communicates its principles and values, it will
CHAPTER 5
CONTROL FRAMEWORK
In the 1980s, a commission was established to
address fraudulent acts in financial statements.
The National Commission on Fraudulent Financial
Reporting, chaired by James C. Treadway, identified
the lack of a comprehensive internal controls
framework.
The Commission on Auditor-Supplier Organization
(COSO) of the Treadway Commission was formed in
1985 to sponsor the commission.
The commission was sponsored by five professional
associations, including the Institute of Internal
Auditors, American Institute of Certified Public
Accountants, American Accounting Association,
Institute of Management Accountants, and Financial
Executives Institute.
COSO goal was to improve financial reporting
quality through corporate governance, ethical
practices, and internal control, with a focus on ERM
and fraud deterrence.
The 2013 COSO IC-IF contains 17 principles, stating
that an entity can achieve effective internal control
by applying all principles to operations, reporting,
and compliance objectives.
The COSO framework is typically represented in a
cube, showing the five components of internal
control, the three categories of objectives, and the
entity's structure.
CONTROL ENVIRONMENT
The workplace environment refers to the structure,
leadership style, and ethical practices of an
organization. It includes the tone at the top, which is
set and promoted by the board of directors and
senior management.
This tone drives ethical conduct within the
organization and helps prevent unethical practices
and fraud. When management formally
influence the organizational culture and permeate
the entire organization.
Organizational culture is the collection of learned
beliefs, traditions, and guides for behavior shared
among members of the organization.
It defines and expresses shared assumptions, values,
and beliefs and is manifested in various ways,
including formal rules and policies, norms of daily
behavior, physical settings, modes of dress, special
language, myths, rituals, heroes, and stories.
A healthy culture and ethical environment advance
employee morale, improve productivity and
efficiency, and tend to outperform other
organizations in terms of customer satisfaction,
employee satisfaction, and retention.
Failure to retain an effective governance, ethics, and
compliance program can jeopardize an
organization's reputation, its bottom line, and even
its existence.
Ethics is also closely linked to quality, as evidenced in
the Volkswagen emissions violations scandal. An
auditor who fails to meet accounting standards can
cause great damage to the firm and the client, as
observed in the Xerox and KPMG cases.
Similarly, a healthcare worker who fails to meet
recognized ethical norms and standards is not
delivering high-quality health care, and while
negligence can be claimed for a variety of reasons,
malpractice lawsuits can be significant.
The control environment includes activities related
to the competence and development of personnel,
the assignment of authority and responsibility, and
the organizational structure. Employee reporting
lines and accountability requirements are also
shaped by reporting lines, and these play an
important role in the effectiveness of internal
controls.
Management establishes a risk management
philosophy and the entity's risk appetite, forms a risk
culture, and integrates ERM with related initiatives.
Many managers have come to realize that the
control environment is critical to the overall
corporate image.
A healthy corporate culture has a positive effect on
sales, vendor relationships, investor preferences,
recruitment effectiveness, and stakeholder scrutiny.
Talking about and acting ethically carries financial
benefits.
Organizational culture plays a key role defining the
control environment, including norms, values, rules,
climate, and symbols.
It includes three key elements: the general
relationship between employees and their
organizations, the vertical or hierarchical system of
authority defining superiors and subordinates, and
the general views of employees about the
organization's destiny, purpose, and goals.
Understanding and addressing unethical behavior is
essential for auditors to ensure the integrity and
fairness of the organization. Examples of unethical
behavior include an unreasonable emphasis on
bottom-line performance, high-pressure sales
tactics, kickbacks or bribes, and the failure to comply
with laws and regulations.
Communication, Consistency, and Belief in the
Message
Management must communicate clearly and
consistently to ensure expectations are followed, as
inconsistencies can lead to employees viewing
management as hypocritical. A code of ethics, code
of conduct, and conflict of interest statement are
essential for establishing ethical conduct. These
documents guide employees in ethical decision-
making, motivating them to conduct themselves
ethically. Training should be provided upon hire and
annually to reinforce the importance of these topics.
Leadership organizations should also distribute
periodic articles, vignettes, scenarios, and surveys to
staff, and engage in informal lunch and learn
sessions. Internal audits can be beneficial by
partnering with Human Resources, Legal, IT, and
Loss Prevention to teach employees about internal
audits in other settings.
