
Internal Control Audit and Compliance: Documentation and Testing Under the New COSO Framework (Wiley Corporate FA)




Internal Control Audit
and Compliance


Wiley Corporate F&A Series
The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals
responsible for issues affecting the profitability of their company, from accounting and finance to
internal controls and performance management.
Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United
States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to
developing and marketing print and electronic products and services for our customers’ professional
and personal knowledge and understanding.


Internal Control Audit
and Compliance
Documentation and Testing
Under the New COSO Framework

LYNFORD GRAHAM


Cover image: © iStock.com/kentoh
Cover design: Wiley
Copyright © 2015 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise,
except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without
either the prior written permission of the publisher, or authorization through payment of the
appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers,
MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com.
Requests to the publisher for permission should be addressed to the Permissions Department,
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax
(201) 748-6008, or online at www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best
efforts in preparing this book, they make no representations or warranties with respect to the
accuracy or completeness of the contents of this book and specifically disclaim any implied
warranties of merchantability or fitness for a particular purpose. No warranty may be created or
extended by sales representatives or written sales materials. The advice and strategies contained
herein may not be suitable for your situation. You should consult with a professional where
appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other
commercial damages, including but not limited to special, incidental, consequential, or other
damages.
For general information on our other products and services or for technical support, please
contact our Customer Care Department within the United States at (800) 762-2974, outside the
United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some
material included with standard print versions of this book may not be included in e-books or in
print-on-demand. If this book refers to media such as a CD or DVD that is not included in the
version you purchased, you may download this material at . For
more information about Wiley products, visit www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Graham, Lynford.
Internal control audit and compliance : documentation and testing under the new COSO
framework / Lynford Graham.
1 online resource. – (Wiley corporate F&A series)
Includes index.

Description based on print version record and CIP data provided by publisher; resource not
viewed.
ISBN 978-1-118-99621-8 (cloth); ISBN 978-1-118-99647-8 (ebk);
ISBN 978-1-118-99630-0 (ebk) 1. Auditing, Internal. I. Title.
HF5668.25
657 .458—dc 3
2014035947
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1


Contents

Preface  xi
Acknowledgments  xv

Chapter 1: What We All Share  1
  Need for Control Criteria  1
  Overview of the COSO Internal Control Integrated Framework  2
  Holistic, Integrated View  3
  Revised COSO Internal Controls Framework  6
  What We Must Do  8
  Basic Scoping and Strategies for Maintenance  11
  Where We Depart  12
  Triangle of Efficiency  13
  Controls versus Processes  14
  The Debate Continues  18
  Organization of This Book  18
  Appendix 1A: COSO 17 Principles  20

Chapter 2: Setting the Scope of Your Documentation Project: Identifying the Core  21
  Start with Business Objectives  21
  After the Initial Year  24
  Mapping the Entity to the Financial Statements: Ins and Outs  25
  Consider Risks, Not Just Quantitative Measures  27
  Inherent and Control Risk  28
  Overstatement and Understatement  28
  Does “In Scope” Imply Extensive Testing?  37
  A Consolation  39
  Be Careful Out There!  40
  Appendix 2A: Summary of Scoping Inquiries  42

Chapter 3: The Risk Assessment Component  45
  Risk Assessment Principles in COSO  46
  Cost Control  46
  Basics  47
  Likelihood, Magnitude, Velocity, and Persistence  48
  Separate Assessments of Inherent and Control Risks  50
  Role of Assertions  51
  Assertions  52
  Principles 6 and 7: Specify Suitable Objectives; Identify and Analyze Risk  56
  Identifying Risks  59
  External Sources of Risk Information  60
  Internal and External Reporting Risks  61
  Compliance Risks  61
  Disclosed Material Weaknesses in Risk Assessment  62
  Principle 8: Assess Fraud Risk  62
  Auditor Responsibility to Detect Fraud  65
  Antifraud Controls for Management to Consider  66
  Ties to Other Principles and Components  66
  Principle 9: Identify and Assess Significant Change  66
  Gathering Information to Support the Risk Assessment and Consider Change  68
  Appendix 3A: SAS No. 99 Exhibit: Management Antifraud Programs and Controls  72
  Attachment 1: AICPA “CPA’s Handbook of Fraud and Commercial Crime Prevention” Code of Conduct  87
  Attachment 2: Financial Executives International Code of Ethics Statement  91
  Appendix 3B: Understanding Fraud Risk Assessment  93

