
Sample of Business Process and Controls Documentation

The document provides a sample of business process and controls documentation using Visio shapes and custom properties. It outlines a compensation change request process with various approval steps and system updates. Key elements include activity descriptions, controls, documents, decisions, and triggers/exit criteria to evidence controls and the flow of the process. Custom properties on the Visio shapes provide fields to document control details at each step.

Uploaded by

Cindy Krokova
Copyright
© Attribution Non-Commercial (BY-NC)

SAMPLE OF BUSINESS PROCESS AND CONTROLS DOCUMENTATION

[Process flow diagram: Compensation Change. Trigger: Need for compensation change (Compensation Change Request Form). Activities and decisions shown: 1.1 Compensation Change Request; 1.1.1 New Employee or Existing Employee (Refer to New Employee Process); 1.3 Approval Process; 1.4 Employee Supervisor Approval (Supervisor signoff); 1.4.1 Salary Threshold; 1.5 HR Salary Evaluation; 1.6 Rejection Notification; 1.7 Guideline Exception Process; 1.8 Sr. Mgt. Approvals; 1.9 HR System Update; 2.0 Compensation Management System Update; 2.1 Payroll System Update. Exit: Compensation Change Complete. Other labels on the diagram include: Manager and Employee notified of compensation change; Employee compensation adjusted in HR records; Secure data transfer; Inputs to General Ledger; ERP System RunBook; General Ledger System RunBook.]

Instructions to Run Activity and Control Reports:

Activity Description Table:
1. Use Control Key to select all Activity objects (= Process Activity, Parent Process, Decision and Termination objects [Box, Double Bar Box, Diamond, Ellipse]).
2. Go to the top toolbar and click on “Tools”, “Reports” and check the box for “Drawing Specific Reports”.
3. Highlight the “Activity Description Table” report; select Run and output to either HTML or EXCEL; Save As [Activity Report Name] in your desired folder.

Controls Table:
1. Use Control Key to select all Control Objects (= Control Objects, Documents, Data Objects [Left Triangle, Paper Symbol…]).
2. Select Tools; Reports; Drawing Specific Reports; Controls Report Table; Run; save as your Controls title in your own file location.
VISIO SHAPES AND CUSTOM PROPERTIES FOR EVIDENCE OF PROCESS CONTROLS

Name* / Description*

Process Title (shape fields: Date:, Affirmation Team:): Document Title, Scope, Revision, Release Date, Editors, Affirmation Team. Always Sequence 0.0.

Parent Process (indicates another process diagram): Reference to other process documents and to full processes outside of the scope of the current document. Part of processes sequence.

Identifies process activity, noting control issues and potential gaps, owners and event sequence. Part of processes sequence.

#.# Decision: Decision point and criteria for movement. Part of processes sequence.

Grouping Box: Grouping allows representation of simultaneous events. Sequence should parent child the sub group of activities.

Loop Limit: Loop limits usually reflect key controls.

Data Management: What data is used, how is it classified, retained, transferred, accessed.

List of external documents used to complete process, status of use in controls evidence, creation frequency, description of use. Sequence is always 9.9 so that all data sources are clustered to the bottom of the process report.

Trigger and Exit criteria: Exit and entrance criteria for movement from one activity to the next. Where criteria for movement is monitored by a system and is critical to control activity, this should be filled in. Where this is true, there would be an expected control. Sequence is always 0.1 so that all triggers and exit criteria are clustered to the top of the process report.

Control Documentation Object:

Drop-down menu choices include common language for defining controls as expressed by ISACA, PCAOB, PwC, E&Y, KPMG, Deloitte and SANS. Information entered in this area is available to controls reporting for this process. The sequence is used to align the control to the associated activities that use this control. Where a control is used in multiple instances, it need only be described once and then mentioned on the activity object. When a control is inadequate, the issue is identified in the GAP commentary of the activity needing more stringent control. This forces the relative risk of the control gap to be evident to the viewer and writer.

Database: Database name and DBA/SA owners. Sequence is always 9.8 so that all data sources are clustered to the bottom of the process report.

Instructions to run reports:

Reporting on Activity and then on Control allows the process of documenting the flow to also serve as written summary of the activity and its controls.

Activity Description Table:
1. Use Control Key to select all Activity objects (= Process Activity, Parent Process, Decision and Termination objects [Box, Double Bar Box, Diamond, Ellipse]).
2. Go to the top toolbar and click on “Tools”, “Reports” and check the box for “Drawing Specific Reports”.
3. Highlight the “Activity Description Table” report.
4. Select Run and output to either HTML or EXCEL.
5. Save As [Activity Report Name] in your desired folder.

Controls Table:
1. Use Control Key to select all Control Objects (= Control Objects, Documents, Data Objects [Left Triangle, Paper Symbol…]).
2. Select Tools; Reports; Drawing Specific Reports; Controls Report Table; Run; save as your Controls title in your own file location.
SAMPLE REPORT OUTPUT BASED ON SAMPLE VISIO PROCESS – ENTIRELY FICTITIOUS

Activity table

Columns: Sequence; Activity title; Owner; Activity description; Associated controls; Gap or control issues; Issue; Affirmation criteria

1.1 Compensation change request
Owner: Human resources
Activity description: Fill in all required fields on the "title here" compensation change form
Associated controls: Access to change form restricted to managers: compensation request not accepted unless through form
Gap or control issues: User requesting their own pay raise

1.1.1
Issue: Existing employee or new
Affirmation criteria: Change to existing compensation values is within this process

1.3 Approval process
Owner: Human resources
Activity description: Approval process involves selecting all areas met that support approval with note of on whose authority request was approved. Upon submitting the "approved" button, the form send automatic notification to the employee manager with details of compensation change.
Associated controls: Known associated controls are....
Gap or control issues: Subjective determination of personnel review could allow an employee bonus or change without evidence of proper employee review. Lack of time based checking mechanism to determine age of most recent personnel review

1.4 Employee supervisor approval
Owner: Employee manager
Activity description: Employee supervisor approval
Associated controls: Po7
Gap or control issues: Documentation of standard method for approval, archiving and verification that the supervisor is making the authorization vs. a false positive in the system

1.4.1
Issue: Salary too high or too low
Affirmation criteria: Established criteria for salary values applied to approval

1.5 Salary evaluation
Owner: Finance
Activity description: Evaluation of salary based in job responsibilities and standard industry compensation benchmarks
Associated controls: Approved salary benchmark guidelines
Gap or control issues: Guidelines are not routinely updated and might become out of date

Activity description: Notification by email and system record of text including nature of refusal and rule that is violated by enacting request
Associated controls: Tracking legal reason or business rule that is used to refuse request
Gap or control issues: None

1.7 Guideline exception process
Owner: Human resources
Activity description: Notice to committee includes the criteria for exception and limits of monetary compensation, reason for request, qualifications of employee, management representation
Associated controls: Accounting oversight review of executive compensation 1.8a
Gap or control issues: Process is not presented and approved by the board of directors/ process is not backward compatible to previous compensation activity

1.8 Sr. Mgt. Approvals
Owner: Human resources
Activity description: Accounting oversight committee meets on and approves salary
Associated controls: Meeting announcement, quorum, archive, implemented due diligence and ethics
Gap or control issues: None

1.9 HR system update
Owner: Human resources
Activity description: HR representative [input details in process here]
Associated controls: Form controls: policy controls
Gap or control issues: Reconciliation report to prove ERP systems have received and recorded all changes/ form restriction where approval is not in system record

2 Compensation management system update
Owner: Payroll
Activity description: Fill in all required fields to complete compensation management change request: submit approved change
Associated controls: Access to change form restricted to managers: compensation request not accepted unless through form: all fields form validated prior to submit
Gap or control issues: None

2.1 Payroll system update
Owner: Payroll
Activity description: Payroll record change sent to adp: general ledger reflects new debit amounts based in compensation costs and approved changes
Associated controls: Data transfer security, confirmation of send, reconciliation of posted changes
Gap or control issues: Inadequate testing of the reconciliation report: inadequate security on the backend data of tables containing salary compensation data.
Sequence: 1.5a, 1.4b, 1.4a, 1.3a, 1.1a

Salary
Salary

Report
Change
Change

Manager
Approval
Manager
Tracking-

Requests

Guideline
Exception
Routing by
Registered
Assignment

based routing
Refuse Verbal
Compensation
Compensation
Control Name

Threshold form
SAMPLE OF CONTROL TABLE:

Key Control: TRUE, TRUE, FALSE, FALSE, TRUE
Automated or Manual: Automated, Automated, Automated, Automated, Manual
Control Method: Exception/Edit Report, Interface Conversion, Configuration Account Mapping, Configuration Account Mapping, Authorization
Control Program Type: Corrective, Preventive, Preventive, Preventive, Deterrent
Information Processing Objective: Accuracy (A), Restricted Access (R), Restricted Access (R), (blank), Restricted Access (R)

the
and

within
Salary
record

ng and
current
Refuse

uniform
Controls

that are
name is

requests
requests

manager
manager
Manager

validated

manages

across all
from over
employee
outside of

Employee
against ID

Metrics on
Activity

on change
on change

application
PeopleSoft

HR system
is routed to

percentage

compensati
compensati
compensati
by mapping
y populated
of Control

of approved
automaticall

at user login
Description

of guidelines
Prevents the
request form

Control Owner: Executive Quality Assurance Managers HR Human Resource
Frequency of Control: Quarterly, Real Time By Transaction, Real Time By Transaction, Real Time By Transaction, Real Time By Transaction
Evidence of Control: list location, list location, list location, List location, list location
Control Test Frequency: Part of Internal Audit Cycle, Part of Internal Audit Cycle, Part of Internal Audit Cycle, Part of Internal Audit Cycle, Part of Personnel Review Process
Evidence Test on Control: list location, list location, list location, List location, list location
Test Plan: list location, list location, list location, List location, list location

Management CFO
guidelines are evaluated to determine if managers are following instructions and if the compensation guidelines appear to be reasonable.

1.7a Executive Compensation Review
Description of Control: Review of all salary requests to assure that no individual is permitted to earn beyond the payment guidelines as determined for executives and officers
Key Control: TRUE
Automated or Manual: Manual
Control Method: Management Review
General
Information Processing Objective: Validity (V)
Control Owner: Accounting Oversight
Frequency of Control: Quarterly
Control Test Frequency: Part of Internal Audit Cycle
List location Archived reviewed and signed documents in locked file cabinet ....[location]
Meeting notes ....[location]
List location Physical check by Internal Audit results by quarter ....[location]

1.7a Valid Rejection based in business rules fairly applied
Description of Control: Email is system generated to include exact business rule that would be violated by the request and tracking the end to end delivery of reason for rejection on compensation change. Rejection is sent to requester, not to the employee.
Key Control: TRUE
Automated or Manual: Automated
Control Method: Exception/Edit Report
Detailed
Information Processing Objective: Validity (V)
Control Owner: HR
Frequency of Control: Real Time By Transaction
Control Test Frequency: Part of Internal Audit Cycle
List location

1.9a Accurate Employee Transaction
Description of Control: Items in compensation change request auto populate the HR update form, prompting HR to validate changes. If information is not complete, HR system cannot update. If items are
Key Control: FALSE
Automated or Manual: Automated
Control Method: Interface Conversion
Detailed
Information Processing Objective: Accuracy (A)
Control Owner: HR
Frequency of Control: Real Time By Transaction
Control Test Frequency: Aligned to Billing Cycle
Evidence of Control: List location
Evidence Test on Control: List location
Test Plan: List location
2.
2.
1.
1.

9c

1a
0a
9b
 

Plan
HR to

Report
Review

Systems

Payroll to

Comparison
Restriction of

Compensation
Compensation
Compensation
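Key Control: FALSE, TRUE, FALSE, FALSE
Automated or Manual: Manual, Automated, Manual, (blank)
Control Method: Reconciliation, Segregation of Duties, Management Review, Reconciliation
Control Program Type: Corrective, Preventive, Detective, (blank)
Information Processing Objective: Completeness (C), Accuracy (A), Accuracy (A), Accuracy (A)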


 

on
on
not

the
HR
in HR

salary
cannot

Nightly
Monthly
records,

t system
values in
interface.
is read to

access to
complete.

in HR has

n of all GL
on system
on change

but no one
dashboard

on system,
transaction
recognized

information
activity and

compensati
compensati
compensati
compensati
compensati

reconciliatio
review of all

Compensati

Managemen
compared to
on values as
Control Owner: Finance, Finance, Corporate HR, (blank)
Frequency of Control: Daily, Real Time By Transaction, Quarterly, (blank)
Evidence of Control: List location, List location, List location, List location
Control Test Frequency: Part of Internal Audit Cycle, Part of Internal Audit Cycle, Part of Internal Audit Cycle, Part of Internal Audit Cycle
Evidence Test on Control: List location, List location, List location, List location
Test Plan: List location, List location, List location, List location