Articles on Internal Auditing

Internal Audit Objectives: A Comparison of the Standards with the Integrated Framework for Internal Control

By Mark R. Simmons, CIA CFE

With the introduction and recognition of Internal Control - Integrated Framework as the authoritative work on internal control, many auditors are reevaluating and rethinking the meaning of internal control and how to go about auditing control systems. The purpose of this article is to summarize and compare audit objective concepts embodied in the Standards for the Professional Practice of Internal Auditing and the Integrated Framework for Internal Control. We will begin with a review of the pertinent Standards, followed by a summary of the concepts found in the Integrated Framework. We will also incorporate the concept of "materiality" as it is discussed in the The Internal Auditor's Role in Management Reporting on Internal Control, a research report published by the Research Foundation of the Institute of Internal Auditors, and then draw conclusions about the interrelationships that exist.

The Definition of Internal Control Objectives Under the Standards

At guideline 300.06.4, the Standards for the Professional Practice of Internal Auditing (the SPPIA) describes the overall system of controls as "the integrated collection of control systems developed by the organization to achieve its objectives and goals".

At guideline 300.05 the SPPIA states that the primary objective of internal controls is to provide reasonable assurance to managers that:

1. Financial and operating information is accurate and reliable;

2. Policies, procedures, plans, laws and regulations are complied with;

3. Assets are safeguarded against loss and theft;

4. Resources are used economically and efficiently; and

5. Established program/operating goals and objectives will be met.

Audit Objectives Under the Standards

Standard 300 of the SPPIA defines the scope of Internal Auditing as encompassing:

The examination and evaluation of the adequacy and effectiveness of internal control systems (i.e., assessing the degree to which controls actually provide the reasonable assurance that managers need; and

The examination and evaluation of the quality of performance in carrying out assigned responsibilities (i.e., assessing the degree to which the organization has achieved the goals and objectives set out by management).

Thus, under the SPPIA, there are five possible objectives that an internal audit might have:

  • to determine whether controls over financial and operating data provide managers with reasonable assurance that the financial and operating data is accurate and reliable (i.e., that information gathering and reporting has been properly planned, organized and directed);
  • to determine whether controls over compliance with policies, procedures, plans, laws and regulations provide managers with reasonable assurance that proper compliance actually occurs (i.e., that compliance activities have been properly planned, organized and directed);
  • to determine whether controls over assets provide managers with reasonable assurance that assets exist and are protected against loss that could result from theft, fire, improper or illegal activities, or exposure to the elements (i.e., that activities associated with asset acquisition, recording, storage, use and disposal have been properly planned, organized and directed);
  • to determine whether controls over operations provide managers with reasonable assurance that resources are used efficiently and economically (i.e., that the organization is doing things the best way). The objective then, is to determine whether operating standards have been established for measuring economy and efficiency (i.e., that activities have been properly planned); and whether operating standards are understood and are being met , whether deviations from operating standards are identified, analyzed and communicated to those responsible for corrective action, and whether effective corrective action has been taken (in summary, whether activities have been properly directed); and
  • to determine whether controls over operations and programs provide managers with reasonable assurance that the operations and programs are being carried out as planned, and that the results of operations are consistent with established goals and objectives (i.e., whether activities have been planned, organized and directed so that the organization does the right things). SPPIA Guideline 350.01.8 elaborates on this. It says that the audit objectives, then, are to determine whether "the objectives and goals established by management are adequate and have been effectively articulated and communicated; whether the desired level of results is being achieved; whether factors that inhibit satisfactory performance and results are identified, evaluated, and controlled; whether management has considered alternative courses of action to achieve desired results; whether an operation or program complements, duplicates, overlaps or conflicts with other operations or programs; whether controls for measuring and reporting the accomplishment of objectives and goals are adequate; and whether an operation or program is in compliance with applicable policies, procedures, plans, laws and regulations."

An internal audit could encompass all five audit objectives (a full scope audit) ; or only one or a few of the five audit objectives (a limited scope audit). Audit scope could be further limited by only assessing and evaluating the adequacy of controls (i.e., the degree to which the controls provide reasonable assurance); or by only assessing and evaluating the effectiveness of the controls (i.e., the degree to which the controls actually function as management intended).

How Audit Objectives are Met Under the Standards

To meet the audit objectives, internal auditors evaluate the things managers do to plan, organize and direct activities and operations. Guideline 300.07 of the SPPIA states that "planning and organizing involve the establishment of objectives and goals and the use of such tools as organization charts, flow charts, procedures, records and reports to establish the flow of data and the responsibilities of individuals for performing activities, establishing information trails, and setting standards of performance. Directing involves certain activities to provide additional assurance that systems operate as planned. These activities include authorizing and monitoring performance, periodically comparing actual with planned performance, and appropriately documenting these activities."

Guideline 300.03 of the SPPIA further elaborates on directing activities. It states that "Authorizing includes initiating or granting permission to perform activities or transactions. Authorization implies that the authorizing authority has verified and validated that the activity or transaction conforms with established policies and procedures. Monitoring encompasses supervising, observing and testing activities and appropriately reporting to responsible individuals. Monitoring provides an on-going verification of progress toward achievement of objectives and goals. Periodic comparison of actual to planned performance enhances the likelihood that activities occurred as planned. Documentation provides evidence of the exercise of authority and responsibility; compliance with policies, procedures, and standards of performance; supervising, observing and testing activities; and verification of planned performance."

The reasonable assurance that managers need comes about when managers plan, organize and direct in such a way that in the normal course of doing business, cost-effective actions are taken to minimize the risk that undesired outcomes will occur, and maximize the likelihood that desired outcomes will occur.

Having evaluated how managers have planned, organized and directed the activities of the organization, the internal auditors then express an opinion as to whether or not the controls reviewed provide managers with the necessary reasonable assurance that goals and objectives will be achieved (the adequacy of controls); and whether the controls reviewed function as intended to maximize the likelihood that the desired results will be achieved (the effectiveness of the controls).

Definition of Internal Controls Under the Integrated Framework for Internal Control

The Framework defines internal control in a slightly different way. The Framework says that internal control is a broadly defined process, effected by people, designed to provide reasonable assurance regarding achievement of the following three objectives that all businesses strive for:

  1. Effectiveness and efficiency of operations
  2. Reliability of financial data and reports
  3. Compliance with laws and regulations

Under "Effectiveness and Efficiency of Operations", the Framework includes: compliance with policies, procedures, and plans; safeguarding assets; economical and efficient use of resources; reliability of operating data and reports; and achieving goals and objectives.

The approach presented in the Framework goes directly to the one key issue of any business - is there reasonable assurance of achieving the mission, goals, objectives and desired outcomes of the organization, while adhering to laws and regulations; and can the organization accurately report the outcomes of its operations to the public and interested third parties.

Audit Objectives Under the Integrated Framework for Internal Control

The scope of Internal Auditing remains the same when approaching controls from the perspective of the Framework. That is, the audit scope encompasses:

The examination and evaluation of the adequacy and effectiveness of internal control systems and

The examination and evaluation of the quality of performance in carrying out assigned responsibilities.

Under the Framework, however, there are three basic audit objectives:

  • to determine whether controls provide reasonable assurance of effective and efficient operations;
  • to determine whether controls provide reasonable assurance as to the reliability of financial data and reports; and
  • to determine whether controls provide reasonable assurance of compliance with laws and regulations.

Each of these objectives has five components of control:

  • A sound Control Environment;
  • A sound Risk Assessment Process;
  • Sound Operational Control Activities;
  • Sound Information and Communications System; and
  • Sound Monitoring Practices

Under the Framework, "internal control can be judged effective if management has reasonable assurance that they understand the extent to which the organizations objectives are being met; the extent to which financial reports are being reliably prepared; and the extent to which applicable laws and regulations are being complied with". This judgement of effectiveness results "from an assessment of whether the five components of control are present and functioning effectively. Their effective functioning provides the reasonable assurance regarding achievement of the three primary business objectives". The components therefore form the criteria for effective control. All five components must be present and effective in order for management to have the reasonable assurance needed.

