
What a Control Model Can Do for You

March 2004

Many moons ago, during our last national financial crisis—the savings and loan crisis—the auditing profession decided it had some cleaning up to do. Sound familiar?

Investigators into the scandal found that auditors were concluding that the savings and loans were healthy without doing the work necessary to prove it. Auditors were doing what they had always done. And what they were doing was not based on any firm standards or approach.

Auditors are still doing the same old thing

Amazingly, I still see this going on in audit shops. What was happening then, and still happens now, is that audit teams take last year's working papers, questionnaires and programs and do the same thing again. No one ever stops to think, "Is what we are doing complete, thorough, or well-thought-out?"

For instance, one audit team I was training on working paper techniques used a very old questionnaire to gain an understanding of their client's systems. The questionnaire was barely readable; it had been copied so many times! I asked the team where they had gotten the questionnaire and they said they had always used it as long as they could remember.

Upon examining one of the completed questionnaires, I found that many of the questions went unanswered or were deemed not applicable. Some audit teams left out whole series of questions. They reasoned that after years and years of not uncovering anything interesting with the questions, they could safely skip them. Not surprisingly, no one had ever added a question to the questionnaire. That would cause more work!

I imagine that this is what happened with the savings and loan auditors. Old Joe Bob Auditor had been doing the same procedures and asking the same questions for years and years and years. He may have seen hints of some "questionable business practices," but he didn't want to rock the boat by suggesting improvements. Boat rockers lost clients, so he just kept his auditor blinders on, ignoring anything out of his predetermined and limited field of vision.

BLAM! One day this half-baked technique harvested predictable results. After so many savings and loans failed, everyone asked, "Where were the auditors?" Investigators later uncovered that auditors were doing whatever they wanted—however they wanted—with no guidance.

COSO's Internal Control Integrated Framework was created out of this need for structure and guidance.

What is COSO anyway?

COSO stands for Committee of Sponsoring Organizations of the Treadway Commission and is the acronym commonly used to name the internal control structure defined by the Committee. The AICPA, the American Accounting Association, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute all sponsored the effort. COSO defines what a good system of internal controls should look like.

A two-volume set of books describes the ideal internal control components in detail and provides tools auditors can use to evaluate internal controls. You can purchase these books from the AICPA at www.coso.org under the publications tab.

Why should you buy these? Because you should read them! You of all people need to know what a good internal control system should look like. If you are an auditor in a publicly traded organization, Sarbanes-Oxley section 404 requires your entity to undergo an audit of internal controls over financial reporting. And guess what criteria most of these auditors are using to judge your internal control system? COSO.

We should all be able to say the components of COSO in our sleep:

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring


A model! We don't need no stinkin' model!

Oh, yes you do! Models help people conceptualize abstract and complex concepts. Models can often be depicted as a picture or graphic. Models ease communication between people (I particularly like the picture of the COSO cube that is included in the first volume of the COSO books).

The benefits of adopting COSO as a control model are that it:

  • Makes sure that your approach is complete—without a comprehensive, well-designed model, how can you be sure you have covered all the bases? Without a model to tell you what areas to look at, you might miss an area.
  • Structures and focuses your audit—without guidance, you have to reinvent the wheel each time you begin an audit. With the COSO model, you can quickly get down to business, knowing that you can rely on a structure to focus your efforts.
  • Provides criteria for your recommendations—instead of saying "good business practices dictate you should xyz," the auditor can turn to the benchmark that the COSO model provides as backup criteria for any recommendation.
  • Creates a common language—the auditor, the supervisor, the manager, and the auditee can use the model to create a common language to base their conversations on. The auditor can easily explain his objectives to the client once the client understands the model. In this way, the client can be informed of what the auditor did and did not do.

You may not have a choice, you may be REQUIRED to use it

SAS 79 and the Yellow Book require that you use the COSO model in planning and conducting all financial audits. If you are following Yellow Book standards and doing a financial audit, you are subject to SAS 79 and will follow the COSO model.

If you are doing a performance audit under Yellow Book standards, you follow an alternative control structure made of three components: 1. effectiveness and efficiency of program operations, 2. validity and reliability of data, and 3. compliance with applicable laws and regulations and provisions of contracts or grant agreements. See the Yellow Book Standards section 7.12 at www.gao.gov/govaud.

The Institute of Internal Auditors hasn't clarified an internal control model in the Red Book yet, although they are working on it. It seems likely that they would end up relying on COSO, since the IIA was part of the committee that invented it.

So, buy or borrow the COSO book and get to know and love it as many other auditors already do. You can take it even further, and ask that your auditee or client read it! Maybe you could chat with them about it, educate them. CRAZY I KNOW—but a potentially powerful idea.