    8/14/2019 5._control_i.pdf

    STUDY UNIT FIVE

    CONTROL I

    5.1 Assessing Control  2
    5.2 Control Self-Assessment (CSA)  6
    5.3 Interim Reports, Disclosure, and Certification  11
    5.4 Auditing Financial Reporting  13
    5.5 Control Criteria  19
    5.6 Study Unit 5 Summary  20

    This is the first of two study units on control. It emphasizes pronouncements of The IIA and certain theoretical considerations. Study Unit 6 enlarges upon these considerations, especially with regard to control frameworks. It also extends to the implications of organizational structures and leadership styles and the management of change and conflict.

    Governance, risk, and control are interrelated concepts that are fundamental to the field of internal auditing and the work of internal auditors. Study Unit 3 primarily addressed their role in governance. Study Unit 4 primarily addressed the role of internal auditors in risk management. Study Units 5 and 6 relate to control.

    According to the definition of internal auditing, internal auditors help an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. The Glossary appended to the Standards defines control as follows:

    Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

    Practice Advisory 2100-1 provides another definition of control:

    Control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events that have occurred), or directive (to cause or encourage a desirable event to occur). The concept of a system of control is the integrated collection of control components and activities that are used by an organization to achieve its objectives and goals.

    The definition in Practice Advisory 2100-1 describes three categories of controls. When such controls are absent or are too costly relative to their benefits, mitigating (compensating) controls should be in place. Examples are supervisory review when segregation of duties (a preventive control) is not feasible or monitoring of budget variances in the absence of transaction processing controls.

    One General Performance Standard and one Specific Performance Standard are relevant to all subunits in this study unit.

    2100 Nature of Work: The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

    2120 Control: The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

    Copyright 2008 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com


    One Implementation Standard is relevant to the first four subunits.

    2120.A1 Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:

    Reliability and integrity of financial and operational information

    Effectiveness and efficiency of operations

    Safeguarding of assets

    Compliance with laws, regulations, and contracts

    Core Concepts

    Control is any action to enhance risk management and increase the probability of achieving objectives. The management functions of planning, organizing, and directing should provide reasonable assurance of achieving objectives.

    Controls may be preventive, detective, directive, or mitigating.

    The IAA evaluates the effectiveness and efficiency of controls and promotes continuous improvement.

    In assurance engagements, the IAA evaluates the adequacy and effectiveness of controls over governance, operations, and IS. The evaluation extends to reliability and integrity of information, effectiveness and efficiency of operations, safeguarding of assets, and compliance.

    The board is responsible for governance processes and obtaining assurance about risk management and control.

    The board relies on management to maintain effective control but reinforces that reliance with independent oversight.

    Internal auditors should determine the extent to which adequate criteria have been established to evaluate controls.

    5.1 ASSESSING CONTROL

    1. The following Practice Advisory addresses the role of the internal audit activity in evaluating the organization's control systems.

    a. PRACTICE ADVISORY 2120.A1-1: ASSESSING AND REPORTING ON CONTROL PROCESSES

    1. One of the tasks of a board of directors is to establish and maintain the organization's governance processes and obtain assurances concerning the effectiveness of the risk management and control processes. Senior management's role is to oversee the establishment, administration, and assessment of that system of risk management and control processes. The purpose of that multifaceted system of control processes is to support people of the organization in the management of risks and the achievement of the established and communicated objectives of the enterprise. More specifically, those control processes are expected to ensure, among other things, that the following conditions exist:

    Financial and operational information is reliable and possesses integrity.

    Operations are performed efficiently and achieve effective results.

    Assets are safeguarded.

    Actions and decisions of the organization are in compliance with laws, regulations, and contracts.


    2. Among the responsibilities of the organization's managers is the assessment of the control processes in their respective areas. Internal and external auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes in select activities and functions of the organization.

    3. Senior management and the audit committee normally expect that the chief audit executive will perform sufficient engagement work and gather other available information during the year so as to form a judgment about the adequacy and effectiveness of the control processes. The chief audit executive should communicate that overall judgment about the organization's system of controls to senior management and the audit committee. A growing number of organizations have included a management's report on the system of internal controls in their annual or periodic reports to external stakeholders.

    4. The chief audit executive should develop a proposed engagement plan for the coming year that ensures that sufficient information will be obtained to evaluate the effectiveness of the control processes. The plan should call for engagements or other procedures to gather relevant information about all major operating units and business functions. The engagement plan should also give special consideration to those operations most affected by recent or expected changes. Those changes in circumstances may result from marketplace or investment conditions, acquisitions and divestitures, or restructures and new ventures. The proposed plan should be flexible so that adjustments may be made during the year as a result of changes in management strategies, external conditions, or revised expectations about achieving the organization's objectives.

    5. In determining the proposed engagement plan, the chief audit executive should consider relevant work that will be performed by others. To minimize duplication and inefficiencies, the work planned or recently completed by management in its assessments of controls and quality improvement processes as well as the work planned by the external auditors should be considered in determining the expected coverage of the audit plan for the coming year.