Under the Framework, an internal audit could encompass all three audit objectives (a full scope audit) ; or only one or two of the audit objectives (a limited scope audit).

Audit scope could be further limited by assessing only one or a few of the five control components. However, doing so could prevent the internal auditor from expressing an opinion as to the effectiveness of controls for the particular audit objective. Under the Framework, all five components must be present and operating effectively in order for management to have the necessary reasonable assurances. The internal auditor can not express an opinion as to the existence of reasonable assurance unless all five components are assessed. However, if a review of only one or a few of the components demonstrated that a component was missing or ineffective, the system of control could not provide the necessary reasonable assurance, and the auditor could so state in an opinion.

How Audit Objectives are Met Under the Framework

To meet the audit objectives under the Framework, internal auditors evaluate the elements of the five components of control:

1. For the Control Environment Component auditors assess

  • whether managers and employees possess integrity, ethical values and competence;
  • whether the nature of management's philosophy and operating style is appropriate;
  • whether there is proper assignment of authority and responsibility;
  • whether there is proper organization of available resources;
  • whether there is proper training and development of people; and
  • whether there is proper attention and direction from management.

2. For the Risk Assessment Component auditors assess

  • whether management has established a set of objectives that integrate all the organization's resources so that the organization operates in concert;
  • whether there is an awareness of and ability to deal with the risks and obstacles to successful achievement of business objectives; and
  • whether management identifies, analyzes and manages the risks and obstacles to successful achievement of business objectives.

3. For the Operational Control Activities Component auditors assess

  • whether management has established and executed policies and procedures to help ensure effective implementation of the actions they have identified as being necessary to address risks and obstacles to achievement of business objectives;

4. For the Information and Communications Systems Component auditors assess

  • whether the information system produces the financial, operational and compliance reports needed to run the business;
  • whether the reports that are produced deal with internal and external activities, conditions and events necessary to informed business decision making and external reporting;
  • whether the organizations people are able to capture and exchange the information they need to conduct, manage and control operations;
  • whether pertinent information is identified, captured and communicated in a form that enables people to effectively carry out their responsibilities;
  • whether communications flows in all directions throughout the organization;
  • whether management has made it clear to all employees that control responsibilities are to be taken seriously;
  • whether employees understand their own roles in the internal control system, as well as how their individual activities relate to the work of others;
  • whether all employees have the means of communicating significant information upstream; and
  • whether their is effective communication with external parties.

5. For the Effective Monitoring Component auditors assess

  • whether the entire control system is monitored to assess the quality of the system's performance over time;
  • whether there is on-going monitoring in the normal course of doing business, such as regular supervisory and management activities, and actions employees take in performing their normal duties;
  • whether internal deficiencies are reported upstream, with serious matters reported directly to top management;
  • whether there are separate, independent evaluations of the internal control system.

The Role of Materiality in Meeting Audit Objectives

The objective of an internal audit is to form an opinion as to whether control systems provide managers with reasonable assurance that desired business outcomes will be achieved. To reach this conclusion, the auditor has to consider the issue of materiality. An effective control system should prevent, or detect and correct, "material" errors, omissions, fraud or other adversities that impact on achieving desired business outcomes.

The Internal Auditor's Role in Management Reporting on Internal Control, a research report published by the Research Foundation of the Institute of Internal Auditors, defines materiality as "any condition that has caused, or is likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization".

According to the research report, the control processes for identifying material weaknesses are working if, during the course of routine operations, the control system successfully identifies and addresses:

non-persistent and non-pervasive weaknesses that have caused, or are likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization.

Material weaknesses are persistent if the same problem appeared in prior periods; or the same problem has arisen elsewhere in the organization.

Material weaknesses are pervasive if the effects of the problem seriously imperil safeguarding of assets; or the effects of the problem seriously imperil the achievement of operating, reporting or compliance objectives.

A condition is "serious" if it has caused, or is likely to cause, errors, omissions, fraud or other adversities that increase business risk and possible consequent damages to the organization, but does not require senior managers to undertake immediate corrective actions to mitigate the associated impact on operations or outcomes.