Form over Substance
The control environment is crucial for an
organization's success, ensuring integrity, ethical
values, independence from management, and a
commitment to attracting, developing, and retaining
competent individuals.
The board of directors plays a vital role in
maintaining internal control quality, setting
expectations, and ensuring smooth information flow.
The organization should also demonstrate a
commitment to attracting, developing, and retaining
competent individuals, ensuring their selection,
safeguarding, and proper deployment. By addressing
these issues, organizations can ensure their
objectives are met, mitigate risks, and increase the
likelihood of achieving them.
Entity Level Controls
Entity level controls are essential in assessing an
organization's values, systems, policies, and
processes to prevent fraud and encourage proper
conduct.
They involve examining tangible and intangible
aspects of the organization, such as policies,
procedures, manuals, rules, human resources
policies, reporting structures, information flows, and
commitment to competence. Key areas of focus
include controls over management override, risk
assessment methodology, centralized processing,
monitoring results of operations, and financial and
operational reporting. Internal auditors and business
leaders can identify strengths and weaknesses in
their entity level controls by examining factors such
as the organization's code of conduct, disciplinary
action, organizational structure, documentation,
compliance requirements, data and information
availability, and coordination within the
organization's second and third lines of defense.
Internal auditors must understand that behavior is
influenced by their environment and competing
forces, and must work with management to
establish clear performance standards, communicate
rewards and sanctions, and ensure effective
employee management. Organizations should create
a positive environment through socialization,
education, formal/informal systems, and
reinforcement, but should not tolerate unethical
behavior.
Tone in the Middle
Choosing the right managers is crucial as employees
judge an organization's ethical conduct based on
their boss's actions. Managers influence workplace
dynamics, values, and customer satisfaction.
The "tone in the middle" dictates workplace
conditions, leading to satisfaction, turnover, profits,
and goal achievement. Employee engagement
significantly impacts the workplace environment,
and internal auditors should collaborate with
management to assess workforce engagement.
RISK ASSESSMENT
The COSO framework focuses on identifying,
quantifying, analyzing, and managing organizational
risks.
Risks are events that can threaten an organization's
ability to achieve its objectives.They can be positive
or negative, with positive events being opportunities
and negative events being risks. Risks are assessed
based on likelihood and impact. Before risk
assessment, it is crucial to identify relevant
objectives, as they provide context for identifying
risks.
Larry Rittenberg, COSO's Chair Emeritus, emphasizes
the importance of understanding the link between
objectives, risks, and controls.
If objectives are not articulated, a deficiency in the
control environment should be brought to the
attention of senior management and the board.
Focusing more on control activities cannot
compensate for a breakdown between senior
management and board oversight. Once identified,
risks should be linked throughout the organization,
providing a chaining mechanism to trace risks up and
down the organization.
Risk assessment is a crucial process for organizations
to identify, analyze, and respond to potential risks
related to their objectives.
It involves identifying, analyzing, and deciding how
best to respond to these risks in relation to the
achievement of objectives.
Management specifies objectives within three
categories: reporting, compliance, and operations.
Reporting considerations are arranged in four broad
categories: internal/external and
financial/nonfinancial.
Compliance requirements relate to adherence to
laws and regulations, including contractual terms
and conditions, service level agreements, and
voluntary agreements.
Operations pertain to the effectiveness and
efficiency of the organization's operations, including
operational and financial performance goals,
safeguarding assets against loss, damage or
obsolescence, and making sure resources are
obtained economically.
Management must consider, specify, and analyze the
degree to which objectives are aligned with their
strategic priorities to ensure congruence and
coordination between these objectives. Inaccurate
alignment can result in competing interests, internal
conflicts, priority dissonance, and poor performance.
Examples include an employee's objectives focused
on cost reduction, a sales department's performance
measured on sales volume, and a manufacturing
manager's goals weighted heavily on lowering unit
costs.
Lack of alignment with established laws, rules,
regulations, and standards can lead to trouble and
long-term consequences. Large-scale problems often
invite regulator involvement and media attention,
which can become distracting and expensive over
time. Any discussion about risk must consider that
every entity faces a variety of risks from internal to
external sources.
