The COSO Model: How IT Auditors Can Use It to Evaluate the Effectiveness of Internal Controls

By Tommie Singleton, CISA
Volume 6, 2007

In the vol. 1, 2006, issue of this Journal, the IT Audit Basics column focused on the pervasive usefulness of Control Objectives for Information and related Technology (COBIT) in performing the various duties of the information technology (IT) auditor, especially in light of the scandals of the last 10 years. In recent years, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model of internal controls has not only received attention, but has also been applied in the auditing profession with increasing frequency. This article focuses on how the IT auditor can effectively apply the COSO model to help fulfill the obligations of recent standards, especially those included in the Risk Suite[1] auditing standards from the American Institute of Certified Public Accountants (AICPA).[2]

Brief History of COSO

In the 1980s, the US economy suffered several scandals related to savings and loan associations (S&Ls). Public opinion and interested legislators led the way in demanding changes to prevent those kinds of catastrophes from occurring again. As a result, the National Commission on Fraudulent Financial Reporting was formed in 1985 to study the causal factors that can lead to financial frauds, and to develop recommendations for public companies, independent auditors, the US Securities and Exchange Commission (SEC), other regulators and educational institutions.[3] The commission was chaired by James C. Treadway Jr.

Figure 1

COSO was formed the same year to sponsor the work of what became commonly referred to as the Treadway Commission. COSO's sponsors were (and remain) the American Accounting Association (AAA), the Institute of Management Accountants (IMA), the Institute of Internal Auditors (IIA), AICPA and Financial Executives International (FEI).

One of the major conclusions of the commission was that the best way to prevent major financial frauds was to improve internal controls.

COSO developed a model of internal controls, promulgated it among members of the various stakeholder organizations and, in 1992, published what is now referred to as the COSO Model of Internal Control (see figure 1). That effort was soon recognized as valuable: in 1995 AICPA incorporated the COSO model into Statement on Auditing Standards (SAS) No. 78, "Consideration of Internal Control in a Financial Statement Audit." Thus, it became a part of the technical literature for financial auditors.

Recent Relevant Events

But the importance of the COSO model did not stop there. Recent events have made the model even more significant.

Sarbanes-Oxley Section 404

With the passage of the Sarbanes-Oxley Act in the US in July 2002, publicly traded companies had to comply with section 404, which requires management to evaluate internal controls over financial reporting every year and requires financial auditors to opine on that evaluation. Everyone concerned wondered how that process would be standardized and whether the SEC or the Public Company Accounting Oversight Board (PCAOB), created by the Sarbanes-Oxley Act, would require some standard model or benchmark for evaluating controls.

Auditing Standard No. 2

PCAOB had been given responsibility for setting auditing standards for audits of public companies and began to issue its own. The existing AICPA auditing standards were carried forward as interim standards, and the first numbered PCAOB standard, Auditing Standard (AS) No. 1, dealt with references to PCAOB standards in auditors' reports. The second, AS2,[4] was approved in June 2004 and addressed the issue of complying with Sarbanes-Oxley section 404. In it, PCAOB identified the COSO model as a suitable framework for evaluating and reporting on internal controls. Thus, AS2 entrenched the COSO model as a tool that auditors, internal and external, needed to understand, especially in applying it to section 404 evaluations of internal controls.

SAS No. 109

AICPA issued SAS No. 109, "Understanding the Entity and Its Environment, and Assessing the Risks of Material Misstatement," in 2006, once again showing the importance placed on COSO and its perceived value in evaluating internal controls. In it, financial auditors are required to evaluate internal controls, especially those related to IT, those that are an integral part of information systems (IS), and those related to the "entity and its environment." SAS No. 109 is effective with fiscal years beginning on or after 15 December 2006.

In SAS No. 109, appendix B adds guidance on how to apply the standard and uses the COSO model to develop audit procedures, applicable questions and other information useful for developing audit procedures to comply with this standard.

In practice, financial audits need to include someone capable of complying with this standard, and that is most likely going to be an IT auditor or Certified Information Systems Auditor (CISA). Therefore, it is important for the IT auditor to understand the COSO model and, most of all, to be able to apply it in a financial audit when evaluating internal controls.

COSO Model of Internal Controls

COSO defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) compliance with applicable laws and regulations." The COSO Model of Internal Control uses five elements (components) of internal control: control environment, risk assessment, information and communication, control activities, and monitoring.

Control Environment

What is the risk of material misstatement occurring within the current entity and its environment?

The control environment element is a view of internal controls from the entity's perspective, including both the environment it creates for business processes and controls internally, and the influences of its external environment on its ability to establish and/or maintain an effective system of internal controls. The risks associated with the control environment can be evaluated by looking at factors such as:

  • Communication and enforcement of integrity and ethical values
  • Commitment to competence
  • Participation of those charged with governance
  • Management’s philosophy and style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resource policies and practices
  • Industry factors

Thinking about this element of the COSO model alongside auditors' obligations under SAS No. 109 is valuable to financial auditors. Financial auditors are required to gain an understanding of the "entity and its environment" to ascertain the risk of material misstatement associated with that aspect of the financial statements, and the COSO model is an extremely valuable tool for complying with this standard.

