Objective Internal Audit.1

The document discusses internal auditing objectives and how they are defined under standards and an integrated framework for internal control. It provides details on the audit objectives, control objectives, and how auditors evaluate internal controls to determine if reasonable assurance is provided to managers. The document is long and technical in nature.

Internal Auditing and Fraud Investigation

Mark R. Simmons, CIA, CFE




Internal Audit Objectives: A Comparison of the Standards with the Integrated Framework
for Internal Control
By Mark R. Simmons, CIA CFE
With the introduction and recognition of Internal Control - Integrated Framework as the
authoritative work on internal control, many auditors are reevaluating and rethinking the
meaning of internal control and how to go about auditing control systems. The purpose of
this article is to summarize and compare audit objective concepts embodied in the
Standards for the Professional Practice of Internal Auditing and the Integrated
Framework for Internal Control. We will begin with a review of the pertinent Standards,
followed by a summary of the concepts found in the Integrated Framework. We will also
incorporate the concept of "materiality" as it is discussed in The Internal Auditor's
Role in Management Reporting on Internal Control, a research report published by the
Research Foundation of the Institute of Internal Auditors, and then draw conclusions
about the interrelationships that exist.

The Definition of Internal Control Objectives Under the Standards


At guideline 300.06.4, the Standards for the Professional Practice of Internal Auditing
(the SPPIA) describes the overall system of controls as "the integrated collection of
control systems developed by the organization to achieve its objectives and goals".

At guideline 300.05 the SPPIA states that the primary objective of internal controls is to
provide reasonable assurance to managers that:

1. Financial and operating information is accurate and reliable;

2. Policies, procedures, plans, laws and regulations are complied with;

3. Assets are safeguarded against loss and theft;

4. Resources are used economically and efficiently; and

5. Established program/operating goals and objectives will be met.

Audit Objectives Under the Standards


Standard 300 of the SPPIA defines the scope of Internal Auditing as encompassing:

•The examination and evaluation of the adequacy and effectiveness of internal control
systems (i.e., assessing the degree to which controls actually provide the reasonable
assurance that managers need); and
•The examination and evaluation of the quality of performance in carrying out assigned
responsibilities (i.e., assessing the degree to which the organization has achieved the
goals and objectives set out by management).

Thus, under the SPPIA, there are five possible objectives that an internal audit might
have:

•to determine whether controls over financial and operating data provide managers with
reasonable assurance that the financial and operating data is accurate and reliable (i.e.,
that information gathering and reporting has been properly planned, organized and
directed);
•to determine whether controls over compliance with policies, procedures, plans, laws
and regulations provide managers with reasonable assurance that proper compliance
actually occurs (i.e., that compliance activities have been properly planned, organized
and directed);
•to determine whether controls over assets provide managers with reasonable assurance
that assets exist and are protected against loss that could result from theft, fire, improper
or illegal activities, or exposure to the elements (i.e., that activities associated with asset
acquisition, recording, storage, use and disposal have been properly planned, organized
and directed);
•to determine whether controls over operations provide managers with reasonable
assurance that resources are used efficiently and economically (i.e., that the organization
is doing things the best way). The objective, then, is to determine whether operating
standards have been established for measuring economy and efficiency (i.e., that
activities have been properly planned); and whether operating standards are understood
and are being met, whether deviations from operating standards are identified, analyzed
and communicated to those responsible for corrective action, and whether effective
corrective action has been taken (in summary, whether activities have been properly
directed); and
•to determine whether controls over operations and programs provide managers with
reasonable assurance that the operations and programs are being carried out as planned,
and that the results of operations are consistent with established goals and objectives (i.e.,
whether activities have been planned, organized and directed so that the organization
does the right things). SPPIA Guideline 350.01.8 elaborates on this. It says that the audit
objectives, then, are to determine whether "the objectives and goals established by
management are adequate and have been effectively articulated and communicated;
whether the desired level of results is being achieved; whether factors that inhibit
satisfactory performance and results are identified, evaluated, and controlled; whether
management has considered alternative courses of action to achieve desired results;
whether an operation or program complements, duplicates, overlaps or conflicts with
other operations or programs; whether controls for measuring and reporting the
accomplishment of objectives and goals are adequate; and whether an operation or
program is in compliance with applicable policies, procedures, plans, laws and
regulations."
An internal audit could encompass all five audit objectives (a full scope audit); or only
one or a few of the five audit objectives (a limited scope audit). Audit scope could be
further limited by only assessing and evaluating the adequacy of controls (i.e., the degree
to which the controls provide reasonable assurance); or by only assessing and evaluating
the effectiveness of the controls (i.e., the degree to which the controls actually function as
management intended).

