Articles on Internal Auditing

COSO Based Auditing
By Mark R. Simmons, CIA CFE

This article appeared originally in the December 1997 issue of Internal Auditor, the Journal of the Institute of Internal Auditors. It is reproduced here with permission.

The 1992 COSO document, Internal Control Integrated Framework, changed the way we look at internal control. After several significant audit failures occurred during the 1980s, The Committee of Sponsoring Organizations (COSO) formed to redefine internal control and the criteria for determining the effectiveness of an internal control system.

Traditional theories, which primarily addressed financial controls, were broadened substantially. The COSO Framework considers not only the evaluation of hard controls, like segregation of duties, but also soft controls, such as the competence and professionalism of employees. Especially in the United States, these concepts have been adopted by many organizations, as well as by many governmental entities.

Applying COSO to practice is not so simple as adopting it in theory, however. No defined approach exists for auditing "soft" controls like the integrity and ethical values of staff, the philosophy and operating style of management, and the effectiveness of communications. In 1993, when I served as Assistant Director of Internal Audit for a state government agency, my colleagues and I began wrestling with the opportunities - and challenges - that COSO presented. After six months of heavy research, discussion, trial, and error, we began to put COSO concepts into practice by melding them with some of the methods and concepts of total quality management. Over the next four years we continued to develop, refine, and implement the process until we arrived at the following formal methodology.

COSO-BASED AUDITING

The value of COSO-based auditing is that it enables effective evaluation of the soft controls espoused by COSO while avoiding the faulty, negative findings that can sometimes result from traditional audit methods. Customer-focused and outcome-oriented, this method addresses systemic root causes, avoids placing blame, and produces a workable solution - every time. The key steps for successfully applying this method are: understanding COSO, determining control strengths and weaknesses, defining key issues and reportable conditions, validating testimonial evidence, making the final assessment, and identifying corrective actions.

UNDERSTANDING COSOCOSO graph - click for a larger view. Use your browser's back button to return

To begin, one must have a thorough understanding of the case definition of control and the criteria for an effective control system. According to COSO, "Internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations." COSO considers these categories to be over lapping, yet distinct. The effectiveness of an internal control system is measured by its capacity to provide reasonable assurance to the board of directors and management that these three objectives have been met. (Enlarge the COSO graph . Use your browser's back button to return.)

In addition to these goals, COSO identified five interrelated components of internal control:

  1. The control environment, which includes the integrity; ethical values, and competence of an organization's people.
  2. Risk assessment
  3. Control activities.
  4. Information and communication, which encompasses the methods for identifying, capturing, and communicating pertinent information in a time frame that enables people to carryout their responsibilities
  5. Monitoring

These components combine to form an integrated system of controls. To conclude that internal control is effective in any category of objective - operations, financial reporting, or compliance - all five components must be present and functioning.

Our COSO-based audit method is also derived from several premises inherent in COSO. The first is that people in an organization, who daily face the realities of trying to work efficiently and effectively to achieve the goals and objectives set out for them, are in the best position to provide insights into the strengths and weaknesses or their processes.

The second premise is that internal auditors should work in a collegial spirit to identify control problems and develop solutions for improving and strengthening controls. Not only will better solutions result, but buy in will be virtually guaranteed in all but the most difficult situations.

The final premise is that the use of focus groups and affinity processes affords one of the most efficient and effective means of gathering substantial amounts of highly relevant and useful data. These quality management techniques have been proven many times over and across all types off service and manufacturing environments. In my experience they far surpass the traditional, archaic audit methods of gathering information.

DETERMINING CONTROL STRENGTHS AND WEAKNESSES

Armed with an understanding of the tenets of COSO and the three inherent premises, the next steps involves determining the general strengths and weaknesses of controls in the operational area.

  1. COSO chart - click for a larger view - use your browser's back button to returnA series of generic questions based on the COSO Framework are customized and adapted to a specific organizational unit. The basics of all five control components can be covered with 30-50 similar questions. (Enlarge a chart that lists typical questions about the cash receipts control environment. Use your browser's back button to return.)
  2. Depending on circumstances and requirements, such as the audit client's workload and the number of individuals in the audited unit, either a focus group or a series of individual interviews is scheduled. The process of answering the control questions leads unit managers and staff through a self-evaluation that gauges the importance and presence of kev elements of each of the five control components.
  3. The results of these interviews are tabulated and correlated to identify strengths and weaknesses in each of the five control components.

At the end of this stage, the five components of control have been used as the criteria to identify the strengths and weaknesses of the system. Some basic conclusions can also he formulated, such as whether managers and staff share the same perceptions regarding operations and controls in their area. If not, the risk that controls may not be working properly rises significantly. If management and staff are more or less in agreement, the business risk is not as great.