Business and Process Risk
The risk management process of an organization
involves various risks, including capacity, execution,
supply chain, business interruption, human
resources, product or service failure, product
development risk, cycle time risk, health and safety
risk, leadership risk, outsourcing risk, competitor
risk, catastrophic loss risk, industry risk, planning
risk, organization structure risk, integrity and fraud
risk, reputation risk, data integrity, infrastructure
risk, commerce risk, access risk, and availability risk.
Capacity risk refers to the inability to meet demand
in the short and long term
Execution risk involves the inability to produce
consistently without compromising quality.
Supply chain risk refers to the inability to maintain a
steady stream of supplies when needed.
Business interruption risk stems from the
unavailability of raw materials, IT, skilled labor,
facilities, or other resources that threaten the
organization's ability to continue operations.
Human resources risk refers to the lack of
knowledge, skills, and experiences among key
personnel that threatens the ability to achieve
business objectives.
Product or service failure risk involves the failure of
products or services to meet customer expectations,
leading to customer complaints, warranty claims,
returns, field repairs, product liability claims,
litigation, lost revenues, lower market share, and
damage to the business's reputation.
Product development risk involves ineffective
product development that threatens the
organization's ability to meet or exceed customer
expectations consistently over the long term.
Cycle time risk is the unnecessary activities that
threaten the organization's capacity to develop,
produce, market, and deliver goods and services in a
timely manner.
Health and safety risk involves the failure to provide
a safe working environment for workers
Outsourcing risk involves outsourcing activities that
do not align with the organization's strategies,
objectives, values, and behavioral standards and
expectations.
Technological and Information Technology Risks
IT risks involve issues with the operation of IT
systems, data integrity, and the potential loss or
misuse of assets.
These risks include data and system availability risk,
data integrity risk, system capacity risk, data
integrity, infrastructure risk, commerce risk, access
risk, and availability risk.
Data and system availability risk involves the uptime
of systems and tools to support the needs of
workers, customers, suppliers, and stakeholders.
Data integrity risk involves the accuracy and
consistency of data stored, processed, retrieved, and
destroyed.
System capacity risk involves optimizing storage and
computing capabilities.
Infrastructure risk refers to the outdated or lack of IT
infrastructure needed to support information
requirements.
Commerce risk involves events that compromise
financial and data flows.
Access risk involves unauthorized use of confidential
information or limited personnel performance.
Availability risk threatens the continuity of
operations and processes.

Personnel risks are conditions that limit an
organization's ability to obtain, deploy, and retain
suitable numbers of qualified and motivated
workers.
These risks include availability risk, competence risk,
judgment risk, malfeasance risk, motivation risk,
financial risks, environmental risks, political risks,
social risks, and political risks.
These risks can result in poor cash flows, currency
and interest rate fluctuations, and an inability to
move funds quickly and without loss of value.
Examples of financial risks include resources risk,
commodity prices risk, foreign currency risk, liquidity
risk, market risk, and political risks.
Environmental risks involve the actual or potential
threat of negative effects on the environment by
emissions, wastes, and resource depletion. Examples
include energy and other resources risk, natural
disaster risk, pollution risk, transportation risk, and
pandemic risk.
Political risks involve the effects that political
decisions, events, or conditions can cause when they
affect the profitability of a business or the ability to
operate freely. Examples include regulations and
legislation risk, public policy risk, and instability risk.
Social risks involve dynamics where an issue affects
stakeholders who can form negative perceptions
that can cause damage to the organization.
Examples of social risks include demographics risk,
privacy risk, CSR requirements, and mobility.
Risk assessment requires management to consider
the impact of possible changes in the external
environment and within their own business model
that could make internal control ineffective. This
includes clearly articulating objectives relating to
operations, reporting, and compliance so any risks to
those objectives can be identified and assessed.
Effectiveness relates to the achievement of
objectives and the degree to which these are
achieved.
Identifying business goals is essential for internal
auditors, as it involves obtaining these from process
owners during the planning phase.
