Risk based internal auditing


RBIA resources - COSO audit program

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations, including the IIA. It issued a document ‘Internal Control – Integrated Framework' in May 2013 which is an update of a document issued in 1992. To support this document it also issued ‘Illustrative Tools for Assessing Effectiveness of a System of Internal Control' which contains three templates to summarise findings. The framework is an important document which was issued as a draft in 2012.

Since the implementation of an integrated framework of internal control is a requirement of COSO, it needs to be included as an objective of a US organisation (or ‘entity' to use COSO's term) and therefore has to be included in the Risk and Audit Universe (RAU). The audit program spreadsheet and mindmap are extracts from this risk and audit universe (see Book 2 - ‘Compiling a risk and audit universe’ for details). They are examples only: you must obtain the final version of the framework, apply it to your own entity and update the program.

I have used the 2012 draft (because I am too mean to buy the final document) and I have included it in the RAU and audit program as follows:

1. In Objective level 1 ‘Establish strategies for delivering the objectives' and Risk level 1 ‘Uncontrolled risks threaten the achievement of objectives' set up Objective level 2 as ‘Establish an internal control framework (COSO)'.

2. There are 17 ‘principles' in the Framework and I have set these up as level 3 objectives. There are no risks identified, so I have made some suggestions.

3. Each of the principles has ‘attributes' attached, which link with paragraphs in the framework narrative. I have taken these attributes as controls, although they are inevitably non-specific. The ‘Illustrative Tools' document has forms (‘Principle evaluation templates') for inserting the controls in action in order to assess whether there are deficiencies in achieving the attribute. This should be done after testing.

4. I have then suggested tests which might be used to check that the attribute ‘control' is operating, after reference to the appropriate paragraphs in the narrative.

5. Tests fall into one or more of the following categories:

The first two types of test can be identified as part of a specific audit. The last type of test will appear in most audit programs as a 'COSO' test. Internal control deficiencies will be recorded on the '4 Summary of deficiencies template'. Each audit will provide information to complete '3 Principle Evaluation Templates' for some attributes, which can be used to update '2 Component evaluation templates'. By the end of the year the '2 Component evaluation templates' must be sufficiently detailed to complete the '1 Overall assessment of internal control template'.

The compilation of a risk register is an essential part of Principle 7 ('Identifies and analyzes risk'). The COSO website (coso.org/guidance.htm) has useful guidance on setting up a risk register (also known as an Enterprise Risk Management (ERM) Framework).

In particular: ‘Embracing Enterprise Risk Management: Practical Approaches for Getting Started’ (2011), http://www.coso.org/documents/EmbracingERM-GettingStartedforWebPostingDec110_000.pdf

COSO audit program COSO mind map