In this episode of THE SAMPLE, Leita Hart-Fanta, CPA answers the question, “When do you apply the 17 principles of internal control on your audit?”
Welcome to The Sample, a quick discussion of auditing concepts and terms that will help you do your work. Conducting an audit in accordance with auditing standards is no small feat and I want to support you. We’ll be referring to the GAO, IIA and AICPA literature to bolster our conversations. Let’s get started.
In this episode we answer the question, “When do you apply the 17 principles of internal control on your audit?” You might be aware that the GAO in the 2018 Yellow Book has amped up the reporting and documentation responsibilities for performance auditors when it comes to internal controls. From this paragraph, you can see that they’re mentioning components and principles. What the heck is that about?
This is the COSO model. These things on the face are called components, and what the green book has done and the 2013 version of the COSO model had done is they have divided those into 17 underlying principles. Performance auditors following Yellow Book standards need to apply these 17 principles to their audit objective in the documentation and in the audit report.
There’s a couple of different places where you can apply, where you can actually worry about, the 17 principles. If you have very refined objectives from the get go, you can apply the 17 principles early. But if your objective is a little vague to begin with, I recommend that you hold off applying the 17 principles until you have refined your objective, because we are only to apply the 17 principles that are relevant to our audit objective.
Let me show you something else that might help you. These are the steps of an audit process. Assuming you get a vague assignment when you begin. Then you gather information, and then where is the criteria? I’ve buried it pretty good. There it is. Choose the criteria. Then you take your subject matter. You break it into small enough pieces to put it into an inherent risk assessment. Then you refine your objective and subjective. You got this vague assignment to begin with. But after you decide that you care, you refine that objective and then you dig into controls.
You don’t dig into controls early because you can end up working too hard, especially now, when you have to apply the 17 principles, you definitely want to push off doing a detailed control work for as long as possible. Then you choose methodologies, allocate resources, write the audit program, perform and document your methodologies, conclude against your objective, draft your findings, and then finalize the report.
Now, all of these black little circles over here are places where you touch upon internal controls on your audit. It’s pretty much everywhere. Your assignment can sound something like, “Go evaluate controls in this area.” When you’re gathering information, this is where it gets really potentially dangerous with controls and applying the 17 principles here. I recommend that in gathering information, you just confirm that they have a control consciousness, but you do not dig into internal controls until you get over here as I’ll show you in a minute.
Of course, your criteria could be based on controls like a policy and procedures manual, or even the COSO model. You can break your universe into pieces in terms of controls. I do get to skip inherent risk with this control black thing because you’re not going to do that. But you could write a control-oriented objective and then of course, assess controls, choose control, and fact-based tests here.
Your program could include some control terminology. Of course, performing the work. Your conclusion can sound control-oriented as could your findings. Okay? Controls are everywhere. But the key question is, “Where do you apply this?” I’m going to recommend if you start off with a vague assignment as I put here, that you wait until you assess controls late, late, late in the game. Do not apply it right here in the gathering information phase and your scoping phase because you could potentially work yourself into a frenzy.
That wraps it up for another episode of The Sample. True to the nature of a sample, we didn’t talk about everything, so you’ve probably got questions. Write to me firstname.lastname@example.org and I’ll do my best to fill in the blanks. Thanks for playing.
For More Info: