COSO based auditing
The Internal Auditor; Altamonte Springs; Dec 1997; Mark R Simmons;

Subject Terms:

Internal controls
Internal auditing control

Classification Codes:

9190: US
4130: Auditing

After several significant audit failures occurred during the 1980s, the Committee of Sponsoring Organizations (COSO) formed to redefine internal control and the criteria for determining the effectiveness of an internal control system. The 1992 COSO document, Internal Control - Integrated Framework, changed the way internal control is viewed. The COSO Framework considers not only the evaluation of hard controls, like segregation of duties, but also soft controls, such as the competence and professionalism of employees. The Framework and its implementation are discussed.

Full Text:

Copyright Institute of Internal Auditors, Incorporated Dec 1997

Many internal auditors find traditional audit methods too outdated for assessing modern internal controls. An audit approach based on the tenets of COSO may fill the void.

The 1992 COSO document, Internal Control-Integrated Framework, changed the way we look at internal control. After several significant audit failures occurred during the 1980s, the Committee of Sponsoring Organizations (COSO) formed to redefine internal control and the criteria for determining the effectiveness of an internal control system.

Traditional theories, which primarily addressed financial controls, were broadened substantially. The COSO Framework considers not only the evaluation of hard controls, like segregation of duties, but also soft controls, such as the competence and professionalism of employees. Especially in the United States, these concepts have been adopted by many organizations, as well as by many governmental entities.

Applying COSO to practice is not so simple as adopting it in theory, however. No defined approach exists for auditing "soft" controls like the integrity and ethical values of staff, the philosophy and operating style of management, and the effectiveness of communication.

In 1993, when I served as Assistant Director of Internal Audit for a state government agency, my colleagues and I began wrestling with the opportunities, and challenges, that COSO presented. After six months of heavy research, discussion, trial, and error, we began to put COSO concepts into practice by melding them with some of the methods and concepts of total quality management. Over the next four years we continued to develop, refine, and implement the process until we arrived at the following formal methodology.


The value of COSO-based auditing is that it enables effective evaluation of the soft controls espoused by COSO while avoiding the faulty, negative findings that can sometimes result from traditional audit methods. Customer-focused and outcome-oriented, this method addresses systemic root causes, avoids placing blame, and produces a workable solution every time. The key steps for successfully applying this method are: understanding COSO, determining control strengths and weaknesses, defining key issues and reportable conditions, validating testimonial evidence, making the final assessment, and identifying corrective actions.


To begin, one must have a thorough understanding of the COSO definition of control and the criteria for an effective control system. According to COSO, "Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations."

COSO considers these categories to be overlapping, yet distinct. The effectiveness of an internal control system is measured by its capacity to provide reasonable assurance to the board of directors and management that these three objectives have been met.

In addition to these goals, COSO identified five interrelated components of internal control:

1 The control environment, which includes the integrity, ethical values, and competence of an organization's people.

2 Risk assessment.

3 Control activities.

4 Information and communication, which encompasses the methods for identifying, capturing, and communicating pertinent information in a time frame that enables people to carry out their responsibilities.

5 Monitoring.

These components combine to form an integrated system of controls. To conclude that internal control is effective in any category of objectives (operations, financial reporting, or compliance), all five components must be present and functioning.

Our COSO-based audit method is also derived from several premises inherent in COSO. The first is that the people in an organization, who daily face the realities of trying to work efficiently and effectively to achieve the goals and objectives set out for them, are in the best position to provide insights into the strengths and weaknesses of their processes.

The second premise is that internal auditors should work in a collegial spirit to identify control problems and develop solutions for improving and strengthening controls. Not only will better solutions result, but buy-in will be virtually guaranteed in all but the most difficult situations.


[Figure: THE COSO FRAMEWORK. All five control components must be present and functioning to conclude that internal control is effective in any one category of objectives.]

[Figure: THE COSO MODEL. The five control components form an integrated system that reacts dynamically to changing conditions.]

The final premise is that the use of focus groups and affinity processes affords one of the most efficient and effective means of gathering substantial amounts of highly relevant and useful data. These quality management techniques have been proven many times over and across all types of service and manufacturing environments. In my experience they far surpass the traditional, archaic audit methods of gathering information.


Armed with an understanding of the tenets of COSO and the three inherent premises, the next steps involve determining the general strengths and weaknesses of controls in the operational area:

1 A series of generic questions based on the COSO Framework is customized and adapted to a specific organizational unit. The chart on page 73 lists typical questions about the accounts receivable control environment. The basics of all five control components can be covered with 30-50 similar questions.

2 Depending on circumstances and requirements, such as the audit client's workload and the number of individuals in the audited unit, either a focus group or a series of individual interviews is scheduled. The process of answering the control questions leads unit managers and staff through a self-evaluation that gauges the importance and presence of key elements of each of the five control components.

3 The results of these interviews are tabulated and correlated to identify strengths and weaknesses in each of the five control components.

At the end of this stage, the five components of control have been used as the criteria to identify the strengths and weaknesses of the system. Some basic conclusions can also be formulated, such as whether managers and staff share the same perceptions regarding operations and controls in their area. If not, the risk that controls may not be working properly rises significantly. If management and staff are more or less in agreement, the business risk is not as great.
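The tabulation and correlation in step 3, and the management-versus-staff comparison drawn from it, can be made concrete. The script below is an added illustration, not the author's method or any tool the article describes; the 1-5 importance and presence scales, the thresholds, and the sample answers are all assumptions chosen for the example. Each answer is tagged with the respondent's role and the COSO component its question covers; the script averages presence per component for each role, classifies the component as a strength, weakness, or mixed, and flags components where managers and staff see the control differently, which the text treats as a sign of elevated risk.

```python
"""Tabulate control self-assessment answers by COSO component and flag where
managers and staff disagree (added illustration, not the article's own tooling).

Scales, thresholds and the sample answers are assumptions made for the example:
each answer rates a question's importance and the presence of the control on 1-5.
"""
from collections import defaultdict
from statistics import mean

COMPONENTS = (
    "control environment",
    "risk assessment",
    "control activities",
    "information and communication",
    "monitoring",
)

# Assumed thresholds on the 1-5 presence scale.
STRONG_AT = 4.0   # mean presence at or above this: strength
WEAK_AT = 2.5     # mean presence at or below this: weakness
GAP_AT = 1.5      # manager/staff difference above this: perception gap

# Constructed sample: (role, question id, component, importance, presence).
SAMPLE_RESPONSES = [
    ("management", "Q01", "control environment", 5, 5),
    ("management", "Q02", "control environment", 4, 4),
    ("staff", "Q01", "control environment", 5, 2),
    ("staff", "Q02", "control environment", 4, 2),
    ("management", "Q03", "risk assessment", 4, 4),
    ("staff", "Q03", "risk assessment", 4, 4),
    ("management", "Q04", "control activities", 5, 2),
    ("staff", "Q04", "control activities", 5, 2),
    ("management", "Q05", "information and communication", 3, 4),
    ("staff", "Q05", "information and communication", 3, 3),
    ("management", "Q06", "monitoring", 4, 1),
    ("staff", "Q06", "monitoring", 4, 2),
]


def tabulate(responses):
    """Mean importance and presence per component, presence split by role."""
    presence = defaultdict(lambda: defaultdict(list))
    importance = defaultdict(list)
    for role, _qid, component, imp, pres in responses:
        presence[component][role].append(pres)
        importance[component].append(imp)
    table = {}
    for component in COMPONENTS:
        roles = presence.get(component, {})
        imps = importance.get(component, [])
        table[component] = {
            "importance": mean(imps) if imps else None,
            "management": mean(roles["management"]) if roles.get("management") else None,
            "staff": mean(roles["staff"]) if roles.get("staff") else None,
        }
    return table


def assess(table):
    """Classify each component and flag manager/staff disagreement."""
    findings = {}
    for component, row in table.items():
        m, s = row["management"], row["staff"]
        if m is None or s is None:
            # Both views are needed; an unanswered component is itself a finding.
            findings[component] = {"status": "not assessed", "gap": False}
            continue
        overall = (m + s) / 2
        if overall >= STRONG_AT:
            status = "strength"
        elif overall <= WEAK_AT:
            status = "weakness"
        else:
            status = "mixed"
        findings[component] = {
            "status": status,
            "gap": abs(m - s) > GAP_AT,
            "overall": round(overall, 2),
            "importance": row["importance"],
        }
    return findings


def priority_order(findings):
    """Weaknesses first, then mixed; a perception gap outranks a clean answer,
    and higher rated importance comes earlier within each group."""
    candidates = [c for c, f in findings.items() if f["status"] in ("weakness", "mixed")]
    return sorted(
        candidates,
        key=lambda c: (
            findings[c]["status"] != "weakness",
            not findings[c]["gap"],
            -(findings[c]["importance"] or 0),
        ),
    )


if __name__ == "__main__":
    results = assess(tabulate(SAMPLE_RESPONSES))
    for comp in priority_order(results):
        f = results[comp]
        flag = "  <-- management and staff disagree" if f["gap"] else ""
        print(f"{comp:32s} {f['status']:9s} overall={f['overall']}{flag}")
```

In the constructed sample, control activities and monitoring come out as weaknesses both sides agree on, while the control environment is rated highly by management and poorly by staff; that disagreement is exactly the condition the text singles out as raising business risk, so it is ranked ahead of the merely mixed result for information and communication.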


It is necessary to determine the nature of a reportable condition and identify the most important control issues for executive and line management. The best way to make this determination is to ask executive and line management separately to describe situations that have caused, or are likely to cause, an error, omission, or irregularity of such significance that immediate corrective action would be needed to mitigate the business risk and potential damage to the organization. A reassessment of business risk can then be made based on whether or not executive management and line management are in agreement. Again, if there is general agreement, risk is lowered because there is both communication and consensus. Disagreement indicates potentially higher risk because it may impact negatively on control environment and risk assessment issues.


At this point in the process, the internal auditors have determined the strengths and weaknesses of the system; whether or not line management and staff are in agreement as to the state of control; the criteria for reportable conditions; and whether or not executive management and line management concur with regard to the most important control issues and concerns.

However, the internal auditors now must address the question of whether they have been misled during the interviews or focus group sessions. In order to confirm the testimonial evidence, documentary evidence or some other form of independent corroboration must be obtained. Depending on the circumstances and time frame, the following strategies may be effective:

* Interview customers and suppliers of the unit under review to identify problems and successes.

* Evaluate written policies and procedures.

* Take statistical or judgment samples for attribute or variables testing.

* Identify industry standards or best practices for the type of operation under review.

* Use written procedures to prepare process flow charts, identify key control points, and test for evidence of the presence of control.

These corroboration activities, in conjunction with the previously obtained testimonial evidence, enable the auditor to:

1 Confirm the presence and effectiveness of identified strengths in each of the control components.

2 Confirm the weaknesses in each of the control components.

3 Determine whether significant weaknesses are counter-balanced or mitigated by any outside, independent controls.

4 Determine, where strengths have not been confirmed and where weaknesses are not independently balanced, whether or not any reportable conditions have occurred.


If reportable conditions have occurred, further assessment is necessary. Where they have been identified and corrected in the course of normal business operations, and not allowed to become persistent or pervasive, there is a strong likelihood that all five components of control are present and effective. In this case, executive management can be reasonably sure that business objectives can be attained, and that future reportable conditions are likely to be detected and corrected in the course of normal operations.

On the other hand, operations are not under control when reportable conditions:

* Have occurred and gone undetected.

* Are persistent, as evidenced by their appearance in current and prior periods or elsewhere in the organization.

* Are pervasive, thereby seriously imperiling the safeguarding of assets.

* Have seriously jeopardized the achievement of operating, reporting, or compliance objectives.

If reportable conditions are discovered during the audit that have not been detected and corrected in the course of normal operations, or if one or more of the control components is absent or seriously flawed, then reasonable assurance is highly suspect. It would be unlikely that a reportable condition would be detected and readily corrected under such circumstances.


Depending on the situation, the final step will be either to identify actions needed to correct material deficiencies, or to identify improvement opportunities for correcting non-material deficiencies and improving system strengths. The most efficient and effective way to identify such actions is through auditor-directed focus groups, since those involved in the process are generally better informed and better positioned to develop workable solutions than the auditor, whose exposure to the operational issues is often limited. Use of such groups partners the control expertise of the auditor with the operational expertise of the auditee.


Anyone who has ever been involved in a difficult decision-making process will recognize the advantages of the COSO-based approach, and the possible disadvantages of the traditional audit approach. The COSO-based method can produce a comprehensive and balanced picture of the entire control system in a relatively short period of time. More importantly, significant issues can be diagnosed in a collegial manner, enabling management to focus on finding solutions rather than fixing blame. In the end, the COSO-based audit process offers internal auditors the opportunity to move their organizations along the continuum from imperfect to perfect control in a constructive way, thus helping to ensure continued organizational health and well-being.


[Figure: Typical COSO Questions for an Audit of Cash Receipts]

[Author note]
MARK R. SIMMONS, CIA, CFE, is the Internal Auditor for Rensselaer Polytechnic Institute (RPI) in Troy, New York. He can be reached via his website at http.//