When Frank and Lillian Gilbreth introduced the first process flowchart to a group of engineers in 1921, the innovative method of giving a pictorial view of a process quickly gained admiration in the academic and business worlds. Flowcharts gained popularity over the decades and today are used by many professions. Accordingly, by the 1970s, the International Organization for Standardization (ISO) developed standards around them.
Internal auditors may have mixed reactions about flowcharts. Many will venture to reveal their love-hate relationship as there are often flashbacks to a great amount of time and effort — and, possibly, frustration — in creating, validating, correcting, and recreating flowcharts. Others may refer to the adage, “a picture is worth a thousand words.” Regardless, these diagrams are valuable tools for auditors and have many applications. Currently, technologies such as process mining are revolutionizing the way flowcharts are created and analyzed because of their transparency and the value of information they provide.
In simple terms, a flowchart is a visual representation of a process showing activities and workflow. These illustrations present steps, systems, and information inputs and outputs, all represented by various symbols. In other words, a flowchart is a map that shows specific features in a process and how data, documents, systems, individuals or departments, actions, and decisions flow and interact. In short, flowcharts can make complex information easier to understand.
Several IIA implementation guides mention flowcharts for planning and execution purposes. The most significant are:
- Standard 2201: Planning Considerations
- Standard 2300: Performing the Engagement
- Standard 2310: Identifying Information
- Standard 2320: Analysis and Evaluation
- Standard 2330: Documenting Information
Flowcharts are typically easy to read and understand given the global standardization of symbols. For example, processes are represented by rectangles, decision points by diamonds, manual steps by trapezoids, and databases by cylinders. These symbols are connected by arrows showing the linked activity in the process. Flowcharts may contain short notes or comments to provide additional details and may even include a legend. In addition, flowcharts generally have a structured flow, such as top to bottom or left to right, and contain multipage connectors, if needed, along with start and end points.
Internal auditors use flowcharts in their work for various reasons, including:
- Training and guidance – incorporated in manuals, presentations, and other educational materials, or as part of policies, guidelines, or methodologies to complement or illustrate narrated procedures and requirements.
- Execution and delivery of engagements – to understand processes and controls design during engagement planning, analyze and evaluate information throughout project execution, and support the formulation of results and opinions. For example, auditors use flowcharts to identify control gaps or process inefficiencies or, when appropriate, as concise visuals in reporting.
- Fulfilling requirements – to support organizations that must meet regulatory requirements, such as the U.S. Sarbanes-Oxley Act of 2002, which requires the documentation of business processes and internal controls (e.g., used to complement narratives and risk/control matrices) or to obtain and maintain accreditations such as specific ISO certifications.
While flowcharts are useful for auditors, they also have certain limitations, such as:
- Structure. One of the biggest limitations is that flowcharts tend to focus on a linear flow. They also present a process as intended to be, instead of how a process actually operates.
- Oversimplification. To make it easier for people to understand, flowcharts oversimplify processes and data flows. In addition, when auditors rely exclusively on flowcharts they may miss risks outside the processes, including emerging risks, as well as the critically important soft controls.
- Overcomplication. Just as oversimplification can be an issue, providing too much detail can result in awkward, complex, and non-visually appealing maps.
- Administrative burden. Creating and updating flowcharts requires resources. Revisions may be necessary to create the right diagram when auditors should be spending their time focusing on other areas.
Process mining is a technology and technique used for discovering, monitoring, and improving processes. This method involves extracting recorded data from event logs in information systems and illustrating actual process flows and variations. While traditional flowcharts illustrate an assumed process, process mining provides a representation of the real process. Because process mapping can be fast, fully automated, and repeated, organizations are using the technology in many ways, including conformance checking, identification and analysis of issues, and continuous optimization initiatives.
Process mining has many implications as a way of transforming and innovating how auditors conduct their work. For example, as a computer-assisted audit tool, auditors can use it to obtain and analyze a holistic view of the entire process chain, instead of just sampling. This view is based on actual data, not assumptions, allowing auditors to observe and explore the inner workings of a process to find out what is really happening. With this information, auditors can pinpoint issues, validate deviations or inefficiencies, identify and evaluate root causes, and recommend practical remedial action plans and mitigation strategies. At the same time, audit departments can rethink the audit process, itself, and find efficiencies along the way. This may include reducing or eliminating conventional interviews and walkthroughs, designing innovative continuous monitoring or continuous auditing solutions, and eliminating outdated documentation.
Old Tool, New Tricks
Knowing how to develop and analyze flowcharts is considered basic knowledge for internal auditors. New tools and techniques around process mapping are paving the road for fresher ways to execute and deliver assurance and advisory services. By embracing enabling technologies, auditors can reshape their thinking and provide more in-depth insight and foresight, produce impactful reporting, and deliver valuable support throughout their organizations.