    6. Finally, the chief audit executive should evaluate the coverage of the proposed plan from two viewpoints: adequacy across organizational entities and inclusion of a variety of transaction and business-process types. If the scope of the proposed engagement plan is insufficient to enable the expression of assurance about the organization's control processes, the chief audit executive should inform senior management and the audit committee of the expected deficiency, its causes, and the probable consequences.

    7. The challenge for the internal audit activity is to evaluate the effectiveness of the organization's system of controls based on the aggregation of many individual assessments. Those assessments are largely gained from internal auditing engagements, management's self-assessments, and external auditors' work. As the engagements progress, internal auditors should communicate, on a timely basis, the observations to the appropriate levels of management so that prompt action can be taken to correct or mitigate the consequences of discovered control discrepancies or weaknesses.


    8. Three key considerations in reaching an evaluation of the overall effectiveness of the organization's control processes are

    Were significant discrepancies or weaknesses discovered from the audit work performed and other assessment information gathered?

    If so, were corrections or improvements made after the discoveries?

    Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists, resulting in an unacceptable level of business risk?

    The temporary existence of a significant control discrepancy or weakness does not necessarily lead to the judgment that it is pervasive and poses an unacceptable residual risk. The pattern of discoveries, degree of intrusion, and level of consequences and exposures are factors to be considered in determining whether the effectiveness of the whole system of controls is jeopardized and unacceptable risks exist. The report of the chief audit executive on the state of the organization's control processes should be presented, usually once a year, to senior management and the audit committee.

    9. The report should emphasize the critical role played by the control processes in the quest to achieve the organization's objectives, and it should refer to major work performed by internal audit and to other important sources of information that were used to formulate the overall assurance judgment. The opinion section of the report is normally expressed in terms of negative assurance; that is, the engagement work performed for the period and other information gathered did not disclose any significant weaknesses in the control processes that have a pervasive effect. If the control deficiencies or weaknesses are significant and pervasive, the assurance section of the report may be a qualified or adverse opinion, depending on the projected increase in the level of residual risk and its impact on the organization's objectives.

    10. The target audiences for the annual report are senior executives and audit committee members. Because these readers have divergent understandings of auditing and business, the chief audit executive's annual report should be clear, concise, and informative. It should be composed and edited to be understandable by them and targeted to meet their informational needs. Its value to these readers can be enhanced by including major recommendations for improvement and information about current control issues and trends, such as technology and information security exposures, patterns of control discrepancies or weaknesses across business units, and potential difficulties in complying with laws or regulations.

    11. Ample evidence exists of an expectation gap surrounding the internal audit activity's work in evaluating and providing assurance about the state of control processes. One such gap exists between management and the audit committee's normally high expectations about the value of internal auditing services and the internal auditors' more modest expectations that derive from knowledge of practical limitations on audit coverage and from self-doubt about generating sufficient evidence to support an informed and objective judgment. The chief audit executive should be mindful of the possible gap between what is presumed by the report reader and what actually happened during the year. He or she should use the report as another way to address different mental models and to suggest improving the capacity of the function or reducing the constraints to access and audit effectiveness.


    PA Summary

    The board is responsible for governance processes and obtaining assurance about risk management and control. Senior management oversees the establishment, administration, and assessment of risk management and control processes. The purpose of control is to support risk management and achievement of objectives. Control ensures (1) the reliability and integrity of information; (2) efficient and effective performance; (3) safeguarding of assets; and (4) compliance with laws, regulations, and contracts.

    Each manager assesses control in his/her area. Auditors provide assurance about the effectiveness of risk management and control.

    The CAE should gather sufficient information to judge the adequacy and effectiveness of control. This judgment should be communicated to senior management and the board. Also, a management report on control may be included in annual or periodic reports to external parties.

    The IAA's proposed engagement plan should provide sufficient information to evaluate control. The plan should be flexible enough to permit adjustments during the year and should cover all major operations and functions. It also should give special consideration to operations most affected by recent or expected changes. Furthermore, the plan should consider relevant work that will be performed by others, including (1) management's assessments of control and quality processes and (2) the work planned by external auditors.

    The plan's coverage should be adequate across organizational entities and inclusive of transaction and business-process types. If the scope of the plan is insufficient to give assurance about control, the CAE should inform senior management and the audit committee about causes and probable consequences of the insufficiency.

    The evaluation of control combines many individual assessments. Communication of engagement observations should be timely.

    The overall evaluation of control considers whether (1) significant weaknesses or discrepancies exist, (2) corrections or improvements were made, and (3) a pervasive condition leading to unacceptable risk exists.

    Whether unacceptable risk exists because the effectiveness of the whole system of controls is jeopardized depends on the (1) pattern of discoveries, (2) degree of intrusion, and (3) level of consequences.