Chapter 4: Control Environment  99
  Principle 1: Commitment to Integrity and Ethical Values  100
  Principle 2: Board of Directors (Governance) Demonstrates Independence from Management and Exercises Oversight of the Development and Performance of Internal Control  104
  Principle 3: Management Establishes, with Board Oversight, Structures, Reporting Lines, and Appropriate Authorities and Responsibilities in the Pursuit of Objectives  109
  Principle 4: Commitment to Attract, Develop, and Retain Competent Individuals in Alignment with Objectives  110
  Principle 5: The Organization Holds Individuals Accountable for Their Internal Control Responsibilities in the Pursuit of Objectives  113
  Appendix 4A: Understanding and Awareness of Control Responsibilities  117

Chapter 5: Control Activities  120
  Principle 10: Selects and Develops Control Activities to Mitigate Risk and Achieve Objectives  120
  Principle 11: Selects and Develops General Controls over Technology  132
  Principle 12: Deploys through Policies and Procedures  141
  Summing Up  143
  Appendix 5A: Linking Common Control Activities and Assertions  146
  Appendix 5B: Linkage of Principles to Controls, Policies, and Procedures  158

Chapter 6: Information and Communication  165
  Principle 13: Generates Relevant Information  166
  Principle 14: Communicates Internally  168
  Principle 15: Communicates Externally  170

Chapter 7: Monitoring  173
  Principle 16: Select, Develop, and Perform Ongoing and/or Separate Evaluations  174
  Principle 17: Evaluate and Communicate Deficiencies as Appropriate  176

Chapter 8: Evidence and Testing  179
  Sufficient Evidence  179
  Gathering Information  187
  Testing and Sampling  194
  Nonsampling Situations  202
  Confusion of Sample Size Guidance in Practice Today  203
  Information Technology General Controls  204
  Testing Security and Access  205
  Appendix 8A: Sample Size Tutorial  211

Chapter 9: Developing Questionnaires and Conducting Interviews  217
  Surveys of Employees  219
  Conducting Interviews  224
  Management Inquiries: Sample Questions  234
  Appendix 9A: Sample Practice Aids  239

Chapter 10: Assessing the Severity of Identified Controls Deficiencies  248
  It’s Inevitable  248
  Alignment of Public and Private Company Standards for Assessing Deficiency Severity  251
  Control Deficiencies and Definitions  252
  Key Factors When Assessing the Severity of a Deficiency  263
  Conditions Indicating Control Deficiencies  270
  Examples of Evaluating the Severity of Deficiencies  277
  Overall Assessment  281
  Appendix 10A: A Framework for Evaluating Control Exceptions and Deficiencies  283
  Appendix 10B: Assessing the Potential Magnitude of a Control Deficiency  299

Chapter 11: Reporting Requirements  302
  Nonpublic Entity Reporting  302
  Public Company Annual and Quarterly Reporting Requirements  304
  Reporting on Management’s Responsibilities for Internal Control  309
  Required Company and Auditor Communications  312
  Reporting the Remediation of Weaknesses  314
  Coordinating with the Independent Auditors and Legal Counsel  315
  Appendix 11A: Illustrative AICPA Report on Internal Controls  316

Chapter 12: Project Management and Tools Assessment Design  318
  Project Management  318
  Structuring the Project Team  319
  Tools Assessment Design  325
  Features of a Good Tools Solution  326
  Value of a Pilot Project  331
  Coordinating with the Independent Auditors  334

Chapter 13: Illustrative Forms and Templates  337
  Historical Perspective  338
  2013 Framework Examples  340
  Appendix 13A: Information-Gathering Form—Principle Focused  348
  Appendix 13B: Information Gathering Form—Revenue  350
  Appendix 13C: Walk-through Documentation Form  353
  Appendix 13D: Information Technology General Controls Assessment Form  355
  Appendix 13E: Documentation of Financial Reporting Software and Spreadsheets  364
  Appendix 13F: Sampling Form for Tests of Controls  368
  Appendix 13G: Summary of Internal Control Deficiencies  371
  Appendix 13H: Control Environment Component Evaluation Summary  372

