Teaching Auditing Students About Internal Controls

From an Internal Audit Perspective

Susanne OCallaghan, Ph.D., CPA, CIA
Associate Professor of Accounting
Pace University
Lubin School of Business
One Pace Plaza
New York, NY 10038
socallaghan@pace.edu
John P. Walker, Ph.D., CPA
Professor of Accounting
Queens College CUNY
65-30 Kissena Blvd
Queens, NY 11367
jpvwalker@aol.com
Raymond J. Elson*, DBA, CPA
Assistant Professor of Accounting
Valdosta State University
Langdale College of Business
Valdosta, GA 31698
relson@valdosta.edu
* Corresponding author

Teaching Auditing Students About Internal Controls

From an Internal Audit Perspective
Introduction
In the Sarbanes-Oxley era there is a real need for a good understanding of the
different responsibilities and reliances that can be placed on the work of others. External
auditors must have a good comprehension of the types and extent of work that internal
auditors do. Since most universities do not provide a stand-alone course on internal
auditing, students must rely on what they learn in the mainstream auditing class to obtain
their understanding of what an internal auditor does. This paper provides auditing
instructors a vehicle for teaching the need for, and the approach to, how internal auditors
do their jobs.
Background
Many accounting students will enter the auditing profession upon graduation.
They will enter the external auditing profession, the internal auditing profession or work
in organizations where they interact with all types of auditors. If these students enter the
external auditing profession, they will be expected to interact and understand what
internal auditors do in order to rely on the internal auditors work under SAS 65 The
Auditors Consideration of the Internal Audit Function in an Audit of Financial
Statements and PCOAB Standard No. 2. But it is difficult for auditing students to
understand what value the internal audit function brings to the table as most auditing
textbooks have only one chapter on internal auditing. That chapter is usually very vague
as to what an internal auditor actually does. This paper provides a simple approach to
understanding concepts surrounding the internal auditors role in evaluating internal
controls so that their employer meets the objectives.
Literature Review
There is very little literature that offers a pedagogical approach to teaching
internal auditing. Fernandes (1994) recognizes that accounting education prepares
students well for financial auditing. He acknowledges that the traditional auditing course
may trigger an interest in internal auditing on the part of the student but the student is
basically left to figure out what internal auditing is all about. These same students are not
adequately prepared in the areas of business analytical techniques and there is a void in
general audit education because of this. He feels that all universities with business and
public administration programs should offer at least one course devoted to internal
auditing.
Another article by Fernandes, Poposky and Savage (1995) presents the
development of an internal audit course curriculum. The author examines and identifies
course objectives that would enhance the students understanding of both the conceptual
and practical aspects of the internal auditor function. They also identify elements of a

curriculum that would enhance students analytic, critical thinking, written and oral
communication, and group/teamwork skills. This article lays out detailed objectives,
methods of instruction, professional company involvement and course evaluation but
does not go into any detail of content.
Greensawalt and Stinnett (1992) present an excellent case that can be adapted for
use in a financial auditing or internal auditing class. It requires students to find an audit
client. The students then have the task of understanding and documenting the internal
control system of either the revenue cycle or the expenditure cycle. The students present a
written report and document their understanding of the controls, prepare an internal
control review matrix, do evaluations and make oral presentations. This article provides a
great outside project but does not provide the audit instructor an in-class demonstration of
how a control matrix is prepared.
Our paper provides a unique pedagogical approach to teaching auditing students
how to construct a control matrix, an important tool for use in evaluating internal
controls.
The Relationship between Internal and External Auditing
Internal auditing is an independent, objective, assurance and consulting activity
designed to add value and improve an organizations operations. Its focus is mainly on
evaluating and improving the effectiveness of the organizations risk management,
control and governance processes. External auditing is the systematic process of
objectively obtaining and evaluating evidence regarding management assertions in
financial statements. Its focus is on communicating any findings to interested users who
are mostly external to the organization such as shareholders and the SEC. Both sets of
auditing professionals have a use for control matrices.
The Relationships among Organizational Objectives, Threats to Meeting Objectives
and Internal Controls
All entities have specific objectives that they must achieve. But all objectives
have threats that may threaten their achievement. These threats must be eliminated,
avoided, controlled or accepted. By having good controls in place to mitigate the threats,
a company is better able to achieve its objectives and therefore places itself in a
competitive position. It is managements responsibility to see that adequate controls are
in place. It is the auditors responsibility to see that managements controls are indeed
working as planned. The internal auditors chief role is to evaluate the design and
effectiveness of those controls.
COSO Approach to Developing a Control Matrix
This paper illustrates a control matrix approach that can be used as lecture
material (or as a class assignment) in the internal auditing chapter of a traditional
textbook or as part of an internal auditing course. This control matrix helps students

understand how organization objectives drive the need for controls. A COSO framework
is used as the basis for the control matrix development.1
The COSO internal control framework states that entities have three objectives:
good operations, compliance with rules and regulations and good financial reporting. But
there are external and internal threats to having good operations, being in compliance
with rules and regulations and having good financial reporting. To achieve organizational
objectives and minimize the threats, an entity must have a good internal control system in
place. That system should consist of five elements. The entity must have a good control
environment, risk assessment procedures, excellent control activities, adequate
information and communications and a monitoring mechanism in place.
Auditing students have already learned about COSO in an earlier chapter on
internal control so this is a quick internal control review for them. In the internal auditing
chapter we move into a more detailed discussion of the internal auditors role in
evaluating internal controls put in place by management and in the value-added services
that internal auditors perform. But there are few examples to really help students
internalize what internal auditors do.
Since most students have some understanding as to how restaurants operate, we
used a restaurant example to illustrate this approach to teaching internal auditing. We use
the COSO framework and a six-step process to create the control matrix. We first
illustrate the three objectives of a restaurant. Second, we identify threats to meeting those
restaurant objectives. Third, we discuss control objectives necessary to see that the threats
are contained. Fourth, we use the five components of a good internal control system to
meet the control objectives. Fifth, we then examine the various control activities that
management could have in place. Lastly, in the sixth step, we identify steps to be taken
by the auditor to assure that control objectives are met.
Teaching Approach
The matrix that follows can be created by the audit instructor by first filling in the
first column: the three objectives identified by COSO: operations, compliance with rules
and regulations, and monitoring (Table 1.)

The Committee on Sponsoring Organizations published the COSO framework in 1992. It is the most
widely recognized internal control framework used in the United States today.

Table 1
Restaurant Objective (Column 1)
COSO
Objectives of
Entity
Operations
Compliance
Financial
Reporting
Next the instructor can present one threat to each of the restaurant objectives; e.g.,
a threat to operations is that employees might lose fingers; a threat to being in compliance
with rules and regulations is that the restaurant could lose its license if it violates health
regulations; a threat to good financial reporting is that restaurant sales may not be
recorded accurately (Table 2.)
The third column is completed by identifying the control objectives that
management has or should have in place to stop the threats! For example, the operations
objective is to stop employees from losing fingers (Table 3.)
Then the instructor fills in the fourth column with the internal control elements.
The five individual elements of a good internal control system are the control
environment, risk assessment, control activities, information and communication, and
monitoring (Table 4.) These internal control elements should ensure that managements
control objectives are met.

