Documentation
A formal record describing a system or process.
Reasons for documenting processes
To comply with laws, troubleshoot, train, improve, and ensure internal controls.
Sarbanes-Oxley Act (SOX)
A law requiring internal control documentation.
Systems documentation
Shows how systems interact and exchange data.
ERD vs DFD
ERD = data at rest; DFD = data in motion.
Program documentation
Describes program logic for maintenance and troubleshooting.
Operator documentation
Instructions to run and control batch programs.
User documentation
Guides end-users on system usage.
Benefits of documentation
Knowledge transfer, standardization, improvement, and better audits.
Narratives
Written system/process descriptions often paired with flowcharts.
Types of flowcharts
Document, System, Program, and Process flowcharts.
DFD
A diagram showing data movement through processes, stores, and entities.
Levels of DFDs
Level 0 (context), Level 1 (main functions), Level 2 (details).
What a DFD excludes
Who performs processes and time aspects.
Guidelines for drawing flowcharts
Top-down, left-right, clear labels, connectors, refine for readability.
HR and payroll business cycle
Acquisition and payment processes.
HR vs Payroll focus
HR = managing people; Payroll = paying them.
Payroll outsourcing
To reduce risk and use experts like ADP.
Payroll internal controls
Authorization, accuracy, remittance, and data protection.
Employee onboarding
Integrating new hires into company systems and culture.
Main onboarding risks
Unauthorized access and incomplete setup.
Directional testing purpose
To check data consistency and find unauthorized access.
Key HR datasets
System Listing, HR Listing, and HR Term Listing.
Employee termination
Includes resignation, firing, retirement, or death.
Termination control focus
Recover assets, remove access, process benefits.
Termination directional testing
Compare HR Term Listing with access removal dates.
Access removal rule
System access must be removed within 24 hours.
Purchasing and payments processes
Belong to the resource acquisition and payment cycle.
Purchase requisition
Internal request to obtain goods or services.
Purchase order (PO)
External document authorizing purchase from vendor.
Bid rigging
Collusion to predetermine contract winners for kickbacks.
Purpose of receiving report
Verify goods received match purchase order.
Three-way match
Match PO, receiving report, and vendor invoice.
Main fraud risks in payables
Fake vendors, sequential invoices, duplicate invoices.
Shell company
Fake vendor created by an employee to receive payments.
Sequential invoice risk
Vendor may have no other customers; potential fraud.
Duplicate invoice risk
Vendor may double bill to receive extra payment.
Vendor address match risk
Vendor shares address with employee—potential fraud.
SOX
The law that requires companies to establish and assess internal controls
ERD
Shows data at rest
Document Flowchart
Shows document movement
Level 0 DFD
Represents a context overview
DFDs
Do not show who performs tasks
Acquisition and Payment Cycle
HR and Payroll are part of this process
Key Payroll Control
Independent review of payroll calculations
Onboarding Controls
Ensure authorized system access
Unauthorized Access Risk
Occurs if a system user appears in access lists but not HR listings
Access Removal Timeline
Should be removed within 24 hours after termination
Purchase Requisition Initiator
Any department needing goods
Purchase Order
External authorization sent to vendor
Receiving Report
Verifies quantities and condition of goods received
Sequential Invoices Red Flag
Indicates a shell company
Shared Address with Employee
Indicates fraud risk
Duplicate Invoices Risk
May lead to double payment