practices and fraud.

When management formally

CHAPTER5 communicates its principles and values, it will
influence the organizational culture and permeate
CONTROLFRAMEWORK
the entire organization.
, a commission was established to Organizational culture is the collection of learned
address fraudulent acts in financial statements. beliefs, traditions, and guides for behavior shared
among members of the organization.
The National Commission on Fraudulent
Financial Reporting, chaired by James C.
Treadway, identified the lack of a comprehensive
internal controls framework.

was formed .
in 1985 to sponsor the commission.

COSO goal was to improve financial reporting

quality through corporate governance, ethical
.
practices, and internal control, with a focus on
Ethics is also closely linked to quality, as
ERM and fraud deterrence.
evidenced in the Volkswagen emissions
violations scandal. An auditor who fails to meet
The 2013 COSO IC-IF contains 17 principles,
accounting standards can cause great damage
stating that an entity can achieve effective
to the firm and the client, as observed in the
internal control by applying all principles to
operations, reporting, and compliance objectives. Xerox and KPMG cases.

CONTROLENVIRONMENT
The workplace environment refers to the
structure, leadership style, and ethical practices
of an organization. It includes the tone at the top,
which is set and promoted by the board of
directors and senior management.
This tone drives ethical conduct within the
organization and helps prevent unethical
The control environment includes activities
related to the competence and development of
personnel, the assignment of authority and
responsibility, and the organizational structure.
Employee reporting lines and accountability
requirements are also shaped by reporting lines,
and these play an important role in the
effectiveness of internal controls.
 Management establishes a risk management
philosophy and the entity's risk appetite, forms a
risk culture, and integrates ERM with related
initiatives. Many managers have come to realize
that the control environment is critical to the
overall corporate image.
Talking about and acting ethically carries
financial benefits.
Understanding and addressing unethical behavior
is essential for auditors to ensure the integrity
and fairness of the organization. Examples of
unethical behavior include an unreasonable
emphasis on bottom-line performance,
high-pressure sales tactics, kickbacks or bribes,
and the failure to comply with laws and
regulations.
Communication, Consistency, and Belief in the
Message
,
as inconsistencies can lead to employees
viewing management as hypocritical. A code of
ethics, code of conduct, and conflict of interest
statement are essential for establishing ethical
conduct. These documents guide employees in
ethical decision-making, motivating them to
conduct themselves ethically. Training should be
provided upon hire and annually to reinforce the
importance of these topics.
Internal audits can be beneficial by
partnering with Human Resources, Legal, IT, and
Loss Prevention to teach employees about
internal audits in other settings.
Form over Substance
The control environment is crucial for an
organization's success, ensuring integrity, ethical
values, independence from management, and a
commitment to attracting, developing, and
retaining competent individuals.
The board of directors plays a vital role in
maintaining internal control quality, setting
expectations, and ensuring smooth information
flow.
The organization should also demonstrate a
commitment to attracting, developing, and
retaining competent individuals, ensuring their
selection, safeguarding, and proper deployment.
By addressing these issues, organizations can
ensure their objectives are met, mitigate risks,
and increase the likelihood of achieving them.
Entity Level Controls
Entity level controls are essential in assessing an
organization's values, systems, policies, and
processes to prevent fraud and encourage proper
conduct.
Key areas of
focus include controls over management override,
risk assessment methodology, centralized
processing, monitoring results of operations, and
financial and operational reporting. Internal
auditors and business leaders can identify
strengths and weaknesses in their entity level
controls by examining factors such as the
organization's code of conduct, disciplinary
action, organizational structure, documentation,
compliance requirements, data and information
availability, and coordination within the
organization's second and third lines of defense.
Internal auditors must understand that behavior
is influenced by their environment and competing
forces, and must work with management to
establish clear performance standards,
communicate rewards and sanctions, and ensure
effective employee management. Organizations
should create a positive environment through
socialization, education, formal/informal systems,
and reinforcement, but should not tolerate
unethical behavior.
Tone in the Middle
Larry Rittenberg, COSO's Chair Emeritus,
emphasizes the importance of understanding the
link between objectives, risks, and controls.
If objectives are not articulated, a deficiency in
the control environment should be brought to the
attention of senior management and the board.
Focusing more on control activities cannot
compensate for a breakdown between senior
management and board oversight. Once
identified, risks should be linked throughout the
organization, providing a chaining mechanism to
trace risks up and down the organization.
Risk assessment is a crucial process for
organizations to identify, analyze, and respond to
potential risks related to their objectives.

