With the introduction and recognition of Internal Control - Integrated Framework as the authoritative work on internal control, many auditors are reevaluating and rethinking the meaning of internal control and how to go about auditing control systems. The purpose of this article is to summarize and compare audit objective concepts embodied in the Standards for the Professional Practice of Internal Auditing and the Integrated Framework for Internal Control. We will begin with a review of the pertinent Standards, followed by a summary of the concepts found in the Integrated Framework. We will also incorporate the concept of "materiality" as it is discussed in the The Internal Auditor's Role in Management Reporting on Internal Control, a research report published by the Research Foundation of the Institute of Internal Auditors, and then draw conclusions about the interrelationships that exist.
At guideline 300.06.4, the Standards for the Professional Practice of Internal Auditing (the SPPIA) describes the overall system of controls as "the integrated collection of control systems developed by the organization to achieve its objectives and goals".
At guideline 300.05 the SPPIA states that the primary objective of internal controls is to provide reasonable assurance to managers that:
1. Financial and operating information is accurate and reliable;
2. Policies, procedures, plans, laws and regulations are complied with;
3. Assets are safeguarded against loss and theft;
4. Resources are used economically and efficiently; and
5. Established program/operating goals and objectives will be met.
Standard 300 of the SPPIA defines the scope of Internal Auditing as encompassing:
The examination and evaluation of the adequacy and effectiveness of internal control systems (i.e., assessing the degree to which controls actually provide the reasonable assurance that managers need; and
The examination and evaluation of the quality of performance in carrying out assigned responsibilities (i.e., assessing the degree to which the organization has achieved the goals and objectives set out by management).
Thus, under the SPPIA, there are five possible objectives that an internal audit might have:
An internal audit could encompass all five audit objectives (a full scope audit) ; or only one or a few of the five audit objectives (a limited scope audit). Audit scope could be further limited by only assessing and evaluating the adequacy of controls (i.e., the degree to which the controls provide reasonable assurance); or by only assessing and evaluating the effectiveness of the controls (i.e., the degree to which the controls actually function as management intended).
To meet the audit objectives, internal auditors evaluate the things managers do to plan, organize and direct activities and operations. Guideline 300.07 of the SPPIA states that "planning and organizing involve the establishment of objectives and goals and the use of such tools as organization charts, flow charts, procedures, records and reports to establish the flow of data and the responsibilities of individuals for performing activities, establishing information trails, and setting standards of performance. Directing involves certain activities to provide additional assurance that systems operate as planned. These activities include authorizing and monitoring performance, periodically comparing actual with planned performance, and appropriately documenting these activities."
Guideline 300.03 of the SPPIA further elaborates on directing activities. It states that "Authorizing includes initiating or granting permission to perform activities or transactions. Authorization implies that the authorizing authority has verified and validated that the activity or transaction conforms with established policies and procedures. Monitoring encompasses supervising, observing and testing activities and appropriately reporting to responsible individuals. Monitoring provides an on-going verification of progress toward achievement of objectives and goals. Periodic comparison of actual to planned performance enhances the likelihood that activities occurred as planned. Documentation provides evidence of the exercise of authority and responsibility; compliance with policies, procedures, and standards of performance; supervising, observing and testing activities; and verification of planned performance."
The reasonable assurance that managers need comes about when managers plan, organize and direct in such a way that in the normal course of doing business, cost-effective actions are taken to minimize the risk that undesired outcomes will occur, and maximize the likelihood that desired outcomes will occur.
Having evaluated how managers have planned, organized and directed the activities of the organization, the internal auditors then express an opinion as to whether or not the controls reviewed provide managers with the necessary reasonable assurance that goals and objectives will be achieved (the adequacy of controls); and whether the controls reviewed function as intended to maximize the likelihood that the desired results will be achieved (the effectiveness of the controls).
The Framework defines internal control in a slightly different way. The Framework says that internal control is a broadly defined process, effected by people, designed to provide reasonable assurance regarding achievement of the following three objectives that all businesses strive for:
Under "Effectiveness and Efficiency of Operations", the Framework includes: compliance with policies, procedures, and plans; safeguarding assets; economical and efficient use of resources; reliability of operating data and reports; and achieving goals and objectives.
The approach presented in the Framework goes directly to the one key issue of any business - is there reasonable assurance of achieving the mission, goals, objectives and desired outcomes of the organization, while adhering to laws and regulations; and can the organization accurately report the outcomes of its operations to the public and interested third parties.
The scope of Internal Auditing remains the same when approaching controls from the perspective of the Framework. That is, the audit scope encompasses:
The examination and evaluation of the adequacy and effectiveness of internal control systems and
The examination and evaluation of the quality of performance in carrying out assigned responsibilities.
Under the Framework, however, there are three basic audit objectives:
Each of these objectives has five components of control:
Under the Framework, "internal control can be judged effective if management has reasonable assurance that they understand the extent to which the organizations objectives are being met; the extent to which financial reports are being reliably prepared; and the extent to which applicable laws and regulations are being complied with". This judgement of effectiveness results "from an assessment of whether the five components of control are present and functioning effectively. Their effective functioning provides the reasonable assurance regarding achievement of the three primary business objectives". The components therefore form the criteria for effective control. All five components must be present and effective in order for management to have the reasonable assurance needed.
