The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–Integrated Framework, updated in May 2013, is considered a leading framework in designing, implementing, and conducting internal control assessments. COSO’s focus on a balanced approach toward internal control makes it a valuable framework for organizations and internal auditors. Leveraging COSO to enhance audit frameworks, activities, and risk assessment approaches helps ensure that key audit outputs add value and advance the organization, rather than impede its progress.
For several years, the Texas Department of Transportation’s (TxDOT’s) Internal Audit Office has been on a mission to improve its audit program by infusing elements of COSO’s Internal Control–Integrated Framework. The successful implementation of COSO 2013 has resulted in increased consistency, quality, and productivity of the audit function. In addition, the department is better aligned with the organization’s key stakeholders to ensure audit is adding value and providing solutions-based recommendations to manage organizational risk and achieve business objectives.
Implementation of the framework came as a result of a top-down review of management and the organization, which called for improvements in the areas of effectiveness, efficiency, communications, and transparency. Blending the audit and COSO framework provided a natural method to focus on evaluation, identification, and monitoring of areas for improvement, and the vehicle identified to do it was an enterprise risk management audit dashboard.
To gain needed organizational support, the dashboard was discussed with members of the commission (board), executives, and senior leadership. This ensured understanding of the audit framework and also provided an opportunity to offer input on meaningful, consistent areas to evaluate and monitor. Another advantage of the audit dashboard is clear, consistent reporting and evaluation of results; the dashboard quickly reveals areas that require investment of resources, with color coding that highlights the severity of the risks identified.
The Audit Process
TxDOT has a three-phase audit process: planning, execution, and closing. Within each phase, TxDOT uses the Audit Results Dashboard as the key communications vehicle. The dashboard includes COSO’s five internal control components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. These components are the basis for the audit team’s evaluations and allow for annual reporting, which provides an enterprise-wide view of the organization’s risk profile. The dashboard also includes COSO’s defined objectives, which are highlighted to scope areas to be evaluated during the audit engagement: Operations, Reporting, and Compliance. In addition to knowing what is being evaluated during an audit engagement, key stakeholders get assurance and notification of where achievement of COSO objectives is strong or at risk. Designed to establish and be a continuous reminder of the key drivers of the audit engagement, the engagement summary is part of the presentations to audit management and the client throughout the engagement. Where key drivers change, it allows for discussion, consideration, alignment, and approval, as appropriate.
The Strategic element of COSO also is addressed in every audit engagement. For every engagement performed, the team is charged with aligning its work with the organization’s primary goals and the value to the organization (see “Engagement Summary” on this page). This ensures focus on organizational goal achievement, while performing work in meeting audit objectives.
The purpose of planning is to gain a deeper understanding of the engagement area and allow staff members to identify and assess risks. The intended end products are refined objectives and scope, as well as determining the best methodology for accomplishing those objectives. Potential or preliminary issues often are identified during planning and are further tested to identify root causes and organizational impacts during the execution phase of the engagement.
Key outputs of the planning phase are the engagement risk assessment, control design evaluation, and engagement work program. These items are included in the scope recommendation presentation, which is delivered by the assigned team to the chief audit executive (CAE). This scope presentation includes results of interviews, documentation reviews, and team analyses. In addition, the presentation includes a control design evaluation supported by process maps of the areas being evaluated, with key controls identified. This allows for development of a robust risk assessment, which better aligns the audit team and the client on engagement focus areas, the testing approach, and the assurance being delivered.
During the execution phase, audit teams begin to observe processes, test transactions, analyze results, conduct deeper interviews to further understand processes, and communicate exceptions and observations identified. As exceptions are identified, audit teams identify root causes and organizational impacts of the exceptions. These impacts may involve operations, reporting, or compliance elements.
Key outputs of the execution phase are findings, observations, and a mid-status presentation to audit management to ensure alignment and supervisory review and input are obtained. It is then presented to the client to allow for questions, clarification, and support. The presentation consists of an updated engagement dashboard, which includes the status of the engagement and findings or observations identified. Evaluated areas are given color-coded ratings. While still in the field, management and stakeholders are able to obtain an understanding of audit coverage and gain assurance regarding processes evaluated and insight on areas that may require additional attention or investment.
Having a snapshot of results and evidence to support the results are key components of a strong presentation to audit management and the client. This also serves as a constant reminder that the audit engagement is focused on adding value to the organization.
The closing phase of the engagement consists of a final tie of engagement results to audit objectives, engagement work programs, and the dashboard. This diligence is exhibited throughout the engagement; however, ensuring appropriate closure and alignment at this stage is critical to ensuring the work product is sound and in conformance with the International Standards for the Professional Practice of Internal Auditing. This allows for appropriate attention and investments by the organization to remedy identified deficiencies.
As with the other phases, the audit team prepares separate closing presentations for the CAE and client, which include the finalized findings, observations, scope area, and engagement ratings. These color-coded ratings depict the process variability of the areas tested and the immediate and potential impacts to the organization, if these processes/activities remained unchanged. The dashboard also gives the reader an ability to determine where more and quicker investment of resources is required to ensure process improvement and sustainability.
Connecting the Dots
TxDOT’s use of the audit results dashboard allows for quick reference regarding the operating efficiency and effectiveness of audited processes related to COSO objectives and ERM elements. It also gives key stakeholders a clear view of potential investments of resources, which is important to ensure alignment between stakeholders throughout the audit phases.
Another by-product of leveraging COSO and categorizing and rating the areas evaluated is the compilation of key risk data. As more audit work is performed using the enhanced framework, more data is compiled that can be used to trend and forecast key risks to the organization. For example, if four engagements are performed in a certain business segment that reveal systemic issues with Information and Communication or Monitoring, it provides a broader perspective and approach that can be addressed by executive management.
For the benefit of the audit committee and board, this trending and continual focus on COSO elements provides a basis for risk management and organizational risk appetite discussions and strategic decisions. In other words, it further enhances internal audit’s ability to achieve its own mission of “helping the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Ensuring that audit processes contribute to the organization’s success is incumbent upon the CAE. In addition, it is important to reflect and determine whether enhancement of audit processes could result in better outcomes. The focus on continuous improvement and process enhancement is vital to internal audit remaining viable and relevant.