CPE for Government Auditors

Pulling It All Together

What’s the matter with the crowd I’m seeing?
“Don’t you know that they’re out of touch?”
Should I try to be a straight-A student?
“If you are then you think too much.
Don’t you know about the new fashion, honey?
All you need are looks and a whole lot of money?”
It’s the next phase, new wave, dance craze, anyways
It’s still rock and roll to me.
Everybody’s talkin’ ‘bout the new sound
Funny, but it’s still rock and roll to me.
It’s Still Rock and Roll to Me, Billy Joel


  • Sequence the steps of developing an internal control structure

Whew!  You made it. We are in the last chapter! Congrats, you have held on through a long case study and a complicated model.

In this final chapter, we are taking another look at the steps of creating a control structure from scratch which will also serve as a review of this text. I will quote various excerpts from the Green Book as I go.  Also, we will address what happens when auditors visit to evaluate your controls.

Steps of developing controls

As I see it, the steps of developing controls are as follows:

1. Choose a subject matter

Maybe you have been asked to develop controls for a whole organization or just a segment of an organization.  In either case, you will benefit from breaking your subject matter down into smaller, more defined segments, because it is easier to imagine controls for something specific than to imagine controls for something broad.

For instance, if I asked you to control the University of Michigan, you would probably walk out the door never to come back!  But if I asked you to control student financial aid at the University of Michigan, you would feel better.  If I asked you to set up controls to make sure that student financial aid at the University of Michigan is distributed on time, you’d feel super because that is very doable!

The side of the COSO cube prompts us to break the subject matter down into segments.  In the COSO and Green Book literature, the side of the cube is dubbed the ‘levels of organizational structure.’  I think of it instead as ‘what’ you are planning to control.

2. Focus on what is risky

Now that you have broken the organization up into segments, you can home in on the segments that are the most likely to cause trouble.

Risk assessment is the second control component on the face of the COSO model, but in practice it is the first component you consider when establishing controls.

For each piece, you ask four questions:

  1. What could go wrong?
  2. So what?
  3. How big of a deal is the ‘so what?’
  4. How likely are things to go wrong?

Here are the terms the Green Book uses for all of these questions:

  1. What could go wrong? The Green Book calls the answer to this question ‘identified risks.’
  2. So what?  The Green Book calls this ‘significance.’
  3. How big a deal is the so what?  The Green Book calls this ‘magnitude.’
  4. How likely are things to go wrong?  The Green Book calls this ‘likelihood.’

From the Green Book:

7.05 Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Significance refers to the effect on achieving a defined objective. 

7.06 Management estimates the significance of the identified risks to assess their effect on achieving the defined objectives at both the entity and transaction levels. Management estimates the significance of a risk by considering the magnitude of impact, likelihood of occurrence, and nature of the risk. Magnitude of impact refers to the likely magnitude of deficiency that could result from the risk and is affected by factors such as the size, pace, and duration of the risk’s impact. Likelihood of occurrence refers to the level of possibility that a risk will occur. The nature of the risk involves factors such as the degree of subjectivity involved with the risk and whether the risk arises from fraud or from complex or unusual transactions. The oversight body may oversee management’s estimates of significance so that risk tolerances have been properly defined. 

3. Decide if you want to tolerate the risk

When you are confronted with a risk, you have four choices of how to handle it:  you can accept it and live with the possible consequences, you can avoid it by not doing the activity, you can mitigate it by layering on controls, or you can share it by asking someone else (an insurer, for instance) to take on responsibility for it.

If you choose to keep doing the activity that causes the risk but do not want to simply live with the consequences, you proceed through the rest of the steps laid out here to create the controls that mitigate the risk.  Mitigate is a fancy word for ‘reduce,’ which is the term the Green Book uses.

From the Green Book:

7.08 Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective. Management designs overall risk responses for the analyzed risks based on the significance of the risk and defined risk tolerance. These risk responses may include the following: 

  • Acceptance – No action is taken to respond to the risk based on the insignificance of the risk. 
  • Avoidance – Action is taken to stop the operational process or the part of the operational process causing the risk. 
  • Reduction – Action is taken to reduce the likelihood or magnitude of the risk. 
  • Sharing – Action is taken to transfer or share risks across the entity or with external parties, such as insuring against losses. 

