Auditing The Control Environment

IPPF Practice Guide
Auditing
the control
environment
APRIL 2011
IPPF Practice Guide
Auditing the Control Environment
Table of Contents
Executive Summary......................................................................................... 1
Introduction.................................................................................................... 2
An Organizations Control Environment........................................................... 2
Scope and Approach to Auditing the Control Environment............................... 3
Practical Considerations in Auditing the Control Environment........................ 6
How to Audit the Control Environment............................................................. 9
Evaluating Control Environment Deficiencies................................................ 10
Communicating Results................................................................................ 11
Appendix ...................................................................................................... 13
Authors ...................................................................................................... 34
www.theiia.org/guidance / B
IPPF Practice Guide
Executive Summary audits of higher control environment risks. The CAE may
choose to address these risks in (1) a single audit of the or-
The control environment1 is the foundation of an effective ganizations control environment, (2) a series of audits fo-
system of internal control. Most of the well-publicized cusing on aspects of the control environment, and (3) au-
failures (including not only Enron and WorldCom, but dits of controls over specific risks (i.e., the scope includes
also the governance failures that led to the 2008 financial the assessment of controls performed within the control
crisis) were, at least in part, the result of weak control environment as well as within business processes). Since
environments. In the absence of a demonstrably effective the audit of an organizations control environment will of-
control environment, no level of design and operating ten involve discussion of sensitive issues, the CAE must
effectiveness of controls within business and IT processes plan and execute these audits diligently.
can provide meaningful assurance to stakeholders of the
integrity of an organizations internal control structure. There are many practical considerations that the CAE
should pay close attention to when planning and ex-
The International Standards for the Professional Practice of ecuting a control-environment related audit. First, there
Internal Auditing (Standards) Glossary defines the control should be support or buy-in from senior management and/
environment as: or the board or the audit committee for such an audit.
Second, internal auditings reporting structure should be
The attitude and actions of the board and management re- sufficiently independent to ensure minimal or virtually
garding the significance of control within the organization. no scope limitation of the audit team. Third, the CAE
The control environment provides discipline and structure should clearly articulate and communicate the criteria to
for the achievement of the primary objectives of the system be used, for the benefit of the auditee and the audit team
of internal control. The control environment includes the members, in assessing the control environment. Finally,
following elements: due attention should be given to differences in business
culture, language, local laws, etc., while conducting such
Integrity and ethical values. audits in a global organization.
Management philosophy and operating style.
Because the audit of the control environment includes
Organizational structure. auditing soft controls, some of the traditional testing ap-
Assignment of authority and responsibility. proaches and tools may not enable gathering of sufficient
direct evidence of their effective operation. The auditor
Human resource policies and practices.
will need to think outside-the-box to gather sufficient,
Competence of personnel. competent evidential matter in such audits to ensure that
audit findings are not challenged due to lack of rigorous
Central to any approach to auditing the control environ-
audit procedures and evidence.
ment is the assessment of risks from failure of each one
of the six individual control environment elements as de-
Control environment deficiencies need to be evaluated in-
fined in the glossary of the Standards. Upon determining
dividually and it should be understood how they interact
the risks relating to each one of the six control environ-
with or impact other controls in the organization. The cor-
ment elements, the chief audit executive (CAE) may con-
rective actions sometimes may need to extend beyond the
sider including in his or her annual audit plan one or more
immediate control environment element being evaluated.
1 Because control environment includes assessing an organizations culture, the reader of this Practice Guide is also encouraged to review The IIARF publication, Best Practices:
Evaluating the Corporate Culture, by James Roth, 2010.
www.theiia.org/guidance / 1
IPPF Practice Guide
Communication of the control environment audit findings failures can miss the fundamental aspects of the orga-
involve many practical considerations such as determining nizations foundation. An entitys control environment is
the appropriateness of the standard audit report format, the foundation of an organizations entire internal control
limiting the distribution of the audit report, confidential structure financial, operational, and compliance in-
nature of the findings, timeliness, and involvement of the cluding safeguarding of its assets. Internal auditors need
general counsel and the human resource (HR) function ei- to consider the risk of control environment failures in the
ther as the co-executive sponsor or in a supporting role, etc. development of annual (and other periodic) audit plans as
well as in planning each individual audit.
Auditing the control environment or one or more of its
elements either as stand-alone or part of other inter- The Standards defines the control environment as the at-
nal audits is not only consistent with the intention of titude and actions of the board and management regard-
various standards within the International Professional ing the significance of control within the organization.
Practices Framework (IPPF) but is also value-added to Specifically, Standard 2130: Control states, the internal
the organization. audit activity must assist the organization in maintaining
effective controls by evaluating their effectiveness and
efficiency and by promoting continuous improvement.
Furthermore, Standard 2130.A1: Control states the in-
Introduction ternal audit activity must evaluate the adequacy and ef-
fectiveness of controls in responding to risks within the
The control environment is the foundation on which an
organizations governance, operations, and information
effective system of internal control is built and operated
systems regarding the: reliability and integrity of financial
in an organization that strives to (1) achieve its strategic
and operational information; effectiveness and efficiency
objectives, (2) provide reliable financial reporting to inter-
of operations and programs; safeguarding of assets; and
nal and external stakeholders, (3) operate its business effi-
compliance with laws, regulations, policies, procedures,
ciently and effectively, (4) comply with all applicable laws
and contracts.
and regulations, and (5) safeguard its assets. Part of the
blame for the 2008 financial crisis and other prominent
failures of the 21st century can be appropriately attributed
to failures in the control environment.
An Organizations
The purpose of this Practice Guide is to provide guidance
to the internal auditor on the significance of the control
Control Environment
environment; how to determine which elements of the The Committee of Sponsoring Organizations of the
control environment should be addressed by engagements Treadway Commission (COSO) published the Internal
in the periodic audit plan; how to scope, staff, and plan ControlIntegrated Framework in 1992. It uses a very simi-
such engagements; and which items to consider in per- lar definition to that in the Standards Glossary referenced
forming related audit work, including evaluating and re- above. The Executive Summary states:
porting deficiencies.
The control environment sets the tone of an organization,
Focusing only on assessing and reporting on controls influencing the control consciousness of its people. It is the
within business and IT processes without assessing and foundation for all other components of internal control,
reporting on the related risk of control environment
IPPF Practice Guide
providing discipline and structure. Control environment

