Articles on Internal Auditing

COSO - The Framework for Internal Control:
A Strategic Approach to Internal Audits
Compiled by Mark R. Simmons, CIA CFE

In 1992, the American Institute of Certified Public Accountants, the Institute of Internal Auditors, the American Accounting Association, the Institute of Management Accountants and the Financial Executives Institute issued a jointly prepared body of work entitled Internal Control - An Integrated Framework. This authoritative document identifies the fundamental and essential objectives of any business or government entity: economy and efficiency of operations, including safeguarding of assets and achievement of desired outcomes; reliability of financial and management reports; and compliance with laws and regulations.

To achieve quality, processes must first be in control. To improve quality, controlled processes must be measured and evaluated to identify obstacles to success. Effective internal control opens the door that leads to achievement of success. The approach presented by the Framework goes directly to the one key issue of any business - is there reasonable assurance of achieving our mission, objectives, goals and desired outcomes, while adhering to laws and regulations; and can we accurately report our success and outcomes to the public and interested third parties.

The Framework describes a unified approach for evaluation of the internal control systems that management has designed to provide reasonable assurance of achieving the fundamental business objectives described above.

What is Internal Control?

Internal control is a broadly defined process, effected by people, designed to provide reasonable assurance regarding the achievement of the following three objectives that all businesses strive for:

1. Economy and efficiency of operations, including achievement of performance goals and safeguarding of assets against loss;

2. Reliable financial and operational data and reports; and

3. Compliance with laws and regulations

What is Needed to Help Assure the Achievement of these Primary Business Objectives ?

A. A SOUND CONTROL ENVIRONMENT

* Managers and employees who possess integrity, ethical values and competence;

* Management's philosophy and operating style;

* Proper assignment of authority and responsibility;

* Proper organization of available resources;

* Proper training and development of people; and

* Proper attention and direction from senior management.

B. A SOUND RISK ASSESSMENT PROCESS

* An awareness of and ability to deal with the risks and obstacles to successful achievement of business objectives;

* Establishment by management of a set of objectives that integrate all the organization's resources so that the organization operates in concert; and

* Identification, analysis and management of the risks and obstacles to successful achievement of the three primary business objectives.

C. SOUND OPERATIONAL CONTROL ACTIVITIES

* The establishment and execution of policies and procedures to help ensure effective implementation of the actions identified by management as being necessary to address risks and obstacles to achievement of business objectives.

(These control activities help ensure that management's directives are carried out; occur at all levels of the organization; and in all activities, units and functions. Examples include authorizations, reviews of operating performance, security of assets, and segregation of duties.)

D. A SOUND INFORMATION AND COMMUNICATIONS SYSTEM

* Information systems produce reports, containing operational, financial and compliance related information, that make it possible to run and control a business. They deal with internally generated data as well as the external activities, conditions and events necessary to informed business decision making and external reporting.

* The organization's people must be able to capture and exchange the information needed to conduct, manage and control operations.

* Pertinent information must be identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities.

* Effective communication must flow down, up and across the organization. (This includes a clear message from top management to all personnel that control responsibilities must be taken seriously.)

* All personnel must understand their own role in the internal control system, as well as how their individual activities relate to the work of others.

* All personnel must have a means of communicating significant information upstream.

* There must be effective communication with external parties.

E. EFFECTIVE MONITORING

* The entire control system must be monitored to assess the quality of the system's performance over time.
(Ongoing monitoring, which should occur in the normal course of operations, includes such things as regular management and supervisory activities; and actions personnel take in performing their duties.)

* Internal deficiencies should be reported upstream, with serious matters reported to top management.

* There should also be separate, independent evaluations of the internal control system. The scope and frequency of these independent evaluations depend primarily on the assessment of risks and obstacles, and the effectiveness of ongoing monitoring procedures.

Collectively, the three primary business objectives and the five components needed to achieve those objectives constitute the internal control framework.

How Can We Assess the Effectiveness of the Internal Control System?

When looking at any one of the three primary business objectives, all five components of the control system must be present and functioning effectively in order to conclude that internal controls over operations are effective.

While internal control is a process, its effectiveness is a state or condition of the process at a fixed point in time. When an internal control system meets the following standard, it can be deemed "effective":

"Internal Control can be judged effective for each of the three business objectives if management have reasonable assurance that they understand the extent to which the organization's objectives are being met; financial and management reports are being prepared reliably; and applicable laws and regulations are being complied with."

Determining whether a particular internal control system is "effective" is a subjective judgement resulting from an assessment of whether the five components of control are present and functioning effectively. Their effective functioning provides the "reasonable assurance" regarding achievement of the primary objectives. The components thus form the criteria for effective control.

Internal audits can use the Framework to focus on three different levels of control:

1. Strategic
planning, organizing and directing activities that address achieving the long range mission and objectives of the entity under review.

2. Tactical
planning, organizing and directing activities that address achieving short term (annual) objectives and goals of the entity under review that lead to success in achieving the entity's strategic mission and objectives.

3. Operational
planning, organizing and directing controls that address the day- to-day operations of the entity.

Using a survey tool based upon the five components, internal audits can be conducted at a strategic, rather than operational, level. These strategic internal audits can be designed to gather testimonial and documentary evidence to either support achievement of the standard for effective internal control; or to identify to senior managers deficiencies and improvement opportunities for achieving effective internal control. Essentially, this means assessing planning activities; the means of measuring accomplishment; the reliability of data used to benchmark, report and measure; and the resources used to achieve outcomes. The Framework approach provides an ideal vehicle for adding value to the organization.

Some specific issues that internal auditors might look at include:

  • Management Plans
  • Management Objectives
  • Communication of Desired Outcomes and the Policies and Procedures to achieve outcomes
  • Written Standards to Measure Achievement of Desired Outcomes
  • Assignment of Responsibility and Granting of Authority
  • Budget vs Workloads
  • Staffing Efficiency
  • Communications
  • Process Measurement
  • Corrective Actions Taken and Measures of Success
  • Outcome Measurement and Reporting Systems

To accomplish strategic internal audits most effectively, the audit process should start at the top of the organization with interviews of senior executives. This provides for a professional assessment at the highest levels of operation; a benchmark against which to compare lower level strategic internal control activities; and a clear message of support for the strategic internal audit process.

Copyright © 1995 Mark R. Simmons, All rights reserved

Home | Bio | Internal Auditing | Fraud Investigation | Request to Reprint | Privacy | Site Map

© 1996-2013 Mark R Simmons, CIA, CFE. All rights reserved. Updated 25-Mar-2013