Choosing the right managers is crucial as

employees judge an organization's ethical .
conduct based on their boss's actions. Managers
influence workplace dynamics, values, and Management specifies objectives within three
customer satisfaction. categories: reporting, compliance, and operations.

The "tone in the middle" dictates workplace Reporting considerations are arranged in four
conditions, leading to satisfaction, turnover, broad categories: internal/external and
profits, and goal achievement. financial/nonfinancial.

Compliance requirements relate to adherence to

laws and regulations, including contractual terms
and conditions, service level agreements, and
voluntary agreements.
RISKASSESSMENT
Operations pertain to the effectiveness and
efficiency of the organization's operations,
The COSO framework focuses on identifying,
including operational and financial performance
quantifying, analyzing, and managing
goals, safeguarding assets against loss, damage
organizational risks.
or obsolescence, and making sure resources are
Risks are events that can threaten an obtained economically.
organization's ability to achieve its
Management must consider, specify, and analyze
objectives.
the degree to which objectives are aligned with
their strategic priorities to ensure congruence
Risks are assessed based on
and coordination between these objectives.
likelihood and impact. Before risk assessment, it
is crucial to

Examples include an
employee's objectives focused on cost reduction,
a sales department's performance measured on
sales volume, and a manufacturing manager's
goals weighted heavily on lowering unit costs.
Lack of alignment with established laws, rules,
regulations, and standards can lead to trouble
and long-term consequences. Large-scale
problems often invite regulator involvement and
media attention, which can become distracting
and expensive over time. Any discussion about
risk must consider that every entity faces a
variety of risks from internal to external sources.
Business and Process Risk
The risk management process of an organization
involves various risks, including capacity,
execution, supply chain, business interruption,
human resources, product or service failure,
product development risk, cycle time risk, health
and safety risk, leadership risk, outsourcing risk,
competitor risk, catastrophic loss risk, industry
risk, planning risk, organization structure risk,
integrity and fraud risk, reputation risk, data
integrity, infrastructure risk, commerce risk,
access risk, and availability risk.
Capacity risk refers to the inability to meet
demand in the short and long term
Execution risk involves the inability to produce
consistently without compromising quality.
Supply chain risk refers to the inability to
maintain a steady stream of supplies when
needed.
Business interruption risk stems from the
unavailability of raw materials, IT, skilled labor,
facilities, or other resources that threaten the
organization's ability to continue operations.
Human resources risk refers to the lack of
knowledge, skills, and experiences among key
personnel that threatens the ability to achieve
business objectives.
Product or service failure risk involves the failure
of products or services to meet customer
expectations, leading to customer complaints,
warranty claims, returns, field repairs, product
liability claims, litigation, lost revenues, lower
market share, and damage to the business's
reputation.
Product development risk involves ineffective
product development that threatens the
organization's ability to meet or exceed customer
expectations consistently over the long term.
Cycle time risk is the unnecessary activities that
threaten the organization's capacity to develop,
produce, market, and deliver goods and services
in a timely manner.
Health and safety risk involves the failure to
provide a safe working environment for workers
Outsourcing risk involves outsourcing activities
that do not align with the organization's
strategies, objectives, values, and behavioral
standards and expectations.
Technological and Information Technology
Risks
These risks include data and system availability
risk, data integrity risk, system capacity risk, data
integrity, infrastructure risk, commerce risk,
access risk, and availability risk.
Data and system availability risk involves the
uptime of systems and tools to support the needs
of workers, customers, suppliers, and
stakeholders.
Data integrity risk involves the accuracy and
consistency of data stored, processed, retrieved,
and destroyed.
System capacity risk involves optimizing storage
and computing capabilities.
Infrastructure risk refers to the outdated or lack
of IT infrastructure needed to support information
requirements.
Commerce risk involves events that compromise
financial and data flows.
Access risk involves unauthorized use of
confidential information or limited personnel
performance.
Availability risk threatens the continuity of
operations and processes.
are conditions that limit an
organization's ability to obtain, deploy, and retain
suitable numbers of qualified and motivated
workers.
These risks include availability risk, competence
risk, judgment risk, malfeasance risk, motivation
risk, financial risks, environmental risks, political
risks, social risks, and political risks.
These risks can result in poor cash flows,
currency and interest rate fluctuations, and an
inability to move funds quickly and without loss
of value. Examples of financial risks include
resources risk, commodity prices risk, foreign
