Back a couple of years ago, I went through a process to document each control across my company. For example, took a revenue control (cash receipts recorded to the GL are agreed to bank activity - just an example), and documented each step the control owner follows to execute the control. In my previous company, and when I was in the big 4, this was not a requirement or best practice really. In a nutshell, we documented the design of each control in detail. Our external auditors pretty much said this was required. Do you have the same in your companies for controls? Or do you just have risk and control matrices and that's what the ext auditors go by (we also have RCMs, but the design documentation is additional)?
------------------------------
Raymond Rengifo
Director - SOX Compliance
Tredegar Corporation
------------------------------