internal control over financial reporting. However, those elements of internal control that are also considered a part of disclosure controls require a quarterly assessment under Section 302 of Sarbanes-Oxley. The example provided by the SEC of an internal control over financial reporting, which is also included in disclosure controls, indicates a high degree of overlap between internal controls and disclosure controls. The only safe harbor may be to assume that disclosure controls and internal controls over financial reporting are identical and to perform quarterly self-assessments of all financial reporting and

Further, it’s likely that the SEC and the courts would view a control procedure that is not being complied with as a “change in internal control.” If a material misstatement of earnings were to result from an employee’s failure to reconcile a major account, it is doubtful that a credible defense could be built around a contention that there had been no change in internal control, but simply a failure to comply with an established internal control procedure.

It is impossible to expect business executives to evaluate their controls as required under Sarbanes-Oxley without providing them effective controls and CSA training. Three years ago, John Hancock’s corporate audit and corporate education services departments developed a Web-based interactive controls training program that was accessible from corporate audit’s Web site. A capability for CSAs was also built into the Web site, enabling managers to perform assessments online. Sample control summaries for 27 typical insurance company functions were included on the site for reference. With the advent of Sarbanes-Oxley, the CFO has made it mandatory that all executives and key control employees complete the Web-based training annually.

Additionally, members of the corporate audit management team attended individual executive team meetings throughout the organization, using a “road show” approach to deliver training in CSA and controls testing (see “Tips for Evaluating Control Summaries,” page 77).

Corporate Audit also developed a videotape walk-through of a CSA to provide more advanced training. The CFO has made an annual review of the videotape mandatory for all key employees, and copies were provided to the audit committee and company executives. In addition, it was made available on DVD.

IMPROVING AUDIT PRACTICES

In addition to internal auditing’s leadership in controls and CSA training, the group greatly improved its communication with management and the audit committee and increased its credibility through four of its audit practices.

DEVELOPING THE ANNUAL AUDIT PLAN. Each segment in the audit universe contains a risk rating that determines the normal cycle for that segment. As one would expect, the higher risks have a higher normal frequency. In drafting the annual audit plan, internal auditing starts with the segments that are called for by their normal cycle. The auditors then review the business plans of every operating area to identify new products, changed activities, organizational changes, and any indications of changing risks. The auditors also factor in their knowledge of emerging risks in the business world, as reported in local and national news services, professional newsletters, and audit conferences. Audits are added to the plan for new activities, new risks, and existing segments where risks have changed, dictating that their normal cycle be advanced.

Next, the auditors meet with executives and managers companywide to discuss emerging risks and any special requests that they may have, as well as to get their full support for the audit plan. At the close of the management meetings, the auditors make final adjustments to the draft audit plan.

Each member of the audit management team presents his or her respective piece of the final draft plan to the audit committee. Other information about the internal audit function, such as the audit process, staff qualifications, and continuous improvement objectives, is also presented during this meeting. Involving the entire management team in presenting the audit plan benefits both the audit committee and the audit management team.

The draft audit plan is updated to address suggestions received from the audit committee. Progress on the plan is presented to the committee in a quarterly report.

ISSUING THE EXECUTIVE AUDIT REPORT. All audit reports consist of a one-page executive summary. The advantages of a single-page summary are brevity, efficiency, and consistency of story. Busy executives may simply ignore lengthy
INTERNAL AUDITOR FEBRUARY 2004