Table 2
Threats to Meeting Objectives (Column 2)
COSO Objectives of
Entity
Operations
Compliance

Financial Reporting

Threats to the
Restaurant
Employees will lose
fingers on sharp
equipment
Restaurant may
lose its license due
to not adhering to
health regulations
Restaurant sales
will not be recorded
accurately
5

Table 3
Managements Control Objectives (Column 3)
COSO Objectives of
Entity

Operations

Compliance

Financial Reporting

Threats to the
Entity

Control
Objective (To
stop the
ThreatManagements
Responsibility)
Employees will
To ensure that
lose fingers on
employees
sharp equipment
dont lose
fingers on
sharp
equipment
Restaurant may
To ensure that
lose its license due all health
to not adhering to
regulations are
health regulations
followed so
that
restaurant
does not lose
its license
Restaurant sales
To ensure that
will not be
all sales are
recorded accurately recorded
accurately so
that the
financial
reporting
objective is
met

The fifth column addresses what management has told the auditor they have put
in place to meet the threat belonging to that internal control element. For example, a
control environment step that could help keep employees from losing fingers would be
the existence of training sessions to show employees how to use the equipment. These are
the activities that management has put in place to see that the control objective is met.
The instructor continues to identify different evidence that the control objective is being
met for each of the internal control elements in column 4 (Table 5.)

Table 4
Internal Control Elements (Column 4)
COSO
Objectives of
Entity
Operations

Compliance

Financial
Reporting

Threats to the
Entity

Control Objective
(To stop the
ThreatManagements
Responsibility)
Employees will To ensure that
lose fingers on employees dont
sharp
lose fingers on
equipment
sharp equipment
Same
Same
Same
Same
Same

Same

Same
Restaurant may
lose its license
due to not
adhering to
health
regulations
Same
Same

Same
To ensure that all
health regulations
are followed so
that restaurant
does not lose its
license
Same
Same

Same

Same

Same
Restaurant
sales will not
be recorded
accurately
Same
Same

Same
To ensure that all
sales are recorded
accurately so that
the financial
reporting
objective is met
Same
Same

Same

Same

Same

Same

Internal Control
Element
(COSO)
Control
Environment
Risk Assessment
Control
Activities
Information and
Communications
Monitoring
Control
Environment

Risk Assessment
Control
Activities
Information and
Communications
Monitoring
Control
Environment

Risk Assessment
Control
Activities
Information and
Communications
Monitoring

Table 5
Evidence That Control Objectives are Being Met (Column 5)
COSO
Objectives of
Entity

Threats to the
Entity

Operations

Employees will
lose fingers on
sharp equipment

Compliance

Financial
Reporting

Internal Control Element

(COSO)

Evidence that Control

Objective is Being Met
(Managements Responsibility)

Control Environment

Management provides training

sessions for all new employees
on how to use equipment safely

Same

Control Objective (To

stop
the ThreatManagements
Responsibility)
To ensure that
employees dont lose
fingers on sharp
equipment
Same

Risk Assessment

Same

Same

Control Activities

Same

Same

Internal Control
Element (COSO)

Same

Same

Control Environment

Restaurant may
lose its license
due to not
adhering to
health
regulations
Same

To ensure that all

health regulations are
followed so that
restaurant does not
lose its license

Risk Assessment

Management reviews the

equipment to make sure that
any new equipment is included
in training sessions
Safety blades are required to
be kept on all equipment when
equipment is not is use
Reminders about equipment
safety are posted near all
equipment
Management keeps logs of
safety walk-throughs to see
that equipment is covered
when not in use and employees
are following safety
procedures.
Management has policies and
procedures on all health
regulations; all new employees
must read and sign off.

Same

Control Activities

Same

Same

Information and
Communications

Same

Same

Monitoring

Same

Same

Control Environment

Restaurant sales
will not be
recorded
accurately

To ensure that all

sales are recorded
accurately so that the
financial reporting
objective is met

Risk Assessment

Management reviews changes

to health code on a regular
basis to see if new regulations
have added to their risks
Management has policy that
no food should be left out of
refrigerator for more than one
hour
Signs are clearly posted stating
that employees must wash
hands after using the
bathroom
Management goes through all
city health inspection reports
and implements all infractions
Management has policies and
procedures for the proper
recording of sales by servers
and cashiers

