COSO Committee of Sponsoring Organizations of the Treadway Commission
Entities develop and maintain documentation for their internal control system for a number of reasons. One is to provide clarity around roles and responsibilities, which promotes consistency in adhering to the entity's practices, policies, and procedures in managing the business. Effective documentation assists in capturing the design of internal control and communicating the who, what, when, where, and why of internal control execution, and creates standards and expectations of performance and conduct. Another purpose of documentation is to assist in training new personnel and to offer a refresher or reference for other employees. Documentation also provides evidence of the conduct of internal control, enables proper monitoring, and supports reporting on internal control effectiveness, particularly when evaluated by other parties interacting with the entity, such as regulators, auditors, or customers. Documentation also provides a means to retain organizational knowledge and mitigate the risk of having the knowledge within the minds of a limited number of employees.
Management must also determine how much documentation is needed to assess the effectiveness of internal control. Some level of documentation is always necessary to assure management that each of the components and relevant principles is present and functioning and components are operating together. This may include, for example, documents showing that all shipments are billed or that periodic reconciliations are performed. Two specific levels of documentation requirements must be considered in relation to external financial and non-financial reporting:
- In cases where management asserts to regulators, shareholders, or other third parties on the design and operating effectiveness of its system of internal control, management has a higher degree of responsibility. Typically, this requires documentation to support the assertion that components and relevant principles are present and functioning and components are operating together. The nature and extent of the documentation may be influenced by the entity's regulatory requirements. This does not necessarily mean that all documentation is or should be more formal, but that persuasive evidence to show that the components and relevant principles are present and functioning and components are operating together is available and appropriate to satisfy the entity's objectives.
- In cases where an external auditor attests to the effectiveness of the system of internal control, management will likely be expected to provide the auditor with support for its assertion on the effectiveness of internal control. That support includes evidence that the system of internal control is properly designed and operating effectively to provide reasonable assurance of achieving the entity's objective. In considering the nature and extent of documentation needed, management should remember that the documentation to support the assertion will likely be used by the external auditor as part of his or her audit evidence, including the sufficiency of such documentation for those assertions. Management would also need to document significant judgments, how such decisions were considered, and how the final decisions were reached.
There may still be instances where controls are informal and implied through management actions and decisions. This may be appropriate where management is able to obtain evidence captured through the normal conduct of the business that indicates personnel regularly performed those controls. However, it is important to keep in mind that controls, such as those embedded within monitoring activities or risk assessments, cannot be performed entirely in the minds of senior management without some documentation of management's thought process and analyses.
The level and nature of documentation can also vary by the size of the organization and the complexity of the control. Larger entities usually have a more extensive system of internal control and greater complexity in business processes, and therefore typically find it necessary to have more extensive documentation, such as in-depth policy and procedure manuals, flowcharts of processes, organizational charts, and job descriptions. Smaller entities often find less need for formal documentation. In smaller companies, typically there are fewer people and levels of management, closer working relationships, and more frequent interaction, all of which promote communication of what is expected and what is being done. Consequently, management of a smaller entity can often determine that controls are in place through direct observation.
Documentation of internal control should meet business needs and be commensurate with circumstances. The extent of documentation supporting the presence and functioning of each of the components and relevant principles of internal control and components operating together is a matter of judgment, and should be done with cost-effectiveness in mind. In addition, the organization may benefit from some form of formal documentation that enables management to reflect on the rationale for the judgment and alignment with entity objectives.
Generated November 9, 2014 22:46:48