8.06 Management analyzes and responds to identified fraud risks so that they are effectively mitigated. Fraud risks are analyzed through the same risk analysis process performed for all identified risks…

4. Come up with a control objective

In order to focus your efforts and make sure that everyone is clear about what you are working toward, the Green Book recommends you come up with a clear control objective.

The Green Book talks about objectives in two layers.  In the first layer, it asks you to consider ‘why’ you want to control something.   Is it because you are concerned about operations, reporting or compliance? The GAO calls these ‘categories of objectives,’ and they are listed on the top of the cube.
[Figure: the COSO model cube]

OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved (see fig. 2). These objectives and related risks can be broadly classified into one or more of the following three categories: 

  • Operations – Effectiveness and efficiency of operations 
  • Reporting – Reliability of reporting for internal and external use 
  • Compliance – Compliance with applicable laws and regulations 

OV1.02 These are distinct but overlapping categories. A particular objective can fall under more than one category, can address different needs, and may be the direct responsibility of different individuals. 

Operations Objectives 

OV2.19 Operations objectives relate to program operations that achieve an entity’s mission. An entity’s mission may be defined in a strategic plan. Such plans set the goals and objectives for an entity along with the effective and efficient operations necessary to fulfill those objectives. Effective operations produce the intended results from operational processes, while efficient operations do so in a manner that minimizes the waste of resources. 

OV2.20 Management can set, from the objectives, related subobjectives for units within the organizational structure. By linking objectives throughout the entity to the mission, management improves the effectiveness and efficiency of program operations in achieving the mission. 

Reporting Objectives 

OV2.21 Reporting objectives relate to the preparation of reports for use by the entity, its stakeholders, or other external parties. Reporting objectives may be grouped further into the following subcategories: 

  • External financial reporting objectives – Objectives related to the release of the entity’s financial performance in accordance with professional standards, applicable laws and regulations, as well as expectations of stakeholders. 
  • External nonfinancial reporting objectives – Objectives related to the release of nonfinancial information in accordance with appropriate standards, applicable laws and regulations, as well as expectations of stakeholders. 
  • Internal financial reporting objectives and nonfinancial reporting objectives – Objectives related to gathering and communicating information needed by management to support decision making and evaluation of the entity’s performance. 

Compliance Objectives

OV2.22 In the government sector, objectives related to compliance with applicable laws and regulations are very significant. Laws and regulations often prescribe a government entity’s objectives, structure, methods to achieve objectives, and reporting of performance relative to achieving objectives. Management considers objectives in the category of compliance comprehensively for the entity and determines what controls are necessary to design, implement, and operate for the entity to achieve these objectives effectively. 

OV2.23 Management conducts activities in accordance with applicable laws and regulations. As part of specifying compliance objectives, the entity determines which laws and regulations apply to the entity. Management is expected to set objectives that incorporate these requirements. Some entities may set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity. 

But later in the book, the GAO drills down into the categories and describes the need for a specific, customized control objective.

6.02 Management defines objectives in specific and measurable terms to enable the design of internal control for related risks. Specific terms are fully and clearly set forth so they can be easily understood. Measurable terms allow for the assessment of performance toward achieving objectives. Objectives are initially set as part of the objective-setting process and then refined as they are incorporated into the internal control system when management uses them to establish the control environment. 

6.03 Management defines objectives in specific terms so they are understood at all levels of the entity. This involves clearly defining what is to be achieved, who is to achieve it, how it will be achieved, and the time frames for achievement. All objectives can be broadly classified into one or more of three categories: operations, reporting, or compliance. Reporting objectives are further categorized as being either internal or external and financial or nonfinancial. Management defines objectives in alignment with the organization’s mission, strategic plan, and performance goals. 

6.04 Management defines objectives in measurable terms so that performance toward achieving those objectives can be assessed. Measurable objectives are generally free of bias and do not require subjective judgments to dominate their measurement. Measurable objectives are also stated in a quantitative or qualitative form that permits reasonably consistent measurement. 

