
Page 1: 5. Control I

STUDY UNIT FIVE CONTROL I

5.1 Assessing Control ............................ 2
5.2 Control Self-Assessment (CSA) ................ 6
5.3 Interim Reports, Disclosure, and Certification ... 11
5.4 Auditing Financial Reporting ................. 13
5.5 Control Criteria ............................. 19
5.6 Study Unit 5 Summary ......................... 20

This is the first of two study units on control. It emphasizes pronouncements of The IIA and certain theoretical considerations. Study Unit 6 enlarges upon these considerations, especially with regard to control frameworks. It also extends to the implications of organizational structures and leadership styles and the management of change and conflict.

Governance, risk, and control are interrelated concepts that are fundamental to the field of internal auditing and the work of internal auditors. Study Unit 3 primarily addressed their role in governance. Study Unit 4 primarily addressed the role of internal auditors in risk management. Study Units 5 and 6 relate to control.

According to the definition of internal auditing, internal auditors help an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. The Glossary appended to the Standards defines control as follows:

Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Practice Advisory 2100-1 provides another definition of control:

Control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events that have occurred), or directive (to cause or encourage a desirable event to occur). The concept of a system of control is the integrated collection of control components and activities that are used by an organization to achieve its objectives and goals.

The definition in Practice Advisory 2100-1 describes three categories of controls. When such controls are absent or are too costly relative to their benefits, mitigating (compensating) controls should be in place. Examples are supervisory review when segregation of duties (a preventive control) is not feasible or monitoring of budget variances in the absence of transaction processing controls.

One General Performance Standard and one Specific Performance Standard are relevant to all subunits in this study unit.

2100 Nature of Work – The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

2120 Control – The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

1

Copyright © 2008 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com


One Implementation Standard is relevant to the first four subunits.

2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. This should include:

● Reliability and integrity of financial and operational information
● Effectiveness and efficiency of operations
● Safeguarding of assets
● Compliance with laws, regulations, and contracts

Core Concepts

■ Control is any action to enhance risk management and increase the probability of achieving objectives. The management functions of planning, organizing, and directing should provide reasonable assurance of achieving objectives.

■ Controls may be preventive, detective, directive, or mitigating.

■ The IAA evaluates the effectiveness and efficiency of controls and promotes continuous improvement.

■ In assurance engagements, the IAA evaluates the adequacy and effectiveness of controls over governance, operations, and IS. The evaluation extends to reliability and integrity of information, effectiveness and efficiency of operations, safeguarding of assets, and compliance.

■ The board is responsible for governance processes and obtaining assurance about risk management and control.

■ The board relies on management to maintain effective control but reinforces that reliance with independent oversight.

■ Internal auditors should determine the extent to which adequate criteria have been established to evaluate controls.

5.1 ASSESSING CONTROL

1. The following Practice Advisory addresses the role of the internal audit activity in evaluating the organization’s control systems.

a. PRACTICE ADVISORY 2120.A1-1: ASSESSING AND REPORTING ON CONTROL PROCESSES

1. One of the tasks of a board of directors is to establish and maintain the organization’s governance processes and obtain assurances concerning the effectiveness of the risk management and control processes. Senior management’s role is to oversee the establishment, administration, and assessment of that system of risk management and control processes. The purpose of that multifaceted system of control processes is to support people of the organization in the management of risks and the achievement of the established and communicated objectives of the enterprise. More specifically, those control processes are expected to ensure, among other things, that the following conditions exist:

● Financial and operational information is reliable and possesses integrity.
● Operations are performed efficiently and achieve effective results.
● Assets are safeguarded.
● Actions and decisions of the organization are in compliance with laws, regulations, and contracts.

2 SU 5: Control I


2. Among the responsibilities of the organization’s managers is the assessment of the control processes in their respective areas. Internal and external auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes in select activities and functions of the organization.

3. Senior management and the audit committee normally expect that the chief audit executive will perform sufficient engagement work and gather other available information during the year so as to form a judgment about the adequacy and effectiveness of the control processes. The chief audit executive should communicate that overall judgment about the organization’s system of controls to senior management and the audit committee. A growing number of organizations have included a management’s report on the system of internal controls in their annual or periodic reports to external stakeholders.

4. The chief audit executive should develop a proposed engagement plan for the coming year that ensures that sufficient information will be obtained to evaluate the effectiveness of the control processes. The plan should call for engagements or other procedures to gather relevant information about all major operating units and business functions. The engagement plan should also give special consideration to those operations most affected by recent or expected changes. Those changes in circumstances may result from marketplace or investment conditions, acquisitions and divestitures, or restructures and new ventures. The proposed plan should be flexible so that adjustments may be made during the year as a result of changes in management strategies, external conditions, or revised expectations about achieving the organization’s objectives.

5. In determining the proposed engagement plan, the chief audit executive should consider relevant work that will be performed by others. To minimize duplication and inefficiencies, the work planned or recently completed by management in its assessments of controls and quality improvement processes as well as the work planned by the external auditors should be considered in determining the expected coverage of the audit plan for the coming year.

