ACCOUNTING & AUDITING
Auditing
Internal Control Components: Did COSO Get It Right?
By Marshall A. Geiger, Steven M. Cooper, and Edmund J. Boyle
Financial accounting frauds and the attention they bring are not new. Fortunately, neither are the accounting profession’s ongoing attempts to limit these types of fraud by encouraging strong systems of internal control. In October 1986, amid growing concerns about the extent of fraudulent financial reporting, the National Commission on Fraudulent Financial Reporting (the Treadway Commission) began an extensive study and evaluation of the integrity of the U.S. system of financial reporting. The Treadway Commission’s final report, issued in 1987, provided numerous recommendations for improving the financial reporting environment and auditing standards. In response, the Committee of Sponsoring Organizations (COSO) developed a comprehensive, integrated model of internal control to offer guidance for creating, adapting, and monitoring systems of controls. This integrated framework was later tailored to practitioners by the Auditing Standards Board (ASB) through SAS 78.
While people are now more interested in internal control evaluations by corporations, auditors, and auditing standards-setters due to SAS 99, Consideration of Fraud in a Financial Statement Audit, and the Sarbanes-Oxley Act of 2002, relatively little factual data is available to confirm or deny the efficacy of the interrelated internal control components embraced by COSO and codified in the professional standards under SAS 78. To illuminate such data, the authors compiled an analysis of internal control weaknesses communicated by 32 Rhode Island state agencies using the framework mandated by SAS 78.
Background
The revised framework proposed by COSO and codified in SAS 78 depicts internal control as a process designed to provide reasonable assurance regarding the achievement of objectives for reliable financial statements, effective and efficient operations, and compliance with applicable laws and regulations. These broad objectives are directly linked to five interrelated components considered necessary to achieve internal control objectives (see Exhibit 1).
The role and importance of the control environment to the effectiveness of a company’s internal control system had been evolving until it became a formal component of SAS 55’s three-component internal control structure. SAS 78 further defined control environment as the component that sets the tone of the organization by influencing the control consciousness of the entity’s employees and establishing the foundation for the remaining components. Risk assessment encompasses those events and circumstances that can adversely affect the underlying integrity of the management assertions embodied within the financial statements. Risk assessment factors identified by SAS 78 focus particularly on changes that can influence the extent of financial statement risks (e.g., changes in the operating environment, information systems, or technology). The control activities component includes policies and procedures designed to ensure that management directives are effectively implemented. The four broad subcategories of policies and procedures are intended to identify breakdowns in control, provide guidance for timely responses, and help achieve the entity’s objectives. The information and communication component has two separate yet integrated factors encompassing the entity’s accounting system and the entity’s communication of the roles and responsibilities of organizational personnel. Monitoring incorporates all management oversight of the organization’s systems of internal control.
Government Auditing Standards
All government audits, including those under the jurisdiction of the Single Audit Act of 1984, must be performed according to the standards set forth by the Government Accounting Office (GAO) through its Government Auditing Standards (GAS), commonly referred to as the Yellow Book. GAS articulates generally accepted government audit standards (GAGAS). Essentially, GAGAS incorporate the external auditor’s generally accepted auditing standards, with additional supplemental general standards for all government audits, as well as supplemental fieldwork and reporting standards for financial and performance audits.
The Single Audit Act of 1984, among other things, requires auditors to provide a single audit report that includes an opinion on the financial statement presentation, a report on relevant internal controls of the financial statements and major programs, and a report on compliance with laws, regulations, and provisions of contracts or grant agreements. Thus, audits that fall under the Single Audit Act are more extensive than those performed under GAAS or GAS, in terms of the extent of compliance tests and the detail of the resulting audit report.
Analysis
Under a Rhode Island law, the governor’s director of administration revived a statewide financial management program that requested the Bureau of Audits (the internal audit agency attached to the governor’s office) to collect and review internal control reports from all agencies. This program involved all state entities, including quasi-public state agencies. Each agency was formally contacted after the state’s fiscal year-end and charged with submitting a letter and detailed “self-assessment summary” to the governor regarding control system weaknesses mentioned in its most recent audit report. The Bureau of Audits used an open-ended format for reporting agency control system weaknesses in order to allow agency directors enough flexibility to communicate their control system observations and their intended responses to the weaknesses identified in the recently received audit reports.
