Browse Auditing and Attestation (AUD)

Using Walkthroughs, Flowcharts, and Narratives to Document Controls

Feb 7, 2025

How auditors document control understanding through walkthroughs, flowcharts, and narratives.

On this page

Walkthroughs, flowcharts, and narratives help auditors understand how transactions move from initiation to recording. The documentation is useful only if it connects process steps to assertions, control points, responsible parties, IT dependencies, and exceptions.

For AUD, these tools support risk assessment and control understanding. A walkthrough traces one transaction or a small selection through the process. A flowchart shows the process visually. A narrative explains the process in writing and can capture context that a diagram omits.

What Each Documentation Method Does

Documentation method Best use Common AUD trap
Walkthrough Confirm that the documented process exists and controls are implemented Treating one walkthrough as full operating-effectiveness testing
Flowchart Show sequence, handoffs, decision points, documents, and approvals Drawing process steps without identifying control points
Narrative Explain roles, systems, frequency, exceptions, and rationale Writing a description that does not link controls to risks
Combined approach Use walkthrough evidence to validate a flowchart or narrative Relying on stale documentation after process or system changes

The auditor chooses the method based on complexity. A simple cash disbursement process may be clear in a narrative. A complex order-to-cash cycle with system interfaces, credit approvals, shipping, invoicing, and collections may need a flowchart plus a narrative.

Walkthroughs

A walkthrough traces a transaction from initiation through authorization, processing, recording, and reporting. The auditor may use inquiry, observation, inspection, and reperformance while following the transaction path.

Walkthroughs help the auditor understand:

  • Whether the process described by management actually exists.
  • Whether controls are designed to address relevant risks.
  • Whether controls have been implemented.
  • Which documents, systems, reports, and people are involved.
  • Where errors, overrides, or exceptions could occur.
  • Whether IT dependencies affect manual or automated controls.

A walkthrough is not the same as a test of operating effectiveness. It can support understanding of design and implementation, but relying on a control usually requires additional evidence about consistent operation over the relevant period.

Flowcharts

Flowcharts are most useful when a process has multiple handoffs, systems, documents, approvals, or decision points. A good audit flowchart does more than show movement. It identifies control points and risk points.

    flowchart TD
	    A["Invoice received"] --> B["Match to purchase order and receiving evidence"]
	    B --> C{"Match within tolerance?"}
	    C -- "Yes" --> D["Approve for payment"]
	    C -- "No" --> E["Route exception for review"]
	    E --> F{"Exception resolved?"}
	    F -- "Yes" --> D
	    F -- "No" --> G["Hold invoice and investigate"]
	    D --> H["Record payable and schedule payment"]

In this example, the decision points matter because they show where controls should operate. The auditor would ask who reviews exceptions, what evidence supports resolution, whether system tolerances can be changed, and whether held invoices are monitored.

Narratives

A narrative explains the process in words. It is especially useful for describing judgment, exception handling, frequency, responsible parties, system names, report names, and why a control addresses a risk.

A strong narrative usually identifies:

  • The transaction source and initiation point.
  • The roles responsible for authorization, recording, custody, and review.
  • Documents, reports, and system screens used.
  • Manual and automated controls.
  • Frequency of controls.
  • Exception handling.
  • Segregation-of-duties considerations.
  • Financial statement assertions affected.

The weakness of a narrative is that it can hide complexity. If the process has many branches, a flowchart may reveal gaps more clearly.

Documentation Quality

Control documentation should be current, risk-linked, and reviewable. The auditor should be able to read the documentation and understand what risk the control addresses and how the auditor confirmed implementation.

Documentation item Why it matters
Process owner Supports inquiry and accountability
System or report used Identifies IT dependencies and report-reliability needs
Control objective Links the control to an assertion or risk
Control performer and reviewer Supports segregation-of-duties evaluation
Frequency Determines expected evidence and sample population
Evidence retained Shows whether the control can be tested
Exception process Indicates whether failures are investigated and resolved

Inquiry alone is generally not enough. The auditor should corroborate process understanding through observation, inspection, or reperformance where appropriate.

Example: Inventory Adjustment Process

A warehouse supervisor can enter inventory adjustments in the inventory module. The accounting department receives a weekly adjustment report and reviews unusual items. The auditor performs a walkthrough for one adjustment from warehouse initiation through accounting review.