In our case study, the objective was, “Do controls deter the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?”

5. Compare the baseline to the ideal

Now it is time to talk to managers and find out what controls are already in place.  This inventory of existing controls will be your starting point.  Note that the Green Book uses the word ‘baseline’ a little differently: it means the gap between the control system as management designed it and the control system as it actually operates at a point in time.

16.02 Management establishes a baseline to monitor the internal control system. The baseline is the current state of the internal control system compared against management’s design of the internal control system. The baseline represents the difference between the criteria of the design of the internal control system and condition of the internal control system at a specific point in time. In other words, the baseline consists of issues and deficiencies identified in an entity’s internal control system. 

16.03 Once established, management can use the baseline as criteria in evaluating the internal control system and make changes to reduce the difference between the criteria and condition. Management reduces this difference in one of two ways. Management either changes the design of the internal control system to better address the objectives and risks of the entity or improves the operating effectiveness of the internal control system. As part of monitoring, management determines when to revise the baseline to reflect changes in the internal control system. 

Next, you will compare the existing controls to the ideal:  the list of 17 principles.  Wherever management has not already addressed a principle with a control or two, you will need to design one for that principle.  Remember, in order to judge a control system effective, all five components and the underlying 17 principles must be designed, implemented and operating effectively!

OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective. 

Appendix I: The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system. The 17 principle requirements of the Green Book are as follows: 

  1. The oversight body and management should demonstrate a commitment to integrity and ethical values. 
  2. The oversight body should oversee the entity’s internal control system. 
  3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives. 
  4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals. 
  5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities. 
  6. Management should define objectives clearly to enable the identification of risks and define risk tolerances. 
  7. Management should identify, analyze, and respond to risks related to achieving the defined objectives. 
  8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks. 
  9. Management should identify, analyze, and respond to significant changes that could impact the internal control system. 
  10. Management should design control activities to achieve objectives and respond to risks. 
  11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks. 
  12. Management should implement control activities through policies. 
  13. Management should use quality information to achieve the entity’s objectives. 
  14. Management should internally communicate the necessary quality information to achieve the entity’s objectives. 
  15. Management should externally communicate the necessary quality information to achieve the entity’s objectives. 
  16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. 
  17. Management should remediate identified internal control deficiencies on a timely basis. 

6. Consider cost 

Before you run out and implement all of the controls you designed in the last step, stop and think about how much each of the controls is going to cost you.  Do you need to invest in technology to make the control work?  Or do you need to beef up your staff?  Also, consider whether the new controls will slow down processes and frustrate employees, suppliers and customers.  Excessive controls are also known as ‘red tape’ and ‘burdensome bureaucracy!’

OV4.07 Management may decide how an entity evaluates the costs versus benefits of various approaches to implementing an effective internal control system. However, cost alone is not an acceptable reason to avoid implementing internal controls. Management is responsible for meeting internal control objectives. The costs versus benefits considerations support management’s ability to effectively design, implement, and operate an internal control system that balances the allocation of resources in relation to the areas of greatest risk, complexity, or other factors relevant to achieving the entity’s objectives. 

7. Does it prevent, detect or correct?

Again, before you proceed with the hard work of implementing the controls you designed, take some time to classify each control as preventative, detective or corrective.  Detective and corrective controls are nice, but stopping a bad outcome before it happens is better than discovering and cleaning up the mess afterward. This is especially true when the consequences are unacceptable, such as death or injury.  Make sure you have a good mix of all three types of controls, with a preponderance of preventative controls.

