A quantitative assessment of internal controls: internal auditors can fortify their assurance efforts by implementing a systematic, framework-based approach to control reviews

Internal Auditor, April, 2005 by William E. Perry, H.C. "Pete" Warner

* APPROACH -- The method used to identify and encourage compliance with the control. In the code of conduct example, the code itself might serve as the means for documentation.

* DEPLOYMENT -- How the organization disseminates the approach to the appropriate work units/individuals, including awareness and competency training.

* ASSESSMENT OF APPROACH EFFICACY -- Primarily involves communications and monitoring to ensure that the deployed approach is being executed in accordance with management's desires and that any exceptions are documented correctly and reported to an appropriate individual/work unit in the organization.

These areas would apply to documentation of all control objectives across the five COSO components.

The documentation of a specific control should be adequate to identify and substantiate the effectiveness of the control. Documenters should keep in mind that the controls established by management likely will include some clearly visible aspects, such as a formal corporate conduct policy statement and an internal audit function, as well as aspects that are intangible, such as assuring the competence and integrity of organizational personnel. Regardless of transparency, each control needs to be identified (documented), the approach to achievement described, the deployment measurable and monitored, and the results from monitoring reported. Furthermore, a specific action plan must be developed and implemented for each control.

Because of their familiarity with business areas throughout the organization, internal auditors are particularly well-suited to the task of documenting internal controls against the assessment model. Auditors are ideally positioned to assess the completeness of the assessment documentation and ensure it is representative of the organization's system of internal control. Moreover, internal auditing's independence can help ensure an objective assessment.

3. DEVELOP A QUANTITATIVE SCORING PROCESS

There are two key elements of quantitative scoring: establishing how the maximum score will be allocated within the model and determining what percentage of the total allocated score to award each control objective. To determine maximum score allocation, those performing the assessment first need to refer to the scoring model--in this case, the COSO framework. The assessment team can use the five COSO components as the basis for its overall allocation. That is, if the maximum score allowable were 1,000 points, then that amount would need to be allocated among each of the five components.

The specific proportion allotted to each component can be determined, in part, through the COSO framework itself. Internal Control-Integrated Framework provides insight into the importance of the five internal control components in relation to each other (the pyramid graphic in "The COSO Model," page 53, provides a graphic representation of relative component importance). In addition, those performing the assessment should apply their own experience with and knowledge of internal controls and use this in conjunction with the COSO guidance. For example, if the experience of those performing the assessment indicates that environmental controls are more important than detailed business application controls, then the environmental control component of the COSO framework likely would be allocated the largest percentage of scoring points.