Under the Framework, an internal audit could encompass all three audit objectives (a full scope audit) ; or only one or two of the audit objectives (a limited scope audit).
Audit scope could be further limited by assessing only one or a few of the five control components. However, doing so could prevent the internal auditor from expressing an opinion as to the effectiveness of controls for the particular audit objective. Under the Framework, all five components must be present and operating effectively in order for management to have the necessary reasonable assurances. The internal auditor can not express an opinion as to the existence of reasonable assurance unless all five components are assessed. However, if a review of only one or a few of the components demonstrated that a component was missing or ineffective, the system of control could not provide the necessary reasonable assurance, and the auditor could so state in an opinion.
To meet the audit objectives under the Framework, internal auditors evaluate the elements of the five components of control:
1. For the Control Environment Component auditors assess
2. For the Risk Assessment Component auditors assess
3. For the Operational Control Activities Component auditors assess
4. For the Information and Communications Systems Component auditors assess
5. For the Effective Monitoring Component auditors assess
The objective of an internal audit is to form an opinion as to whether control systems provide managers with reasonable assurance that desired business outcomes will be achieved. To reach this conclusion, the auditor has to consider the issue of materiality. An effective control system should prevent, or detect and correct, "material" errors, omissions, fraud or other adversities that impact on achieving desired business outcomes.
The Internal Auditor's Role in Management Reporting on Internal Control, a research report published by the Research Foundation of the Institute of Internal Auditors, defines materiality as "any condition that has caused, or is likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization".
According to the research report, the control processes for identifying material weaknesses are working if, during the course of routine operations, the control system successfully identifies and addresses:
non-persistent and non-pervasive weaknesses that have caused, or are likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization.
Material weaknesses are persistent if the same problem appeared in prior periods; or the same problem has arisen elsewhere in the organization.
Material weaknesses are pervasive if the effects of the problem seriously imperil safeguarding of assets; or the effects of the problem seriously imperil the achievement of operating, reporting or compliance objectives.
A condition is "serious" if it has caused, or is likely to cause, errors, omissions, fraud or other adversities that increase business risk and possible consequent damages to the organization, but does not require senior managers to undertake immediate corrective actions to mitigate the associated impact on operations or outcomes.
This suggests that auditors have five decision options regarding a professional opinion about the system of controls:
Items three through five above are "Reportable Conditions". A "reportable condition" means that:
The research report indicates that as long as the control process identifies and corrects the problem, or assesses the consequences of inaction, regarding reportable conditions and material weaknesses, then it is unlikely that the reportable condition will be material and pervasive or persistent. If this is the case, then the control system is working. However, if the reportable conditions and material weaknesses were detected by the audit, but not by the control system, then the auditor should evaluate the circumstances and consider issuing a qualified or adverse opinion in the report.
It is the auditor's professional judgement that determines what "serious" and "material" actually mean in the context of a given audit. How does the auditor determine this? There are several ways, depending on the specific circumstances. Some examples are:
The threshold for reportable conditions should be evaluated during the planning phase of the audit work; discussed with senior management; and discussed with the responsible manager at the entrance conference. Prior to initiating substantive audit work, the auditor should have a clear and agreed upon definition of what will constitute a reportable condition for the activity or function being reviewed.
Both the SPPIA and the Framework address the ways that managers plan, organize and direct the organization's activities. Both seek to evaluate whether or not managers have reasonable assurance that risks will be minimized and the likelihood of achieving desired results maximized. The SPPIA approaches control from the auditor's perspective. The Framework approaches control from the manager's perspective. A full scope review under the Framework is more comprehensive than a full scope review under the SPPIA. This results from the concepts embodied in each of the Framework's five components of control.
For example, under the Framework's Control Environment component, in addition to reviewing how resources are organized and how authority and responsibility are assigned, there is a requirement to assess the ethics, integrity and competence of management and employees; the degree of training and development afforded to managers and employees; and the degree of attention and direction that management provides.
The Framework's Risk Assessment component takes an approach to analyzing objective setting and risk assessment that significantly expands on the concepts found in the SPPIA. The same is true for the approach taken in the Framework's Information and Communications Systems component.
The Framework's Operational Control Activities component and Effective Monitoring component most closely match the traditional issues evaluated through internal audits - establishment and execution of policies and procedures designed to achieve objectives; and monitoring/reporting activities designed to determine effective implementation of those policies and procedures.
As an integral part of establishing audit objectives, the auditor should clearly define the threshold for reportable conditions and materiality. In the traditional paradigm, the internal auditor would most likely to this unilaterally, based on professional judgement. When auditing under the Framework, defining materiality might be better accomplished with the active participation and agreement of management.
By using the manager's perspective, the Framework elevates the level at which internal auditors look at internal control. It moves internal auditing from the more traditional operational level to a strategic level. The beauty of the Framework is that although there is a shift in emphasis, it can be applied to audits of entire organizations, or to audits of individual organizational units, at a strategic level. The Framework provides the internal auditor with an excellent methodology for adding significant value to the organization, while maintaining compliance with the Standards for the Professional Practice of Internal Auditing.Copyright © 1995 Mark R. Simmons, All rights reserved