8. Document

At this point, you are working with a large volume of information.  Just in case you get a little overwhelmed and forgetful, you’d better write down everything you have worked on so far.  The GAO is pretty firm about documentation:

OV4.08 Documentation is a necessary part of an effective internal control system. The level and nature of documentation vary based on the size of the entity and the complexity of the operational processes the entity performs. Management uses judgment in determining the extent of documentation that is needed. Documentation is required for the effective design, implementation, and operating effectiveness of an entity’s internal control system. The Green Book includes minimum documentation requirements as follows: 

  • If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. (paragraph OV2.06) 
  • Management develops and maintains documentation of its internal control system. (paragraph 3.09) 
  • Management documents in policies the internal control responsibilities of the organization. (paragraph 12.02) 
  • Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. (paragraph 16.09) 
  • Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. (paragraph 17.05) 
  • Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. (paragraph 17.06) 

OV4.09 These requirements represent the minimum level of documentation in an entity’s internal control system. Management exercises judgment in determining what additional documentation may be necessary for an effective internal control system. If management identifies deficiencies in achieving these documentation requirements, the effect of the identified deficiencies is considered as part of management’s summary determination as to whether the related principle is designed, implemented, and operating effectively. 

9. Evaluate the design vs. operation

Once you have organized your thoughts and chosen controls for all five components and the 17 principles, someone has to put them into action.  That could take a while.  As usual, it is best to be patient and thorough instead of agitated and spotty.  Ha.  Agitated and spotty is a great title for a teen romance novel!

The GAO takes pains to mention the difference between the design of a control and the implementation of a control in over a dozen places in the Green Book.  Here are a few quotes:

OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors. 

OV3.05 When evaluating design of internal control, management determines if controls individually and in combination with other controls are capable of achieving an objective and addressing related risks. When evaluating implementation, management determines if the control exists and if the entity has placed the control into operation. A control cannot be effectively implemented if it was not effectively designed. A deficiency in design exists when (1) a control necessary to meet a control objective is missing or (2) an existing control is not properly designed so that even if the control operates as designed, the control objective would not be met. A deficiency in implementation exists when a properly designed control is not implemented correctly in the internal control system. 

10. Evaluate whether you can declare your controls effective!

Sorry to say that your work isn’t done when you finish designing, documenting and implementing controls.  True to the monitoring component of the COSO model, you can’t just set things up and forget them.  You need to come back and evaluate whether everything you have set up is working, correct any unintended consequences of your efforts, improve controls and start the cycle all over again.

OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective. 

This is a great place to introduce auditors back into our conversation because they may be able to help you ensure that the controls you designed are functioning properly.  That is what we will do in our next newsletter.

Is that your job? More on Control Environment

13 The next day, Moses took his seat to hear the people’s disputes against each other. They waited before him from morning till evening.

14 When Moses’ father-in-law saw all that Moses was doing for the people, he asked, “What are you really accomplishing here? Why are you trying to do all this alone while everyone stands around you from morning till evening?”

15 Moses replied, “Because the people come to me to get a ruling from God. 16 When a dispute arises, they come to me, and I am the one who settles the case between the quarreling parties. I inform the people of God’s decrees and give them his instructions.”

17 “This is not good!” Moses’ father-in-law exclaimed. 18 “You’re going to wear yourself out—and the people, too. This job is too heavy a burden for you to handle all by yourself. 19 Now listen to me, and let me give you a word of advice, and may God be with you. You should continue to be the people’s representative before God, bringing their disputes to him.20 Teach them God’s decrees, and give them his instructions. Show them how to conduct their lives. 21 But select from all the people some capable, honest men who fear God and hate bribes. Appoint them as leaders over groups of one thousand, one hundred, fifty, and ten. 22 They should always be available to solve the people’s common disputes, but have them bring the major cases to you. Let the leaders decide the smaller matters themselves. They will help you carry the load, making the task easier for you. 23 If you follow this advice, and if God commands you to do so, then you will be able to endure the pressures, and all these people will go home in peace.”

24 Moses listened to his father-in-law’s advice and followed his suggestions. 25 He chose capable men from all over Israel and appointed them as leaders over the people. He put them in charge of groups of one thousand, one hundred, fifty, and ten. 26 These men were always available to solve the people’s common disputes. They brought the major cases to Moses, but they took care of the smaller matters themselves.  

Exodus 18:13-26

In this chapter, we will cover the remaining three principles included in the control environment component of the COSO model:  Principle 3 (structure, responsibility and authority), Principle 4 (competence) and Principle 5 (accountability).

Not even Moses, God’s chosen leader, could get it done all on his own.  Taking care of everything for everyone will absolutely wear a person out.

