
Documenting internal controls: identifying and recording organizational controls has become common practice for many audit professionals

By Andreas G. Koutoupis | Internal Auditor - Oct, 2007



The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as a process, effected by the board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives. Controls should promote efficiency, reduce the risk of asset loss, and ensure the reliability of financial statements and compliance with relevant laws and regulations.

Internal controls include policies, procedures, and practices at every organizational level, and both management and internal auditors must possess a thorough understanding of controls to document them. Reasons for documentation vary, but often stem from regulatory requirements. For example, management in companies listed on the New York Stock Exchange is required to evaluate and document internal controls periodically to provide reasonable assurance regarding the reliability of financial reporting. In addition, The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) recommend a periodic evaluation of the adequacy of the organization's control systems, and, in many companies, management and other stakeholders require an assessment of control effectiveness and efficiency.

Regulatory requirements, professional guidelines, and company mandates provide good reason for internal auditors to develop control documentation skills. With the right methods and tools, auditors can achieve a better understanding of controls and help management determine which documentation methods might best serve organizational needs.

IDENTIFYING CONTROLS

Before documenting internal controls, auditors need to identify them, as well as consider the relevant objectives and risks at the entity and process level. Controls must reduce risk to an acceptable level, but not at excessive cost. Management establishes internal controls in response to risk, whether viewed as opportunities, uncertainties, or hazards.

Controls can be identified at every level of the organization, across all five COSO components:

* Control environment.

* Risk assessment.

* Control activities.

* Information and communication.

* Monitoring.

Along each of these areas, auditors can gather risk and control information through interviews, facilitated sessions, surveys, document examination, analytical procedures, and observation. The information obtained via these methods becomes the basis for clearly identifying, documenting, and rating the importance of each control. For this reason, documentation must be well-organized and consistent.

CONTROL OBJECTIVES

In addition to detailing risks and controls, control documentation needs to identify control objectives clearly. To better understand the control objectives related to an activity, process, or system, internal auditors can reference regulatory compliance documentation from relevant authorities, including capital market regulators and central banks. Auditors can also leverage freely available Internet resources such as those found on AuditNet.org and The IIA's Web site, www.theiia.org.

Control objectives may be articulated in a variety of documents, including the organization's mission statement, strategic plan, business plans, and budgets. Internal auditors can use a risk and control matrix that incorporates COSO concepts to document the objectives and the relevant risks identified. Control objectives should be established mainly for the operating and compliance elements of COSO and should address information processing objectives:

* Completeness -- what prevents duplicate postings by the system?

* Accuracy -- what ensures accurate data input?

* Validity -- what prevents unauthorized transactions?

* Restricted access -- what ensures data confidentiality?

Control objectives should address specific organizational risks, such as those related to strategy, operations, reporting, and compliance.

UNDERSTANDING CONTROLS

To document internal controls effectively, internal auditors must understand the flow of transactions, including how transactions are initiated, recorded, authorized, processed, and reported. Auditors must also identify and document the risks within the process, including fraud risk, and identify and document the controls that should be implemented to manage those risks.

Internal auditors must be able to determine which controls are necessary to the process, activity, or system under review in light of the risk profile and desired level of control. Management is responsible for establishing adequate business processes and measuring performance, as well as determining how best to monitor the operating effectiveness of enterprise processes and controls. Internal auditors should consider these responsibilities when documenting either formal (written) or informal (undocumented) controls.

TYPES OF DOCUMENTATION

Internal control documentation can take various forms, including flowcharts, policy and procedure manuals, and narrative descriptions. No one particular form of documentation is required by The IIA's Standards, and the extent of documentation may vary depending on the complexity of the area. Depending on the nature of the organization, control documentation may range from generic guidelines to detailed written policies and procedures.

In most instances, internal auditors use flowcharts supplemented by narrative descriptions as a starting point for documentation work. Once these items are completed, auditors often use risk and control matrices for more specific analysis. These methods, as well as internal control questionnaires (ICQs) and policy and procedure manuals, constitute the most well-known and commonly used forms of control identification and documentation.

FLOWCHARTS Auditors use flowcharts to describe the flow of activity through a process, as well as the relevant documentation. The main output of a flowchart is a process map: a graphical representation of events performed by a group of people. Process maps can help auditors better understand business processes; save time on communicating and confirming business processes with management; identify risks, controls, deficiencies, and inefficiencies; and develop recommendations for improvements. They enhance supervisory review and provide a method of recording systems in considerable detail.

NARRATIVE DESCRIPTIONS Narratives describe process flows in written form, without graphical representations. They provide a useful supplement to flowcharting documentation by detailing existing practices and thereby minimizing potential misunderstandings. Independently, however, narrative descriptions do not serve as an effective tool for process description: they can be lengthy and difficult to review, and typically are not considered user friendly.

INTERNAL CONTROL QUESTIONNAIRES Completed ICQs list answers to questions related to the identification and evaluation of internal controls. Effective ICQ documents comprise a carefully structured, logically sequenced series of questions that help management and internal auditors document processes and highlight control gaps, strengths, and weaknesses within a system. Questionnaire results provide a permanent record of the controls at both an entity and process level. Typically, ICQs present information in a format that is easy for external parties (such as external auditors and regulatory review bodies) to understand, and help simplify and expedite the control evaluation process.

RISK AND CONTROL MATRICES Risk and control matrices link controls with control objectives and related risks. They are designed both to document risks and controls and to facilitate evaluation of the design and effectiveness of the control system. By obtaining an initial understanding of the expected controls in a process, internal auditors can identify gaps between actual controls and specific control objectives and risks.

POLICY AND PROCEDURE MANUALS Policy and procedure manuals establish a systematic framework and sound guidelines for the specific processes and activities of an organization, facilitating effective implementation of business strategy on both a strategic and operational level. Manuals typically incorporate relevant internal controls in writing as a means of adequately managing organizational risks. Through policy and procedure manuals, organizations communicate their philosophy on managing specific processes, ensuring alignment with organizational goals as well as with performance improvement objectives.

SOUND DOCUMENTATION

There are many techniques internal auditors can use to identify and document internal controls. Best practice includes the use of flowcharts, narrative descriptions, ICQs, risk and control matrices, and review of enterprise policy and procedure manuals and other relevant documentation. Regardless of the specific methods used, auditors should pay close attention to the control documentation process, as they will rely on these documents when evaluating controls at a later stage. Control evaluations cannot be performed effectively unless all key risks and controls are adequately identified and documented.

ANDREAS G. KOUTOUPIS, MIIA, PIIA, CCSA, is a senior manager at PricewaterhouseCoopers in Athens, Greece.

To comment on this article, e-mail the author at andreas.koutoupis@theiia.org.

To submit a "Back to Basics" article for consideration, e-mail Internal Auditor's editors at editor@theiia.org.

COPYRIGHT 2007 Institute of Internal Auditors, Inc. Reproduced with permission of the copyright holder.
Further reproduction or distribution is prohibited without permission.

Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

NOTE: All illustrations and photos have been removed from this article.