Risk based internal auditing
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations, including the IIA. It issued a document ‘Internal Control–Integrated Framework’ in May 2013 which is an update of a document issued in 1992. To support this document it also issued ‘Illustrative Tools for Assessing Effectiveness of a System of Internal Control’ which contains three templates to summarise findings. The framework is an important document which was issued as a draft in 2012.
Since the implementation of an integrated framework of internal control is a requirement of COSO, it needs to be included as an objective of a US organisation (or ‘entity’ to use COSO's term) and therefore has to be included in the Risk and Audit Universe (RAU). The audit program spreadsheet and mindmap are extracts from this risk and audit universe (Book 2 -
I have used the 2012 draft (because I am too mean to buy the final document) and I have included it in the RAU and audit program as follows:
1. In Objective level 1 ‘Establish strategies for delivering the objectives’ and Risk level 1 ‘Uncontrolled risks threaten the achievement of objectives’ set up Objective level 2 as ‘Establish an internal control framework (COSO)’.
2. There are 17 ‘principles’ in the Framework and I have set these up as level 3 objectives. There are no risks identified, so I have made some suggestions.
3. Each of the principles has ‘attributes’ attached, which link with paragraphs in the framework narrative. I have taken these attributes as controls, although they are inevitably non-
4. I have then suggested tests which might be used to check that the attribute ‘control’ is operating, after reference to the appropriate paragraphs in the narrative.
5. Tests fall into one or more of the following categories:
Tests done as part of an audit which include some specific COSO attributes. For example, an audit of HR to look at instructions about including the performance of internal controls as a personal target.
Tests done as part of every audit, which provide evidence about compliance with a COSO attribute. For example, ensuring that management have carried out a risk assessment on their objectives and have identified the controls necessary. As part of the audit opinion, compliance with particular COSO principles can be confirmed, or not, depending on the audit findings.
The first two types of test can be identified as part of a specific audit. The last type of test will appear in most audit programs as a ‘COSO’ test. Internal control deficiencies will be recorded on the ‘4 Summary of deficiencies template’. Each audit will provide information to complete ‘3 Principle Evaluation Templates’ for some attributes, which can be used to update ‘2 Component evaluation templates’. By the end of the year the ‘2 Component evaluation templates’ must be sufficiently detailed to complete the ‘1 Overall assessment of internal control template’.
The compilation of a risk register is an essential part of Principle 7 (‘Identifies and analyzes risk’). The COSO website (coso.org/guidance.htm) has useful guidance on setting up a risk register (also known as an Enterprise Risk Management (ERM) Framework).
In particular: Embracing Enterprise Risk Management: Practical Approaches for Getting Started. (2011) (http://www.coso.org/documents/EmbracingERM-
You may need to scroll down the page