6. Finally, the chief audit executive should evaluate the coverage of the proposed plan from two viewpoints: adequacy across organizational entities and inclusion of a variety of transaction and business-process types. If the scope of the proposed engagement plan is insufficient to enable the expression of assurance about the organization’s control processes, the chief audit executive should inform senior management and the audit committee of the expected deficiency, its causes, and the probable consequences.

7. The challenge for the internal audit activity is to evaluate the effectiveness of the organization’s system of controls based on the aggregation of many individual assessments. Those assessments are largely gained from internal auditing engagements, management’s self-assessments, and external auditor’s work. As the engagements progress, internal auditors should communicate, on a timely basis, the observations to the appropriate levels of management so that prompt action can be taken to correct or mitigate the consequences of discovered control discrepancies or weaknesses.


8. Three key considerations in reaching an evaluation of the overall effectiveness of the organization’s control processes are

● Were significant discrepancies or weaknesses discovered from the audit work performed and other assessment information gathered?
● If so, were corrections or improvements made after the discoveries?
● Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists, resulting in an unacceptable level of business risk?

The temporary existence of a significant control discrepancy or weakness does not necessarily lead to the judgment that it is pervasive and poses an unacceptable residual risk. The pattern of discoveries, degree of intrusion, and level of consequences and exposures are factors to be considered in determining whether the effectiveness of the whole system of controls is jeopardized and unacceptable risks exist. The report of the chief audit executive on the state of the organization’s control processes should be presented, usually once a year, to senior management and the audit committee.

9. The report should emphasize the critical role played by the control processes in the quest to achieve the organization’s objectives, and it should refer to major work performed by internal audit and to other important sources of information that were used to formulate the overall assurance judgment. The opinion section of the report is normally expressed in terms of negative assurance; that is, the engagement work performed for the period and other information gathered did not disclose any significant weaknesses in the control processes that have a pervasive effect. If the control deficiencies or weaknesses are significant and pervasive, the assurance section of the report may be a qualified or adverse opinion, depending on the projected increase in the level of residual risk and its impact on the organization’s objectives.

10. The target audiences for the annual report are senior executives and audit committee members. Because these readers have divergent understandings of auditing and business, the chief audit executive’s annual report should be clear, concise, and informative. It should be composed and edited to be understandable by them and targeted to meet their informational needs. Its value to these readers can be enhanced by including major recommendations for improvement and information about current control issues and trends, such as technology and information security exposures, patterns of control discrepancies or weaknesses across business units, and potential difficulties in complying with laws or regulations.

11. Ample evidence exists of an “expectation gap” surrounding the internal audit activity’s work in evaluating and providing assurance about the state of control processes. One such gap exists between management and the audit committee’s normally high expectations about the value of internal auditing services and the internal auditor’s more modest expectations that derive from knowledge of practical limitations on audit coverage and from self-doubt about generating sufficient evidence to support an informed and objective judgment. The chief audit executive should be mindful of the possible gap between what is presumed by the report reader and what actually happened during the year. He or she should use the report as another way to address different mental models and to suggest improving the capacity of the function or reducing the constraints to access and audit effectiveness.


PA Summary

● The board is responsible for governance processes and obtaining assurance about risk management and control. Senior management oversees the establishment, administration, and assessment of risk management and control processes. The purpose of control is to support risk management and achievement of objectives. Control ensures (1) the reliability and integrity of information; (2) efficient and effective performance; (3) safeguarding of assets; and (4) compliance with laws, regulations, and contracts.

● Each manager assesses control in his/her area. Auditors provide assurance about the effectiveness of risk management and control.

● The CAE should gather sufficient information to judge the adequacy and effectiveness of control. This judgment should be communicated to senior management and the board. Also, a management report on control may be included in annual or periodic reports to external parties.

● The IAA’s proposed engagement plan should provide sufficient information to evaluate control. The plan should be flexible enough to permit adjustments during the year and should cover all major operations and functions. It also should give special consideration to operations most affected by recent or expected changes. Furthermore, the plan should consider relevant work that will be performed by others, including (1) management’s assessments of control and quality processes and (2) the work planned by external auditors.

● The plan’s coverage should be adequate across organizational entities and inclusive of transaction and business-process types. If the scope of the plan is insufficient to give assurance about control, the CAE should inform senior management and the audit committee about causes and probable consequences of the insufficiency.

● The evaluation of control combines many individual assessments. Communication of engagement observations should be timely.

● The overall evaluation of control considers whether (1) significant weaknesses or discrepancies exist, (2) corrections or improvements were made, and (3) a pervasive condition leading to unacceptable risk exists.

● Whether unacceptable risk exists because the effectiveness of the whole system of controls is jeopardized depends on the (1) pattern of discoveries, (2) degree of intrusion, and (3) level of consequences.

● The CAE’s report on the organization’s control processes should be presented, usually once a year, to senior management and the audit committee. The opinion section usually expresses negative assurance. But a qualified or adverse opinion is expressed if the control deficiencies or weaknesses are significant and pervasive.

● The report should be clear, concise, and informative and targeted to the needs of senior management and the audit committee. It should contain major recommendations about current control issues and trends.

