Teaching Auditing Students About Internal Controls
From an Internal Audit Perspective
Susanne O’Callaghan, Ph.D., CPA, CIA
Associate Professor of Accounting
Pace University
Lubin School of Business
One Pace Plaza
New York, NY 10038
John P. Walker, Ph.D., CPA
Professor of Accounting
Queens College – CUNY
65-30 Kissena Blvd
Queens, NY 11367
Raymond J. Elson*, DBA, CPA
Assistant Professor of Accounting
Valdosta State University
Langdale College of Business
Valdosta, GA 31698
* Corresponding author
Teaching Auditing Students About Internal Controls
From an Internal Audit Perspective
Introduction
In the Sarbanes-Oxley era there is a real need for a good understanding of the different responsibilities and reliances that can be placed on the work of others. External auditors must have a good comprehension of the types and extent of work that internal auditors do. Since most universities do not provide a stand-alone course on internal auditing, students must rely on what they learn in the mainstream auditing class to obtain their understanding of what an internal auditor does. This paper provides auditing instructors a vehicle for teaching the need for, and the approach to, how internal auditors do their jobs.
Background
Many accounting students will enter the auditing profession upon graduation. They will enter the external auditing profession, the internal auditing profession or work in organizations where they interact with all types of auditors. If these students enter the external auditing profession, they will be expected to interact and understand what internal auditors do in order to rely on the internal auditors work under SAS 65 “The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements” and PCOAB Standard No. 2. But it is difficult for auditing students to understand what value the internal audit function brings to the table as most auditing textbooks have only one chapter on internal auditing. That chapter is usually very vague as to what an internal auditor actually does. This paper provides a simple approach to understanding concepts surrounding the internal auditors’ role in evaluating internal controls so that their employer meets the objectives.
Literature Review
There is very little literature that offers a pedagogical approach to teaching internal auditing. Fernandes (1994) recognizes that accounting education prepares students well for financial auditing. He acknowledges that the traditional auditing course may trigger an interest in internal auditing on the part of the student but the student is basically left to figure out what internal auditing is all about. These same students are not adequately prepared in the areas of business analytical techniques and there is a void in general audit education because of this. He feels that all universities with business and public administration programs should offer at least one course devoted to internal auditing.
Another article by Fernandes, Poposky and Savage (1995) presents the development of an internal audit course curriculum. The author examines and identifies course objectives that would enhance the students’ understanding of both the conceptual and practical aspects of the internal auditor function. They also identify elements of a curriculum that would enhance students’ analytic, critical thinking, written and oral communication, and group/teamwork skills. This article lays out detailed objectives, methods of instruction, professional company involvement and course evaluation but does not go into any detail of content.
Greensawalt and Stinnett (1992) present an excellent case that can be adapted for use in a financial auditing or internal auditing class. It requires students to find an “audit client.” The students then have the task of understanding and documenting the internal control system of either the revenue cycle or the expenditure cycle. The students present a written report and document their understanding of the controls, prepare an internal control review matrix, do evaluations and make oral presentations. This article provides a great outside project but does not provide the audit instructor an in-class demonstration of how a control matrix is prepared.
Our paper provides a unique pedagogical approach to teaching auditing students how to construct a control matrix, an important tool for use in evaluating internal controls.
The Relationship between Internal and External Auditing
Internal auditing is an independent, objective, assurance and consulting activity designed to add value and improve an organization’s operations. Its focus is mainly on evaluating and improving the effectiveness of the organization’s risk management, control and governance processes. External auditing is the systematic process of objectively obtaining and evaluating evidence regarding management assertions in financial statements. Its focus is on communicating any findings to interested users who are mostly external to the organization such as shareholders and the SEC. Both sets of auditing professionals have a use for control matrices.
The Relationships among Organizational Objectives, Threats to Meeting Objectives and Internal Controls
All entities have specific objectives that they must achieve. But all objectives have threats that may threaten their achievement. These threats must be eliminated, avoided, controlled or accepted. By having good controls in place to mitigate the threats, a company is better able to achieve its objectives and therefore places itself in a competitive position. It is management’s responsibility to see that adequate controls are in place. It is the auditor’s responsibility to see that management’s controls are indeed working as planned. The internal auditor’s chief role is to evaluate the design and effectiveness of those controls.
COSO Approach to Developing a Control Matrix
This paper illustrates a control matrix approach that can be used as lecture material (or as a class assignment) in the internal auditing chapter of a traditional textbook or as part of an internal auditing course. This control matrix helps students understand how organization objectives drive the need for controls. A COSO framework is used as the basis for the control matrix development.[1]
The COSO internal control framework states that entities have three objectives: good operations, compliance with rules and regulations and good financial reporting. But there are external and internal threats to having good operations, being in compliance with rules and regulations and having good financial reporting. To achieve organizational objectives and minimize the threats, an entity must have a good internal control system in place. That system should consist of five elements. The entity must have a good control environment, risk assessment procedures, excellent control activities, adequate information and communications and a monitoring mechanism in place.
