Demonstrating assurance over internal controls
Audit's primary function is to provide assurance on the effectiveness of risk management and the strength of the control environment within an organization. By centralizing and automating parts of the audit program, Audit can simplify internal controls management and promote collaboration across the organization. In this article, we discuss how to test controls using the Projects app.
This article illustrates how to test controls using an Anti Bribery and Corruption Internal Control Framework project template, which is useful for small to mid-sized audit functions and teams. The workflow outlined in this article is appropriate for more complex types of audits where narratives are defined, walkthroughs are performed to verify control design, and tests are performed to verify the operating effectiveness of controls. This is one approach, but you can achieve the same or similar objectives using other project templates.
What does it mean to test controls?
Testing controls is the process of:
- determining key and non-key controls
- identifying which controls will be tested
- evaluating each key control based on its design and operational effectiveness
If testing indicates that a control is not operating as expected or designed, Audit notes an exception and works with the business to manage a remediation plan.
Where do I test controls?
You can test controls using the Projects app.
The big picture
- Projects are used to document objectives, risks, and controls, test the design and effectiveness of controls, and capture issues.
- Assessments are used to document the evaluations of the design and operational effectiveness of controls.
Ultimately, the testing results in a project can roll up into your organization's assurance score, which gives you a real-time picture of how well your organization is mitigating risk.
Steps
Ready for a tour?
Let's take a closer look at these features in context.
1. Set up your project
The first step is understanding the best method to set up data in the system so that you can report out appropriately. You can create projects to define objectives, risks, and controls, evaluate the design and operational effectiveness of controls, and compile information for reporting purposes. Projects can be created from scratch, from a template, or from an existing project.
Tip
The Projects app offers several risk and control libraries (project templates) that contain pre-populated content for specific workflows. A variety of project templates are typically used to jumpstart audits and create re-usable templates. These include:
- Internal Audit (Operational) Templates
- SOC/SSAE 16/ISAE 3402 Audit Templates
- Internal Audit (Financial & Internal Control) Templates
- the Sarbanes-Oxley (SOX) Audit Template (COSO 2013 Framework)
Set up a project
You can choose between two different types of project workflows, depending on whether your audits are operational or more comprehensive (such as SOX or ICFR reviews). After you set up a project, Projects enforces a simple workflow in the audit, which helps you identify relevant audit procedures and manage issues.
Tip
Frameworks are helpful for reducing manual efforts involved in setting up projects, and can be used to centrally manage information in evolving regulatory and business environments.
Example
Scenario
You are a compliance professional responsible for conducting an anti-bribery and corruption internal control audit.
Process
As a starting point for building out your project, you create a project using the Anti Bribery and Corruption Internal Control Framework project template.
Within the project, you enable the Assurance setting to ensure that testing results are automatically aggregated for reporting purposes, and set the number of testing rounds to One.
Result
The project is populated with a series of objectives that each contain risks and controls.
Document objectives
Objectives form the basis of a project, and they are also the organizing containers for the work done in a project. Each objective states the subject matter under examination and how performance will be assessed. Objectives can be defined so that the work can be divided up into manageable tasks for members of the audit team to complete.
Example
Scenario
Part of your organization's anti-bribery efforts includes Travel and Entertainment (TNE) policies, which will need to be tested as part of the audit. You need to add a TNE objective to the project to define the area under examination.
Process
Help topic Defining objectives
You define the objective as follows:
- Title Travel and Entertainment
- Description Ensure appropriate preventative and detective controls exist against anti-bribery and corruption risk around the travel and entertainment expense process (including purchasing card).
- Reference TNE
- Division/Department Finance
- Assigned User yourName
Result
The objective is defined.
Document narratives
Narratives provide a way of understanding how your organization's internal controls fit into a business process. Many organizations rely on flowcharts as a primary method to visualize and show the detailed workflow within a given area. Any audio or visual content can be attached to support narrative documentation, and you can associate controls for referencing purposes.
Example
Scenario
You need to construct a narrative that relates to the TNE objective.
In the narrative, you plan to define the business process and attach a summary of the risks and key controls associated with the process. As you gather more information, you intend to update the narrative accordingly.
Process
Help topic Defining narratives
You navigate to the Narratives tab in the project, and add a new narrative entitled TNE Process Narrative.
You begin defining the narrative as follows:
Process Overview: Travel and Entertainment policies encapsulate travel expenses that are incurred while traveling away from home on official business and include transportation, lodging, meals and other miscellaneous expenditures. These expenditures must be reasonable and necessary in the conduct of business and directly attributable to it.
Finally, you attach a Word document containing a summary of risks and key controls associated with the TNE process.
Result
The first portion of the narrative is drafted, and the Word document is added as a supporting attachment.
Document risks and controls
Documenting risks and controls results in the production of a risk control matrix (RCM). An RCM is a combination of identified risks and corresponding controls (the measures or courses of action for how each risk will be mitigated).
Note
Depending on the organization, and the size of the audit function, assessing the inherent and residual risk may be the responsibility of different teams. Larger organizations typically leverage operational risk or compliance risk assessments to support the audit work.
Tip
Once risks and controls are documented, process owners can set up a schedule in Projects to assure that control activities are being performed consistently.
Example
Scenario
Your organization has a mature and refined risk assessment process, and evaluates risk across two dimensions (Impact and Likelihood) on a 3-point scale.
You need to evaluate the inherent risk score to determine the raw risk the organization faces if no controls or other mitigating factors have been put in place. You also want to assign your key controls an effectiveness score, so that during testing later on, any failed control will provide a residual risk score.
Process
First, you bulk upload risks and controls, and assign each risk a rating based on likelihood and impact.
Then, you associate the risks and controls and assign each control an effectiveness score to reflect the control significance when it comes time to report assurance.
Result
The inherent risk assessment is completed, and the risks and controls are documented.
2. Evaluate control design and effectiveness
Many Audit functions look to the business to take on some of the responsibilities of evaluating control design and effectiveness. Simple tasks, such as updating a control walkthrough and documenting control effectiveness test steps, can be performed by the control owners themselves. This allows the assessment of those controls to be truly owned by the business.
Evaluate control design
Audit can work with control owners to evaluate the design of a control through attestation and / or attachment of evidence, define action plans to implement missing controls, or explain why a control is not necessary.
Tip
Frontline staff in an organization can use the Mission Control app to manage the controls they have access to, outside of the Projects app. Mission Control is an app that presents control information from Projects in a simplified and centralized view.
Example
Scenario
Now that you have assessed inherent risk, you need to perform a walkthrough to evaluate the design of each control.
Process
Help topic Executing procedures and testing controls
You navigate to the walkthrough associated with each control, and evaluate the design of the TNE control against the process described in the narrative.
You determine that all of the controls have been designed appropriately. Once you have finished evaluating the design of the controls, you sign off, and set your manager as the next reviewer to approve your work.
Result
The walkthrough for each control is captured.
Define a test plan
Test plans identify how you will test the control. You can define test plans to specify the testing method, the total sample size (split amongst testing rounds), and test steps that need to be performed to test the control.
Tip
Inspirations, a catalog of risk scenarios and tests collected from Diligent initiatives worldwide, offers a series of analytic testing ideas by process. For more information, see Tools & Templates.
Example
Scenario
Now that you performed the walkthroughs, you have a better understanding of how each control is designed to mitigate risk. Before you launch into testing the effectiveness of the control, you need to prepare a test plan that identifies how you will test each control.
Process
Help topic Executing procedures and testing controls
You begin by defining a test plan for the following control:
TNE-04 - Procurement card threshold: Procurement cards have monthly and individual limits. Purchases that exceed these limits should be declined. Management should review and remediate exceptions on a timely basis.
- Testing Method Observation
- Total Sample Size 1
- Test Steps / Test Attributes
  - Obtain data needed to perform testing:
    - Pcard holder data that includes monthly and transaction limits for each card
    - Pcard transaction data for the period under review
  - Compare the transaction amounts in the Pcard transaction data to the transaction limits listed in the Pcard holder data.
  - Subtotal the transaction amounts by month and card and compare to the monthly limits listed in the Pcard holder data.
Result
The test plan for TNE-04 is captured.
Evaluate control effectiveness
Evaluating control effectiveness involves documenting detailed testing results and specifying whether the control passed or failed. Once you have finished evaluating the effectiveness of the control, you can mark up portions of text and link to evidence, such as policy or procedure manuals, regulations, SLAs/SLSs, and contracts.
Tip
To avoid manual scoring of control effectiveness, you can use Assessment Drivers to automate different control assessments. You can link a metric created in the Results app to a control assessment in Projects in order to inform the assessment, and auto-populate inherent risk scores based on pre-defined metric ranges.
Example
Scenario
Now that you have evaluated control design, and prepared a test plan that defines how you will test TNE-04, you need to evaluate control effectiveness to determine the residual risk, or how much risk remains after controls have been put in place.
Process
Help topic Executing procedures and testing controls
You navigate to the testing round associated with each control and test the effectiveness of each control.
You determine that all controls are operating effectively, except for the TNE-04 control. While the individual transaction limits are being respected (over-limit purchases are declined at point of sale), the monthly limits are not, and many cards are vastly exceeding their monthly limit.
Result
The test evaluation for each control is captured. At this point, you can also create an issue so you can manage an issue remediation plan and assign actions to those responsible for the relationship with the procurement card company.
3. Demonstrate assurance
Projects provides the ability to automatically aggregate risk assessments, testing results, and issues across the entire project into a single assurance metric (percentage) that can be used for reporting purposes. As walkthroughs and tests pass, assurance increases.
Tip
If you've taken a top-down approach and are managing your organization's strategic risks in the Strategy app, you can demonstrate assurance by rolling up testing results from projects that have been put in place to mitigate or manage strategic risks.
Example
Scenario
With the testing for the TNE objective complete, you want to benchmark how well the organization is doing in mitigating risk so that resources can be allocated appropriately.
Process
Help topic Getting started with assurance for risk
You navigate to the Progress area, and view the inherent and residual risk scores, and the assurance score, for the Travel and Entertainment objective.
You then navigate to the Results area, and view the overall assurance score for the audit.
Result
You can report on the assurance score associated with the Travel and Entertainment objective, and the overall assurance score associated with the audit as a whole.
What's next?
Monitor progress of your SOX programs
You can view and monitor the progress of your SOX programs through Storyboards. It takes just a few minutes to install the pre-configured SOX Storyboard Toolkit and have your storyboards populated with data. For more information, see SOX Storyboard Toolkit.