curriculum that would enhance students' analytic, critical thinking, written and oral
communication, and group/teamwork skills. This article lays out detailed objectives,
methods of instruction, professional company involvement and course evaluation but
does not go into any detail of content.
Greenawalt and Stinnett (1992) present an excellent case that can be adapted for
use in a financial auditing or internal auditing class. It requires students to find an audit
client. The students then have the task of understanding and documenting the internal
control system of either the revenue cycle or the expenditure cycle. The students present a
written report and document their understanding of the controls, prepare an internal
control review matrix, do evaluations and make oral presentations. This article provides a
great outside project but does not provide the audit instructor an in-class demonstration of
how a control matrix is prepared.
Our paper provides a unique pedagogical approach to teaching auditing students
how to construct a control matrix, an important tool for use in evaluating internal
controls.
The Relationship between Internal and External Auditing
Internal auditing is an independent, objective, assurance and consulting activity
designed to add value and improve an organization's operations. Its focus is mainly on
evaluating and improving the effectiveness of the organization's risk management,
control and governance processes. External auditing is the systematic process of
objectively obtaining and evaluating evidence regarding management assertions in
financial statements. Its focus is on communicating any findings to interested users who
are mostly external to the organization such as shareholders and the SEC. Both sets of
auditing professionals have a use for control matrices.
The Relationships among Organizational Objectives, Threats to Meeting Objectives
and Internal Controls
All entities have specific objectives that they must achieve, but every objective
faces threats to its achievement. These threats must be eliminated,
avoided, controlled or accepted. By having good controls in place to mitigate the threats,
a company is better able to achieve its objectives and therefore places itself in a
competitive position. It is management's responsibility to see that adequate controls are
in place. It is the auditor's responsibility to see that management's controls are indeed
working as planned. The internal auditor's chief role is to evaluate the design and
effectiveness of those controls.
COSO Approach to Developing a Control Matrix
This paper illustrates a control matrix approach that can be used as lecture
material (or as a class assignment) in the internal auditing chapter of a traditional
textbook or as part of an internal auditing course. This control matrix helps students
understand how organization objectives drive the need for controls. A COSO framework
is used as the basis for the control matrix development.1
The COSO internal control framework states that entities have three objectives:
good operations, compliance with rules and regulations and good financial reporting. But
there are external and internal threats to having good operations, being in compliance
with rules and regulations and having good financial reporting. To achieve organizational
objectives and minimize the threats, an entity must have a good internal control system in
place. That system should consist of five elements. The entity must have a good control
environment, risk assessment procedures, excellent control activities, adequate
information and communications and a monitoring mechanism in place.
Auditing students have already learned about COSO in an earlier chapter on
internal control so this is a quick internal control review for them. In the internal auditing
chapter we move into a more detailed discussion of the internal auditor's role in
evaluating internal controls put in place by management and in the value-added services
that internal auditors perform. But there are few examples to really help students
internalize what internal auditors do.
Since most students have some understanding as to how restaurants operate, we
used a restaurant example to illustrate this approach to teaching internal auditing. We use
the COSO framework and a six-step process to create the control matrix. We first
illustrate the three objectives of a restaurant. Second, we identify threats to meeting those
restaurant objectives. Third, we discuss control objectives necessary to see that the threats
are contained. Fourth, we use the five components of a good internal control system to
meet the control objectives. Fifth, we then examine the various control activities that
management could have in place. Lastly, in the sixth step, we identify steps to be taken
by the auditor to assure that control objectives are met.
Teaching Approach
The matrix that follows can be created by the audit instructor by first filling in the
first column: the three objectives identified by COSO: operations, compliance with rules
and regulations, and monitoring (Table 1.)
1. The Committee on Sponsoring Organizations published the COSO framework in 1992. It is the most
widely recognized internal control framework used in the United States today.
Table 1
Restaurant Objective (Column 1)
COSO Objectives of Entity
Operations
Compliance
Financial Reporting
Next the instructor can present one threat to each of the restaurant objectives; e.g.,
a threat to operations is that employees might lose fingers; a threat to being in compliance
with rules and regulations is that the restaurant could lose its license if it violates health
regulations; a threat to good financial reporting is that restaurant sales may not be
recorded accurately (Table 2.)
The third column is completed by identifying the control objectives that
management has or should have in place to stop the threats! For example, the operations
objective is to stop employees from losing fingers (Table 3.)
Then the instructor fills in the fourth column with the internal control elements.
The five individual elements of a good internal control system are the control
environment, risk assessment, control activities, information and communication, and
monitoring (Table 4.) These internal control elements should ensure that management's
control objectives are met.
Table 2
Threats to Meeting Objectives (Column 2)
COSO Objectives of Entity | Threats to the Restaurant
Operations | Employees will lose fingers on sharp equipment
Compliance | Restaurant may lose its license due to not adhering to health regulations
Financial Reporting | Restaurant sales will not be recorded accurately
Table 3
Management's Control Objectives (Column 3)
COSO Objectives of Entity | Threats to the Entity | Control Objective (To stop the Threat - Management's Responsibility)
Operations | Employees will lose fingers on sharp equipment | To ensure that employees don't lose fingers on sharp equipment
Compliance | Restaurant may lose its license due to not adhering to health regulations | To ensure that all health regulations are followed so that restaurant does not lose its license
Financial Reporting | Restaurant sales will not be recorded accurately | To ensure that all sales are recorded accurately so that the financial reporting objective is met
The fifth column addresses what management has told the auditor they have put
in place to meet the threat belonging to that internal control element. For example, a
control environment step that could help keep employees from losing fingers would be
the existence of training sessions to show employees how to use the equipment. These are
the activities that management has put in place to see that the control objective is met.
The instructor continues to identify different evidence that the control objective is being
met for each of the internal control elements in column 4 (Table 5.)
Table 4
Internal Control Elements (Column 4)
COSO Objectives of Entity | Threats to the Entity | Control Objective (To stop the Threat - Management's Responsibility) | Internal Control Element (COSO)
Operations | Employees will lose fingers on sharp equipment | To ensure that employees don't lose fingers on sharp equipment | Control Environment
Operations | Same | Same | Risk Assessment
Operations | Same | Same | Control Activities
Operations | Same | Same | Information and Communications
Operations | Same | Same | Monitoring
Compliance | Restaurant may lose its license due to not adhering to health regulations | To ensure that all health regulations are followed so that restaurant does not lose its license | Control Environment
Compliance | Same | Same | Risk Assessment
Compliance | Same | Same | Control Activities
Compliance | Same | Same | Information and Communications
Compliance | Same | Same | Monitoring
Financial Reporting | Restaurant sales will not be recorded accurately | To ensure that all sales are recorded accurately so that the financial reporting objective is met | Control Environment
Financial Reporting | Same | Same | Risk Assessment
Financial Reporting | Same | Same | Control Activities
Financial Reporting | Same | Same | Information and Communications
Financial Reporting | Same | Same | Monitoring
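Table 5
Evidence That Control Objectives are Being Met (Column 5)
COSO Objectives of Entity | Threats to the Entity | Control Objective (To stop the Threat - Management's Responsibility) | Internal Control Element (COSO) | Evidence that Control Objective is Being Met (Management's Responsibility)
Operations | Employees will lose fingers on sharp equipment | To ensure that employees don't lose fingers on sharp equipment | Control Environment |
Operations | Same | Same | Risk Assessment |
Operations | Same | Same | Control Activities |
Operations | Same | Same | Information and Communications |
Operations | Same | Same | Monitoring |
Compliance | Restaurant may lose its license due to not adhering to health regulations | To ensure that all health regulations are followed so that restaurant does not lose its license | Control Environment |
Compliance | Same | Same | Risk Assessment |
Compliance | Same | Same | Control Activities |
Compliance | Same | Same | Information and Communications |
Compliance | Same | Same | Monitoring |
Financial Reporting | Restaurant sales will not be recorded accurately | To ensure that all sales are recorded accurately so that the financial reporting objective is met | Control Environment |
Financial Reporting | Same | Same | Risk Assessment | Management conducts quarterly reviews to determine if employee turnover has caused changes to the financial procedures
Financial Reporting | Same | Same | Control Activities | Management requires use of prenumbered server order forms so that all meals can be accounted for
Financial Reporting | Same | Same | Information and Communications | Management prepares daily server reports to report on all tips for tax purposes; all employees sign form
Financial Reporting | Same | Same | Monitoring | Management accounts for all prenumbered server order form tickets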
But the internal auditor cannot rely on management's statements alone. So the
sixth column illustrates what evidence the internal auditor would ask for to evaluate
management's actions to threats to the restaurant, e.g., if the restaurant's operating
objective is to have good operations and management has stated that they provide
training sessions for all employees to show them how to safely use sharp equipment
(control environment), then the internal auditor would request and review schedules of
past and future training sessions and check that all employees have attended those
sessions (Table 6.)
Table 6
Audit Procedures (Column 6)
COSO Objectives of Entity | Threats to the Entity | Control Objective (To stop the Threat - Management's Responsibility) | Internal Control Element (COSO) | Evidence that Control Objective is Being Met (Management's Responsibility) | Audit Procedure (Auditor's Responsibility)
Operations | Employees will lose fingers on sharp equipment | To ensure that employees don't lose fingers on sharp equipment | Control Environment | Management provides training sessions for all new employees on how to use equipment safely |
Operations | Same | Same | Risk Assessment | Management reviews the equipment to make sure that any new equipment is included in training sessions |
Operations | Same | Same | Control Activities | | Auditors sample equipment and inspect to see that safety blades are on equipment not in use
Operations | Same | Same | Information and Communications | Reminders about equipment safety are posted near all equipment | Auditor examines signs near all equipment to see that they are posted and in good condition
Operations | Same | Same | Monitoring | Management keeps logs of safety walk-throughs to see that equipment is covered when not in use and employees are following safety procedures. | Auditor requests safety walk-through logs and determines that comments have been addressed
Compliance | Restaurant may lose its license due to not adhering to health regulations | To ensure that all health regulations are followed so that restaurant does not lose its license | Control Environment | Management has policies and procedures on all health regulations; all new employees must read and sign off. | Auditor examines policies and procedures manual to see that health regulations are included and are current; examines sign off by all employees
Compliance | Same | Same | Risk Assessment | Management reviews changes to health code on a regular basis to see if new regulations have added to their risks | Auditor examines management's review of new health codes and evaluates conclusions
Compliance | Same | Same | Control Activities | Management has policy that no food should be left out of refrigerator for more than one hour | Check for written policy; auditor observes kitchen for food left out; auditor inquires of employees to see if they follow policy
Compliance | Same | Same | Information and Communications | | Auditor visits all bathrooms to see that signs are clearly visible and in good condition
Compliance | Same | Same | Monitoring | | Auditor examines city health inspection reports and inquires if infractions have been corrected
Financial Reporting | Restaurant sales will not be recorded accurately | To ensure that all sales are recorded accurately so that the financial reporting objective is met | Control Environment | | Auditor examines policy on recording sales and inquires of servers and cashiers
Financial Reporting | Same | Same | Risk Assessment | | Auditor requests management's quarterly review of changing circumstances and inquires as to resulting changes
Financial Reporting | Same | Same | Control Activities | | Auditor samples server order forms and checks for completeness
Financial Reporting | Same | Same | Information and Communications | | Auditor samples daily servers' tip reports to ensure that all tips are accurately reported to the IRS
Financial Reporting | Same | Same | Monitoring | | Auditor requests management's report on monitoring prenumbered tickets and inquires as to action taken on missing order forms
After completing the control matrix, the instructor can give the students an easy
assignment. Have the students identify three new control objectives: one for operations,
one for compliance and one for financial reporting. For instance, other threats to
operations might be that the restaurant does not get enough customers to stay in business
or that cashiers might steal money. Other threats to compliance might be that the
restaurant does not pay fair wages under the Fair Labor Act or that it fails to pass Board
of Health inspections. A threat to financial reporting might be that servers allow friends to
eat for free.
Then the students can determine what kind of evidence the internal auditor would
ask for in order to evaluate how well management's actions cover the threats. This easy
assignment helps students understand the connection between management's
responsibility to have control objectives in place to meet the restaurant's objectives and
the auditor's role in gathering evidence to evaluate management's control objectives.
Conclusion
In today's business environment, Sarbanes-Oxley has made it imperative that
everyone in the organization be concerned with good internal controls. Both the external
auditor and the internal auditor are involved in the Sarbanes-Oxley process. It is
imperative that accounting students studying auditing, in addition to understanding the
responsibilities of external auditors, also be keenly aware of the managerial role that
internal auditors play in assuring that internal controls are designed and operating
effectively. Using a control matrix approach (see Appendix A for finished matrix)
provides those students with a valuable learning experience.
Appendix A
Control Matrix for a Restaurant
COSO Objectives of Entity | Threats to the Entity | Control Objective (To stop the Threat - Management's Responsibility) | Internal Control Element (COSO) | Evidence that Control Objective is Being Met (Management's Responsibility) | Audit Procedure (Auditor's Responsibility)
Operations | Employees will lose fingers on sharp equipment | To ensure that employees don't lose fingers on sharp equipment | Control Environment | Management provides training sessions for all new employees on how to use equipment safely | Auditor requests and reviews schedule of past and future training sessions and checks that all employees have attended
Operations | Same | Same | Risk Assessment | Management reviews the equipment to make sure that any new equipment is included in training sessions | Auditor requests equipment review reports from management. Examines new equipment. Checks against training sessions
Operations | Same | Same | Control Activities | Safety blades are required to be kept on all equipment when equipment is not in use | Auditors sample equipment and inspect to see that safety blades are on equipment not in use
Operations | Same | Same | Information and Communications | Reminders about equipment safety are posted near all equipment | Auditor examines signs near all equipment to see that they are posted and in good condition
Operations | Same | Same | Monitoring | Management keeps logs of safety walk-throughs to see that equipment is covered when not in use and employees are following safety procedures. | Auditor requests safety walk-through logs and determines that comments have been addressed
Compliance | Restaurant may lose its license due to not adhering to health regulations | To ensure that all health regulations are followed so that restaurant does not lose its license | Control Environment | Management has policies and procedures on all health regulations; all new employees must read and sign off. | Auditor examines policies and procedure manual to see that health regulations are included and are current; examines sign off by all employees
Compliance | Same | Same | Risk Assessment | Management reviews changes to health code on a regular basis to see if new regulations have added to their risks | Auditor examines management's review of new health codes and evaluates conclusions
Compliance | Same | Same | Control Activities | Management has policy that no food should be left out of refrigerator for more than one hour |
Compliance | Same | Same | Information and Communications | |
Compliance | Same | Same | Monitoring | |
Financial Reporting | Restaurant sales will not be recorded accurately | To ensure that all sales are recorded accurately so that the financial reporting objective is met | Control Environment | |
Financial Reporting | Same | Same | Risk Assessment | |
Financial Reporting | Same | Same | Control Activities | |
Financial Reporting | Same | Same | Information and Communications | |
Financial Reporting | Same | Same | Monitoring | |
Bibliography
Chambers, Andrew D., "Teaching Internal Auditing at a University - An Example in Content," The Accounting Review, (January 1978), Vol. LIII, No. 1, pp. 143-147.
Crockett, James R., "The Dynamics of Accounting Education and Their Effects on Internal Auditing," Managerial Auditing Journal, (1993), Vol. 8, Iss. 4, pp. 27-32.
Dittenhofer, Mortimer A., "Teaching Internal Auditing: The Case-Study Method," Managerial Auditing Journal, (1992), Vol. 7, Iss. 3, pp. 17-24.
Fernandes, John J., "Preparing Tomorrow's Internal Auditor," Managerial Auditing Journal, (1994), Vol. 9, Iss. 2, pp. 20-23.
Fernandes, John J., Margaret L. Poposky and Linda J. Savage, "Operational Auditing Education: High-Impact Techniques," Managerial Auditing Journal, (1995), Vol. 10, Iss. 3, pp. 19-22.
Foster, Sheila D. and Mary Brady Greenawalt, "Internal Auditing Education: A Comparison Across Countries," Managerial Auditing Journal, (1995), Vol. 10, Iss. 3, pp. 31-36.
Greenawalt, Mary B., and Sheila Foster-Stinnett, "Experiential Learning for the Internal Auditing Student," Managerial Auditing Journal, (1992), Vol. 7, Iss. 3, pp. 8-12.
Phillips, T. J., and B. T. Lewis, "Internal Audit Education: The Accounting Curriculum's Greatest Deficiency," Journal of Education for Business, (Jan/Feb 1991), Vol. 66, Iss. 3, pp. 176-180.
Sinason, David H., "Attracting Students to Internal Auditing Careers," Internal Auditing, (Jan/Feb 2004), Vol. 19, Iss. 1, pp. 39-42.
Wilson, Dennis, "Teach the Process, Not the Content," Managerial Auditing Journal, (1995), Vol. 10, Iss. 3, pp. 15-18.