Auditing students have already learned about COSO in an earlier chapter on internal control so this is a quick internal control review for them. In the internal auditing chapter we move into a more detailed discussion of the internal auditors’ role in evaluating internal controls put in place by management and in the value-added services that internal auditors perform. But there are few examples to really help students internalize what internal auditors do.
Since most students have some understanding as to how restaurants operate, we used a restaurant example to illustrate this approach to teaching internal auditing. We use the COSO framework and a six-step process to create the control matrix. We first illustrate the three objectives of a restaurant. Second, we identify threats to meeting those restaurant objectives. Third, we discuss control objectives necessary to see that the threats are contained. Fourth, we use the five components of a good internal control system to meet the control objectives. Fifth, we then examine the various control activities that management could have in place. Lastly, in the sixth step, we identify steps to be taken by the auditor to assure that control objectives are met.
Teaching Approach
The matrix that follows can be created by the audit instructor by first filling in the first column: the three objectives identified by COSO: operations, compliance with rules and regulations, and monitoring (Table 1.)
Table 1
Restaurant Objective (Column 1)COSO Objectives of Entity
Operations
Compliance
Financial Reporting
Next the instructor can present one threat to each of the restaurant objectives; e.g., a threat to operations is that employees might lose fingers; a threat to being in compliance with rules and regulations is that the restaurant could lose its license if it violates health regulations; a threat to good financial reporting is that restaurant sales may not be recorded accurately (Table 2.)
The third column is completed by identifying the control objectives that management has or should have in place to stop the threats! For example, the operations objective is to stop employees from losing fingers (Table 3.)
Then the instructor fills in the fourth column with the internal control elements. The five individual elements of a good internal control system are the control environment, risk assessment, control activities, information and communication, and monitoring (Table 4.) These internal control elements should ensure that management’s control objectives are met.
Table 2
Threats to Meeting Objectives (Column 2)COSO Objectives of Entity / Threats to the Restaurant
Operations / Employees will lose fingers on sharp equipment
Compliance / Restaurant may lose its license due to not adhering to health regulations
Financial Reporting / Restaurant sales will not be recorded accurately
Table 3
Management’s Control Objectives (Column 3)COSO Objectives of Entity / Threats to the Entity / Control Objective (To stop the Threat-Management’s Responsibility)
Operations / Employees will lose fingers on sharp equipment / To ensure that employees don’t lose fingers on sharp equipment
Compliance / Restaurant may lose its license due to not adhering to health regulations / To ensure that all health regulations are followed so that restaurant does not lose its license
Financial Reporting / Restaurant sales will not be recorded accurately / To ensure that all sales are recorded accurately so that the financial reporting objective is met
The fifth column addresses what management has told the auditor they have put in place to meet the threat belonging to that internal control element. For example, a control environment step that could help keep employees from losing fingers would be the existence of training sessions to show employees how to use the equipment. These are the activities that management has put in place to see that the control objective is met. The instructor continues to identify different evidence that the control objective is being met for each of the internal control elements in column 4 (Table 5.)
Table 4
Internal Control Elements (Column 4)COSO Objectives of Entity / Threats to the Entity / Control Objective (To stop the Threat-Management’s Responsibility) / Internal Control Element (COSO)
Operations / Employees will lose fingers on sharp equipment / To ensure that employees don’t lose fingers on sharp equipment / Control Environment
Same / Same / Risk Assessment
Same / Same / Control Activities
Same / Same / Information and Communications
Same / Same / Monitoring
Compliance / Restaurant may lose its license due to not adhering to health regulations / To ensure that all health regulations are followed so that restaurant does not lose its license / Control Environment
Same / Same / Risk Assessment
Same / Same / Control Activities
Same / Same / Information and Communications
Same / Same / Monitoring
Financial Reporting / Restaurant sales will not be recorded accurately / To ensure that all sales are recorded accurately so that the financial reporting objective is met / Control Environment
Same / Same / Risk Assessment
Same / Same / Control Activities
Same / Same / Information and Communications
Same / Same / Monitoring
Table 5
Evidence That Control Objectives are Being Met (Column 5)COSO Objectives of Entity / Threats to the Entity / Control Objective (To stop the Threat-Management’s Responsibility) / Internal Control Element (COSO) / Evidence that Control Objective is Being Met (Management’s Responsibility)
Operations / Employees will lose fingers on sharp equipment / To ensure that employees don’t lose fingers on sharp equipment / Control Environment / Management provides training sessions for all new employees on how to use equipment safely
Same / Same / Risk Assessment / Management reviews the equipment to make sure that any new equipment is included in training sessions
Same / Same / Control Activities / Safety blades are required to be kept on all equipment when equipment is not is use
Same / Same / Internal Control Element (COSO) / Reminders about equipment safety are posted near all equipment
Same / Same / Control Environment / Management keeps logs of safety walk-throughs to see that equipment is covered when not in use and employees are following safety procedures.
Compliance / Restaurant may lose its license due to not adhering to health regulations / To ensure that all health regulations are followed so that restaurant does not lose its license / Risk Assessment / Management has policies and procedures on all health regulations; all new employees must read and sign off.
