Teaching Auditing Students About Internal Controls

By Janice Torres,2014-05-18 13:27
12 views 0
Teaching Auditing Students About Internal Controls

    Teaching Auditing Students About Internal Controls

    From an Internal Audit Perspective

Susanne O’Callaghan, Ph.D., CPA, CIA

    Associate Professor of Accounting

    Pace University

    Lubin School of Business

    One Pace Plaza

    New York, NY 10038

    John P. Walker, Ph.D., CPA

    Professor of Accounting

    Queens College CUNY

    65-30 Kissena Blvd

    Queens, NY 11367

    Raymond J. Elson*, DBA, CPA

    Assistant Professor of Accounting

    Valdosta State University

    Langdale College of Business

    Valdosta, GA 31698

    * Corresponding author


    Teaching Auditing Students About Internal Controls

    From an Internal Audit Perspective


    In the Sarbanes-Oxley era there is a real need for a good understanding of the different responsibilities and reliances that can be placed on the work of others. External

    auditors must have a good comprehension of the types and extent of work that internal

    auditors do. Since most universities do not provide a stand-alone course on internal

    auditing, students must rely on what they learn in the mainstream auditing class to obtain

    their understanding of what an internal auditor does. This paper provides auditing

    instructors a vehicle for teaching the need for, and the approach to, how internal auditors

    do their jobs.


    Many accounting students will enter the auditing profession upon graduation. They will enter the external auditing profession, the internal auditing profession or work

    in organizations where they interact with all types of auditors. If these students enter the

    external auditing profession, they will be expected to interact and understand what

    internal auditors do in order to rely on the internal auditors work under SAS 65 “The

    Auditor’s Consideration of the Internal Audit Function in an Audit of Financial

    Statements” and PCOAB Standard No. 2. But it is difficult for auditing students to

    understand what value the internal audit function brings to the table as most auditing

    textbooks have only one chapter on internal auditing. That chapter is usually very vague

    as to what an internal auditor actually does. This paper provides a simple approach to

    understanding concepts surrounding the internal auditors’ role in evaluating internal

    controls so that their employer meets the objectives.

    Literature Review

    There is very little literature that offers a pedagogical approach to teaching internal auditing. Fernandes (1994) recognizes that accounting education prepares

    students well for financial auditing. He acknowledges that the traditional auditing course

    may trigger an interest in internal auditing on the part of the student but the student is

    basically left to figure out what internal auditing is all about. These same students are not

    adequately prepared in the areas of business analytical techniques and there is a void in

    general audit education because of this. He feels that all universities with business and

    public administration programs should offer at least one course devoted to internal


    Another article by Fernandes, Poposky and Savage (1995) presents the development of an internal audit course curriculum. The author examines and identifies

    course objectives that would enhance the students’ understanding of both the conceptual

    and practical aspects of the internal auditor function. They also identify elements of a


    curriculum that would enhance students’ analytic, critical thinking, written and oral communication, and group/teamwork skills. This article lays out detailed objectives,

    methods of instruction, professional company involvement and course evaluation but

    does not go into any detail of content.

    Greensawalt and Stinnett (1992) present an excellent case that can be adapted for

    use in a financial auditing or internal auditing class. It requires students to find an “audit

    client.” The students then have the task of understanding and documenting the internal

    control system of either the revenue cycle or the expenditure cycle. The students present

    a written report and document their understanding of the controls, prepare an internal

    control review matrix, do evaluations and make oral presentations. This article provides a

    great outside project but does not provide the audit instructor an in-class demonstration of

    how a control matrix is prepared.

    Our paper provides a unique pedagogical approach to teaching auditing students

    how to construct a control matrix, an important tool for use in evaluating internal controls.

The Relationship between Internal and External Auditing

    Internal auditing is an independent, objective, assurance and consulting activity

    designed to add value and improve an organization’s operations. Its focus is mainly on

    evaluating and improving the effectiveness of the organization’s risk management,

    control and governance processes. External auditing is the systematic process of objectively obtaining and evaluating evidence regarding management assertions in

    financial statements. Its focus is on communicating any findings to interested users who

    are mostly external to the organization such as shareholders and the SEC. Both sets of

    auditing professionals have a use for control matrices.

The Relationships among Organizational Objectives, Threats to Meeting Objectives

    and Internal Controls

    All entities have specific objectives that they must achieve. But all objectives

    have threats that may threaten their achievement. These threats must be eliminated,

    avoided, controlled or accepted. By having good controls in place to mitigate the threats,

    a company is better able to achieve its objectives and therefore places itself in a

    competitive position. It is management’s responsibility to see that adequate controls are

    in place. It is the auditor’s responsibility to see that management’s controls are indeed

    working as planned. The internal auditor’s chief role is to evaluate the design and

    effectiveness of those controls.

    COSO Approach to Developing a Control Matrix

    This paper illustrates a control matrix approach that can be used as lecture

    material (or as a class assignment) in the internal auditing chapter of a traditional

    textbook or as part of an internal auditing course. This control matrix helps students


understand how organization objectives drive the need for controls. A COSO framework 1is used as the basis for the control matrix development.