DEFINING A REPORTABLE CONDITION

It is necessary to determine the nature of a reportable condition and identify the most important control issues for executive and line management. The best way to make this determination is to ask executive and line management separately to describe situations that have caused, or are likely to cause, an error, omission, or irregularity of such significance that immediate corrective action would he needed to mitigate the business risk and potential damage to the organization. A reassessment of business risk can then be made based on whether or not executive management and line management are in agreement. Again, if there is general agreement, risk is lowered because there is both communication and consensus. Disagreement indicates potentially higher risk because it may impact negatively on control environment and risk assessment issues.

VALIDATING TESTIMONIAL EVIDENCE

At this point in the process, the internal auditors have determined the strengths and weaknesses of the system; whether or not line management and staff are in agreement as to the state of control; the criteria for reportable conditions; and whether or not executive management and line management concur with regard to the most important control issues and concerns.

However, the internal auditors now must address the question of whether they have been misled during the interviews or focus group sessions. In order to confirm the testimonial evidence, documentary evidence or some other form of independent corroboration must be obtained. Depending on the circumstances and time frame, the following strategies may be effective:

  • Interview customers and suppliers of the unit under review to identify problems and successes.
  • Evaluate written policies and procedures.
  • Take statistical or judgment samples for attribute or variables testing.
  • Identify industry standards or best practices for the type of operation under review.
  • Use written procedures to prepare process flow charts, identify key control points, and test for evidence of the presence of control.

These corroboration activities, in conjunction with the previously obtained testimonial evidence, enable the auditor to:

  1. Confirm the presence and effectiveness of identified strengths in each of the control components.
  2. Confirm the weaknesses in each of the control components.
  3. Determine whether significant weaknesses are counter-balanced or mitigated by any outside, independent controls.
  4. Determine, where strengths have not been confirmed and where weaknesses are not independently balanced, whether or not any reportable conditions have occurred.

MAKING THE FINAL ASSESSMENT

If reportable conditions have occurred, further assessment is necessary. If reportable conditions have occurred, but, through the course of normal business operations they have been identified, corrected, and not allowed to become persistent or pervasive, there is a strong likelihood that all five components of control are present and effective. In this case, executive management can be reasonably sure that business objectives can be attained, and that future reportable conditions are likely to be detected and corrected in the course of normal operations.

On the other hand, operations are not under control when reportable conditions:

  • Have occurred and gone undetected.
  • Are persistent, as evidenced by their appearance in current and prior periods or elsewhere in the organization.
  • Are pervasive, there by seriously imperiling the safeguarding of assets.
  • Have seriously jeopardized the achievement of operating, reporting, or compliance objectives.

If reportable conditions are discovered during the audit that have not been detected and corrected in the course of normal operations, or if one or more of the control components is absent or seriously flawed, then reasonable assurance is highly suspect. It would be unlikely that a reportable condition would he detected and readily corrected under such circumstances.

IDENTIFYING CORRECTIVE ACTION

Depending on the situation, the final step will he either to identify actions needed to correct material deficiencies, or to identity; improvement opportunities for correcting non-material deficiencies and improving system strengths. The most efficient and effective way to identify such actions is through auditor-directed focus groups, since those involved in the process are generally better informed and better positioned to develop worktable solutions than the auditor whose exposure to the operational issues is often limited. Use of such groups partners the control expertise of the auditor with the operational expertise of the auditee.

A CLEAR ADVANTAGE

Anyone who has ever been involved in a difficult decision-making process will recognize the advantages of the COSO-based approach, and the possible disadvantages of the traditional audit appoach. The COSO-based method can produce a comprehensive and balanced picture of the entire control system in a relatively short period of time. More importantly; significant issues can be diagnosed in a collegial manner, enabling management to Focus on finding solutions rather than fixing blame. In the end, the COSO-based audit process offers internal auditors the opportunity to move their organizations along the continuum from imperfect to perfect control in a constructive way; thus helping to ensure continued organizational health and well-being.

The following case-study contrasts traditional and COSO-based auditing.

COSO-Based Auditing — A Case Study

A government operational unit had come under intense scrutiny after several adverse incidents attracted the attention of executive management. A traditional independent internal review resulted in several negative findings, all centered around the types of operational and monitoring controls that auditors are accustomed to examining. All comments were highly critical of the operation's line management.

In a corollary and separate review an holistic assessment of the entire control system was performed over a three-week period using the COSO-based methodology. Interviews were used to identify control strengths and weaknesses, with the five COSO control components serving as a "standard."

