COSO Evaluation Considerations for Auditors

Control Environment

1. Are the responsibilities, accountabilities, and authorities (RAA) established and communicated effectively through policies, procedures, or other methods to support process and control objectives?

  • Are control performers’ responsibilities aligned with authority or accountability?
  • Are organizational responsibilities identified (e.g., charter and structure) and people assigned to achieve the process objectives and key deliverables?
  • Is there segregation of duties to mitigate misrepresentation or misstatement of operations (fraud risk)?

Potential Audit Evidence to Support Conclusions
Inspect organizational charts/charters and confirm that current job responsibilities are aligned with relevant process objectives.

2. Do control performers have sufficient competencies to execute controls?  

  • Do they understand the risk and objective of the control?
  • Does the control performer have the experience/training necessary to execute the control?

Potential Audit Evidence to Support Conclusions
Evaluate results of control testing (as applicable) where competence is an attribute.

3. Are management actions and priorities consistent with stated objectives, RAA, and Boeing values?

Potential Audit Evidence to Support Conclusions
Evaluate whether management actions align with supporting process objectives (i.e., demonstrated allocation of resources, priorities are managed to stated objectives, and corrective actions are taken).

Risk Assessment

1. Is a risk assessment occurring on a regular basis for the process? It may be formal or informal, but management should be performing it in some form.

Potential Audit Evidence to Support Conclusions
Attend meetings to observe where risks are identified, monitored, and actions are taken. Are stakeholders represented and is the frequency adequate to help with risk mitigation?

2. Are process objectives defined specifically enough to support identification of inherent risk events?

Potential Audit Evidence to Support Conclusions
Inspect process objective definitions to evaluate whether objectives are stated specifically enough to support risk identification (this may not be documented, so use inquiry as needed).

3. Are inherent risk events identified and assessed?

  • Are internal or external business changes (e.g., regulatory, funding, market, business growth or reduction, and system changes) considered within the risk assessment?
  • Is the risk assessment occurring frequently enough to capture these changes?
  • Have key stakeholders been identified and are they involved in the risk assessment?
  • Are nonconformances or negative trends captured and evaluated for inclusion in the risk assessment?
  • Are potential fraud risks (financial or nonfinancial) identified and evaluated? For example, a nonfinancial fraud risk would be metrics intentionally misrepresented to hide poor performance or risk, such as reporting a status as yellow when it is actually red.
  • Are risk tolerances established (e.g., a 2 percent error rate for manufacturing defects)?

Potential Audit Evidence to Support Conclusions
Inspect identified risks for completeness of events (this may not be documented, so use inquiry as needed). Inspect metrics for negative trends and for inclusion of systemic issues in the risk assessment.

4. Has management determined appropriate risk response (i.e., accept, avoid, reduce, or share)? (See Control Activities.)

Potential Audit Evidence to Support Conclusions
Inspect control implementation as documented in policies and procedures, business process instructions, desk instructions, or other methods to evaluate whether identified risks are adequately responded to with controls.

Control Activities

1. Are the controls designed and operating effectively to achieve their objectives, mitigate the risks, and support the process objective?
Control testing of attributes using statistically relevant samples will be the primary way to evaluate control activities.

Potential Audit Evidence to Support Conclusions
Control test results will be the most influential data for conclusion.

2. Based on the evaluation of risk events inherent to the process, have corresponding controls been identified? (See Risk Assessment.)

  • Are there enough controls developed and implemented to mitigate the risks in the process (i.e., preventive, detective, manual, general computing controls, and IT dependent as needed)?

Potential Audit Evidence to Support Conclusions
Inspect process guidance where controls are defined, such as relevant command media, desktop procedures, manuals, and monitoring. Do they align with identified risks?

3. Are controls defined, documented, and communicated (e.g., command media, desktop procedures, manuals, and training)? (See Information & Communication.)

Potential Audit Evidence to Support Conclusions
Inspect control documentation and communication to control performers for sufficiency. Factors to consider for level of documentation include complexity of controls, significance of risks, number of control performers, and turnover expected. Lack of documentation may or may not be a deficiency.

Information & Communication

1. For affected stakeholders, is information identified, validated, documented, communicated, and reviewed to achieve process objectives such that control performers can execute consistently (i.e., process steps, process RAA, control RAA, control definitions and objectives, changes to relevant policies, procedures, risks, and new initiatives)? (See Monitoring Activities.)

  • Is documentation sufficient to match the level of risk and complexity of control?
  • Is there data identified to support monitoring of control performance?
  • Are there open channels of communication both top-down and bottom-up?

Potential Audit Evidence to Support Conclusions
Inspect information and communication of other relevant information (i.e., business/process objective statements, command media, change notifications, and metrics) and assess whether it is disseminated to relevant stakeholders (i.e., control performers, process owners, and management/customers/suppliers). (See Control Environment.)

  • Inspect process documentation to evaluate adequacy to support consistent execution by the control performers. (See Control Activities.)  
  • Inspect controls for associated information used to monitor and evaluate whether there is sufficient and reliable information and communication to identify failures timely.

Monitoring Activities

1. Does effective monitoring of the internal controls of the process exist?

  • Are metrics in alignment with objectives, risk tolerance levels, and controls?
  • Are out-of-tolerance conditions consistently identified (e.g., defined red and yellow criteria, or other stated measures of effectiveness)?
  • Are corrective/preventive actions identified, approved, and tracked to completion?

Potential Audit Evidence to Support Conclusions
Inspect metrics in use to evaluate whether they are aligned to the key objectives and risks, and that there are clear criteria for identifying unacceptable conditions.

2. Are metrics validated and communicated to relevant stakeholders? (See Information & Communication.)

Potential Audit Evidence to Support Conclusions
Inquire and inspect how metrics are validated and communicated to stakeholders.