Same

Same

Control Activities

Same

Same

Information and
Communications

Same

Same

Monitoring

Same

Same

Control Environment

Management conducts
quarterly reviews to determine
if employee turnover has
caused changes to the financial
procedures
Management requires use of
prenumbered server order
forms so that all meals can be
accounted for
Management prepares daily
server reports to report on all
tips for tax purposes; all
employees sign form
Management accounts for all
prenumbered server order
form tickets

Risk Assessment
Control Activities
Information and
Communications
Monitoring

But the internal auditor cannot rely on managements statements alone. So the
sixth column illustrates what evidence the internal auditor would ask for to evaluate
managements actions to threats to the restaurant, e.g., if the restaurants operating
objective is to have good operations and management has stated that they provide
training sessions for all employees to show them how to safely use sharp equipment
(control environment), then the internal auditor would request and review schedules of
past and future training sessions and check that all employees have attended those
sessions (Table 6.)
Table 6
Audit Procedures (Column 6)
COSO
Objectives
of Entity

Threats to the
Entity

Operations

Employees
will lose
fingers on
sharp
equipment
Same

Control Objective
(To stop the
ThreatManagements
Responsibility)
To ensure that
employees dont
lose fingers on
sharp equipment

Internal
Control
Element
(COSO)

Evidence that Control

Objective is Being Met
(Managements
Responsibility)

Audit Procedure
(Auditors
Responsibility)

Control
Environment

Management provides
training sessions for all
new employees on how
to use equipment safely

Same

Risk
Assessment

Management reviews
the equipment to make
sure that any new
equipment is included
in training sessions

Auditor requests and

reviews schedule of past
and future training
sessions and checks that
all employees have
attended
Auditor requests
equipment review
reports from
management. Examines
new equipment. Checks
against training sessions

Compliance

Financial
Reporting

Same

Same

Control
Activities

Safety blades are

required to be kept on
all equipment when
equipment is not is use

Same

Same

Same

Same

Information
and
Communicatio
ns
Monitoring

Reminders about
equipment safety are
posted near all
equipment
Management keeps logs
of safety walk-throughs
to see that equipment is
covered when not in
use and employees are
following safety
procedures.

Restaurant
may lose its
license due to
not adhering to
health
regulations

To ensure that all

health regulations
are followed so that
restaurant does not
lose its license

Control
Environment

Management has
policies and procedures
on all health
regulations; all new
employees must read
and sign off.

Same

Same

Risk
Assessment

Same

Same

Control
Activities

Management reviews
changes to health code
on a regular basis to see
if new regulations have
added to their risks
Management has policy
that no food should be
left out of refrigerator
for more than one hour

Same

Same

Same

Same

Information
and
Communicatio
ns
Monitoring

Restaurant
sales will not
be recorded
accurately

To ensure that all

sales are recorded
accurately so that
the financial
reporting objective
is met
Same

Same

Control
Environment

Risk
Assessment

Signs are clearly posted

stating that employees
must wash hands after
using the bathroom
Management goes
through all city health
inspection reports and
implements all
infractions
Management has
policies and procedures
for the proper recording
of sales by servers and
cashiers
Management conducts
quarterly reviews to
determine if employee
turnover has caused

Auditors sample
equipment and inspect
to see that safety blades
are on equipment not in
use
Auditor examines signs
near all equipment to see
that they are posted and
in good condition
Auditor requests safety
walk-throughs logs and
determines that
comments have been
addressed

Auditor examines
policies and procedures
manual to see that
health regulations are
included and are
current; examines sign
off by all employees
Auditor examines
managements review of
new health codes and
evaluates conclusions
Check for written
policy; auditor observes
kitchen for food left out;
auditor inquires of
employees to see if they
follow policy
Auditor visits all
bathrooms to see that
signs are clearly visible
and in good condition
Auditor examines city
health inspection reports
and inquires if
infractions have been
corrected
Auditor examines policy
on recording sales and
inquires of servers and
cashiers
Auditor requests
managements quarterly
review of changing
circumstances and

