Articles on Internal Auditing

A COSO Audit-Process Outline
Compiled by Mark R. Simmons, CIA CFE

1. Planning

Conduct research and planning to gain an understanding of the area being examined. Discuss proposed audit with senior management to identify important work objectives, and events or outcomes that would constitute reportable conditions, for the entity to be reviewed.

2. Survey/Development of a Control Model

a. Through interviews and/or focus groups, meet with entity managers to:

  • identify important work objectives and events or outcomes that would constitute reportable conditions
  • identify critical success factors for each work objective
  • rank or rate the relative importance or impact of each success factor in contributing to objective achievement. (This results in a risk assessment. It identifies the nature and significance of risks associated with the activities the managers are responsible for.)
  • for the important success factors, identify existing management systems and practices (control activities) which either improve the likelihood of success or measure the extent to which objectives are being achieved.

b. Randomly select and organize 50%-100% of the entity's employees at all levels below management into focus groups of up to ten to evaluate the information obtained in step (a) above (each group should require about four hours).

  • distribute in advance the results of information gathered in step (a) above.
  • outline the audit role and approach to assessing the state of control; the process to be used; what to expect; what not to expect; and how it fits in with achieving the objective of the audit review (15 minutes).
  • conduct a control environment assessment by discussing the state of values and ethics in the entity and the division/department as a whole. This serves as an ice-breaker; encourages free expression of ideas to someone who is a conduit to top management; and serves as a basis for future assessment of the department's ethical climate (about 30 minutes)
  • have each group rank the objectives, rate the importance of critical success factors, assess the adequacy and effectiveness of the activities and measurements in place to assure success. Support opinions with strong examples. Solicit other success factors, activities and measures that were not identified by management. Analyze the strengths and weaknesses of the activities and practices (control mechanisms) that are relied on to attain the work objectives (focus on the positive strengths first, then the negative weaknesses) (about 120 minutes).

c. Each group evaluates the overall quality of activities and measurements (controls) by applying a risk acceptance index (about 60 minutes)

  • appropriate to perceived level of risk
  • lacking in that different activities/measurements, or a different balance or mix of activities/measurements is needed.
  • excessive in that activities/measurements are overly burdensome in relation to the perceived risk.
  • for issues other than "appropriate", identify ways to rectify the situation, and prioritize the proposed solutions.

d. At the closure, the auditor has participants complete an anonymous evaluation form to assess the process. Incorporate a section to determine whether the participant agrees with what was said publicly, and invite comments/concerns that the participant may have been reluctant to voice publicly. Material returned to the auditor should not be shared in raw form to maintain anonymity (about 15 minutes).

e. The auditor compares the information obtained in each work group to confirm that conditions identified actually exist (both positive and negative).

3. Examination/Evaluation

  • Use traditional audit techniques to verify, quantify, and document (or refute) serious or material conditions.
  • If a serious or reportable condition is confirmed to exist, advise the responsible manager as soon as possible; narrow the audit scope to establish the extent of the problem, the impact, and corrective actions needed (i.e., identify how often the problem occurs, how much is at risk ($), where and when the problem is occurring, and who is causing the problem or allowing it to occur).

4. Reporting

  • capture all the relevant data and report on key issues (either verbal briefing, in writing, or both)
  • discuss with senior managers to identify any additional work they would like done
  • identify inter-department concerns that other senior managers need to be made aware of

USING THE COSO AUDIT PROCESS ADDS VALUE BY:

  • Supporting Strategic Planning Through an Overview of Operational Strengths and Weaknesses
  • Challenging Objectives
  • Focusing on Critical Success Factors
  • Assessing Management Systems and Practices that Guide the Organization Toward Fulfilling Its Mission
  • Helping to Improve the Efficiency of Planning and Priority Setting at the Operational Level
  • Encouraging Full Employee Participation
  • Improving Employees' Understanding of the Nature and Importance of Control
  • Acknowledging the Value of Teamwork to Identify and Solve Problems
  • Providing All Levels of the Organization an Opportunity to Have Input to Process Improvement
  • Helping to Identify the Usefulness of Performance Indicators
Copyright © 1996 Mark R. Simmons, All rights reserved


© 1996-2008 Mark R Simmons, CIA, CFE. All rights reserved. Updated 05-Jun-2008