Same / Same / Control Activities / Management reviews changes to health code on a regular basis to see if new regulations have added to their risks
Same / Same / Information and Communications / Management has policy that no food should be left out of refrigerator for more than one hour
Same / Same / Monitoring / Signs are clearly posted stating that employees must wash hands after using the bathroom
Same / Same / Control Environment / Management goes through all city health inspection reports and implements all infractions
Financial Reporting / Restaurant sales will not be recorded accurately / To ensure that all sales are recorded accurately so that the financial reporting objective is met / Risk Assessment / Management has policies and procedures for the proper recording of sales by servers and cashiers
Same / Same / Control Activities / Management conducts quarterly reviews to determine if employee turnover has caused changes to the financial procedures
Same / Same / Information and Communications / Management requires use of prenumbered server order forms so that all meals can be accounted for
Same / Same / Monitoring / Management prepares daily server reports to report on all tips for tax purposes; all employees sign form
Same / Same / Control Environment / Management accounts for all prenumbered server order form tickets
Risk Assessment
Control Activities
Information and Communications
Monitoring
But the internal auditor cannot rely on management’s statements alone. So the sixth column illustrates what evidence the internal auditor would ask for to evaluate management’s actions to threats to the restaurant, e.g., if the restaurant’s operating objective is to have good operations and management has stated that they provide training sessions for all employees to show them how to safely use sharp equipment (control environment), then the internal auditor would request and review schedules of past and future training sessions and check that all employees have attended those sessions (Table 6.)
Table 6
Audit Procedures (Column 6)COSO Objectives of Entity / Threats to the Entity / Control Objective (To stop the Threat-Management’s Responsibility) / Internal Control Element (COSO) / Evidence that Control Objective is Being Met (Management’s Responsibility) / Audit Procedure (Auditor’s Responsibility)
Operations / Employees will lose fingers on sharp equipment / To ensure that employees don’t lose fingers on sharp equipment / Control Environment / Management provides training sessions for all new employees on how to use equipment safely / Auditor requests and reviews schedule of past and future training sessions and checks that all employees have attended
Same / Same / Risk Assessment / Management reviews the equipment to make sure that any new equipment is included in training sessions / Auditor requests equipment review reports from management. Examines new equipment. Checks against training sessions
Same / Same / Control Activities / Safety blades are required to be kept on all equipment when equipment is not is use / Auditors sample equipment and inspect to see that safety blades are on equipment not in use
Same / Same / Information and Communications / Reminders about equipment safety are posted near all equipment / Auditor examines signs near all equipment to see that they are posted and in good condition
Same / Same / Monitoring / Management keeps logs of safety walk-throughs to see that equipment is covered when not in use and employees are following safety procedures. / Auditor requests safety walk-throughs logs and determines that comments have been addressed
Compliance / Restaurant may lose its license due to not adhering to health regulations / To ensure that all health regulations are followed so that restaurant does not lose its license / Control Environment / Management has policies and procedures on all health regulations; all new employees must read and sign off. / Auditor examines policies and procedures manual to see that health regulations are included and are current; examines sign off by all employees
Same / Same / Risk Assessment / Management reviews changes to health code on a regular basis to see if new regulations have added to their risks / Auditor examines management’s review of new health codes and evaluates conclusions
Same / Same / Control Activities / Management has policy that no food should be left out of refrigerator for more than one hour / Check for written policy; auditor observes kitchen for food left out; auditor inquires of employees to see if they follow policy
Same / Same / Information and Communications / Signs are clearly posted stating that employees must wash hands after using the bathroom / Auditor visits all bathrooms to see that signs are clearly visible and in good condition
Same / Same / Monitoring / Management goes through all city health inspection reports and implements all infractions / Auditor examines city health inspection reports and inquires if infractions have been corrected
Financial Reporting / Restaurant sales will not be recorded accurately / To ensure that all sales are recorded accurately so that the financial reporting objective is met / Control Environment / Management has policies and procedures for the proper recording of sales by servers and cashiers / Auditor examines policy on recording sales and inquires of servers and cashiers
Same / Same / Risk Assessment / Management conducts quarterly reviews to determine if employee turnover has caused changes to the financial procedures / Auditor requests managements quarterly review of changing circumstances and inquires as to resulting changes
Same / Same / Control Activities / Management requires use of prenumbered server order forms so that all meals can be accounted for / Auditor samples server order forms and checks for completeness
Same / Same / Information and Communications / Management prepares daily server reports to report on all tips for tax purposes; all employees sign form / Auditor samples daily servers’ tip reports to ensure that all tips are accurately reported to the IRS
Same / Same / Monitoring / Management accounts for all prenumbered server order form tickets / Auditor requests management’s report on monitoring prenumbered tickets and inquires as to action taken on missing order forms
After completing the control matrix, the instructor can give the students an easy assignment. Have the students identify three new control objectives: one for operations, one for compliance and one for financial reporting. For instance, other threats to operations might be that the restaurant does not get enough customers to stay in business or that cashiers might steal money. Other threats to compliance might be that the restaurant does not pay fair wages under the Fair Labor Act or that it fails to pass Board of Health inspections. A threat to financial reporting might be that servers allow friends to eat for free.