factors include the integrity, ethical values and competence
Scope and Approach to Auditing
of the entitys people; managements philosophy and oper- the Control Environment
ating style; the way management assigns authority and re-
sponsibility, and organizes and develops its people; and the Even though the control environment has a pervasive ef-
attention and direction provided by the board of directors. fect on risk management and internal controls across the
entity, any approach to auditing the control environment
Guidance on Control Number 1 from the Canadian Insti- should include an assessment of the risks from failure of
tute of Chartered Accountants Criteria of Control (CoCo) each individual control environment element and their in-
Board2 uses four criteria as the basis of understanding and teraction with each other. This Practice Guide uses the six
evaluating the effectiveness of an entitys internal control elements described in the Standards Glossary definition of
structure: purpose, commitment, capability, and monitor- the control environment:
ing and learning. The criteria of commitment embodies
shared ethical values, integrity, HR policies and proce- Integrity and ethical values.
dures, authority, responsibility, and accountability, and Management philosophy and operating style.
an atmosphere of mutual trust essentially the same as
Organizational structure.
the 1992 COSO framework and The IIA Standards defini-
tions. Assignment of authority and responsibility.
HR policies and practices.
Similarly, the original Turnbull Guidance, Internal Con- Competence of personnel.
trol: Guidance for Directors on the Combined Code, issued
by the Institute of Chartered Accountants of England The level of risks may vary across geography, business
and Wales in 1999, states that, a companys system of unit, process, etc. For example, the level of risk relat-
internal control will reflect its control environment which ing to integrity and ethical values may be higher in some
encompasses its organizational structure. The system will locations than others. Some business units may have a
include: control activities, information and communica- more established and experienced workforce, leading to a
tions processes, and processes for monitoring the continu- significant reduction in the risks associated with compe-
ing effectiveness of the system of internal control. tence of personnel than in business units where personnel
turnover is high.
While there may be differences in control language around
the world, the intent and the principles are similar and There are several examples of situations that might influ-
consistent. An effective control environment functions ence the assessment of risk of failure for one or more con-
like a keystone in an arch bridge without which, no mat- trol environment elements:
ter what, the best material and craftsmanship cannot hold
the bridge together. Auditing the control environment and Compensation and incentive structures can contrib-
assessing its effectiveness is an important part of an audi- ute to inappropriate behavior or excessive risk-taking.
tors assurance responsibility. A high rate of employee turnover in key functions
can lead to a lack of experience and less reliable ex-
ecution of controls. This may be the result of a num-
ber of failures in the control environment, including
ineffective supervision and other HR process issues.
IPPF Practice Guide
The absence of a defined code of conduct and ethics The CAE may decide to address the risks in:
and/or a whistleblower policy, the failure to establish A single audit across the organization.
an ethics hotline, the absence of a process to evalu-
ate the effectiveness of the code of conduct and A series of audits, each of which addresses selected
ethics policy, a high number of reported frauds, or aspects of the control environment (such as the eth-
management over-ride of established controls can all ics hotline, board and committee operations, etc.).
lead to inappropriate activity that is not detected and Audits of the control environment within selected
addressed timely. divisions or operating units3.
Key functions may be staffed by personnel who do A variation of the above.
not possess the necessary level of competence. The
level of risk is heightened if there is a perception that For instance, if individual operating units have their own
they hold their positions by virtue of their relation- ethics policies and autonomous compliance committees,
ship to senior managers, the promoters, or executive separate control environment audits at each unit may be
directors of the board. the best approach. If each division investigates ethics vio-
lations based on organizational guidelines and tips from a
The board may not provide effective oversight over centralized hotline, an organizationwide audit focusing on
the conduct of the organizations operations, and may the hotline combined with local audits focusing on the in-
not understand and monitor the broad organizational vestigations may be more relevant. If new personnel hiring
control environment. and screening is considered an important control environ-
Key managers in the organization may tend to make ment activity and this process is centralized, an organiza-
business decisions without clearly understanding the tionwide audit may be the best approach.
risks related to their decisions; management may not
exhibit risk and control consciousness in its decision- Although the initial scope and approach can be altered
making. over time as better assessments and knowledge of the or-
Processes relating to defining job descriptions for ganizations control environment comes to light, the CAE
key positions may be weak, background checks and/ should consider:
or reference checks are not consistently performed,
or the organization has difficulty hiring and retaining What are the control environment elements and
qualified individuals. their attributes (ethics policy, board governance,
compliance, fraud detection, etc.) that are key to the
Once the CAE has assessed the risks relating to each of entitys control environment?
the six control environment elements, he or she may in- How are these elements and related attributes man-
clude one or more audits of the higher control environ- aged during day-to-day operations? Is there clear
ment risks in the annual audit plan. The CAE may deter- accountability across the organization?
mine the frequency of auditing the control environment
Can these elements and attributes be managed effec-
based on his or her assessment of risk of control failures
tively and efficiently in the scope of one large audit
associated with one or more of the control environment
or would separate focused audits of each principle
elements.
and related attributes be more effective and efficient?
3 Risks related to the control environment at a location or within a business unit might also be included as part of the scope of broader individual audit engagements of that location or busi-
ness unit. For example, an audit of a factory in China might include assessments of control environment elements (such as code of conduct and ethics awareness) as well as controls over
inventory and procurement. An audit of the shared service center in Ireland might include assessments of HR practices in addition to general ledger and accounts payable controls.
IPPF Practice Guide
Does the balance of centralized versus decentralized the individual audits into an overall assessment of
operations within the organization influence how the the control environment.
control environment operates and thus the nature of Plan the individual audits so that differences in their
audit work? timing do not impede the overall assessment. In the
What combination of control environment audits will case of a substantial time lag between individual
allow the CAE to provide assurance to senior man- audits, it may be necessary to perform procedures
agement and the board regarding the organizations to update the results of earlier audits to support the
system of internal control? overall assessment.
Should the control environment audit be one annual Consider staffing the audits in ways that would
audit, one audit occurring periodically every few ensure continuity in the audit approach and consis-
years, or separate focused audits each year on differ- tency in the assessment process. Well-defined audit
ent principles rolling up into a review of all control programs also could help in this regard.
environment principles every few years?
Audits of the control environment often involve the dis-
If the control environment has not been reviewed cussion of sensitive issues, including the actions or inac-
previously, what knowledge is there that would tions of senior management and the board. The internal
guide the decision on the audit approach? Would a auditor should consider the following issues during the
high-level risk assessment of all control environment planning phase:
principles provide a basis for decisions? Should a
first year audit be different than the ongoing audits Whether specific skills will be required (e.g., requir-
that have been put in place in the audit plan? ing the use of internal or external subject matter ex-
Should any aspect of the control environment assess- perts). These skills may be provided through the use
ment be performed at the direction of legal counsel; of guest auditors from other parts of the organization
for example, those pertaining to investigations? or from a co-source service provider.
Are adequate audit resources available? Whether conversations with senior management and
Are there any explicit senior management and board the review of confidential documents require staff-
preferences (e.g., a stated desire to have the assessing the audit with mature, experienced personnel.
ment completed by a certain date)? In some situations, the CAE may decide to lead the
audit and/or personally perform certain aspects (e.g.,
As noted earlier, the audit plan may include a single audit the review of executive compensation or the results
of control environment risks. It may also include multiple of investigations involving senior management).
audits, each addressing separate elements of the control Ensuring, through discussions well in advance of the
environment, or control environment elements in differ- audit, that the information required to perform the
ent locations or business units. Where the plan includes audit (especially any information considered confi-
multiple control environment audits and the CAE is plan- dential) will be available when required. In addition,
ning to provide an overall assessment based on the results the auditor should ensure that everybody asked to
of these individual audits, the CAE should: support the audit understands the need to provide
the audit team with the information required timely.
Determine, during the initial planning phase, the This may require the involvement of the sponsor.
process that will be used to aggregate the results of
IPPF Practice Guide
Control Environment Implications for Indi- The results of separate audits of the control environment
vidual Internal Audit Engagements should be considered when preparing the audit report:
Effective management of risks involves evaluating and
When the control environment audit has already
monitoring not only business process controls but also
been completed, the auditor should consider those
controls relating to the entitys control environment. If the
results and include them in assessing whether the
effectiveness of the control environment is not considered
system of internal control including those in the
in an audit engagement, there is a risk that the assessment
control environment is adequate.
of the adequacy of controls will be incomplete and per-
haps even misleading or incorrect. When the control environment audit has not yet
been completed, the auditor should consider ac-
When defining the scope of any audit, the internal auditor knowledging that fact and make it clear that the
should consider the level of reliance placed on the effec- assessment of internal controls is based on the
tiveness of control environment activities, and the risk of assumption that the control environment activities
deficiencies in the control environment. In some cases, are effective. The auditor should consider revisiting
these risks and the related controls will be included with- his or her assessment of the adequacy of internal
in the scope of the audit. In others, reliance will be placed controls should the audit of the control environment
on separate audits performed of the control environment result in the identification of deficiencies.
or one or more of its six elements.
For example, when developing the scope of work for an
audit of accounts payable (AP), the auditor should con- Practical Considerations
sider risks such as: in Auditing the
AP staff and managers involved in the AP process Control Environment
(e.g., as approvers of invoices) are not familiar with
Discussed below are some of the practical considerations
the organizations expectations for ethical behavior.
that should be taken into account while planning, execut-
Hiring practices are not effective in staffing key AP ing, and reporting on audits in this area.
positions with experienced personnel.
Audit procedures around these risks might be included