Chapter 14: Summing Up  373

About the Author  375
Index  377



PREFACE

MUCH HAS BEEN learned in the decade since corporations, other entities, and
auditors started re-reading the 1992 COSO Internal Controls Framework
document to understand their mandates to document and assess internal
controls. We have been through a version of the guidance targeted to smaller public
companies (2006) and special guidance for unscrambling what is meant by Monitoring
(2009). In 2013 we were presented with the updated Framework that will replace
that prior COSO literature after December 15, 2014, and serve as our basis for going
forward. Many entities that began the COSO process in 2002-2003 have not made
major changes in their approach since that time. The revised Framework provides
an excellent opportunity to re-examine past practices and seek improvements and
efficiencies, since some level of change is likely to be necessary anyway.
It is likely that the COSO Internal Controls Framework will be around in some form
throughout our working lives. Some still fail to embrace its goals and others work hard to
find ways to try to change the laws and standards or short-cut the required assessment
procedures. Still others are starting to recognize some of the benefits that can be realized
from effective controls and more orderly and automated processes.
This book will look back on some of the “lessons learned” as experienced by entities and auditors. We will examine some of the academic and professional literature
that provides wider insight than can be obtained from solely one entity’s experience.
As we face the new Framework, we will consider efficient approaches to migrate entities from current approaches to the new guidance with a minimum of disruption and
effort. As with any process, the assessment benefits from periodic reconsideration and
improvements, and this book can assist in implementing more effective solutions in that
update process.
We are now into the second and for some the third round of staff and management
changes over the controls documentation and assessment project. In the natural order
of things, systems are known to deteriorate over time. From my observation, that is a
real challenge to all entities – “how to keep the music playing.” Internal control pioneers in the early 2000s period had a lot to learn and not much time to learn it. Many
of those warriors have now moved on, up, or out. How do we properly train new team
members in the use of our developed tools and also fully explain the concepts we are
trying to achieve? If approached as a paint-by-numbers exercise, the end product may
look acceptable (from a distance) but still not meet the main objective. Controls “101”


remains a requested topic on the speaker circuit for the benefit of new project members
and helps fill the gaps in understanding by those already involved in projects. This book
will also try to provide some history and context from which to understand not just how
to do the tasks, but to understand why they are being done and how to make the project
more meaningful and valuable to the entity—and in that process, facilitate working with
the independent auditors in an efficient and effective way.
This volume is meant to supplement, not replace, the COSO Framework documents.
An investment in the actual Framework is worthwhile and undoubtedly at some point
with some Principle or Point of Focus, you will need to dig as deep as possible into the
Approaches and Examples to find a nugget you can use in crafting your assessment
of how the Principle is being met. This volume cannot possibly (or legally) reproduce
all the potential COSO reference material you may wish to refer to as your project
proceeds.
Some suggestions, based on first readers’ comments, on how to get the most out
of this volume include:

• Use the material in this volume first to get the lay of the land and understand the concepts underlying the revised Framework.
• Use the guidance here to make an initial mapping of the current state of your assessment to what COSO 2013 is seeking.
• Look at the suggested tools in this volume and in the illustrative templates in the COSO template materials and craft an initial idea of what you think your documentation might look like in a few areas.
• Take advantage of the unique guidance in this volume on crafting interviews and questionnaires, sampling and testing, and deficiency assessment.
• Try your ideas out. Include IT assessments and walkthroughs and controls tests to give any revised approach a full trial.
• Revise the plan and flesh out the new directions.
• Provide a forum for discussion with all core team members to share observations and suggestions.
• Develop training material to ensure consistent application as you roll out the new direction.
• Utilize continuous improvement and other techniques to keep the project fresh and current.

This book updates and replaces two separate volumes previously published by John
Wiley & Sons: Internal Controls–Guidance for Private, Government, and Nonprofit Entities
(2007) and Complying with Sarbanes Oxley Section 404: A Guide for Small Publicly Held
Entities (2010). Because of the common Framework these diverse applications now
share, it makes sense to combine these volumes at this time. Many of the technical
and operational issues are shared in these applications, albeit with different levels of
importance and intensity to specific entities and audit environments.



The evolution of the COSO Framework is one of close personal association since
I was a partner with Coopers & Lybrand as the 1992 Framework was first being drafted
for COSO and introduced to (C&L) clients. I was responsible for the development and
training at BDO in applying the Framework to SOX, was a member of a professional
Firm 404 Implementation Task Force and was a member of the Auditing Standards
Board as the COSO Framework was further integrated into Generally Accepted Auditing
Standards. I was appointed as an AICPA representative in roundtable discussions with
COSO developers leading up to the release of the 2006 enhanced guidance for smaller
public entities and have worked with companies and auditors in implementation issues
throughout this period and to date. I have developed several training courses for the
AICPA and other associations in documenting internal controls. My sincere hope is that
this work will make a difference for those seeking new insights and better approaches
to the implementation of the Framework. I would like to thank my clients for all the
learning opportunities along the way.



