15–9. Create a Control Standards Manual
Auditors are trained to have a good idea of which control standards should be attached to a business process. However, the managers who supervise those processes typically have no idea of which controls are involved. This can result in inadvertent changes to processes by managers who are simply trying to devise more efficient systems, which in turn results in adverse findings by auditors when they conduct reviews.
A reasonable solution is to create a control standards manual for use by process managers. The manual should note the internal control objectives to be met for each business process, as well as the specific procedures used to meet those objectives. The manual can also note how different control points support each other, and what happens when specific controls are removed from the process. The manual can include flowcharts of the processes, noting each control point, as well as forms used in the process. Any reports arising from a process should be noted, describing what information managers should review that can bolster the control objectives. Clearly, this can be an exceedingly dry document (except to internal auditors!), so an audit staff person should walk managers through the manual to highlight its key points. Also, whenever an audit team arrives for any type of review, they should always bring with them the latest version of the control standards manual, making a point of highlighting key changes to it. Only by this constant ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access