Setting the Scope of Your Documentation Project

Identifying the Core


The essential starting point for determining the extent of documentation you should include in your project is a clear statement of your objectives. Regardless of whether you are formally reporting on your controls or not, you should initially cast a broad net across your entity and reduce the focus on the exclude accounts or transactions streams only as evidence concludes that risks are low. The new COSO guidance emphasizes this as a precursor to risk assessment since the identified risks relate to the objectives.

To meet the minimum documentation standards expected for any project, you probably can cut out the very minor (trivial) revenue streams and locations that individually are clearly insignificant in terms of assets, revenues, and income. Unfortunately, there is no consensus on where a bright-line minimum might be. Early on, auditors working with large public clients were bludgeoned into including just about everything with a dollar sign in the reporting on internal controls project because of the early interpretations of the guidance in Public Company Accounting Oversight Board (PCAOB) Auditing Standard (AS) No. 2. Now that that standard has been replaced (AS No. 5) with a more risk-based standard than the original. Nonpublic companies follow similar guidance ...

Get Internal Control Audit and Compliance: Documentation and Testing Under the New COSO Framework now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.