A quantitative assessment of internal controls: internal auditors can fortify their assurance efforts by implementing a systematic, framework-based approach to control reviews
Internal Auditor, April, 2005 by William E. Perry, H.C. "Pete" Warner
THE SWEEPING CHANGES TO U.S. ACCOUNTING LAW over the last few years have focused considerable attention on the importance of maintaining effective systems of internal control. Specifically, Section 404 of the U.S. Sarbanes-Oxley Act of 2002 requires chief executive officers (CEOs) and chief financial officers (CFOs) to attest to internal control adequacy, with steep consequences for noncompliance. Even executives at organizations not governed by Sarbanes-Oxley typically are required to provide their board of directors with assurance that controls are adequate.
One of the main challenges faced by executives responsible for attesting to the control system is determining the type of evidence needed to support their attestation. According to technology research firm AMR Research, U.S. corporations will spend more than $11 billion between 2004 and 2005 on Section 404 compliance. Moreover, AMR's research shows that companies are expending considerable resources to determine how to assess control adequacy. The results suggest that executive management is searching for a more substantive method for supporting adequacy certifications.
Although routine control assessments are an integral part of many audit departments' regular duties, auditors can provide enhanced comfort to management by taking their control work a step further and performing a quantitative assessment of internal controls. Quantitative assessments are designed to measure the level of confidence that can be placed on the internal control system's ability to perform effectively. Moreover, the assessment can serve as a road map that enables management to ascertain where control efforts are working and where additional attention might be needed.
Given their intimate knowledge of the company's internal controls and expertise in review processes, internal auditors are ideally equipped to develop and implement a quantitative assessment. Auditors can use the following steps to conduct a thorough, systematic assessment of the organization's control system. Although the quantitative approach does not provide a comprehensive answer to certification challenges, it can serve as a significant step toward helping management understand whether the company's internal controls are adequate.
1. CHOOSE THE RIGHT CONTROL FRAMEWORK
Before initiating assessment procedures, the organization needs to select an internal control framework to serve as a basis for its assessment. This framework should provide a representation of the internal control process. In the United States, the most widely accepted model for control is The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework. COSO broadly defines internal control as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations."
The Sarbanes-Oxley Act requires organizations subject to its provisions to follow an internal control framework. The U.S. Securities and Exchange Commission (SEC), accountable for enforcement of Sarbanes-Oxley, recognizes the COSO framework as an acceptable model for control. In fact, it is the only internal control framework cited by the SEC in its final rules regarding Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure Report--a report that applies to all filers subject to Sarbanes-Oxley. The commission stated that the COSO framework "satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements." Although the final rules do not mandate use of a particular framework, the SEC requires management to identify the evaluation framework used to assess the effectiveness of the company's internal control over financial reporting.
For organizations looking to develop a creditable scoring model for Sarbanes-Oxley purposes, COSO represents a logical choice. The remaining steps assume use of the COSO model as a basis for assessment.
2. DOCUMENT CONTROLS AGAINST THE SELECTED MODEL
The COSO model consists of five main components: control environment, risk assessment, control activities, information and communication, and monitoring (see "The COSO Model" on page 53 for a detailed description of individual components). When using COSO, organizations establish their control objectives along these components. Hence, the component-objectives structure can be used as a basis for documenting the organization's system of internal control.
Suppose, for instance, that the assessment team is conducting a review of COSO's "control environment" component. Documentation would need to include an overview of how the organization controls the overall business environment and how controls are designed and operated. For example, one area of objectives falling under control environment would be the organization's code of conduct. Specific objectives might include ensuring full, fair, accurate, and timely disclosure in the periodic reports; defining conflicts of interest; and complying with applicable governmental laws, rules, and regulations. In documenting the code of conduct control objective, three areas would need to be accounted for:


