Working In Uncertainty
Examples of controls documentation improvement
There are many aspects to the skill of documenting controls clearly and precisely. Here are just two small illustrations of the difference it can make.
1. In this first example, the original control description is from COSO's Internal Control framework (1992), in the Evaluation Tools volume, written to provide specific examples of good practice:
"The company does not have a formal code of conduct, but expectations of employee conduct are included in a manual. This is provided to all new employees."
This feeble flim flam seems designed to put a positive spin and an impressive gloss on a pitiful scrap of information about a weak control. It is difficult to have any confidence in the auditor or the control. Here's how it could have been described:
"The company does not have a written code of conduct regarding acceptable business practices, conflicts of interest, or expected standards of ethical and moral behaviour. Expectations of employees in relation to expense claims, punctuality, and honest accounting are included within the Employee manual that has been given to all new permanent employees since 2007 (i.e. to less than 20% of the total workforce). This material constitutes 2 pages from a 35-page manual."
This provides a more precise, helpful, and credible understanding of the control. Now we know exactly what it is that they do and can judge what effect it might have.
2. As a second example, consider this control description adapted from an actual audit file:
"Management checks are supported by adequate audit trail as required in the SAP Assurance Guidance."
It is hard to know what 'management checks' and 'adequate audit trail' mean, and it's not clear if the SAP Assurance Guidance details the checks and audit trail documentation or just has a general requirement for an audit trail for any management checks. Also, the phrase 'audit trail' tends to suggest records that allow financial amounts to be traced through the accounting systems. What is more usual for 'management checks' is that there is some kind of auditable evidence that the checks have been carried out.
One logical alternative to the above description might be as follows:
"The SAP Assurance Guidance states a general requirement for management checks to provide auditable evidence that they have been performed."
This situation is one in which there may well have been an exercise to document all the accounting processes and perhaps this included a check that all controls designed into the processes generated some form of auditable evidence of performance. If so, that could be documented as a control and a test of it might be possible.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1992). Internal Control - Integrated Framework. AICPA.
Words © 2012 Matthew Leitch