currency risk, liquidity risk, market risk, and
political risks.
Environmental risks involve the actual or
potential threat of negative effects on the
environment by emissions, wastes, and resource
depletion. Examples include energy and other
resources risk, natural disaster risk, pollution risk,
transportation risk, and pandemic risk.
Political risks involve the effects that political
decisions, events, or conditions can cause when
they affect the profitability of a business or the
ability to operate freely. Examples include
regulations and legislation risk, public policy risk,
and instability risk.
Social risks involve dynamics where an issue
affects stakeholders who can form negative
perceptions that can cause damage to the
organization. Examples of social risks include
demographics risk, privacy risk, CSR
requirements, and mobility.
Risk assessment requires management to
consider the impact of possible changes in the
external environment and within their own
business model that could make internal control
ineffective. This includes clearly articulating
objectives relating to operations, reporting, and
compliance so any risks to those objectives can
be identified and assessed.
Effectiveness relates to the achievement of
objectives and the degree to which these are
achieved.
Identifying business goals is essential for internal
auditors, as it involves obtaining these from
process owners during the planning phase.
The IIA Standards state that internal auditors
must consider the objectives of the activity being
reviewed, the means by which the activity
controls its performance, and the significant risks
to the activity, its objectives, resources, and
operations. If goals have been defined but are
inadequate, internal auditors should engage
management to develop improvements.
The SMARTER model
It helps to remember the elements of
well-developed goals, which are specific,
measurable, achievable, relevant, time-bound, and
evaluated. Specific goals make it easier for
managers and employees to focus their energy,
resources, and priorities on accomplishing them.
Measurable goals are easier to link their
completion to performance monitoring and
rewards mechanisms, as they help to measure
the degree of success accomplishing the related
goal.
Achievable goals are more motivating and
aligned with the mission and strategy of the
organization, the process, and the individual.
They build confidence and serve to motivate
those involved to pursue something great. Goals
should have milestones and checkpoints that
allow the person responsible for their completion
to witness progress. Relevant goals should be
aligned with the organization's mission and
strategy, and should be relevant to the
employee's career or job description.
Time-bound goals require commitment from both
the individual and the person overseeing the goal.
Goals should precipitate a plan to accomplish the
goal, creating a sense of urgency and time
pressure. The combination of goals, plans, and
deadlines brings out the talents in people and
can be leveraged among all involved.
Goals must be evaluated to determine if they
meet the SMARTER elements and if they meet
ethical and ecological considerations. Unethical
actions justified by the manager or others are
commonplace in some locales, and ignoring the
environmental impact of business actions is also
unfortunate and is increasingly shown
disapproval by stakeholders. By using the
SMARTER model, internal auditors can help
managers perceive the value of their work and
improve overall performance.
Rewards should be commensurate
with the effort put into the task and the outcome
achieved. Managers should also reward the
successful completion of tasks and the effort put
into them, showing how the work satisfies the
needs of organizational stakeholders.
Millennials are idealistic and want to understand
the big picture, so managers should reward the
successful completion of tasks and the effort put
into them. Internal auditors should link audit tests
to business objectives, linking everything they do
to a risk, which in turn is linked to a business
objective. This helps mitigate the potential
likelihood and impact of these risks.
Internal auditors should examine the functioning
of programs and processes to ensure that the
design and performance of these activities are as
expected and make recommendations for
improvement. Anomalies detected during audit
testing should be presented in that context, as
they allow risks to materialize, which jeopardize
the successful accomplishment of a particular
objective.
The topic of fraud and corruption has gained
attention over the past few years, with alarming
statistics about fraud. The IIA's Standards include
specific reference to fraud, emphasizing the
importance of internal auditors having sufficient
knowledge to evaluate the risk of fraud and how
it can be committed. Areas of focus related to
fraud include material omission or misstatement
of reporting, inadequate safeguarding of assets,
and corruption.
Assessing risk on a formal and informal basis is
essential for organizational success, and internal
auditors can help raise awareness by highlighting
some exposures.
External
factors like demographic shifts, technological
advances, and low interest rates can help achieve
business objectives. The Millennial generation,
who are comfortable with technology and adapt
to change, can be a valuable asset.
Technological advances like cloud computing
and broadband enable remote work, reducing
costs, and generating revenues.
ControlActivities
