OVERVIEW:

  • Describe the four types and levels of documentation, their value, and to whom they hold valuable. 
  • Describe the basic elements in a record retention and destruction system. 
  • Describe the source program library management system (SPLMS) and its role in controlling application development. 
  • Describe the conditions under which record must be retained versus the conditions under which they must be destroyed. 
  • Give examples of the conditions under which each type of documentation would be valuable. 
  • Give examples of the value of quality documentation to organizations. 

I. Program Library, Documentation and Record Management 

A. Source code programs are normally maintained in a library under secure storage (the source program library, or SPL) that is maintained by a file librarian. The library, or an archive of the library, should be off-site and built to deal with fires, floods, and other natural disasters. It (obviously) must include the same logical and physical controls as are built into the organization’s other data processing and storage sites. 

B. When new programs are developed or old programs modified, the SPLMS manages the migration from the application development test environment to the active production library. 

C. The SPLMS makes sure that only valid changes are made to the system by checking for all necessary authorizations, and for program modifications, by comparing the new source code to the old source code. Only after verification does the program migrate to the SPL. 

D. Authorized versions of major programs should be maintained in a secure, off-site location. (The external auditor frequently maintains these files.) 

II. Purpose of Documentation

A. Documentation of Accounting System is Required:

  1. It is required by law, as mentioned, in the Foreign Corrupt Practices Act and SOX
  2. To build and evaluate complex systems 
  3. For training
  4. For creating sustainable/survivable systems
  5. For auditing (internal and external)
  6. For process (re-engineering)

III. Levels of Documentation - Four levels of documentation should be maintained; documentation at each level generally includes flowcharts and narrative descriptions. These levels of documentation are mentioned below: 

  • Systems Documentation - 
    • This type of documentation overviews the program and data files. It also overlooks the processing of logic and interactions with each other’s programs and systems. It often includes narrative descriptions, flowcharts and data flow diagrams. It is also used primarily by systems developers and it can also be useful to auditors. 
  • Program Documentation -
    • A program documentation is a detailed analysis of the input data, the program logic, and the data output consists of program flowcharts, source code listings, and record layouts etc. It is used primarily by programmers; program documentation is an important resource if the original programmer is unavailable. 
  • Operator Documentation (Also called the “Run Manual”) -
    • In large computer systems, operator documentation provides information necessary to execute the program such as the required equipment, data files, and computer supplies, execution commands, error messages, verification procedures, and an expected output; used exclusively by the computer operators. 
  • User Documentation - 
    • Describes the system from the point of view of the end user, provides instructions on how and when to submit data and request reports, procedures for verifying the accuracy of the data and correcting errors.

NOTE: All of the preceding controls are general and preventive. 

IV. Forms of Documentation - 

Multiple forms of documentation facilitate the process of creating, documenting, auditing and evaluating accounting systems. Important forms of documentation include the following: 

A. Questionnaires - Ask about the use of specific procedures.

B. Narratives - Text descriptions of processes. 

C. Data Flow Diagrams (DFDs)

  1. Portray business processes, stores of data, and flows of data among these elements
  2. Often used in developing new systems
  3. Use simple, user-friendly symbols (unlike flowcharts)
  4. For example, a DFD for the delivery of goods to a customer would include a symbol for the warehouse from which the goods are shipped and a symbol representing the customer. It would not show details, such as computer processing and paper output. 

D. Flowcharts 

  1. For example, system flowcharts, present a comprehensive picture of the management, operations, information systems and process controls embodied in business processes. 
  2. Often used to evaluate controls in a system
  3. Too complicated and technical for some users. DFDs are easier to understand. 

E. Entity-Relationship (E-R) Diagrams - Model relationships between entities and data in accounting systems. 

F. Decision Tables - Depict logical relationships in a processing system by identifying the decision points and processing alternatives that derive from those decision points. 

V. Record Retention and Destruction

A. Source documents, preferably in electronic form, must be retained as required by organizational policy, business needs, external or internal audit requirements, or applicable law (e.g. the IRS or HIPPAA) or regulation. 

B. Organizations must have a plan to make sure that retained records are kept confidential and secure often under the logical control of the originating departments. 

C. In some cases, laws, regulations or good business practices require the regular, systematic destruction of old records such as medical or credit histories, juvenile or criminal records. Record destruction must follow a systematic, controlled process and must not be haphazard (e.g. thrown into a dumpster). 

  1. For example, privacy laws in about 31 U.S. states require that personal records be destroyed after a fixed time period.