Using Flowcharts In IT Audits Of Critical Applications

A flowchart can be extremely useful in auditing critical business applications and systems such as enterprise resource planning (ERP) systems and service-oriented architecture (SOA) systems. As IT auditors we are concerned with getting a clear understanding of the risks and controls in the technology under review. Flowcharts facilitate an accurate assessment of an IT environment.

According to Wikipedia, a flowchart is a type of diagram that represents an algorithm or process, showing the steps and the movement of data between them, usually with arrows. Flowcharts are common in many fields for analysis, design, documentation and process management.

Flowcharts are most useful to visually display business processes and the supporting technology. Auditors can focus on different aspects of data flows and infrastructure in these diagrams depending on the assessment of risks and controls.

Events that can be captured in a flowchart include data inputs from a file or database, decision points, logical processing and output to a file or report. Risks and controls in a business process can be documented visually and analyzed.

Four basic shapes are commonly used to create flowcharts. A square is used for a process (e.g. add, replace, save). A square with a wavy base is used for a document. A diamond is used for a decision point (e.g. yes/no, true/false). A sideways cylinder is used for data storage (e.g. database). These traditional shapes were originally established by IBM and other pioneers of information technology.

Additional shapes include circles, ovals and rounded rectangles for the start and end of a business process. Arrows show ‘flow control’ between a source symbol and a target symbol. A parallelogram represents input or output, e.g. data entry from a form or a display to the user.

In creating flowcharts, there are some basic rules to follow. Start and end points should be clearly defined. The level of detail documented in the flowchart should be appropriate to the subject matter covered. The creator of the flowchart should have a clear understanding of the process and the intended audience should be able to follow the flowchart easily.

Our team of IT auditors uses Microsoft Visio extensively to create flowcharts and to analyze business processes. A flowchart is usually designed with vertical columns representing the different departments or phases that make up an overall business process. Interfaces between departments, whether automated or manual connections that facilitate the business process, can also be shown.

Flowcharts can clarify the controls on data inputs, processing and outputs. Input controls may include edit and validation checks. Processing controls can be in the form of control totals or milestones. Output controls may consist of error checking and reconciliations. Such a representation on a flowchart allows an auditor to identify areas within a business process with weak or non-existent controls.
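As an added illustration (not part of the original article), the following Python script models a flowchart as the shapes described above, each annotated with the input, processing or output controls an auditor has documented, and flags the gaps an auditor would look for: an undefined start point, unreachable or dead-end symbols, decision points with a single branch, and shapes with no control of the expected type. The node kinds, the shape-to-control mapping and the invoice-entry sample are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
# Node kinds mirror the article's shapes: process, document, decision, storage,
# io (parallelogram) and start/end (oval). Controls are input/processing/output.
@dataclass
class Node:
    kind: str
    controls: set = field(default_factory=set)

def reachable(edges, start):
    # Follow the flow-control arrows outward from the start symbol.
    seen, queue = {start}, deque([start])
    while queue:
        for target in edges.get(queue.popleft(), []):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen

# Assumed mapping from shape to the control type an auditor expects on it.
EXPECTED_CONTROL = {"io": "input", "process": "processing",
                    "document": "output", "storage": "output"}
def audit_flowchart(nodes, edges):
    # Returns sorted findings: broken flowchart rules and shapes lacking controls.
    findings = []
    starts = [n for n, nd in nodes.items() if nd.kind == "start"]
    if len(starts) != 1:
        findings.append("structure: exactly one start point required")
    seen = reachable(edges, starts[0]) if starts else set()
    for name, nd in nodes.items():
        out = edges.get(name, [])
        if starts and name not in seen:
            findings.append(f"{name}: not reachable from start")
        if nd.kind == "decision" and len(out) < 2:
            findings.append(f"{name}: decision point has fewer than two branches")
        if nd.kind != "end" and not out:
            findings.append(f"{name}: dead end, no arrow to a following symbol")
        want = EXPECTED_CONTROL.get(nd.kind)
        if want and want not in nd.controls:
            findings.append(f"{name}: no {want} control documented")
    return sorted(findings)

# Constructed sample: an invoice-entry flow with two undocumented controls.
SAMPLE_NODES = {"Start": Node("start"), "Enter invoice": Node("io", {"input"}),
                "Valid?": Node("decision"), "Post to ledger": Node("process"),
                "Invoice register": Node("storage", {"output"}),
                "Reject notice": Node("document"), "End": Node("end")}
SAMPLE_EDGES = {"Start": ["Enter invoice"], "Enter invoice": ["Valid?"],
                "Valid?": ["Post to ledger", "Reject notice"], "Reject notice": ["End"],
                "Post to ledger": ["Invoice register"], "Invoice register": ["End"]}
```

Running `audit_flowchart(SAMPLE_NODES, SAMPLE_EDGES)` reports the missing control total on the posting step and the missing reconciliation on the reject notice, the same gaps a reviewer would circle on the printed diagram.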

An example of technology that can be understood through flowchart analysis is enterprise resource planning software such as Oracle E-Business Suite and SAP. Input controls are set through specific ‘rules’ to ensure the validity of data. Process controls are applied to high-risk functions, transactions or forms. Output controls consist of reports and reconciliations.

Another example of complex technology that can be understood through flowcharts is service-oriented architecture (SOA). This architecture consists of many web and software components that are integrated to connect service providers with service consumers. ‘Web services’ support specific business processes. Each of these web services will generally have controls on data inputs, processing and output. The flowchart is essential for understanding such web services and their integration in a broader environment, usually through an Enterprise Service Bus (ESB).

In conclusion, a flowchart can be used by IT auditors to analyze a business process. Different aspects of the process can be emphasized, such as risks, controls, interfaces, decision points, technology infrastructure and components. The famous expression that a picture is worth a thousand words holds true here. A flowchart can capture essential points that text alone cannot easily match. We encourage the IT audit, risk and control communities to use this powerful tool in performing their respective functions.

References:
Wikipedia. ‘Flowchart’.
Microsoft. Visio ‘Help and How-to’ articles.
IBM Redbooks. ‘Understanding SOA Security Design and Implementation’.