
CPE for Government Auditors

Blending the Green Book with the Yellow Book

Objectives:

  • Identify the purpose of the GAO’s Green Book.
  • Distinguish between components of internal control.
  • Distinguish between management objectives.
  • Choose a finite subject matter on which to apply controls.
  • Identify the auditor’s responsibilities regarding application of the Green Book.

Most of the changes between the 2011 Yellow Book and the 2018 Yellow Book that we have discussed so far probably have not shocked you. But the change triggered by the Green Book may. The Green Book is the GAO’s version of the COSO model, and its formal title is “Standards for Internal Control in the Federal Government.”

As I travel and teach the 2018 Yellow Book, I have noticed that quite a few auditors are not familiar with the Green Book, the current version of which the GAO published in 2014. This is not good, because the Green Book is by far the biggest change to the Yellow Book.

The Green Book Describes an Ideal Control Structure

The GAO’s Green Book lays out an ideal control structure – a nirvana for internal controls, if you will. And I have never encountered any entity that has achieved this ideal. Yes, I’ve seen some entities achieve control nirvana in some part or aspect of their business. But I have never seen an entire entity under complete control, and I doubt I ever will. I think the lack of perfect internal controls in an organization is a reasonable state of affairs because controls cost money to implement.

However, what I am discussing in this chapter is not the auditee’s responsibility regarding internal controls (which is the focus of the Green Book), but the auditor’s responsibility regarding internal controls. You and I know that the entity you audit has not achieved control nirvana. But instead of just knowing that in your head, the Yellow Book is asking you to document your assessment of the auditee’s internal control status in grand and glorious detail.

Here are some quotes from one of the performance audit chapters in the 2018 Yellow Book that give performance auditors pause. I’ll address financial auditors conducting the Single Audit at the end of the chapter. I added bolding to draw your eye to some new terms that I’d like you to notice.

8.41     Consideration of internal control in a performance audit begins with determining the significance of internal control to the audit objectives and documenting that determination. Some factors that may be considered when determining the significance of internal control to the audit objectives include

  1. the subject matter under audit, such as the program or program component under audit, including the audited entity’s objectives for the program and associated inherent risks;
  2. the nature of findings and conclusions expected to be reported, based on the needs and interests of audit report users;
  3. the three categories of entity objectives (operations, reporting, and compliance); and
  4. the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) and the integration of the components.

8.42     If internal control is significant to the audit objectives, auditors determine which of the five components of internal control and underlying principles are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify whether specific controls are significant to the audit objectives. Determining which internal control components and principles and/or specific controls are significant to the audit objectives is a matter of professional judgment. 

8.47     Approaches for obtaining an understanding of internal control may vary and may include consideration of entity-level controls, transaction-level controls, or both. However, even when assessing only transaction-level controls, it may be beneficial to gain an understanding of entity-level controls that may affect transaction-level controls by obtaining a broad understanding of the five components of internal control at the entity level. This involves considering the relationships between the components, which work together in an integrated manner in an effective internal control system, and the principles of internal control that support each component. In addition to obtaining a broad understanding of internal control at the entity level, auditors may also obtain an understanding of internal control at the transaction level for the specific programs and processes under audit.

Here is an infographic from the Green Book that starts to explain the highlighted terms:

The terms “three categories of entity objectives” appear at the top of the cube and the terms “five components of internal control” appear on the face of the cube. The seventeen “principles of internal control that support each component” are presented in a stack on the bottom left side of the infographic.

Nice Infographic, Now What?

Yes, the cube is cute, and the stack is pretty – but so what? What does all this new language mean to performance auditors, practically? What the cube and the stack are illustrating is the most up-to-date structure for approaching internal controls. This means that performance auditors are going to have to change the way they document internal controls! The GAO is working on a tool right now to help you with this task, but it won’t be published until the spring of 2019.

So, if you want to implement these changes in your internal control documentation right now, you will need to create a tool on your own. HUD has developed a tool that might get your creative juices flowing. Google “HUD IC Questionnaire 17 principles” to find it.

How are COSO and the Green Book Related?

But before we get too far along, let’s look at how the Green Book is related to the COSO (Committee of Sponsoring Organizations of the Treadway Commission) model and what our profession is trying to accomplish with both. As we will see, the Government Accountability Office (GAO) bases the Green Book on the COSO model.

The GAO Pushed for Better Controls in 1983.

In addition to auditing federal agencies and reporting the results back to Congress, the GAO also advises executive agencies on how to make government more efficient and effective. The Federal Managers’ Financial Integrity Act of 1982 (FMFIA) requires the GAO to establish standards for internal control in the federal government. The GAO made its first effort toward such a standard in 1983.

In the opening letter to this first version of the Green Book, the Comptroller General of the GAO said:

In the past decade, numerous situations came to light that dramatically demonstrated the need for controls as the Government experienced a rash of illegal, unauthorized, and questionable acts which were characterized as fraud, waste, and abuse. It is generally recognized that good internal controls would have made the commission of such wrongful acts more difficult. Consequently, increased attention is being directed toward strengthening internal controls to help restore confidence in Government and to improve its operations.

I wonder what the Comptroller General would think of the hijinks in the government realm since that initial Green Book was issued more than 30 years ago!

Congress Pushed for Better Controls in 1977, and the Treadway Commission Was Formed

Six years before the Federal Managers’ Financial Integrity Act, corporate fraud was already getting the attention of Congress. In 1977, Congress enacted the Foreign Corrupt Practices Act (FCPA) after 400 US corporations admitted that they had made questionable or illegal payments to foreign officials while conducting business in other countries. In response, the Treadway Commission, a private-sector initiative, was formed in 1985 to inspect, analyze, and make recommendations on fraudulent corporate financial reporting.

The COSO Report Was Issued in 1992

As a result of the Treadway Commission’s initial report, the Committee of Sponsoring Organizations (COSO) was formed. COSO retained Coopers & Lybrand, a major CPA firm, to study the issues and create a report on controls. This report was titled Internal Control – Integrated Framework and was issued in 1992.

And for the first time, we were introduced to the COSO cube that many of us use in our work today.

Over time, the COSO model, as it came to be called, was integrated into various auditing standards, including the American Institute of CPAs auditing standards, the GAO’s Generally Accepted Government Auditing Standards (the aforementioned Yellow Book), and the Institute of Internal Auditors’ professional literature.

SOX Renewed Interest in the COSO Model in 2002.

After a spate of corporate financial scandals (Enron, WorldCom, etc.) at the turn of the century, Congress passed the Sarbanes-Oxley Act (SOX) in 2002. The Sarbanes-Oxley Act requires that publicly traded companies in the United States certify that their internal controls over financial reporting are effective. Most corporations used the COSO model as the framework to guide this assessment.

The COSO Model and Report Were Revised in 2013

The COSO model was revised in 2013, more than 20 years after its initial creation. The 2013 revision didn’t alter the cube very much. The side of the cube now uses the term “division” instead of “unit,” and a few titles were changed: “financial reporting” on the top of the original cube became the broader “reporting,” and “monitoring” on the face of the cube became “monitoring activities.”

These changes are minor compared to what COSO did to the text of the report. The original 1992 COSO report was presented in narrative form using lengthy, complex paragraphs. The 2013 version breaks each of the five elements on the face of the cube into 17 principles, and then these principles are further broken into 81 points of focus. Breaking down the narrative into smaller, more digestible concepts makes the document much easier to scan and, thus, to use. The 2013 version of the COSO model is available online for $99-270, depending on whether you want a piece of the document or the entire set of literature.

The GAO Published the Green Book in 2014

In September 2014, the GAO revised the Green Book. The 2014 version replicates the 2013 version of the COSO model but changes some terminology to customize the model for the government environment. The Green Book is free online. Get it by Googling “GAO Green Book.”

The COSO Model Has Three Main Dimensions.

The COSO model and the Green Book both represent controls using the three dimensions of a cube. The top of the cube describes WHY you need controls. The side of the cube describes WHAT you will control, and the face of the cube tells you HOW to implement controls.
Let’s talk first about the dimension of the cube that is the most difficult to grasp – the face of the cube which lists the five components of internal control. We will discuss the side and the top next.

The Five Components of Internal Control

The five components of internal control listed on the face of the cube are:

  1. control environment
  2. risk assessment
  3. control activities
  4. information and communication
  5. monitoring

I need to admit, right up front, that I have never ‘clicked’ with the face of the cube. You know how some business models just make you say to yourself, “Yes, of course, that is how it is!” For instance, the “Plan, do, check, act!” model. Those four steps – plan, do, check, act – are intuitive and sensible. The five components of internal control? Not so much.

Here is how I make sense of the five components (Warning: this appears nowhere in COSO literature!):

First, the organization needs to ask what risks it is facing. Once it has done this risk assessment, it can apply control activities to keep those risks from materializing. Then valid reports need to be generated that provide information to, and communicate with, the stakeholders who need to know how well the controls are working. The organization should not just assume, but monitor to ensure, that the control activities and reports it put in place to tamp down risk are working. And all of this effort needs to take place within an encouraging, nurturing environment that appreciates and supports controls.

Does it still sound like Greek? Let’s dig a tiny bit deeper. Let’s begin with an overview of the five components starting where the cube starts, with the control environment.

Do You Care about the Environment?

The control environment component directly addresses the attitudes of the leaders of an organization toward controls. You will also hear this component described as ‘tone at the top.’ If the leaders of an organization are uninterested in excellence in operations, strict compliance with laws and regulations, and accurate and transparent reporting, efforts toward those objectives by the employees will fail.

I have seen a wide variety of control environments, as I am sure you have. Some control environments are strong and reassuring. Others vary from strong to weak depending on who is in the leadership position, and others are crazy disasters that eventually implode. And no matter the size of your entity, the leadership’s attitude permeates the whole organization. One of my jumbo clients sells groceries in 28 countries. Since I am also a customer of this grocery retailer, I was very pleased to hear an executive in charge of food safety initiatives talk openly and emotionally about his responsibilities to keep customers safe.

He began his presentation by sharing the pictures of children in his briefcase that he looks at every day. These were not pictures of his children, but of children who had died of foodborne illness from all food sellers – groceries and restaurants – in the United States. Then he began to share statistics about how vulnerable children are to foodborne illnesses. It was clear from talking to his grocery managers that his serious attitude toward a serious risk had also affected their attitudes and, therefore, controls.

If his powerful message permeated such a large organization, imagine how much more the viewpoint of a leader in a small organization affects controls. Smaller organizations are particularly vulnerable to the attitudes of the leadership.

Regrettably, I agreed to be the treasurer for a small organization, the local chapter of the National Speakers Association, and served for three years. We had about thirty members and six of them were on the board. The tone at the top dramatically altered the control environment every time we elected a new president.

Most of the members of the local chapter were motivational speakers, and some of them thought that if you just believed something with all your heart and mind, you could wish anything into existence. So, when I informed them at our first board meeting that I had carefully looked over the books and that we were close to bankruptcy, the response from the president was, “Well, if we just think positive thoughts, everything will work out.” A few meetings later, my less-than-positive prognosis came true. We were broke and couldn’t pay the hotel after our monthly Saturday meeting.

The chapter’s president conveniently disappeared after I informed her of this fact. Luckily, one of our successful and moneyed members named Jim stepped in and paid the bill.

Our new savior, Jim, was immediately appointed president. Jim was a six-and-a-half-foot tall ex-Marine who knew how to lead. At our first board meeting, he told the group that we were going to set a strict budget, and that we were going to talk about it at every meeting. All expenditures had to be approved by me before they were incurred. I silently clapped and cheered in my little accounting heart!

Everyone on the board was paying attention to my financial presentation at meetings (or at least they looked like they were paying attention), and I felt great about my role as treasurer. By the end of Jim’s term, we had built our bank account balance up to a healthy $14,000.

But, when Jim’s term was up, the group elected sweet John to be our leader. John preferred to spend the board meeting hugging and vision casting rather than worrying about tacky old money. At our first meeting under John’s leadership, we all discussed relaxation techniques – which just happened to be the focus of John’s signature speech. The group again began to ignore the budget, and by the end of John’s term, we were again near bankruptcy.

I realized that I would only be successful as a treasurer with the chapter if I had the strong support of the president. It didn’t matter how wonderful and clear and compelling my budget presentations were (and I tried everything I could to wake them up to the reality of the situation – emoticons, colors, graphics, dancing, singing). I was ignored. Only when Jim created an environment of compliance and fiscal restraint did the controls over our finances work.

My situation as a powerless treasurer plays out on larger, more important scales all the time. Do you remember the financial executive at Enron, Sherron Watkins, who wrote a memo to the chief executive about Enron’s fraudulent financial statements? The leadership didn’t want to hear it and published the erroneous financial results for public consumption. No matter how well she did her job, without the support of the organization’s leadership, her efforts were thwarted.

Controls Mitigate Risks

The second component – risk assessment – is all about making sure we put our resources toward things that matter. We don’t need controls over things we aren’t worried about. Controls are created to mitigate or reduce risk.

Here is a personal example: My family has two cars. One represents more risk to us than the other because it is worth more money. Let me begin by saying that my husband and I only buy used cars and pay cash for them. I was raised in new or nearly new cars. My father bought a new car every few years and still does. But now that I am paying the bills, I appreciate my husband’s view that new cars waste money.

My husband has been driving the same Toyota Sienna minivan (that we, of course, bought used) for the past 10 years or so. It has over 200,000 miles on it and doesn’t show any sign of stopping. It looks like a hideous, rolling pile of retro junk. It is worth about $1000 per the Kelley Blue Book.

Recently, I bought a beautiful, jumbo Lexus sedan with 100,000 miles on it. The sedan cost us around $18,000. We park my Lexus in the garage and repair every little ding. The minivan is always exposed to the weather, and if it gets a ding, my husband reasons that it only adds to its character. Because more of our money is at risk in the Lexus (and more of my ego is on the line with the Lexus!), we treat it better and we endeavor to control what happens to it. When a hailstorm hits – as they do at least once a year here in Austin – my husband’s first question is, “Is the Lexus in the garage?”

What do you care about in your organization? Is it that your assets are safeguarded? Is it that your customers and employees are safe? Maybe you care the most about making a difference to the disadvantaged? While it would be nice to have the time and the resources to worry and control everything, no individual or organization in the history of the world has been able to pull that off.

What a risk assessment does is lay out all of the possible things you might care about on the table (or in an Excel table!). It gives you a way of ranking them and deciding where you will focus your efforts. Controls cost time and money, and you want to be intentional about applying them.

I have seen a wide variety of risk assessment models and risk assessment documentation. You can really go nuts refining the risk assessment and contemplating every eventuality, but at a very basic level, all you have to do is decide if you care. Simply ask yourself what could go wrong. And if you don’t care about the resulting answer, you don’t need any controls over it. So, if I ask myself whether I will care if my Lexus suffers hail damage, I would say that I care – the minivan, not so much.

What Most People Think of When They Think of Controls

The third component – control activities – is what most auditors think of when they think of applying controls. Control activities include such things as segregation of critical duties, transaction approvals, timely reviews of transactions, and documentation.

Figure 6 of the Green Book contains a fabulous list of control activities:

Figure 6: Examples of Common Categories of Control Activities

  1. Top level reviews of actual performance
  2. Reviews by management at the functional or activity level
  3. Management of human capital
  4. Controls over information processing
  5. Physical control over vulnerable assets
  6. Establishment and review of performance measures and indicators
  7. Segregation of duties
  8. Proper execution of transactions
  9. Accurate and timely recording of transactions
  10. Access restrictions to and accountability for resources and records
  11. Appropriate documentation of transactions and internal controls

You Aren’t in This Alone!

Information and communication, the fourth component, acknowledges that you aren’t in this all by yourself. Various stakeholders need to keep informed about what is going on.

Any endeavor will generate critical information and this information will allow stakeholders to evaluate the success of the organization’s efforts. The information and communication component asks the manager who they need to communicate with, what they need to share, and whether the data the manager is sharing is valid.

Hopefully, You Are Being Carefully Watched, But Not in a Creepy Way

Just performing a risk assessment, applying control activities, and communicating with stakeholders is not enough. Unfortunately, we aren’t done. We need the final component – monitoring.

We can’t just set things up and hope that they run on their own forever and ever. Over time, controls slip away and atrophy. Somehow, we need to monitor to make sure that controls are working as intended and make corrections when they aren’t working as intended. And, let’s be honest here, things never work exactly as we intend.

What this means is, that if you are following the COSO model, someone will be watching! It is best if this someone can be honest about what they see without suffering any consequences, and they might watch continually or just occasionally.

We auditors apply the monitoring component and the information and communication component to our own audit quality control system by creating an annual monitoring report.

Summarizing Five Components of Control

Let’s recap. First you have to decide what you care about and what risks you are unwilling to tolerate. You then apply control activities to the risks you aren’t interested in experiencing. You need to share the data your activities generate (information and communication) with stakeholders and set up a monitoring function to make sure that everything you have put in place to mitigate the risks is operating as intended. All of this needs to take place within an environment that values and supports controls.

The Top and Side of the Cube: A Little Whine with That Cheese?

In order to make the top and the side of the cube come alive here, I am going to talk about my tiny little operation. And I am probably going to come off as a little whiney in places.

You see, I suffered an embarrassing failure in my business that I am still smarting over. Have you ever seen that poster on Despair, Inc.’s website of a shipwreck? Underneath it is says, “It could be that the purpose of your life is only to serve as a warning to others.” Sometimes I feel like that. See? Whiney.

My Little Idea That Became a Big Set of Processes

Since I like to write, I decided that I should start writing self-study books and selling them through other continuing professional education providers and on my own website. If anyone had told me how involved this idea was going to be before I started, I would have probably stopped right there. But luckily, I was innocent, unaware, and hopeful.

I knew before I started that writing a book is pretty involved. Writing the text is just the beginning; the text has to be edited, revised, and formatted. Lots of processes for that.

My idea to sell to other vendors involved maintaining relationships with those vendors, creating and managing contracts, and lots and lots of communication. Process, process, process.

And since I wanted to sell the books on my website, I needed a website that would allow folks to buy things – so I needed an online store. Process. Since I wanted students to be able to buy and take an online quiz and get credit for the courses online, I had to work with programmers for years and years and years to create the quiz and automatic grading software. Process.

Do I need to go on? Because I can . . . I so can. But I’ll stop there and point out that everything I have described so far would be categorized as ‘operating’ on the top of the cube.

Let’s talk about the top of the cube for a minute…

The Top of the Cube

The top of the cube represents management’s objectives. In less fancy terms, it answers the question, “Why bother having controls?” Yes, as we said in an earlier chapter, controls are there to mitigate risk. But we wouldn’t even have a risk unless we decided to do something, to act in the world. I wouldn’t need controls and processes over my self-studies if I hadn’t decided to write and sell self-study books.

The management objectives at the top of the cube help us categorize why we do things. The top of the cube has three management objectives: operations, reporting, and compliance.

If management is concerned with operations, they are concerned that they deliver their goods and services while efficiently using their entity’s resources. If management is concerned about reporting, they are focused on making sure that reports generated for stakeholders are reliable. For instance, the entity needs to ensure that the financial statements it publishes and sends to regulators are accurate. And if the entity is concerned about compliance, they are making sure that they stay in line with laws and regulations.

I was mistaken that my business was mostly about writing (process or operations). It ended up being mostly about compliance.

Compliance Ate My Lunch

I recognized that no one would read my books for grins. I mean, who wants to read a 300-page book entitled “The Yellow Book Interpreted” for fun and information only? I knew that I had to offer my books for continuing professional education credit or they wouldn’t sell at all. To qualify for continuing professional education credits for CPAs, I had to register with NASBA (the National Association of State Boards of Accountancy).

Years ago, the thought of working with NASBA was slightly intimidating but not prohibitively intimidating. But it seems that I chose a very bad moment to enter the market. As I was authoring my first books, NASBA was busy tightening up its requirements. This meant that I had to add all sorts of components to my books, including quiz questions that are hard to answer. By hard to answer, I mean I have to write the questions in such a way that the answer isn’t obvious – sort of like the obscure questions on the CPA exam. Oh joy! I never imagined myself as a question writer, but I embraced my new task and sent my first book into NASBA for testing. I passed and started selling my books.

All was well until my testing software started failing here and there, and I decided to create a new software program. The next time NASBA ran their test using my new software, they were able to find a flaw in the software that allowed students to jimmy the system and earn credit without taking the quiz. NASBA yanked my license. Huge, embarrassing ouch!

All the clients I had cultivated dropped me like a hot potato. I had to start the lengthy process of fixing the bugs in the software and applying for the license again. NASBA put the review of my courses on the back burner, and it took an entire year for them to review my courses and reinstate my license.

Compliance had eaten my lunch, and my dinner, and my midnight snack.

I won’t go into details about the remaining management objective, reporting, but as you can imagine, I must report to several regulatory bodies every year so that they can ensure I am staying in compliance. One regulatory body requires that I write out every course I offer on a teeny-tiny spreadsheet by hand! Electronic submissions are not allowed. Every course and every student must be tracked and maintained in reports that fit each regulator’s demands. Another process and another set of controls.

All organizations take on the same three areas – operations, compliance, and reporting when they decide to act.

Now for the Right-Hand Side of the Cube

If I told you that you needed to develop controls over the entire planet and keep everyone in line, you wouldn’t be too happy.

How about if I asked you to control the United States? Still too big a task? How about Texas? Yes, too big. How about Austin, Texas? No. How about the state capitol complex in Austin, Texas? Getting closer.

What if I asked you to control the north door of the state capitol to ensure that all people entering the capitol building are screened by the Capitol Police? Now, I can work on controls for that! But anything larger, and I get overwhelmed.

And being overwhelmed probably means that I am going to approach the subject in a disorganized way. And being disorganized usually leads to leaving something important undone.

The whole point of the COSO cube is to help us organize our thoughts. The top organizes our purpose in creating controls, the front organizes the types of controls, and the right-hand side simply helps us pick a subject – an area to work on. The side of the cube organizes the subject of our controls. This model lists the subject matter of controls as:

  • Entity
  • Division
  • Operating Unit
  • Function

Here is an example from a fictional university:

  • Entity: University of Universal Understanding (UUU)
  • Division: Philosophy Department
  • Operating Unit: Dean Supreme’s Office
  • Function: Curriculum development and divination

To me, the cube doesn’t go far enough in breaking the subject down into manageable, controllable pieces. I imagine that the function “curriculum development and divination” involves a process, and each step of the process should be controlled. I advise you to break the subject matter into small enough pieces that it is obvious what the controls should be. For instance, the process of revising and re-publishing my books is a discrete subject matter. In order to tackle it, I had to break the process into a dozen major steps. And then for a good number of those steps, I had to layer on controls. The result is a two-page checklist with over 20 items that involves five people to complete!

If I had imagined creating controls at a higher level – say for my whole self-study business – I would have gotten hopelessly lost. And my self-study business is just one of five ways I make a living. If I had just started the layering on of controls at that high level, the result would have definitely ended up as a hodge-podge of controls and processes that didn’t get the job done.

So, to summarize: the top of the cube tells us why we develop controls and the right-hand side helps us decide exactly what we are going to control.

Another Layer of Detail

Because the face of the cube is a little too summarized for COSO and the GAO, both have broken the components on the face into 17 principles as follows:
CONTROL ENVIRONMENT
  1. The oversight body and management should demonstrate a commitment to integrity and ethical values.
  2. The oversight body should oversee the entity’s internal control system.
  3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
  4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
  5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.

RISK ASSESSMENT

  6. Management should define objectives clearly to enable the identification of risks and define risk tolerances.
  7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.
  8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
  9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.

CONTROL ACTIVITIES

  10. Management should design control activities to achieve objectives and respond to risks.
  11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
  12. Management should implement control activities through policies.

INFORMATION AND COMMUNICATION

  13. Management should use quality information to achieve the entity’s objectives.
  14. Management should internally communicate the necessary quality information to achieve the entity’s objectives.
  15. Management should externally communicate the necessary quality information to achieve the entity’s objectives.

MONITORING

  16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
  17. Management should remediate identified internal control deficiencies on a timely basis.

What Does All This Mean for the Auditor?

The purpose of the Green Book is to encourage governments to implement strong, well thought out controls. The purpose of the Yellow Book is to encourage auditors to perform convincing and thorough audits. By integrating the Green Book into the Yellow Book, the GAO is requiring performance auditors, whenever internal control is significant to the audit objectives, to evaluate controls using all of the dimensions of the cube plus the 17 principles. This means that auditors’ internal control documentation must change to include the 17 principles.

Theoretically, as auditors use the new model to evaluate governments, the governments will be encouraged to adopt the model in their own organizations and thus strengthen their controls.

In the intro to the chapter, we looked at these requirements from the performance audit chapter of the Yellow Book:

8.41     Consideration of internal control in a performance audit begins with determining the significance of internal control to the audit objectives and documenting that determination. Some factors that may be considered when determining the significance of internal control to the audit objectives include

  1. the subject matter under audit, such as the program or program component under audit, including the audited entity’s objectives for the program and associated inherent risks;
  2. the nature of findings and conclusions expected to be reported, based on the needs and interests of audit report users;
  3. the three categories of entity objectives (operations, reporting, and compliance); and
  4. the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) and the integration of the components.

8.42     If internal control is significant to the audit objectives, auditors determine which of the five components of internal control and underlying principles are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify whether specific controls are significant to the audit objectives. Determining which internal control components and principles and/or specific controls are significant to the audit objectives is a matter of professional judgment.

8.47     Approaches for obtaining an understanding of internal control may vary and may include consideration of entity-level controls, transaction-level controls, or both. However, even when assessing only transaction-level controls, it may be beneficial to gain an understanding of entity-level controls that may affect transaction-level controls by obtaining a broad understanding of the five components of internal control at the entity level. This involves considering the relationships between the components, which work together in an integrated manner in an effective internal control system, and the principles of internal control that support each component. In addition to obtaining a broad understanding of internal control at the entity level, auditors may also obtain an understanding of internal control at the transaction level for the specific programs and processes under audit.

Hopefully now, after we have covered those terms, those paragraphs hold more meaning. But it also may scare you a little bit because it is new and it is detailed!

To Save Time

As you can tell, documenting internal controls is going to be a lot of work! But before you start looking for another job, there is something you can do to minimize the documentation. You can refine your objective early in the audit process!

The Yellow Book says auditors are only responsible for documenting internal controls that are relevant to the audit objective. Thank you, GAO! So, the more specific you are about your audit objectives, the fewer controls you will end up having to document!

Here is the paragraph that allows you to focus on documenting only the controls that are relevant to your audit objective:

8.49     If internal control is determined to be significant to the audit objectives, auditors should assess and document their assessment of the design, implementation, and/or operating effectiveness of such internal control to the extent necessary to address the audit objectives. 

If you dig into controls AFTER you have performed your inherent risk assessment and refined your audit objectives, you will conserve precious audit resources and, maybe, be able to tolerate your job for another year or two.

How the Green Book Affects Financial Auditors

Currently, the financial audit chapter of the Yellow Book does not emphasize the Green Book. This is because the AICPA has not adopted the 2013 version of the COSO model with the 17 principles. The AICPA is still working with the original version of the COSO model without the principles. So, if you are performing a straight-up financial audit, you don’t have to worry about documenting the 17 principles.

If you are performing the Single Audit, you do need to apply the new model, including the 17 principles, because the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (the Uniform Guidance) refers to the Green Book. And as we just read, the Green Book structure includes the 17 principles. Check out this quote from the Uniform Guidance directed at the auditee:

200.303 Internal Controls
The non-Federal entity must:
(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal Award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

And check out this requirement directed at the auditor regarding internal controls over compliance; note the explicit reference to the Green Book.

200.514 (c) Internal control. (1) The compliance supplement provides guidance on internal controls over Federal programs based upon the guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States and the Internal Control—Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2) In addition to the requirements of GAGAS, the auditor must perform procedures to obtain an understanding of internal control over Federal programs sufficient to plan the audit to support a low assessed level of control risk of noncompliance for major programs.

This lands auditors working on the compliance portion of the Single Audit in the same position as performance auditors; they will have to evaluate and document the auditee’s application of all 17 principles. Fun-ness!

Pulling It All Together

What’s the matter with the crowd I’m seeing?
“Don’t you know that they’re out of touch?”
Should I try to be a straight-A student?
“If you are then you think too much.
Don’t you know about the new fashion, honey?
All you need are looks and a whole lot of money?”
It’s the next phase, new wave, dance craze, anyways
It’s still rock and roll to me.
Everybody’s talkin’ ‘bout the new sound
Funny, but it’s still rock and roll to me.
It’s Still Rock and Roll to Me, Billy Joel

Objectives:

  • Sequence the steps of developing an internal control structure

Whew!  You made it. We are in the last chapter! Congrats, you have held on through a long case study and a complicated model.

In this final chapter, we are taking another look at the steps of creating a control structure from scratch which will also serve as a review of this text. I will quote various excerpts from the Green Book as I go.  Also, we will address what happens when auditors visit to evaluate your controls.

Steps of developing controls

As I see it, the steps of developing controls are as follows:

1. Choose a subject matter

Maybe you have been asked to develop controls for a whole organization or just a segment of an organization.  In either case, you will benefit from breaking your subject matter down into smaller more defined segments because it is easier to imagine controls for something specific than to imagine controls for something broad.

For instance, if I asked you to control the University of Michigan, you would probably walk out the door never to come back!  But if I asked you to control student financial aid at the University of Michigan, you would feel better.  If I asked you to set up controls to make sure that student financial aid at the University of Michigan is distributed on time, you’d feel super because that is very doable!

The side of the COSO cube prompts us to break the subject matter down into segments.  In the COSO and Green Book literature, the side of the cube is dubbed the ‘levels of organizational structure.’  I think of it instead as ‘what’ you are planning to control.

2. Focus on what is risky

Now that you have broken the organization up into segments, you can home in on the segments that are the most likely to cause trouble.

Risk assessment is the second control component on the face of the COSO model, but it is, in practice, the first component you consider when establishing controls.

For each piece, you ask four questions:

  1. What could go wrong?
  2. So what?
  3. How big of a deal is the ‘so what?’
  4. How likely are things to go wrong?

Here are the terms the Green Book uses for all of these questions:

  1. What could go wrong? The Green Book calls the answer to this question ‘identified risks.’
  2. So what?  The Green Book calls this ‘significance.’
  3. How big a deal is the so what?  The Green Book calls this ‘magnitude.’
  4. How likely are things to go wrong?  The Green Book calls this ‘likelihood.’

From the Green Book:

7.05 Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Significance refers to the effect on achieving a defined objective. 

7.06 Management estimates the significance of the identified risks to assess their effect on achieving the defined objectives at both the entity and transaction levels. Management estimates the significance of a risk by considering the magnitude of impact, likelihood of occurrence, and nature of the risk. Magnitude of impact refers to the likely magnitude of deficiency that could result from the risk and is affected by factors such as the size, pace, and duration of the risk’s impact. Likelihood of occurrence refers to the level of possibility that a risk will occur. The nature of the risk involves factors such as the degree of subjectivity involved with the risk and whether the risk arises from fraud or from complex or unusual transactions. The oversight body may oversee management’s estimates of significance so that risk tolerances have been properly defined. 

3. Decide if you want to tolerate the risk

When you are confronted with a risk, you have four choices of how to handle it:  you can accept it and live with the possible consequences, you can avoid it by not doing the activity, you can mitigate it by layering on controls or you can ask someone else to take on responsibility for it.

If you choose to keep doing the activity that causes the risk, but you’d rather not suffer the consequences of that choice, you will proceed through the rest of the steps laid out here to create the controls that mitigate the risk.  Mitigate is a fancy word for ‘reduce.’

From the Green Book:

7.08 Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective. Management designs overall risk responses for the analyzed risks based on the significance of the risk and defined risk tolerance. These risk responses may include the following: 

  • Acceptance - No action is taken to respond to the risk based on the insignificance of the risk. 
  • Avoidance - Action is taken to stop the operational process or the part of the operational process causing the risk. 
  • Reduction - Action is taken to reduce the likelihood or magnitude of the risk. 
  • Sharing - Action is taken to transfer or share risks across the entity or with external parties, such as insuring against losses. 

8.06 Management analyzes and responds to identified fraud risks so that they are effectively mitigated. Fraud risks are analyzed through the same risk analysis process performed for all identified risks…

4. Come up with a control objective

In order to focus your efforts and make sure that everyone is clear about what you are working toward, the Green Book recommends you come up with a clear control objective.

The Green Book talks about objectives in two layers.  In one layer, the GAO asks you to consider ‘why’ you want to control something.  Is it because you are concerned about operations, compliance or reporting? The GAO calls these ‘categories of objectives’ and they are listed on the top of the cube.

[Figure: the COSO cube]

OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved (see fig. 2). These objectives and related risks can be broadly classified into one or more of the following three categories: 

  • Operations - Effectiveness and efficiency of operations 
  • Reporting - Reliability of reporting for internal and external use 
  • Compliance - Compliance with applicable laws and regulations 

OV1.02 These are distinct but overlapping categories. A particular objective can fall under more than one category, can address different needs, and may be the direct responsibility of different individuals.

Operations Objectives

OV2.19 Operations objectives relate to program operations that achieve an entity’s mission. An entity’s mission may be defined in a strategic plan. Such plans set the goals and objectives for an entity along with the effective and efficient operations necessary to fulfill those objectives. Effective operations produce the intended results from operational processes, while efficient operations do so in a manner that minimizes the waste of resources. 

OV2.20 Management can set, from the objectives, related subobjectives for units within the organizational structure. By linking objectives throughout the entity to the mission, management improves the effectiveness and efficiency of program operations in achieving the mission. 

Reporting Objectives 

OV2.21 Reporting objectives relate to the preparation of reports for use by the entity, its stakeholders, or other external parties. Reporting objectives may be grouped further into the following subcategories: 

  • External financial reporting objectives - Objectives related to the release of the entity’s financial performance in accordance with professional standards, applicable laws and regulations, as well as expectations of stakeholders. 
  • External nonfinancial reporting objectives - Objectives related to the release of nonfinancial information in accordance with appropriate standards, applicable laws and regulations, as well as expectations of stakeholders. 
  • Internal financial reporting objectives and nonfinancial reporting objectives - Objectives related to gathering and communicating information needed by management to support decision making and evaluation of the entity’s performance. 

Compliance Objectives

OV2.22 In the government sector, objectives related to compliance with applicable laws and regulations are very significant. Laws and regulations often prescribe a government entity’s objectives, structure, methods to achieve objectives, and reporting of performance relative to achieving objectives. Management considers objectives in the category of compliance comprehensively for the entity and determines what controls are necessary to design, implement, and operate for the entity to achieve these objectives effectively. 

OV2.23 Management conducts activities in accordance with applicable laws and regulations. As part of specifying compliance objectives, the entity determines which laws and regulations apply to the entity. Management is expected to set objectives that incorporate these requirements. Some entities may set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity. 

But later in the book, the GAO drills down into the categories and describes the need for a specific, customized control objective.

6.02 Management defines objectives in specific and measurable terms to enable the design of internal control for related risks. Specific terms are fully and clearly set forth so they can be easily understood. Measurable terms allow for the assessment of performance toward achieving objectives. Objectives are initially set as part of the objective-setting process and then refined as they are incorporated into the internal control system when management uses them to establish the control environment. 

6.03 Management defines objectives in specific terms so they are understood at all levels of the entity. This involves clearly defining what is to be achieved, who is to achieve it, how it will be achieved, and the time frames for achievement. All objectives can be broadly classified into one or more of three categories: operations, reporting, or compliance. Reporting objectives are further categorized as being either internal or external and financial or nonfinancial. Management defines objectives in alignment with the organization’s mission, strategic plan, and performance goals. 

6.04 Management defines objectives in measurable terms so that performance toward achieving those objectives can be assessed. Measurable objectives are generally free of bias and do not require subjective judgments to dominate their measurement. Measurable objectives are also stated in a quantitative or qualitative form that permits reasonably consistent measurement. 

Our objective was, “Do controls deter the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?”

5. Compare the baseline to the ideal

Now it is time to talk to managers and find out if there are any existing controls in place.  This will be your baseline of controls.

16.02 Management establishes a baseline to monitor the internal control system. The baseline is the current state of the internal control system compared against management’s design of the internal control system. The baseline represents the difference between the criteria of the design of the internal control system and condition of the internal control system at a specific point in time. In other words, the baseline consists of issues and deficiencies identified in an entity’s internal control system. 

16.03 Once established, management can use the baseline as criteria in evaluating the internal control system and make changes to reduce the difference between the criteria and condition. Management reduces this difference in one of two ways. Management either changes the design of the internal control system to better address the objectives and risks of the entity or improves the operating effectiveness of the internal control system. As part of monitoring, management determines when to revise the baseline to reflect changes in the internal control system. 

Next, you will compare the baseline to the ideal:  the list of 17 principles.  When management has not already addressed a principle with a control or two, then you will need to design a control for that principle.  Remember, in order to judge a control system as effective, all five components and the underlying 17 principles should be in place!

OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective. 

Appendix I: The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system. The 17 principle requirements of the Green Book are as follows: 

  1. The oversight body and management should demonstrate a commitment to integrity and ethical values. 
  2. The oversight body should oversee the entity’s internal control system. 
  3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives. 
  4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals. 
  5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities. 
  6. Management should define objectives clearly to enable the identification of risks and define risk tolerances. 
  7. Management should identify, analyze, and respond to risks related to achieving the defined objectives. 
  8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks. 
  9. Management should identify, analyze, and respond to significant changes that could impact the internal control system. 
  10. Management should design control activities to achieve objectives and respond to risks. 
  11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks. 
  12. Management should implement control activities through policies. 
  13. Management should use quality information to achieve the entity’s objectives. 
  14. Management should internally communicate the necessary quality information to achieve the entity’s objectives. 
  15. Management should externally communicate the necessary quality information to achieve the entity’s objectives. 
  16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. 
  17. Management should remediate identified internal control deficiencies on a timely basis. 

6. Consider cost 

Before you run out and implement all of the controls you designed in the last step, stop and think about how much each of the controls is going to cost you.  Do you need to invest in technology to make the control work?  Or do you need to beef up your staff?  Also, consider whether the new controls will slow down processes and frustrate employees, suppliers and customers.  Excessive controls are also known as ‘red tape’ and ‘burdensome bureaucracy!’

OV4.07 Management may decide how an entity evaluates the costs versus benefits of various approaches to implementing an effective internal control system. However, cost alone is not an acceptable reason to avoid implementing internal controls. Management is responsible for meeting internal control objectives. The costs versus benefits considerations support management’s ability to effectively design, implement, and operate an internal control system that balances the allocation of resources in relation to the areas of greatest risk, complexity, or other factors relevant to achieving the entity’s objectives. 

7. Does it prevent, detect or correct?

Again, before you proceed with the hard work of implementing the controls you designed, take some time to evaluate whether each control is preventive, detective, or corrective.  Detective controls are nice, but stopping the risk before it happens is better than cleaning up the mess afterward. This is especially true for unacceptable risks such as death and injury.  Make sure you have a good mix of all three types, with a preponderance of preventive controls.

8. Document

At this point, you are working with a large volume of information.  Just in case you get a little overwhelmed and forgetful, you’d better write down everything you have worked on so far.  The GAO is pretty firm about documentation:

OV4.08 Documentation is a necessary part of an effective internal control system. The level and nature of documentation vary based on the size of the entity and the complexity of the operational processes the entity performs. Management uses judgment in determining the extent of documentation that is needed. Documentation is required for the effective design, implementation, and operating effectiveness of an entity’s internal control system. The Green Book includes minimum documentation requirements as follows: 

  • If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. (paragraph OV2.06) 
  • Management develops and maintains documentation of its internal control system. (paragraph 3.09) 
  • Management documents in policies the internal control responsibilities of the organization. (paragraph 12.02) 
  • Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. (paragraph 16.09) 
  • Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. (paragraph 17.05) 
  • Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. (paragraph 17.06) 

OV4.09 These requirements represent the minimum level of documentation in an entity’s internal control system. Management exercises judgment in determining what additional documentation may be necessary for an effective internal control system. If management identifies deficiencies in achieving these documentation requirements, the effect of the identified deficiencies is considered as part of management’s summary determination as to whether the related principle is designed, implemented, and operating effectively. 

9. Evaluate the design vs. operation

Once you have organized your thoughts and chosen controls for all five components and the 17 principles, someone has to put them into action.  That could take a while.  As usual, it is best to be patient and thorough instead of agitated and spotty.  Ha.  Agitated and spotty is a great title for a teen romance novel!

The GAO takes pains to mention the difference between the design of a control and the implementation of a control in over a dozen places in the Green Book.  Here are a few quotes:

OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors. 

OV3.05 When evaluating design of internal control, management determines if controls individually and in combination with other controls are capable of achieving an objective and addressing related risks. When evaluating implementation, management determines if the control exists and if the entity has placed the control into operation. A control cannot be effectively implemented if it was not effectively designed. A deficiency in design exists when (1) a control necessary to meet a control objective is missing or (2) an existing control is not properly designed so that even if the control operates as designed, the control objective would not be met. A deficiency in implementation exists when a properly designed control is not implemented correctly in the internal control system. 

10. Evaluate whether you can declare your controls effective!

Sorry to say that your work isn’t done when you finish designing, documenting and implementing controls.  True to the monitoring component of the COSO model, you can’t just set things up and forget them.  You need to come back and evaluate whether everything you have set up is working, correct any unintended consequences of your efforts, improve controls and start the cycle all over again.

OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective. 

This is a great place to introduce auditors back into our conversation because they may be able to help you ensure that the controls you designed are functioning properly.  That is what we will do in our next newsletter.

Chapter 13: Monitoring

Once there were parking lots
Now it’s a peaceful oasis
You’ve got it, you’ve got it

This was a Pizza Hut
Now it’s all covered with daisies
You got it, you got it

I miss the honky tonks,
Dairy Queens, and 7-Elevens
You got it, you got it

And as things fell apart
Nobody paid much attention
You got it, you got it

I dream of cherry pies,
Candy bars, and chocolate chip cookies
You got it, you got it

We used to microwave
Now we just eat nuts and berries
You got it, you got it

This was a discount store,
Now it’s turned into a cornfield
You’ve got it, you’ve got it

Don’t leave me stranded here
I can’t get used to this lifestyle

The Talking Heads: Nothing But Flowers

Atrophy – gradual decline in effectiveness or vigor due to underuse or neglect.

You can’t just “Set it and forget it” 

I love to multitask when doing household chores.  I feel very satisfied when the dishwasher and the clothes washer are running at the same time.  My satisfaction rises even more when I can get my oldest daughter to vacuum simultaneously while I tidy up the living areas.  If I can also have a sauce simmering on the stove while my youngest practices piano, I achieve domestic nirvana!

My drive to be working on several tasks at once has driven me to buy silly products. I used to use ‘Scrubbing Bubbles’ until I realized I was paying a lot of money for nothing.  It is a great idea to spray the shower and then walk away to let those little bubbles eat away the soap scum.  Nice theory, too bad it doesn’t work.

Remember the ads for the Ronco Chicken Rotisserie? “Set it and forget it!”  What a great marketing spin.  I almost bought one of those.  I love to start something and then walk away from it and do something else.  This is why my husband does most of the cooking.  My repeated, unintentional ventures into Cajun style cooking – where everything is “blackened” – were getting old.

I wish we could just set our kids and work colleagues on the right path once.  I wish they would keep on the path and never wander off.  I wish people wouldn’t forget or rebel against what they were supposed to do.  But wishing ain’t gettin’!

This component of the COSO model reminds us that we can’t just set things up and forget them.  We can’t walk away from our cooking, our kids or our work processes and hope for the best. Our controls and processes have to be monitored or chaos (and burnt toast) eventually rules.

As a wise counselor once told me, life is like riding a boat headed down a winding river.  Just as you get the boat going straight, the river bends and you have to paddle, paddle, paddle to keep from hitting the shore.  And sometimes you overcorrect and end up hitting the opposite shore, and you have to moderate and change your pace.  You can’t just get on the river and hope to get to the end without any corrections. You are going to have to work really hard to keep yourself on the narrow path that is the middle of the river.

Design is worthless without implementation

Have you ever used the ‘set it and forget it’ method with a process or a control?  Have you ever designed a process or a control then walked away because you have other things to do? Too bad that doesn’t work.

Ask the athletic department staff person why she stopped going out for three bids on major purchases, and she might say, “That was a lot of work.  No one ever checked to see if I was doing it, and I got tired of keeping all those records.  When I need to buy something, I don’t want to slow down to fill out all that paperwork!”

Here we have someone who doesn’t understand the importance of the control.  She reasons that it is too time consuming to go through the mandated steps when the result is always the same anyway.   From her point of view, she has a solid, logical justification for blowing off a well-designed control.

This is why we have to monitor controls.  We can’t just ask the staff person to do her job once and assume she is always going to do what we asked.

Monitoring has two layers

Some monitoring is continuous and built into day-to-day operations, and some is occasional.  Which monitoring method you use depends on your control objective and the resources you have to dedicate to monitoring controls.  Monitoring is viewed by some as a luxury that their organization can’t afford and, therefore, is one of the least frequently implemented components of the COSO model/Green Book.

The Green Book describes these two types of monitoring as ongoing monitoring and separate evaluations.

16.04 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring is built into the entity’s operations, performed continually, and responsive to change. Separate evaluations are used periodically and may provide feedback on the effectiveness of ongoing monitoring. 

Ongoing monitoring includes reconciliations

Matching information to corresponding information from a different source is one of the best ways to make sure the information is correct.  Sometimes matching is called a reconciliation; sometimes it is called a comparison.  For instance, you might reconcile the general ledger record of purchases by the coach to the credit card statement, you might match the expense reports submitted by the coach to the credit card transactions or the general ledger, or you might match or compare the expense report to receipts.

16.05 Management performs ongoing monitoring of the design and operating effectiveness of the internal control system as part of the normal course of operations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Ongoing monitoring may include automated tools, which can increase objectivity and efficiency by electronically compiling evaluations of controls and transactions. 

Separate Evaluations

Separate evaluations are performed periodically, not continuously.  Separate evaluations are best performed by someone who does not have responsibility for any of the processes or controls. Ideally the monitor would be truly independent of the subject matter and would not suffer any negative consequences for telling the truth. For instance, the fine arts department could do a periodic review of the purchases made by the athletic department.  The arts department might actually enjoy monitoring and telling the truth about the athletic department!  A formal audit can also serve as a separate evaluation.

16.06 Management uses separate evaluations to monitor the design and operating effectiveness of the internal control system at a specific time or of a specific function or process. The scope and frequency of separate evaluations depend primarily on the assessment of risks, effectiveness of ongoing monitoring, and rate of change within the entity and its environment. Separate evaluations may take the form of self- assessments, which include cross operating unit or cross functional evaluations. 

16.07 Separate evaluations also include audits and other evaluations that may involve the review of control design and direct testing of internal control. These audits and other evaluations may be mandated by law and are performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Separate evaluations provide greater objectivity when performed by reviewers who do not have responsibility for the activities being evaluated. 

Auditors beware!

Notice that auditors are not mentioned in the Green Book when discussing one of the types of monitoring – ongoing monitoring. There is a reason for that!  Auditors have to be careful NOT to get involved in the day-to-day management of programs and activities because they will compromise their auditor independence.  If an auditor helps manage a program, they will not be able to objectively evaluate the program.

The Institute of Internal Auditors encourages auditors to use a technology called ‘continuous monitoring’ to help catch errors and control breakdowns.  Continuous monitoring scans transactions continually and creates reports of outlying or unusual transactions.  Once the unusual transactions are identified, management or the auditor can follow up and resolve the outlying or unusual transactions.
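To make the idea concrete, here is an added example (not from the Green Book, the Yellow Book or the IIA) of the kind of exception scan a continuous monitoring tool runs. Keeping with the independence point above, this is written as something management’s accounting staff would own and run, not something the auditor runs on management’s behalf. The purchase records are constructed, and the three-bid threshold, the split-purchase window and the `bids` field are assumptions about a hypothetical purchasing policy.

```python
"""Added example: exception scan of a purchase log for the 'three bids' control.

Flags (1) purchases at or above the bid threshold with fewer than three
recorded bids and (2) possible split purchases: several sub-threshold buys
from one vendor within a short window that together exceed the threshold.
Policy values below are assumptions, not Green Book requirements.
"""
from collections import defaultdict
from datetime import date

THREE_BID_THRESHOLD = 5000.00   # assumed policy threshold
SPLIT_WINDOW_DAYS = 7           # assumed window for detecting split purchases

# Constructed sample purchase log; 'bids' is the number of bids on file.
PURCHASES = [
    {"id": "P-1", "date": date(2019, 3, 1),  "vendor": "Sports Supply Co", "amount": 7200.00, "bids": 3},
    {"id": "P-2", "date": date(2019, 3, 4),  "vendor": "Turf Masters",     "amount": 9800.00, "bids": 0},
    {"id": "P-3", "date": date(2019, 3, 10), "vendor": "Bus Charter LLC",  "amount": 4900.00, "bids": 0},
    {"id": "P-4", "date": date(2019, 3, 12), "vendor": "Bus Charter LLC",  "amount": 4850.00, "bids": 0},
    {"id": "P-5", "date": date(2019, 3, 20), "vendor": "Office Depot",     "amount": 180.00,  "bids": 0},
]


def missing_bids(purchases, threshold=THREE_BID_THRESHOLD):
    """Purchase ids at or above the threshold that lack three bids on file."""
    return [p["id"] for p in purchases if p["amount"] >= threshold and p["bids"] < 3]


def split_purchases(purchases, threshold=THREE_BID_THRESHOLD, window_days=SPLIT_WINDOW_DAYS):
    """Groups of sub-threshold purchases from one vendor, each started by one
    purchase and containing every later purchase within window_days of it,
    whose total reaches the threshold. Returns (vendor, ids, total) tuples."""
    by_vendor = defaultdict(list)
    for p in sorted(purchases, key=lambda p: p["date"]):
        by_vendor[p["vendor"]].append(p)

    flagged = []
    for vendor, items in by_vendor.items():
        for i, first in enumerate(items):
            group = [first] + [later for later in items[i + 1:]
                               if (later["date"] - first["date"]).days <= window_days]
            total = round(sum(g["amount"] for g in group), 2)
            if (len(group) > 1 and total >= threshold
                    and all(g["amount"] < threshold for g in group)):
                flagged.append((vendor, tuple(g["id"] for g in group), total))
    return flagged


def scan(purchases):
    """Exception report that management would review and resolve."""
    return {
        "missing_bids": missing_bids(purchases),
        "possible_splits": split_purchases(purchases),
    }


if __name__ == "__main__":
    for category, items in scan(PURCHASES).items():
        print(f"{category}: {items}")
```

On the constructed data the scan flags P-2 (a large purchase with no bids) and the two Bus Charter LLC purchases, which individually sit just under the threshold but together exceed it within two days. The second check matters because a staff person who finds the three-bid process “a lot of work” can avoid it simply by splitting an order.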

The GAO is not a fan of auditors implementing continuous monitoring on behalf of management.  The GAO is much stricter about auditor independence than the Institute of Internal Auditors and expressly prohibits auditors from being involved in continuous monitoring in its Government Auditing Standards (Yellow Book).  In the GAO’s view, monitoring is the duty of management not the auditor, and when the auditor performs continuous monitoring, the auditor’s independence is impaired.

The last sentence of the following excerpt from the GAO’s Yellow Book is as firm an admonishment as the GAO can muster!

YB 2011 3.54 Accepting responsibility for designing, implementing or maintaining internal control includes accepting responsibility for designing, implementing, or maintaining monitoring procedures. Monitoring involves the use of either ongoing monitoring procedures or separate evaluations to gather and analyze persuasive information supporting conclusions about the effectiveness of the internal control system. Ongoing monitoring procedures performed on behalf of management are built into the routine, recurring operating activities of an organization. Therefore, the management participation threat created if an auditor performs or supervises ongoing monitoring procedures is so significant that no safeguards could reduce the threat to an acceptable level. 

Monitoring asks that you don’t assume, you verify

The monitoring component encourages managers not to assume that controls are working as they were designed, but instead, to put extra controls in place to ensure that controls are working as they were designed.  If you set it and forget it, a significant error or fraud can occur and go undetected because the controls you thought were in place were not actually in place.   Or you could end up wedged against the bank of the river holding a can of Scrubbing Bubbles and a piece of Cajun toast.  Neither of these is a desirable situation!

Another Layer to the Green Book

When I was younger, I was often unpleasantly surprised to find out that responsibilities have layers.  I thought I had gone through the final step… but no!  Instead I realized there was another step, another layer of complexity that needed to be embraced.  And then I found another layer and another layer.

I remember one moment of frustration regarding my ‘dream’ car vividly. When I was 16 I wanted a cool car so I could have more freedom, but first I had to pass the driving test.  Check.  Then I had to learn how to change a tire and add water and oil. Check.  Next, Dad withholds cool car and instead buys me a junky car because he imagined that I would bang up my first car (he was right). Check.

Dad decides I can handle a somewhat cooler car when I am 18.  Sweet!  Check.  Proceed to drive the somewhat cooler car slowly through a notorious speed trap in Houston only to get a ticket for having an expired inspection sticker.  What?  Wait.  What the heck is an inspection sticker? Nobody told me about annual inspections.  How much does that cost?

Well, I don’t want you finishing up this book about internal controls and then gasp, “Inspection stickers!  No one told me about inspection stickers!”  My dad’s response to my complaint was, “What did you think that big square thing with the date on it in the driver’s side window was?”  No good answer for that.

So I want to pause to cover another important layer of the COSO model that you may not have considered yet – although it sits right in the introduction of the Green Book: the requirement that the controls work together in an integrated manner.

Green Book: OV2.04 … The five components of internal control must be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective. 

Integrate the controls

What does ‘integrate’ mean?  Integrate means that various parts are linked together or coordinated.

Maybe an example will demonstrate what integrated controls look like.  Let’s say that your control objective is to prevent unallowable charges on credit cards issued to the buildings and maintenance folks.

The ideal controls sound like they both help satisfy the control objective AND belong together.  See if you can see how these controls fit together:

Control Environment:  Hire accountants skilled at performing reconciliations
Control Activity: Require buildings and maintenance employees to submit receipts and invoices to support credit card charges
Monitoring: Accountants match receipts and invoices to the credit card charges each month and evaluate charges for allowability.
Information and communication: Accounting emails a report detailing unallowable charges and un-reconciled/undocumented charges to the executive team each month
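Here is an added example (not from the Green Book or this book’s author) of the monthly matching that the reconciliation discussion earlier in this chapter and the integrated example just above both describe: the card statement is matched to the general ledger and to the receipts the card holders submitted, and the exceptions become the report that goes to the executive team. The statement, ledger and receipt records are constructed, and the unallowable category list is an assumed policy.

```python
"""Added example: three-way reconciliation of purchase-card charges.

Matches the monthly card statement against (a) the general ledger postings to
the card account and (b) the receipts submitted by card holders, then reports
every charge that fails to match or that a receipt shows to be unallowable.
All data is constructed; the unallowable list is an assumed policy.
"""
from collections import namedtuple

Charge = namedtuple("Charge", "ref date merchant amount")
Receipt = namedtuple("Receipt", "ref amount category")

# Constructed card statement for one month (the independent source).
STATEMENT = [
    Charge("C1", "2019-03-02", "Hardware Hut", 212.40),
    Charge("C2", "2019-03-05", "Plumbing Plus", 890.00),
    Charge("C3", "2019-03-09", "Steakhouse 44", 310.00),
    Charge("C4", "2019-03-15", "Paint Depot", 145.10),
]
# Constructed general ledger postings to the maintenance card account.
LEDGER = [
    Charge("C1", "2019-03-02", "Hardware Hut", 212.40),
    Charge("C2", "2019-03-05", "Plumbing Plus", 980.00),   # transposed digits
    Charge("C4", "2019-03-15", "Paint Depot", 145.10),
    Charge("C9", "2019-03-20", "Lumber Yard", 60.00),      # posting with no card charge
]
# Constructed receipts submitted by card holders, keyed by charge reference.
RECEIPTS = [
    Receipt("C1", 212.40, "supplies"),
    Receipt("C3", 310.00, "meals"),
    Receipt("C4", 145.10, "supplies"),
]
UNALLOWABLE = {"meals", "alcohol", "gifts"}   # assumed policy list
TOLERANCE = 0.005                              # half a cent, for float comparison


def reconcile(statement, ledger, receipts):
    """Return the exception report as a dict of lists, one per exception type."""
    stmt = {c.ref: c for c in statement}
    gl = {c.ref: c for c in ledger}
    rcpt = {r.ref: r for r in receipts}
    report = {"unrecorded": [], "amount_mismatch": [], "no_charge": [],
              "undocumented": [], "receipt_mismatch": [], "unallowable": []}

    for ref, charge in stmt.items():
        # Statement vs. ledger: every card charge should be posted at the same amount.
        if ref not in gl:
            report["unrecorded"].append(ref)
        elif abs(gl[ref].amount - charge.amount) > TOLERANCE:
            report["amount_mismatch"].append((ref, charge.amount, gl[ref].amount))
        # Statement vs. receipts: every card charge needs a matching, allowable receipt.
        if ref not in rcpt:
            report["undocumented"].append(ref)
        else:
            if abs(rcpt[ref].amount - charge.amount) > TOLERANCE:
                report["receipt_mismatch"].append((ref, charge.amount, rcpt[ref].amount))
            if rcpt[ref].category in UNALLOWABLE:
                report["unallowable"].append((ref, charge.merchant, rcpt[ref].category))

    # Ledger vs. statement: postings with no card charge behind them.
    report["no_charge"] = [ref for ref in gl if ref not in stmt]
    return report


def format_report(report):
    """Plain-text body for the monthly email to the executive team."""
    lines = [f"{kind}: {items}" for kind, items in report.items() if items]
    return "\n".join(lines) if lines else "all charges reconciled"


if __name__ == "__main__":
    print(format_report(reconcile(STATEMENT, LEDGER, RECEIPTS)))
```

Each exception type maps to a different control failure: an unrecorded or mismatched charge is a bookkeeping problem, an undocumented charge means the control activity (submit receipts) was not followed, and an unallowable category is the substantive finding the executive team actually cares about. Matching by reference number is only as good as the reference the card processor supplies; where that is unavailable the match would have to fall back to date, merchant and amount, which is where most real reconciliations get messy.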

Several people have been very proud to show me their tricked out, ‘dream’ Green Book spreadsheet. One of my favorites was a spreadsheet that listed the 17 principles along the left hand side as row titles.  And then the 12 compliance items for federal programs were listed along the top as column headers.  The controls in place were the contents of the cells.  But I had to inform the proud creator that simply listing a control in a cell wasn’t all that needed to be done, the controls also needed to be integrated.  They were not happy.  Layer, layer, layer.

Iterative

Just like learning how to take care of a car, the process of creating controls is long and full of little surprises.  Whenever I see the word iterative, I now know what they really mean is you are now embracing the ‘never ending quest for improvement’.  Iterative also means that it will never be perfect, which is hard for some folks to tolerate.  Anybody who has tried to design a control process, document a control process, and implement a control process can attest to it being imperfect and never, ever done.

And the Green Book goes on to say that simply copying another entity’s control system probably isn’t going to work either.  Bummer.

Green Book: OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors. 

Where we have been and where we are going

I hope you have been enjoying the book so far.  First we had to learn what the top, side, and front of the cube meant, from a very broad view.  Then we took a deep dive into risk assessment.  Next it is time to mitigate the risks we have identified.  We will endeavor to embrace our responsibilities and avoid unpleasant surprises by layering on controls for the remaining four components of the COSO model: control activities, information and communication, monitoring, and control environment.

If you would like to catch up on what I have written so far about the Green Book, please see these article/chapters.

Internal controls a la GAO’s Green Book

Chapter 2: Grounding the Green Book in Reality

Chapter 3: The Face of the Cube

Chapter 4: The remaining dimensions of the cube

Chapter 5: Ranking What You Care About: The Risk Assessment Component

Fraud Risk per the GAO’s Green Book

Fraud Risk Factors a.k.a. the Fraud Triangle

Completing the risk assessment

The next chapter should sound very familiar if you have ever worked on controls before.  We will use concepts like ‘segregation of duties’ and ‘authorization.’   We are far from done. Iterate, integrate, iterate, integrate….
