One of the fundamental activities carried out by internal control specialists and internal auditors is the mapping of operational processes that will be evaluated.
First of all, it is
important to understand that an operational process is a set of tasks logically
organized with the aim of delivering products or services that add value. It
allows management to better allocate resources, actions, and decisions to achieve
strategic goals and objectives. Thus, it becomes clear that a process only
makes sense if it is connected to the company's strategy.
Another important point is
that each process must have a responsible manager who handles the management
functions — that are planning, organizing, directing, executing, and
monitoring. This manager is also responsible for risk management and the
internal control system of the process.
Process mapping is an
essential practice both when modeling new processes and when assessing existing
ones, to verify if they are efficient, effective, and economical. Additionally,
mapping is indispensable for analyzing whether the internal control system is
sufficient to keep risks at acceptable levels, aligned with the organization's
risk appetite.
In a performance or
operational audit, mapping is part of the planning phase.
Nowadays, it is very common
to use the BPM methodology to design processes, but it does not clearly
distinguish between a task and an internal control. As a result, the outcome
often looks more like a block diagram than a flowchart that is useful for a more
precise evaluation.
This article aims to
propose a reflection: how can we improve this mapping, making it simpler and,
at the same time, more effective for evaluating both the process and the
internal control system?
The first point concerns
the way the process is mapped. It works better when conducted through planned
interviews with those who perform the tasks on a daily basis. In these
interviews, the specialist or auditor needs to have the skills to clearly
identify what a task is and what is a control.
Put simply:
- An internal control is an action aimed
     at reducing the probability of a risk materializing. For example: reviewing, checking, recalculating, approving,
     authorizing, among others.
- A control is a decision point: if everything
     is correct, the process continues; if not, it returns for correction. In
     the flowchart, the control should be represented by a diamond shape (also
     known as a gateway).
On the other hand:
- A task is an execution action, such as
     recording, demonstrating, archiving, or relating information. In the flowchart, it is represented by a rectangle.
With this, notice how we
can simplify: it is enough to use three symbols to create the flowchart:
- A circle to mark the beginning and end
     of the process,
- A rectangle for the tasks,
- And a diamond for the controls.
This model makes the
flowchart clearer, more objective, and easier to use in the evaluation.
I personally like to use
the "swimlane" format in the flowchart, where horizontal bands
indicate the roles or functions involved in the process. This helps to better
visualize whether there is a good segregation of responsibilities, which is essential
to avoid failures.
Keep in mind: the flowchart
must always represent the process as it is currently carried out, not as we
would like it to be. Therefore, after mapping, it is essential to validate it
through a "walkthrough", that is, walking through the process together
with the person responsible, to confirm that what is described is accurate.
In the end, we will have a
clear view of:
- All the tasks of the process,
- All the existing internal controls.
These elements are the
basis for assessing:
- Whether the process is efficient and
     effective,
- Whether the internal control system is
     sufficient and effective.
All internal controls
identified must be recorded in the internal control matrix, where they will be
organized to facilitate analysis.
I am often asked: “Is it
necessary to identify risks in the flowchart?” My answer: it is not mandatory,
but there is also no problem in doing so. If you wish, you can include this
information, linking it to the process risk matrix.
I hope this article has
helped you reflect on the topic and, perhaps, improve your process of mapping
operational processes.
I wish you great success
and, Be Happy!