The IIA Standards state that internal auditors must
consider the objectives of the activity being
reviewed, the means by which the activity controls
its performance, and the significant risks to the
activity, its objectives, resources, and operations. If
goals have been defined but are inadequate, internal
auditors should engage management to develop
improvements.
The SMARTER model is a useful tool for internal
auditors in developing organizational and personal
goals.
It helps to remember the elements of well-
developed goals, which are specific, measurable,
achievable, relevant, time-bound, and evaluated.
Specific goals make it easier for managers and
employees to focus their energy, resources, and
priorities on accomplishing them. Measurable goals
are easier to link their completion to performance
monitoring and rewards mechanisms, as they help to
measure the degree of success accomplishing the
related goal.
Achievable goals are more motivating and aligned
with the mission and strategy of the organization,
the process, and the individual. They build
confidence and serve to motivate those involved to
pursue something great. Goals should have
milestones and checkpoints that allow the person
responsible for their completion to witness progress.
Relevant goals should be aligned with the
organization's mission and strategy, and should be
relevant to the employee's career or job description.
Time-bound goals require commitment from both
the individual and the person overseeing the goal.
Goals should precipitate a plan to accomplish the
goal, creating a sense of urgency and time pressure.
The combination of goals, plans, and deadlines
brings out the talents in people and can be leveraged
among all involved.
Goals must be evaluated to determine if they meet
the SMARTER elements and if they meet ethical and
ecological considerations. Unethical actions justified
by the manager or others are commonplace in some
locales, and ignoring the environmental impact of
business actions is also unfortunate and is
increasingly shown disapproval by stakeholders. By
using the SMARTER model, internal auditors can help
managers perceive the value of their work and
improve overall performance.
Goals should be challenging, difficult, achievable,
and meaningful to ensure the success of an
organization. They should be measurable, visible,
and impactful. Rewards should be commensurate
with the effort put into the task and the outcome
achieved. Managers should also reward the
successful completion of tasks and the effort put into
them, showing how the work satisfies the needs of
organizational stakeholders.
Millennials are idealistic and want to understand the
big picture, so managers should reward the
successful completion of tasks and the effort put into
them. Internal auditors should link audit tests to
business objectives, linking everything they do to a
risk, which in turn is linked to a business objective.
This helps mitigate the potential likelihood and
impact of these risks.
Internal auditors should examine the functioning of
programs and processes to ensure that the design
and performance of these activities are as expected
and make recommendations for improvement.
Anomalies detected during audit testing should be
presented in that context, as they allow risks to
materialize, which jeopardize the successful
accomplishment of a particular objective.
The topic of fraud and corruption has gained
attention over the past few years, with alarming
statistics about fraud. The IIA's Standards include
specific reference to fraud, emphasizing the
importance of internal auditors having sufficient
knowledge to evaluate the risk of fraud and how it
can be committed. Areas of focus related to fraud
include material omission or misstatement of
reporting, inadequate safeguarding of assets, and
corruption.
Assessing risk on a formal and informal basis is
essential for organizational success, and internal
auditors can help raise awareness by highlighting
some exposures.
Risk assessments should consider change, as it can
either undermine or enable objectives. External
factors like demographic shifts, technological
advances, and low interest rates can help achieve
business objectives. The Millennial generation, who
are comfortable with technology and adapt to
change, can be a valuable asset. Technological
advances like cloud computing and broadband
enable remote work, reducing costs, and generating
revenues.
Control Activities
Controls are actions established through policies and
procedures to mitigate the likelihood and/or impact
of risks. They are performed at all levels of an
organization, at various stages within processes and
over the technological infrastructure. Controls can
be manual, performed by individuals using tangible
items, or automated, performed by computer and
electronic systems without direct human interaction.
Some controls are a combination of manual and
automated, requiring both a system component and
human follow-through.
The rate of dependence on IT has increased
substantially over the past few decades, and most
activities involve the use of computers to some
degree or another. Organizations often struggle with
the lack of consistency in the performance of control
activities due to the implementation process not
aligning with performance evaluation measures,
supervision, training, disciplinary actions, and
rewards.
Control activities can be categorized as preventive,
detective, directive, and compensating.
Preventive controls act before errors or omissions
can occur and reduce the likelihood and/or impact of
the event.