    The CAE's report on the organization's control processes should be presented, usually once a year, to senior management and the audit committee. The opinion section usually expresses negative assurance. But, a qualified or adverse opinion is expressed if the control deficiencies or weaknesses are significant and pervasive.

    The report should be clear, concise, and informative and targeted to the needs of senior management and the audit committee. It should contain major recommendations about current control issues and trends.

    The CAE should be aware of the expectation gap. One such gap is between high expectations about the value of internal auditing and the auditors' more modest expectations based on limitations on audit coverage and doubt about generating sufficient evidence to support an informed judgment. Another gap lies between what is presumed by the report reader and what actually happened. Thus, the CAE should use the report to suggest improving the capacity of the audit function or reducing the limits on access and audit effectiveness.


    5.2 CONTROL SELF-ASSESSMENT (CSA)

    1. The following Practice Advisory describes self-assessment methods and the role of the internal auditors in the process.

    a. PRACTICE ADVISORY 2120.A1-2: USING CONTROL SELF-ASSESSMENT FOR ASSESSING THE ADEQUACY OF CONTROL PROCESSES

    1. Senior management is charged with overseeing the establishment, administration, and evaluation of the processes of risk management and control. Operating managers' responsibilities include assessment of the risks and controls in their units. Internal and external auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes of the organization. Both managers and auditors have an interest in using techniques and tools that sharpen the focus and expand the efforts to assess risk management and control processes that are in place and to identify ways to improve their effectiveness.

    2. A methodology encompassing self-assessment surveys and facilitated workshops called CSA is a useful and efficient approach for managers and internal auditors to collaborate in assessing and evaluating control procedures. In its purest form, CSA integrates business objectives and risks with control processes. Control self-assessment is also referred to as control/risk self-assessment or CRSA. Although CSA practitioners use a number of differing techniques and formats, most implemented programs share some key features and goals. An organization that uses self-assessment will have a formal, documented process that allows management and work teams, who are directly involved in a business unit, function, or process, to participate in a structured manner for the purpose of

    Identifying risks and exposures

    Assessing the control processes that mitigate or manage those risks

    Developing action plans to reduce risks to acceptable levels

    Determining the likelihood of achieving the business objectives

    3. The outcomes that may be derived from self-assessment methodologies are

    People in the business units become trained and experienced in assessing risks and associating control processes with managing those risks and improving the chances of achieving business objectives.

    Informal, soft controls are more easily identified and evaluated.

    People are motivated to take ownership of the control processes in their units, and corrective actions taken by the work teams are often more effective and timely.

    The entire objectives-risks-controls infrastructure of an organization is subject to greater monitoring and continuous improvement.

    Internal auditors become involved in and knowledgeable about the self-assessment process by serving as facilitators, scribes, and reporters for the work teams and as trainers of risk and control concepts supporting the CSA program.


    Internal audit activity acquires more information about the control processes within the organization and can leverage that additional information in allocating their scarce resources so as to spend a greater effort in investigating and performing tests of business units or functions that have significant control weaknesses or high residual risks.

    Management's responsibility for the risk management and control processes of the organization is reinforced, and managers will be less tempted to abdicate those activities to specialists, such as auditors.

    The primary role of the internal audit activity will continue to include the validation of the evaluation process by performing tests and the expression of its professional judgment on the adequacy and effectiveness of the whole risk management and control systems.

    4. The wide variety of approaches used for CSA processes in organizations reflects the differences in industry, geography, structure, organizational culture, degree of employee empowerment, dominant management style, and the manner of formulating strategies and policies. That observation suggests that the success of a particular type of CSA program in one enterprise may not be replicated in another organization. The CSA process should be customized to fit the unique characteristics of each organization. Also, it suggests that a CSA approach needs to be dynamic and change with the continual development of the organization.

    5. The three primary forms of CSA programs are facilitated team workshops, surveys, and management-produced analysis. Organizations often combine more than one approach.

    6. Facilitated team workshops gather information from work teams representing different levels in the business unit or function. The format of the workshop may be based on objectives, risks, controls, or processes.

    Objective-based format focuses on the best way to accomplish a business objective. The workshop begins by identifying the controls presently in place to support the objective and then determining the residual risks remaining. The aim of the workshop is to decide whether the control procedures are working effectively and are resulting in residual risks within an acceptable level.

    Risk-based format focuses on listing the risks to achieving an objective. The workshop begins by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving an objective and then examining the control procedures to determine if they are sufficient to manage the key risks. The aim of the workshop is to determine significant residual risks. This format takes the work team through the entire objective-risks-controls formula.

    Control-based format focuses on how well the controls in place are working. This format is different from the two above because the facilitator identifies the key risks and controls before the beginning of the workshop. During the workshop, the work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.