Controls are actions established through policies
and procedures to mitigate the likelihood and/or
impact of risks. They are performed at all levels
of an organization, at various stages within
processes and over the technological
infrastructure. Controls can be manual,
performed by individuals using tangible items, or
automated, performed by computer and
electronic systems without direct human
interaction. Some controls are a combination of
manual and automated, requiring both a system
component and human follow-through.
The rate of dependence on IT has increased
substantially over the past few decades, and
most activities involve the use of computers to
some degree or another. Organizations often
struggle with the lack of consistency in the
performance of control activities due to the
implementation process not aligning with
performance evaluation measures, supervision,
training, disciplinary actions, and rewards.
Control activities can be categorized as
preventive, detective, directive, and
compensating.
Preventive controls act before errors or
omissions can occur and reduce the likelihood
and/or impact of the event.
Detective controls identify errors or anomalies
after they have occurred and alert the need for
corrective action.
Directive controls are temporary controls
implemented to redirect employee actions,
sometimes referred to as corrective controls,
when an undesirable action has occurred.
Compensating controls are put in place when a
control is not where it is expected as proper
design would stipulate.
Internal auditors are generally tasked with
verifying that processes, programs, and their
related controls have been designed
appropriately and that those controls are
operating as intended.
Ensuring that controls are
designed effectively and implemented effectively
is crucial for maintaining organizational
effectiveness.
Information and Communication
The fourth component of the COSO IC/IF model
focuses on the flow of information within an
organization. It involves clear, consistent, timely,
and purposeful directions from the top, feedback
from employees, and lateral flows of information
between individuals and units. Communication is
crucial for effective functioning, decision-making,
problem-solving, and change-management
processes. It provides workers with important
information about their jobs, the organization,
and each other, improving motivation, building
trust, and engendering engagement. Internal
communication occurs on multiple levels,
including interpersonal, group-level, and
organizational-level. Information is necessary for
internal control activities, such as reconciliations,
inventory counts, and inventory counts.
Communication should be continuous, iterative,
and share necessary information to maximize its
utility. Internal and external communications can
follow various patterns, and organizations should
support management efforts to increase the
production, analysis, dissemination, and use of
information for better decision-making and
organizational effectiveness. The free flow of
information is essential for understanding new or
changed events in the operating environment and
preventing management from operating in a
vacuum.
Organizations face increasing risks and
modifications to their internal control systems
due to changing business dynamics. Outsourced
service providers, financial institutions, and
intermediaries provide diverse and complex
information sources, which can disrupt
operations and reduce revenues. Social media
has become an essential part of organizations'
communications infrastructure, connecting
employees, customers, vendors, supporters, and
detractors. As data flows expand beyond pairs
and involve intermediaries, organizations must
ensure the compatibility, quality, speed, and
reliability of all information.
Outsourcing can create operational risks,
strategic risks, and composite risks. Outsourcing
organizations must manage these risks and
ensure clients are protected and financial
statements are correct. To ensure acceptable risk
levels, organizations can have their own internal
or external auditor review the service provider or
provide reports to clients. Organizations also
have numerous third-party intermediaries that
play a crucial role in their business operations
and interactions with governments. Companies
must conduct due diligence and investigate their
third parties before contracting them,
understanding their roles, responsibilities, and
potential risks.
The hiring organization must manage third-party
monitoring and use technology to assist in this
process. Service providers can provide
standardized audit reports for customers to use
in risk assessment. The Statement on Standards
for Attestation Engagements (SSAE) No. 16,
Reporting on Controls at a Service Organization,
replaced SAS 70 in 2010. There are three types of
SOC reports: SOC 1 (Report on Controls at a
Service Organization Relevant to User Entities'
Internal Control over Financial Reporting), SOC 2
(Report on Controls at a Service Organization
Relevant to Security, Availability, Processing
Integrity, Confidentiality, or Privacy), and SOC 3
(Trust Services Report for Service Organizations).
Monitoring Activities
Monitoring activities are ongoing evaluations
used to assess the functioning of internal control
components. These evaluations can be cyclical
or ongoing, depending on the risk assessment
and previous evaluations. The criteria used
during these reviews are based on internal
requirements and external criteria. Monitoring
should be viewed holistically, considering other
