  Activity description: HR representative [input details in process here].
  Associated controls: Form controls: policy controls.
  Gap or control issues: Reconciliation report to prove ERP systems have received and recorded all changes/ form restriction where approval is not in system record.

Sequence 2. Activity: Compensation management system update. Owner: Payroll.
  Activity description: Fill in all required fields to complete compensation management change request: submit approved change.
  Associated controls: Access to change form restricted to managers: compensation request not accepted unless through form: all fields form validated prior to submit.
  Gap or control issues: None.

Sequence 2.1. Activity: Payroll system update. Owner: Payroll.
  Activity description: Payroll record change sent to ADP: general ledger reflects new debit amounts based on compensation costs.
  Associated controls: Data transfer security, confirmation of send, reconciliation of posted changes and approved changes.
  Gap or control issues: Inadequate testing of the reconciliation report: inadequate security on the backend of tables containing salary compensation data.

SAMPLE OF CONTROL TABLE:

Controls. Fields recoverable for each row: Control Activity; Control Name; Description of Control.
[The table's remaining columns are printed as rotated text and are not legible here.]

Control Activity 1.1. Control Name: Compensation Change Tracking - Refuse Verbal Compensation Change Requests.
  Description of Control: Refuse requests outside of request form.

Control Activity 1.3. Control Name: Manager Assignment.
  Description of Control: Manager name is automatically populated at user login by mapping against ID and PeopleSoft employee record.

Control Activity 1.4. Control Name: Approval Routing by Registered Manager.
  Description of Control: Employee compensation change is routed to HR system validated current manager.

Control Activity 1.4. Control Name: Salary Threshold form based routing.
  Description of Control: Prevents the manager from over compensating and manages uniform application of guidelines across all requests.

Control Activity 1.5. Control Name: Salary Guideline Exception Report.
  Description of Control: Metrics on the percentage of approved compensation change that are within Salary guidelines are evaluated to determine if managers are following instructions and if the compensation guidelines appear to be reasonable.

Control Activity 1.7. Control Name: Executive Compensation Review.
  Description of Control: Review of all salary requests to assure that no individual is permitted to earn beyond the payment guidelines as determined for executive and officers.

Control Activity 1.7. Control Name: Valid Rejection based in business rules fairly applied.
  Description of Control: Email is system generated to include exact business rule that would be violated by the request and tracking the end to end delivery of reason for rejection on compensation change. Rejection is sent to requester, not to the employee.

Control Activity 1.9. Control Name: Accurate Employee Transaction.
  Description of Control: Items in compensation change request auto populate the HR update form, prompting HR to validate changes. If information is not complete, HR system cannot update. If items are not recognized in HR records, transaction cannot complete.

Control Activity 1.9c. Control Name: Compensation Review.
  Description of Control: Monthly review of all compensation change activity and compensation dashboard.

Control Activity 2.0. Control Name: Restriction of HR to Compensation Systems.
  Description of Control: HR information is read to the compensation system, but no one in HR has access to compensation system interface.

Control Activity 2.1. Control Name: Payroll to Compensation Plan Comparison Report.
  Description of Control: Nightly reconciliation of all GL salary compensation values as compared to values in Compensation Management system.