● The CAE should be aware of the “expectation gap.” One such gap is between high expectations about the value of internal auditing and the auditor’s more modest expectations based on limitations on audit coverage and doubt about generating sufficient evidence to support an informed judgment. Another gap lies between what is presumed by the report reader and what actually happened. Thus, the CAE should use the report to suggest improving the capacity of the audit function or reducing the limits on access and audit effectiveness.


5.2 CONTROL SELF-ASSESSMENT (CSA)

1. The following Practice Advisory describes self-assessment methods and the role of the internal auditors in the process.

a. PRACTICE ADVISORY 2120.A1-2: USING CONTROL SELF-ASSESSMENT FOR ASSESSING THE ADEQUACY OF CONTROL PROCESSES

1. Senior management is charged with overseeing the establishment, administration, and evaluation of the processes of risk management and control. Operating managers’ responsibilities include assessment of the risks and controls in their units. Internal and external auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes of the organization. Both managers and auditors have an interest in using techniques and tools that sharpen the focus and expand the efforts to assess risk management and control processes that are in place and to identify ways to improve their effectiveness.

2. A methodology encompassing self-assessment surveys and facilitated workshops called CSA is a useful and efficient approach for managers and internal auditors to collaborate in assessing and evaluating control procedures. In its purest form, CSA integrates business objectives and risks with control processes. Control self-assessment is also referred to as “control/risk self-assessment” or “CRSA.” Although CSA practitioners use a number of differing techniques and formats, most implemented programs share some key features and goals. An organization that uses self-assessment will have a formal, documented process that allows management and work teams, who are directly involved in a business unit, function, or process, to participate in a structured manner for the purpose of

● Identifying risks and exposures
● Assessing the control processes that mitigate or manage those risks
● Developing action plans to reduce risks to acceptable levels
● Determining the likelihood of achieving the business objectives

3. The outcomes that may be derived from self-assessment methodologies are

● People in the business units become trained and experienced in assessing risks and associating control processes with managing those risks and improving the chances of achieving business objectives.

● Informal, “soft” controls are more easily identified and evaluated.

● People are motivated to take “ownership” of the control processes in their units, and corrective actions taken by the work teams are often more effective and timely.

● The entire objectives-risks-controls infrastructure of an organization is subject to greater monitoring and continuous improvement.

● Internal auditors become involved in and knowledgeable about the self-assessment process by serving as facilitators, scribes, and reporters for the work teams and as trainers of risk and control concepts supporting the CSA program.


● Internal audit activity acquires more information about the control processes within the organization and can leverage that additional information in allocating their scarce resources so as to spend a greater effort in investigating and performing tests of business units or functions that have significant control weaknesses or high residual risks.

● Management’s responsibility for the risk management and control processes of the organization is reinforced, and managers will be less tempted to abdicate those activities to specialists, such as auditors.

● The primary role of the internal audit activity will continue to include the validation of the evaluation process by performing tests and the expression of its professional judgment on the adequacy and effectiveness of the whole risk management and control systems.

4. The wide variety of approaches used for CSA processes in organizations reflects the differences in industry, geography, structure, organizational culture, degree of employee empowerment, dominant management style, and the manner of formulating strategies and policies. That observation suggests that the success of a particular type of CSA program in one enterprise may not be replicated in another organization. The CSA process should be customized to fit the unique characteristics of each organization. Also, it suggests that a CSA approach needs to be dynamic and change with the continual development of the organization.

5. The three primary forms of CSA programs are facilitated team workshops, surveys, and management-produced analysis. Organizations often combine more than one approach.

6. Facilitated team workshops gather information from work teams representing different levels in the business unit or function. The format of the workshop may be based on objectives, risks, controls, or processes.

● Objective-based format focuses on the best way to accomplish a business objective. The workshop begins by identifying the controls presently in place to support the objective and then determining the residual risks remaining. The aim of the workshop is to decide whether the control procedures are working effectively and are resulting in residual risks within an acceptable level.

● Risk-based format focuses on listing the risks to achieving an objective. The workshop begins by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving an objective and then examining the control procedures to determine if they are sufficient to manage the key risks. The aim of the workshop is to determine significant residual risks. This format takes the work team through the entire objective-risks-controls formula.

● Control-based format focuses on how well the controls in place are working. This format is different from the two above because the facilitator identifies the key risks and controls before the beginning of the workshop. During the workshop, the work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.


● Process-based format focuses on selected activities that are elements of a chain of processes. The processes are usually a series of related activities that go from some beginning point to an end, such as the various steps in purchasing, product development, or revenue generation. This type of workshop usually covers the identification of the objectives of the whole process and the various intermediate steps. The aim of the workshop is to evaluate, update, validate, improve, and even streamline the whole process and its component activities. This workshop format may have a greater breadth of analysis than a control-based approach by covering multiple objectives within the process and by supporting concurrent management efforts, such as reengineering, quality improvement, and continuous improvement initiatives.

7. The survey form of CSA uses a questionnaire that tends to ask mostly simple “Yes/No” or “Have/Have Not” questions that are carefully written to be understood by the target recipients. Surveys are often used if the desired respondents are too numerous or widely dispersed to participate in a workshop. They are also preferred if the culture in the organization may hinder open, candid discussions in workshop settings or if management desires to minimize the time spent and costs incurred in gathering the information.