10

Same

Same

Control
Activities

Same

Same

Information
and
Communicatio
ns

Same

Same

Monitoring

changes to the financial

procedures
Management requires
use of prenumbered
server order forms so
that all meals can be
accounted for
Management prepares
daily server reports to
report on all tips for tax
purposes; all employees
sign form
Management accounts
for all prenumbered
server order form
tickets

inquires as to resulting
changes
Auditor samples server
order forms and checks
for completeness
Auditor samples daily
servers tip reports to
ensure that all tips are
accurately reported to
the IRS
Auditor requests
managements report on
monitoring
prenumbered tickets
and inquires as to action
taken on missing order
forms

After completing the control matrix, the instructor can give the students an easy
assignment. Have the students identify three new control objectives: one for operations,
one for compliance and one for financial reporting. For instance, other threats to
operations might be that the restaurant does not get enough customers to stay in business
or that cashiers might steal money. Other threats to compliance might be that the
restaurant does not pay fair wages under the Fair Labor Act or that it fails to pass Board
of Health inspections. A threat to financial reporting might be that servers allow friends to
eat for free.
Then the students can determine what kind of evidence the internal auditor would
ask for in order to evaluate how well managements actions cover the threats. This easy
assignment helps students understand the connection between managements
responsibility to have control objectives in place to meet the restaurants objectives and
the auditors role in gathering evidence to evaluate managements control objectives.
Conclusion
In todays business environment, Sarbanes-Oxley has made it imperative that
everyone in the organization be concerned with good internal controls. Both the external
auditor and the internal auditor are involved in the Sarbanes-Oxley process. It is
imperative that accounting students studying auditing, in addition to understanding the
responsibilities of external auditors, also be keenly aware of the managerial role that
internal auditors play in assuring that internal controls are designed and operating
effectively. Using a control matrix approach (see Appendix A for finished matrix)
provides those students with a valuable learning experience.

11

Appendix A
Control Matrix for a Restaurant
COSO
Objectives
of Entity

Threats to the
Entity

Control Objective
(To stop the
ThreatManagements
Responsibility)
To ensure that
employees dont
lose fingers on
sharp equipment

Internal Control
Element (COSO)

Operations

Employees
will lose
fingers on
sharp
equipment

Operations

Same

Same

Risk Assessment

Operations

Same

Same

Control Activities

Operations

Same

Same

Information and
Communications

Operations

Same

Same

Monitoring

Compliance

Restaurant
may lose its
license due to
not adhering to
health
regulations

To ensure that all

health regulations
are followed so that
restaurant does not
lose its license

Control
Environment

Management has
policies and
procedures on all
health regulations; all
new employees must
read and sign off.

Compliance

Same

Same

Risk Assessment

Management reviews
changes to health
code on a regular
basis to see if new
regulations have
added to their risks

Control
Environment

Evidence that
Control Objective is
Being Met
(Managements
Responsibility)
Management
provides training
sessions for all new
employees on how to
use equipment safely
Management reviews
the equipment to
make sure that any
new equipment is
included in training
sessions
Safety blades are
required to be kept on
all equipment when
equipment is not is
use
Reminders about
equipment safety are
posted near all
equipment
Management keeps
logs of safety walkthroughs to see that
equipment is covered
when not in use and
employees are
following safety
procedures.

