Internal Control Documentation Tips

Since I teach a lot of internal control seminars, people are asking me how to ‘idiot proof’ their systems against fraud. Sorry, it can’t be done. As long as humans are prone to error, people will find ways to beat systems; it’s in our nature to improvise, adapt, and overcome problems we face. That having been said, I have come across some innovative ways to document and search for weaknesses in internal controls over the last couple of years.

The keys I have seen are to keep things understandable and focus on the average reader. Sure, you’ll want to mention the location of key database files as UNC paths (think names like \\luther\apps\appname\database.mdb), but keep the overview focused on the big picture. If you find yourself creating diagrams on large format paper, you need to break things up. My experience has been that your average retail/wholesale/manufacturing company user can’t comprehend a diagram on large format paper – it’s just sensory overload.

Because half of the people viewing your diagrams are visual learners, it’s important to use diagrams, flowcharts, and color. I have a flowchart template for Excel which is available from my website. The visual items make it easier to grasp the whole system without initially getting bogged down in the details.

Color can be used in listings of duties to identify potential segregation issues. Three colors of highlighters – one blue, one yellow, and one orange – can be used to identify tasks as either access to assets, recordkeeping, or approval/override. The lists of duties by employee can then be reviewed, and if an employee has more than one color highlighting in their list of duties for, say, the revenue cycle, the duties should be reviewed to see if they are consistent with each other.
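The same highlighter review can be run over a duty listing kept in a spreadsheet or export. The sketch below is an added example, not part of the original post; the employee names, cycles, tasks, and the category labels `assets`, `records`, and `approval` are constructed for illustration.

```python
from collections import defaultdict

# The three highlighter categories from the post (labels are assumptions).
CATEGORIES = {"assets", "records", "approval"}

# Constructed sample duty listing: (employee, cycle, task, category).
DUTIES = [
    ("Avery", "revenue", "Opens mail and prepares bank deposit", "assets"),
    ("Avery", "revenue", "Posts customer payments to A/R", "records"),
    ("Blake", "revenue", "Approves customer credit memos", "approval"),
    ("Blake", "purchasing", "Enters vendor invoices", "records"),
    ("Casey", "purchasing", "Approves vendor invoices for payment", "approval"),
    ("Casey", "purchasing", "Signs checks", "assets"),
    ("Casey", "revenue", "Reconciles A/R subledger", "records"),
]


def find_conflicts(duties):
    """Return {(employee, cycle): {category: [tasks]}} for every employee
    who holds more than one category of duty within the same cycle."""
    grouped = defaultdict(lambda: defaultdict(list))
    for employee, cycle, task, category in duties:
        if category not in CATEGORIES:
            # An unclassified duty would silently hide a conflict, so fail loudly.
            raise ValueError(f"unknown category {category!r} for task {task!r}")
        grouped[(employee, cycle)][category].append(task)
    return {
        key: dict(cats)
        for key, cats in sorted(grouped.items())
        if len(cats) > 1
    }


def report(duties):
    """Format each conflict as review lines, one block per employee and cycle."""
    lines = []
    for (employee, cycle), cats in find_conflicts(duties).items():
        lines.append(f"{employee} / {cycle} cycle: {', '.join(sorted(cats))}")
        for category in sorted(cats):
            for task in cats[category]:
                lines.append(f"    [{category}] {task}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DUTIES)))
```

A flagged entry is a prompt for the review the post describes, not proof of a weakness; duties split across different cycles, as with Blake here, are not flagged.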