    Process-based format focuses on selected activities that are elements of a chain of processes. The processes are usually a series of related activities that go from some beginning point to an end, such as the various steps in purchasing, product development, or revenue generation. This type of workshop usually covers the identification of the objectives of the whole process and the various intermediate steps. The aim of the workshop is to evaluate, update, validate, improve, and even streamline the whole process and its component activities. This workshop format may have a greater breadth of analysis than a control-based approach by covering multiple objectives within the process and by supporting concurrent management efforts, such as reengineering, quality improvement, and continuous improvement initiatives.

    7. The survey form of CSA uses a questionnaire that tends to ask mostly simple Yes/No or Have/Have Not questions that are carefully written to be understood by the target recipients. Surveys are often used if the desired respondents are too numerous or widely dispersed to participate in a workshop. They are also preferred if the culture in the organization may hinder open, candid discussions in workshop settings or if management desires to minimize the time spent and costs incurred in gathering the information.

    8. The form of self-assessment called management-produced analyses covers most other approaches by management groups to produce information about selected business processes, risk management activities, and control procedures. The analysis is often intended to reach an informed and timely judgment about specific characteristics of control procedures and is commonly prepared by a team in a staff or support role. The internal auditor may synthesize this analysis with other information to enhance the understanding about controls and to share the knowledge with managers in business or functional units as part of the organization's CSA program.

    9. All self-assessment programs assume that managers and members of the work teams possess an understanding of risks and control concepts and use those concepts in communications. For training sessions, to facilitate the orderly flow of workshop discussions and as a check on the completeness of the overall process, organizations often use a control framework, such as the COSO (Committee of Sponsoring Organizations) and CoCo (Canadian Criteria of Control Board) models.

    10. In the typical CSA facilitated workshop, a report will be largely created during the deliberations. A group consensus will be recorded for the various segments of the discussions, and the group will review the proposed final report before the end of the final session. Some programs will use anonymous voting techniques to ensure the free flow of information and viewpoints during the workshops and to aid in negotiating differences between viewpoints and interest groups.


    11. Internal audit's investment in some CSA programs is fairly significant. It may sponsor, design, implement and, in effect, own the process; conduct the training; supply the facilitators, scribes, and reporters; and orchestrate the participation of management and work teams. In other CSA programs, internal audit's involvement is minimal, serving as interested party and consultant of the whole process and as ultimate verifier of the evaluations produced by the teams. In most programs, internal audit's investment in the organization's CSA efforts is somewhere between the two extremes described above. As the level of internal audit's involvement in the CSA program and individual workshop deliberations increases, the chief audit executive should monitor the objectivity of the internal audit staff, take steps to manage that objectivity (if necessary), and augment internal audit testing to ensure that bias or partiality do not affect the final judgments of the staff. Standard 1120 states: "Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest."

    12. A CSA program augments the traditional role of the internal audit activity by assisting management in fulfilling its responsibilities to establish and maintain risk management and control processes and to evaluate the adequacy of that system. Through a CSA program, the internal audit activity and the business units and functions collaborate to produce better information about how well the control processes are working and how significant the residual risks are.

    13. Although providing staff support for the CSA program as facilitator and specialist, the internal audit activity often finds that it may reduce the effort spent in gathering information about control procedures and eliminate some testing. A CSA program should increase the coverage of assessing control processes across the organization, improve the quality of corrective actions made by the process owners, and focus internal audit's work on reviewing high-risk processes and unusual situations. It can focus on validating the evaluation conclusions produced by the CSA process, synthesizing the information gathered from the components of the organization, and expressing its overall judgment about the effectiveness of controls to senior management and the audit committee.


    PA Summary

    Senior managementoversees the processes of risk management and control(RMC). Operating managersassess risks and controls in their units. Auditorsprovide assurance about the effectiveness of RMC processes. All want to

    (1)sharpen the focus of, and expand efforts to assess, RMC processes and(2) improve their effectiveness.

    Control self-assessment (CSA) is a collaboration between managers and auditorstoevaluate control. CSAintegrates business objectives and risks withcontrol processes. Programs vary but share key features. Aformal,documented process allows those directly involved to participate in (1) identifyingrisks and exposures, (2) assessing relevant controls, (3) developing plans, and(4) estimating the probability of achieving objectives.

    Outcomesof CSA may include (1)trainingin assessment of the objectives-risks-controls infrastructure, (2) recognition of softcontrols, (3) willingness to takeownership of control that results in more effective and timelycorrective action,(4) greater monitoring and continuous improvement, (5) greaterinternal auditor

    knowledge of CSA, (6)more informationabout control and betterallocation ofresources to audits of control, (7) reinforcement of managementsresponsibility for control, and (8) continuation of the IAAs primary role invalidation of the evaluation processby testing and expressing judgment on theadequacy and effectiveness of the RMC process.

    Thevariety of approaches used for CSA reflects the differences amongorganizations. Accordingly, the CSA process should be customized to fit theorganization. CSA also should change as the organization develops.

    Thefacilitated team workshopform of CSA may be based on (1) objectives,(2) risks, (3) controls, or (4) processes. Afinal reportshould reflect the groupconsensus.