Senior Management and Board Support
within the scope of the AP audit. However, if separate
or Buy-in
audits are being performed that specifically address these An audit of the control environment involves assessing con-
risks for example, as part of audits of the code of controls that in many cases, directly and/or indirectly, are per-
duct and hiring practices the auditor might want to formed by or at the direction of senior management or the
make reference to, and rely on the results of, those audits board. Whether the audit is of all or only one element of the
rather than duplicate the work. control environment, consideration should be given during
the planning phase as to whether the internal audit team
When the scope of work for an audit does not include cov- will be challenged in its need for access to the pertinent in-
erage for control environment risks, that limitation should dividuals and required documentation. Actions may be re-
be clearly communicated to management or the executive quired to mitigate and manage such challenges before the
sponsor during the planning phase and in the final report. commencement of the audit. These actions might include:
IPPF Practice Guide
Discussing the need for access during the develop- records containing discussions about allegations against
ment of the audit plan. senior management). This may be mitigated if the CAE
Ensuring that the audit charter provides for appro- is able to obtain strong support from the board or execu-
priate access. tive management, with a clear mandate that the audit
team should be provided full access to the information
Obtaining the support and sponsorship of the board
required to perform the audit.
and/or the chief executive for the audit. In some
cases, the support of the chief financial officer
If the CAE is unable to ensure that the audit team will
(CFO) or general counsel may be sufficient.
have full access to information necessary to complete an
Written communications from an appropriate effective control environment audit, or will be unable in
member of the executive management instructing fact or perception to be sufficiently objective and inde-
the organization to provide the required access and pendent in its assessment of the control environment,
information. such scope restrictions and other limitations should be
Attendance by the executive sponsor4 at the audits promptly reported to the board. The CAE should consid-
opening meeting. er whether to pursue an audit with appropriate scope re-
strictions communicated in the report per the Standards.
Meeting with key members of executive manage-
Such restrictions do not relieve the CAE of her/his obliga-
ment who are in a position to enable access, early
tion to report to the governing board on the importance
in the audit planning phase. The internal audi-
and need to evaluate the control environment.
tor should ensure that the executives understand
what information and access is needed and why.
Criteria for Assessing the Control
Their concerns should be heard, understood, and
Environment
addressed where possible. Escalation to execu-
tive management or the board may be necessary to The audit planning process includes consideration of the
resolve continued denial of access. end-product of the audit, in particular what criteria will
be used for the assessment. As with other engagements,
Internal Auditings Position Within options include:
the Organization
The reporting structure for internal auditing also may be An assessment of the controls included in scope us-
an issue. Standard 1110: Organizational Independence ing the organizations standard rating system, togeth-
states that the chief audit executive must report to a er with opportunities for improvement.
level within the organization that allows the internal au- The assessment of the controls using a defined
dit activity to fulfill its responsibilities. When the CAE control maturity model, in addition to the standard
does not report to an appropriate level, his or her ability rating and opportunities for improvement.
to perform an audit of the organizations control environ-
Assessment of controls as directed by the general
ment or its elements may be challenged. For example,
counsel with a specific objective in mind.
the CAE may be directed not to assess certain elements
of the control environment (e.g., competence of person- Benchmarking (between companies and/or between
nel in the finance function), or have only limited access units/departments in the company).
to confidential information (such as board minutes or
4 For the purposes of this Practice Guide executive sponsor is a member of the executive team or board who will actively support the completion of the audit.
IPPF Practice Guide
The CAE should use judgment, in consultation as neces- background checks on employees; in some geographies,
sary with the board or executive sponsor or the general practices related to the hiring and treatment of minorities
counsel, in determining what criteria will be used to mea- are accepted that would be illegal in other countries).
sure the effectiveness of the control environment. The
CAE should ensure the board, senior management, and Most multinational organizations have developed and
management responsible for the area being audited clear- published an organizational code of conduct that applies
ly understand how the results will be communicated if to all of their operations globally. In such cases, audits of
they are different from the standard internal audit report- the control environment already have a set standard on
ing process. which the internal auditors should base their audit scop-
ing, program, assessment, and reporting.
Whether the assessment will be of the design and operat-
ing effectiveness of specific controls or the overall quality However, not all organizations have adopted global stan-
of such controls using a particular control maturity model, dards, or the global standards may need to be adjusted for
the criteria for that assessment should be defined during the unit being audited to comply with local laws. In these
the planning process and clearly explained to the engage- cases, the internal audit team should, in consultation with
ment client including appropriate members of senior appropriate management, seek an agreement on what cri-
management. The CAE should consider discussing the teria or standard the audit team will follow. This should be
criteria to be employed with management and obtaining clearly communicated to operating management before
its agreement if possible. Significant value to the organiza- the start of the audit. If the standards differ in any way
tion can be obtained through such discussion and buy-in from the organizationally published standards, the reasons
prior to beginning the audit. for variation should be clearly explained.
Consideration of Local Culture and Values The CAE should consider variations in culture, values,
Local culture and values should be considered when de- and practices, as well as the need for language skills,5 in
termining the criteria for assessing business conduct and assessing risks relating to the control environment and in
other elements of the control environment. Business con- staffing each audit. The team should include individuals
duct and other standards and expectations are not uniform who are able to understand the context as well as the prac-
around the world, due in large part to differences in legal tices in each region and enable an objective, balanced,
traditions, social and cultural values, and the structure of and fair assessment of the adequacy of the control envi-
capital markets. For example, while there are traditions ronment practices.
in some emerging markets for commerce to be enabled
by payments to involved individuals and for purchases Coordination with External Auditors
to be made from related parties, this practice is consid- While it is clear that internal auditings evaluation of an en-
ered illegal under the U.S. Foreign Corrupt Practices Act titys control environment, or one or more of its elements,
(FCPA) and UK Bribery Act. Nations differ in their gov- provides much needed assurance to senior management
ernance laws and regulations (e.g., on the requirement for and the board of directors, the internal auditor should
independent members of the board and other governing be aware that external auditors may not be able to place
bodies), or in other aspects of the control environment complete reliance on their work in assessing the control
(e.g., some restrict the ability of employers to perform
5 Lack of familiarity with the local business culture and language may present barriers to developing an effective understanding of differences in culture and behavioral norms from
that of internal auditors host country. Experience in, and understanding of, the local language and culture is likely to improve the auditors ability to understand and assess compli-
ance or lack thereof with organizational policies, standards, and expectations.
IPPF Practice Guide
environment with respect to audits of the financial state- perceptions. These are considered soft controls because
ments and the system of internal control over financial re- it may be difficult to obtain direct evidence of their effec-
porting. Depending on the external auditors assessment, tive operation through traditional testing. Instead, self-as-
the external auditors may feel compelled to validate cer- sessments, surveys, workshops, or similar techniques may
tain controls themselves to bolster their independence. be better suited than traditional methods. Specifically:
Internal auditing should work with the external auditors
during annual planning sessions to minimize duplication Employee surveys are frequently used in evaluating
and ensure the board and other stakeholders understand: the success of managements efforts in establish-
(a) the external auditors may only review those aspects of ing an effective control environment. These surveys
the control environment that relate to a risk of a material provide useful measurements of the effectiveness
misstatement of the financial statements, (b) the external of one or more control environment elements. An-
auditors may be required to perform some levels of inde- nual employee ethics compliance forms are another
pendent assessment, (c) a review by internal auditing will example.
generally address a greater range of risks (operational and The CAE should use his or her network within the
compliance risks in addition to financial reporting risks), organization. The network is critical in discerning
and (d) there is an opportunity for internal auditing to whether communication, tone at the top, manage-
contribute to improvements in related processes through ment walking the talk, and effective supervision are
its greater understanding of the organization as a whole. present on a day-to-day basis.
The internal auditors knowledge of the organiza-
tions inner-workings is useful to further corroborate
the effectiveness of soft controls.
How to Audit the The value of auditing by walking around cannot
Control Environment be overstated. By being present, visible, and obser-
vant across the organization, auditors can identify
This section elaborates on generic tools and techniques those intangible clues that may lead to deeper
to audit the control environment. The Appendix lists assessments. Associates who trust they can provide
potential audit procedures that might be considered in concerns to auditors with an appropriate degree of
developing an audit of an entitys control environment anonymity are also valuable.
or one or more of its elements. The seven elements and
Past audit results over control activities and the
attributes are taken from COSOs Internal ControlInte-
reaction and remediation from management also are
grated Framework control environment component.6 The
good indicators.
elements and attributes include financial, compliance,
and operating effectiveness control objectives. The Ap- Internal auditors participation in committees,
pendix is presented only for illustrative purposes and is taskforces, workgroups, and involvement in ethics
not intended to be complete or comprehensive. and compliance program implementation and as-
sessments provide valuable insights over extended
An audit of some elements of the control environment periods of time.
will include a review of soft controls, such as those
As the above may provide primarily indirect evidence,
around ethics, integrity, competencies, behaviors, and
the auditor must always ensure sufficient evidence is
6 The seven control elements include the six from the Standards and one additional element Importance of the Board as defined by COSO.
IPPF Practice Guide
obtained to support the audit conclusions and assess- However, limiting the assessment in this way is likely to
ment. Wherever feasible, the auditor should not hesitate result in a failure to understand and act on the pervasive
to employ data analytics to filter patterns and anomalies to effect of the deficiency. Preferred practice is for the inter-
generate hard evidence. nal auditor to work with management and understand any
or all implications for the management of critical risks and
Controls related to other control environment elements the effectiveness of related internal controls.
(e.g., publishing an updated and appropriate code of con-
duct and obtaining references and performing background For example, deficiencies in the hiring process may lead
checks for new employees) may lend themselves to tradi- to an inability to hire sufficient, competent personnel in
tional audit techniques. the accounting function. As a direct result, key account
analyses, bank reconciliations, and the resolution of un-
In planning the audit, the auditor should understand the matched cash receipts may not be completed timely.
different nature of soft and other controls, and select the
most appropriate techniques. When assessing deficiencies in control environment ele-
ments, the auditor should be alert to indicators that other
affected controls are also failing. These controls may be
business process, IT processes, or even other control envi-
Evaluating Control Environment ronment controls. For example, a failure to hire sufficient
staff can lead to shortcuts in processes. These indicators
Deficiencies may point to a higher level of risk to the organization from
the control environment deficiency.
Control environment deficiencies generally impact mul-
tiple areas or processes and are essentially pervasive in The auditor also should consider the implications of multi-
nature. Deficiencies in control environment might be ple, related deficiencies in control environment elements.
identified during audits that focus on (1) the organiza- Some deficiencies may have a greater effect when they are
tions control environment, or one or more of its elements; both present than simple aggregation of their individual
(2) the control environment or one or more of its elements risks may suggest. For example, when the absence of new
within a business unit, location, or equivalent; and (3) one employee training in an organizations code of ethical con-
or more control environment elements as part of other in- duct is coupled with the failure to obtain references and
ternal audits. perform background checks on new employees, the risk
of hiring potentially incompetent personnel and even
1. Evaluating deficiencies found during an audit that is individuals with a criminal record is exacerbated.
focused on the organizations control environment or
one or more of its select elements. Even if the audit report is limited to disclosure of the
deficiencies without consideration of their pervasive ef-
The internal auditor may choose to assess the deficien- fect, the CAE should discuss the implications and related
cies within the context of the control environment audit. management actions with the board or audit committee.
In other words, the audit report may limit discussion to
whether the individual control environment elements are The corrective actions required to address control envi-
effective. ronment deficiencies may have to be extended beyond the
immediate control environment element; for example, to
IPPF Practice Guide
include greater monitoring of affected controls in busi- The assessment of the overall system of internal controls
ness processes. for the business risks covered by the audit should con-
sider whether the control environment deficiencies are
2. Evaluating deficiencies found during an audit that is compensated for or mitigated by other controls that are
focused on the control environment within a business operating effectively within or outside the business unit/
unit, location, or equivalent. function/area that is being audited.
In addition to the analyses discussed above, the auditor