8. The form of self-assessment called “management-produced analyses” covers most other approaches by management groups to produce information about selected business processes, risk management activities, and control procedures. The analysis is often intended to reach an informed and timely judgment about specific characteristics of control procedures and is commonly prepared by a team in a staff or support role. The internal auditor may synthesize this analysis with other information to enhance the understanding about controls and to share the knowledge with managers in business or functional units as part of the organization’s CSA program.

9. All self-assessment programs assume that managers and members of the work teams possess an understanding of risks and control concepts and use those concepts in communications. For training sessions, to facilitate the orderly flow of workshop discussions, and as a check on the completeness of the overall process, organizations often use a control framework, such as the COSO (Committee of Sponsoring Organizations) and CoCo (Canadian Criteria of Control Board) models.

10. In the typical CSA facilitated workshop, a report will be largely created during the deliberations. A group consensus will be recorded for the various segments of the discussions, and the group will review the proposed final report before the end of the final session. Some programs will use anonymous voting techniques to ensure the free flow of information and viewpoints during the workshops and to aid in negotiating differences between viewpoints and interest groups.


11. Internal audit’s investment in some CSA programs is fairly significant. It may sponsor, design, implement and, in effect, own the process; conduct the training; supply the facilitators, scribes, and reporters; and orchestrate the participation of management and work teams. In other CSA programs, internal audit’s involvement is minimal, serving as interested party and consultant of the whole process and as ultimate verifier of the evaluations produced by the teams. In most programs, internal audit’s investment in the organization’s CSA efforts is somewhere between the two extremes described on the previous page. As the level of internal audit’s involvement in the CSA program and individual workshop deliberations increases, the chief audit executive should monitor the objectivity of the internal audit staff, take steps to manage that objectivity (if necessary), and augment internal audit testing to ensure that bias or partiality do not affect the final judgments of the staff. Standard 1120 states: “Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.”

12. A CSA program augments the traditional role of the internal audit activity by assisting management in fulfilling its responsibilities to establish and maintain risk management and control processes and to evaluate the adequacy of that system. Through a CSA program, the internal audit activity and the business units and functions collaborate to produce better information about how well the control processes are working and how significant the residual risks are.

13. Although providing staff support for the CSA program as facilitator and specialist, the internal audit activity often finds that it may reduce the effort spent in gathering information about control procedures and eliminate some testing. A CSA program should increase the coverage of assessing control processes across the organization, improve the quality of corrective actions made by the process owners, and focus internal audit’s work on reviewing high-risk processes and unusual situations. It can focus on validating the evaluation conclusions produced by the CSA process, synthesizing the information gathered from the components of the organization, and expressing its overall judgment about the effectiveness of controls to senior management and the audit committee.


PA Summary

● Senior management oversees the processes of risk management and control (RMC). Operating managers assess risks and controls in their units. Auditors provide assurance about the effectiveness of RMC processes. All want to (1) sharpen the focus of, and expand efforts to assess, RMC processes and (2) improve their effectiveness.

● Control self-assessment (CSA) is a collaboration between managers and auditors to evaluate control. CSA integrates business objectives and risks with control processes. Programs vary but share key features. A formal, documented process allows those directly involved to participate in (1) identifying risks and exposures, (2) assessing relevant controls, (3) developing plans, and (4) estimating the probability of achieving objectives.

● Outcomes of CSA may include (1) training in assessment of the objectives-risks-controls infrastructure, (2) recognition of soft controls, (3) willingness to take ownership of control that results in more effective and timely corrective action, (4) greater monitoring and continuous improvement, (5) greater internal auditor knowledge of CSA, (6) more information about control and better allocation of resources to audits of control, (7) reinforcement of management’s responsibility for control, and (8) continuation of the IAA’s primary role in validation of the evaluation process by testing and expressing judgment on the adequacy and effectiveness of the RMC process.

● The variety of approaches used for CSA reflects the differences among organizations. Accordingly, the CSA process should be customized to fit the organization. CSA also should change as the organization develops.

● The facilitated team workshop form of CSA may be based on (1) objectives, (2) risks, (3) controls, or (4) processes. A final report should reflect the group consensus.

● Objective-based format focuses on the best way to accomplish an objective. It identifies relevant controls and determines the residual risks. The aim is to decide whether controls are effective and result in acceptable residual risks.

● Risk-based format focuses on listing the risks of achieving an objective and examining the controls to determine whether they suffice to manage the key risks. The aim is to determine significant residual risks.

● Control-based format differs because the facilitator identifies the key risks and controls before the workshop begins. The work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim is to analyze the gap between actual and expected performance of controls.

● Process-based format focuses on selected activities in a chain of processes. The processes are a series of related activities from a beginning to an end, such as the steps in purchasing. This workshop format identifies the objectives of the whole process and the intermediate steps. The aim is to improve the whole process and its activities. This format may have greater breadth than a control-based approach. It covers multiple objectives within the process and supports such efforts as reengineering, quality improvement, and continuous improvement.

● The survey form of CSA uses a simple questionnaire. Surveys are often used when a workshop is impracticable, the culture may hinder open discussions, or the time spent and costs incurred must be minimized.

