Documenting Controls
What gets measured gets done! After describing the control in great and glorious detail, remember to answer the questions below when documenting it:
- When? What triggers the need for this control? A transaction, an event? Does it happen every day, week, month, year?
- Why? Adults need to know why! Otherwise, they won’t make implementing the control a priority.
- Who? Name an accountable party responsible for designing and implementing the control. Don’t name names. Instead, identify and document a particular role in case individuals change roles.
- Tools? Do you need any specific technology, tools or skill sets to implement the control? How can the tools be accessed?
- Exceptions. In what cases can this control be bypassed or overridden? From time to time, we need to break the rules in order to get where we want to go.
More Detailed Questions to Answer
To truly refine your control documentation, I highly recommend answering all the questions below:
- What is the control?
- What is the control objective?
- Why is the control important? Give the control a broader context and describe, in detail, how the task contributes to organizational goals.
- Any guidelines, specifications or constraints related to this control?
- Any deadlines or specific timelines to implement the control or achieve the control objective?
- When is the control applicable? For example, is there a trigger? A time of day? Upon a certain transaction?
- Any quality standards?
- Any budget limitations or cost considerations?
- Does this control impact profitability or other financial goals?
- Any specific tools or technology needed?
- Who is responsible for achieving the control objective?
- Any specific skill sets necessary to achieve the control objective?
- Any other specific resources necessary?
- What are the expected outcomes? In other words, what does success look like?
- Any related deliverables to evidence the achievement of the control objective or implementation of the control?
- Any related KPI or performance measures? For this purpose, consider the whole family of performance metrics including input, process, output and outcome metrics.
- Which component of the COSO model does the control address?
- What challenges or obstacles exist to achieve the control objective? What strategies mitigate these challenges or overcome these obstacles?
- Are there any dependencies or collaborations required to achieve the control objective?
- Is this a key control? In other words, is it a priority over other controls?
- Are there any special instructions or preferences?
- If so, how are these expectations communicated to responsible parties and stakeholders?
- How often will this control be evaluated and improved?
- Any consequences for not implementing this control? Any rewards for achievement of the control objective?
- What are exceptions to this control? Under which circumstances should it be bypassed?
- Any supporting documentation necessary to illustrate the control more clearly?
- What are the definitions of terms and acronyms?
- What feedback mechanisms exist for this control and control objective? How are unintended consequences considered and addressed?