Knowledge of internal controls is the most basic of all internal audit skills. However, auditors are not responsible for internal controls--management is. Auditors are responsible for providing management with information about how internal controls are working.
The formal definition of internal control in the United States comes from the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control-Integrated Framework. Auditors must be able to interpret the framework to help management carry out its responsibilities.

Defining Internal Control

According to COSO, internal control is a process to provide reasonable assurance of accomplishing objectives. Specifically, it helps achieve objectives relating to reliability of financial reporting, compliance with laws and regulations, and effectiveness and efficiency of operations. There are five steps, or components, in COSO's internal control framework, all of which are management's responsibility to perform. COSO presents the internal control components as a pyramid, with control environment as the base, risk assessment and control activities the next levels up, information and communication near the top, and monitoring at the peak.

Control Environment

The control environment contains informal, and often intangible, soft controls, such as ethics, integrity, management philosophy, and commitment to competence, as well as more formal controls like organizational structure and assignment of roles and responsibilities. All of the other components of control depend on the solidity of this base. If times are good, and a company's stock price stays high, any weaknesses in the base of the pyramid may not be apparent. However, when times get tough, the control environment may begin to experience pressure resulting from management's desire for consistent earnings, bonuses, and other short-term goals. Thus, internal controls that are adequate during good times may need to be strengthened when times are tough. Managers and internal auditors need to understand the status of the factors at the base of the pyramid, not to change them, but to consider their impact on the other control components.
The nature of many of the soft controls is such that they can only be assessed by the employees. To understand the control environment, auditors interview employees and use self-assessment workshops and questionnaires. When informal controls are included in audit reports, the evidence supporting their status is the result of these self-assessments.

Risk Assessment

During a risk assessment, management identifies and analyzes risks to the achievement of its objectives and forms a basis for determining how the risks should be managed. Management should have identified and initiated measures to mitigate the important risks, based on their probability and impact, before the auditors begin an audit. The auditors should then evaluate the risk assessment process. It is not feasible for risk assessments to ensure that absolutely all risks have been identified and addressed. The discussions held during the risk assessment process, where a group determines what to do about three or four of the most important risks related to an objective, are the purpose of the control. The control is the actual discussion, not the resulting list of risks. As group members discuss what to do about the risks, they begin to understand the objective better and increase their ability to deal with additional, unknown risks. Neither the auditors nor anyone else can perform risk assessment in place of the managers and the employees responsible for achieving the objective. However, the auditors can train managers and employees in risk assessment techniques, facilitate workshops to help identify and manage risks, and help the organization establish a common risk language to use in performing an assessment.

Control Activities

The mechanisms management establishes to ensure its directives are carried out, including the activities identified to mitigate risks, are control activities. These controls depend greatly on the activity under consideration.
Shipping products, paying bills, waiting on customers, and buying assets are all activities that require specific, activity-based controls. A great deal of activity-specific knowledge is required to determine what the controls should be. COSO's control framework presents a risk control matrix that analyzes activity-level objectives, risks, and controls. This matrix is but one method of establishing control activities. Flowcharting; analyzing the completeness, accuracy, authorization, timeliness, and safeguarding of the input, processing, and output (IPO) of transactions; and strengths, weaknesses, opportunities, and threats (SWOT) analysis are other ways of establishing control activities. There are even complete frameworks, or models, that can be used in this component. Control Objectives for Information Technology (COBIT), Systems Assurance and Control (SAC), Total Quality Management (TQM), and System Development Life Cycle (SDLC) are a few of the mechanisms that can be used for control, depending on the activities involved. COSO's framework is not intended to replace any of these control activities; rather, it states that activities need to be controlled and leaves it to management to determine the best way to accomplish that directive.