IIA Research Foundation

Internal Auditors Role in Corporate Governance

Researched by James Roth, PhD, CIA, CCSA, and Donald Espersen, CIA, CBA. Published by The IIA Research Foundation. The following document is part of The IIA Research Foundation project titled Internal Auditors Role in Corporate Governance. In order to bring this type of information to internal auditors as quickly as possible, documents related to this project will be published electronically via The IIAs Web site.

ALLTEL Control and Risk Self-Assessment Process

ALLTELs COSO-based Control And Risk (CAR) self-assessment process is an excellent example of the detailed, activity-level evaluation required by Section 404 of Sarbanes-Oxley. It is reprinted by The IIA Research Foundation with permission from ALLTEL.

Disclosure Copyright 2003 by Institute of Internal Auditors - Research Foundation, Inc. 247 Maitland Avenue, Altamonte Springs, Florida 32701. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means -- electronic, mechanical, photocopying, recording, or otherwise -- without prior written permission of the publisher. This document was created and intended for the use of members of The Institute of Internal Auditors and the management and boards of the companies that they serve. IIA members may reproduce and distribute copies for use within their organizations. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The Professional Practices Framework for Internal Auditing (PPF) was designed by The IIA Board of Directors' Guidance Task Force to appropriately organize the full range of existing and developing practice guidance for the profession. Based on the definition of internal auditing, the PPF comprises Ethics, Standards, Practice Advisories, and Development and Practice Aids, and paves the way to world-class internal auditing. This guidance fits into the Professional Practices Framework under the heading Development and Practice Aids.

ALLTEL Control and Risk Self-Assessment Process

ALLTELs COSO-based Control and Risk (CAR) self-assessment process is an excellent example of the detailed, activity-level evaluation required by Section 404 of Sarbanes-Oxley. It was not solely created for that purpose. Rather, internal audit believed a robust COSO-based CSA process would add value to the organization by creating a team focus on risk assessment and increasing awareness of the impact of employees in achieving corporate objectives. Consequently, they include all internal controls as defined by COSO, not just financial reporting and disclosure controls. ALLTELs process has several attributes that should be considered in every companys certification process: Detailed analysis of objectives, risks, and controls at the activity level (i.e., department, process, or sub-process). Performed by employees within the activity. Facilitated by a dedicated team who developed the technique, train the employees, provide guidance as needed, and monitor performance. Testing of key controls, with sub-testing by independent parties to verify the results. Coding elements of the analysis by the COSO framework, to enable results to be rolled up from the activity to the entity-wide level.

ALLTELs process also has attributes which will not be in every companys certification process: Coverage of all three COSO objectives of internal control, not just financial reporting and disclosure controls. Process designed and administered by internal audit. Use of facilitated CSA workshops. Use of an activity-level CSA survey similar to entity-wide questionnaires used by some other companies.

ALLTELs robust CSA process involves much more effort from the units than SarbanesOxley requires. Internal audit sells this process for its inherent value rather than as a compliance requirement. They have found management at all levels to be very supportive, willing to make the effort involved, and appreciative of the results. At the time of this writing, ALLTEL had conducted more than 60 CSA projects and had just completed a major revision of their process. They expect further enhancements as they continue to use the process. How The Process Works 1. Workshop participants are usually the supervisor, manager, director level, and sometimes the VP. Internal audit has a one-hour meeting with participants 2-3

weeks before the workshop. In this meeting, they explain the process (in effect, train the participants) and get buy-in for the process. 2. Before the workshop, participants: Complete the Internal Control System Survey. Prepare or update a flowchart of the process (when applicable). Define the business objectives of the process.