The walkthrough shows that:

  • The system allows several warehouse users to enter adjustments.
  • The weekly report is generated automatically.
  • Accounting reviews large adjustments but does not review small recurring adjustments.
  • The report parameters can be changed by the warehouse supervisor.
  • Evidence of review is inconsistent.

This documentation changes the risk assessment. The issue is not only that inventory adjustments exist. The risk is that unauthorized or unsupported adjustments may affect existence, completeness, and valuation of inventory. The auditor may need to evaluate user access, report reliability, review-control design, and substantive inventory procedures.

Common Exam Traps

  • Treating a walkthrough as a full test of operating effectiveness.
  • Relying on inquiry alone to understand implementation.
  • Creating process documentation that does not identify control points.
  • Ignoring IT dependencies in a process that uses system reports or automated approvals.
  • Failing to update documentation after system or personnel changes.
  • Documenting what should happen under policy without identifying what actually happens in practice.

Key Takeaways

  • Walkthroughs validate understanding of design and implementation.
  • Flowcharts show sequence, handoffs, decisions, and control points.
  • Narratives explain context, roles, frequency, exceptions, and rationale.
  • Documentation must link controls to risks and assertions.
  • Current-year process changes can make prior-year documentation unreliable.

Walkthroughs, Flowcharts, and Narratives Quiz

### What does a walkthrough generally trace? - [x] One transaction or a small selection from initiation to recording - [ ] Every transaction in the population - [ ] Only the final journal entry after year-end - [ ] Only the auditor's planned substantive procedures > **Explanation:** A walkthrough usually follows one transaction or a small selection through the process to understand design and implementation. ### Which method is best for showing complex handoffs, approvals, and decision points? - [ ] Management representation letter - [x] Flowchart - [ ] Bank confirmation - [ ] Attorney letter > **Explanation:** Flowcharts visually show process sequence, branches, documents, and control points. ### What is a primary advantage of a narrative? - [ ] It proves that controls operated effectively all year. - [x] It explains process steps, roles, systems, exceptions, and control rationale in writing. - [ ] It replaces all flowcharts for complex processes. - [ ] It eliminates the need to identify assertions. > **Explanation:** Narratives provide written context that may not fit cleanly into a diagram. ### Which flowchart symbol commonly represents a decision point? - [ ] Rectangle - [x] Diamond - [ ] Oval - [ ] Straight line only > **Explanation:** A diamond typically represents a decision or branching point. ### What should process documentation help the auditor identify? - [x] Segregation-of-duties conflicts, missing approvals, and relevant control points - [ ] The exact dollar amount of all misstatements - [ ] The final audit opinion without further evidence - [ ] The client's preferred benchmark for materiality > **Explanation:** Documentation helps identify where controls address risks and where gaps may exist. ### Which is a common documentation pitfall? - [x] Describing policy without confirming what actually happens in practice - [ ] Updating documentation after system changes - [ ] Linking controls to assertions - [ ] Identifying system-generated reports used in the process > **Explanation:** Audit documentation should reflect actual implementation, not merely written policy. ### How can a walkthrough and flowchart work together? - [x] The walkthrough validates the process, and the flowchart depicts the sequence and control points. - [ ] The flowchart eliminates the need to understand control design. - [ ] The walkthrough is performed only after the audit report is issued. - [ ] They are never used on the same process. > **Explanation:** The two methods are complementary: one validates the process and the other depicts it. ### Which process is often suitable for a narrative rather than a detailed flowchart? - [x] A simple process with few steps and limited branching - [ ] A global ERP conversion with multiple interfaces - [ ] A complex revenue cycle with many exception paths - [ ] A multi-location inventory transfer process > **Explanation:** Narratives are efficient for simple processes where a flowchart would add little clarity. ### True or False: A walkthrough by itself usually provides full evidence that a control operated effectively throughout the period. - [ ] True - [x] False > **Explanation:** A walkthrough helps with understanding design and implementation; reliance usually requires additional operating-effectiveness evidence. ### True or False: Process documentation should identify IT dependencies when automated controls or system reports are used. - [x] True - [ ] False > **Explanation:** IT dependencies affect whether automated controls and system-generated reports can be relied on.
Revised on Monday, June 15, 2026
ITGCs & App Controls
Control Limitations