    Objective-based format focuses on the best way to accomplish an objective. It identifies relevant controls and determines the residual risks. The aim is to decide whether controls are effective and result in acceptable residual risks.

    Risk-based format focuses on listing the risks to achieving an objective and examining the controls to determine whether they suffice to manage the key risks. The aim is to determine significant residual risks.

    Control-based format differs because the facilitator identifies the key risks and controls before the workshop begins. The work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim is to analyze the gap between actual and expected performance of controls.

    Process-based format focuses on selected activities in a chain of processes. The processes are a series of related activities from a beginning to an end, such as the steps in purchasing. This workshop format identifies the objectives of the whole process and the intermediate steps. The aim is to improve the whole process and its activities. This format may have greater breadth than a control-based approach. It covers multiple objectives within the process and supports such efforts as reengineering, quality improvement, and continuous improvement.

    The survey form of CSA uses a simple questionnaire. Surveys are often used when a workshop is impracticable, the culture may hinder open discussions, or the time spent and costs incurred must be minimized.

    The management analysis form of CSA often addresses specific aspects of control and is prepared by support staff. The internal auditor may combine this and other information to better understand controls and to share knowledge with managers.


    CSA programs assume an understanding of risk and control concepts. Thus, CSA often uses a control framework, e.g., COSO or CoCo, that facilitates training and discussion and serves as a check on the completeness of the process.

    Internal audit's involvement in CSA may range from ownership of the process to service as a consultant. As involvement in the CSA program and workshop deliberations increases, the CAE should monitor the objectivity of the internal audit staff, manage that objectivity (if necessary), and augment testing to ensure that bias does not affect final judgments.

    The IAA and business units collaborate in CSA to produce better information about the effectiveness of controls and the significance of residual risks.

    A CSA program may reduce the audit effort devoted to control. It should increase the coverage of control assessments, improve the quality of corrective action, and focus audit work on reviewing high-risk processes and unusual situations.

    5.3 INTERIM REPORTS, DISCLOSURE, AND CERTIFICATION

    1. The following is adapted from a Practice Advisory. It covers the role of internal auditors with respect to certain legislative and regulatory requirements. These enactments are responses to scandals that have undermined investor confidence.

    a. The strength of all financial markets depends on investor confidence. Events involving allegations of misdeeds by business executives, independent auditors, and other market participants have undermined that confidence. In response to this threat, a growing number of legislative bodies and regulatory agencies in various countries have passed legislation and regulations affecting disclosures and financial reporting.

    b. Recommended actions for internal auditors. The following actions and considerations are offered to internal auditors as value-added services that can be provided regarding interim financial reports, disclosures, and management certifications.

    1) The internal auditor's role in such processes may range from initial designer of the process to participant on a disclosure committee, to coordinator or liaison between management and its auditors, or to independent assessor of the process.

    2) All internal auditors involved in interim reporting and disclosure processes should have a clearly defined role and should evaluate their responsibilities against the applicable IIA Consulting and Assurance Standards and the guidance contained in related Practice Advisories.

    3) Internal auditors should ensure that organizations have a formal policy and documented procedures to govern processes for interim financial reports, related disclosures, and regulatory reporting requirements. Appropriate review of any policies and procedures by attorneys, external auditors, and other experts can offer additional comfort that policies and procedures are comprehensive and accurately reflect applicable requirements.


    4) Internal auditors should encourage organizations to establish a disclosure committee to coordinate the process and provide oversight to participants. Key areas of the organization should be represented on the committee, including key financial managers, legal counsel, risk management, internal audit, and any area providing input or data for the regulatory filings and disclosures. Normally the chief audit executive (CAE) should be a member of the disclosure committee. Consideration should be given to the CAE's status on the committee. CAEs who serve as committee chairs or regular or voting members need to be aware of independence considerations and are advised to review IIA Standards and related Practice Advisories for guidance and required disclosures. Status as an ex-officio member normally would not create independence problems.

    5) Internal auditors should periodically review and evaluate interim reporting and disclosure processes, disclosure committee activities, and related documentation and provide management and the audit committee with an assessment of the process and assurance concerning overall operations and compliance with policies and procedures. Internal auditors whose independence may be impaired due to their assigned role in the process should ensure that management and the audit committee are able to obtain appropriate assurance about the process from other sources. Other sources can include internal self-assessments as well as third parties such as external auditors and consultants.

