DOC

Teaching Auditing Students About Internal Controls

By Harry Fisher,2014-04-05 22:08
6 views 0
Teaching Auditing Students About Internal Controls

    Teaching Auditing Students About Internal Controls

    From an Internal Audit Perspective

Susanne O’Callaghan, Ph.D., CPA, CIA

    Associate Professor of Accounting

    Pace University

    Lubin School of Business

    One Pace Plaza

    New York, NY 10038

    socallaghan@pace.edu

    John P. Walker, Ph.D., CPA

    Professor of Accounting

    Queens College CUNY

    65-30 Kissena Blvd

    Queens, NY 11367

    jpvwalker@aol.com

    Raymond J. Elson*, DBA, CPA Assistant Professor of Accounting

    Valdosta State University

    Langdale College of Business

    Valdosta, GA 31698

    relson@valdosta.edu

    * Corresponding author

     1

    Teaching Auditing Students About Internal Controls

    From an Internal Audit Perspective

Introduction

    In the Sarbanes-Oxley era there is a real need for a good understanding of the different responsibilities and reliances that can be placed on the work of others. External auditors must have a good comprehension of the types and extent of work that internal auditors do. Since most universities do not provide a stand-alone course on internal auditing, students must rely on what they learn in the mainstream auditing class to obtain their understanding of what an internal auditor does. This paper provides auditing instructors a vehicle for teaching the need for, and the approach to, how internal auditors do their jobs.

Background

    Many accounting students will enter the auditing profession upon graduation. They will enter the external auditing profession, the internal auditing profession or work in organizations where they interact with all types of auditors. If these students enter the external auditing profession, they will be expected to interact and understand what internal auditors do in order to rely on the internal auditors work under SAS 65 “The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements” and PCOAB Standard No. 2. But it is difficult for auditing students to

    understand what value the internal audit function brings to the table as most auditing textbooks have only one chapter on internal auditing. That chapter is usually very vague as to what an internal auditor actually does. This paper provides a simple approach to understanding concepts surrounding the internal auditors’ role in evaluating internal controls so that their employer meets the objectives.

Literature Review

    There is very little literature that offers a pedagogical approach to teaching internal auditing. Fernandes (1994) recognizes that accounting education prepares students well for financial auditing. He acknowledges that the traditional auditing course may trigger an interest in internal auditing on the part of the student but the student is basically left to figure out what internal auditing is all about. These same students are not adequately prepared in the areas of business analytical techniques and there is a void in general audit education because of this. He feels that all universities with business and public administration programs should offer at least one course devoted to internal auditing.

    Another article by Fernandes, Poposky and Savage (1995) presents the

    development of an internal audit course curriculum. The author examines and identifies course objectives that would enhance the students’ understanding of both the conceptual and practical aspects of the internal auditor function. They also identify elements of a

     2

null

understand how organization objectives drive the need for controls. A COSO framework 1is used as the basis for the control matrix development.

    The COSO internal control framework states that entities have three objectives: good operations, compliance with rules and regulations and good financial reporting. But there are external and internal threats to having good operations, being in compliance with rules and regulations and having good financial reporting. To achieve organizational objectives and minimize the threats, an entity must have a good internal control system in place. That system should consist of five elements. The entity must have a good control environment, risk assessment procedures, excellent control activities, adequate information and communications and a monitoring mechanism in place.

    Auditing students have already learned about COSO in an earlier chapter on internal control so this is a quick internal control review for them. In the internal auditing chapter we move into a more detailed discussion of the internal auditors’ role in

    evaluating internal controls put in place by management and in the value-added services that internal auditors perform. But there are few examples to really help students internalize what internal auditors do.

    Since most students have some understanding as to how restaurants operate, we used a restaurant example to illustrate this approach to teaching internal auditing. We use the COSO framework and a six-step process to create the control matrix. We first illustrate the three objectives of a restaurant. Second, we identify threats to meeting those restaurant objectives. Third, we discuss control objectives necessary to see that the threats are contained. Fourth, we use the five components of a good internal control system to meet the control objectives. Fifth, we then examine the various control activities that management could have in place. Lastly, in the sixth step, we identify steps to be taken by the auditor to assure that control objectives are met.

Teaching Approach

    The matrix that follows can be created by the audit instructor by first filling in the first column: the three objectives identified by COSO: operations, compliance with rules and regulations, and monitoring (Table 1.)

     1

    The Committee on Sponsoring Organizations published the COSO framework in 1992. It is the most widely recognized internal control framework used in the United States today.

