
XYZ CORPORATION

INTERNAL AUDIT
PLANNING FOR THE 20xx
PLAN YEAR AND BEYOND
Internal Controls 101
Prepared By:
Name and Title
File: AP Internal Controls 101

I/C 101 BRIEF
• Purpose:
– To provide a perspective on what Internal Control (I/C) is, and is not, and on how Internal Audit
(IA) will view Internal Controls within the XYZ organizational environment. This will include:
• Aspects of the Sarbanes-Oxley Act (SOX).
• Aspects of the Committee of Sponsoring Organizations (COSO) I/C components.
• Good common and business sense.

• What is I/C? Per COSO, a process, effected by an entity’s Governing Body,
Management and other personnel, designed to provide reasonable assurance that
the following objectives are being met: effectiveness and efficiency/economy of
operations (i.e., Performance), Reliability of Financial Reports, Compliance with Laws
and Regulations, and Safeguarding of Assets.
– Performance:
• Effectiveness: a positive end result (e.g. the carpet and floors are kept clean and sanitary).
• Efficiency: the ratio of output to input (e.g. it costs $xx per square foot {input} to clean and sanitize carpets
and flooring {output}).
• Economy: drives the efficiency judgement (e.g. based upon cost comparisons/benchmarks, the above cost per
square foot may or may not be economical, and therefore, efficient).
• Effectiveness and efficiency are related but are not synonyms.

I/C 101 BRIEF
• What is I/C (Continued)?
– Financial Reliability:
• Accurate, complete, factual, etc.
– GAAP.
– From digitized data element capture through to Financial Statement presentation; both within
XYZ and as reported outside
– Compliance with Laws and Regulations.
• A myriad of them, no doubt.
– Safeguarding of Assets: so important in the public sector.
• Who wants to know about I/C adequacy?
– You do, as the Governing Body, the Audit Committee and key XYZ Committees.
– The State’s CFO and Auditor General.
– Your CPA Auditors.
– Your Management Team.
– Your customers and stakeholders.
– All other Business Process Owners, the general public and interested parties.
– Bottom line: everyone should.

I/C 101 BRIEF
• Who is responsible (i.e., answers the question of “why” the preceding group is keenly
interested in I/C adequacy)?
– Governing Body/Management Team: directly responsible for the adequacy of I/C, including effectiveness
and efficiency of operations, compliance with laws and regulations, and financial statement reliability.
– Internal Audit: assists the above responsible parties in the effective discharge of those responsibilities.
• In like manner, others assist in this respect, including outside consultants, vendors, etc.
• Why is so much attention placed on I/C?
– Because, when things go wrong, the root cause many times is that the I/C was either non-existent, weak,
not complied with, or given lip service due to expediency, etc.
– Aspects of I/C that illustrate the above. IA will illustrate a Control Procedure in the following hypothetical
manner:
• Accuracy. Is it mathematically accurate? E.g. does the Daily Sales Report accurately depict the actual cash and checks
received and deposited?
• Population. Do we have all that we need to have? E.g. do we have all the Daily Sales Reports that we are supposed to
have? Simply ensuring the accuracy of the Daily Sales Reports processed gives an incomplete I/C picture.
• Substance. Did the information on the Daily Sales Reports that were processed all trace through to General Ledger (G/L)
posting? I.e., the “substance” of things.
• Compliance. At strategic control points, are manual and automated controls in place to prevent or detect errors and
irregularities? E.g. did someone reconcile the Daily Sales Report to the actual monies received, prior to deposit? Did someone
compare the actual deposit back to the Daily Sales Report? Note: all compliance should be clearly documented by initials
or other suitable means.
– Types of I/C’s are:
• Preventive. These tend to prevent errors and irregularities from occurring. They also tend to be the most costly. E.g.
hiring employees with high integrity and honesty so that things tend to be done right the first time.
• Detective. These tend to detect errors and irregularities, usually after they have been input/processed. They can be both
manual and automated. E.g. is there an automated system control in place to match Daily Sales Report totals to their G/L
accounting distribution?
• Corrective. As the name implies, when an error or irregularity is detected, control measures can be taken to correct it.
• Missing or non-existent. If none of the above are present.
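The four control aspects above (accuracy, population, substance, compliance) map directly onto a detective control that can be automated. The following Python script is an added example, not part of the original deck or of any XYZ system; the record layout (report_no, cash, checks, reported_total, deposit_total, gl_posting_ref, reconciled_by) and the sample Daily Sales Reports are constructed for illustration. Each sample defect exercises exactly one aspect, so the output shows what an incomplete picture looks like when only accuracy is checked.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional


@dataclass
class DailySalesReport:
    """One Daily Sales Report (DSR). Field names are assumed for illustration."""
    report_no: int                    # pre-numbered form; drives the population check
    cash: Decimal
    checks: Decimal
    reported_total: Decimal           # total as written on the report
    deposit_total: Optional[Decimal]  # bank deposit slip total; None if no deposit located
    gl_posting_ref: Optional[str]     # G/L journal reference; None if not traced to a posting
    reconciled_by: str                # initials evidencing the pre-deposit reconciliation


@dataclass
class Findings:
    """Exceptions grouped by the four control aspects from the deck."""
    accuracy: list = field(default_factory=list)
    population: list = field(default_factory=list)
    substance: list = field(default_factory=list)
    compliance: list = field(default_factory=list)

    def total(self) -> int:
        return (len(self.accuracy) + len(self.population)
                + len(self.substance) + len(self.compliance))


def check_accuracy(r: DailySalesReport) -> list:
    """Accuracy: does the report foot, and does it agree to what was actually deposited?"""
    issues = []
    if r.cash + r.checks != r.reported_total:
        issues.append((r.report_no, f"cash {r.cash} + checks {r.checks} != reported total {r.reported_total}"))
    if r.deposit_total is None:
        issues.append((r.report_no, "no deposit slip located for this report"))
    elif r.deposit_total != r.reported_total:
        issues.append((r.report_no, f"deposit {r.deposit_total} != reported total {r.reported_total}"))
    return issues


def check_population(reports, first_no: int, last_no: int) -> list:
    """Population: is every pre-numbered report in the expected range on file, exactly once?"""
    seen = [r.report_no for r in reports]
    missing = [(n, "report not on file") for n in range(first_no, last_no + 1) if n not in seen]
    duplicates = [(n, "report appears more than once") for n in sorted(set(seen)) if seen.count(n) > 1]
    return missing + duplicates


def check_substance(r: DailySalesReport) -> list:
    """Substance: did the processed report actually trace through to a G/L posting?"""
    if not r.gl_posting_ref:
        return [(r.report_no, "no G/L posting reference; report did not trace to the ledger")]
    return []


def check_compliance(r: DailySalesReport) -> list:
    """Compliance: is performance of the pre-deposit reconciliation evidenced by initials?"""
    if not r.reconciled_by.strip():
        return [(r.report_no, "reconciliation not initialled; control performance undocumented")]
    return []


def evaluate(reports, first_no: int, last_no: int) -> Findings:
    """Run all four aspect checks over a batch of reports and group the exceptions."""
    f = Findings()
    f.population.extend(check_population(reports, first_no, last_no))
    for r in reports:
        f.accuracy.extend(check_accuracy(r))
        f.substance.extend(check_substance(r))
        f.compliance.extend(check_compliance(r))
    return f


D = Decimal
# Constructed sample: reports 101-105 expected; each defect exercises one aspect.
SAMPLE_REPORTS = [
    DailySalesReport(101, D("1200.00"), D("300.00"), D("1500.00"), D("1500.00"), "GJ-0412", "JD"),
    DailySalesReport(102, D("500.00"), D("250.00"), D("760.00"), D("760.00"), "GJ-0413", "JD"),  # does not foot
    # 103 is missing from the file altogether
    DailySalesReport(104, D("800.00"), D("0.00"), D("800.00"), D("800.00"), None, "MK"),          # never posted
    DailySalesReport(105, D("950.00"), D("50.00"), D("1000.00"), D("1000.00"), "GJ-0415", ""),    # not initialled
]

if __name__ == "__main__":
    findings = evaluate(SAMPLE_REPORTS, 101, 105)
    for aspect in ("accuracy", "population", "substance", "compliance"):
        for report_no, note in getattr(findings, aspect):
            print(f"{aspect:<10} DSR {report_no}: {note}")
```

Running the script lists one exception per aspect. Report 102 is the only one an accuracy-only review would catch; the missing report 103, the unposted report 104 and the un-initialled report 105 only surface because population, substance and compliance are tested as well.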

I/C 101 BRIEF
• History, explanation and potential use of COSO I/C components within XYZ
– Historical context.
• Formed as a voluntary private sector organization in 1985 to sponsor a National Commission (AKA the
Treadway Commission) on the causal factors leading to fraudulent financial reporting. The sponsoring organizations
were:
– American Institute of Certified Public Accountants (AICPA).
– Institute of Internal Auditors (IIA).
– American Accounting Association (AAA).
– Financial Executives International (FEI).
– Institute of Management Accountants (IMA).
• Current broad purpose: to improve the quality of financial reporting through business ethics, effective
internal controls, and corporate governance.
• Mandatory for SEC-registered companies, optional for all others at the present time.
– The five I/C components form a multidimensional approach:
• Control environment. Includes the Governing Body and Audit Committee, etc., and deals with
foundational areas such as ethics, integrity, code of conduct, values and levels of authority and
responsibility.
• Risk Assessment. Includes identifying and evaluating risks that may impact on achieving
organizational goals and objectives.
• Control Activities. Includes policy and procedures to ensure that actions are identified to address risks
and that these actions are carried out. Control activities may be identified during top level reviews,
functional/activity management reviews, information processing functions, physical controls, etc.
• Communications and information. Includes quality and reliability of information spanning across all
other I/C components, along with how information is communicated up and down the organization, as
well as across the organization.
• Monitoring. Includes how the organization ensures that I/C’s are continuously being complied with.

I/C 101 Brief
• History, explanation and potential use of COSO I/C … (Cont’d):
– As COSO’s broad purpose implies, from an organizational standpoint it is better to use a
multidimensional approach to determine the adequacy of I/C.
• Because of this, COSO is mandatory for SOX tests of I/C. Why? To reduce the likelihood of the
problems that led to the downfall of Enron, WorldCom, etc.
– So the question is whether, and to what extent, Internal Audit uses the SOX/COSO I/C approach
in testing and in the other matters previously presented to the Audit Committee. Answer:
• Internal Audit will use a modified COSO I/C approach, for audit testing purposes, when the situation
warrants one. In other words:
– IA will not tackle a full-blown SOX/COSO project from an XYZ organizational perspective; i.e., it is too large for a one-
person staff and, at XYZ, such an approach appears not to be top-down driven by the Governing Body, through the
Audit Committee, with Executive Management sanction.
» Examples of a quasi-government corporation using a modified SOX/COSO approach as sanctioned by its
governing body are the Tennessee Valley Authority, the University of Texas System and several other
State University Systems.
» IA knows of no quasi-government corporation using such an approach without a top-down mandate.
– IA will use this multidimensional approach, for audit testing purposes, when the project audit objective(s) warrants a
more broad approach. E.g. on a project by project basis, or within a project to accomplish audit objectives.
» It is apparent that the more I/C components are used to evaluate I/C adequacy, the more relevant and
meaningful the audit results will be. Put in other words: “the more credible evidence one gathers, the
stronger/more assured the verdict/conclusion it will support.” This assists the Governing Body in performing its
Governance function.
» Types of evidence that will be used include physical, documentary, analytical and testimonial.
– Think of COSO as I/C on “steroids” in a good way.

I/C 101 Brief
• Concluding thoughts and observations:
– Good I/C’s are keys to success.
– Good audit and financial management methodology will yield good audit results.
• May include developing the capability for Continuous Assurance Auditing (CAA), whose attributes
include the following:
– Installation of control-based monitors in automated systems to monitor selected I/C’s, which would be triggered if
results differed from an audit-defined limit or parameter.
– Production of audit results shortly after the actual occurrence of an event.
– Vendor-supplied software (e.g. ACL) and working closely with auditee clients to identify the I/C’s to monitor.
• May include developing the capability for implementing a Control Self Assessment (CSA) process,
whose attributes include the following:
– Having auditee clients monitor and report on the I/C’s and control processes that they are responsible for.
– Done either through interactive process, or through use of questionnaires, or both.
– The result, if done properly, is increased audit coverage for a small audit staff.
• For definition purposes, IA will use Auditable Activities or “AAs” for the activity(s), function(s) or
task(s) being audited.
• As appropriate, and based upon audit scope and objectives, there are other additional outputs that IA
may be able to derive. They are:
– Whether and to what extent the AA being audited properly safeguards its assets from loss, damage or
inappropriate use.
– Whether and to what extent the AA being audited is able to accomplish its goals.
– Whether and to what extent the AA being audited is providing quality customer service, and service delivery, to all
of its customers and stakeholders.
– Whether and to what extent the AA being audited is developing and maintaining staff competence and integrity.
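The Continuous Assurance Auditing attributes listed above (control-based monitors, audit-defined limits, results shortly after the event) can be sketched in code. The script below is an added example and is not part of the deck, of any XYZ system, or of any vendor product; the deposit event schema, the limit values and the sample event stream are constructed, and the monitor takes a clock function so that detection latency is reproducible in this illustration. It extends the deck's description slightly by also flagging a duplicate report number, a population-type exception the monitor sees for free.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class DepositEvent:
    """A deposit as recorded by the sales system (constructed sample schema)."""
    report_no: int
    report_date: datetime        # date of the Daily Sales Report
    deposit_date: datetime       # date the bank deposit was made
    reported_total: Decimal
    deposited_total: Decimal


@dataclass(frozen=True)
class ControlLimit:
    """An audit-defined parameter; the monitor fires when the predicate holds."""
    name: str
    predicate: Callable[[DepositEvent], bool]


@dataclass(frozen=True)
class Alert:
    limit: str
    report_no: int
    detected_at: datetime
    latency: timedelta           # time between the deposit and its detection


def audit_defined_limits(max_variance: Decimal, max_variance_pct: Decimal,
                         max_deposit_delay_days: int) -> List[ControlLimit]:
    """Build the monitor's limits from parameters set by Internal Audit (values are assumptions)."""
    return [
        ControlLimit("deposit variance exceeds absolute limit",
                     lambda e: abs(e.deposited_total - e.reported_total) > max_variance),
        ControlLimit("deposit variance exceeds percentage limit",
                     lambda e: abs(e.deposited_total - e.reported_total)
                     > e.reported_total * max_variance_pct / Decimal(100)),
        ControlLimit("deposit later than allowed",
                     lambda e: (e.deposit_date - e.report_date).days > max_deposit_delay_days),
    ]


class ContinuousAssuranceMonitor:
    """Evaluates each event as it arrives and records alerts with their detection latency."""

    def __init__(self, limits: List[ControlLimit], clock: Callable[[], datetime] = datetime.now):
        self.limits = limits
        self.clock = clock
        self.alerts: List[Alert] = []
        self._seen_report_nos = set()

    def observe(self, event: DepositEvent) -> List[Alert]:
        now = self.clock()
        fired = []
        # Duplicate report numbers are a population exception regardless of any limit.
        if event.report_no in self._seen_report_nos:
            fired.append(Alert("duplicate report number", event.report_no, now, now - event.deposit_date))
        self._seen_report_nos.add(event.report_no)
        for limit in self.limits:
            if limit.predicate(event):
                fired.append(Alert(limit.name, event.report_no, now, now - event.deposit_date))
        self.alerts.extend(fired)
        return fired

    def observe_all(self, events: Iterable[DepositEvent]) -> List[Alert]:
        for e in events:
            self.observe(e)
        return self.alerts


D = Decimal
# Constructed sample stream: one clean deposit, one short deposit, one late deposit, one duplicate.
SAMPLE_EVENTS = [
    DepositEvent(201, datetime(2024, 3, 4), datetime(2024, 3, 5), D("1500.00"), D("1500.00")),
    DepositEvent(202, datetime(2024, 3, 5), datetime(2024, 3, 6), D("2000.00"), D("1960.00")),  # $40 short
    DepositEvent(203, datetime(2024, 3, 5), datetime(2024, 3, 8), D("800.00"), D("800.00")),    # 3 days late
    DepositEvent(201, datetime(2024, 3, 4), datetime(2024, 3, 5), D("1500.00"), D("1500.00")),  # resubmitted
]

# Fixed clock so the latency figures in this illustration are deterministic.
FIXED_CLOCK = lambda: datetime(2024, 3, 10, 9, 0)


def run_sample() -> ContinuousAssuranceMonitor:
    """Run the sample stream through a monitor configured with assumed audit limits."""
    limits = audit_defined_limits(max_variance=D("25.00"), max_variance_pct=D("5"), max_deposit_delay_days=1)
    monitor = ContinuousAssuranceMonitor(limits, clock=FIXED_CLOCK)
    monitor.observe_all(SAMPLE_EVENTS)
    return monitor


if __name__ == "__main__":
    for a in run_sample().alerts:
        print(f"DSR {a.report_no}: {a.limit} (detected {a.detected_at:%Y-%m-%d %H:%M}, {a.latency} after deposit)")
```

Each limit is a plain predicate, so the auditee and Internal Audit can agree on the parameter values (here $25 absolute, 5 percent, one day) without changing the monitor itself; the latency field makes the "shortly after the event" attribute measurable rather than asserted.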
• Questions and Comments:
