E.14 Flowcharting documentation standards

  1. This procedure outlines the overall approach, format, use of symbols, and general documentation standards that Practice Review and Internal Audit (PRIA) will use to document the activity’s major control systems. This procedure is intended to reduce total audit time in the long term. While there is an initial time investment on the front end, subsequent audit time will be reduced to an updating process with limited transaction testing where controls are adequate and have not changed.

  2. Please note that Excel or the standard software package (Visio) used in the Office of the Auditor General of Canada (Office) is presumed to be used for most flowcharting, but occasional use of short manual flowcharts may be efficient in some circumstances. Also, keep in mind that other methods of documentation or combinations thereof may be appropriate; e.g. narratives, matrices, etc.

  3. Major transaction processing systems are defined as transaction groups or cycles. For example:

    1. revenue/billing/receivables/collection
    2. purchasing/receiving/accounts payable/disbursements
    3. payroll/time reporting/payment
    4. production reporting/inventory control
    5. capital asset acquisition, depreciation/amortization/disposal
    6. maintenance scheduling, job management, reporting

  4. The primary purpose of internal audit flowcharting is to identify the key control attributes—those attributes that achieve control objectives in order to assess their adequacy and plan testing of their effectiveness, or to determine where additional information is needed. Flowcharting can efficiently point out cases of under/over control in relation to cost, risk, and processing redundancy. The Office’s external and internal auditing will all benefit after major control and transaction processing systems are documented on their transaction flow and key control points. Such documentation can also be useful in communicating strengths and weaknesses to management.

  5. As an alternative to internal control flowcharting, certain internal audit engagements, particularly consulting ones, may require going well beyond internal controls into more detailed process areas to study work flows, efficiency, duplication, etc. It is important, particularly in communicating to management, to clarify whether it is an internal control flowchart or a more detailed process one in order to prevent misreading.

  6. Internal control flowcharts created by PRIA will highlight, among others, the five general control objectives a system should incorporate to provide reasonable assurance that information is reliable, accurate, and complete, and that controls are adequate to support the attainment of management objectives. These control objectives are:

    1. Authorization—Transactions are authorized by a person with the appropriate level of knowledge and authority to judge whether they are executed in conformity with management's intentions.

    2. Recording—All authorized transactions, including statistics, units, values, etc., are recorded in the appropriate records, accounts, sub-accounts, and operating or accounting period.

    3. Safeguarding—Responsibility for physical custody of assets, security of intellectual property, and security of business information is assigned to specific personnel who are independent of related recordkeeping functions.

    4. Reconciliation—Records are regularly compared with related assets, documents, control accounts, or other reliable comparable data.

    5. Valuation—Recorded values are reviewed for impairment in value (both quality and economic). Write‑downs, allowances, or other adjustments are recorded as appropriate to ensure accurate management data and conformance with Canadian public sector accounting standards.

  7. To promote efficiency and uniformity in the preparation of flowcharts and facilitate the review process, a standard format has been developed. General flowcharting guidelines, flowcharting quality assurance review, and specific flowcharting practices follow. Flowcharts prepared by PRIA should be prepared in accordance with the conventions and documentation provided. Flowcharts should also be prepared logically, concisely, and clearly.

General Flowcharting Guidelines

  1. Clarity and simplicity in presentation are essential. Mistaken use of extreme detail may tend to conceal rather than expose key points. Complexities, such as exception controls, can be better explained in attached memoranda. However, narrative explanations should be kept brief and in point form. In most cases, the combination of the flowchart and a narrative description tends to be far superior to either document alone.

  2. Only transactions/documents with control significance should be shown (i.e. control over authorization, recording, safeguarding, reconciliation, and valuation). This can generally be accomplished by including only those activities within an application where data, transactions, or materials are initialized, changed, or transferred to other departments. For a process to be flowcharted, it must be broken down into its component parts, namely actions and decisions. Also, the name(s) and position(s) of the people performing the transactions should be indicated for each action. The names of each document should also be included within the document symbols.

  3. The auditor usually obtains the information necessary for preparing or updating flowcharts by interviewing personnel about procedures followed by reviewing procedure manuals, existing flowcharts, and other system documentation, and by observing operating and administrative processes. Sample documents are collected and each department involved is questioned about its specific actions and duties. Inquiries can be made concurrently with the performance of transaction reviews, particularly when flowcharts are being updated.

Flowcharting Quality Assurance Review

  1. The internal auditors' findings on control procedures and preliminary conclusions/suggestions for improvement should be tested by a walk‑through or test of transactions and written up in the working papers. Because those who use a system know it best, the auditor should ask those personnel to review and comment on the accuracy of the flowcharts.

  2. Flowcharts should be reviewed by supervisory personnel after responsible site personnel have reviewed them. Flowcharts may be shared with other users. They may also be used for subsequent audit planning procedures.

Specific Flowcharting Practices

  1. To ensure completeness and consistency, the specific internal control objectives must be documented when flowcharting a transaction processing system.

  2. The flowchart should specify the specific internal control points using a large arrow. These control points should be cross‑referenced to the specific control objectives.

  3. Symbols and flow lines should be limited to the nine symbols and one line contained in an area on the chart.

  4. Use the flowcharting standard header (FCHEADER.FCD) as a starting point when preparing your flowchart. Sign, date, and document the flowchart as to cycle/title, segment, location, and file number. The file number should correspond to the audit project number and page of the flowchart.

  5. Start the flowchart in the upper left‑hand corner of the screen and work toward the lower right‑hand corner.

  6. The flowchart begins with the inception of the transaction and ends with its recording to the appropriate operating and/or accounting record, including the general ledger. Indicate with a terminal symbol where processing starts and stops.

  7. The individual and department responsible for each flowchart step should be indicated at the top of the appropriate symbol.

  8. Use action verbs in the flowchart to save space.

  9. Use oversized symbols if the information will not fit within the standard‑sized symbols.

  10. Use connector symbols rather than drawing lines around or over parts of the flowchart.

Last modified:
2018-02-21