Acknowledgments


AS ALWAYS, SPECIAL THANKS go to my wife Barbara and to my family, who again
tolerated my being sequestered in my office during the development and refinement of this work.
Thanks to my clients, both companies and auditors and peers, that provided the
experiences and training grounds. Also to be acknowledged are the dedicated professionals of the various COSO development teams and the AICPA and PCAOB whose writings have been woven into this work.
A special thank you also goes to the many John Wiley and Sons production and
editing professionals that have helped make this work and its predecessors along the way
more readable and focused and to the Wiley leadership of John DeRemigis and Timothy
Burgard who strongly supported the production of this volume.








CHAPTER ONE

What We All Share

REGARDLESS OF THE type of entity, all Committee of Sponsoring Organizations of
the Treadway Commission (COSO) Framework users and auditors in the public
and nonpublic sectors share a great deal in common. We broadly outline those
shared characteristics here before plunging into the details of application and documentation. This will also help readers to target the specific goals they have in studying
this material. Later these concepts are developed in more detail. For now they serve to
overview the subject matter.

NEED FOR CONTROL CRITERIA
Early auditing literature talked about controls, primarily in terms of controls over more
routine transactions, such as cash receipts and disbursements. Based on the analysis
of business and accounting failures over decades of experience, it became clear that a
broader view of controls was necessary to address the various management, information
processing, or oversight weaknesses that so often contributed to these events. However,
there was no broader framework or set of criteria against which to evaluate the effectiveness of the entity in controlling its risk of filing materially false financial information
and preventing other types of fraud. The COSO Framework has filled that void.
A set of criteria is a standard against which a judgment can be made. In the United
States, the internal control integrated framework published by COSO is just about the
only overall controls criteria to assess the effectiveness of internal controls over financial
reporting (ICFR). Choosing appropriate control criteria is a Securities and Exchange
Commission (SEC) requirement for public companies when performing an assessment

of the effectiveness of an entity’s internal control. The American Institute of Certified
Public Accountants (AICPA) auditing literature references COSO components in its
guidance to auditors of nonpublic companies, so from a practical perspective, COSO is
the only game in town. While there are other frameworks out there (e.g., the criteria of
control (COCO) framework from Canada, the Turnbull Report in the United Kingdom,
and SOX of Japan), these are not that dissimilar to COSO in overall concept and have
not gained wide acceptance outside of their home countries.

OVERVIEW OF THE COSO INTERNAL CONTROL
INTEGRATED FRAMEWORK
In 1985, COSO was formed to sponsor the National Commission on Fraudulent Financial Reporting, whose charge was to study and report on the factors that can lead to
fraudulent financial reporting. It was motivated by yet another intense period of time
when financial reporting fraud and alleged audit failures were prominent in the news.
Since this initial undertaking, COSO has expanded its mission to improving the quality
of financial reporting. A significant part of this mission is aimed at developing guidance
on internal control. In 1992, COSO published Internal Control—Integrated Framework,
which established a framework for internal control and provided evaluation tools that
businesses and other entities could use to evaluate their control systems.1
The COSO internal control framework identifies five components of internal
control:
1. Control environment
2. Risk assessment
3. Control procedures
4. Information and communication
5. Monitoring

Today these remain unchanged from the 1992 Framework. That is a testament
to the fundamental correctness of the COSO Framework. However, the level of detailed
guidance over the years has increased due to the more recent widespread implementation of the Framework in our business environment and a desire to have more consistency in the application of COSO principles.
1 In 2003, COSO published a draft of a document, entitled Enterprise Risk Management (ERM) Framework,
whose purpose was to provide guidance on the process used by management to identify and manage risk
across the enterprise. This new framework is not intended to supersede or otherwise amend its earlier internal control framework guidance on internal control. Internal control is encompassed within and an integral
part of enterprise risk management. Enterprise risk management is broader than internal control, expanding
the discussion to form a more robust conceptualization of enterprise risk. Internal Control–Integrated Framework remains in place for entities and others looking at internal control over financial reporting by itself.
Note: Entities using the ERM Framework will still need to make a pointed financial statement risk assessment,
as detailed in the risk assessment component discussion.



