Affirmation Team Always Sequence 0. Scope. transferred. . retained. VISIO SHAPES AND CUSTOM PROPERTIES FOR EVIDENCE OF PROCESS CONTROLS Name* Description* Document Title. creation frequency. how is it classified. Release Date. status of use in controls evidence. Part of processes sequence Decision point and criteria for movement Part of processes sequence Grouping allows representation of simultaneous events Sequence should parent child the sub group of activities Loop limits usually reflect key controls Data Management: What data is used. Part of processes sequence Identifies process activity.0 Reference to other process documents and to full processes outside of the scope of the current document. noting control issues and potential gaps.9 so that all data sources are clustered to the bottom of the process report. owners and event sequence. accessed List of external documents used to complete process. Editors. description of use Sequence is always 9. Revision.

there would be an expected control. Name* Description* Exit and entrance criteria for movement from one activity to the next. E&Y. PwC. this should be filled in. PCAOB. The sequence is used to align the control to the associated activities that use this control.8 so that all data sources are clustered to the bottom of the process report. This forces the relative risk of the control gap to be evident to the viewer and writer Database name and DBA/SA owners Sequence is always 9. it is available to controls reporting for this process. Where criteria for movement is monitored by a system and is critical to control activity. Control Documentation Object: Drop down menu choices include common language for defining controls as expressed by ISACA. it need only be described once and then mentioned on the activity object. Information entered to this area. . When a control is inadequate. Deloitte and SANS. KPMG. Where this is true. Where a control is used in multiple instances. Trigger and Exit criteria Sequence is always 0.1 so that all triggers and exit criteria are clustered to the top of the process report. Reporting on Activity and then on Control allows the process of documenting the flow to also serve as written summary of the activity and its controls. the issue is identified in the GAP commentary of the activity needing more stringent control.

the form sends automatic notification to the employee manager with details of compensation change.4..6 .1 Existing employee or new Approval process involves selecting all areas met that support approval with note of on whose authority request was approved. Lack of time based checking mechanism to determine age of most recent personnel review Documentation of standard method for approval.3 Employee supervisor approval Employee supervisor approval Employee manager Po7 1.5 Rejection notification Human resources Tracking legal reason or business rule that is used to refuse request 1.. Known associated controls are.4 1. A false positive in the system Salary too high or too low Evaluation of salary based in job responsibilities and standard industry compensation benchmarks Notification by email and system record of text including nature of refusal and rule that is violated by enacting request Salary evaluation Approved salary benchmark guidelines Guidelines are not routinely updated and might become out of date None Change to existing compensation values is within this process Human resources Approval process 1.1 Established criteria for salary values applied to approval Finance 1.1 Access to change form restricted to managers: compensation request not accepted unless through form User requesting their own pay raise 1. Subjective determination of personnel review could allow an employee bonus or change without evidence of proper employee review.1. SAMPLE REPORT OUTPUT BASED IN SAMPLE VISIO PROCESS - ENTIRELY FICTITIOUS Activity table Activity title Activity description Human resources Owner Sequence Associated controls Gap or control issues Issue Affirmation criteria Compensation change request Fill in all required fields on the "title here" compensation change form 1. Upon submitting the "approved" button. archiving and verification that the supervisor is making the authorization vs..

reconciliation of posted changes and approved changes Reconciliation report to prove ERP systems have received and recorded all changes/ form restriction where approval is not in system record None 2 1. qualifications of employee. . archive. reason for request.8a Process is not presented and approved by the board of directors/ process is not backward compatible to previous compensation activity None Human resources 1. confirmation of send. management representation Accounting oversight committee meets on and approves salary Accounting oversight review of executive compensation 1.8 Compensation management system Fill in all required fields to complete compensation management change request: submit approved change Payroll Payroll system update Payroll record change sent to ADP: general ledger reflects new debit amounts based in compensation costs Access to change form restricted to managers: compensation request not accepted unless through form: all fields form validated prior to submit Data transfer security. implemented due diligence and ethics Form controls: policy controls Sr. Mgt.1 Inadequate testing of the reconciliation report: inadequate security on the backend data of tables containing salary compensation data. Activity table Guideline exception process Notice to committee includes the criteria for exception and limits of monetary compensation. Approvals Human resources 1. quorum.7 Human resources HR system update HR representative [input details in process here] Meeting announcement.9 Payroll 2.

