Please reach us at reports@performanceaspects.com if you cannot find an answer to your question.
We conduct our performance audits in compliance with generally accepted government auditing standards (GAGAS). These standards are developed by the US Government Accountability Office (GAO) and published in a book referred to as the Government Auditing Standards or the Yellow Book. The standards provide a framework that ensures that a) the auditor’s conclusions are supported with sufficient evidence and b) the auditor is competent, objective, and independent.
The COSO Internal Control – Integrated Framework is recognized in the United States as the standard for designing, implementing, and assessing internal control. First published in 1992, the framework was revised and reissued in May 2013. It defines internal control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Background
COSO dates back to 1985, when five preeminent professional organizations for accountants and auditors in the United States sponsored the National Commission on Fraudulent Financial Reporting, chaired by John C. Treadway: a) American Accounting Association, b) American Institute of Certified Public Accountants, c) Financial Executives International, d) Institute of Internal Auditors, and e) Institute of Management Accountants. The primary objective of the commission was to identify factors that led to fraudulent financial reporting. The five organizations formed a committee, referred to as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), whose goal was to provide thought leadership in internal control, enterprise risk management, and fraud deterrence.
There are alternatives to the COSO framework. Other countries have developed their own internal control frameworks. For example, the United Kingdom has a framework developed by the Turnbull Committee, while Canada has the Criteria for Control framework, commonly referred to as CoCo. The United States federal government also has a framework, Standards for Internal Control in the Federal Government, commonly known as the Green Book, which is widely used in the government sector.
The Framework
The framework provides for three objectives: a) Operations, b) Reporting, and c) Compliance. The objectives are what an entity is working to achieve. The framework consists of five integrated components which represent what is required to achieve the objectives. The components are a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring Activities. The components are further broken down into 17 principles which represent the fundamental concepts associated with each component.
COSO Internal Control - Integrated Framework Executive Summary
There are two perspectives from which to view internal control: a) entity and b) auditor.
From the entity's perspective, management is responsible for designing, implementing, and conducting internal control. It is also responsible for assessing the effectiveness of the internal control. Management uses a framework, such as COSO's Internal Control - Integrated Framework, as a guide or template for building an effective internal control. Effective internal control, in turn, helps the entity to achieve its operations, reporting, and/or compliance objectives, and to sustain and improve performance.
On the flip side, auditors rely on an internal control framework for criteria when conducting a performance audit. Criteria present the desired state, and the desired state for an effective internal control is one consisting of all the components of the framework. Any deviation from the framework is an opportunity for a deficiency and a risk that the entity will not achieve its objectives. For example, COSO’s Internal Control – Integrated Framework consists of five integrated components. When a performance auditor is assessing internal control over an entity’s program and one or more components of internal control are absent, it may imply that the entity’s internal control is deficient and that the entity is therefore at risk of not meeting its objectives. The auditor may recommend in the audit report that the entity address this deficiency.
According to GAGAS, the auditor should address five areas, each with corresponding mandatory standards, when considering internal control during a performance audit.
a. Determining Significance and Obtaining an Understanding of Internal Control
b. Assessing Internal Control
c. Internal Control Deficiencies Considerations
d. Information Systems Controls Considerations
e. Reporting on Internal Control
At a minimum, the auditor must determine whether internal control is significant to the audit objective. This determination either terminates the consideration of internal control or leads the auditor down a decision tree that may culminate in reporting on internal control.
a. While performance auditing has traditionally followed the Waterfall methodology or model, where the auditors sequentially go through planning, survey, analysis and reporting phases, we are embracing the emerging Agile Auditing, where the audit is broken up and conducted in sprints. The Waterfall methodology, where each phase is completed before moving to the next, leads to lengthy audits spanning several months, sometimes over 12 months. This approach to auditing is unsustainable in a fast-changing business environment. For such lengthy audits, the findings and recommendations in the report may be outdated or overtaken by events. Agile Auditing offers a faster way of surfacing issues and findings – sometimes within three months – giving the management of the entity under audit a chance to consider timely recommendations.
b. During our audits, we follow the generally accepted government auditing standards (GAGAS) Fieldwork standards for performance auditing. These standards require us to understand and assess audit risk, fraud risk and internal control, among others. The standards cover the audit planning, fieldwork, supervision, evidence gathering and analysis, and documentation. We also follow GAGAS Reporting standards for performance auditing.
c. During the audit, we examine relevant audit evidence primarily from interviews, documentation, data analysis, surveys, and observations. GAGAS requires that we gather sufficient and appropriate evidence to support our conclusions and findings.