Narratives/flowcharts - required? 2476
Hoiya last edited by
Are companies ‘required’ to have flowcharts and/or narratives?
Up to now, I have been treating them as a natural part of the process, in that the narrative and/or flowchart would tend to be the best place to start the assessment process. But is there anything stopping a company from starting right at the RCM, forgoing the narrative/flowchart, and still be deemed to have an effective evaluation system of internal controls?
milan last edited by
The SOX Act does not specifically require SOX process documentation…flowcharts, process narratives, RCMs, etc. However, the auditor that performs the SOX audit will require written documentation that provides an understanding or overview of the client’s internal controls over financial reporting (ICFR).
So the answer is quite clear in the language of the SOX act, but interpreted by the auditors somewhat inconsistently. In the end, lack of SOX process documentation might not prevent you from having proper ICFR, but might preclude the auditor to form an opinion regarding the design of the controls.
If your objective is to comply with SOX quickly, you lack resources, time, or ability to develop process documentation, you might be able to develop thorough RCMs that provide a basic description of the key control and relative components (FS Assertion, Risk Assertion, Control Objective, Frequency of Control, Type of Control, and FS Account(s) impacted).
RCMs that are reasonably accurate, complete, and address the relevant factors for consideration in a SOX audit should be adequate and especially if you would like to fast-track the compliance effort.
Some audit firms prefer flowcharts because if they are properly developed, they are simple to follow for the staff auditor or noob that must ‘convert’ it into the auditor-prepared controls understanding document and/or SOX audit test plan.
Sorry for the long reply, but thought it better to provide explanation for the rationale than a simple yes/no answer based on a strict interpretation of the SOX Act.
gmerkl last edited by
As Milan said. No they are not required. Neither the act, nor the SEC’s rules for section 404 require to document all processes through narratives and flowcharts.
The only place that talks about documentation is PCAOB Auditing Standard no. 5. As far as I recall documentation refers to internal control. Internal control includes risk assessment, control activities and other controls. A lack of documentation of key controls and associated risk assessments may be considered by the auditor to be a control deficiency.
Some auditors want to take it easy and not do the work of interviewing the company’s employees about processes, or observe how they are done. If the auditor’s manager back at the home office who reviews their work wants to see an audit work paper with the whole process, then it is more convenient to find an electronic copy of a narrative or flowchart and just copy and paste it. But gaining an understanding through interviews or observing may take more time than reading a document. In addition, documentation is useful for the company for complex procedures, which happen infrequently during the year and can otherwise be easily forgotten. Furthermore, documentation is also useful and may be more efficient for training new employees.
In conclusion, it is not required, but it may make sense for the company to do it.
Denis last edited by
I would echo the comments from milan and gmerkl
You do not REQUIRE flowcharts or narratives. However, most organisations do NEED these things. You need them because they make life simpler and improve the efficiency and integrity of the end product i.e. the RCM.
harrywaldron last edited by
I agree with these 3 experts Some key reasons why they are helpful:
- As, 'a picture is worth a ‘000 words’ – flowcharts or other diagrams are always beneficial in conveying complex controls or procedures to outside entities (e.g., external SOX auditor)
- They provide good documentation
- In developing these, it may provide new ideas for improving a process or control that you might not see otherwise.
Thus in the past few years, Visio has become a favorite tool, as you can produce professional looking flowcharts and process flow diagrams