    6) Internal auditors should recommend appropriate improvements to the policies, procedures, and process for interim reporting and related disclosures based on the results of an assessment of related activities. Recommended best practices for such activities may include all, or components of, the following tools and procedures, depending on the specific process used by each organization:

    a) Properly documented policies, procedures, controls, and monitoring reports

    b) Interim period checklist of procedures and key control elements

    c) Standardized control reports on key disclosure controls

    d) Management self-assessments (such as CSA)

    e) Sign-offs or representation statements from key managers

    f) Review of draft regulatory filings prior to submission

    g) Process maps to document the source of data elements for regulatory filings, key controls, and responsible parties for each element

    h) Follow-up on previously reported outstanding items

    i) Consideration of internal audit reports issued during the period

    j) Special or specifically targeted reviews of high-risk, complex, and problem areas, including material accounting estimates, reserve valuations, off-balance sheet activities, major subsidiaries, joint ventures, and special-purpose entities

    k) Observation of the closing process for the financial statements and related adjusting entries, including waived adjustments

    l) Conference calls with key management from remote locations to ensure appropriate consideration of and participation by all major components of the organization

    m) Review of potential and pending litigation and contingent liabilities

    n) CAE report on internal control, issued at least annually and possibly more frequently

    o) Regularly scheduled disclosure and audit committee meetings


    7) Internal auditors should compare processes for complying with legal or regulatory requirements for interim reporting and disclosures with those for assessing and publicly reporting on internal controls. Processes designed to be similar or compatible will contribute to operational efficiencies and reduce the likelihood or risk for problems and errors to occur or go undetected. While processes and procedures may be similar, it is possible that the internal auditor's role may vary. In some organizations, the work of internal auditors may form the basis for management's assertions about internal control. But in other organizations internal auditors may be called upon to evaluate a required assessment by management.

    a) The nature of internal audit's work, and of its use, can potentially affect the treatment or degree of reliance placed upon the internal auditors' work by the external auditor. Internal auditors should ensure that each participant's role is clarified and activities are coordinated and agreed upon with management and the external auditors.

    b) In organizations in which management conducts its own assessment of controls as the basis for an opinion, internal auditors should evaluate management's assessment and supporting documentation.

    c) Internal auditors should evaluate how internal audit report comments are classified and ensure that comments that may be subject to disclosure in interim reports or an annual report on internal controls are appropriately communicated to management and the audit committee. Extra care should be taken to ensure such comments are adequately resolved in a timely manner.

    5.4 AUDITING FINANCIAL REPORTING

    1. The Practice Advisory in this subunit complements the material in the prior subunit. It too addresses the internal auditor's role in responding to requirements for organizations to improve their governance and financial reporting processes.

    a. PRACTICE ADVISORY 2120.A1-4: AUDITING THE FINANCIAL REPORTING PROCESS

    1. The published reports of corporate governance failures in various countries underscore the need for change to achieve greater accountability and transparency by all organizations -- profit-making, nonprofit, and governmental. Senior management, boards of directors, internal auditors, and external auditors are the cornerstones of the foundation on which effective organizational governance is built. The internal audit activity plays a key role in support of good organizational governance; it has a unique position to assist in improving an organization's operations by evaluating and improving the effectiveness of risk management, control, and governance processes. Recent initiatives have put the spotlight on the need for senior management to be more accountable for the information contained in an organization's financial reports. Senior management and the audit committee of many organizations are requesting additional services from the internal audit activity to improve the governance and financial reporting processes. These requests include evaluations of the organization's internal controls over financial reporting and the reliability and integrity of its financial report.


    Reporting on the Effectiveness of Internal Control

    6. The CAE should provide to the audit committee internal audit's assessment of the effectiveness of the organization's system of controls, including its judgment on the adequacy of the control model or design. A governing board must rely on management to maintain an adequate and effective internal control system. It will reinforce that reliance with independent oversight. The board or its audit (or other designated) committee should ask the following questions, and the CAE may be expected to assist in answering them.

    (a) Is there a strong ethical environment and culture?

    Do board members and senior executives set examples of high integrity?

    Are performance and incentive targets realistic, or do they create excessive pressure for short-term results?

    Is the organization's code of conduct reinforced with training and top-down communication? Does the message reach the employees in the field?

    Are the organization's communication channels open? Do all levels of management get the information they need?

    Is there zero tolerance for fraudulent financial reporting at any level?

    (b) How does the organization identify and manage risks?

    Is there a risk management process, and is it effective?

    Is risk managed throughout the organization?

    Are major risks candidly discussed with the board?

    (c) Is the control system effective?

    Are the organization's controls over the financial reporting process comprehensive, including preparation of financial statements, related notes, and the other required and discretionary disclosures that are an integral part of the financial reports?

    Do senior and line management demonstrate that they accept control responsibility?

    Is there an increasing frequency of surprises occurring at the senior management, board, or public levels from the organization's reported financial results or in the accompanying financial disclosures?

    Is there good communication and reporting throughout the organization?

    Are controls seen as enhancing the achievement of objectives or as a necessary evil?

    Are qualified people hired promptly, and do they receive adequate training?

    Are problem areas fixed quickly and completely?


    (d) Is there strong monitoring?

    Is the board independent of management, free of conflicts of interest, well informed, and inquisitive?

    Does internal audit have the support of senior management and the audit committee?