Risk Assessment

Has the entity made an effective effort to identify areas of risk that would allow a material misstatement to occur?

The risk assessment aspect of COSO, in general, refers to the entity's ability to properly assess risks and, for major ("significant") risks, mitigate them to an acceptable level using controls. Events that typically introduce new risk to the entity, and therefore areas where controls and/or procedures should be developed so that the entity's system of controls is positively affected, include:

  • Changes in operating environment
  • New personnel
  • New or revamped information systems
  • Rapid growth
  • New information technology employed
  • New business models, products or activities
  • Corporate restructurings
  • Expanded foreign operations
  • New accounting pronouncements

If the entity’s management and/or board are not active in assessing and mitigating risks, this aspect of the control system would be defective to some degree.

Information and Communication

Does the entity have sufficient controls to ensure the timely and proper notification of a material misstatement if and when one occurs?

Financial reporting information not only should be reliable, but should also be communicated accurately and in a timely manner to managers and decision makers. Therefore, in general, this aspect of controls deals with the effective communication and relay of information from the financial reporting systems, and the controls that make those activities effective. The risks associated with information and communication can be evaluated by looking at:

  • Systems to support the identification, capture and exchange of information in a form and time frame that enable personnel to carry out their responsibilities
  • Financial reporting information
  • Internal control information
  • Internal communication
  • External communication

Control Activities

Are there sufficient controls that, in the aggregate, effectively mitigate the risk of a material misstatement in the financial statements to an acceptable level?

Control activities are the actual controls themselves. Areas to consider when evaluating control activities include:

  • General controls:
    • Policies and procedures related to the service/product provided
    • Controls over support (especially computer systems and operations, networks, etc.)
    • Changes to systems associated with core business processes
    • Environmental security
    • Application development, maintenance and documentation
    • Information security
    • Disaster recovery/business recovery
  • Application controls:
    • Tests of control
    • Controls embedded in various applications to satisfy management’s policies and procedures for carrying out business processes
  • Physical controls:
    • Authorization of service instance
    • Segregation of duties (if applicable, IT personnel too)
    • Supervision
    • Audit trails
    • Access controls to systems and data
    • Independent verification (performance reports, independent reviews, audits, error logs, etc.)

Controls are evaluated at three levels: design effectiveness, implementation and operational effectiveness.

Design effectiveness relates to the ability of the control to mitigate risks and provide adequate controls over a certain business process or to ensure that policies are enforced within business processes. The control should be able to detect a material misstatement or error in a timely manner.

The second level is whether the control has actually been implemented. It is possible to determine the implementation via a walk-through. SAS No. 109 recommends such a procedure to make that determination.

The third level is whether, on a continuing basis, the control is actually performing as designed (i.e., operating effectiveness). Traditionally, financial and IT auditors have used tests of controls to make this determination. This level is also the subject of the fifth element, monitoring.

Controls are also categorized by the area or aspect of the entity they address: general controls, application controls and physical controls. General controls are controls that broadly affect the computer systems (information systems) and information technologies the entity employs in performing the functions (business processes) associated with financial reporting. Application controls are computer controls embedded within technologies and systems that are intended to ensure that policies and procedures are carried out within the business processes. Physical controls, such as segregation of duties, supervision, audit trails and access controls, govern who may initiate, approve and review transactions.

Monitoring

Does the entity have a system of monitoring activities to continuously evaluate and improve the effectiveness of its internal controls?

Monitoring, as mentioned previously, refers to the entity's ability to monitor the effectiveness of controls as they operate daily, individually and in cooperation with other controls. The risks associated with monitoring of control effectiveness can be evaluated by looking at:

  • Ongoing and separate evaluations on internal controls over financial reporting
  • Identifying and reporting deficiencies
  • Assessing the quality of internal control performance over time
  • Putting procedures in place to modify the control system as needed (add, change, delete)
  • Ensuring effective management review of control system status
  • Checking for the absence of monitoring systems, which tends to allow people to reduce vigilance on controls
  • Utilizing relevant external information or independent monitors
  • Analyzing control objectives and their related control activities
  • Reviewing changes to controls since the date of the last report or within the last 12 months

Conclusion

It is imperative in the IT audit environment, this year and beyond, that IT auditors know how to apply the COSO model of internal controls. This involves not only an understanding of the components and other aspects of the model, such as the cross-sectional approach to business units, but also knowing how to develop meaningful and effective audit procedures, such as inquiries or observation, from the COSO model.

Endnotes

[1] Statements on Auditing Standards Nos. 104-111 are generally referred to by the term "Risk Suite."

[2] This article should be taken in the context of the IT Audit Basics column in vol. 1, 2006. Please consider reviewing it while reading this article.

[3] Much of this paragraph was taken from the COSO web site, www.coso.org.

[4] Recently, PCAOB released AS5 to replace AS2, but the importance of COSO in complying with AS5 is the same as it was in AS2.

Author’s Note

In the next issue, the author will further develop this topic with a practical framework for applying COSO to the new risk-based financial audits.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25˘ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

