Clifton Gunderson

Spring 2010

Write It Down — The Importance Of Documenting Internal Controls In Writing

“If it’s not written down, it doesn’t exist.”

So goes the mantra of the executive charged with documenting and implementing internal controls. In today’s paperless, wireless, digital business environment, there are even more compelling reasons for documenting not only how controls are designed to work, but also evidence that controls are being implemented and are functioning effectively.

In the real world, many officials prefer to simply put controls in place and let them operate. This preference is not usually out of any underlying nefarious intent. Instead, it may be necessitated by a lack of resources, or by an official who does not understand the credibility created by a written document.

When asked to attest to the effectiveness, or verify the design and implementation, of an organization’s internal controls, auditors need to see written documentation that the controls are designed to be effective, and be able to gather evidence that they have been implemented and are working effectively.

The Importance of Written Documentation

Public companies are required by regulations — Sarbanes-Oxley among them — to formalize control procedures in writing. Privately held companies and other organizations also have an interest in the benefits that result from formalizing and documenting their internal control procedures. By establishing, monitoring and continuously updating written documentation of internal control policies and procedures, management can:

  • Enhance guidance for implementation of controls
  • Reduce the risk of errors and fraud
  • Address higher risk areas to mitigate the related risks of error or fraud
  • Address conflicting duties, including segregation-of-duties issues
  • Provide evidence that the controls are designed to operate effectively
  • Provide a basis for training new personnel

Written documentation should address a complete process from beginning to end. The documentation should specifically address and highlight areas where errors may be more likely to occur in the financial reporting process, and the internal control processes and procedures that have been designed to prevent them. Documentation may be considered sufficient when it:

  • Addresses specific risks of errors (or fraud) in a process, or where controls are needed
  • Describes the controls to prevent and detect identified risks
  • Indicates who should perform these controls, including who should perform the control when the person with primary responsibility is away
  • Indicates how the control will be performed
  • Describes what physical evidence, or documentation, is maintained to show that the controls have been performed (e.g. signing a document to indicate approval)
  • Describes what physical evidence will remain, if any, to provide evidence that controls are implemented as designed

Where to Begin?

An organization should begin by considering the processes that provide the greatest exposure to risk, whether it is from an undetected error, or from intentional fraud.

An example would be the risk/exposure that payments may be made to unauthorized vendors. Identify what controls are in place to mitigate this risk, including who is responsible for the control, and how the performance of the control is documented. Let’s say that a person outside of the accounts payable processing function requests a new vendor setup. This is approved and established in the accounting system by an employee who is not involved in the check disbursement process, such as the credit manager. The documented control processes might require that the accounts payable personnel make payments only to vendors that have been established in the system, or pre-authorized.

Continue this procedure to ensure that controls are in place to mitigate the risks of error or fraud for all key processes in the organization. It is important to understand, however, that the process does not end here. Processes and controls must be continually re-evaluated for the changing control environment. Today, changes in technology often necessitate changes in internal control processes. Ensure that controls as designed have been implemented by those responsible for their performance.

Internal controls are all about mitigating exposure to risks, but remember that even a strong internal control environment is not absolute assurance that the organization will remain free from error or fraud. However, failure to prioritize internal controls is likely to result in errors, or even fraud, in financial reporting.

Who Has Authority to Authorize?

On an audit of a small company, the audit professional was discussing approval of disbursements with the CFO, who was relatively new to the company. When asked, the CFO was able to provide the names of four people who could approve purchase orders and invoices for payment. In later discussions with the accounts payable clerk, the auditor learned of eight people in varying departments who were actually approving invoices for payment. When this was brought to the attention of the CFO, he did not agree with some of the eight individuals whom the accounts payable clerk believed were authorized to approve invoices. Discussions began immediately to develop written policies on these and other control issues.

In a sense, both lists were correct, because neither was formally documented. Discrepancies like this create risk and open the door to fraud and errors in financial reporting.