3. During the 4 hour workshop, participants: Discuss the Internal Control System Survey results. This is usually brief, with the survey results serving as background for the detailed assessment that follows. The group will discuss any unusual results (e.g., statements for which there is significant disagreement). After the workshop, internal audit enters the survey results into a Control and Risk Knowledgebase, together with the results of the detailed analysis from the Control and Risk (CAR) Assessment Report. Individual workshop results then aggregate into results for ALLTEL as a whole and support the Section 302 and 404 certifications. Survey results are especially meaningful when aggregated. They may indicate pervasive issues for which upper management develops action plans. Identify the controls that help accomplish the business objectives. Identify the threats (i.e., risks) to accomplishing the objectives. The order of the analysis is unusual and worth considering. The usual order is objectives-riskscontrols. ALLTEL finds that objectives-controls-risks is a more positive approach, and participants are more likely to identify important controls that contribute to the overall control environment rather than to a specific threat. Later in the analysis, when they map controls to threats and assess the level of each threat, they identify any risk-mitigating controls that may have been missed. Assess the unmitigated level of each threat to the process as high-medium-low (i.e., the inherent level of each threat, without taking controls that mitigate the threat into account). Map controls to threats and identify additional controls when applicable. Identify the primary controls. Assess the effectiveness of each control (subjectively, based on the knowledge and consensus of the group).

Assess the mitigated (i.e., actual or residual) impact and probability of each threat and determine overall risk score (i.e., residual risk). Develop action plans to improve controls where necessary.

Note: Participants do not categorize objectives and controls by COSO during the workshop. One of the facilitators monitors the control components during the workshop to ensure adequate coverage and does the categorization behind the scenes or later. 4. After the workshop: Participants test each control identified during the workshop and complete the Control and Risk Assessment Test of Controls worksheet. Internal audit tests a sample of the primary controls and documents their testing and conclusions in the audit workpapers. Internal audit completes the Control and Risk (CAR) Assessment Report. Most of the fields in this report are self-explanatory. Here are some explanatory notes for those that might not be: Internal audit completes the last row of the General Information section as the last step in the evaluation. They use stoplight colors (green, yellow, red) to rate each COSO Component. They also rate the overall process risk, given the current state of controls: first the Impact, then an overall Score which includes Impact and Probability. In the Business Objectives section, internal audit categorizes each objective as Financial, Operational, or Compliance. Workshop participants estimate the percentage of resources they devote to each objective. In the Threat Identification section, internal audit assigns each threat identified in the workshop to a Threat Category and Threat Source. These classifications are found in the Control and Risk Assessment Supplement. The Objective Threat RatingUnmitigated is the participants rating of the level of risk each threat would pose to achieving the process objective if it were not mitigated by controls. In the Control Identification and Assessment section, internal audit classifies each control according to its COSO Component and Control Component (ALLTELs modification of the COSO Factors, see the Control and Risk Assessment Supplement). For the Participant Control Rating and IA Control Rating, they use the four-point scale in the Control and Risk Assessment Supplement. The owners rate every control. When the CSA is stand-alone, internal audit only rates the controls they tested. When the CSA is done within an audit project, internal audit tests and rates the primary controls.

 In the Current Risk Exposure and Control Improvement section, they describe each Current Risk Exposure (i.e., control weakness). They assess the Impact, Probability, and combined Score of each exposure, using the Risk Level Grid in the Control and Risk Assessment Supplement, as well as the action plan, owner, and action date for completion. When the CAR Report is complete, the process owner signs it, certifying the results. Internal audit tracks the progress of all control improvements rated moderate or above.

5. At year end: All process owners complete a Control Self-Assessment Acknowledgement stating whether any material changes have occurred within the process and/or environment since the last CAR assessment. If changes have occurred, they update the CAR. They also certify that controls are in place and working effectively or action plans have been put in place to ensure effectiveness as of the year-end date.

Notes on the Process ALLTEL has an audit staff of 15. Two auditors are assigned to CSA full time and the rest of the audit staff participate in the CSAs during assigned audits and as needed. About 15% of the departments time is devoted to CSA. ALLTEL focused on Finance and Accounting initially and completed CSAs for approximately 60 sub-processes in 2 months. They will expand into operational areas and facilitate approximately 200 CSAs in total by the end of 2003. The participants time commitment varies, but is expected to be around 40 hours for the entire process, including 6-10 hours for controls testing. The preparation of the flowchart has been the largest expenditure of time, but this should become more efficient in future years. The COSO coding enables internal audit to roll results up to higher levels and upper management to develop action plans to improve high-level controls. The Threat Categories and Threat Sources serve a similar purpose. ALLTEL also has an external reporting department that has documented the disclosure process, and external audit tests this process fully. Internal audit reviews and tests the disclosure controls and procedures on a quarterly basis. ALLTEL anticipates that external audit will use the control documentation for the Section 404 testing which should impact the engagement fees.