should determine whether control environment issues
identified in a localized audit are indicative of more per-
vasive issues across the business units, areas, or processes
Communicating Results
within the organization. For example, if hiring practices in When communicating the results of a control environ-
the divisions are deficient, could the related procedures, ment audit, the auditor should consider:
processes, and systems be deficient in other divisions? If
there is a lack of awareness of the organizations code of Whether the standard audit report format, includ-
conduct, is it due to the fact that the current version of ing the standard assessment scale, should be used.
the code was not posted on the corporate portal, thereby In some cases, senior management or the board may
affecting all parts of the organization? Has the code been prefer a presentation rather than a standard audit
translated into local languages, to support all parts of the report.
organization?
In many situations, limiting the distribution of the
report. This may be achieved in some organizations
The internal auditor and the CAE should discuss the po-
by clearly marking the report as confidential and
tential implications of local control environment deficien-
thereby limiting its distribution. However, the CAE
cies on the organization as a whole, and adjust the audit
should clearly understand how and when findings of
plan accordingly. In some cases, additional audit work
control environment deficiencies related to the sys-
may be required to assess whether the deficiencies are
tem of internal control over financial reporting need
widespread rather than confined to the unit, country, etc.
to be communicated to the external auditors.
covered by the audit.
Additional safeguards if the audit was performed at
3. Evaluating deficiencies found during an audit that the direction of the general counsel, especially when
focuses on the control environment or one or more of there may be a need to protect the confidentiality of
its elements as part of another audit (e.g., an audit of the report under client-attorney privilege or similar
AP that includes assessing the competence of manage- protective measures.
ment and staff and awareness of the code of conduct Whether the audit did not include procedures relat-
and ethical expectations). ing to an element of the control environment that is
relevant to the assessment. Such a scope limitation
Many of the issues discussed above also apply here. The should be clearly reported in the final audit report,
internal auditor should confer with the CAE and consider even if the exclusion is based on the risk assessment
whether the control environment issues that have been as discussed above.
identified might extend to other parts of the organization.
If the review of the control environment was per-
The audit plan should be adjusted accordingly.
formed as part of a risk-based business audit in line
IPPF Practice Guide
with the audit plan, whether to include a discussion Nature and Tone of Recommendations
of issues related to the control environment as part
Recommendations in the report should be practical with
of the audit or as part of a separate report on the
positive intent and should address the root cause for the
overall control environment.
identified control environment risk.
Varying the timelines for issuance of the report based
on: Follow-up of Recommendations
Significance of the issues identified. Much like other internal audits, the recommendations
Timing of the quarterly attestation on internal con- brought out in these audits should also be followed-up.
trols over financial reporting and compliance. Given the sensitive nature of the findings, the follow-up
The scope and objective of the audit. may be performed by internal auditing or by others in the
organization such as the audit committee and/or the board
The nature or sensitivity of the issues identified. of directors.
The audience of the audit report.
In addition, the CAE should consider the following spe-
cific factors in determining how to communicate the re-
sults of control environment audits.
Sensitive Information
In some situations, communication of risks within the
control environment due to the nature of the control defi-
ciencies may be considered sensitive or confidential. For
example, if there is an issue at the senior management
level that could have a potential adverse bearing on the
perception of their integrity and represent a potential
compromise of organizational values, the CAE should
consult with appropriate members of the senior manage-
ment team, especially the general counsel, and the board
to determine the appropriate communication strategy and
process including how corrective action will be docu-
mented and monitored.
Identification of Significant Issues