● The management analysis form of CSA often addresses specific aspects of control and is prepared by support staff. The internal auditor may combine this and other information to better understand controls and to share knowledge with managers.


● CSA programs assume an understanding of risk and control concepts. Thus, CSA often uses a control framework, e.g., COSO or CoCo, that facilitates training and discussion and serves as a check on the completeness of the process.

● Internal audit’s involvement in CSA may range from ownership of the process to service as a consultant. As involvement in the CSA program and workshop deliberations increases, the CAE should monitor the objectivity of the internal audit staff, manage that objectivity (if necessary), and augment testing to ensure that bias does not affect final judgments.

● The IAA and business units collaborate in CSA to produce better information about the effectiveness of controls and the significance of residual risks.

● A CSA program may reduce the audit effort devoted to control. It should increase the coverage of control assessments, improve the quality of corrective action, and focus audit work on reviewing high-risk processes and unusual situations.

5.3 INTERIM REPORTS, DISCLOSURE, AND CERTIFICATION

1. The following is adapted from a Practice Advisory. It covers the role of internal auditors with respect to certain legislative and regulatory requirements. These enactments are responses to scandals that have undermined investor confidence.

a. The strength of all financial markets depends on investor confidence. Events involving allegations of misdeeds by business executives, independent auditors, and other market participants have undermined that confidence. In response to this threat, a growing number of legislative bodies and regulatory agencies in various countries have passed legislation and regulations affecting disclosures and financial reporting.

b. Recommended actions for internal auditors. The following actions and considerations are offered to internal auditors as value-added services that can be provided regarding interim financial reports, disclosures, and management certifications.

1) The internal auditor’s role in such processes may range from initial designer of the process to participant on a disclosure committee, to coordinator or liaison between management and its auditors, or to independent assessor of the process.

2) All internal auditors involved in interim reporting and disclosure processes should have a clearly defined role and should evaluate their responsibilities against the appropriate IIA Consulting and Assurance Standards and the guidance contained in related Practice Advisories.

3) Internal auditors should ensure that organizations have a formal policy and documented procedures to govern processes for interim financial reports, related disclosures, and regulatory reporting requirements. Appropriate review of any policies and procedures by attorneys, external auditors, and other experts can offer additional comfort that policies and procedures are comprehensive and accurately reflect applicable requirements.


4) Internal auditors should encourage organizations to establish a “disclosure committee” to coordinate the process and provide oversight to participants. Key areas of the organization should be represented on the committee, including key financial managers, legal counsel, risk management, internal audit, and any area providing input or data for the regulatory filings and disclosures. Normally the chief audit executive (CAE) should be a member of the disclosure committee. Consideration should be given to the CAE’s status on the committee. CAEs who serve as committee chairs or regular or “voting” members need to be aware of independence considerations and are advised to review IIA Standards and related Practice Advisories for guidance and required disclosures. Status as an “ex-officio” member normally would not create independence problems.

5) Internal auditors should periodically review and evaluate interim reporting and disclosure processes, disclosure committee activities, and related documentation and provide management and the audit committee with an assessment of the process and assurance concerning overall operations and compliance with policies and procedures. Internal auditors whose independence may be impaired due to their assigned role in the process should ensure that management and the audit committee are able to obtain appropriate assurance about the process from other sources. Other sources can include internal self-assessments as well as third parties such as external auditors and consultants.

6) Internal auditors should recommend appropriate improvements to the policies, procedures, and process for interim reporting and related disclosures based on the results of an assessment of related activities. Recommended best practices for such activities may include all, or components of, the following tools and procedures, depending on the specific process used by each organization:

a) Properly documented policies, procedures, controls, and monitoring reports

b) Interim period checklist of procedures and key control elements

c) Standardized control reports on key disclosure controls

d) Management self-assessments (such as CSA)

e) Sign-offs or representation statements from key managers

f) Review of draft regulatory filings prior to submission

g) Process maps to document the source of data elements for regulatory filings, key controls, and responsible parties for each element

h) Follow-up on previously reported outstanding items

i) Consideration of internal audit reports issued during the period

j) Special or specifically targeted reviews of high-risk, complex, and problem areas, including material accounting estimates, reserve valuations, off-balance sheet activities, major subsidiaries, joint ventures, and special-purpose entities

k) Observation of the “closing process” for the financial statements and related adjusting entries, including waived adjustments

l) Conference calls with key management from remote locations to ensure appropriate consideration of and participation by all major components of the organization

m) Review of potential and pending litigation and contingent liabilities

n) CAE report on internal control, issued at least annually and possibly more frequently

o) Regularly scheduled disclosure and audit committee meetings


7) Internal auditors should compare processes for complying with legal or regulatory requirements for interim reporting and disclosures with those for assessing and publicly reporting on internal controls. Processes designed to be similar or compatible will contribute to operational efficiencies and reduce the risk that problems and errors will occur or go undetected. While processes and procedures may be similar, it is possible that the internal auditor’s role may vary. In some organizations, the work of internal auditors may form the basis for management’s assertions about internal control. But in other organizations internal auditors may be called upon to evaluate a required assessment by management.

a) The nature of internal audit’s work, and of its use, can potentially affect the treatment or degree of reliance placed upon the internal auditor’s work by the external auditor. Internal auditors should ensure that each participant’s role is clarified and activities are coordinated and agreed upon with management and the external auditors.

b) In organizations in which management conducts its own assessment of controls as the basis for an opinion, internal auditors should evaluate management’s assessment and supporting documentation.

c) Internal auditors should evaluate how internal audit report comments are classified and ensure that comments that may be subject to disclosure in interim reports or an annual report on internal controls are appropriately communicated to management and the audit committee. Extra care should be taken to ensure such comments are adequately resolved in a timely manner.

