Wording of Control Descriptions and narrative 2602



  • Is it okay to word controls and narratives in such a way that it is extremely generic. For example ‘The cash reconciliation is performed by an appropriate finance individual’ ?
    I know a manager who wishes to do this for all of our documentation so that our external auditors cannot fail us on the basis of wording of who performs the control (e.g. Revenue Manager vs Director of Accounting, etc).
    They want to apply this to our entire narrative so that you can never tell exactly who is responsible for what.



  • I would not advocate this approach.
    Controls should not fail on wording, they should fail on how well, or not, they are performed.
    Who performs, and reviews, a control is extremely important as if that individual is not appropriate the control can fail.
    A sensible convention is to indicate the ‘who performs’ by title rather than the individual’s name.



  • I agree with Dennis that using generic position titles instead of names is appropriate. Every organization should have individuals assigned to specific controls. The narrative documents who those people are. By using titles instead of names, you don’t have to update the document every time someone changes positions, only when there is an organization change as to which position is responsible for a control.
    In addition, you need to be specific on control ownership to support proper Segregation of Duties.



  • We are currently using titles, not names in our documentation. The problem is that the manager wishes to remove titles, and have the entire narrative along the lines of ‘payroll team prepares recon, appropriate payroll team member review, etc’. I’m not sure if I agree with her approach.



  • There are no rules governing how the narratives are written up. Having the titles makes it easier for an outside reviewer or tester to understand who does what and how well SOD is working.



  • I think that answers my question. Thanks.



  • We are currently using titles, not names in our documentation. The problem is that the manager wishes to remove titles, and have the entire narrative along the lines of ‘payroll team prepares recon, appropriate payroll team member review, etc’. I’m not sure if I agree with her approach.
    I agree with you. Doing it this way is horribly generic and removes value from the work.
    I don’t think it protects you from any findings that your auditor would have around the effectiveness of the control.


Log in to reply