If an audit of the control environment identifies issues of
significance, the CAE should review the results of prior
internal audits to determine whether earlier assessments
should be revised. The results of this review should be
communicated to senior management and the board. This
may result in changing the audit plan mid-stream because
of a potential change in the organizations risk profile.
IPPF Practice Guide
Appendix
The following is an example of audit procedures that use seven basic principles for a broad-based audit that assesses the
control environment. The principles, as well as the elements and attributes, are adapted from COSOs Internal Control
Integrated Framework control environment component.7 The elements and attributes include financial, compliance, and
operating effectiveness control objectives.
Control Design 8
Elements and Attributes (methods to achieve control environment Control Testing Considerations
principles, elements, and attributes)
1. Integrity and Ethical Values: Basic Principle Sound integrity and ethical values, particularly of senior management, are developed and
set the standard of conduct for doing business.
Developed senior management develops Senior management conveys the message that Conduct periodic, anonymous pulse surveys
a clearly articulated statement of values or integrity and ethical values cannot be compro- of employees as to the ethical attitude com-
ethical behaviors that are understood by key mised, both in words and in actions. municated by senior management.
executives and the board.
Senior management has developed a code Review the existence and content of the
of ethics that emphasizes the organizations organizations code of conduct and ensure a
expectation that employees will act with process exists for periodic updating of the
integrity in all actions related to their scope of code.
employment.
Review the existence and content of the
Senior management has developed a code organizations code of business conduct and
of business conduct that emphasizes the ensure a process exists for periodic updating
organizations commitment to fair and honest of the code.
dealings with customers, suppliers, and other
external parties. Review the mix between fixed and variable el-
ements in employee compensation plans, and
Performance expectations and incentives are the relative weighting on short-term financial
designed so as to not create undue tempta- performance in compensation plans.
tions to violate laws, rules, regulations, and
organization policies and procedures. Review senior managements compensation
system to understand if it unduly incents
excessive risk-taking and the override of the
entitys system of internal control.
7 Adapted from Internal Control over Financial Reporting-Guidance for Smaller Public Companies: Volume III, Evaluation Tools. COSO, 2006, pages 25-31 for Control Environment
Principles, Attributes and related summary of Entity-wide Controls and Management Documentation. Auditors should consider obtaining and reviewing the COSO literature found
at www.COSO.org for more in-depth guidance and methodology tools.
8 The suggested control testing in many instances asks the internal auditor to obtain certain documentation. In practice the auditor may encounter situations where the documentation
may be missing or may not exist. It is important that this lack of documentation be listed when appropriate as a significant audit finding by the auditor.
IPPF Practice Guide
Control Design
Communicated senior management New employees receive a copy of the Review the signed employee representation
communicates its commitment to ethical organizations code of ethics and code of that they have read and understood the
values through words and actions. business conduct and are trained as to how codes of ethics and business conduct and,
these guidelines apply to specific factual for existing employees, their certification
situations common to the organizations that they have not violated the codes during
business environment. the past year and are aware of no other
such violations (or, if they are aware of such
Existing employees are provided with updated violations, they have 1) communicated these
copies of the organizations code of ethics and violations as directed by their compliance
code of business conduct at least yearly, and or ethics office training and 2) if based on
receive periodic retraining on the application their perspective the violations have not
of these guidelines to the organizations been resolved, communicated the potential
business environment. violations via their companys ethics hotline.
Customers, vendors, and other external Review organization training courses,

parties receive a copy of the organizations including the process for ensuring that all
code of business conduct at least yearly, by employees attend these courses on the codes
inclusion in other mailings to these parties. of ethics and business conduct.
Contractual arrangements with these parties
should include requirements for adherence to Review the organizations policy for including
the organizations code of ethics and code of the code of business conduct in a yearly
business conduct. mailing to customers, vendors, and other
external parties. Verify that the code of
business conduct is included in mailings.
IPPF Practice Guide
Control Design
Reinforced the importance of integrity The organizations newsletter (and other Review editions of the organizations
and ethical values is communicated and internal communication devices) highlights: newsletter during the year to examine whether
reinforced to all employees in a manner a. Ethical dilemmas often arising in coverage of ethical dilemmas, ethical failures,
suitable for the organization. the organizations industry and how and ethical successes are included.
management expects employees to act
in these situations.
b. Ethical failures (with names disguised)
and the consequences of these failures
for both the organization and the
employees involved.
c. Ethical successes (with names
retained and highlighted) with the
situation described, the employee
behavior, and why the behavior was
consistent with organization guidelines.
IPPF Practice Guide
Control Design
Monitored processes are in place to All new employees are required to sign Review the signed employee representation
monitor the organizations compliance with the code of ethics and business conduct that they have read and understood the
principles of sound integrity and ethical indicating that they have read and understand codes of ethics and business conduct and,
values. these codes. for existing employees, their certification
that they have not violated the codes during
All existing employees are required to sign an the past year and are aware of no other
annual contract acknowledging that they have such violations (or, if they are aware of such
read the most recent versions of the code of violations, they have communicated these
ethics and business conduct and that they violations via the hotline).
understand and are in compliance with these
codes. Review organization training courses,
including the process for ensuring that all
HR or hiring department management monitor employees attend these courses, on the codes
whether new and existing employees have of ethics and business conduct.
completed the required training on the codes
of ethics and business conduct. Review the existence of the hotline
including the organizational unit responsible
The organization has established a hotline for managing and overseeing the hotline.
a reporting mechanism that permits Examine the organizations efforts to
anonymity, and preferably staffed by an publicize the hotline. Review a sample of
internal group with a direct reporting calls received on the hotline and examine
relationship to the board or by an outside the appropriateness of investigation and
vendor for receiving reports of suspected resolution of allegations.
violations of the organizations codes of ethics
and business conduct and publicizes the
existence of the hotline.
IPPF Practice Guide
Control Design
Deviations Addressed deviations from A senior executive, preferably with a direct Review the organizational unit, and related
sound integrity and ethical values are reporting relationship to the board, is reporting relationships, responsible for
identified timely and are addressed and responsible for oversight of the organizations oversight of ethics and compliance.
remediated at appropriate levels within the ethics and compliance function.
organization. Examine the appropriateness of investigations
Allegations of violations of the organizations of allegations of violations of the
codes of ethics and business conduct are organizations code of ethics and business
appropriately investigated, and the necessary conduct, including corrective, disciplinary, and
corrective, disciplinary, and remedial actions remedial actions taken.
happen timely. This includes hotline reported
matters. Review the organizations investigation
policies and practices to ensure that
appropriately qualified personnel are
performing the investigations. Evaluate
the qualifications of the investigators and
ascertain that there is good segregation of
duties between investigations, operating
management, and the discipline decision
makers.
IPPF Practice Guide
Control Design
2. Importance of Board: Basic Principle The board understands and exercises oversight responsibility related to financial reporting,
applicable laws and regulations, operating effectiveness and efficiency, and related internal control.
Evaluates and Monitors Risk the board The board develops governance principles and Review the boards governance principles,
actively evaluates and monitors: included among these principles is the boards and that among these principles is the
The risk of management fraud via responsibility for evaluating and monitoring boards responsibility for evaluating and
override of internal controls. risks, especially the risk of fraud by senior monitoring risks. Inquire of the board, senior
Risks affecting the achievement of management. management, the CAE, and the external
internal control objectives. auditor as to the boards processes for
The board actively, or by delegation of the evaluating and monitoring risks.
audit committee, evaluates and monitors the
risk of management fraud by overriding of Review board agenda, minutes, and
internal controls. information packets for evidence that the
board evaluates and monitors the risk of fraud
The board actively evaluates and monitors by senior management via managements
the risk of not achieving internal control override of internal controls. Inquire of the
objectives. board, senior management, the CAE, and
the external auditor as to board processes
for evaluating and monitoring the risk of
management fraud and management override
of internal controls.
Review board agenda, minutes, and

information packets for evidence that the
board evaluates and monitors the risk of
not achieving internal control objectives.
Inquire of the board, senior management,
the CAE, and the external audit partner as
to the boards processes for evaluating and
monitoring the risk of not achieving internal
control objectives.
Oversees Quality and Reliability the The board charter vests oversight Review the board charter to verify that the
board provides oversight for the effectiveness responsibility for the organizations internal board has responsibility for oversight of the
of the system of internal control. control system with the board. internal control system. Review board meeting
agenda and minutes denoting substantive
The board receives periodic reports on the board attention to this issue.
effectiveness of internal control.
Review board meeting agenda, minutes, and
information packets for evidence of reporting
to the board on the effectiveness of internal
control.
IPPF Practice Guide
Control Design
Oversees Audit Activities the board The board charter vests the audit committee Review the audit committee charter to verify
oversees the work of all audit functions, or the similar governing body with the that the audit committee is vested with the
including internal and external auditing, authority to oversee the: authority to oversee the:
and interacts with regulatory auditors, as
necessary. The board has the exclusive Financial reporting and external Financial reporting and external audit
authority to hire, fire, and determine the audit processes, and the exclusive processes, and with the exclusive
compensation of the external audit firm and authority to hire, fire, and determine the authority to hire, fire, and determine
the CAE. compensation of the external audit firm. the compensation of the external audit
firm. Inquire of board members, senior
The internal audit activity, and the management, and the external auditors
authority to hire and fire the CAE and to as to the boards role in overseeing the
approve the budget for the internal audit financial reporting and external audit
activity. processes, including responsibility for
selecting the audit firm and determining
the audit fee.
Internal audit group, and with the

