GCC Documentation 1266

  • Hi,
    I would like to know how to document General Computer Control.
    I was told that a documentation should comprise of:

    • a process flowchart
    • a process narative
    • a risk control matrix
    • a control remediation matrix
      Is the process flowchart a mandatory part of the documentation
      for all the GCC domains?

  • Flowchart is a ‘nice to have’ thing, as it helps you to ‘visualise’ the process. However, look at it from the cost/benefit side. I’ve heard from all Big 4 audit companies that they suggest their clients use EITHER a detailed narrative OR a detailed flowchart. Thus, it is not ‘mandatory’ and it’s up to you to decide.

  • For IT general computing controls, I have used IT policies and procedures and risk control matrix as the bare minimum. In another company, we did naratives and flow charts in addition to the policies and procedures.
    I think you can get by with policies and procedures if they are well documented for IT general computing controls. A risk control matrix may also be required.
    Typically, I have seen the process naratives and flow charts are used for application and financial controls since there is no other documentaion available.

Log in to reply