Documenting Internal Controls: Identifying and Recording Organizational Controls Has Become Common Practice For Many Audit Professionals
Internal controls include policies, procedures, and practices at every organizational level,
and both management and internal auditors must possess a thorough understanding of
controls to document them. Reasons for documentation vary, but often stem from
regulatory requirements. For example, management in companies listed on the New York
Stock Exchange is required to evaluate and document internal controls periodically to
provide reasonable assurance regarding the reliability of financial reporting. In addition,
The IIA's International Standards for the Professional Practice of Internal Auditing
(Standards) recommends a periodic evaluation of the adequacy of the organization's
control systems, and, in many companies, management and other stakeholders require
an assessment of control effectiveness and efficiency.
IDENTIFYING CONTROLS
Before documenting internal controls, auditors need to identify them, as well as consider
the relevant objectives and risks at the entity and process level. Controls must reduce
risk to an acceptable level, but not at excessive cost. Management establishes internal
controls in response to risk, whether viewed as opportunities, uncertainties, or hazards.
Controls can be identified at every level of the organization, across all five COSO
components:
* Control environment.
* Risk assessment.
* Control activities.
* Information and communication.
* Monitoring.
Across each of these areas, auditors can gather risk and control information through
interviews, facilitated sessions, surveys, document examination, analytical procedures,
and observation. The information obtained via these methods becomes the basis for
clearly identifying, documenting, and rating the importance of each control. For this
reason, documentation must be well-organized and consistent.
CONTROL OBJECTIVES
In addition to detailing risks and controls, control documentation needs to identify control
objectives clearly. To better understand the control objectives related to an activity,
process, or system, internal auditors can reference regulatory compliance documentation
from relevant authorities, including capital market regulators and central banks. Auditors
can also leverage freely available Internet resources such as those found on
AuditNet.org and The IIA's Web site, www.theiia.org.
Control objectives should address specific organizational risks, such as those related to
strategy, operations, reporting, and compliance.
UNDERSTANDING CONTROLS
To document internal controls effectively, internal auditors must understand the flow of
transactions, including how transactions are initiated, recorded, authorized, processed,
and reported. Auditors must also identify and document the risks within the process,
including fraud risk, and identify and document the controls that should be implemented
to manage those risks.
Internal auditors must be able to determine which controls are necessary to the process,
activity, or system under review in light of the risk profile and desired level of control.
Management is responsible for establishing adequate business processes and
measuring performance, as well as determining how best to monitor the operating
effectiveness of enterprise processes and controls. Internal auditors should consider
these responsibilities when documenting either formal (written) or informal
(undocumented) controls.
TYPES OF DOCUMENTATION
Internal control documentation can take various forms, including flowcharts, policy and
procedure manuals, and narrative descriptions. No one particular form of documentation
is required by The IIA's Standards, and the extent of documentation may vary depending
on the complexity of the area. Depending on the nature of the organization, control
documentation may range from generic guidelines to detailed written policies and
procedures.
FLOWCHARTS: Auditors use flowcharts to describe the flow of activity through a process,
as well as the relevant documentation. The main output of a flowchart is a process map--
a graphical representation of events performed by a group of people. Process maps can
help auditors better understand business processes; save time on communicating and
confirming business processes with management; identify risks, controls, deficiencies,
and inefficiencies; and develop recommendations for improvements. They enhance
supervisory review and provide a method of recording systems in considerable detail.
RISK AND CONTROL MATRICES: Risk and control matrices link controls with control
objectives and related risks. They are designed both to document risks and controls and
to facilitate evaluation of the design and effectiveness of the control system. By obtaining
an initial understanding of the expected controls in a process, internal auditors can
identify gaps between actual controls and specific control objectives and risks.
There are many techniques internal auditors can use to identify and document internal
controls. Best practice includes the use of flowcharts, narrative descriptions, internal
control questionnaires (ICQs), risk and control matrices, and review of enterprise policy
and procedure manuals and other
relevant documentation. Regardless of the specific methods used, auditors should pay
close attention to the control documentation process, as they will rely on these
documents when evaluating controls at a later stage. Control evaluations cannot be
performed effectively unless all key risks and controls are adequately identified and
documented.
To submit a "Back to Basics" article for consideration, e-mail Internal Auditor's editors at
editor@theiia.org.
COPYRIGHT 2007 Institute of Internal Auditors, Inc. Reproduced with permission of the copyright holder.
Further reproduction or distribution is prohibited without permission.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.
NOTE: All illustrations and photos have been removed from this article.