The interviews measured management and staff perceptions about the importance of key control elements and the degree to which those individuals perceived those elements to be effective. This guided self-analysis indicated significant problems regarding objective-setting, risk analysis, and the acquisition of data required for informed decision making and oversight monitoring. The interviews also suggested that a substantial number of other control elements were present, such as a high level of ethics and competence, a sound management philosophy and operating style, an effective organizational structure, sound delegation of authority and responsibility and adequately designed and implemented procedures.

TRADITIONAL VERSUS COSO-BASED

Trying to reconcile the negative findings of the traditional audit with the findings of the COSO-based review creates something of a conundrum. A comparison of the two approaches may help to resolve the enigma.

  • The COSO-based approach disclosed that the underpinning of effective controls - the ethics and competence of people, management's philosophy and operating style, the organizational structure, delegation of authority and responsibility and written policies and procedures - were all sound. The traditional audit work didn't discover this, however. Instead, because the auditors disagreed with several operational decisions and results, the traditional audit fixed blame on the management and staff for failing to meet their responsibilities effectively.
  • The COSO-based approach disclosed that the operational unit's management and staff had not been receiving a clearly-defined message about executive management’s current objectives. As a result, the line manager's risk management activities addressed what they perceived to be desired outcomes, rather than those actually sought. The line manager and staff were effectively hacking away at the bushes and vines of their operational jungle and making steady progress. Unfortunately, they were in the wrong jungle. The traditional audit work never discovered this.
  • Equally important, the COSO-based review disclosed that information required for informed decision-making was not available. Data wasn't accurate or reliable, and the management information systems were outdated and virtually useless. Traditional audit techniques disclosed that reports due to interested outside parties were not being prepared, but they did not determine the reason behind the problem or offer any solutions.
  • The COSO-based approach disclosed that line management had effective, although informal, processes for monitoring operations and outcomes, and that they regularly brought significant issues to the attention of executive management. COSO-based methods also discovered that while contract managers were not directly performing traditional monitoring activities over ongoing projects, most did have some means for effective monitoring. Generally, these alternative controls or processes compensated for the lack of traditional monitoring practices. This finding helped focus attention on management activities that would help individual contract managers move toward effective oversight. The traditional audit did not address any monitoring or oversight activities.
  • One of the primary functions of the operational unit centered on contract procurement and award. The COSO-based approach indicated that the relevant policies, procedures, and processes were well planned and implemented. The final decision process occurred over a two-day period and involved about 15 staff and managers, as well as an outside consultant. There was substantial give-and-take, disagreement, and discussion in an open forum of staff and line management before final decisions were made. In other words, a concerted and conscientious effort was made to arrive at decisions that were both reflective of the perceived desires and objectives of executive management, and worthy of pursuit based on those objectives and goals.

The COSO-based approach further determined that almost 6o percent of the bid proposals received were rejected-and appropriately so-at the staff level. Of the 40 percent that were recommended for award, executive management decided to proceed with all but one, despite the concerns raised by the traditional auditors. The COSO-based approach also indicated that several decisions viewed by the traditional auditors as "bad" were the result of miscommunicated management objectives and lack of adequate information systems support identified in the COSO-based review.

Traditional audit techniques disclosed that none of the award decisions were fatally flawed, and that the files contained review summary and scoring sheets, as well as documentation of the range of opinions expressed regarding the proposals. However, the traditional auditors paradoxically found that the organization did not always adequately document the final decisionmaking process, nor did those in the organization provide "sufficient" disclosure of all facts to executive management when they sought final authorization. Other file documentation and decision issues also were reported by the traditional auditors and were the primary basis for many of the negative audit findings.

A BETTER WAY

In this case study, the traditional audit concluded that many of the award recommendations were "had"; that the award decision process was seriously, although not fatally, flawed; and that the line manager and staff had "failed" in meeting their obligations. The traditional auditors, how-ever, offered no explanation as to the causes, nor did they correctly identify the real problems regarding objective-setting, risk analysis, and the acquisition of data required for informed decision-making and oversight monitoring.

In the end, the traditional audit did not produce effective recommendations for executive management because it failed to provide perspective on the overall system of control. In fact, executive management's decision to proceed with the award recommendations, even after taking into account all of the concerns raised by the traditional audit, indicates a serious weakness in the traditional audit's focus and perspective.

 

Copyright © 1997 The Institute of Internal Auditors

Home | Bio  | Internal Auditing | Fraud Investigation | Request to Reprint

© 1996-2008 Mark R Simmons, CIA, CFE. All rights reserved. Updated 05-Jun-2008
Designed and maintained by Web Wise Concepts, LLC for http://www.facilitatedcontrols.com