AT TATA MOTORS, LUCKNOW
INTRODUCTION
PROCESS MAPPING
ACTION STEPS
Applicability to Tata Motors Ltd
Tata Motors Ltd has listed its Global Depository Receipts (GDRs) in the
form of American Depository Receipts (ADRs) on the New York Stock
Exchange (NYSE). In view of this listing, it has become obligatory to
comply with the requirements of the Sarbanes Oxley Act, 2002.
The focus of SOX is on the processes and systems through which all
transactions are captured and ultimately flow into the financial statements.
There are several requirements of the SOX Act. One of the main requirements
is extensive and elaborate documentation of business processes,
including evaluation and evidence of tests of controls. In other words,
the crux is assessment of the effectiveness of the internal control.
The external auditors will review the process adopted to ensure that it
would result in accurate financial reporting and give their opinion.
5. Narratives
6. Accounting Entries
7. Key Statistics
8. Key Controls
December 27, 2004 8
1. Business Processes (Col No. 1 of the template)
1. Procurement to Payment
2. Order to Collection
3. Hire to Retirement
4. Production planning to Warranty
5. Inventory (Receipt of Material to Consumption)
6. Fixed Assets (Acquisition – Capitalization – Disposal)
7. Regulatory Cycle
8. Establishment and Business Support (e.g. Information
Technology)
9. Sourcing to Utilization of funds (Treasury)
10. Product Development (ERC)
11. Financial closing and reporting process
A two / three tier flowchart needs to be prepared for each process /
sub-process.
Please note that the auditor will be doing the walkthrough exactly
as per the document provided by you. He would trace a transaction
box by box as per the process chart. Therefore, we need to ensure
that the auditor does not in reality find that the process is in any way
different from that flowcharted, as it would otherwise call for the
whole thing to be redone. To prevent such an eventuality, you need
to do the walkthrough yourself to ensure that the process is
working as it has been flowcharted.
[Flowchart boxes: RECRUITMENT; UPDATION OF SAP MASTER DATA; PAYROLL PROCESSING IN SAP HR; BOOK CLOSURE; BALANCES IN SALARY RELATED SIGNIFICANT ACCOUNTS IN FINANCIAL STATEMENTS; END]
[Flowchart: PROCESS 5, OFFCYCLE (ANNUAL PAYMENTS) PAYROLL PROCESSING. Box labels: Payroll Live Run; Is Posting error free? (YES / NO); Posting to Accounting; Payment Run; Payment to Banks; Bank Statements; Cheques; Acknowledgement Letter; Dispatch of Payslips to Nominees of BKY Employees by Post; Transfer of Balance Sheet Data to Logistic Server; Provision for Staff Welfare Expenses; Actuarial Valuation of BKY Liability; Balances in BKY related Significant Financial Accounts in Finance Statements; EXIT. Linked processes: 2F, 2G, 2H, 2I, 2J, 2K, 2L, 2M.]
The flow chart will provide the complete flow of activities for a
process/ sub-process. However, you need to create a separate
document where you should write a brief narrative of each
process/ sub-process, to explain what happens in each process/
sub-process with appropriate cross-references to the flowchart.
This should be a two column document wherein the first column
contains the description of the process / sub-process along with
the reference no. of the flowchart and the second column
contains a brief narrative of the process / sub-process. The
narrative should indicate, “Who does what, when and how is it
done”. Please write the narrative in simple language. Be brief.
