GCC Documentation
-
Hi,
I would like to know how to document General Computer Control.
I was told that documentation should comprise:
- a process flowchart
- a process narrative
- a risk control matrix
- a control remediation matrix
Is the process flowchart a mandatory part of the documentation
for all the GCC domains?
Regards.
-
Flowchart is a ‘nice to have’ thing, as it helps you to ‘visualise’ the process. However, look at it from the cost/benefit side. I’ve heard from all Big 4 audit companies that they suggest their clients use EITHER a detailed narrative OR a detailed flowchart. Thus, it is not ‘mandatory’ and it’s up to you to decide.
-
For IT general computing controls, I have used IT policies and procedures and a risk control matrix as the bare minimum. In another company, we did narratives and flow charts in addition to the policies and procedures.
I think you can get by with policies and procedures if they are well documented for IT general computing controls. A risk control matrix may also be required.
Typically, I have seen process narratives and flow charts used for application and financial controls since there is no other documentation available.