COSO Framework Feature

If you build a jungle gym by following the instruction manual (assuming instructions are good, all parts are present, and you’re handy), you can feel confident that you’ve built a structurally sound and complete jungle gym that will be safe to swing from.

Just like each area of a jungle gym needs solid attention (lest there be risks), so do the right areas of an audit require attention to maintain the health of a company.

As an auditor, you need to feel confident that you are producing a complete and quality audit. Completeness was a question posed by Brian Rourke and Gretchen Sutcliffe at Analog Devices and National Grid respectively. And what they’ve found is a simple final check during the planning stage to make sure that they’ve covered their bases. The two companies’ internal audit teams gain an added level of confidence by plugging their risks into a controls framework: the COSO framework.

Although SOX auditors are familiar with COSO, leveraging the COSO framework seems to be an untapped reservoir of security for many internal audit shops. The term “COSO framework” might sound intimidating, but it doesn’t need to be. If you’re less familiar with COSO, let’s define it first and then see where you can use it as a tool in your audit planning process.

Defining COSO

In 1992, the Committee of Sponsoring Organization of the Treadway Commission (COSO) originally designed a model for evaluating internal controls.

Think of the COSO framework as the controls “jungle gym” for a company. There are five areas (components) of the jungle gym: control environment, risk assessment, control activities, information and communication, and monitoring. Each area of the jungle gym contains similar building materials (operations, reporting, and compliance) that maintain the structural integrity of each area. Of course, each area is unique, and there are principles that help each area to function. If any area of the jungle gym has building gaps in its structure, then that area poses a risk to the rest of the jungle gym. The same principle applies to business: when one area of the company is weak, it can damage the entire company.

That’s why the SEC requires that companies use a widely recognized controls framework (such as the COSO framework) to address control gaps and reduce risk in the structure of the company.

When planning an audit in a complex and unfamiliar area of the business, internal auditors can use the COSO framework as a tool to gain comfort that all risk areas are considered.

Creating a complete audit plan using a framework

Audits are no longer covering just financial processes. To add value to their organizations, internal auditors are auditing operational, strategic, and compliance processes. As types of audits diversify, you still want to feel comfortable that all the right risks are covered by audit procedures.  

The internal audit teams at both companies use the COSO framework for audit planning. Rourke and his team put the process into perspective.

“If you take a step back, there’s a lot going into planning an audit. You start by doing external research, gathering knowledge of the business, and having discussions with management and process owners. You might even send questionnaires. You gather all this knowledge and create a bucket of risks that are inherent to the process.”

Rourke’s team takes that bucket of risks and benchmarks those risks against the COSO framework (the jungle gym). “As you map risks to the framework’s principles, you can identify gaps, determine what’s missing and whether it’s important or not. If the gaps aren’t important, you can provide the rationale for why you didn’t include them in the audit plan.”

Mapping to a framework that was designed to model a well-controlled company, division, or process can give an auditor the added level of confidence that the risk assessment is whole, with rationale for why some items aren’t in scope. “The way we use COSO is to make sure we’re covering everything we should be covering and give credibility,” says Sutcliffe. “Otherwise, why should a 40-year process veteran listen to an auditor?”

Using the COSO framework

The COSO framework benchmarking process can be as simple or complex as you want to make it.

In Rourke’s example, they use a simple spreadsheet with the COSO framework’s five components and associated principles. They do their normal planning and research and create a set of risks for the audit. Once they have their risk “bucket,” they make sure each risk maps to a part of the COSO framework on the spreadsheet. Once they’ve mapped risk to the spreadsheet principles, they take stock:

“We ask ourselves if there are any principles that don’t have a lot of risks assigned. Our risk population is normally 30-40 risks. There’s a lot to map. But then we might find that one principle has 10 risks and another has only 1. The question is, ‘Am I missing a risk?’ Once we do that, we can more clearly determine what is missing. Maybe it should be out of scope. Or maybe we need to rephrase it. Once we have the risks, we can develop the audit program. We want to make sure controls exist to cover the identified risk.”

Sutcliffe’s team uses various questionnaires to identify risks that ultimately address the COSO principles. The end product is the same: understanding the completeness of the risk assessment and going forward with a quality audit.

Making the time

“The entire process is part of planning. It isn’t a significant addition of time to the process and you gain a lot of security from it,” attests Sutcliffe. Rourke adds, “It’s not meant to change your normal risk assessment process; it is meant as an enhancement.”

Since audit provides assurance to the company, it helps to truly feel like you’ve got it all covered. You find areas of risk, areas of improvement, and sometimes you find principles in one area that the audit client hasn’t even considered. No matter what, confidently benchmarking your audit plan will give you an added boost to producing a quality audit.

Let’s keep the conversation going. Have you used the controls frameworks to benchmark risks in your audits?