4b Salary Threshold form based routing 1.1. 4a Approval Routing by Registered Manager 1. 1a SAMPLE OF CONTROL TABLE: Sequence Control Name Compensation Change Tracking Refuse Verbal Compensation Change Requests Manager Assignment TRUE Automated Interface Conversion Preventive Restricted Access (R) FALSE Automated Configuration Account Mapping Preventive Restricted Access (R) FALSE Automated Configuration Account Mapping Preventive TRUE Manual Authorization Deterrent Restricted Access (R) Refuse requests outside of request form Key Control Automated or Manual Control Method Control Program Type Information Processing Objective Description of Control Activity Controls Quality Assurance Real Time By Transaction list location Part of Internal Audit Cycle Part of Internal Audit Part of Internal Audit Cycle Part of Personnel Cycle Review Process list location list location List location list location list location Manager name is automatically populated at user login by mapping against ID and PeopleSoft employee record Employee compensation change is routed to HR system validated current manager Prevents the manager from overcompensating and manages uniform application of guidelines across all requests Managers Real Time By Transaction list location HR Real Time By Transaction List location list location List location Human Resource Real Time By Transaction list location Control Owner Frequency of Control Evidence of Control Control Test Frequency Evidence Test on Control list location Test Plan . 3a 1.

Rejection is sent to requester...[location] Accounting Oversight Management Review Validity (V) Quarterly General Manual TRUE list location Automated Corrective Quarterly TRUE . Review of all salary requests to assure that no individual is permitted to earn beyond the payment guidelines as determined for executives and officers Email is system generated to include exact business rule that would be violated by the request and tracking the end to end delivery of reason for rejection on compensation change.. 5a Salary Guideline Exception Report Metrics on the percentage of approved compensation change that are within Salary guidelines are evaluated to determine if managers are following instructions and if the compensation guidelines appear to be reasonable. 7a Executive Compensation Review Part of Internal Audit Cycle Meeting notes ...[location] 1..[location] List location 1... not to the employee. Controls 1. Executive Management CFO Part of Internal Audit Cycle Exception/Edit Report Accuracy (A) list location list location Archived reviewed and signed documents in locked file cabinet . 7a Valid Rejection based in business rules fairly applied Part of Internal Audit Cycle Real Time By Transaction Exception/Edit Report List location List location Automated Validity (V) Detailed TRUE HR Physical check by Internal Audit results by quarter ..

9a Accurate Employee Transaction Items in compensation change request auto populate the HR update form. 1a Payroll to Compensation Plan Comparison Report Completeness (C) Reconciliation List location List location Corrective Finance Manual FALSE Daily Monthly review of all compensation change activity and compensation dashboard HR information is read to the compensation system. prompting HR to validate changes. 0a Segregation of Duties Restriction of HR to Compensation Systems Part of Internal Audit Cycle 2. 9c Compensation Review Real Time By Transaction 2. but no one in HR has access to compensation system interface. if Information is not complete. If items are not recognized in HR records. Real Time By Transaction Part of Inter Aligned to Billing Cycle Reconciliation Interface Conversion Detailed Accuracy Accuracy (A) List location List location List location List location List location List location List location Part of Internal Audit Cycle Part of Internal Audit Cycle Corporate HR Management Review 1. transaction cannot complete. 9b 1. HR system cannot update. Controls 1. Nightly reconciliation of all GL salary compensation values as compared to values in Compensation Management system Accuracy (A) List location Accuracy (A) List location List location Automated Preventive Finance TRUE List location Detective Quarterly Manual FALSE List location List location FALSE FALSE Automated HR .