CONTROL INFORMATION (Col Nos. 11 to 23)
11. Control Objective
12. Control Description
13. Nature of Control (Preventive or Detective)
14. Type of Control (Manual or Automated)
15. Frequency of Control
16. Key Control (Y/N)
17. Anti Fraud Control (Y/N)
18. Performer
19. Financial Statement Assertions
20. Assessment of Design of Control (Test of Design) and reason, PASS / FAIL
21. Remediation steps required, if any
22. Remediation Schedule (Date when)
23. Walkthrough summary
TESTING INFORMATION (Col Nos. 24 to 33)
24. Test of Control (Y/N)
25. Testing Strategy
26. Sample Tested
27. Results of test of control
28. Supporting Documentation and its location
29. Conclusion Fail / Pass
30. Gaps in operating effectiveness of controls
31. What is the alternate control (if there is failure of the control)
32. Remediation steps required, if any
33. Remediation Schedule (Date when)
RETESTING INFORMATION (Col Nos. 34 to 42)
34. Test of Control (Y/N)
35. Testing Strategy
36. Sample Tested
37. Results of test of control
38. Supporting Documentation and its location
39. Gaps in operating effectiveness of controls
40. Remediation steps required, if any
41. Remediation Schedule (Date when)
42. Final Conclusion
There may exist many control activities for a particular risk or control
objective. Conversely, a control activity can cover more than one
control objective/risk.
The one who exercises the control is the performer of the control.
Depending upon the type of control, the performer of control can be
identified.
If the control is manual, the performer of control is the person
exercising the control. If the control is automated, the performer of
control is the system.
TEST OF DESIGN (TOD)
i. Preventive Automated
ii. Detective Automated
iii. Preventive Manual
iv. Detective Manual
By their nature ‘automated’ controls are reliable and need less oversight
than the ‘manual’ controls and preventive controls have preference over
detective controls at the process level. It is preferable to have more controls
in the category of preventive and automated. In case it is not possible to
shift from 4 to 1, compensating/ supplementary controls should be
instituted to improve the reliability of the control.
Note:
1. A detailed description of the shortcoming in the design of control, if
any, should be documented at the time of assessment of design of
control.
Example
i. Segregation of duties
ii. Removal of excess authorizations
Conducting a walkthrough:
1. Take a transaction at random
2. Start at the origin of the transaction.
3. Identify the documents and the data fed in the system
4. Check for the correctness and completeness of the data
5. Check for the authorizations and signatures of the proper authorities
as indicated in the process document
6. Check for the evidence of records being kept and the backup
papers being stored for reference.
7. Check whether all the steps in the process as indicated in the
process map and the narrative occur and in the same sequence.
8. Check whether all the controls indicated in the process map are
working and effective.
9. Document all your observations and conclusion.
After you complete the testing and finalise the results of the same, these
need to be documented and retained for the review by the
management and the external auditors.
Identify the gaps which need to be plugged so that the control works
the way it should.
ELSE YOU NEED TO DETERMINE THE LEVEL OF DEFICIENCY
Level of Deficiency – Operating Effectiveness of Controls
The ineffective controls can be graded based on the severity.
Internal Control Deficiency:
An internal control deficiency exists when the design or operation of a
control does not allow management or employees, in the normal course of
performing their assigned functions, to prevent or detect misstatement on a
timely basis.
Significant Deficiency:
A significant deficiency is an internal control deficiency that adversely
affects the entity’s ability to initiate, record, process or report external
financial data reliably.
Material weakness:
A material weakness is a significant deficiency that, by itself or in
combination with other significant deficiencies, results in more than a
remote likelihood that a material misstatement of the annual or interim
financial statements will not be prevented or detected.
Important Things to remember
1. We need to do walkthrough at three stages
• Once when we are doing the flowcharts – to ensure that the flowchart
depicts exactly the way process is moving and no other way.
• Second time when we are doing Risk identification – as a process to
do it.
• Finally when we are doing the testing of the controls – to check
effectiveness of the controls.
3. We need to ensure that the auditor does not find any difference between
the flowchart and the process in reality. Also, the auditor should not identify
any significant risk which we have not been able to foresee. Else it would
call for significant re-work.
• After you complete the entire cycle for a process / sub-process – review by
an independent agency like Internal Audit
• Remediation and re-testing if any deficiencies are found
• Re-check by an Independent Agency
• Final Audit by Statutory Auditors