5.4 AUDITING FINANCIAL REPORTING

1. The Practice Advisory in this subunit complements the material in the prior subunit. It too addresses the internal auditor’s role in responding to requirements for organizations to improve their governance and financial reporting processes.

a. PRACTICE ADVISORY 2120.A1-4: AUDITING THE FINANCIAL REPORTING PROCESS

1. The published reports of corporate governance failures in various countries underscore the need for change to achieve greater accountability and transparency by all organizations, whether profit-making, nonprofit, or governmental. Senior management, boards of directors, internal auditors, and external auditors are the cornerstones of the foundation on which effective organizational governance is built. The internal audit activity plays a key role in support of good organizational governance; it has a unique position to assist in improving an organization’s operations by evaluating and improving the effectiveness of risk management, control, and governance processes. Recent initiatives have put the spotlight on the need for senior management to be more accountable for the information contained in an organization’s financial reports. Senior management and the audit committee of many organizations are requesting additional services from the internal audit activity to improve the governance and financial reporting processes. These requests include evaluations of the organization’s internal controls over financial reporting and the reliability and integrity of its financial report.


Reporting on Internal Control

2. An organization’s audit or other board committee and internal audit activity have interlocking goals. The core role of the chief audit executive (CAE) is to ensure that the audit committee receives the support and assurance services it needs and requests. One of the primary objectives of the audit committee is oversight of the organization’s financial reporting processes to ensure their reliability and fairness. The committee and senior management typically request that the internal audit activity perform sufficient audit work and gather other available information during the year to form an opinion on the adequacy and effectiveness of the internal control processes. The CAE normally communicates that overall evaluation, on a timely basis, to the committee. The committee will evaluate the coverage and adequacy of the CAE’s report and may incorporate its conclusion in the committee’s report to the governing board.

3. The internal audit activity’s work plans and specific assurance engagements begin with a careful identification of the exposures facing the organization, and internal audit’s work plan is based on the risks and the assessment of the risk management and control processes maintained by management to mitigate those risks. Among the events and transactions included in the identification of risks are

● New businesses, including mergers and acquisitions

● New products and systems

● Joint ventures and partnerships

● Restructuring

● Management estimates, budgets, and forecasts

● Environmental matters

● Regulatory compliance

A Framework for Internal Control

4. The assessment of a system of internal control of an organization should employ a broad definition of control. The IIA believes that the most effective internal control guidance available today is the report Internal Control – Integrated Framework, published in 1992 and 1994 by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. While use of the COSO model is widely accepted, it may be appropriate to use some other recognized and credible model. Sometimes, regulatory or legal requirements will specify the use of a particular model or control design for an organization or industry within a country.

5. Several conclusions in the Internal Control – Integrated Framework report are relevant to this discussion.

● Internal control is defined broadly; it is not limited to accounting controls and is not narrowly restricted to financial reporting.

● While accounting and financial reports are important issues, there are other important aspects of the business, such as resource protection, operational efficiency and effectiveness, and compliance with rules, regulations, and organization policies. These factors also have an impact on financial reporting.

● Internal control is management’s responsibility and requires the participation of all persons within an organization if it is to be effective.

● The control framework is tied to the business objectives and is flexible enough to be adaptable.


Reporting on the Effectiveness of Internal Control

6. The CAE should provide to the audit committee internal audit’s assessment of the effectiveness of the organization’s system of controls, including its judgment on the adequacy of the control model or design. A governing board must rely on management to maintain an adequate and effective internal control system. It will reinforce that reliance with independent oversight. The board or its audit (or other designated) committee should ask the following questions, and the CAE may be expected to assist in answering them.

(a) Is there a strong ethical environment and culture?

● Do board members and senior executives set examples of high integrity?

● Are performance and incentive targets realistic, or do they create excessive pressure for short-term results?

● Is the organization’s code of conduct reinforced with training and top-down communication? Does the message reach the employees in the field?

● Are the organization’s communication channels open? Do all levels of management get the information they need?

● Is there zero tolerance for fraudulent financial reporting at any level?

(b) How does the organization identify and manage risks?

● Is there a risk management process, and is it effective?

● Is risk managed throughout the organization?

● Are major risks candidly discussed with the board?

(c) Is the control system effective?

● Are the organization’s controls over the financial reporting process comprehensive, including preparation of financial statements, related notes, and the other required and discretionary disclosures that are an integral part of the financial reports?

● Do senior and line management demonstrate that they accept control responsibility?