ALLTEL Internal Control System Survey

Directions: Place an X in the appropriate column that best describes your reaction to each statement for your business unit.
Strongly Agree Not Disagree Strongly Agree Sure Disagree

Control Environment
1 2 3 4 5 6 7 8 Management and employees demonstrate commitment to integrity and ethics. Employees are aware of the ethics policies of the company. Performance targets in my business unit are realistic and obtainable. Employees in my work group have the knowledge, skills and training to perform their jobs adequately. The assignment of responsibility and delegation of authority provide a basis for accountability and control. Personnel turnover has NOT impacted my work unit's ability to effectively perform its function. Integrity of financial and operational results always takes priority over reporting acceptable performance targets. Job descriptions are documented and provided to the employees in my work group.

Risk Assessment
9 Management establishes business objectives consistent with company objectives and strategic plans. 10 Management establishes goals consistent with the business objectives and strategic plans of the company. 11 Goals are formally defined and monitored on a periodic basis. 12 Goals are effectively communicated to employees. 13 Management performs and documents a risk analysis periodically to identify and consider the implications of relevant risks at both the entity and the activity level. 14 Mechanisms are in place to identify and react to change that can impact the business objectives of the entity. 15 Sufficient resources, tools and time are available to accomplish my business objectives.

Control Activities
16 Policies and procedures are documented and communicated to the employees. 17 Control activities are in place to mitigate risks to the company. 18 Management periodically reviews the functioning of control activities and modifies as needed to meet changing needs. 19 Employees who steal from the company (I.e., physical property, money, information, time) will be discovered. 20 Policies and procedures for my work group allow employees to do their jobs effectively.

Information and Communication

21 Timely and sufficient information is provided to the right people to enable them to carry out their responsibilities. 22 The business unit has established open lines of communication with other functions within the company. 23 An effective communication channel exists for reporting suspected improprieties. 24 Mechanisms and incentives are in place for employees to provide recommendations for process improvements.

Monitoring
25 Ongoing monitoring activity occurs to assess the adequacy of the internal control systems. 26 Management is responsive to internal or external recommendations made by auditors or regulatory agencies to strengthen the internal control system. 27 Employee performance reviews are performed at appropriate intervals. 28 Management has enough information to monitor vendor performance. 29 Management has enough information to monitor customers' satisfaction or dissatisfaction (either internal or external). 30 Mechanisms are in place for capturing internal control deficiencies and reporting the deficiencies to upper management.

CONTROL AND RISK (CAR) REPORT GUIDE

GENERAL INFORMATION
Business Cycle From map of audit universe Process From map of audit universe Sub-Process From map of audit universe Strategic Importance Answers the question, How is the subject important to the company? Financial Statement Captions General Ledger Accounts Narrative Summary A thumb-nail summary of audit findings General Overview Control Control Control Risk Information Component Control Activities Environment Activities Assessment Monitoring Communication Summary: (CE) (CA) (RA) (M) (IC) Process ID: Groups Represented: Audit Team: Date Prepared: Key Systems: Internal audit assigned

Risk Exposure:

Impact

Overall Summary: COSO

Score

BUSINESS OBJECTIVES
Business Objective Business Objectives Number 1 End result statements of the business purpose of the process. These are ranked in order of importance. 2 3 4 Total 100% Process Activity From the high level process flow Objective Category F-O-C Estimated Percentage Total = 100%

THREAT IDENTIFICATION
Business Objective Number Threat ID Threats to Achieving Objectives 1 A A description of threats to the achievement of the business objective 1 Etc. 2 Threat Count B Etc. H 8 Control Number 1,3, etc. Threat Category See supplement for list Objective Threat Rating- Unmitigated High, Medium, Low Threat Source See supplement for list

