Module 5 - Control Framework

Control framework of government accounting

Uploaded by Ava


Module 5
CONTROL FRAMEWORKS
ACELEC 332 – OPERATIONS AUDITING
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
• Internal control is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as follows:
  “Internal control is a process (1), effected by an entity’s board of directors, management and other personnel (2), designed to provide reasonable assurance (3) regarding the achievement of objectives (4) in the following categories: Effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.”
OBJECTIVES
• Operations: These pertain to the effectiveness and efficiency of the organization’s operations. This includes operational and financial performance goals, safeguarding assets against loss, damage or obsolescence, and making sure resources are obtained economically.
• Reporting: Reporting considerations are arranged in four broad categories: internal/external and financial/non-financial. This is of importance to internal auditors, who must remember that organizations must meet reporting expectations beyond external financial reporting. It includes the reliability, timeliness, transparency, or other terms set by regulators, the organization’s policies or other recognized standard setters.
• Compliance: These relate to adherence to the laws and regulations to which the organization is subject. Compliance requirements may also include compliance with contractual terms and conditions, service level agreements, and voluntary agreements, such as those involving corporate sustainability reports.
COSO FRAMEWORK
1. Control environment
• The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
• Elements of the Control Environment:
a. Communication and enforcement of integrity and ethical values;
b. Commitment to competence;
c. Participation by those charged with governance;
d. Management’s philosophy and operating style;
e. Organizational structure;
f. Assignment of authority and responsibility; and
g. Human resources policies and practices.
a. Communication and enforcement of integrity and ethical values - Integrity and ethical values are expressed through:
  • Existence and implementation of codes of conduct and other policies regarding acceptable business practice, conflicts of interest, or expected standards of ethical and moral behavior.
  • Dealings with employees, suppliers, customers, investors, creditors, insurers, competitors, and auditors (e.g., whether management conducts business on a high ethical plane, and insists that others do so, or pays little attention to ethical issues).
  • Pressure to meet unrealistic performance targets – particularly for short-term results – and the extent to which compensation is based on achieving those performance targets.
b. Commitment to competence - There often is a trade-off between competence and cost – it is not necessary, for instance, to hire an electrical engineer to change a light bulb. Commitment to competence is expressed through:
  • Formal or informal job descriptions or other means of defining the tasks that comprise particular jobs.
  • Analyses of the knowledge and skills needed to perform jobs adequately.
c. Participation by those charged with governance - The control environment and “tone at the top” are influenced significantly by the entity’s board of directors and audit committee. Controls involving the Board of Directors or Audit Committee include:
  • Independence from management, such that necessary, even if difficult and probing, questions are raised.
  • Frequency and timeliness with which meetings are held with chief financial and/or accounting officers, internal auditors and external auditors.
  • Sufficiency and timeliness with which information is provided to board or committee members, to allow monitoring of management’s objectives and strategies, the entity’s financial position and operating results, and the terms of significant agreements.
  • Sufficiency and timeliness with which the board or audit committee is apprised of sensitive information, investigations and improper acts of officers.
d. Management’s philosophy and operating style - This factor affects the way the enterprise is managed, including the kinds of business risks accepted. Controls involving management’s philosophy and operating style include:
  • Nature of business risks accepted, e.g., whether management often enters into particularly high-risk ventures, or is extremely conservative in accepting risks.
  • Frequency of interaction between senior management and operating management, particularly when operating from geographically removed locations.
  • Attitudes and actions toward financial reporting, including disputes over the application of accounting treatments (e.g., selection of conservative versus liberal accounting policies, whether accounting principles have been misapplied, important financial information not disclosed, or records manipulated or falsified).
e. Organizational structure - An entity’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled and monitored. Controls involving organizational structure are expressed through:
  • Appropriateness of the entity’s organization structure, and its ability to provide the necessary information flow to manage its activities.
  • Adequacy of the definition of key managers’ responsibilities, and their understanding of these responsibilities.
  • Adequacy of the knowledge and experience of key managers in light of their responsibilities.
f. Assignment of authority and responsibility - This element pertains to how an organization assigns authority and responsibility for operating activities, and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, the knowledge and experience of key personnel, and the resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.
g. Human resource policies and practices – Human resources practices send messages to employees regarding expected levels of integrity, ethical behavior and competence. Such practices relate to hiring, orientation, training, evaluating, counseling, promoting, compensating and remedial actions. Controls involving human resources policies and practices include:
  • The extent to which policies and procedures for hiring, training, promoting and compensating employees are in place.
  • Appropriateness of remedial action taken in response to departures from approved policies and procedures.
  • Adequacy of employee candidate background checks, particularly with regard to prior actions or activities considered unacceptable by the entity.
  • Adequacy of employee retention and promotion criteria and information-gathering techniques (e.g., performance evaluations), and their relation to the code of conduct or other behavioral guidelines.
2. The entity’s risk assessment process
• An entity’s risk assessment process is its process for identifying and responding to business risks and the results thereof. (Note that the risk assessment process refers to the client’s process for assessing risk. This is different from the risk assessment performed by an auditor for inherent and control risk.)
• Risks are typically assessed along two dimensions:
  • Likelihood, or the probability that these events occur
  • Impact, or the consequence if these events occurred
• RISK IDENTIFICATION – is an iterative process and often is integrated with the planning process. It also is useful to consider risk from a “clean sheet of paper” approach, and not merely relate the risk to the previous review.
• RISK ANALYSIS – The methodology for analyzing risks can vary, largely because many risks are difficult to quantify. Nonetheless, the process – which may be more or less formal – usually includes: estimating the significance of a risk; assessing the likelihood (or frequency) of the risk occurring; and considering how the risk should be managed – that is, an assessment of what actions need to be taken.
3. Control activities
• Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives.
• Control activities can be divided into three categories, based on the nature of the entity’s objectives to which they relate: operations, financial reporting, or compliance.
• Types of Control Activities:
a. Performance reviews - These control activities include
- reviews and analyses of actual performance versus budgets, forecasts, and prior period performance;
- relating different sets of data – operating or financial – to one another, together with analyses of the relationships and investigative and corrective actions;
- comparing internal data with external sources of information; and
- review of functional or activity performance, such as a bank’s consumer loan manager’s review of reports by branch, region, and loan type for loan approvals and collections.
b. Information processing - A variety of controls are performed to check the accuracy, completeness, and authorization of transactions. The two broad groupings of information systems control activities are:
- Application controls - Application controls apply to the processing of individual applications.
  - Examples of application controls include checking the arithmetical accuracy of records, maintaining and reviewing accounts and trial balances, automated controls such as edit checks of input data and numerical sequence checks, and manual follow-up of exception reports.
- General IT controls – are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
  - Examples of such general IT controls are program change controls, controls that restrict access to programs or data, controls over the implementation of new releases of packaged software applications, and controls over system software that restrict access to or monitor the use of system utilities that could change financial data or records without leaving an audit trail.
c. Physical controls – These activities encompass the physical security of assets, including adequate safeguards such as secured facilities over access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records (for example, comparing the results of cash, security and inventory counts with accounting records).
d. Segregation of duties – Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities for any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties.
CATEGORIES OF CONTROL ACTIVITIES
• Preventive: Preventive controls are those activities that act before the error or omission can occur and reduce the likelihood and/or impact of the event.
• Detective: Detective controls identify errors or anomalies after they have occurred and alert to the need for corrective action.
• Directive: Directive controls are temporary controls that are implemented to redirect employee actions. They are sometimes referred to as corrective controls, because they are put in place when an undesirable action has occurred, even when there were preventive and detective controls in place.
• Compensating: Compensating or mitigating controls are those put in place when a control is not present where proper design would stipulate it should be.
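The application controls and segregation of duties described under information processing above, together with the preventive/detective distinction, as an added example that is not part of the original module: a small Python batch validator in which edit checks act as a preventive control (an entry is rejected before it is posted) and the numerical sequence check acts as a detective control whose findings go onto an exception report for manual follow-up. The journal entries, user ids and amounts are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class JournalEntry:
    seq: int            # pre-numbered document sequence (constructed sample data)
    debit: int          # amounts in cents
    credit: int
    authorized_by: str  # user id that approved the entry
    recorded_by: str    # user id that posted the entry

def edit_check(entry):
    """Preventive control: edit checks before posting; returns rejection reasons."""
    reasons = []
    if entry.debit != entry.credit:                # arithmetical accuracy check
        reasons.append("debits do not equal credits")
    if entry.authorized_by == entry.recorded_by:   # segregation of duties
        reasons.append("authorizer and recorder are the same person")
    return reasons

def sequence_check(entries):
    """Detective control: returns (missing, duplicated) document numbers."""
    seqs = sorted(e.seq for e in entries)
    missing, duplicates = [], []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur == prev:
            duplicates.append(cur)
        else:
            missing.extend(range(prev + 1, cur))
    return missing, duplicates

def exception_report(entries):
    """One line per finding; the report is the input to manual follow-up."""
    lines = [f"seq {e.seq}: rejected, {why}" for e in entries for why in edit_check(e)]
    missing, duplicates = sequence_check(entries)
    lines += [f"seq {n}: missing document number" for n in missing]
    lines += [f"seq {n}: duplicate document number" for n in duplicates]
    return lines

# Constructed sample batch, not real accounting data.
SAMPLE = [
    JournalEntry(1001, 50000, 50000, "alice", "bob"),
    JournalEntry(1002, 12000, 21000, "alice", "bob"),    # transposed credit amount
    JournalEntry(1004, 7500, 7500, "carol", "carol"),    # 1003 skipped; same person twice
    JournalEntry(1004, 3000, 3000, "alice", "dave"),     # reused document number
]

if __name__ == "__main__":
    print("\n".join(exception_report(SAMPLE)))
```

The edit checks stop a bad entry at input time, while the sequence check can only flag the gap and the reused number after the batch exists, which is why its output is a report for someone to follow up rather than an automatic rejection.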
4. Information system and communication
• An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of information technology (IT).
• Information – information developed from internal and external sources, both financial and non-financial, is relevant to all objective categories.
• Information quality – It is critical that reports contain enough appropriate data to support effective control. The quality of information includes ascertaining whether:
  • Content is appropriate – Is the needed information there?
  • Information is timely – Is it there when required?
  • Information is current – Is it the latest available?
  • Information is accurate – Are the data correct?
  • Information is accessible – Can it be obtained easily by appropriate parties?
• Communication – involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
• Means of communication – Communication takes such forms as policy manuals, memoranda, bulletin board notices and videotaped messages. Where messages are transmitted orally – in large groups, smaller meetings or one-on-one sessions – tone of voice and body language serve to emphasize what is being said.
5. Monitoring controls
• Monitoring of controls is a process to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Monitoring is done to ensure that controls continue to operate effectively.
• For example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them. Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.
• Monitoring can be done in two ways: through ongoing activities or separate evaluations.
• Internal control systems usually will be structured to monitor themselves on an ongoing basis to some degree. The greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations.
• The frequency of separate evaluations necessary for management to have reasonable assurance about the effectiveness of the internal control system is a matter of management’s judgment.

End of Module 5
