Using Flowcharts In IT Audits Of Critical Applications

A flowchart can be extremely useful in auditing critical business applications and systems such as enterprise resource planning (ERP) systems and service oriented architecture (SOA) systems. As IT auditors, we are concerned with getting a clear understanding of the risks and controls in the technology under review. Flowcharts facilitate an accurate assessment of an IT environment.

According to Wikipedia, the basic definition of a flowchart is a type of diagram that represents an algorithm or process that shows data and its movement usually with arrows. The use of flowcharts is common in many fields for analysis, design, documentation and process management.

Flowcharts are most useful to visually display business processes and the supporting technology. Auditors can focus on different aspects of data flows and infrastructure in these diagrams depending on the assessment of risks and controls.

Events that can be captured in a flowchart include data inputs from a file or database, decision points, logical processing and output to a file or report. Risks and controls in a business process can be documented visually and analyzed.

Four basic shapes are commonly used to create flowcharts. A square is used for a process (e.g. add, replace, save). A square with a wavy base is used for a document. A diamond is used for a decision point (e.g. yes/no, true/false). A sideways cylinder is used for data storage (e.g. database). These traditional shapes were originally established by IBM and other pioneers of information technology.

Additional shapes include circles, ovals and rounded rectangles for the start and end of a business process. Arrows show ‘flow control’ between a source symbol and a target symbol. A parallelogram represents input and output (e.g. data entry from a form, display to user).

In creating flowcharts, there are some basic rules to follow. Start and end points should be clearly defined. The level of detail documented in the flowchart should be appropriate to the subject matter covered. The creator of the flowchart should have a clear understanding of the process and the intended audience should be able to follow the flowchart easily.

Our team of IT auditors uses Microsoft Visio extensively to create flowcharts and to analyze business processes. A flowchart is usually designed with vertical columns representing different departments or phases that are part of an overall business process. Interfaces between departments, whether automated or manual connections that facilitate the business process, can also be shown.

Flowcharts can clarify the controls on data inputs, processing and outputs. Input controls may include edit and validation checks. Processing controls can be in the form of control totals or milestones. Output controls may consist of error checking and reconciliations. Such a representation on a flowchart allows an auditor to identify areas within a business process with weak or non-existent controls.
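As an added illustration (not part of the original article), the sketch below treats a flowchart as a graph and walks it the way an auditor would, flagging input, processing and output steps with no documented control, and checking the basic rules that start and end points are defined and every step is connected. The step names, the `FLOW` data and the `audit_flowchart` function are hypothetical and constructed for this example.

```python
from collections import deque

# Control an auditor expects to see documented at each kind of step.
EXPECTED = {"input": "input control", "process": "processing control",
            "output": "output control"}

# Constructed sample flowchart: step -> (kind, documented controls, next steps).
FLOW = {
    "start": ("start", [], ["enter_invoice"]),
    "enter_invoice": ("input", ["edit and validation checks"], ["approve?"]),
    "approve?": ("decision", [], ["post_to_ledger", "end"]),
    "post_to_ledger": ("process", [], ["payment_report"]),
    "payment_report": ("output", ["reconciliation"], ["end"]),
    "archive": ("process", ["control totals"], ["end"]),
    "end": ("end", [], []),
}

def audit_flowchart(flow):
    """Return (step, finding) pairs for weak or missing controls and structure."""
    findings = []
    starts = [n for n, (kind, _, _) in flow.items() if kind == "start"]
    ends = [n for n, (kind, _, _) in flow.items() if kind == "end"]
    if len(starts) != 1 or not ends:
        return [("structure", "start and end points must be clearly defined")]
    seen, queue = {starts[0]}, deque(starts)
    while queue:  # breadth-first walk along the arrows
        node = queue.popleft()
        kind, controls, targets = flow[node]
        if kind in EXPECTED and not controls:
            findings.append((node, f"no {EXPECTED[kind]} documented"))
        if kind == "decision" and len(targets) < 2:
            findings.append((node, "decision point has fewer than two outcomes"))
        for target in targets:
            if target not in flow:
                findings.append((node, f"arrow to undefined step {target!r}"))
            elif target not in seen:
                seen.add(target)
                queue.append(target)
    for node in flow:
        if node not in seen:
            findings.append((node, "step is not reachable from the start"))
    if not any(end in seen for end in ends):
        findings.append(("structure", "no end point is reachable from the start"))
    return findings

if __name__ == "__main__":
    for step, finding in audit_flowchart(FLOW):
        print(f"{step}: {finding}")
```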

An example of technology that can be understood through flowchart analysis is enterprise resource planning software such as Oracle e-Business Suite and SAP. Input controls are set through specific ‘rules’ to ensure the validity of data. Process controls are applied to high-risk functions, transactions or forms. Output controls consist of reports and reconciliations.

Another example of complex technology that can be understood through flowcharts is service oriented architecture (SOA). This architecture consists of many web and software components that are integrated to connect service providers with service consumers. ‘Web services’ support specific business processes. Each of these web services will generally have controls on data inputs, processing and output. The flowchart is essential to understand such web services and their integration in a broader environment usually through an Enterprise Service Bus (ESB).

In conclusion, a flowchart can be used by IT auditors to analyze a business process. Different aspects of the process can be emphasized, such as risks, controls, interfaces, decision points, technology infrastructure and components. The famous expression that a picture is equal to a thousand words is accurate. A flowchart can capture essential points that verbiage and text cannot easily match. We encourage the IT audit, risk and control communities to use this powerful tool in performing their respective functions.

Wikipedia. ‘Flowchart’.
Microsoft Visio ‘Help and How-to’ articles.
Understanding SOA Security Design and Implementation. IBM Redbook.

UML Diagrams As A Tool For A Software Development Team

As we progress into the 21st century, our reliance on computer and information systems to facilitate business is greater than ever before. The global market is much too convoluted and relentless to be run on manpower and note-taking alone; software systems are crucial to a company when handling large amounts of data processing, customer transactions, or client databases. As such, their development and maintenance has become a key component in successful company operations.

To structure, plan, and control the development of these systems, a software development life cycle (SDLC) is developed and adhered to. Different methodologies have evolved to be applied for different purposes, based on technical, organizational, project and team needs, but generally all will use some combination of the following stages:

• Problem analyzing
• Market research
• Requirements analysis
• Design
• Implementation (coding)
• Testing
• Deployment
• Maintenance and bug fixing

How strictly this order is followed, and what level of planning and documentation is reached, will depend on the requirements of the business and capabilities of the software. A ‘waterfall’ approach to the SDLC would see each of these stages carried out in linear order, with detailed planning and risk assessment before coding is even begun. The ‘agile’ approach involves a lot less planning and documentation, and focuses more on coding and continuous re-testing, ideal for a smaller system, or one where new components are being added as an ongoing process.

Modeling software development using UML diagrams

While going through each stage of the SDLC, it can be useful, and necessary, to produce a visual model of that process. A diagram of this kind presents a graphical view of a software system’s structure, components and relationships, which allows the designer to organize and predict certain outcomes, as well as share system information with collaborators and clients.

The accepted standard used when modeling a system is known as Unified Modeling Language (UML), a generic set of notations that are used when creating UML diagrams. These notations can visually represent requirements, subsystems, logical and physical elements, and structural and behavioral patterns, that are especially relevant to systems built using an object-oriented style.

Using UML during the modeling process has a number of benefits – for one, the entire development team can share information and collaborate using common language, diagrams and software, something that’s not possible when using a more task-specific programming language. It allows team members to create system ‘blueprints’, creating diagrams that show the system as a unified whole, but also allowing the option to break that system down into component parts or processes.

Currently on version 2.5, UML supports 14 different diagram techniques that are seen as industry standard. These diagrams are broadly divided into two categories: first are static structure diagrams, which describe the physical structure of a system. Then there are behavior diagrams, which depict behaviors and interactions of various system components. Here is a brief description of what each diagram is and how it can be applied:

Static structure diagrams

Class diagrams – divides objects into ‘classes’, i.e. parts that share common attributes. Class defines the methods and variables of that object, and diagrams depict relationships and source code dependencies between them.

Component diagrams – displays system components (physical or logical), interfaces and ports, and the connections between them. Allows analysts to replace and system check individual parts rather than designing the process from scratch.

Composite structure diagrams – shows the internal structure of a specific class, the role each element plays in collaboration with others, and how this affects how the class interacts with outside elements.

Deployment diagrams – models the physical deployment of artefacts (software systems) on nodes (normally hardware, e.g. laptop, mobile phone). Execution environment nodes are a ‘node within a node’, a software computing resource that displays hardware characteristics.

Object diagrams – represent a system overview. Similar to a class diagram, they take a snapshot of a system structure at a particular moment in time.

Package diagrams – packages are formed when UML elements are grouped together – classes, objects, use cases, components or nodes. A package diagram shows this grouping, and dependencies between packages that make up a system. An example of use would be when modeling complex source code; packages are used to represent the different layers of code.

Profile diagrams – operates at the metamodel level to show stereotypes as classes, and profiles as packages. Allows the developer to create custom packages.

Behavior diagrams

Activity diagrams – can be said to resemble a flowchart, showing steps in a software process as a workflow. Binary choices from each step, yes/no, true/false, make this a useful medium to describe software and coding logic.

State machine diagrams – describes the current state of a machine and which values are acting upon it. It shows what actions the nodes of a software system take, dependent on explicit events.

Use case diagrams – shows an actual example of system usage. Helps define requirements for a software system, and can describe any possible form of interaction between users and that system.

Interaction diagrams

Communication diagrams – displays the interaction between objects in terms of a set of sequenced messages. It’s used to create a birds-eye view of the collaboration between several objects, for a common purpose within the system.

Interaction overview diagrams – like an activity diagram in that it shows a workflow through a system, but simplifies complex patterns by making each step a nest of interactions within the larger overview of an activity.

Sequence diagram – useful to describe object interactions in a specific time sequence. Can consist of parallel ‘life lines’ that depict an object’s state at any given moment, and the sequence of time-ordered events that affect that state. From a software perspective, developers can use this diagram to show simple run-time scenarios.

Timing diagram – depicts the behaviors of a given set of objects through a certain period of time.

5 Important Business Analyst Software Programs

Specialists in the business sector have come up with some excellent software that is meant to aid any business in analyzing its data and producing the necessary output. Here are five great programs for analyzing business information.

The first one is the PathMaker Software; the latest version is PathMaker 6.1. This program comprises a number of management tools that are generally associated with the current management and productivity of a firm. The software provides a number of organizing and management tools, which are:

• Organize your project tool

• Meeting support tool

• Flowchart tool

• Cause and effect tool

• Form design tool

• Consensus builder tool

• Force field diagram tool

• Data analyst tool

The second one is the Business Strategy Software; the software is meant to analyze and plan one’s business. It incorporates the following:

• Business insight, which makes use of major outcomes of a given analysis that are used in developing strategies to create competition within an organization.

• Quick insight, which helps the management to access a comprehensive assessment of an upcoming commodity or service; this way the management will be maximizing their chances of success prior to the general market.

The third one is the Statistics Software; this software carries out a number of prevailing statistical evaluations. It incorporates the following:

• PathMaker 6.1: as discussed above, this software has a number of strong tools that can be effectively used for statistical analyses.

• Analyze-it, which incorporates an Excel add-in; the software manipulates the spreadsheet and turns it into a strong statistical engine, while at the same time retaining the spreadsheet’s user interface. The software offers descriptive statistics, correlation and multiple linear regression functions, group comparison and ANOVA.

The fourth one is Business Process Management Software; this software is meant for documenting, simulating, re-engineering and analyzing business processes. The software incorporates the following:

• allCLEAR Flowcharter, it is an easy way to document business processes

• Mindjet MindManager 6 Basic, used for planning, sharing, organizing, and visual brainstorming.

• allCLEAR Analyzer, incorporates allCLEAR Flowcharter, in addition it makes use of sophisticated processing analysis tools.

• Mindjet MindManager 8 Pro, aids in organizing, visualizing, and communicating ideas, info, and tasks.

• Microsoft Visio 2007 Standard, meant to design and distribute flow charts.

The fifth one is Quality Management Software; this software is meant for handling the business management in the most effective manner. It incorporates:

• PathMaker

• ISOlutioner, it is used to develop quality manuals effectively.

These are just a few of the choices available out of the multitude of business analysis software programs. This should, however, give you an idea of what is available to fit your needs.