When a process is first constructed, the internal audit staff is typically consulted, and they advise that certain control points be installed to guard against various risks. The trouble is that business unit managers are not as well versed in the reasons for controls, and so may be tempted to eliminate some of them in their pursuit of more streamlined processes. The result may indeed be more efficient systems, but at the cost of having riskier systems.
To keep this tinkering from occurring, consider creating a control standards manual for the business unit managers. This manual lays out the control objectives that are to be met by each process, and the specific procedure steps needed to ensure that those objectives are met. A more comprehensive manual might even describe how the various procedure steps interlock to provide overlapping controls, as well as what can happen if any of the control points are removed from the system. There may also be flowcharts in the manual that give a more visual viewpoint on how processes flow, as well as the forms that are to be used at various stages within the process, and any reports issued as part of the process.
While a control standards manual may be one of the least energizing documents that a business unit manager may be forced to read, its importance should be continually emphasized, so that managers understand that they must follow it, or risk censure by the internal audit staff. Hopefully, the result may be a set of controls that are consistently applied throughout an organization.