Internal Auditing and Controls
Supplementary Lesson Notes – Module 3
Note: Supplementary Lesson Notes only provide brief discussions on topics covered in each
module. The notes are not substitutes for the recommended textbook and additional readings.
Students are required to complete all assigned readings to adequately prepare for classes.
Refer to your Course Textbook guide and Supplementary Readings for a list of assigned
readings.
3 Governance and Internal Auditing
3.1 Risk Management
Risk is the possibility that an event will occur that will have an impact on the
achievement of objectives. Risk has two components: the impact of the event, and the
likelihood of it occurring.
Enterprise risk (or business risk) is the possibility of an event occurring that could reduce
the likelihood of an organization achieving its objectives, whether formally stated in
mission statements or strategic plans, or just assumed or implied.
Risk is very broad, including competition, environmental risk, customer satisfaction, and
many other risks. Although each of these can be quantified in financial terms, it is useful
to identify them individually, which helps to develop mitigation strategies.
Risk can never be totally eliminated. Some risks are totally outside the control of the
company; other risks can only be partially controlled by the company.
3.1.1 Risk Management Process
This is a continuous, circular process undertaken by an organization to monitor the risks
it faces and to act on a timely basis to ensure that the risk level is kept within an
acceptable limit, since risk can never be totally eliminated. The steps in the process are
described below:
Risk identification is the process of identifying and measuring various risks faced by the
organization.
Determination of risk limits is the level where management sets its desired or acceptable
risk limit, tolerance and appetite level.
Designing controls to curtail risks involves determining the appropriate internal controls
for an organization to reduce the level of risk to the acceptable limit.
Measuring performance is the process of obtaining feedback on the risk level set, and
the effectiveness of controls in place, to determine the need for improvements.
1 School of Business
© 2016, Southern Alberta Institute of Technology
3.1.2 Risk Mitigating Techniques
Risk avoidance is a strategy of completely eliminating a business activity because of its
associated risk.
Risk diversification ensures that there are many available options with the hope that
where any of the options fails, others can compensate for the failure, or reduce the
overall effect. An example is investing in stocks of many companies in different
industries.
Risk controlling involves closely monitoring risky activities to enable an organization to
act in time to prevent negative consequences. For example, a shareholder might quickly
dispose of stocks upon getting analyst information that the price may decline.
Risk transfer or sharing involves engaging in activities (e.g., purchasing insurance, or
warranties) that would facilitate reinstatement to the financial position that existed before
an unwanted situation occurred.
3.2 Enterprise Risk Management
Enterprise risk management (ERM) involves:
Identifying the risks faced by the company
Establishing acceptable tolerance limits for those risks
Taking measures to keep risks within those tolerances
Testing controls to ensure that the uncontrolled risks remain within those tolerances
Internal auditors assist management and the Board of Directors by monitoring,
examining, evaluating, reporting on and recommending improvements to the
effectiveness of the company’s ERM process.
Even in cases where risks could be completely eliminated, it may not be cost-effective
to do so. Consider a retail store like Walmart. It is possible to completely eliminate
shoplifting, but the cost of such security methods (including the potential loss of
customers) would be more than the money saved.
As a result, most companies establish risk limits: the degree of risk that the company is
willing to accept (i.e., to account for incidental losses that are just part of doing
business).
3.3 Role of the Internal Auditor
According to the International Standards for the Professional Practice of Internal
Auditing (the Standards; IIA, 2011), Standard 2100 sets out the scope of internal
auditing. It explains that internal auditing should evaluate and contribute to the
improvement of risk management, control, and governance processes using a
systematic and disciplined approach.
3.4 Traditional vs. Risk-Based Auditing
Traditionally, auditing (internal and external) focusses on a company’s internal control
system. Each control must be tested, and recommendations are made to address
identified weaknesses.
Risk-based auditing begins with an assessment of an organization’s objectives and their
associated risks. The audit focusses on ensuring that controls are in place to mitigate
the biggest risks. In short, traditional auditing is “bottom-up,” while risk-based auditing is
“top-down.”
3.5 Control Frameworks
Control frameworks are models that help companies identify the means of mitigating key
risks and confirm that risks are under control. Most frameworks establish criteria for
controls and group the criteria in some logical manner. Some models are fairly obscure;
others are more popular and well-known.
3.5.1 CICA’s Criteria of Control Board
The Canadian-developed framework was created by the CICA’s Criteria of Control
Board (CoCo).
Compared to most other frameworks, CoCo is a fairly broad framework. CoCo identifies
20 control criteria organized into 4 groups:
1. Purpose
2. Commitment
3. Capability
4. Monitoring and learning
CoCo recognizes that there are hard controls (policies and procedures) and soft controls
(management philosophy, trust and cooperation) in an organization.
3.5.2 Committee of Sponsoring Organizations of the Treadway Commission
The American contribution to control frameworks was developed in 1992 by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO
is more restrictive than CoCo, and regards internal controls as processes that are
followed by the Board of Directors, senior management, and personnel.
COSO organizes controls into five groups:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
Rather than outline specific criteria, COSO provides “perfect world” examples to be
considered for each component.