The authors examined all internal control weaknesses reported for one fiscal year by the Rhode Island agencies contained in the review, and classified each individual control weakness identified according to SAS 78’s five component categories. Because applying the control components requires considerable judgment, each author independently classified the weaknesses according to the framework. The differences in categorization were minimal, as indicated by an average classification agreement of 96.8%. All differences were discussed and resolved before arriving at the final categorizations used for analysis.
In total, the 32 state audit reports identified 213 internal control weaknesses. Each audit report included at least one internal control weakness in the organization audited. The highest number of internal control weaknesses in a single audit report was 25, and the median was three weaknesses.
While each internal control weakness was classified into the five SAS 78 internal control components, a single weakness could be categorized into more than one component (93% of the weaknesses fell into either one or two control components). Accordingly, the 213 weaknesses were categorized as 349 items.
After reaching agreement on the classification of the internal control weaknesses, the authors’ analysis focused on two underlying questions:
Occurrence and interrelationship of internal control weaknesses. As Exhibit 2 indicates, the control component containing the most weaknesses was the control activities component. This one component represented almost 31% of all weaknesses identified in the study. The next highest control component was the control environment component, representing 23% of the identified weaknesses. The component with the fewest identified weaknesses was the monitoring component, at roughly 10%.
In terms of the relationships among the five control components, there was a significant positive correlation between the control environment and risk assessment components. This positive relationship supports the interrelated nature of these components espoused by COSO and SAS 78. This finding also supports the inclusion of the risk assessment factors embodied in the control environment component of the earlier three-component internal control framework of SAS 55.
Negative relationships were observed for the remaining components, indicating that if the weakness was identified as being in one component, it usually was not also identified as any other component. The strongest negative relationships observed were between the control activities component and the remaining components. The other significant negative correlations were between the risk assessment and the information and communication components, and between the control environment and the information and communication components.
Relationship between size and internal control weaknesses. The authors also assessed whether the types of weaknesses identified were related to the size of the organization being audited, as measured by total operating budget. The relationship between the five control component categories and the total operating budgets was only marginally significant. Only the monitoring component varied significantly with the operating budget.
Common agency weaknesses. As indicated in Exhibit 2, each individual audited agency or department was classified into one of six categories:
The results of five independent regression analyses indicated that the type of governmental agency had no significant effect on the specific types of internal control weaknesses identified.
In addition, the results indicate that the type of governmental agency did not significantly affect the total number of weaknesses identified after controlling for agency size.
Implications
Based on this study, the SAS 78 integrated framework was found highly useful. Although the five-component framework effectively captured the weaknesses identified in the study, the weaknesses were not evenly distributed across the five components. Based on this study, actual control activities performed in the organization remain a very important aspect of the system of internal control, and are most likely to be identified by an auditor as deficient. Additionally, this finding may reflect that auditors have historically evaluated control activities in their internal control assessments, and may be better prepared to identify these types of weaknesses or more apt to search for control activity weaknesses. The size of an agency was related to only one type of weakness, monitoring. The type of government agency was not related to the number or type of weaknesses identified.
The predominance of the control activity component highlights the need for audit managers to closely review, evaluate, and amend their existing policies and procedures to ensure that they include those designed specifically to prevent or detect internal control weaknesses. Conversely, because the reported weaknesses in the study were the outcome of a self-assessment process using actual audit reports, the negative correlations to other components may indicate a preoccupation with control activities on the part of the participants, to the disregard of other relevant components.
The results also confirm previous beliefs about the significance of the control environment based on its prevalence in the audit reports for these state agencies. This component received the second-largest number of weaknesses, substantiating the existence of control environment factors as part of the system of internal control. The identification of these factors as control weaknesses legitimizes their inclusion in the framework and also serves to acknowledge auditor and management awareness and concern. Furthermore, the strong correlation between the control environment and risk-assessment components supports the earlier joining of these components in SAS 55 and also perhaps indicates a need to study them together to more effectively understand existing control systems.
The correlation of the monitoring component to size is also significant for practice. As organizations grow in size, the need for monitoring activities increases; this should also affect the need for comprehensive and timely audits of those monitoring mechanisms. In this study, the data suggest that larger entities should continue to establish monitoring mechanisms as a worthwhile activity in an integrated system of internal control.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.