● Is there an increasing frequency of “surprises” occurring at the senior management, board, or public levels from the organization’s reported financial results or in the accompanying financial disclosures?

● Is there good communication and reporting throughout the organization?

● Are controls seen as enhancing the achievement of objectives or as a “necessary evil”?

● Are qualified people hired promptly, and do they receive adequate training?

● Are problem areas fixed quickly and completely?


(d) Is there strong monitoring?

● Is the board independent of management, free of conflicts of interest, well informed, and inquisitive?

● Does internal audit have the support of senior management and the audit committee?

● Do the internal and external auditors have and use open lines of communication and private access to all members of senior management and the audit committee?

● Is line management monitoring the control process?

● Is there a program to monitor outsourced processes?

7. Internal controls cannot ensure success. Bad decisions, poor managers, or environmental factors can negate controls. Also, dishonest management may override controls and ignore or stifle communications from subordinates. An active and independent governing board that is coupled with open and truthful communications from all components of management and is assisted by capable financial, legal, and internal audit functions is capable of identifying problems and providing effective oversight.

Roles for the Internal Auditor

8. The CAE needs to review internal audit’s risk assessment and audit plans for the year if adequate resources have not been committed to helping senior management, the audit committee, and the external auditor with their responsibilities in the upcoming year’s financial reporting regimen. The financial reporting process encompasses the steps to create the information and prepare financial statements, related notes, and other accompanying disclosures in the organization’s financial reports.

9. The CAE should allocate internal audit’s resources to the financial reporting, governance, and control processes consistent with the organization’s risk assessment. The CAE should perform procedures that provide a level of assurance to senior management and the audit committee that the controls surrounding the processes supporting the development of financial reports are adequately designed and effectively executed. The controls should be adequate to ensure the prevention and detection of significant errors, irregularities, incorrect assumptions and estimates, and other events that could result in inaccurate or misleading financial statements, related notes, or other disclosures.

10. The following lists suggest topics that the CAE may consider in supporting the organization’s governance process and the oversight responsibilities of the governing board and its audit committee (or other designated committee) to ensure the reliability and integrity of financial reports.

(a) Financial Reporting

● Providing information relevant to the appointment of the independent accountants.

● Coordinating audit plans, coverage, and scheduling with the external auditors.

● Sharing audit results with the external auditors.


● Communicating pertinent observations to the external auditors and audit committee about accounting policies and policy decisions (including accounting decisions for discretionary items and off-balance-sheet transactions), specific components of the financial reporting process, and unusual or complex financial transactions and events (e.g., related-party transactions, mergers and acquisitions, joint ventures, and partnership transactions).

● Participating in the financial reports and disclosures review process with the audit committee, external auditors, and senior management; evaluating the quality of the financial reports, including those filed with regulatory agencies.

● Assessing the adequacy and effectiveness of the organization’s internal controls, specifically those controls over the financial reporting process; this assessment should consider the organization’s susceptibility to fraud and the effectiveness of programs and controls to mitigate or eliminate those exposures.

● Monitoring management’s compliance with the organization’s code of conduct and ensuring that ethical policies and other procedures promoting ethical behavior are being followed; an important factor in establishing an effective ethical culture in the organization is when members of senior management set a good example of ethical behavior and provide open and truthful communications to employees, the board, and outside stakeholders.

(b) Corporate Governance

● Reviewing corporate policies relating to compliance with laws and regulations, ethics, conflicts of interest, and the timely and thorough investigation of misconduct and fraud allegations.

● Reviewing pending litigation or regulatory proceedings bearing on organizational risk and governance.

● Providing information on employee conflicts of interest, misconduct, fraud, and other outcomes of the organization’s ethical procedures and reporting mechanisms.

(c) Corporate Control

● Reviewing the reliability and integrity of the organization’s operating and financial information compiled and reported by the organization.

● Performing an analysis of the controls for critical accounting policies and comparing them with preferred practices (e.g., transactions in which questions are raised about revenue recognition or off-balance-sheet accounting treatment should be reviewed for compliance with appropriate generally accepted accounting standards).

● Evaluating the reasonableness of estimates and assumptions used in preparing operating and financial reports.

● Ensuring that estimates and assumptions included in disclosures or comments are in line with underlying organizational information and practices and with similar items reported by other companies, if appropriate.

● Evaluating the process of preparing, reviewing, approving, and posting journal entries.

● Evaluating the adequacy of controls in the accounting function.


PA Summary

● Corporate governance failures underscore the need for greater accountability and transparency by all organizations. Senior management, boards, and auditors are the basis for effective governance. Many organizations are requesting additional services from the IAA to improve the governance and financial reporting processes, including evaluations of controls over financial reporting and the reliability and integrity of financial reports.

● The core role of the CAE is to ensure that the audit committee receives the support and assurance services it needs and requests. One of the committee’s primary objectives is oversight of financial reporting to ensure reliability and fairness. The IAA typically performs sufficient work and gathers other information to form an opinion on the adequacy and effectiveness of control. The CAE communicates that evaluation to the committee, which evaluates the report and may incorporate its conclusion in its report to the governing board.