This suggests that auditors have five decision options regarding a professional opinion about the system of controls:

  1. The system is well controlled - there are virtually no internal control weaknesses; (or)
  2. The system is highly satisfactory - there are opportunities for improvement, but no reportable conditions; (or)
  3. The system is marginally satisfactory - the audit identified a serious condition, but it has NOT caused, or is NOT likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization; (or)
  4. The system is unsatisfactory - the audit identified a serious condition that has caused, or is likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization.; or
  5. The system is unreliable - the audit identified a persistent or pervasive serious condition that has caused, or is likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization.

Items three through five above are "Reportable Conditions". A "reportable condition" means that:

  • the problem is serious, but not material; or
  • the problem is material but not persistent or pervasive; or
  • the problem is material and persistent or pervasive.

The research report indicates that as long as the control process identifies and corrects the problem, or assesses the consequences of inaction, regarding reportable conditions and material weaknesses, then it is unlikely that the reportable condition will be material and pervasive or persistent. If this is the case, then the control system is working. However, if the reportable conditions and material weaknesses were detected by the audit, but not by the control system, then the auditor should evaluate the circumstances and consider issuing a qualified or adverse opinion in the report.

It is the auditor's professional judgement that determines what "serious" and "material" actually mean in the context of a given audit. How does the auditor determine this? There are several ways, depending on the specific circumstances. Some examples are:

  • Discussions with senior management, line managers and staff, and suppliers and customers of the audit client;
  • The auditor's experience and knowledge of control systems and related risks;
  • The requirements of laws and regulations;
  • The exposure to fraud, waste or abuse; and
  • The monetary value or impact of goods, services, transactions, events or outcomes.

The threshold for reportable conditions should be evaluated during the planning phase of the audit work; discussed with senior management; and discussed with the responsible manager at the entrance conference. Prior to initiating substantive audit work, the auditor should have a clear and agreed upon definition of what will constitute a reportable condition for the activity or function being reviewed.

Conclusions

Both the SPPIA and the Framework address the ways that managers plan, organize and direct the organization's activities. Both seek to evaluate whether or not managers have reasonable assurance that risks will be minimized and the likelihood of achieving desired results maximized. The SPPIA approaches control from the auditor's perspective. The Framework approaches control from the manager's perspective. A full scope review under the Framework is more comprehensive than a full scope review under the SPPIA. This results from the concepts embodied in each of the Framework's five components of control.

For example, under the Framework's Control Environment component, in addition to reviewing how resources are organized and how authority and responsibility are assigned, there is a requirement to assess the ethics, integrity and competence of management and employees; the degree of training and development afforded to managers and employees; and the degree of attention and direction that management provides.

The Framework's Risk Assessment component takes an approach to analyzing objective setting and risk assessment that significantly expands on the concepts found in the SPPIA. The same is true for the approach taken in the Framework's Information and Communications Systems component.

The Framework's Operational Control Activities component and Effective Monitoring component most closely match the traditional issues evaluated through internal audits - establishment and execution of policies and procedures designed to achieve objectives; and monitoring/reporting activities designed to determine effective implementation of those policies and procedures.

As an integral part of establishing audit objectives, the auditor should clearly define the threshold for reportable conditions and materiality. In the traditional paradigm, the internal auditor would most likely to this unilaterally, based on professional judgement. When auditing under the Framework, defining materiality might be better accomplished with the active participation and agreement of management.

By using the manager's perspective, the Framework elevates the level at which internal auditors look at internal control. It moves internal auditing from the more traditional operational level to a strategic level. The beauty of the Framework is that although there is a shift in emphasis, it can be applied to audits of entire organizations, or to audits of individual organizational units, at a strategic level. The Framework provides the internal auditor with an excellent methodology for adding significant value to the organization, while maintaining compliance with the Standards for the Professional Practice of Internal Auditing.

Copyright © 1995 Mark R. Simmons, All rights reserved

Home | Bio  | Internal Auditing | Fraud Investigation | Request to Reprint

© 1996-2008 Mark R Simmons, CIA, CFE. All rights reserved. Updated 05-Jun-2008
Designed and maintained by Web Wise Concepts, LLC for http://www.facilitatedcontrols.com