Podcast 93: Writing controls-based procedures during the lockdown

In this episode of the Cherryleaf Podcast, we look at writing controls-based procedures during the lockdown.


Hello and welcome to the Cherryleaf Podcast. We’re back. We had a little break over the summer. We spent it updating some of the courseware for our training courses.

We had a break just to refresh ourselves. I wrote a book children’s book as well. We were planning to restart the podcast a little earlier, but unfortunately things got in the way so apologies for there being such a long gap. That was mainly down to some new project starting. And also there’s some building work going on nearby.

So if you do hear some sounds of construction in the background, apologies for that.

In this episode, I’d like to talk about controls-based procedures and how we’re writing these type of procedures during the lockdown.

So what are controlled based procedures? So you may be familiar with policies and procedures and that is an area that we actually get involved with, as do other people with a technical writing background. Because a lot of it’s about how to do things; who should be doing what. And there’s a great deal of similarity between writing that type of information for procedures and writing it for a user guide or online Help file.

So what are controls-based procedures? How do they differ from normal procedures?

The need to have these types of procedures is typically driven by an organisation deciding that they’re going to have controls-based audits. Companies are audited annually by auditors, and there are different ways in which the auditors can audit the books.

And basically with the controls-based audit, the auditors are relying on the internal controls within the organisation to trust that the information is accurate. If the auditors can prove or be confident that the company’s controls within the business are designed well, and work and meet the objectives that they’re there to do. And that they’re operating in the way that they’re expected to do. It means that they can trust that the information that’s within the financial accounts is accurate and valid.

So organisations are attracted to having controls-based audits because it means there’s less work that the auditors do when they come in to do their auditing. So normally when it comes round to a company being audited by auditors, the auditors will come in and they’ll check the assets that an organisation’s bought actually exists. This is known internally by auditors as “ticking and bonking”. So does a car exist? And they go out there and physically check that that car is actually there and is the correct one that’s recorded on the books of account.

Are the balances in the bank account correct? Are the sales that are made to customers correct? And they will check a number of transactions and contact the customers and check whether the sales invoice related to something that they actually bought. So they check get confirmation from third parties that this information is correct.

And they check that the numbers add up that the calculations for the total amount of sales or costs to a particular budget are correct.

So most of these procedures are within the finance and risk management areas of an organisation.

So by having all of the controls in place, there is less need for the auditors to go in and do all of that checking, which can make the audit faster and cheaper. However, it’s not easy for organisations to get to that point where the auditors have that confidence in their systems. So I’d like to quote from a web page.

From a company called Turnkey consulting about how organisations can get to the point whereby the auditors will be confident that the controls are in place and they can rely on them. So let me quote.

Companies can implement a few simple measures.

  1. A periodic review of applicable business risks ensures that an organization has ongoing transparency and understanding of all those key risks which need to be mitigated, allowing them to identify necessary internal control requirements. This periodic review should be broken down into functional areas and include process owners and other key stakeholders;
  2. Perform regular control gap analyses to evaluate whether a company has controls in place to mitigate those risks identified as part of the periodic risk review, and the output of such reviews should be formally documented and maintained in a Risk and Control Matrix; and
  3. A periodic controls assurance program should be established whereby nominated control owners perform controls testing and/or assessments to conclude on the design and operating effectiveness of their controls. It’s much more desirable to be aware of, and remediate, control-related issues during the course of the year as they happen, rather than wait for problems to be identified by the auditors during year-end, which could ultimately affect their audit approach.

So from this we can see that an organisation needs controls in place and they need to be documented.

And the types of documentation that creates the controls-based procedures will emphasise the controls that an organisation has in place.

This means that controls-based procedures have information on things like:

  • The roles and responsibilities
    • Who is responsible for what?
  • The controls that are in place
    • This can be around the separation of duties and authority.
    • For example, of the person that’s asking for a payment to be made to a supplier is different from the person that is approving the payment and the person who is making the payment from the bank account to the supplier.
    • How any issues are going to be reported.
    • The metrics how things are going to be measured to check whether there is conformance to the controls or not.
    • How often these procedures will be checked.
      • So, for example, how often they will be audited externally or internally?
    • And then the process themselves: what happens, who does what etc.

So from this we can see it’s more about what happens and the controls, and specifically the detail of how to do something.

Cherryleaf offers policies and procedures writing services to organisations.

And with the lockdown, we’ve had two adapts the way in which we do these types of projects, and I thought it would be useful to talk about that aspect we’ve been working recently on a documentation project where we’re writing controls-based procedures for a client.

So with these types of projects they are slightly different from policy writing documents in that the detail can vary quite a lot. An anti-bribery policy for one organisation is going to be pretty much the same as an anti-bribery policy for another. But with processes and procedures and controls-based procedures there’s much more variation on the specifics.

So each procedure typically comes out at about 8 to 10 pages in length, and they tend to be much more focused on the process: the what to do, rather than the nitty gritty, the absolute detail on how things are done.

The main audience for these types of documents tends to be auditors or managers, rather than end users.

They might explain that Person A is responsible for making the payment from the bank system to a supplier, but it won’t necessarily contain the information on which buttons to press, which menus to use, how to log in to the banking system to do that. Typically the approach that we would take would be to have that information in a separate document, and provide a link or a reference from this c-based procedure to the more detailed user guide information on procedure. Have the two linked in that way.

There is more flexibility if the information is online, particularly with systems where you can filter. You can hide information or you can create series of links based on certain criteria. So for example information that is relevant to a particular job role or a particular audience, or for a particular view.

It’s not really possible or much harder to do when you’re taking a document approach, doing things as PDF’s or Word documents.

So there are at the moment, unfortunately a number of Technical Writers, Technical Authors, who are looking for work with the lockdown and the end of follow and so on. Is this an opportunity for them, for you, to extend your marketability and offer services?

In this particular area, well, it maybe. It’s a lot easier, I would say, for a Technical Author to write more traditional procedures about how to do certain things than this. If you were to focus on this particular area, controls-based procedures,  it helps to have a basic knowledge of finance and accountancy. In terms of that, I mean that there are areas within organisation that deal with things like bank, cash and Treasury. The movement of money; that there’s Accounts Payable that you know that Accounts Payable exists and what it does. There are things around dealing with foreign currencies, so if somebody sends you a bill in dollars, how you deal with that? If you’ve got a Sterling account, if you need to pay people in dollars, if you’re receiving money in dollars and you’re in another currency. Issues around that.

And the types of checks and balances that a financial department will have to prevent fraud or to prevent an organisation simply running out of money.

So that’s it for this episode of the Cherryleaf Podcast. If you’re interested in some of the topics that we’ve covered, I suggest you have a look at the web-based version of Microsoft Word and look at the new transcription feature.

You’ll find it under the Dictate icon on the ribbon bar. Click down on that. There’s an option for transcribe, and from there you’ll find a button that says Upload Audio and you can upload the audio file that you want transcribed. At the moment it’s available only in English.

And if you’d like to see some examples of procedures writing that we’ve done, on the Cherryleaf website under the Examples area, we do have some examples. We haven’t got one on controls-based procedures yet, that’s something that we’re planning for the future.

But if you do have any other questions about this area then feel free to contact us. Feel free to contact me. It’s info @ Cherryleaf.com.

Thanks for listening.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.