Simplifying the Audit Process with FLODocs

The audit process can be a daunting task for any company. It is a complex process that requires precise and error-free documentation. Yet there are things that companies can do to simplify their audit process. First, it is important to understand the main things auditors want to know:

  • Have material risks been identified?
  • Have controls been established to mitigate risks?
  • Among these controls, are there strong IT practices that will ensure the reliability of the financial data?

Next, auditors conduct two types of audits, Financial and IT. These two types of audits are intertwined. If you don’t have strong general IT controls, then it is difficult for auditors to have confidence in your financial information, especially since they are dealing with highly customized systems like NetSuite or Salesforce.

With IT controls, auditors expect you to have policies that:

  • Are easy to understand.
  • Mitigate the risk that somebody could do something damaging to the business without proper oversight.
  • Are followed and can be proven true.

Although not all changes to a system have material risks, without FLODocs, auditors expect you to go through each change that was made to the system and identify whether:

  • It had material risk.
  • The appropriate level of review and management took place.
  • The change can be traced back to the actual record to prove that your policy is being followed.

This is a manual and time-consuming process. Many businesses try to take shortcuts by disregarding certain types of objects. An example of this is saved searches, which can be very difficult to sort through. Even if it’s true that most saved searches do not have any material risk associated with changing them, changing a saved search that is used as a control in a financial area certainly does.

Similarly, changing a saved search that is tied to scripting, an integration process or a workflow could potentially have material risks associated with it. Overall, these types of approaches do not tend to work effectively.

By implementing FLODocs, this entire path can be completed by:

  • Creating policies that are easy to understand.
  • Having different levels of scrutiny for different types of objects.
  • Providing comprehensive change reporting.

Some objects may not need any approval or testing to change them, such as somebody changing their own saved searches, while other objects might need approval. Still others, such as scripts, workflows or anything associated with a workflow, could need more than an approval, such as an actual formal deployment process.

FLODocs provides all these capabilities. It also provides automatic assessment of which changes fall into which area, such as automatic matching of changes to the supporting change records, change requests and deployment records. This makes it very straightforward to:

  1. Understand the policies.
  2. Follow the policies.
  3. Audit your compliance with these policies.

For the financial audit, there are two parts:

  1. Auditing the actual finances themselves by making sure things are posted in the right area, and
  2. The part that relates to FLODocs, which is the auditing of the controls themselves.

To get through a controls audit, you must be able to:

  • Identify the control and any changes to the control that occurred during the development period.
  • Prove the control was in fact checked on a sufficiently timely basis to ensure that it did its job correctly.

FLODocs and its companion product FLOAgent can help by:

Allowing you to track material risks directly within NetSuite, creating material risk records and tying those records to the saved searches, starting, for example, with the ones you use to monitor data to make sure your controls are being followed.

You can then direct FLOAgent to automatically check those controls for you and automatically log any violations of those controls. Therefore, when the auditors come in, instead of having to check multiple reports, they can now simply check one report. This one report has all the violations that occurred during the development period, most of which have already been reviewed by management and have been cleared.

When auditors come in, you can say with 100 percent confidence that you know every violation of your controls, with a list of violations that have been reviewed by management. An example of this is a customer who used these techniques and went from being one of the most criticized companies in their corporate group (in terms of complexity of their audit) to being the global example of audit compliance.

 

If you would like more information about how FLODocs can help simplify your audit process, please contact us at info@flodocs.com.

Blog | David Lin | Auditing