     4

    Table 1

    Restaurant Objective (Column 1)

COSO

    Objectives of

    Entity

    Operations

    Compliance

    Financial

    Reporting

    Next the instructor can present one threat to each of the restaurant objectives; e.g., a threat to operations is that employees might lose fingers; a threat to being in compliance with rules and regulations is that the restaurant could lose its license if it violates health regulations; a threat to good financial reporting is that restaurant sales may not be recorded accurately (Table 2.)

    The third column is completed by identifying the control objectives that management has or should have in place to stop the threats! For example, the operations objective is to stop employees from losing fingers (Table 3.)

    Then the instructor fills in the fourth column with the internal control elements. The five individual elements of a good internal control system are the control environment, risk assessment, control activities, information and communication, and monitoring (Table 4.) These internal control elements should ensure that management’s

    control objectives are met.

    Table 2

    Threats to Meeting Objectives (Column 2)

COSO Objectives of Threats to the

    Entity Restaurant

    Operations Employees will lose

    fingers on sharp

    equipment

    Compliance Restaurant may

    lose its license due

    to not adhering to

    health regulations

    Financial Reporting Restaurant sales

    will not be recorded

    accurately

     5

    Table 3

    Management’s Control Objectives (Column 3)

COSO Objectives of Threats to the Control

    Entity Entity Objective (To

    stop the

    Threat-

    Management’s

    Responsibility)

    Operations Employees will To ensure that

    lose fingers on employees

    sharp equipment don’t lose

    fingers on

    sharp

    equipment

    Compliance Restaurant may To ensure that

    lose its license due all health

    to not adhering to regulations

    health regulations are followed so

    that

    restaurant

    does not lose

    its license

    Financial Reporting Restaurant sales To ensure that

    will not be all sales are

    recorded accurately recorded

    accurately so

    that the

    financial

    reporting

    objective is

    met

    The fifth column addresses what management has told the auditor they have put in place to meet the threat belonging to that internal control element. For example, a

    control environment step that could help keep employees from losing fingers would be

    the existence of training sessions to show employees how to use the equipment. These are

    the activities that management has put in place to see that the control objective is met.

    The instructor continues to identify different evidence that the control objective is being

    met for each of the internal control elements in column 4 (Table 5.)

     6

    Table 4

    Internal Control Elements (Column 4)

COSO Threats to the Control Objective Internal Control

    Objectives of Entity (To stop the Element Entity Threat-(COSO)

    Management’s

    Responsibility)

    Operations Employees will To ensure that Control

    lose fingers on employees don’t Environment

    sharp lose fingers on

    equipment sharp equipment

     Same Same Risk Assessment

     Same Same Control

    Activities

     Same Same Information and

    Communications

     Same Same Monitoring Compliance Restaurant may To ensure that all Control

    lose its license health regulations Environment

    due to not are followed so

    adhering to that restaurant

    health does not lose its

    regulations license

     Same Same Risk Assessment

     Same Same Control

    Activities

     Same Same Information and

    Communications

     Same Same Monitoring Financial Restaurant To ensure that all Control Reporting sales will not sales are recorded Environment

    be recorded accurately so that

    accurately the financial

    reporting

    objective is met

     Same Same Risk Assessment

     Same Same Control

    Activities

     Same Same Information and

    Communications

     Same Same Monitoring

     7

    Table 5

    Evidence That Control Objectives are Being Met (Column 5)

    COSO Threats to the Control Objective Internal Control Element Evidence that Control Objectives of Entity (To stop the Threat-(COSO) Objective is Being Met Entity Management’s (Management’s Responsibility)

    Responsibility)

    Operations Employees will To ensure that Control Environment Management provides training

    lose fingers on employees don’t lose sessions for all new employees

    sharp equipment fingers on sharp on how to use equipment safely

    equipment

     Same Same Risk Assessment Management reviews the

    equipment to make sure that

    any new equipment is included

    in training sessions

     Same Same Control Activities Safety blades are required to

    be kept on all equipment when

    equipment is not is use

     Same Same Internal Control Reminders about equipment

    Element (COSO) safety are posted near all

    equipment

     Same Same Control Environment Management keeps logs of

    safety walk-throughs to see

    that equipment is covered

    when not in use and employees

    are following safety

    procedures.