HOLISTIC, INTEGRATED VIEW
The COSO Framework identifies five main components of internal control, and one of the
keys of working with it is to understand how these components relate to and influence
one another. COSO envisions these individual components as being tightly integrated
in a nonlinear fashion. Each component has a relationship with and can influence the
functioning of every other component, operating in an almost organic way.
The five interrelated components of the COSO Framework are, briefly:
1. Control environment. Senior management must set an appropriate tone at the top
that positively influences the control consciousness of entity personnel. The control
environment is the foundation for all other components of internal controls and
provides discipline and structure.
2. Risk assessment. The entity must be aware of and deal with the financial reporting
risks it faces. It must set objectives, integrated throughout its activities, so that the
organization is operating in concert. Once these objectives are set, the entity is in a
better position to identify the risks to achieving those objectives and to analyze and
develop ways to manage them.
3. Control activities. Control policies and procedures must be established and executed
to help ensure transactions being processed on a day-to-day basis, such as sales and
expense transactions, or on a periodic basis, such as accruals and consolidations,
are resulting in complete and accurate accounting recognition.
4. Information and communication. Surrounding the control activities are information
and communication systems, including the accounting system. Whether manual
or most likely today implemented using automated (computer) systems, they enable
the entity’s people to capture and exchange the information needed to conduct,
manage, and control its operations. The information and communication component is comprised of both internal (e.g., management, governance) and external
communications (e.g., shareholders, prospective investors, or creditors).
5. Monitoring. The COSO Framework identifies monitoring as the responsibility of
management. The auditor is not a part of the entity’s system of internal control.
The entire company control process should be monitored on a regular basis by
management, and issues that arise should be communicated appropriately within
the organization. In this way, the system should be in a position to react dynamically, changing as conditions warrant, and not require that special procedures
or independent audit procedures detect these problems. The company is expected
to be proactive in identifying and correcting control deficiencies.
Figure 1.1 is from the 1992 COSO Integrated Framework report. It depicts these five
elements of internal control and their interrelationships in a 3-sided pyramid, with the
control environment as the base.
[Figure 1.1 COSO Framework: a pyramid with Control Environment as the base, Risk Assessment, Control Activities, and Monitoring layered above it, and Information & Communication running along the pyramid’s edge.]

[Figure 1.2 COSO Framework II: a cube whose three dimensions are the components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities), the objective categories (Operations, Reporting, Compliance), and the entity levels (Entity Level, Division, Operating Unit, Function).]

Note that the information and communication component is positioned along the
edge of the pyramid structure, indicating that this component has close linkages to the
other components. It probably would be even more accurate if the component were
depicted as affecting all other ones, including control environment and monitoring, as
it is difficult to envision these components being effective without effective information
and communication.
Historically, the auditing literature has pictorially described the COSO Framework
in the shape of a cube (see Figure 1.2). This representation shows that controls can
affect the entity either on an entity-wide basis or specifically on a divisional, regional or
product line basis. The 2013 revision changed the “cube” and placed the control environment at the top of the cube. The strong hierarchical image of the pyramid and its
strong base is somewhat lost in this representation, but for complex entities with multiple product lines or locations, the cube works well.
While both models have advantages, whatever the model used to communicate the
Framework, it is helpful to have some physical representation of the Framework as a
training tool and as a reminder of the components when initiating a project or bringing new personnel into an existing project. In the early days of Sarbanes-Oxley (SOX)
implementation, some creative ways were developed to etch the components firmly in
the auditor’s mind. A unique product was a pen that revealed a new component each
time the ballpoint pen point was retracted or extended.
A blessing of the COSO Framework is that together the five components seem
to be satisfactory in describing the broad sources of internal control issues. The
corresponding curse is that it is sometimes difficult to determine where specific facts
and controls fall within the framework. While it would be nice if a one-to-one relationship existed between processes and controls and the Framework components,
that is not the case. Entities can and did make their own decisions where controls
belonged under the 1992 Framework. The focus and 17 Principles in the 2013 Framework will reduce the variability in classifying controls within the Framework going
forward.
For example, the 1992 COSO Framework report contained only passing mention of
information technology (IT). Can we cleanly assign IT to just one component? Clearly
there is a linkage to the control activities component since automated accounting processes and controls depend on the IT being effective. In another sense, IT is important
to information and communication, which relies on data in company databases being
accurate and complete. And it is hard to imagine running a business or performing the
governance function effectively without accurate and timely financial data, so failures
of IT can also impact the control environment. The fact is that IT has a pervasive effect
on many aspects of the controls assessment and does not fit neatly into only one of the
component categories. However, IT General Controls are now a specific principle to be
satisfied (Principle 11).
Another example is fraud risk. There is now a principle (Principle 8) of risk
assessment directed to assessing management’s implementation of antifraud programs
and controls. However, fraud risk can also be associated with the control environment,
because of the risk of management override of controls. Fraud can be associated with
transaction processing (a control activity) such as cash disbursements. So, prior to the
recent guidance, it was not so clearly assigned to one component.
The point here is that while some topical issues fall neatly within a COSO component, there are control issues that may potentially affect many other components. That
is also a reason that the new guidance stresses the interrelationship of controls and control deficiencies. One deficiency can touch several principles and components.