How Audit Objectives are Met Under the Standards


To meet the audit objectives, internal auditors evaluate the things managers do to plan,
organize and direct activities and operations. Guideline 300.07 of the SPPIA states that
"planning and organizing involve the establishment of objectives and goals and the use of
such tools as organization charts, flow charts, procedures, records and reports to establish
the flow of data and the responsibilities of individuals for performing activities,
establishing information trails, and setting standards of performance. Directing involves
certain activities to provide additional assurance that systems operate as planned. These
activities include authorizing and monitoring performance, periodically comparing actual
with planned performance, and appropriately documenting these activities."

Guideline 300.03 of the SPPIA further elaborates on directing activities. It states that
"Authorizing includes initiating or granting permission to perform activities or
transactions. Authorization implies that the authorizing authority has verified and
validated that the activity or transaction conforms with established policies and
procedures. Monitoring encompasses supervising, observing and testing activities and
appropriately reporting to responsible individuals. Monitoring provides an on-going
verification of progress toward achievement of objectives and goals. Periodic comparison
of actual to planned performance enhances the likelihood that activities occurred as
planned. Documentation provides evidence of the exercise of authority and
responsibility; compliance with policies, procedures, and standards of performance;
supervising, observing and testing activities; and verification of planned performance."

The reasonable assurance that managers need comes about when managers plan, organize
and direct in such a way that in the normal course of doing business, cost-effective
actions are taken to minimize the risk that undesired outcomes will occur, and maximize
the likelihood that desired outcomes will occur.

Having evaluated how managers have planned, organized and directed the activities of
the organization, the internal auditors then express an opinion as to whether or not the
controls reviewed provide managers with the necessary reasonable assurance that goals
and objectives will be achieved (the adequacy of controls); and whether the controls
reviewed function as intended to maximize the likelihood that the desired results will be
achieved (the effectiveness of the controls).

Definition of Internal Controls Under the Integrated Framework for Internal Control
The Framework defines internal control in a slightly different way. The Framework says
that internal control is a broadly defined process, effected by people, designed to provide
reasonable assurance regarding achievement of the following three objectives that all
businesses strive for:
1. Effectiveness and efficiency of operations
2. Reliability of financial data and reports
3. Compliance with laws and regulations
Under "Effectiveness and Efficiency of Operations", the Framework includes:
compliance with policies, procedures, and plans; safeguarding assets; economical and
efficient use of resources; reliability of operating data and reports; and achieving goals
and objectives.

The approach presented in the Framework goes directly to the one key issue of any
business - is there reasonable assurance of achieving the mission, goals, objectives and
desired outcomes of the organization, while adhering to laws and regulations; and can the
organization accurately report the outcomes of its operations to the public and interested
third parties.

Audit Objectives Under the Integrated Framework for Internal Control


The scope of Internal Auditing remains the same when approaching controls from the
perspective of the Framework. That is, the audit scope encompasses:

•The examination and evaluation of the adequacy and effectiveness of internal control
systems; and
•The examination and evaluation of the quality of performance in carrying out assigned
responsibilities.

Under the Framework, however, there are three basic audit objectives:

•to determine whether controls provide reasonable assurance of effective and efficient
operations;
•to determine whether controls provide reasonable assurance as to the reliability of
financial data and reports; and
•to determine whether controls provide reasonable assurance of compliance with laws
and regulations.
Each of these objectives has five components of control:

•A sound Control Environment;
•A sound Risk Assessment Process;
•Sound Operational Control Activities;
•Sound Information and Communications System; and
•Sound Monitoring Practices
Under the Framework, "internal control can be judged effective if management has
reasonable assurance that they understand the extent to which the organization's
objectives are being met; the extent to which financial reports are being reliably prepared;
and the extent to which applicable laws and regulations are being complied with". This
judgement of effectiveness results "from an assessment of whether the five components
of control are present and functioning effectively. Their effective functioning provides
the reasonable assurance regarding achievement of the three primary business
objectives". The components therefore form the criteria for effective control. All five
components must be present and effective in order for management to have the
reasonable assurance needed.

Under the Framework, an internal audit could encompass all three audit objectives (a full
scope audit); or only one or two of the audit objectives (a limited scope audit).

