Struggling to incorporate the COSO recommendations into your audit process? Here's one audit shop's winning strategy.
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a landmark report on internal control. Internal Control - Integrated Framework, which is often referred to as "COSO," provides a sound basis for establishing internal control systems and determining their effectiveness.
Following the report's publication, The Boeing Company adopted the COSO principles partly as the basis for its internal control policies and procedures. As a result, our internal audit department began to rate the quality of internal controls covered in each audit.
We soon discovered that incorporating these standards into actual practice proved challenging. While informative, our ratings were mostly subjective, lacking the systematic analysis and documented support normally reflected in our reports. To achieve a higher quality result, we reengineered our existing audit methodology (from inception, through fieldwork, to final reporting) to fit the COSO framework.
Our effort was a success. No longer incidental to our processes, COSO now provides the foundation for all our audit work.
THE APPROACH
Our integration of COSO into the audit process is similar to one described in The IIA Research Foundation report, The Internal Auditor's Role in Management Reporting on Internal Control. The report suggests that audit results be cataloged in terms of the COSO framework and that this information be utilized in top-level reports to management and the board of directors. Our approach builds on some of these concepts by incorporating COSO criteria into each stage of the audit process.
According to COSO, the three primary objectives of an internal control system are to ensure (1) efficient and effective operations, (2) accurate financial reporting, and (3) compliance with laws and regulations. The report also outlines five essential components of an effective internal control system:
* THE CONTROL ENVIRONMENT, which establishes the foundation for the internal control system by providing fundamental discipline and structure.
* RISK ASSESSMENT, which involves the identification and analysis by management (not the internal auditor) of relevant risks to achieving predetermined objectives.
* CONTROL ACTIVITIES, or the policies, procedures, and practices that ensure management objectives are achieved and risk mitigation strategies are carried out.
* INFORMATION AND COMMUNICATION, which support all other control components by communicating control responsibilities...