Risk based internal auditing

What is Risk Based Internal Auditing? COSO Audit program
Home 1 RBIA Introduction 2 RBIA Compiling an RAU  3 RBIA Implementation  4 RBIA Audit Manual RBIA Audit programs  COSO Audit program auditnet.org users Internal auditing Links introduction

RBIA resources - COSO audit program

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations, including the IIA. It issued a documentInternal Control–Integrated Framework' in May 2013 which is an update of a document issued in 1992. To support this document it also issued ‘Illustrative Tools for Assessing Effectiveness of a System of Internal Control' which contains three templates to summarise findings. The framework is an important document which was issued as a draft in 2012.

Since the implementation an integrated framework of internal control is a requirement of COSO, it needs to be included as an objective of a US organisation (or ‘entity' to use COSO's term) and therefore has to be included in the Risk and Audit Universe (RAU).  The audit program spreadsheet and mindmap are extracts from this risk and audit universe (Book 2 - ‘Compiling a risk and audit universe’ for details). They are examples only, you must obtain the final version of the framework, apply it to your own entity and update the program.

I have used the 2012 draft (because I am too mean to buy the final document) and I have included it in the RAU and audit program as follows:

1. In Objective level 1 ‘Establish strategies for delivering the objectives' and Risk level 1 ‘Uncontrolled risks threaten the achievement of objectives' set up Objective' level 2 as ‘Establish an internal control framework (COSO)'.

2. There are 17 ‘principles' in the Framework and I have set these up as level 3 objectives. There are no risks identified, so I have made some suggestions.

3. Each of the principles has ‘attributes' attached, which link with paragraphs in the framework narrative. I have taken these attributes as controls, although they are inevitably non-specific. The ‘Illustrative Tools' document has forms (‘Principle evaluation templates') for inserting the controls in action in order to assess whether there are deficiencies in achieving the attribute. This should be done after testing.

4.  I have then suggested tests which might be used to check that the attribute ‘control' is operating, after reference to the appropriate paragraphs in the narrative.

5. Tests fall into one or more of the following categories:

‘One-off tests' done as part of a specific audit to look at the correct operation of a principle. For example, a test to ensure that the board have carried out a risk assessment for the top level of the entity or published a code of conduct

Tests done as part of an audit which include some specific COSO attributes. For an example, an audit of HR to look at instructions about including the performance of internal controls as a personal target.

Tests done as part of every audit, which provide evidence about compliance with a COSO attribute. For example, ensuring that management have carried out a risk assessment on their objectives and have identified the controls necessary. As part of the audit opinion, compliance with particular COSO principles can be confirmed, or not, depending on the audit findings.

The first two types of test can be identified as part of a specific audit. The last type of test will appear in most audit programs as a 'COSO' test. Internal control deficiencies will be recorded on the '4 Summary of deficiencies template'. Each audit will provide information to complete '3 Principle Evaluation Templates' for some attributes, which can be used to update '2 Component evaluation templates'. By the end of the year the '2 Component evaluation templates' must be sufficiently detailed to complete the '1 Overall assessment of internal control template'.

The compilation of a risk register is an essential part of Principle 7 ('Identifies and analyzes risk'). The COSO website (coso.org/guidance.htm) has useful guidance on setting up a risk register (also known as an Enterprise Risk Management (ERM) Framework).

In particular: Embracing Enterprise Risk Management: Practical Approaches for Getting Started. (2011) (http://www.coso.org/documents/EmbracingERM-GettingStartedforWebPostingDec110_000.pdf)

COSO audit program COSO mind map

You may need to scroll down the page