Audit scope could be further limited by assessing only one or a few of the five control
components. However, doing so could prevent the internal auditor from expressing an
opinion as to the effectiveness of controls for the particular audit objective. Under the
Framework, all five components must be present and operating effectively in order for
management to have the necessary reasonable assurances. The internal auditor cannot
express an opinion as to the existence of reasonable assurance unless all five components
are assessed. However, if a review of only one or a few of the components demonstrated
that a component was missing or ineffective, the system of control could not provide the
necessary reasonable assurance, and the auditor could so state in an opinion.

How Audit Objectives are Met Under the Framework


To meet the audit objectives under the Framework, internal auditors evaluate the
elements of the five components of control:

1. For the Control Environment Component auditors assess

•whether managers and employees possess integrity, ethical values and competence;
•whether the nature of management's philosophy and operating style is appropriate;
•whether there is proper assignment of authority and responsibility;
•whether there is proper organization of available resources;
•whether there is proper training and development of people; and
•whether there is proper attention and direction from management.
2. For the Risk Assessment Component auditors assess

•whether management has established a set of objectives that integrate all the
organization's resources so that the organization operates in concert;
•whether there is an awareness of and ability to deal with the risks and obstacles to
successful achievement of business objectives; and
•whether management identifies, analyzes and manages the risks and obstacles to
successful achievement of business objectives.
3. For the Operational Control Activities Component auditors assess

•whether management has established and executed policies and procedures to help
ensure effective implementation of the actions they have identified as being necessary to
address risks and obstacles to achievement of business objectives;
4. For the Information and Communications Systems Component auditors assess

•whether the information system produces the financial, operational and compliance
reports needed to run the business;
•whether the reports that are produced deal with internal and external activities,
conditions and events necessary to informed business decision making and external
reporting;
•whether the organization's people are able to capture and exchange the information they
need to conduct, manage and control operations;
•whether pertinent information is identified, captured and communicated in a form that
enables people to effectively carry out their responsibilities;
•whether communication flows in all directions throughout the organization;
•whether management has made it clear to all employees that control responsibilities are
to be taken seriously;
•whether employees understand their own roles in the internal control system, as well as
how their individual activities relate to the work of others;
•whether all employees have the means of communicating significant information
upstream; and
•whether there is effective communication with external parties.
5. For the Effective Monitoring Component auditors assess

•whether the entire control system is monitored to assess the quality of the system's
performance over time;
•whether there is on-going monitoring in the normal course of doing business, such as
regular supervisory and management activities, and actions employees take in performing
their normal duties;
•whether internal deficiencies are reported upstream, with serious matters reported
directly to top management;
•whether there are separate, independent evaluations of the internal control system.
The Role of Materiality in Meeting Audit Objectives
The objective of an internal audit is to form an opinion as to whether control systems
provide managers with reasonable assurance that desired business outcomes will be
achieved. To reach this conclusion, the auditor has to consider the issue of materiality.
An effective control system should prevent, or detect and correct, "material" errors,
omissions, fraud or other adversities that impact on achieving desired business outcomes.

The Internal Auditor's Role in Management Reporting on Internal Control, a research
report published by the Research Foundation of the Institute of Internal Auditors, defines
materiality as "any condition that has caused, or is likely to cause, errors, omissions,
fraud or other adversities of such magnitude as to force senior managers to undertake
immediate corrective actions to mitigate the associated business risk and possible
consequent damages to the organization".

According to the research report, the control processes for identifying material
weaknesses are working if, during the course of routine operations, the control system
successfully identifies and addresses:

non-persistent and non-pervasive weaknesses that have caused, or are likely to cause,
errors, omissions, fraud or other adversities of such magnitude as to force senior
managers to undertake immediate corrective actions to mitigate the associated business
risk and possible consequent damages to the organization.

Material weaknesses are persistent if the same problem appeared in prior periods; or the
same problem has arisen elsewhere in the organization.

Material weaknesses are pervasive if the effects of the problem seriously imperil
safeguarding of assets; or the effects of the problem seriously imperil the achievement of
operating, reporting or compliance objectives.

A condition is "serious" if it has caused, or is likely to cause, errors, omissions, fraud or
other adversities that increase business risk and possible consequent damages to the
organization, but does not require senior managers to undertake immediate corrective
actions to mitigate the associated impact on operations or outcomes.