authority to hire and fire the CAE, and
to approve the budget for the internal
audit activity. Inquire of board members,
senior management, and the CAE as to
the boards role in overseeing the internal
audit activity, including responsibility
for selecting the CAE and approving the
internal audit budget.
Independent Critical Mass the board The organizations charter or bylaws requires Review charter or bylaw provisions requiring
has a critical mass of members who are a critical mass of independent directors independent directors on the board, and
independent of management. on the board, and is appropriate given the evaluate the number of independent directors
organizations size, industry, and regulatory given the organizations size, industry, and
environment. regulatory environment. Review director
backgrounds for those directors classified as
independent.
IPPF Practice Guide
Control Design
Financial Expertise2 the board has one or The board charter requires at least one Review the backgrounds, including education
more members who have financial expertise. member to have financial expertise and and experience, of board members to evaluate
requires all members to be financially literate. the nature of their financial expertise and
literacy.
At least one member on the board has
substantive experience in accounting
(e.g., certified public accountant, CFO, or
controller).
Frequency the board meets regularly, The charter for the board requires it to meet Review the charter for these provisions.
often in executive sessions, and devotes no less frequently than quarterly. Evaluate whether the board was in compliance
sufficient time and resources to adequately with this aspect of the charter. Inquire of
carry out its functions. The board holds an executive session at every board members as to whether the number
meeting. of meetings was sufficient (separately for
independent and non-independent directors).
The board allocates time to meet alone
with the partner from the registered public Review board minutes, and inquire of board
accounting firm and with the CAE at every members as to whether an executive session
meeting. was held at every meeting.
The board devotes sufficient time to carry out Review board minutes, and inquire of audit
its responsibilities (e.g., as a rule of thumb, committee members as to whether the board
the board should meet for 1-2 days at each had the opportunity to meet alone with the
meeting and the audit committee should meet audit partner from the registered public
for 3-4 hours at each meeting). accounting firm and with the CAE at every
meeting and does so on multiple occasions
The chairman of the board, if independent, throughout the year.
or, if not, the lead independent director is
primarily responsible for developing the Review board minutes as to the length of
agenda for board meetings. Other directors, board meetings. Inquire of board members
the CAE, senior management, and external as to whether the number of meetings was
auditors have input to the agenda-setting sufficient (separately for independent and
process. non-independent directors).
9 Although COSOs Small Business Guidance focuses on internal controls over financial reporting, it is important to note that boards need and have other experts (e.g., risk manage-
ment, etc.) as members on various committees. In such cases, it is expected that educational background and related experience of such individuals also be evaluated.
IPPF Practice Guide
Control Design
The board has input into the packet of Inquire of the chairman of the board (lead
information received before board/committee independent director) and other board
meetings. The information packet is received members as to the process for setting the
at least three days before the meeting. board agenda. Confirm that board members
have an opportunity to review and provide
Board members spend sufficient time input into the setting of the agenda.
reviewing the pre-meeting information packet.
Inquire of board members as to their
The charter for the board authorizes the involvement in determining the content of the
board to retain outside advisers or counsel as information packet and appropriateness of the
needed. advanced distribution for review prior to the
meeting.
Inquire of board members, senior

management, the audit partner, and the
CAE as to board preparedness for meetings.
Review the annual board peer evaluation
process, ascertaining that board preparedness
is evaluated.
Review the charters for provisions allowing the

board to retain outside counsel and advisers
as needed. Inquire of board members as to
IPPF Practice Guide
Control Design
3. Managements Philosophy and Operating Style: Basic Principle Managements philosophy and operating style support achieving
effective internal control.
Set the Tone managements philosophy Management emphasizes the importance of Inquire of relevant employees as to their
and operating style emphasize high-quality meeting internal control objectives through perception of the importance of complying
and transparent internal and external both its words and actions. with internal control objectives. Review
reporting, and the importance of effective criteria for employee performance reviews,
internal control and risk management. ascertaining whether employees are held
accountable for meeting internal control
objectives.
Review speeches and presentations to internal

and external parties that may reflect the tone
and style of leadership.
Independently observe or inquire with

attendees of executive and/or board meetings
to confirm that the extent and depth of
conversations regarding risk, controls, and
compliance matters is appropriate given the
matters facing the organization.
Review employee survey results where

questions concerning the culture and
leadership have been asked.
Articulate Objectives management Internal control objectives over financial Review organization operating and accounting
establishes and clearly articulates internal reporting, compliance with applicable laws manuals and other means of disseminating
control objectives. and regulations, efficiency and effectiveness internal control objectives throughout the
of operations, and safeguarding of assets organization. Inquire of relevant individuals
are communicated to relevant individuals as to their understanding of internal control
throughout the organization. objectives.
Select Principles and Estimates The organization follows a periodic, disciplined Review documentation of the organizations
management follows a disciplined, objective process for establishing internal control process for establishing internal control
process in developing internal control objectives over financial reporting, compliance objectives. Inquire of senior financial and
objectives. with applicable laws and regulations, operating management as to their involvement
efficiency and effectiveness of operations, and in establishing internal control objectives.
safeguarding of assets and involves senior
financial and operating management.
IPPF Practice Guide
Control Design
4. Organizational Structure: Basic Principle The organizations organizational structure supports effective internal control.
Establishes Responsibility management The organization designs a structure that is Review the entitys organizational structure.
establishes internal reporting responsibilities appropriate given its size, industry, age, and Compare the organizational structure to other
for each functional area and business unit in business risks. companies of similar size, industry, and age.
the organization.
Management establishes reporting Review established reporting responsibilities
responsibilities for all organizational units. and written evidence of the discharge of these
reporting responsibilities during the period.
Inquire of key operating, financial, and legal
personnel as to their understanding of, and
compliance with, reporting responsibilities.
Review whether the risks associated with the

organizations structure have been discussed
by senior management and the board (e.g.,
risks associated with legal entity complexities,
centralization vs. decentralization, span of
control, pace of business change and whether
the organizational structure is adapting, etc.).
Review whether the organizations structure

facilitates the flow of risk information
upwards, downwards, and across the
organization.
Maintains Structure management The organization develops and maintains an Review the organizational chart, including
maintains an organizational structure that organization chart that establishes roles and delineation of roles and reporting
facilitates effective reporting and other reporting responsibilities for all employees. responsibilities, and review the organizations
communications about internal control process for updating the organizational chart.
among various functions and positions of The organization develops and maintains job Inquire of key employees in the internal control
management. descriptions for key positions. structure as to their understanding of roles
and responsibilities.
Review job descriptions for key employees,

including the organizations process for
updating job descriptions. Inquire of key
employees in the internal control structure as
to their understanding of their job description.
IPPF Practice Guide
Control Design
4. Organizational Structure: Basic Principle The organizations organizational structure supports effective internal control.
Maintains Processes managements The organization has established processes Review the organizations process for
lines of reporting recognize the importance for periodically validating the reliability of periodically validating the reliability of
of maintaining processes for objective its information system and the accuracy, its information system and the accuracy,
verification of information generated from the completeness, and timeliness of the completeness, and timeliness of the
organizations information system. information generated from that system. information generated from that system, and
reports generated as a result of this process.
Review deficiencies identified, and the
organizations investigation, resolution, and
remediation of identified deficiencies.
5. Commitment to Competence: Basic Principle The organization retains individuals competent in financial reporting, internal control,
and risk management, and related oversight roles.
Identifies Competencies competencies A clear and transparent competency strategy/ Obtain and review the competency strategy/
that support effective financial reporting, plan exists that is aligned to the organizations plan to verify that it exists, aligns to business
internal control, and risk management are business strategy and objectives. The strategy strategies and objectives, has been approved
identified. has been approved by executive management by executive management, and has been
and communicated. The strategy/plan should communicated as appropriate.
include the competency requirements for
activities that have been outsourced. The Review staffing levels and organization charts
plan should include methods for acquiring the and inquire with management to understand
competencies required. the methodologies used to assess that there
is sufficient staff to execute strategies and
Plans are in place to ensure the appropriate operating plans.
level of staffing.
From the organization charts, select a
Formal job/role descriptions exist that define sample of positions and review the job/role
tasks and competencies for each position. descriptions to ensure that the right level of
Job/role descriptions (and experience) should competencies have been articulated to fulfill
include both skills and behaviors necessary the assigned tasks of the position. Do the
to complete the assigned work. For each skills seem appropriate and competencies
competency, the desired level of competency (and experience) reasonable and consistent?
should be articulated. It is recommended that the sample include
key leadership, management, and supervisory
positions particularly as they relate to
financial reporting, risk, and control.
IPPF Practice Guide
Control Design
Retains Individuals the organization Individuals are placed in positions based on For recent hires, obtain the incumbents
employs or otherwise utilizes individuals who the fit of their competencies (and experience) curriculum vitae or rsums to ascertain
possess the required competencies in financial to the job requirements as defined by the job that there is an appropriate match of their
reporting, internal control, compliance, and descriptions. competencies to the job position. Consider
risk management. competencies, background, education, and
In filling key management positions, broad experience. Inquire with management about
functional experience should be a goal. the adequacy of the selection process.
Consideration is given to competency of In reviewing the key management job