    Do the internal and external auditors have and use open lines of communication and private access to all members of senior management and the audit committee?

    Is line management monitoring the control process?

    Is there a program to monitor outsourced processes?

    7. Internal controls cannot ensure success. Bad decisions, poor managers, or environmental factors can negate controls. Also, dishonest management may override controls and ignore or stifle communications from subordinates. An active and independent governing board that is coupled with open and truthful communications from all components of management and is assisted by capable financial, legal, and internal audit functions is capable of identifying problems and providing effective oversight.

    Roles for the Internal Auditor

    8. The CAE needs to review internal audit's risk assessment and audit plans for the year if adequate resources have not been committed to helping senior management, the audit committee, and the external auditor with their responsibilities in the upcoming year's financial reporting regimen. The financial reporting process encompasses the steps to create the information and prepare financial statements, related notes, and other accompanying disclosures in the organization's financial reports.

    9. The CAE should allocate internal audit's resources to the financial reporting, governance, and control processes consistent with the organization's risk assessment. The CAE should perform procedures that provide a level of assurance to senior management and the audit committee that the controls surrounding the processes supporting the development of financial reports are adequately designed and effectively executed. The controls should be adequate to ensure the prevention and detection of significant errors, irregularities, incorrect assumptions and estimates, and other events that could result in inaccurate or misleading financial statements, related notes, or other disclosures.

    10. The following lists suggest topics that the CAE may consider in supporting the organization's governance process and the oversight responsibilities of the governing board and its audit committee (or other designated committee) to ensure the reliability and integrity of financial reports.

    (a) Financial Reporting

    Providing information relevant to the appointment of the independent accountants.

    Coordinating audit plans, coverage, and scheduling with the external auditors.

    Sharing audit results with the external auditors.


    Communicating pertinent observations with the external auditors and audit committee about accounting policies and policy decisions (including accounting decisions for discretionary items and off-balance-sheet transactions), specific components of the financial reporting process, and unusual or complex financial transactions and events (e.g., related-party transactions, mergers and acquisitions, joint ventures, and partnership transactions).

    Participating in the financial reports and disclosures review process with the audit committee, external auditors, and senior management; evaluating the quality of the financial reports, including those filed with regulatory agencies.

    Assessing the adequacy and effectiveness of the organization's internal controls, specifically those controls over the financial reporting process; this assessment should consider the organization's susceptibility to fraud and the effectiveness of programs and controls to mitigate or eliminate those exposures.

    Monitoring management's compliance with the organization's code of conduct and ensuring that ethical policies and other procedures promoting ethical behavior are being followed; an important factor in establishing an effective ethical culture in the organization is when members of senior management set a good example of ethical behavior and provide open and truthful communications to employees, the board, and outside stakeholders.

    (b) Corporate Governance

    Reviewing corporate policies relating to compliance with laws and regulations, ethics, conflicts of interest, and the timely and thorough investigation of misconduct and fraud allegations.

    Reviewing pending litigation or regulatory proceedings bearing on organizational risk and governance.

    Providing information on employee conflicts of interest, misconduct, fraud, and other outcomes of the organization's ethical procedures and reporting mechanisms.

    (c) Corporate Control

    Reviewing the reliability and integrity of the organization's operating and financial information compiled and reported by the organization.

    Performing an analysis of the controls for critical accounting policies and comparing them with preferred practices (e.g., transactions in which questions are raised about revenue recognition or off-balance-sheet accounting treatment should be reviewed for compliance with appropriate generally accepted accounting standards).

    Evaluating the reasonableness of estimates and assumptions used in preparing operating and financial reports.

    Ensuring that estimates and assumptions included in disclosures or comments are in line with underlying organizational information and practices and with similar items reported by other companies, if appropriate.

    Evaluating the process of preparing, reviewing, approving, and posting journal entries.

    Evaluating the adequacy of controls in the accounting function.


    PA Summary

    Corporate governance failures underscore the need for greater accountability and transparency by all organizations. Senior management, boards, and auditors are the basis for effective governance. Many organizations are requesting additional services from the IAA to improve the governance and financial reporting processes, including evaluations of controls over financial reporting and the reliability and integrity of financial reports.

    The core role of the CAE is to ensure that the audit committee receives the support and assurance services it needs and requests. One of its primary objectives is oversight of financial reporting to ensure reliability and fairness. The IAA typically performs sufficient work and gathers other information to form an opinion on the adequacy and effectiveness of control. The CAE communicates that evaluation to the committee, which evaluates the report and may incorporate its conclusion in its report to the governing board.

    The IAA's work plans and specific assurance engagements begin with identification of risk exposures, and its work plan is based on the risks and the assessment of the RMC processes that mitigate those risks. Among the matters considered are (1) new businesses, products, and systems; (2) joint ventures and partnerships; (3) restructurings; (4) estimates, budgets, and forecasts; (5) environmental issues; and (6) compliance.