    The COSO internal control framework states that entities have three objectives: good operations, compliance with rules and regulations and good financial reporting. But

    there are external and internal threats to having good operations, being in compliance

    with rules and regulations and having good financial reporting. To achieve organizational

    objectives and minimize the threats, an entity must have a good internal control system in

    place. That system should consist of five elements. The entity must have a good control

    environment, risk assessment procedures, excellent control activities, adequate

    information and communications and a monitoring mechanism in place.

    Auditing students have already learned about COSO in an earlier chapter on internal control so this is a quick internal control review for them. In the internal auditing

    chapter we move into a more detailed discussion of the internal auditors’ role in

    evaluating internal controls put in place by management and in the value-added services

    that internal auditors perform. But there are few examples to really help students

    internalize what internal auditors do.

    Since most students have some understanding as to how restaurants operate, we used a restaurant example to illustrate this approach to teaching internal auditing. We use

    the COSO framework and a six-step process to create the control matrix. We first

    illustrate the three objectives of a restaurant. Second, we identify threats to meeting those

    restaurant objectives. Third, we discuss control objectives necessary to see that the threats

    are contained. Fourth, we use the five components of a good internal control system to

    meet the control objectives. Fifth, we then examine the various control activities that

    management could have in place. Lastly, in the sixth step, we identify steps to be taken

    by the auditor to assure that control objectives are met.

Teaching Approach

    The matrix that follows can be created by the audit instructor by first filling in the first column: the three objectives identified by COSO: operations, compliance with rules

    and regulations, and monitoring (Table 1.)


    The Committee on Sponsoring Organizations published the COSO framework in 1992. It is the most

    widely recognized internal control framework used in the United States today.


    Table 1

    Restaurant Objective (Column 1)

    COSO Objectives of


    Operations Compliance Financial Reporting

    Next the instructor can present one threat to each of the restaurant objectives; e.g.,

    a threat to operations is that employees might lose fingers; a threat to being in compliance

    with rules and regulations is that the restaurant could lose its license if it violates health

    regulations; a threat to good financial reporting is that restaurant sales may not be

    recorded accurately (Table 2.)

    The third column is completed by identifying the control objectives that

    management has or should have in place to stop the threats! For example, the operations

    objective is to stop employees from losing fingers (Table 3.)

    Then the instructor fills in the fourth column with the internal control elements.

    The five individual elements of a good internal control system are the control

    environment, risk assessment, control activities, information and communication, and

    monitoring (Table 4.) These internal control elements should ensure that management’s

    control objectives are met.

    Table 2

    Threats to Meeting Objectives (Column 2)

COSO Objectives of Threats to the

    Entity Restaurant

    Operations Employees will lose

    fingers on sharp


    Compliance Restaurant may

    lose its license due

    to not adhering to

    health regulations

    Financial Reporting Restaurant sales

    will not be recorded



    Table 3

    Management’s Control Objectives (Column 3)

    COSO Objectives of Threats to the Control Entity Entity Objective (To

    stop the




    Operations Employees will To ensure that

    lose fingers on employees

    sharp equipment don’t lose

    fingers on


    equipment Compliance Restaurant may To ensure that

    lose its license due all health

    to not adhering to regulations

    health regulations are followed so



    does not lose

    its license Financial Reporting Restaurant sales To ensure that

    will not be all sales are

    recorded accurately recorded

    accurately so

    that the



    objective is


    The fifth column addresses what management has told the auditor they have put

    in place to meet the threat belonging to that internal control element. For example, a

    control environment step that could help keep employees from losing fingers would be

    the existence of training sessions to show employees how to use the equipment. These are

    the activities that management has put in place to see that the control objective is met.

    The instructor continues to identify different evidence that the control objective is being

    met for each of the internal control elements in column 4 (Table 5.)


    Table 4

    Internal Control Elements (Column 4)

    COSO Threats to the Control Objective Internal Control Objectives of Entity (To stop the Element

    Entity Threat-(COSO)



    Operations Employees will To ensure that Control

    lose fingers on employees don’t Environment

    sharp lose fingers on

    equipment sharp equipment

     Same Same Risk Assessment

     Same Same Control


     Same Same Information and


     Same Same Monitoring Compliance Restaurant may To ensure that all Control

    lose its license health regulations Environment

    due to not are followed so

    adhering to that restaurant

    health does not lose its

    regulations license

     Same Same Risk Assessment

     Same Same Control


     Same Same Information and


     Same Same Monitoring Financial Restaurant To ensure that all Control

    Reporting sales will not sales are recorded Environment

    be recorded accurately so that

    accurately the financial


    objective is met

     Same Same Risk Assessment

     Same Same Control


     Same Same Information and


     Same Same Monitoring


    Table 5

    Evidence That Control Objectives are Being Met (Column 5)

    COSO Threats to the Control Objective Internal Control Element Evidence that Control Objectives of Entity (To stop the Threat-(COSO) Objective is Being Met Entity Management’s (Management’s Responsibility)


