Internal Control Documentation: Tips & Best Practices

Internal Control. Business, Technology, Internet and network concept

The PCAOB has been focusing heavily on internal control documentation. In order to ensure auditors can efficiently navigate the control assessment process, control owners need to be more rigorous with documentation.

As experts in helping organizations build robust internal controls and safeguard their people, processes, and systems from threat, our team has outlined some essential tips and best practices to establish internal control documentation success and efficiency.

What is Internal Control Documentation?

Internal control documentation is a central component of a company’s governance and risk management framework and involves the creation of detailed records and descriptions of the internal controls present within an organization.

This includes the policies, procedures, and mechanisms that are put into place to ensure operational efficiency, financial reporting reliability, and compliance with laws and regulations.

Internal Control Documentation Tips & Best Practices for Success

To begin, note who prepared the documentation and who reviewed it in order to clearly indicate the segregation between the preparer and the reviewer.

Add a date to sign-offs to indicate the timeliness of the review and keep evidence of review notes and follow-up questions to indicate review effectiveness.

In addition, maintain a review checklist as a reminder of all the items to review. A checklist also helps to prevent loss of knowledge and necessary checks when the review transitions to a different owner. It is best to notate reviews throughout the workpapers rather than merely signing off on the checklist.

Each audit firm use its own terminology for data and spreadsheets. Typical terms and acronyms used: Information Produced by the Entity (IPE), Key Reports and Spreadsheets, Information Used in the Control (IUC) and key sources of information.

Best practices for documenting review of data

To ensure internal control efficacy, it is essential to check that any data being utilized is complete and accurate. This can be done by:

  • Reviewing the parameters used to generate the reports or data. For example, is the date range, period, or any other filters used appropriate for purposes of the specific control?
  • Comparing record counts of exported data to generated queries.
  • Tying the total of the data to a general ledger account.

The reviewer also needs to document the review of the process used to ensure completeness and accuracy of data and obtain screenshots to evidence review if report does not clearly show dates, record counts etc.

For expert insight into how to establish reliable and effective methods for managing Information Produced by the Entity (IPE), head to our blog: 4 Steps to Achieving IPE Confidence for SOX Compliance.

Best practices for documenting review of spreadsheets

Spreadsheets can range from simple lists to complex calculations. To ensure proper documentation, indicate the review of:

  • Accuracy of input. This is all information entered in the spreadsheet – whether typed, copied, or imported.
  • Accuracy of calculations.
  • Completeness of data used in the spreadsheet.

Best practices for documenting review of estimates and assumptions

Internal control estimates and assumptions involve judgement, which introduces ambiguity and increases audit risk. Add any additional documentation regarding the considerations in determining the appropriateness of the estimates and/or assumptions.

If any of these were determined during discussions or meetings, document a brief note while the information is fresh to note who, when, and what was discussed and any conclusions reached.

Final Thoughts on Internal Control Documentation Tips & Best Practices

When companies take the time to develop a structured approach to internal control documentation, they can best ensure their internal controls are properly designed, implemented, and optimized while emboldening their risk management strategy. Additionally, well documented controls usually result in more efficient audits.

If your organization is looking for additional support to ensure your internal controls function well and are properly documented, our experienced team of risk specialists at Bridgepoint Consulting are here to help you with:

  • Creating a robust system of internal controls.
  • Documenting internal controls.
  • Identifying and mitigating risks.
  • Providing an understanding of how risks can impact your organization.
  • Conducting risk assessments.
  • Assisting with compliance with laws and regulations.
  • Creating an action plan to address the risks not mitigated.
  • Implementing industry-leading IT security and compliance controls and safeguards.