3.5.3 Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOX), and its Canadian equivalent (MI 52-109), require that
management publicly disclose the company’s compliance (or lack thereof) with certain
standards of governance and compliance. In other words, the CEO and CFO must
certify that they have:
Established internal controls over financial reporting
Tested those controls
No reason to believe there are any material misstatements of the financial
statements (based on the testing)
This certification must be based on an internal control framework. Although there is no
requirement to use any specific framework, most publicly traded companies
(particularly those traded on American exchanges) tend to adopt COSO.
Few CEOs or CFOs have the knowledge, skills, or time (or independence, or objectivity)
to properly design and test internal controls. As a result, these tasks typically fall to
the internal audit group. Internal auditors usually recommend what controls should be
implemented, test those already in existence, and provide their conclusions to
executive management.
In the United States, an external auditor must also conduct a review of internal controls,
and indicate whether they agree or disagree with management. In Canada, there is no
requirement to have an external auditor concur with management’s assessment.
3.6 Control Self-Assessment
Control self-assessment (CSA) requires all the control processes to be applied to enable
the organization to achieve its goals. It ensures that this responsibility does not fall to
auditors (internal and external), but to management, since controls are tied to managing
and operating the business processes. The CSA process jointly assesses and evaluates
control procedures to ensure that risk management and control processes operate as
required.
3.6.1 Advantages of CSA
It improves awareness about controls in an organization.
It facilitates management interest in control activities.
In the long run, it reduces costs.
3.6.2 Disadvantages of CSA
Its evaluation is often neither independent nor objective.
It is costly in the short run (early implementation years).
It is only suitable for an open management style.
It may become rigid and monotonous with time.
3.7 Governance and Accountability
Governance refers to the responsibilities of senior management and the Board of
Directors to carry out the business in the best interest of the owners (investors), and
their actions to carry out those responsibilities.
Accountability is the obligation to answer for these responsibilities and actions.
Standard 2130 states that “the internal audit activity should assess and make
recommendations for improving the governance process by accomplishing the following:
Promoting appropriate ethics and values in the organization
Ensuring effective organizational performance management and accountability
Effectively communicating risk and control information
Effectively coordinating the activities of and communication among the Board of
Directors, auditors (external and internal), and management.”
In 1994, the Toronto Stock Exchange Committee on Corporate Governance in Canada
released a report on the status of corporate governance in Canada. Among other things,
the report clarified that the role of the Board of Directors should include:
Approving the long-term goals and strategy
Ensuring systems are in place to monitor and manage principal risks
Appointing, training, and planning for the succession of high-calibre management
Ensuring effective communication with shareholders and the general public
Ensuring that effective controls exist for the Board of Directors to carry out these
responsibilities
3.8 Role of the Audit Committee
The full responsibility for corporate governance lies with the Board of Directors.
Individual members may not have the time or knowledge to deal with everything,
including dealing with audit matters. Most boards appoint an Audit Committee to oversee
matters related to financial reporting and internal controls.
Generally, the responsibilities of Audit Committees include:
Oversight of annual financial information
Review of external audit activities and reports
Overseeing the internal audit and control activities in the organization
Ensuring the existence and monitoring of a corporate code of conduct
Review and approval of public disclosures (e.g., press releases) by the organization
The internal auditor and the Audit Committee are not the same:
The internal auditor is responsible for conducting the audit function within the
company.
The Audit Committee is a sub-group of the Board of Directors that oversees the
internal auditor.
Just as the internal audit function should have a charter outlining its responsibilities and
scope (refer back to Module 2), the Audit Committee should also have a written charter.
3.9 Risks Associated with Diversity, Equity, and Inclusion (DEI)
It is now essential to cultivate a diverse, equitable and inclusive workplace. While this is
easy to commit to in writing, it is much harder in practice, as it involves making concrete
improvements in a company’s culture and recruitment practices.
3.9.1 Common risks associated with DEI include:
Employee fatigue.
Backlash against DEI initiatives.
Denial of inequality.
3.9.2 How to minimize risks associated with DEI
Organizations need to set achievable and measurable DEI goals.
Motivate employees to engage in DEI efforts.
Develop a comprehensive DEI policy.
Provide DEI training.
Ensure top-down commitment.
Diversify employee recruitment practices and decision making.
Embed DEI initiatives in the employment process.
Ensure fair compensation practices.
Encourage open dialogue.
Adapt and continuously evolve.
3.10 References
Institute of Internal Auditors (IIA). (2011). International Standards for the Professional Practice of Internal Auditing. IIA Internal Auditing Standards Board. Accessed from: http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/?search=standards
Lever. The essential guide to diversity, equity, and inclusion. https://www.lever.co/resources/the-diversity-and-inclusion-handbook/?utm_medium=paid_search&utm_source=google&utm_campaign=DSA_20216148411&utm_content=c&utm_term=&gad_source=1&gclid=CjwKCAjwyJqzBhBaEiwAWDRJVDYwQGzLreIcEQWLuv0N-12vIoWP6vSTKRKsLdtz9hXRMcbuwhwPvBoCzbgQAvD_BwE
IRM India. Ten steps to reduce risk in Diversity, Equity, and Inclusion (DEI) initiatives. https://www.theirmindia.org/blog/ten-steps-to-reduce-risk-in-diversity-equity-and-inclusion-dei-initiatives/