An approach to defining an internal control regime was outlined in a previous post (see: Defining Internal Controls). When it comes to documenting the control strategy, typically a list is made for each process or process area.
A simple list of controls will include:
- Control objectives
- Risks to be managed
- The internal controls themselves.
Such a list for a Purchase to Pay process (P2P) might look like the Excel example below.
A further step is to map the controls to the process steps, showing where the controls are applied. This is easily done by adding a column and entering details of the process steps.
Where the process has been mapped, it is straightforward to annotate the diagram with the controls, linking them to the process steps where they are applied, as in the example below.
Software such as Visio can be used to map the process, and contains ready-defined objects to represent internal controls (in Visio, use the object called "Control transfer").
Add these objects to the process map wherever a control is to be applied. Change the format, such as colour and size, to help the controls stand out. The controls may be added as a separate layer or overlay to an existing or new map.
To record the details of a control, edit the object's fields (in Visio, first create a custom set of these fields as part of the "Shape Data").
The advantage of this approach is the tight integration of the controls with the process definition and mapping. When considering implementation or process improvement, one can be sure that all details relevant to the process are contained within a single source, in this case the process map.
With software like Visio, it's possible to "report" from the map to create lists of the controls, taking the place of the simple lists illustrated at the start of this post.