This suggests that auditors have five decision options regarding a professional opinion
about the system of controls:

1. The system is well controlled - there are virtually no internal control weaknesses; (or)
2. The system is highly satisfactory - there are opportunities for improvement, but no
reportable conditions; (or)
3. The system is marginally satisfactory - the audit identified a serious condition, but it
has NOT caused, or is NOT likely to cause, errors, omissions, fraud or other adversities
of such magnitude as to force senior managers to undertake immediate corrective actions
to mitigate the associated business risk and possible consequent damages to the
organization; (or)
4. The system is unsatisfactory - the audit identified a serious condition that has caused, or
is likely to cause, errors, omissions, fraud or other adversities of such magnitude as to
force senior managers to undertake immediate corrective actions to mitigate the
associated business risk and possible consequent damages to the organization; (or)
5. The system is unreliable - the audit identified a persistent or pervasive serious condition
that has caused, or is likely to cause, errors, omissions, fraud or other adversities of such
magnitude as to force senior managers to undertake immediate corrective actions to
mitigate the associated business risk and possible consequent damages to the
organization.
Items three through five above are "Reportable Conditions". A "reportable condition"
means that:

•the problem is serious, but not material; or
•the problem is material but not persistent or pervasive; or
•the problem is material and persistent or pervasive.
The research report indicates that as long as the control process identifies and corrects the
problem, or assesses the consequences of inaction, regarding reportable conditions and
material weaknesses, then it is unlikely that the reportable condition will be material and
pervasive or persistent. If this is the case, then the control system is working. However, if
the reportable conditions and material weaknesses were detected by the audit, but not by
the control system, then the auditor should evaluate the circumstances and consider
issuing a qualified or adverse opinion in the report.

It is the auditor's professional judgement that determines what "serious" and "material"
actually mean in the context of a given audit. How does the auditor determine this? There
are several ways, depending on the specific circumstances. Some examples are:

•Discussions with senior management, line managers and staff, and suppliers and
customers of the audit client;
•The auditor's experience and knowledge of control systems and related risks;
•The requirements of laws and regulations;
•The exposure to fraud, waste or abuse; and
•The monetary value or impact of goods, services, transactions, events or outcomes.
The threshold for reportable conditions should be evaluated during the planning phase of
the audit work; discussed with senior management; and discussed with the responsible
manager at the entrance conference. Prior to initiating substantive audit work, the auditor
should have a clear and agreed upon definition of what will constitute a reportable
condition for the activity or function being reviewed.

Conclusions
Both the SPPIA and the Framework address the ways that managers plan, organize and
direct the organization's activities. Both seek to evaluate whether or not managers have
reasonable assurance that risks will be minimized and the likelihood of achieving desired
results maximized. The SPPIA approaches control from the auditor's perspective. The
Framework approaches control from the manager's perspective. A full scope review
under the Framework is more comprehensive than a full scope review under the SPPIA.
This results from the concepts embodied in each of the Framework's five components of
control.

For example, under the Framework's Control Environment component, in addition to
reviewing how resources are organized and how authority and responsibility are assigned,
there is a requirement to assess the ethics, integrity and competence of management and
employees; the degree of training and development afforded to managers and employees;
and the degree of attention and direction that management provides.

The Framework's Risk Assessment component takes an approach to analyzing objective
setting and risk assessment that significantly expands on the concepts found in the
SPPIA. The same is true for the approach taken in the Framework's Information and
Communications Systems component.

The Framework's Operational Control Activities component and Effective Monitoring
component most closely match the traditional issues evaluated through internal audits -
establishment and execution of policies and procedures designed to achieve objectives;
and monitoring/reporting activities designed to determine effective implementation of
those policies and procedures.
As an integral part of establishing audit objectives, the auditor should clearly define the
threshold for reportable conditions and materiality. In the traditional paradigm, the
internal auditor would most likely do this unilaterally, based on professional judgement.
When auditing under the Framework, defining materiality might be better accomplished
with the active participation and agreement of management.

By using the manager's perspective, the Framework elevates the level at which internal
auditors look at internal control. It moves internal auditing from the more traditional
operational level to a strategic level. The beauty of the Framework is that although there
is a shift in emphasis, it can be applied to audits of entire organizations, or to audits of
individual organizational units, at a strategic level. The Framework provides the internal
auditor with an excellent methodology for adding significant value to the organization,
while maintaining compliance with the Standards for the Professional Practice of Internal
Auditing.

Copyright © 1995 Mark R. Simmons, All rights reserved



© 1996-2010 Mark R Simmons, CIA, CFE. All rights reserved. Updated 12-Oct-2010
Designed and maintained by Web Wise Concepts, LLC for
http://www.facilitatedcontrols.com
Internal Audit & Risk Management

Internal Audit: Head Auditor; Senior Auditor; Auditor; Assistant Auditor; Administration Staff
Risk Management: Head Risk Analyst; Senior Risk Analyst; Risk Analyst; Junior Risk Analyst; Administration Staff