I watched a TV biography on Jim Henson, the creator of the Muppets.   He tried to be involved in every aspect of his business – Sesame Street, an HBO series, the next Muppet movie – even as his team grew to 300 people.  He didn’t take care of himself, contracted a very common illness, and refused to slow down long enough to go to the doctor.  By the time he got to the hospital, it was too late and he died at age 53!

No, most of us don’t work under that kind of pressure, but I have made myself sick trying to do it all several times.  I have learned to delegate and to give those to whom I delegate the authority to act without checking in with me.  My late-found ability to let go allows me to spend time doing what I do best and allows me some space to rest and think.

From the Green Book’s perspective, the reason we have controls is to make sure the entity achieves its objectives.  If an entity unwisely lays too much responsibility on one individual and isn’t intentional about organizing itself and dividing and delegating the work, the Green Book points out that the entity simply won’t get where it wants to be.

3.01 Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives. 

3.06 To achieve the entity’s objectives, management assigns responsibility and delegates authority to key roles throughout the entity….

3.07 Management considers the overall responsibilities assigned to each unit, determines what key roles are needed to fulfill the assigned responsibilities, and establishes the key roles. Those in key roles can further assign responsibility for internal control to roles below them in the organizational structure, but retain ownership for fulfilling the overall responsibilities assigned to the unit. 

That isn’t my job!

One of the deadliest things that someone in customer service can utter is, “That isn’t my job.”  What this person and organization have failed to realize is that I, as a customer, do not give a flying rat’s patootie whose job it is, I just want my product or service with as little hassle as possible.

I recently used my frequent flyer miles on American Airlines to buy tickets on British Airways.  Big mistake.  After two hours of work booking the tickets, I found out that I had no seat assignments.  The next day, I spent another two hours getting seat assignments.  When I would ask American Airlines for help, they would pass me off to British Airways.  When I asked British Airways for help – you guessed it – they passed me off to American Airlines.

After several internet searches, a few password wrestling matches, multiple phone calls and hours of being on hold, I finally found a sympathetic ear.  Everyone else I encountered wanted to pass the responsibility on to someone else or gave me incomplete or erroneous information, but this angel stayed with me until I got the information I needed.

Who are the angels?

After figuring out what needs to be done, you have to put competent people in place to get it done.   Usually, an organization has to invest in its people to enable them to be good at their job.  My angel at American Airlines obviously had years of experience in customer care and knew exactly how to help me cut through all of the red tape and get my seat assignments.  I hope American is investing more in her.

The Green Book is clear that management is responsible for investing in its people and should not expect employees to be ready to work on their first day on the job!

4.01 Management should demonstrate a commitment to recruit, develop, and retain competent individuals. 

4.05 Management recruits, develops, and retains competent personnel to achieve the entity’s objectives. Management considers the following: 

  • Recruit – Conduct procedures to determine whether a particular candidate fits the organizational needs and has the competence for the proposed role. 
  • Train – Enable individuals to develop competencies appropriate for key roles, reinforce standards of conduct, and tailor training based on the needs of the role. 
  • Mentor – Provide guidance on the individual’s performance based on standards of conduct and expectations of competence, align the individual’s skills and expertise with the entity’s objectives, and help personnel adapt to an evolving environment. 
  • Retain – Provide incentives to motivate and reinforce expected levels of performance and desired conduct, including training and credentialing as appropriate. 

I’d love to hold customer service accountable

At the beginning of each call to the airlines, I heard “This call is recorded and may be used for training purposes.”  What I’d love the message to say instead is, “This call is being monitored by someone who will hold these customer care representatives accountable if they send you to the wrong place or give you wrong or incomplete information.”  Wouldn’t it be nice if, at the end of each interaction with a customer care rep, you could evaluate whether they helped you or frustrated you?  Is it just me, or have you noticed that the customer care reps only connect you with the evaluation when they know you are happy?

So how do you hold people accountable?  

When I teach budgeting courses, I discuss how budgets are the translation of an organization’s plan into numbers.  I emphasize that unless an organization identifies when managers are off plan and holds them accountable, a budget just becomes a silly, wasteful, paper-pushing exercise.

