In this episode of THE SAMPLE, Leita Hart-Fanta, CPA answers the question, “How Do I Teach My Clients About Internal Controls?” Does your auditee recognize that they are responsible for internal controls? Leita shares tips on how to introduce your client to the COSO model without overwhelming them.
Welcome to The Sample, a quick discussion of auditing concepts and terms that will help you do your work. Conducting an audit in accordance with auditing standards is no small feat and I want to support you. We’ll be referring to the GAO, IIA and AICPA literature to bolster our conversations. Let’s get started.
Transcript
In this episode, we answer the question, “How do I educate my clients about the purpose of internal controls?” I was recently teaching the COSO model – the Green Book – at a conference for auditors, so I’m talking about internal controls. One of the auditors asked a brilliant question. He said, “How do I teach my auditees about internal controls? Because they think that the auditor is responsible for internal controls, and I’m trying to explain, ‘No, you’re responsible for internal controls.’”
So, I regularly teach full-day sessions to laypeople, people who are not auditors, on internal controls and the purpose of internal controls. I’ve learned a few things about how to approach the topic with laypeople, and I’m going to share those with you right now, a few key things.
First of all, you do not show them the COSO model until late in the day. If you start off the day showing them this model, they tend to flip out and become overwhelmed, just like we did the first time we saw it as auditors. We’re going, “Oh! Look at that thing!”
So, do not show this until after you’ve done some explaining, until after you’ve actually sold them on why controls are important and the purpose of internal controls. Here’s another thing you don’t show them. Don’t show them these 17 principles until much later. Again, too much granularity.
What I do is I start with a more personal example. Sometimes I start with my experience in eating in various restaurants. Sometimes I start with teaching my daughters how to drive and making sure they stay safe. We just brainstorm controls and we talk about that, and that gives me an entree to talk about risk.
Now, the COSO model – the top of the cube – actually starts with control environment. I don’t go there first. I go with risk first. Risk is why we have controls, and it gets people engaged and they care. If I start with control environment, it’s too academic. It’s too theoretical. But everybody can really understand risk: death, injury, shame, loss of money, missed goals. We talk about that in relationship to my kids driving or whatever example I’ve got.
They can also understand the concepts of magnitude and likelihood. Now they’re thinking, “Wow. What kind of risks am I tolerating in my organization or in my personal life on a regular basis?” They’re kind of hooked, and they’re like, “Okay, I understand why we have controls. Controls make sure that bad things don’t happen.” Then if I’m really feeling like they can tolerate it, I’ll use the word “mitigate” with them, that controls mitigate risk. They’re like, “Okay.” Okay, they’re in.
Now, I take one of their examples, like from their world, and I say, “Okay, what kind of risks are you tolerating in your organization?” Now they’re really interested, and that gives me a chance to walk them through the components of the model. Depending on the audience, I still may have not shown them the COSO model, but we began with risk assessment. I’ll walk them through applying control activities, walk them through imagining what kind of reports and information they need to generate, walk them through the question about monitoring (like, “How are you going to make sure that everything you’ve designed here is working as you intended?”), and the last thing I talk about is control environment.
We might not have even looked at the model at all together yet, but now, after we’ve got an inventory of all these controls, then I can come back to them and I can say, “Look, you applied controls in these five layers. Aren’t you brilliant?” And they go, “Oh, yeah, that’s so great. Oh, my gosh, I didn’t even know.” Then it’s like, “Yeah, that’s the model.” “Oh!” And then everybody’s happy.
Then I will come back around and do another example. You may know that Chipotle had a food-borne illness issue. Gosh, it’s probably been about 10 years ago, but famously, they applied beaucoup controls to keep it from ever happening again. I use it as a review of controls. So, again, just make it real to them. Hold off with all the lingo, which obscures the meaning of the COSO model, and your main goal is for them not to spout the lingo back to you, but to create controls that are strong.
That wraps it up for another episode of The Sample. True to the nature of a sample, we didn’t talk about everything, so you’ve probably got questions. Write to me at leita@yellowbook-cpe.com and I’ll do my best to fill in the blanks. Thanks for playing.