Write It Down — The Importance Of Documenting Internal Controls
“If it’s not written down, it doesn’t exist.”
So goes the mantra of the executive charged with documenting and
implementing internal controls. In today’s paperless, wireless,
digital business environment, there are even more compelling reasons
for documenting not only how controls are designed to work, but
also evidence that controls are being implemented and are functioning
In the real world, many officials prefer to simply put controls
in place and let them operate. This preference does not usually
arise from any nefarious intent. Instead, it may stem from
a lack of resources, or from an official who does not understand
the credibility that a written document creates.
When asked to attest to the effectiveness, or verify the design
and implementation, of an organization’s internal controls, auditors
need to see written documentation that the controls are designed
to be effective, and must be able to gather evidence that they have been
implemented and are working effectively.
The Importance of Written Documentation
Public companies are required by regulations — Sarbanes-Oxley among
them — to formalize control procedures in writing. Privately held
companies and other organizations also have an interest in the benefits
that result from formalizing and documenting their internal control
procedures. By establishing, monitoring and continuously updating
written documentation of internal control policies and procedures,
- Enhance guidance for implementation of controls
- Reduce the risk of errors and fraud
- Address higher risk areas to mitigate the related risks of error
- Address conflicting duties, including segregation of duties
- Provide evidence that the controls are designed to operate effectively
- Provide a basis for training new personnel
Written documentation should address a complete process from beginning
to end. The documentation should specifically address and highlight
areas where errors may be more likely to occur in the financial
reporting process, and the internal control processes and procedures
that have been designed to prevent them. Documentation may be considered
sufficient when it:
- Addresses specific risks of errors (or fraud) in a process,
or where controls are needed
- Describes the controls to prevent and detect identified risks
- Indicates who should perform these controls, including who should
perform the control when the person with primary responsibility
- Indicates how the control will be performed
- Describes what physical evidence, or documentation, is maintained
to show that the controls have been performed (e.g. signing a
document to indicate approval)
- Describes what physical evidence will remain, if any, to provide
evidence that controls are implemented as designed
Where to Begin?
An organization should begin by considering the processes that
provide the greatest exposure to risk, whether it is from an undetected
error, or from intentional fraud.
An example would be the risk/exposure that payments may be made
to unauthorized vendors. Identify what controls are in place to
mitigate this risk, including who is responsible for the control,
and how the performance of the control is documented. Let’s say
that a person outside of the accounts payable processing function
requests a new vendor setup. This is approved and established in
the accounting system by an employee who is not involved in the
check disbursement process, such as the credit manager. The documented
control processes might require that the accounts payable personnel
make payments only to vendors that have been established in the
system, or pre-authorized.
Continue this procedure to ensure that controls are in place to
mitigate the risks of error or fraud for all key processes in the
organization. It is important to understand, however, that the process
does not end here. Processes and controls must be continually re-evaluated
for the changing control environment. Today, changes in technology
often necessitate changes in internal control processes. Ensure
that controls as designed have been implemented by those responsible
for their performance.
Internal controls are all about mitigating exposure to risks, but
remember that even a strong internal control environment is not
absolute assurance that the organization will remain free from error
or fraud. However, failure to prioritize internal controls is likely
to result in errors, or even fraud, in financial reporting.
Who Has Authority to Authorize?
On an audit of a small company, the audit professional was discussing
approval of disbursements with the CFO, who was relatively new to
the company. When asked, the CFO was able to provide the names of
four people who could approve purchase orders and invoices for payment.
In later discussions with the accounts payable clerk, the auditor
learned of eight people in varying departments who were actually
approving invoices for payment. When this was brought to the attention
of the CFO, he did not agree with some of the eight individuals
who the accounts payable clerk believed were authorized to approve
invoices. Discussions began immediately to develop written policies
on these and other control issues.
In a sense, both lists were correct, because neither was formally
documented. Discrepancies like this create risk and open the door
to fraud and errors in financial reporting.