    Operations Employees will To ensure that Control Environment Management provides training

    lose fingers on employees don’t lose sessions for all new employees

    sharp equipment fingers on sharp on how to use equipment safely


     Same Same Risk Assessment Management reviews the

    equipment to make sure that

    any new equipment is included

    in training sessions

     Same Same Control Activities Safety blades are required to

    be kept on all equipment when

    equipment is not is use

     Same Same Internal Control Reminders about equipment

    Element (COSO) safety are posted near all


     Same Same Control Environment Management keeps logs of

    safety walk-throughs to see

    that equipment is covered

    when not in use and employees

    are following safety

    procedures. Compliance Restaurant may To ensure that all Risk Assessment Management has policies and

    lose its license health regulations are procedures on all health

    due to not followed so that regulations; all new employees

    adhering to restaurant does not must read and sign off.

    health lose its license


     Same Same Control Activities Management reviews changes

    to health code on a regular

    basis to see if new regulations

    have added to their risks

     Same Same Information and Management has policy that

    Communications no food should be left out of

    refrigerator for more than one


     Same Same Monitoring Signs are clearly posted stating

    that employees must wash

    hands after using the


     Same Same Control Environment Management goes through all

    city health inspection reports

    and implements all infractions Financial Restaurant sales To ensure that all Risk Assessment Management has policies and Reporting will not be sales are recorded procedures for the proper

    recorded accurately so that the recording of sales by servers

    accurately financial reporting and cashiers

    objective is met


     Same Same Control Activities Management conducts

    quarterly reviews to determine

    if employee turnover has

    caused changes to the financial


     Same Same Information and Management requires use of

    Communications prenumbered server order

    forms so that all meals can be

    accounted for

     Same Same Monitoring Management prepares daily

    server reports to report on all

    tips for tax purposes; all

    employees sign form

     Same Control Environment Same Management accounts for all

    prenumbered server order

    form tickets

     Risk Assessment

     Control Activities

     Information and



    But the internal auditor cannot rely on management’s statements alone. So the

    sixth column illustrates what evidence the internal auditor would ask for to evaluate

    management’s actions to threats to the restaurant, e.g., if the restaurant’s operating

    objective is to have good operations and management has stated that they provide

    training sessions for all employees to show them how to safely use sharp equipment

    (control environment), then the internal auditor would request and review schedules of

    past and future training sessions and check that all employees have attended those

    sessions (Table 6.)

    Table 6

    Audit Procedures (Column 6)

    COSO Threats to the Control Objective Internal Evidence that Control Audit Procedure Objectives Entity (To stop the Control Objective is Being Met (Auditor’s of Entity Threat-Element (Management’s Responsibility)

    Management’s (COSO) Responsibility)


    Operations Employees To ensure that Control Management provides Auditor requests and

    will lose employees don’t Environment training sessions for all reviews schedule of past

    fingers on lose fingers on new employees on how and future training

    sharp sharp equipment to use equipment safely sessions and checks that

    equipment all employees have


     Same Same Risk Management reviews Auditor requests

    Assessment the equipment to make equipment review

    sure that any new reports from

    equipment is included management. Examines

    in training sessions new equipment. Checks

    against training sessions


     Same Same Control Safety blades are Auditors sample

    Activities required to be kept on equipment and inspect

    all equipment when to see that safety blades

    equipment is not is use are on equipment not in


     Same Same Information Reminders about Auditor examines signs

    and equipment safety are near all equipment to

    Communicatioposted near all see that they are posted

    ns equipment and in good condition

     Same Same Monitoring Management keeps logs Auditor requests safety

    of safety walk-throughs walk-throughs logs and

    to see that equipment is determines that

    covered when not in use comments have been

    and employees are addressed

    following safety


    Compliance Restaurant To ensure that all Control Management has Auditor examines

    may lose its health regulations Environment policies and procedures policies and procedures

    license due to are followed so that on all health manual to see that

    not adhering to restaurant does not regulations; all new health regulations are

    health lose its license employees must read included and are

    regulations and sign off. current; examines sign

    off by all employees

     Same Same Risk Management reviews Auditor examines

    Assessment changes to health code management’s review of

    on a regular basis to see new health codes and

    if new regulations have evaluates conclusions

    added to their risks

     Same Same Control Management has policy Check for written

    Activities that no food should be policy; auditor observes

    left out of refrigerator kitchen for food left out;

    for more than one hour auditor inquires of

    employees to see if they

    follow policy

     Same Same Information Signs are clearly posted Auditor visits all

    and stating that employees bathrooms to see that

    Communicatiomust wash hands after signs are clearly visible

    ns using the bathroom and in good condition

     Same Same Monitoring Management goes Auditor examines city

    through all city health health inspection reports

    inspection reports and and inquires if

    implements all infractions have been

    infractions corrected Financial Restaurant To ensure that all Control Management has Auditor examines policy Reporting sales will not sales are recorded Environment policies and procedures on recording sales and

    be recorded accurately so that for the proper recording inquires of servers and

    accurately the financial of sales by servers and cashiers

    reporting objective cashiers

    is met

     Same Same Risk Management conducts Auditor requests

    Assessment quarterly reviews to managements quarterly

    determine if employee review of changing

    turnover has caused circumstances and


Report this document

For any questions or suggestions please email