service providers when outsourcing activities. descriptions of incumbents, ascertain that
there is broad functional experience rather
There should be a plan to cross train than over-weighting from one or two functional
management and staff to provide areas. Inquire with management about the
understanding of other functions impacting alignment of current skills and competencies
their specific duties and for back-up. of incumbents given ongoing business
changes, risks, and current operational
Plans are in place to ensure adequate staffing performance.
levels are maintained.
Review outsource agreements/arrangements
Succession plans for key positions exist and to ascertain that competencies were given due
individuals identified in those succession consideration in selecting the service provider
plans have the required competencies or plans (pre-qualification). Ensure that provisions
exist to develop those competencies. exist requiring the service provider to maintain
the necessary competencies. Assess whether
There is a process in place to obtain the process for monitoring competencies is
assistance for highly complex technical effective.
matters.
Obtain training plans and ascertain that cross
Hiring of individuals includes background training is being included in training plan
checks and references, etc. strategies.
Inquire of external auditors their perception

of capabilities and staffing levels within
the financial reporting and key governance
functions within the organization. Review
audits completed by external parties
(regulators, contract, environmental, etc.).
IPPF Practice Guide
Control Design
Were competencies evaluated and if so what

were the conclusions/ recommendations?
Review succession plans for key positions.

Ensure that training development plans
and competencies of potential succession
planning candidates generally align to job/role
requirements.
Inquire with finance staff and independently

with external auditors to determine how past
needs for technical assistance/confirmation of
accounting procedures were handled.
Evaluates Competencies needed There is a competency assessment approach Obtain and review the adequacy of procedures
competencies are regularly evaluated and and guidance that is documented and updated for assessing individual competencies. Select
maintained. regularly. The approach is designed to identify a sample of management and staff and review
competency gaps and establish written assessments, plans to address gaps, and
development plans to address gaps within progress made to date. Review the reporting
a reasonable timeframe and a monitoring/ system, and conclude on whether people
reporting system to ensure that the gaps are collectively are progressing adequately in
addressed. addressing competency gaps.
For individuals in key financial reporting, risk, For key individuals, review documentation that
and control functions, the board annually this was completed.
assesses their competencies.
Review those business processes where
Annual assessments of competencies and surprise risk events, material weakness,
performance of both organization and or deficiencies occurred to determine if
outsourced service provider employees is in competency assessments were properly
place. carried out.
Skills noted in job descriptions are part of the Review a sample of performance appraisals
regular annual employee performance review. to determine whether skills noted in job
descriptions are indeed part of employees
annual performance appraisal and whether
compensation adjustments differ for
employees performing the same skill at
various levels of competency.
IPPF Practice Guide
Control Design
6. Authority and Responsibility: Basic Principle Management and employees are assigned appropriate levels of authority and responsibility to
facilitate effective internal control.
Board Oversees Internal Control and Legal entity board and committee Obtain and review the organizations legal
Risk Management the board oversees structures, bylaws, and/or charters set documents to ensure that proper oversight
managements process for defining forth responsibilities for the oversight and roles exist and are documented.
responsibilities for internal control and risk evaluation of managements principal roles
management. and responsibilities for risk management and Review board meeting agenda and minutes
internal control. to ascertain that appropriate oversight
discussions are taking place.
Board meetings should regularly include
discussions on the effectiveness of
managements roles and responsibilities for
risk management and internal control.
As a result of discussions, the board should

make recommendations on realignment where
necessary.
Defined Responsibilities assignment of The board delegates authorities and Review completeness of process for defining
responsibility and delegation of authority are responsibilities to the CEO who in turn responsibilities and delegating authorities.
clearly defined for all employees involved in delegates authority and responsibilities to
the internal control and risk management, appropriate individuals in the organization. Evaluate appropriateness of criteria for
compliance, and financial reporting processes. These delegated authorities and assigned delegating authorities.
responsibilities should be formally
documented. Through inspection, verify that key
management has appropriate documented
For key management positions, the board authorities. By interview, ascertain that
reviews and approves descriptions of the management understands its authorities and
positions responsibilities and authorities, responsibilities.
and considers how those positions affect the
strength of internal control. Verify that authorities are reviewed and
adjusted where appropriate periodically.
The evidence for assignment of authorities
can be in the form of a delegated authorities Review employee surveys (or conduct a survey
matrix, written job descriptions, or individual if not conducted by others) to determine
authority grant letters. Employees should whether authorities and responsibilities were
clearly understand their authorities and clearly communicated and understood.
responsibilities.
IPPF Practice Guide
Control Design
When management assigns authority and

responsibilities to key individuals, it considers
the impact on the effectiveness of the
control environment and the importance of
maintaining effective segregation of duties. A
defined set of criteria should exist upon which
management bases level of authority.
When delegating levels of authority and

responsibility, management establishes an
appropriate balance between the authority
needed to get the job done and the need to
maintain adequate internal control over key
business processes.
Authority levels should be reviewed

periodically to ensure they are appropriate.
Employees are empowered to correct problems

or implement improvements in their assigned
business processes as deemed necessary.
Empowerment to take these actions is
accompanied by pre-approved levels of
responsibility and authority.
Management considers the nature of employee

positions within the organization when
assigning responsibilities to individuals or
determining certain levels of authority for
positions.
IPPF Practice Guide
Control Design
Limit of Authority assignment of authority As part of granting authorities, the Include verification of authority limits in
and responsibility includes appropriate organization process includes clear lines of testing above.
limitations. authority for approving transactions over a
specific dollar amount or in meeting certain During the review period for any significant
described characteristics. As dollar threshold events/ transactions, verify that the
increases, additional approvals from senior appropriate approval process and levels of
management are required, with the highest approval were followed.
dollar thresholds reserved for CEO and board
approval.
There is a process in place to monitor

compliance to authority levels and a
remediation process in those cases where
authorities are exceeded.
IPPF Practice Guide
Control Design
7. Human Resources: Basic Principle HR policies and practices are designed and implemented to facilitate effective internal control.
Establish HR Policies management HR policies and procedures exist. These are Obtain and review the organizations HR
establishes HR policies and procedures that reviewed and approved by the board and policies and procedures to ensure that
demonstrate its commitment to integrity, implemented by management. The policies they are complete, current, and approved
ethical behavior, and competence. and procedures are documented and thus appropriately.
provide evidence of the control process.
Review most recent employee survey content.
HR policies and procedures are periodically Did it ask employees to evaluate quality/
reviewed, updated where necessary, effectiveness of the policies, procedures, and
and signed off/approved by appropriate practices? Where improvement opportunities
individuals. exist, what is the status of the actions? Were
the results summarized and reviewed with
An effective policy exists for disseminating senior management and the board?
the HR policies and procedures and employees
understand them.
Newly hired employees receive a copy of the

policies and procedures and all employees
receive updates.
Periodic employee surveys are conducted to