components such as the control environment,
risk assessment, and information and
communication. Employee surveys can help
assess the state of ethics, risk assessment, and
information and communication. Monitoring
helps management understand how all
components of internal control are being applied
and enhances organizational effectiveness.
IT plays a crucial role in organizational success,
and organizations should consider IT as a
business service partner rather than just a
back-end support unit. The Information Systems
Audit and Control Association (ISACA) has
addressed the gap in IT considerations through
the COBIT framework, which includes strategic
direction, project management, purchases, and
training end users. The COBIT framework
addresses more than technical subjects and
includes critical managerial and
accounting/financial activities.
ISO, an independent nongovernmental
organization, provides world-class specifications
for products, services, and systems to ensure
quality, safety, and efficiency. It has published
over 19,000 international standards and related
documents, covering various industries. ISO 9000
and ISO 31000 are popular standards for quality
management and risk management, providing
guidance and tools for organizations to ensure
consistent meeting of customer requirements
and continuous improvement.
ISO also facilitates communication and the
setting of expectations between organizations,
complementing COSO's components and helping
internal auditors supplement their audit programs.
 By understanding and implementing these
standards, organizations can ensure their IT
operations align with their business needs and
achieve long-term success.
ITIL is a comprehensive framework for IT service
management that focuses on organizational
structure, skill requirements, and standard
management procedures. It provides templates,
checklists, and downloads for quick
implementation and helps organizations achieve
predictable service levels. ITIL v3 was published
in 2007 and updated in 2011. It addresses
service strategy, design, transition, operation,
event and incident management, request
fulfillment, and continual service improvement.
Successful companies that have implemented
ITIL include Procter & Gamble, Caterpillar,
Nationwide Insurance, and Capital One. Key goals
include streamlining service delivery, developing
repeatable procedures, reducing service incidents,
implementing standards, ensuring future
capacity, defining clear service targets, and
accurately allocating costs.
The CMMI is a process improvement appraisal
program developed by Carnegie Mellon University,
used in various areas such as project
management, software development, and
performance improvement. It has five maturity
levels: Initial, Repeatable, Defined, Managed, and
Optimized. Internal control frameworks, such as
COSO and COBIT, are used for planning, analysis,
decision-making, and monitoring. Planning is a
crucial aspect of classical management,
involving formulating detailed plans to achieve
the optimum balance between needs and
resources. COSO and COBIT frameworks provide
guidance and a roadmap for organizations to
structure and run effectively. Managers should be
taught about these frameworks and have their
performance measured based on the quality of
internal controls in their areas of responsibility.
This would reinforce the importance of internal
controls and reduce compensation for
non-performance.
CHAPTER 6
Histograms
are charts that display the frequency distribution
of numerical data using rectangles representing
intervals. They represent the probability
distribution of a continuous variable and are used
to assess the distribution of data. Histograms
provide a fluid view of transactions, helping
auditors understand the dynamics affecting the
process under review. They can be used to plot
sales revenues, vehicle serviced, and more,
providing a more comprehensive understanding
of the data.
Control Chart
Process owners are responsible for setting the
structure of their processes and programs,
establishing goals, identifying risks, and
designing controls to mitigate them. Monitoring
these controls provides valuable information
about their strengths and weaknesses, and helps
management identify anomalies that require
intervention. Control charts are a tool used to
document this monitoring, plotting and studying
how a process changes over time. They are one
of the seven basic tools of quality and are often
less used by internal auditors. Control charts help
auditors determine if a process is stable and
under control, predict future performance, and
identify the source of problems. By setting upper
and lower control limits and observing patterns,
internal auditors can increase the sophistication
of their data analytics and support their findings
with measurable data.
The Pareto principle, also known as the 80/20
rule, suggests that 80% of events' effects are
caused by 20% of their causes. Pareto diagrams
organize data and prioritize improvement efforts
by focusing on major root causes. They organize
data by constructing bars and ranking items in
importance.
FISH BONE
The fishbone diagram, also known as the cause
and effect diagram or Ishikawa diagram, is a
useful tool for internal auditors to identify the root
causes of problems. This method, which is binary
in nature, helps auditors treat issues from a
binary perspective, focusing on what should have
been done, verifying consistency, reporting no
findings, and recommending future practices.
However, when dealing with operational issues,