    Compliance Restaurant may To ensure that all Risk Assessment Management has policies and

    lose its license health regulations are procedures on all health

    due to not followed so that regulations; all new employees

    adhering to restaurant does not must read and sign off.

    health lose its license

    regulations

     Same Same Control Activities Management reviews changes

    to health code on a regular

    basis to see if new regulations

    have added to their risks

     Same Same Information and Management has policy that

    Communications no food should be left out of

    refrigerator for more than one

    hour

     Same Same Monitoring Signs are clearly posted stating

    that employees must wash

    hands after using the

    bathroom

     Same Same Control Environment Management goes through all

    city health inspection reports

    and implements all infractions

    Financial Restaurant sales To ensure that all Risk Assessment Management has policies and Reporting will not be sales are recorded procedures for the proper

    recorded accurately so that the recording of sales by servers

    accurately financial reporting and cashiers

    objective is met

     8

     Same Same Control Activities Management conducts

    quarterly reviews to determine

    if employee turnover has

    caused changes to the financial

    procedures

     Same Same Information and Management requires use of

    Communications prenumbered server order

    forms so that all meals can be

    accounted for

     Same Same Monitoring Management prepares daily

    server reports to report on all

    tips for tax purposes; all

    employees sign form

     Same Control Environment Same Management accounts for all

    prenumbered server order

    form tickets

     Risk Assessment

     Control Activities

     Information and

    Communications

     Monitoring

    But the internal auditor cannot rely on management’s statements alone. So the

    sixth column illustrates what evidence the internal auditor would ask for to evaluate

    management’s actions to threats to the restaurant, e.g., if the restaurant’s operating

    objective is to have good operations and management has stated that they provide

    training sessions for all employees to show them how to safely use sharp equipment

    (control environment), then the internal auditor would request and review schedules of

    past and future training sessions and check that all employees have attended those

    sessions (Table 6.)

    Table 6

    Audit Procedures (Column 6)

    COSO Threats to the Control Objective Internal Evidence that Control Audit Procedure Objectives Entity (To stop the Control Objective is Being Met (Auditor’s

    of Entity Threat-Element (Management’s Responsibility)

    Management’s (COSO) Responsibility)

    Responsibility)

    Operations Employees To ensure that Control Management provides Auditor requests and

    will lose employees don’t Environment training sessions for all reviews schedule of past

    fingers on lose fingers on new employees on how and future training

    sharp sharp equipment to use equipment safely sessions and checks that

    equipment all employees have

    attended

     Same Same Risk Management reviews Auditor requests

    Assessment the equipment to make equipment review

    sure that any new reports from

    equipment is included management. Examines

    in training sessions new equipment. Checks

    against training sessions

     9

     Same Same Control Safety blades are Auditors sample

    Activities required to be kept on equipment and inspect

    all equipment when to see that safety blades

    equipment is not is use are on equipment not in

    use

     Same Same Information Reminders about Auditor examines signs

    and equipment safety are near all equipment to

    Communicatioposted near all see that they are posted

    ns equipment and in good condition

     Same Same Monitoring Management keeps logs Auditor requests safety

    of safety walk-throughs walk-throughs logs and

    to see that equipment is determines that

    covered when not in use comments have been

    and employees are addressed

    following safety

    procedures.

    Compliance Restaurant To ensure that all Control Management has Auditor examines

    may lose its health regulations Environment policies and procedures policies and procedures

    license due to are followed so that on all health manual to see that

    not adhering to restaurant does not regulations; all new health regulations are

    health lose its license employees must read included and are

    regulations and sign off. current; examines sign

    off by all employees

     Same Same Risk Management reviews Auditor examines

    Assessment changes to health code management’s review of

    on a regular basis to see new health codes and

    if new regulations have evaluates conclusions

    added to their risks

     Same Same Control Management has policy Check for written

    Activities that no food should be policy; auditor observes

    left out of refrigerator kitchen for food left out;

    for more than one hour auditor inquires of

    employees to see if they

    follow policy

     Same Same Information Signs are clearly posted Auditor visits all

    and stating that employees bathrooms to see that

    Communicatiomust wash hands after signs are clearly visible

    ns using the bathroom and in good condition

     Same Same Monitoring Management goes Auditor examines city

    through all city health health inspection reports

    inspection reports and and inquires if

    implements all infractions have been

    infractions corrected

    Financial Restaurant To ensure that all Control Management has Auditor examines policy Reporting sales will not sales are recorded Environment policies and procedures on recording sales and

    be recorded accurately so that for the proper recording inquires of servers and

    accurately the financial of sales by servers and cashiers

    reporting objective cashiers

    is met

     Same Same Risk Management conducts Auditor requests

    Assessment quarterly reviews to managements quarterly

    determine if employee review of changing

    turnover has caused circumstances and

     10

Report this document

For any questions or suggestions please email
cust-service@docsford.com