assess employee understanding of HR policies
and procedures and whether they have been
effective in achieving HR objectives.
IPPF Practice Guide
Control Design
Recruiting and Retention employee Management establishes and enforces Include review of recruiting/retention
recruitment and retention for key positions are standards for hiring qualified individuals procedures when completing above review.
guided by the principles of integrity and by the consistent with job description requirements.
necessary competencies associated with the Verify that screening procedures are being
positions. Policies over conflicts of interest regarding followed.
employment relationships such as those
involving family members or personal For recent hires into key positions, verify that
relationships among co-workers are in place the new hire meets the position requirements.
and enforced.
Review exit interview documentation. Verify
Recruiting practices include formal, in-depth that follow-up action was appropriate.
employment interviews. Screening procedures,
including reference checks, resume review, Obtain and review succession plans for
and background checks are employed for job key positions. Ensure they are periodically
applicants, particularly those applying for key reviewed and approved.
management positions.
Review turnover statistics and trends. Were
Interview and screening practices comply with results outside reasonable range analyzed and
local employment, human rights, and privacy discussed at an appropriate level?
laws/regulations.
Assess whether HR or another management
The organization develops and maintains area reviews turnover levels. Independently
position descriptions that reflect its values review turnover data regarding overall
and the competencies needed to fulfill the turnover, turnover of recent hires, and turnover
position requirements. The job descriptions of key positions or competencies. Inquire
contain specific references to control related further about potential root cause of excessive
responsibilities. or unexpected or unexplained turnover.
The organization performs exit interviews with

those leaving the organization and inquires
about any concerns related to internal control.
Retention strategies include formal

succession plans. The organization should
have a documented succession plan for key
management positions. Succession plans
should be updated periodically and approved
by the CEO and board.
IPPF Practice Guide
Control Design
Adequate Training management supports Training programs exist to enforce and Obtain and review training and development
employees by providing access to the tools promote ethical behavior and internal control. programs to ensure they address key
and training needed to perform their roles. elements.
A training program should include
identification of the knowledge, skills, and Verify that the program includes steps to
competencies necessary to perform their evaluate employee effectiveness and to set a
roles. Individual training needs should be plan to close any identified gaps.
documented in a training plan.
Inspect training plans for several key
The ongoing training process enables people management team members to verify
to effectively deal with evolving business existence. Evaluate progress in closing gaps.
environments.
Review budgets to ensure that there are
Training includes development and coaching in adequate resources (e.g. time, people, funds,
leadership and interpersonal skills. equipment) to achieve the development plans.
Review actual spending to ensure that the
Management supports employees by providing employees are availing themselves of the
them the tools and resources necessary to training.
perform their jobs.
Review the organizations supplemental
education program if one exists.
Sample employees regarding the adequacy

of internal training and the value add
of the training for enhancing skills and
competencies.
IPPF Practice Guide
Control Design
Performance and Compensation A performance management process that Obtain and review organizations documented
employee performance evaluations and includes objective setting, assessment, and performance management process. Verify that
the organizations compensation practices, reward exists. key elements exist.
including those affecting senior management,
support the achievement of internal control The organizations compensation/incentive For key management (particular emphasis
objectives. plan for senior executives is balanced among on executive) verify that performance
achievement of financial and non-financial management process was performed as
goals and is not over-weighted to achievement required.
of quarterly financial results.
Review board meeting minutes and other
The performance management process documentation to support its review and
includes steps to confirm awareness of approval of performance and rewards.
an employees progress to achievement of
objectives during the performance period. Verify that compensation changes, incentive
comp awards, and stock grants made are
Performance reviews are conducted annually consistent with board approved amounts.
and signed by the employee and respective
manager. The documented review is evidence Review information packages to the board
of the performance review and is retrievable. to ensure that it is getting appropriate
information for benchmarking compensation
Performance evaluations and compensation and awarding incentives.
to include incentive compensation for key
management are reviewed by the board before Review processes used to develop and compile
administration/payout. compensation information and identify that
assurance activities cover all important
Compensation programs are benchmarked in activities.
the market and by industry periodically. The
board is apprised of such benchmarks. Review actual compensation paid and
incentive awards made to approved amounts
The board is assured of the integrity of and pay guidelines.
incentive program information systems and
that information used to award incentive
compensation is reliable.
IPPF Practice Guide
Authors
Parveen P. Gupta
Philip D. Bahrman, CIA
Joseph Carcello, CIA
Princy Jain, CIA, CCSA
Norman Marks
James A. Rose, CIA
Erich Schumann, CIA
Natarajan Girija Shankar, CIA
Reviewers
Carlos Alberto Reyes, CIA
Maria E. Mendes, CIA, CCSA
Lynn C. Morley, CIA
David W. Zechnich, CIA
Douglas J. Anderson, CIA
Steven E. Jameson, CIA, CCSA, CFSA
About the Institute Disclaimer
Established in 1941, The Institute of Internal The IIA publishes this document for informa-
Auditors (IIA) is an international professional tional and educational purposes. This guidance
association with global headquarters in Altamonte material is not intended to provide definitive an-
Springs, Fla., USA. The IIA is the internal audit swers to specific individual circumstances and as
professions global voice, recognized authority, such is only intended to be used as a guide. The
acknowledged leader, chief advocate, and princi- IIA recommends that you always seek indepen-
pal educator. dent expert advice relating directly to any specific
situation. The IIA accepts no responsibility for
About Practice Guides anyone placing sole reliance on this guidance.
Practice Guides provide detailed guidance for
conducting internal audit activities. They include Copyright
detailed processes and procedures, such as tools Copyright 2011 The Institute of Internal
and techniques, programs, and step-by-step ap- Auditors. For permission to reproduce, please
proaches, as well as examples of deliverables. contact The IIA at guidance@theiia.org.
Practice Guides are part of The IIAs IPPF. As
part of the Strongly Recommended category of
guidance, compliance is not mandatory, but it
is strongly recommended, and the guidance is
endorsed by The IIA through formal review and
approval processes. For other authoritative guid-
ance materials provided by The IIA, please visit
our website at www.theiia.org/guidance.
global headquarters T: +1-407-937-1111

247 Maitland Ave. F: +1-407-937-1101
Altamonte Springs, FL 32701 USA W: www.theiia.org

Auditing The Control Environment

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Auditing The Control Environment

Загружено:

Авторское право:

Доступные форматы

IPPF Practice Guide

An Organizations Control Environment........................................................... 2

Scope and Approach to Auditing the Control Environment............................... 3

Practical Considerations in Auditing the Control Environment........................ 6

How to Audit the Control Environment............................................................. 9

Evaluating Control Environment Deficiencies................................................ 10

providing discipline and structure. Control environment

Audit procedures around these risks might be included

In addition to the analyses discussed above, the auditor

Identification of Significant Issues

Customers, vendors, and other external Review organization training courses,

Review board agenda, minutes, and

Internal audit group, and with the

Inquire of board members, senior

Review the charters for provisions allowing the

Review speeches and presentations to internal

Independently observe or inquire with

Review employee survey results where

Review whether the risks associated with the

Review whether the organizations structure

Review job descriptions for key employees,

Consideration is given to competency of In reviewing the key management job

Inquire of external auditors their perception

Were competencies evaluated and if so what

Review succession plans for key positions.

Inquire with finance staff and independently

As a result of discussions, the board should

When management assigns authority and

When delegating levels of authority and

Authority levels should be reviewed

Employees are empowered to correct problems

Management considers the nature of employee

There is a process in place to monitor

Newly hired employees receive a copy of the

Periodic employee surveys are conducted to

The organization performs exit interviews with

Retention strategies include formal

Sample employees regarding the adequacy

Philip D. Bahrman, CIA

Joseph Carcello, CIA

Princy Jain, CIA, CCSA

James A. Rose, CIA

Erich Schumann, CIA

Natarajan Girija Shankar, CIA

Maria E. Mendes, CIA, CCSA

Lynn C. Morley, CIA

David W. Zechnich, CIA

Douglas J. Anderson, CIA

Steven E. Jameson, CIA, CCSA, CFSA

global headquarters T: +1-407-937-1111

Вам также может понравиться