Detective controls identify errors or anomalies after
they have occurred and alert the need for corrective
action.
Directive controls are temporary controls
implemented to redirect employee actions,
sometimes referred to as corrective controls, when
an undesirable action has occurred.
Compensating controls are put in place when a
control is not where it is expected as proper design
would stipulate.
Internal auditors are generally tasked with verifying
that processes, programs, and their related controls
have been designed appropriately and that those
controls are operating as intended. Nonperforming
controls can be due to inadequate knowledge,
sabotage, emotional and physical reasons, or poor
management practices. Ensuring that controls are
designed effectively and implemented effectively is
crucial for maintaining organizational effectiveness.
Information and Communication
The fourth component of the COSO IC/IF model
focuses on the flow of information within an
organization. It involves clear, consistent, timely, and
purposeful directions from the top, feedback from
employees, and lateral flows of information between
individuals and units. Communication is crucial for
effective functioning, decision-making, problem-
solving, and change-management processes. It
provides workers with important information about
their jobs, the organization, and each other,
improving motivation, building trust, and
engendering engagement. Internal communication
occurs on multiple levels, including interpersonal,
group-level, and organizational-level. Information is
necessary for internal control activities, such as
reconciliations, inventory counts, and inventory
counts. Communication should be continuous,
iterative, and share necessary information to
maximize its utility. Internal and external
communications can follow various patterns, and
organizations should support management efforts to
increase the production, analysis, dissemination, and
use of information for better decision-making and
organizational effectiveness. The free flow of
information is essential for understanding new or
changed events in the operating environment and
preventing management from operating in a
vacuum.
Organizations face increasing risks and modifications
to their internal control systems due to changing
business dynamics. Outsourced service providers,
financial institutions, and intermediaries provide
diverse and complex information sources, which can
disrupt operations and reduce revenues. Social
media has become an essential part of organizations'
communications infrastructure, connecting
employees, customers, vendors, supporters, and
detractors. As data flows expand beyond pairs and
involve intermediaries, organizations must ensure
the compatibility, quality, speed, and reliability of all
information.
Outsourcing can create operational risks, strategic
risks, and composite risks. Outsourcing organizations
must manage these risks and ensure clients are
protected and financial statements are correct. To
ensure acceptable risk levels, organizations can have
their own internal or external auditor review the
service provider or provide reports to clients.
Organizations also have numerous third-party
intermediaries that play a crucial role in their
business operations and interactions with
governments. Companies must conduct due
diligence and investigate their third parties before
contracting them, understanding their roles,
responsibilities, and potential risks.
The hiring organization must manage third-party
monitoring and use technology to assist in this
process. Service providers can provide standardized
audit reports for customers to use in risk
assessment. The Statement on Standards for
Attestation Engagements (SSAE) No. 16, Reporting
on Controls at a Service Organization, replaced SAS
70 in 2010. There are three types of SOC reports:
SOC 1 (Report on Controls at a Service Organization
Relevant to User Entities' Internal Control over
Financial Reporting), SOC 2 (Report on Controls at a
Service Organization Relevant to Security,
Availability, Processing Integrity, Confidentiality, or
Privacy), and SOC 3 (Trust Services Report for Service
Organizations).
Monitoring Activities
Monitoring activities are ongoing evaluations used to
assess the functioning of internal control
components. These evaluations can be cyclical or
ongoing, depending on the risk assessment and
previous evaluations. The criteria used during these
reviews are based on internal requirements and
external criteria. Monitoring should be viewed
holistically, considering other components such as
the control environment, risk assessment, and
information and communication. Employee surveys
can help assess the state of ethics, risk assessment,
and information and communication. Monitoring
helps management understand how all components
of internal control are being applied and enhances
organizational effectiveness.
IT plays a crucial role in organizational success, and
organizations should consider IT as a business
service partner rather than just a back-end support
unit. The Information Systems Audit and Control
Association (ISACA) has addressed the gap in IT
considerations through the COBIT framework, which
includes strategic direction, project management,
purchases, and training end users. The COBIT
framework addresses more than technical subjects
and includes critical managerial and
accounting/financial activities.
