How Do I ... Document Internal Controls?
Internal control documentation can take various forms. In most instances, internal auditors use flowcharts supplemented by narrative descriptions as a starting point. Once these items are completed, auditors often use risk and control matrices for more specific analysis. These methods, as well as internal control questionnaires (ICQs) and policy and procedure manuals, constitute the most well-known and commonly used forms of control identification and documentation.
Flowcharts describe the flow of activity through a process, as well as the relevant documentation. The main output is a process map — a graphical representation of events performed by a group of people. Process maps can help auditors better understand business processes; save time on communicating and confirming business processes with management; identify risks, controls, deficiencies, and inefficiencies; and develop recommendations for improvements.
Narrative Descriptions provide a useful supplement to flowcharting documentation by detailing existing practices and thereby minimizing potential misunderstandings. Independently, however, narrative descriptions do not serve as an effective tool for process description — they can be lengthy and difficult to review, and typically are not considered user friendly.
ICQs list answers to questions related to the identification and evaluation of internal controls. Effective ICQ documents comprise a carefully structured, logically sequenced series of questions that help management and internal auditors document processes and highlight control gaps, strengths, and weaknesses within a system. Questionnaire results provide a permanent record of the controls at both an entity and process level.
Risk and Control Matrices are designed both to document risks and controls and to facilitate evaluation of the design and effectiveness of the control system. By obtaining an initial understanding of the expected controls in a process, internal auditors can identify gaps between actual controls and specific control objectives and risks.
Policy and Procedure Manuals establish a systematic framework and sound guidelines for the specific processes and activities of an organization. Manuals typically incorporate relevant internal controls in writing as a means of adequately managing organizational risks. Through these manuals, organizations communicate their philosophy on managing specific processes, ensuring alignment with organizational goals as well as with performance improvement objectives.
Adapted from "Documenting Internal Controls," by Andreas G. Koutoupis, MIIA, PIIA, CCSA (Internal Auditor, "Back to Basics," October 2007).