The COSO Model: How IT Auditors Can Use It to Measure the Effectiveness of Internal Controls (Part 2)

By Tommie Singleton, CISA
Volume 1, 2008


In volume 6, 2007, of the Information Systems Control Journal, the IT Audit Basics column began a two-part article on how to apply the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model of internal controls to financial audits by information technology (IT) auditors. The first part of the article covered the five elements of the COSO model. This part will focus on how to apply the COSO model in evaluating internal controls to fulfill responsibilities in the new Risk Suite auditing standards from the American Institute of Certified Public Accountants (AICPA).

How to Evaluate the Level of Risk

Before applying the COSO model to the evaluation of internal controls, it is beneficial to review the two-step process that auditors use in risk assessment. IT audits consist of audit procedures directed at questions or objectives developed in relationship to the goal, which in this context is reliable financial reporting. The end result, in the case of the Risk Suite standards, is an overall evaluation of the controls and their effectiveness in mitigating the risk of a material misstatement in the financial reports.

The first step is to develop procedures that provide information and/or evidence to assist the auditor in identifying or clarifying areas of risk. The procedures in this phase provide evidence to the IT auditor as to the presence of risks in certain areas of interest, e.g., the control environment (COSO), the entity and its environment (Statement on Auditing Standards [SAS] No. 109) or a business process (most likely to be associated with the control activities element of the COSO model).

Once an area of nontrivial risk has been identified, the level of risk must be assessed, i.e., how much risk exists in this area. This is the second step. For simplicity's sake, suppose the IT auditor uses high, medium and low as measures of risk. What factors determine the level of risk that exists in the circumstances related to the area of interest, either as more or less risk, or as a high, medium or low level of risk? What would cause the IT auditor to evaluate the controls as effective in reducing the risk in the area of interest to an acceptable level? The more problems that exist with ineffective, missing or weak controls, the more likely it is that the IT auditor will assess a higher level of risk. Conversely, the more an entity effectively applies relevant best practices, the more likely it is that the IT auditor will assess a lower level of risk.

Often an audit procedure is helpful in performing the first step, identification, but is not necessarily beneficial in performing the second, assessing the level of risk that actually exists. In such cases, the auditor must develop other procedures to provide evidence of the level of risk (an illustration follows in the next section).

How to Apply the COSO Model to IT Audit Procedures

The COSO model provides some areas of interest (or objectives) that will likely be relevant to an IT audit of internal controls. These areas are divided into five topics (elements of COSO) with potential subtopics under each element.1 For example, a topic of interest for internal controls in general is the control environment (COSO). A subtopic under that element is "communication and enforcement of integrity and ethical values."

While not all aspects of each of the five elements will be illustrated here, a couple of specific illustrations follow.

One area of the COSO model that is directly applicable to the Risk Suite standards is the control environment.2 The Risk Suite refers to the "entity and its environment, including internal controls"3 as the object of the risk assessment procedures that precede the development of the audit plan in a financial audit. For practical purposes, the two concepts are virtually the same thing.

The overall objective of this evaluation is to determine whether a specific control environment has the ability to establish and maintain an effective system of internal controls over financial reporting. The objective of the risk assessment procedures is to identify risks associated with the controls related to the development, management, monitoring and reporting of both those controls and the financial reporting information. Reporting about the information used in strategic activities should be made to the highest level of the entity.

The first subtopic listed under the control environment of the COSO model is "communication and enforcement of integrity and ethical values." The IT auditor must determine if the entity being audited has a risk in this subtopic area. To make that determination, the IT auditor must develop audit procedures to provide information and/or evidence. The particular audit procedures are contingent upon circumstances and information specific to each entity.

An example of an audit procedure for this subtopic would be to obtain a copy of the written code of ethics, if one exists. If none exists, the auditor could reasonably treat this area as having more risk. Regardless of whether a written code of ethics exists, the IT auditor should develop other audit procedures to complete his/her identification of risk in this area. These procedures could include determining:

  • If ethics are covered in employee training or orientation
  • If documentation of ethics violations exists
  • If the ethics policy was enforced when violations did occur
  • If a person or group is responsible for ethics enforcement (and his/her/their effectiveness)

One way to test the effectiveness of ethics communication in an entity is to informally approach an average employee and casually ask him/her whether a certain situation would be an ethical violation for the entity, or what he/she would do upon discovering an ethical violation. The answers confirm (or fail to confirm) that the policy has actually been communicated, not merely written.

This scenario also illustrates the two-phase approach to risk and the evaluation of internal controls. The presence of a written code of ethics provides some evidence to the IT auditor that the entity has done something to address risks associated with ethics (the first step, identifying and clarifying risks), but provides little value in assessing the level of risk. A written ethics policy may have little effect on reducing risk if the entity has no communication or enforcement plans in place. If evidence shows that the policy is discussed at employee orientation and that employees sign a copy of the policy agreeing to adhere to it, this provides evidence that can be used to assess the level of risk (usually lowering it somewhat). If documentation shows that employees who violated the ethics policy were administratively subjected to the consequences of those violations, that information provides greater value in assessing the level of risk (probably lowering it substantially). In other words, different audit procedures can be more or less effective in determining the level of risk, and the procedures that produce evidence of enforcement carry the most weight.

In the risk assessment element of COSO, IT auditors are seeking evidence that the executive level of the entity properly identifies and assesses the level of significant risks.

Is it possible for an IT project to get out of control without the executives and/or board of directors being able to understand or recognize the importance of the issue or the impact it could have on financial reporting? Is it possible for a large IT project to be so poorly managed that overruns are in the millions, and the overrun is in fact greater than the level of materiality for the balance sheet? If so, executive management might not recognize the significance of the overrun. In fact, the IT staff members probably would not see a material impairment, and it is possible that the overrun could escape the attention of financial auditors if they do not understand IT and project management. This circumstance is most likely to occur where best practices of project management are not implemented and no IT governance exists.

While much more could be written on applying the COSO model, the two examples above illustrate how to apply COSO to the Risk Suite standards and the usefulness of COSO for evaluating internal controls.

Conclusion

The IT auditor will rely heavily on reviews of policies and procedures in fulfilling responsibilities related to the Risk Suite standards. The IT auditor wants assurance that executive management has a strategic view of internal controls and actually uses them. That begins with policies and procedures, and extends through monitoring (COSO) and decision making related to financial reporting and internal controls (e.g., who the expert in internal controls is, and how that expertise makes its way into applications and core business processes).

The IT auditor will also balance all of the evidence in making that final overall evaluation of the level of risk in the five areas of the COSO model. Even within the model, strengths in certain elements may mitigate weaknesses in other elements.

Overall, it seems plausible that an IT auditor can effectively use the COSO model of internal controls to assess the effectiveness of internal controls and their ability to mitigate the risk of material misstatement in financial reports.

Endnotes

1 Refer to the IT Audit Basics column in volume 6, 2007, of this Journal for details on the COSO model. Figures are provided in that article listing some possible subtopics under each element. For more information, visit the official COSO web site (www.coso.org).

2 In the IT Audit Basics column in volume 4, 2007, there were a few sets of best practices described to assist IT auditors in the evaluation of internal controls associated with the Risk Suite standards. In the volume 5, 2007, column, the best practices of IT governance were used to demonstrate how to evaluate the "entity and its environment," which is the term from the Risk Suite.

3 This phrase is used repeatedly in materials associated with the Risk Suite standards, but especially in SAS No. 109.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.