Internal Controls Fundamentals: COSO Framework
4.1 IMPORTANCE OF EFFECTIVE INTERNAL CONTROLS
Internal control is the most important and fundamental concept that an internal auditor must understand. An internal auditor reviews both operational and financial areas of the organization with an objective of evaluating their internal controls. Virtually all internal audit procedures focus on some form of this evaluation of internal controls. While internal auditors generally have a good understanding of what is meant by internal controls, others may respond to a “can you define good internal controls?” question with answers along the lines of one or more characterizations:
• Good internal controls mean everything is well documented—which is a correct answer.
• Good internal controls mean strong security processes—correct again.
• Good internal controls mean the debits equal the credits—also true.
Although many professionals use the term, they often have to step back and think about it when asked for a definition. Yet, internal controls are a positive set of general procedures necessary for all well-managed and well-functioning business systems. A common textbook application of internal control is:
Internal control comprises the plan of organization and all of the coordinate methods adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies. This definition recognizes that a system of internal control extends beyond those matters which relate directly to the functions of the accounting and financial departments.
That long and rather academic-sounding definition says that a system or process has good internal controls if it (1) accomplishes its stated mission, (2) produces accurate and reliable data, (3) complies with applicable laws and organization policies, (4) provides for economical and efficient uses of resources, and (5) provides for appropriate safeguarding of assets. All members of the organization are responsible for the internal controls in their area of operation and for making those internal controls function.
Lawrence (Larry) Sawyer, a contemporary of Vic Brink and a founder, with Brink, of the profession of internal auditing, has called control evaluations the auditor’s “open sesame.”1 That is, an internal auditor’s skills in assessing the internal controls in operation for various specialized areas of an organization will open doors to an internal auditor throughout the organization. The examination and appraisal of internal controls are normally components, either directly or indirectly, of every type of internal auditing assignment. An internal auditor’s special competence in the control-evaluation area justifies reviews covering a wide range of operational activities, even though the auditor may not possess specialized knowledge about the operational details surrounding those activities.
The chapter discusses the fundamentals of internal controls both from some very basic definitions of control systems and with some background on how we have arrived at what is called the COSO internal controls framework. An understanding of that internal control framework is essential for achieving the Section 404 internal control requirements of the Sarbanes-Oxley Act (SOA) as will be discussed in greater detail in Chapter 6, “Evaluating Internal Controls: Section 404 Assessments.” Another COSO-related framework is its Enterprise Risk Module (ERM). ERM is sometimes mistakenly described as an updated version of COSO and will be discussed in Chapter 5, “Understanding and Assessing Risks: Enterprise Risk Management.”
4.2 FUNDAMENTALS OF INTERNAL CONTROLS
To effectively review internal controls, an internal auditor needs to have a good basic understanding of the nature of controls, a definition of a control system, as well as the overall concept of the types and nature of an organization’s operating internal control processes. The first of these two concepts, the idea of a control system, is perhaps the easier. This concept goes back to the basic principles of mechanical and paperwork procedures that exist throughout one’s everyday life. Control systems are necessary for all areas of activity, both inside and outside today’s organization, and the concepts and principles used are the same no matter where the control system is encountered. The automobile can provide a good analogy of a control system. When the accelerator is pressed, the automobile goes faster. When the brake is pressed, the automobile slows or stops. When the steering wheel is turned, the vehicle turns. The driver controls the automobile. If the driver does not use the accelerator, brake, or steering wheel properly, the automobile will operate out of control.
An organization is similar to an automobile. There are a variety of systems at work, such as the manufacturing and sales processes, information systems, and accounting operations. If management does not operate or direct these systems or process components properly, the organization may operate out of control. The effective control of an organization, of course, is much more complicated, but a significant failure of one or another component can cause the entire organization to operate out of control. An internal auditor should first develop an understanding of these control systems and then assess them to determine if the components of the system are properly connected and if management is properly operating the controls that allow it to manage the system. This type of system or process is often referred to as the organization’s system of internal controls.
Internal auditors are often called on to describe control systems to their management and to convince them of the importance of controls even when management may have other priorities. An internal auditor must be a spokesperson for the importance of internal controls, but to be effective, must have a good understanding of basic internal control objectives and components. The purpose of any control system is to attain or maintain a desired state or condition. The system of internal control should be able to satisfy various objectives established by management for that control area. A basic control system has four elements:
1. Detector or Sensor Element. There must be some type of measuring