the answer may not be straightforward. Many
operational issues are caused by a combination
of people, process, and technology issues, so
auditors should attempt to identify the root
causes of these conditions. The six categories
used are people, methods, machines, materials,
measurements, and environment. The diagram
can be categorized based on the type of
organization or environment being analyzed.
When preparing the fishbone diagram, it
becomes clearer why the problem exists and how
a number of root causes impact multiple
categories. The top two or three items that have
the biggest influence on the effect are identified,
similar to the 80/20 rule. The fishbone diagram is
a useful tool for identifying root causes and
exploring solutions to problems. It aids in
problem-solving and can be used in conjunction
with the CCCER model for documenting internal
audit findings.
Internal auditors often face pushback from
clients when recommending corrective actions,
which can be due to insufficient testing or
communication. Force field analysis can help
prevent this by identifying the forces for and
against a course of action, evaluating the pros
and cons of a decision, and understanding the
client's perspective. This tool can help resolve
conflict of opinions, compare pros and cons, and
evaluate the strength and weaknesses of an idea,
product, or project. To use force field analysis,
write a T at the top of a piece of paper.
A force field analysis is a tool used to analyze the
influence of change on an organization. It
involves writing driving forces that support the
change initiative, such as lower costs, faster
speed, and increased customer satisfaction, and
restraining forces that prevent it. Factors such as
implementation costs, complexity, and conflicting
priorities can be scored based on their influence.
The strategy employed can either strengthen the
support forces or manage the opposing forces.
Force Field Analysis is a useful tool for auditors
to understand client priorities, challenges, and
concerns. It helps prepare arguments to address
objections, demonstrating understanding and
removing objections. This tool can be used as a
visual aid during presentations, promoting
engagement and addressing misunderstandings.
Flowcharts are a useful tool for auditors to
understand and analyze processes. They
represent workflows in visual form, allowing
auditors to identify defects such as bottlenecks,
rework, delays, and underutilized personnel.
Flowcharts are diagrams that represent the
movement of documents from left to right, with
symbols such as rectangular boxes, diamonds,
arrows, and ellipses. They are typically horizontal
and can be drawn top-down. Cross-functional
flowcharts show the steps and actors performing
activities, allowing auditors to identify
responsibility and decision-making.
They can help identify
efficiencies, handoffs, and control points, making
them easier to identify and understand.
Microsoft Visio, SmartDraw, Flowcharter, Edraw,
and RF Flow are popular flowchart software
packages. They offer user-friendly features like
automatic connection points, drag and drop, snap-
to tools, and grid lines. Flowcharting software
also allows for customization, such as text font,
size, and color. While auditors may initially find it
time-consuming, over time, the process becomes
faster and more accurate.
The As Is diagram is a tool used by auditors to
document the current state of a process,
including time, bottlenecks, production volume,
and delays. It
and lead to employee frustration. It also helps
auditors understand the context of the program
or process, identifying higher risk areas, and
ensuring transactions are completed promptly.
This helps in identifying potential issues and
addressing them effectively.
The As Is map is a useful tool for understanding
and assessing the performance of a process. It
helps identify anomalies and corrective measures,
allowing internal auditors and management to
compare before and after results. To draw an
effective As Is map, determine the boundaries of
the process, identify steps through consensus,
walk the process chronologically, use appropriate
symbols, test for completeness, look for problem
areas as a team, and show details.
An As Is map is crucial for auditors to understand
the current process and identify the desired
output or outcome.
. Automation can provide time and
labor savings, while simplifying tasks can
improve efficiency.
Performance standards help shape priorities and
measure the success of the process. Outputs are
measured in terms of volume, while outcomes
are measured in the short, medium, and long term.
Organizations should focus more on outcomes
in the twenty-first century, focusing on customer
satisfaction, retention, and image. This approach
helps organizations improve their processes and
overall business performance.
When reviewing processes, it is essential to
identify areas for improvement. Backlogs, which
are uncompleted work, can pose challenges
when meeting deadlines or ensuring customer
satisfaction. Cycle time, the total time from the
start to the end of a process, is a general
expectation. It includes process time specific to
each activity and waiting time between boxes.
Stop watches document the time it takes to
process various steps in a flowchart, while
systems data capture user ID, date, and time
every time a user accesses a transaction record.
Samples allow auditors to test financial and
compliance controls, checking for accuracy,
completeness, authorization, and
business-relatedness.