Through real life stories told by the participants in my classes and my own work experience, I’ve compiled a list of options organizations can use to hold folks accountable.  Here is a list of some of the options from least stringent to most stringent:

  • Send out a variance report to all managers
  • Require managers to explain variances to the accountant
  • Require managers to explain variances in writing
  • Require managers to explain variances during a staff meeting
  • Require managers to explain variances during a meeting with executives
  • Evaluate budget performance in the manager’s annual performance evaluation
  • Reprimand managers who do not stay on track with the budget
  • Withhold bonuses from managers who stray from the budget
  • Fire managers who dismiss and ignore the budget

Did you think the last one was too extreme?  A mature CFO shared with the class that every time he pushed forward a new initiative on behalf of the executive team, he made sure the executives gave him the ability to fire anyone who did not play along.  He told a story about the executive team wanting to hold managers to a tighter and very unpopular budget.  When one division director rebelled and would not follow the budget, the CFO fired him.  After that, he had no problem keeping the other managers in line.

Here is what the Green Book says about holding people accountable:

5.03 Management holds entity personnel accountable for performing their assigned internal control responsibilities. The oversight body, in turn, holds management accountable as well as the organization as a whole for its internal control responsibilities. 

The flip side of stringency

But the Green Book also acknowledges the negative, flip side of holding folks accountable.  Whatever gets measured gets done – which is a good thing… sort of.  But on the flip side, employees will occasionally do silly and wasteful things to meet expectations.

For example, I audited a manufacturer of computer components in the late 80s.  At the end of the year, the manufacturing managers received a bonus if their inventory was minimal.  So, on December 30, the managers filled two semi-trucks with inventory and sent the trucks off to an unwitting customer in California.

The shipment was rejected by the customer on January 2 because they hadn’t ordered the components.  The trucks arrived back in Texas, full of inventory, on January 4.

The managers received their bonuses and the year-end records looked good – so on one hand, the managers’ mission was accomplished. But on the other hand, the records were misleading, the customer in California was annoyed, and the manufacturer wasted thousands on the bogus shipment.

From the Green Book:

5.04 If management establishes incentives, management recognizes that such actions can yield unintended consequences and evaluates incentives so that they align with the entity’s standards of conduct. 

5.07 Management adjusts excessive pressures on personnel in the entity. Pressure can appear in an entity because of goals established by management to meet objectives or cyclical demands of various processes performed by the entity, such as year-end financial statement preparation. Excessive pressure can result in personnel “cutting corners” to meet the established goals. 

The Control Environment Component is full of wisdom

Wisdom is defined as the quality of having experience, knowledge, and good judgment. It is apparent that the creators of the COSO model and the Green Book have been around the block a few times and know the harm poor controls can do.

The control environment component of the COSO model tells us that what leaders do matters; that oversight bodies have an important role to play in keeping controls strong; and that everyone should know their job, be equipped to perform their job, and be held accountable for doing their job.

Here is a summary of the control environment component from the introduction to the chapter:

The control environment is the foundation for an internal control system. It provides the discipline and structure, which affect the overall quality of internal control. It influences how objectives are defined and how control activities are structured. The oversight body and management establish and maintain an environment throughout the entity that sets a positive attitude toward internal control. 

1. The oversight body and management should demonstrate a commitment to integrity and ethical values. 
2. The oversight body should oversee the entity’s internal control system. 
3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives. 
4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals. 
5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities. 

Woven into these principles are warnings that our best intentions can go awry:

  • Under the first principle on tone at the top, we are warned that well-designed controls can break down when leaders act badly.
  • Under the second principle on oversight, we are warned that management might not want to fix obvious problems and therefore must be forced to act by an oversight body.
  • Under the fourth principle on competence, we are warned that our best people can leave us, and we’d better have a plan to keep the organization going without them.
  • Under the fifth principle on accountability, we are warned that holding people accountable can result in squirrely behavior that goes against the ultimate objectives of the entity.

What’s next?

In the next chapter, we will collect all of the controls we came up with for our case study, sort them out and then evaluate them for effectiveness and cost.