    The most effective control guidance is the Internal Control - Integrated Framework, by the Committee of Sponsoring Organizations (COSO). But another recognized and credible model may be used unless the law requires otherwise. Control is defined broadly. It is not limited to accounting control and financial reporting. Other aspects of the business are important, such as resource protection, efficiency and effectiveness, and compliance. These factors also affect financial reporting. Control is management's responsibility and requires everyone's participation. The framework is tied to business objectives and should be adaptable.

    The IAA's report on control assesses effectiveness but also includes a judgment on the adequacy of the control model or design. The board relies on management to maintain effective control but reinforces that reliance with independent oversight. The board should ask, and the CAE assist in answering, questions about (1) the ethical environment and culture, (2) how risks are identified and managed, (3) the effectiveness of control, and (4) the strength of monitoring.

    Internal controls cannot ensure success because bad decisions, poor or dishonest managers, or environmental factors can negate controls. The CAE must review the risk assessment and audit plans for the year if adequate resources have not been committed to the financial reporting regimen. The financial reporting process involves creating information and preparing statements, notes, and disclosures in financial reports. IAA resources should be allocated to financial reporting, governance, and control processes in accordance with the risk assessment.

    Audit procedures should provide assurance that controls over financial reporting are adequately designed and effectively executed. Controls should ensure the prevention and detection of significant errors, irregularities, incorrect assumptions and estimates, and other events that could misstate financial statements, notes, or disclosures.

    The CAE considers many factors related to financial reporting, corporate governance, and corporate control when supporting the governance process. The purpose is to ensure the reliability of financial reports.


    5.5 CONTROL CRITERIA

    1. This subunit addresses the first element of the control process: establishing standards for the program or operation to be controlled. The topic is covered in three Assurance Implementation Standards, two Consulting Implementation Standards, and two Practice Advisories.

    2. 2120.A2 Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

    3. 2120.A3 Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

    4. 2120.A4 Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.

    a. PRACTICE ADVISORY 2120.A4-1: CONTROL CRITERIA

    1. Internal auditors should evaluate the established operating targets and expectations and should determine whether those operating standards are acceptable and are being met. When such management targets and criteria are vague, authoritative interpretations should be sought. If internal auditors are required to interpret or select operating standards, they should seek agreement with engagement clients as to the criteria needed to measure operating performance.

    PA Summary

    Internal auditors should evaluate operating targets and expectations and whether they are acceptable and being met. If operating criteria are vague, the IAA seeks authoritative guidance. If the IAA must interpret or select criteria, agreement with the client should be sought.

    5. 2120.C1 During consulting engagements, internal auditors should address controls consistent with the engagement's objectives and should be alert to the existence of any significant control weaknesses.


    6. 2120.C2 Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

    a. PRACTICE ADVISORY 1000.C1-2: ADDITIONAL CONSIDERATIONS FOR FORMAL CONSULTING ENGAGEMENTS

    The following is the portion of this comprehensive Practice Advisory relevant to Standards 2120.C1 and 2120.C2:

    14. Internal auditors should be observant of the effectiveness of risk management and control processes during formal consulting engagements. Substantial risk exposures or material control weaknesses should be brought to the attention of management. In some situations, the auditor's concerns should also be communicated to executive management, the audit committee, or the board of directors. Auditors should use professional judgment (a) to determine the significance of exposures or weaknesses and the actions taken or contemplated to mitigate or correct these exposures or weaknesses and (b) to ascertain the expectations of executive management, the audit committee, and board in having these matters reported.

    PA Summary

    In formal consulting engagements, material risk exposures and control weaknesses observed should be reported, in some cases, to executive management, the audit committee, or the board.

    5.6 STUDY UNIT 5 SUMMARY

    1. The board establishes the governance process and obtains assurance about the system of risk management and controls. Senior management oversees establishment, administration, and assessment of that system. Each manager assesses control in his/her area. Auditors provide assurance about the effectiveness of risk management and control. The CAE should gather sufficient information to judge the adequacy and effectiveness of control. This judgment should be communicated to management and the board. Also, management may report on control to external parties.

    2. CSA is a collaboration between managers and internal auditors to evaluate control. Programs vary but share key features. A formal, documented process allows those directly involved to participate in (a) identifying risks and exposures, (b) assessing relevant controls, (c) developing plans, and (d) estimating the probability of achieving objectives.

    3. An organization may be subject to legal and regulatory requirements for interim reports, disclosures, and management certifications. Applicable laws or regulations also may require management to report on controls. The internal auditor's roles in these processes may vary from designer of the process to an assessor of the process.

    4. The IIA's favored control framework is the COSO model, but other frameworks may be appropriate. It (a) defines control broadly, (b) stresses all important aspects of the business, (c) states that management is responsible for control, and (d) ties the framework to business objectives.

    5. If operating criteria are vague, the IAA seeks authoritative guidance. If the IAA mustinterpret or select criteria, agreement with clients should be sought.
