Internal Control

Internal & Performance Auditing

by David R. Hancox, CIA, CGFM

Internal Control – Week 4 & 5 ©


Internal Control – Integrated Framework

COSO Report of the Treadway Commission

  1. The 5 Sponsoring Organizations
  2. Definition
    • Internal Control
      • It is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
        • Effectiveness and efficiency of operations
        • Reliability of financial reporting
        • Compliance with applicable laws and regulations
  3. Definition reflects certain fundamental concepts
    • It’s a process. It’s a means to an end, not an end in itself
    • It’s effected by people. It’s not merely policy, procedures, forms
    • It can provide only reasonable, not absolute, assurance
    • It’s geared to achieving objectives in one or more separate but overlapping categories
  4. Internal control consists of 5 interrelated components:
    • Control environment
    • Risk assessment
    • Control activities
    • Information and Communication
    • Monitoring
  5. Control Environment Factors
    • Integrity & Ethical Values
      • The corporate culture
      • Codes of conduct
      • Acceptable business practices
    • Incentives & Temptations
      • Emphasis on short term results
      • Pressure to meet unrealistic performance targets
      • High performance-dependent rewards
      • Upper & lower cutoffs on bonus plans
    • Providing and communicating moral guidance
      • Most effective way – by example
      • Codes of conduct
    • Commitment to competence
      • People doing the job have:
        • Knowledge & skills needed to do tasks
        • Training & experience
      • Job descriptions
    • Board of Directors or Audit Committee
      • Tone at the top
        • Active involvement of the Board
        • Independence from management
        • Frequency of meetings
        • Sufficiency of information for monitoring
    • Management’s Philosophy & Operating Style
      • Extent & type of risk taking
      • Formally vs. informally managed company
      • Frequency of interaction between management and staff
      • Attitudes and actions towards financial reporting
    • Organizational Structure
      • Defining key areas of authority and responsibility
      • Appropriate lines of reporting
      • Centralized vs. Decentralized
    • Assignment of Authority & Responsibility
      • Capable of dealing with organization’s goals & objectives
      • Appropriateness of control related procedures
      • Appropriate number of people to carry out functions
    • Human resource policies & procedures
      • Extent of policies & procedures for:
        • Hiring
        • Training
        • Promoting
      • Adequacy of employee background checks
  6. Risk Assessment Factors
    • Focus on management’s process for:
      • Setting objectives
      • Risk analysis
      • Managing change
    • Entity-Wide Objectives
      • Related to the entity’s mission
      • Communicated to all staff
      • Strategies are related to objectives
      • Consistency of objectives between categories
    • Broad categories to consider:
      • Operations objectives
      • Financial reporting objectives
      • Compliance objectives
    • Operations objectives
      • Achieving basic mission
      • The fundamental reason for the entity’s existence
      • Directed at enhancing effectiveness and efficiency
    • Financial reporting objectives
      • Fair presentation
      • Completeness
      • Valuation or allocation
      • Full disclosure
    • Compliance objectives
      • Meet environmental requirements
      • Meet health and safety requirements
      • Meet tax reporting requirements
    • Risk Analysis
      • Includes:
        • Estimating the significance of the risk
        • Assessing the likelihood the risk will occur
        • Determining how the risk should be managed
  7. Other risk considerations
    • Mechanisms to identify risks from external sources
    • Mechanisms to identify risks from internal sources
    • Identify risks at significant activity-level objectives
    • Thoroughness of risk analysis process
  8. Managing Change
    • Processes in place to anticipate and deal with:
      • Changing operating environment
      • New personnel
      • New or revamped information systems
      • Rapid growth
      • New technology
      • New lines, products, services
      • Restructuring
  9. Control Activity Factors
    • Three Categories
      • Operations
      • Financial Reporting
      • Compliance
    • Types of Controls
      • Preventive
      • Detective
      • Safeguarding
    • The range and variety of control activities
      • Top level reviews
        • Compare actual performance to:
          • Budgets
          • Forecasts
          • Prior Periods
          • Competitors
      • Direct Functional or Activity Management
        • Review performance reports
        • Reconciliations
        • Trends
        • Statistics
        • Activity reports
      • Information Processing
        • Check:
          • Accuracy
          • Completeness
          • Authorization
      • Physical Controls
        • Physically secure
          • Equipment
          • Inventories
          • Securities
          • Cash
          • Other assets
      • Performance Indicators
        • Relating different sets of data to one another
        • Analysis of relationships
        • Investigate variances
      • Segregation of Duties
      • Policies and procedures
      • Controls over information systems
        • Financial, compliance and operational
        • Large & small systems
      • General Controls
        • Data center operations
        • Systems software acquisition and maintenance
        • Access security
        • Application systems development & maintenance
      • Application Controls
        • Complete
        • Accurate
        • Authorized
        • Valid
  10. Information & Communication Factors
    • Strategic & Integrated Systems
      • Information should relate to mission
    • Information Evaluation Factors
      • Content is Appropriate
        • Is the needed information there?
      • Information is timely
        • Is it there when required?
      • Information is current
        • Is it the latest available?
      • Information is accurate
        • Are the data correct?
      • Information is accessible
        • Can it be obtained easily by appropriate parties?
    • Communication Evaluation Factors
      • Are employee duties and control responsibilities communicated effectively?
      • Are there established channels for people to communicate suspected improprieties?
      • Is management receptive to employee suggestions on ways to enhance productivity, quality or other improvements?
      • Is there adequate communication across the organization? Is the information communicated complete, timely and sufficient to enable people to discharge their responsibilities effectively?
      • Are there open and effective channels of communication with customers, suppliers and other external sources? Are changing customer needs communicated?
      • Are outside parties made aware of the entity’s ethical standards?
      • Is there timely and appropriate follow-up action by management resulting from communications with others?
  11. Monitoring – Evaluation factors
    • Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system of internal controls works as intended.
    • Extent to which communications from external parties indicate problems.
    • Periodic comparisons of amounts recorded with physical assets
    • Responsiveness of management to internal and external auditor recommendations.
    • Effectiveness of internal audit activities
    • Scope and frequency of evaluations of the internal control system.
      • Appropriateness of evaluation process
      • Methodology is logical and appropriate
      • Adequate documentation
  12. Limitation of Internal Controls
    • Judgment
    • Breakdowns
    • Management override
    • Collusion
    • Costs vs. Benefits

    Useful web site


Homework

  1. Read Chapter 5 in Government Performance Audit in Action.
  2. Behind the tale of accounting chicanery at WorldCom lies the untold detective story of three young internal auditors, who temperamentally didn’t fit into WorldCom’s well-known cowboy culture. Ms. Cooper, 38 years old, headed a department of 24 auditors and support staffers, many of whom viewed her as quiet but strong willed. She grew up in a modest neighborhood near WorldCom’s headquarters and had spent nearly a decade working at the company, rising through its ranks. Mr. Morse, 41, was known for his ability to use technology to ferret out information. The third member of the team was Glyn Smith, 34, a senior manager under Ms. Cooper. In his spare time he taught Sunday school, took photographs and bicycled. His mom had taught him and Ms. Cooper accounting at Clinton High School. Using the Wall Street Journal, research the role the internal auditors played in ferreting out the fraud at WorldCom. Write a paper describing the fraud that occurred and how the internal auditors found it.