ISO, an independent nongovernmental organization,
provides world-class specifications for products,
services, and systems to ensure quality, safety, and
efficiency. It has published over 19,000 international
standards and related documents, covering various
industries. ISO 9000 and ISO 31000 are popular
standards for quality management and risk
management, providing guidance and tools for
organizations to ensure consistent meeting of
customer requirements and continuous
improvement.
ISO also facilitates communication and the setting of
expectations between organizations, complementing
COSO's components and helping internal auditors
supplement their audit programs. By understanding
and implementing these standards, organizations
can ensure their IT operations align with their
business needs and achieve long-term success.
ITIL is a comprehensive framework for IT service
management that focuses on organizational
structure, skill requirements, and standard
management procedures. It provides templates,
checklists, and downloads for quick implementation
and helps organizations achieve predictable service
levels. ITIL v3 was published in 2007 and updated in
2011. It addresses service strategy, design,
transition, operation, event and incident
management, request fulfillment, and continual
service improvement. Successful companies that
have implemented ITIL include Procter & Gamble,
Caterpillar, Nationwide Insurance, and Capital One.
Key goals include streamlining service delivery,
developing repeatable procedures, reducing service
incidents, implementing standards, ensuring future
capacity, defining clear service targets, and
accurately allocating costs.
The CMMI is a process improvement appraisal
program developed by Carnegie Mellon University,
used in various areas such as project management,
software development, and performance
improvement. It has five maturity levels: Initial,
Repeatable, Defined, Managed, and Optimized.
Internal control frameworks, such as COSO and
COBIT, are used for planning, analysis, decision-
making, and monitoring. Planning is a crucial aspect
of classical management, involving formulating
detailed plans to achieve the optimum balance
between needs and resources. COSO and COBIT
frameworks provide guidance and a roadmap for
organizations to structure and run effectively.
Managers should be taught about these frameworks
and have their performance measured based on the
quality of internal controls in their areas of
responsibility. This would reinforce the importance FISH BONE
of internal controls and reduce compensation for
non-performance. The fishbone diagram, also known as the cause and
effect diagram or Ishikawa diagram, is a useful tool
for internal auditors to identify the root causes of
problems. This method, which is binary in nature,
CHAPTER 6 helps auditors treat issues from a binary perspective,
focusing on what should have been done, verifying
Histograms
consistency, reporting no findings, and
are charts that display the frequency distribution of recommending future practices. However, when
numerical data using rectangles representing dealing with operational issues, the answer may not
intervals. They represent the probability distribution be straightforward. Many operational issues are
of a continuous variable and are used to assess the caused by a combination of people, process, and
distribution of data. Histograms provide a fluid view technology issues, so auditors should attempt to
of transactions, helping auditors understand the identify the root causes of these conditions. The six
dynamics affecting the process under review. They categories used are people, methods, machines,
can be used to plot sales revenues, vehicle serviced, materials, measurements, and environment. The
and more, providing a more comprehensive diagram can be categorized based on the type of
understanding of the data. organization or environment being analyzed. When
preparing the fishbone diagram, it becomes clearer
Control Chart why the problem exists and how a number of root
causes impact multiple categories. The top two or
Process owners are responsible for setting the
three items that have the biggest influence on the
structure of their processes and programs,
effect are identified, similar to the 80/20 rule. The
establishing goals, identifying risks, and designing
fishbone diagram is a useful tool for identifying root
controls to mitigate them. Monitoring these controls
causes and exploring solutions to problems. It aids in
provides valuable information about their strengths
problem-solving and can be used in conjunction with
and weaknesses, and helps management identify
the CCCER model for documenting internal audit
anomalies that require intervention. Control charts
findings.
are a tool used to document this monitoring, plotting
and studying how a process changes over time. They
are one of the seven basic tools of quality and are
often less used by internal auditors. Control charts
help auditors determine if a process is stable and
under control, predict future performance, and
identify the source of problems. By setting upper and
lower control limits and observing patterns, internal
auditors can increase the sophistication of their data
analytics and support their findings with measurable
data.

The Pareto principle, also known as the 80/20 rule,

suggests that 80% of events' effects are caused by
20% of their causes. Pareto diagrams organize data
and prioritize improvement efforts by focusing on
major root causes. They organize data by
constructing bars and ranking items in importance.