Documenting internal controls – what you need to know
Most companies agree on the value of documenting internal controls – both in terms of ensuring compliance and keeping the company in control. Well-controlled companies are likely to be more profitable because the management is more capable of taking informed decisions and because the level of compliance is often higher, which makes the risk of expensive risk events or incidents lower.
The right amount of control
Having the right level of internal control is generally a balance – sometimes a difficult one. Too much control is wasted effort, while too little control can hurt in relation to ensuring an informed level of knowledge and ensuring that various compliance standards are followed. Efforts should therefore focus on covering the most relevant risks, no more, no less.
Establishing the right amount of control – the challenges
There is probably an established consensus within each company of how documenting internal control should be conducted, but the level of documentation often fluctuates across the company. In general, working with internal controls poses a line of challenges:
- Keeping one level of documentation: Control performers should seek to establish one level of documentation – specific control reviewers may need another level, but both groups should more or less know what should be done.
- Executive reviewers – or reviewers in Group functions – may struggle with understanding the reasons behind certain elements of the control performance on subsidiary or secondary levels. What is considered natural for those, who set the control requirements may be interpreted very different from one subsidiary company to the next. A factor in this relation is often employee perception or the culture in the company – something that is very different from governance.
- Auditors, internal as well as external, are yet another aspect where the different interpretations of internal controls poses a challenge. Auditors must understand the flow of transactions and the outcome hereof, including how transactions are initiated, recorded, authorized, processed, and reported. They may not have the same deep insight in to company activities, which 1st line employees do, and this insight must therefore come from the documentation presented to them.
- A particular area of difficulty is the depth of review performed in the 1st What do a signature and a tickmark mean? Has the reviewer only just seen the documentation? Is he or she agreeing on the results? What exactly was presented to them?
Impero ensures that the same control narratives are deployed to all control performers. Elements like SOP’s, guidelines, templates and flowcharts can be attached to controls. Depending on your requirements, a review flow can be added to the control flow. Documentation is attached to the control, based on your requirements – and you can ask your auditor for advice, to ensure that all levels are satisfied. You can decide who should have access to your documentation. If you wish for 1st, 2nd and 3rd line, and even your external auditors to have access to the documentation, this can be done in a matter of minutes.
Impero is a cloud-based compliance solution that helps keep track of controls, activities and related tasks. Gathering all work in Impero makes accessing, sharing and creating documentation easy and efficient. Being in the cloud, Impero can be accessed from all kinds of devices: smartphones, tablets and computers, and, thanks to the intuitiveness of the platform, implementation takes no time.