● The IAA’s work plans and specific assurance engagements begin with identification of risk exposures, and its work plan is based on the risks and the assessment of the RMC processes that mitigate those risks. Among the matters considered are (1) new businesses, products, and systems; (2) joint ventures and partnerships; (3) restructurings; (4) estimates, budgets, and forecasts; (5) environmental issues; and (6) compliance.

● The most effective control guidance is the Internal Control – Integrated Framework, by the Committee of Sponsoring Organizations (COSO). But another recognized and credible model may be used unless the law requires otherwise. Control is defined broadly. It is not limited to accounting control and financial reporting. Other aspects of the business are important, such as resource protection, efficiency and effectiveness, and compliance. These factors also affect financial reporting. Control is management’s responsibility and requires everyone’s participation. The framework is tied to business objectives and should be adaptable.

● The IAA’s report on control assesses effectiveness but also includes a judgment on the adequacy of the control model or design. The board relies on management to maintain effective control but reinforces that reliance with independent oversight. The board should ask, and the CAE assist in answering, questions about (1) the ethical environment and culture, (2) how risks are identified and managed, (3) the effectiveness of control, and (4) the strength of monitoring.

● Internal controls cannot ensure success because bad decisions, poor or dishonest managers, or environmental factors can negate controls. The CAE must review the risk assessment and audit plans for the year if adequate resources have not been committed to the financial reporting regimen. The financial reporting process involves creating information and preparing statements, notes, and disclosures in financial reports. IAA resources should be allocated to financial reporting, governance, and control processes in accordance with the risk assessment.

● Audit procedures should provide assurance that controls over financial reporting are adequately designed and effectively executed. Controls should ensure the prevention and detection of significant errors, irregularities, incorrect assumptions and estimates, and other events that could misstate financial statements, notes, or disclosures.

● The CAE considers many factors related to financial reporting, corporate governance, and corporate control when supporting the governance process. The purpose is to ensure the reliability of financial reports.


5.5 CONTROL CRITERIA

1. This subunit addresses the first element of the control process: establishing standards for the program or operation to be controlled. The topic is covered in three Assurance Implementation Standards, two Consulting Implementation Standards, and two Practice Advisories.

2. 2120.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

3. 2120.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

4. 2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.

a. PRACTICE ADVISORY 2120.A4-1: CONTROL CRITERIA

1. Internal auditors should evaluate the established operating targets and expectations and should determine whether those operating standards are acceptable and are being met. When such management targets and criteria are vague, authoritative interpretations should be sought. If internal auditors are required to interpret or select operating standards, they should seek agreement with engagement clients as to the criteria needed to measure operating performance.

PA Summary

● Internal auditors should evaluate operating targets and expectations and whether they are acceptable and being met. If operating criteria are vague, the IAA seeks authoritative guidance. If the IAA must interpret or select criteria, agreement with the client should be sought.

5. 2120.C1 – During consulting engagements, internal auditors should address controls consistent with the engagement’s objectives and should be alert to the existence of any significant control weaknesses.


6. 2120.C2 – Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

a. PRACTICE ADVISORY 1000.C1-2: ADDITIONAL CONSIDERATIONS FOR FORMAL CONSULTING ENGAGEMENTS

The following is the portion of this comprehensive Practice Advisory relevant to Standards 2120.C1 and 2120.C2:

14. Internal auditors should be observant of the effectiveness of risk management and control processes during formal consulting engagements. Substantial risk exposures or material control weaknesses should be brought to the attention of management. In some situations, the auditor’s concerns should also be communicated to executive management, the audit committee, or the board of directors. Auditors should use professional judgment (a) to determine the significance of exposures or weaknesses and the actions taken or contemplated to mitigate or correct these exposures or weaknesses and (b) to ascertain the expectations of executive management, the audit committee, and board in having these matters reported.

PA Summary

● In formal consulting engagements, material risk exposures and control weaknesses observed should be reported, in some cases, to executive management, the audit committee, or the board.

5.6 STUDY UNIT 5 SUMMARY

1. The board establishes the governance process and obtains assurance about the system of risk management and controls. Senior management oversees establishment, administration, and assessment of that system. Each manager assesses control in his/her area. Auditors provide assurance about the effectiveness of risk management and control. The CAE should gather sufficient information to judge the adequacy and effectiveness of control. This judgment should be communicated to management and the board. Also, management may report on control to external parties.

2. CSA is a collaboration between managers and internal auditors to evaluate control. Programs vary but share key features. A formal, documented process allows those directly involved to participate in (a) identifying risks and exposures, (b) assessing relevant controls, (c) developing plans, and (d) estimating the probability of achieving objectives.

3. An organization may be subject to legal and regulatory requirements for interim reports, disclosures, and management certifications. Applicable laws or regulations also may require management to report on controls. The internal auditors’ roles in these processes may vary from designer of the process to an assessor of the process.

4. The IIA’s favored control framework is the COSO model, but other frameworks may be appropriate. The COSO model (a) defines control broadly, (b) stresses all important aspects of the business, (c) states that management is responsible for control, and (d) ties the framework to business objectives.

5. If operating criteria are vague, the IAA seeks authoritative guidance. If the IAA must interpret or select criteria, agreement with clients should be sought.