Audit Procedure
(Auditors
Responsibility)
Auditor requests and
reviews schedule of
past and future training
sessions and checks that
all employees have
attended
Auditor requests
equipment review
reports from
management. Examines
new equipment. Checks
against training sessions
Auditors sample
equipment and inspect
to see that safety blades
are on equipment not in
use
Auditor examines signs
near all equipment to
see that they are posted
and in good condition
Auditor requests safety
walk through logs and
determines that
comments have been
addressed

Auditor examines
policies and procedure
manual to see that
health regulations are
included and are
current; examines sign
off by all employees
Auditor examines
managements review
of new health codes and
evaluates conclusions

12

Compliance

Same

Same

Control Activities

Management has
policy that no food
should be left out of
refrigerator for more
than one hour

Compliance

Same

Same

Information and
Communications

Compliance

Same

Same

Monitoring

Financial
Reporting

Restaurant
sales will not
be recorded
accurately

Control
Environment

Financial
Reporting

Same

To ensure that all

sales are recorded
accurately so that
the financial
reporting objective
is met
Same

Financial
Reporting

Same

Same

Control Activities

Financial
Reporting

Same

Same

Information and
Communications

Financial
Reporting

Same

Same

Monitoring

Signs are clearly

posted stating that
employees must wash
hands after using the
bathroom
Management goes
through all city health
inspection reports
and implements all
infractions
Management has
policies and
procedures for the
proper recording of
sales by servers and
cashiers
Management
conducts quarterly
reviews to determine
if employee turnover
has caused changes to
the financial
procedures
Management requires
use of prenumbered
server order forms so
that all meals can be
accounted for
Management
prepares daily server
reports to report on
all tips for tax
purposes; all
employees sign form
Management
accounts for all
prenumbered server
order form tickets

Risk Assessment

Check for written

policy; auditor observes
kitchen for food left
out; auditor inquires of
employees to see if they
follow policy
Auditor visits all
bathrooms to see that
signs are clearly visible
and in good condition
Auditor examines city
health inspection
reports and inquires if
infractions have been
corrected
Auditor examines
policy on recording
sales and inquires of
servers and cashiers
Auditor requests
managements quarterly
review of changing
circumstances and
inquires as to resulting
changes
Auditor samples server
order forms and checks
for completeness
Auditor samples daily
servers tip reports to
ensure that all tips are
accurately reported to
the IRS
Auditor requests
managements report on
monitoring
prenumbered tickets
and inquires as to action
taken on missing order
forms

13

Bibliography
Chambers, Andrew D., Teaching Internal Auditing at a University-An Example in
Content, The Accounting Review, (January 1978), Vol. LIII, No.1, PP. 143-147.
Crockett, James R., The Dynamics of Accounting Education and Their Effects on
Internal Auditing, Managerial Auditing Journal, (1993), Vol. 8, Iss. 4, pp. 27-32.
Dittenhofer, Mortimer A., Teaching Internal Auditing: The Case-Study Method,
Managerial Auditing Journal, (1992) Vol. 7, Iss3, pp. 17-24.
Fernandes, John J., Preparing Tomorrows Internal Auditor, Managerial Auditing
Journal, (1994), Vol. 9, Iss. 2; Pages 20-23.
Fernandes, John J., Margaret L. Poposky and Linda J. Savage, Operational Auditing
Education: High-Impact Techniques, Managerial Auditing Journal, (1995), Vol. 10, Iss.
3, pp 19-22.
Foster, Sheila D. and Mary Brady Greenawalt, Internal Auditing Education: A
Comparison Across Countries, Managerial Auditing Journal, (1995), Vol. 10, Iss. 3, pp.
31-36.
Greenawalt, Mary B., and Sheila Foster-Stinnett, Experiential Learning for the Internal
Auditing Student, Managerial Auditing Journal, (1992), Vol. 7, Iss. 3, pp. 8-12.
Phillips, T. J., and B. T. Lewis, Internal Audit Education: The Accounting Curriculums
Greatest Deficiency, Journal of Education for Business, (Jan/Feb 1991), Vol. 66, Issue 3,
pp 176-180.
Sinason, David H., Attracting Students to Internal Auditing Careers, Internal Auditing,
Jan/Feb 2004, Vol. 19, Iss. 1, pp. 39-42.
Wilson, Dennis, Teach the Process, Not the Content, Managerial Auditing Journal,
(1995), Vol. 10, Iss. 3, pp, 15-18.

14