CONTROL IDENTIFICATION AND ASSESSMENT

Control COSO Threat ID Number Component Controls Control Description From 1 From look-up See A description of a procedure, or a group of procedures, which works to achieve the business supplement objective above list for Control for list Component 2 CA Etc. CA Primary Control X Participant Control IA Control Rating Rating See supplement for list

X X

Control 2 Count Control Ranking

1: Well Controlled 2: Adequately Controlled 3: Needs Improvement 4: Inadequately Controlled

CURRENT RISK EXPOSURE AND CONTROL IMPROVEMENT

Objective Threat ID Current Risk Exposure Impact to Probability Score Control Improvement Number company to company From the risk level grid Corrective action is determined by process From From A description of the current exposure based on the owners in conjunction with internal audit. above above threat mitigated by the controls in place. I.e., I.e., I.e., Exposure with a score rated moderate or The description should include these four elements Low Likely Moderate above will be tracked by Internal Audit. of a finding: condition, standard, impact, and cause. The fifth element is recorded as control improvement Owner Action Date

CONTROL AND RISK ASSESSMENT TEST OF CONTROLS

GENERAL INFORMATION
Business Cycle Process Sub-Process Strategic Importance Financial Statement Captions General Ledger Accounts Narrative Summary Threat Number A,C,D,E Control Count Control Number 1 1 XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX A thumbnail recap of audit findings. Process ID: Groups Represented: Audit Team: Date Prepared: Key Systems: XXXXX XXXXX XX, XX, XX XXXXX

TEST OF CONTROLS
Controls Scope of Testing Testing Performed Conclusion Management
Authorization

Date

I hereby certify that I have taken appropriate steps and performed testing to validate that the internal controls identified above are operating effectively and as designed, except as otherwise noted above. Signed__________________________________________________________________________________ Dated___________________________________________________________________________________

Control and Risk Assessment Supplement

Business Objectives Business objectives describe specific desired end results what is to be achieved. Business objectives can relate to any aspect of the business: Compliance, Operations, or Financial Reporting. Business objectives do not direct how end results are to be achieved. End results are measurable. End results are reasonably attainable in the course of business over a stated period of time. There must be a clear alignment of strategic and sub-process goals in the organization

Discussion: Business objectives can be written for all levels of the corporation. Usually, strategic objectives are stated in broad terms. Sub-process objectives are written in very specific terms. Sub-process objectives often represent how strategic goals will be accomplished. Strategic Objective: Maximize revenue assurance Process Objective 1: Maximize revenue assurance at the switch Sub-Process Objective 1: Improve revenue assurance regarding dropped calls Process Objective 2: Improve capture of CDR information in the billing system Sub-Process Objective 2: Ensure 3-way calls are captured in the billing system The sub-process objectives are ways the respective process objectives can be achieved. The process objectives are different aspects of how the strategic objective can be achieved. Please note that none of the objectives talk about procedures, only end results. Threat Identification and Assessment THREAT CATEGORY Strategic Objectives Compliance Financial Reporting External Fraud Business Environment Customer Technology Reputation Governance Management Reporting - Internal Safeguarding of Assets Operational Efficiency THREAT SOURCE Budgetary Constraints Contractual and Legal Relationships Employee behavior Fraud Industry Competition Knowledge and Skills Management activities and controls Natural events Political Circumstances Process Design Technology, technology issues

10

COSO Objectives: Compliance, Operational, Financial Reporting

300 Control Activities Information/Transaction Processing (Manual or Automated) Authorization Completeness Accuracy of Data Timeliness Continuity Controls over Information Systems Data Center Operating Systems Access Security IT Disaster Recovery System Rules Automated File Feed Development of Performance Measures Direct Function or Activity Management Analysis Reconciliations Physical Safeguard Controls Segregation of Duties Third Party Management 400 Information and Communication Management Communication Processes Information Transfer and Dissemination Strategic Communication Processes Communication of Objectives to Organization Periodic Status Meetings Upward Flow of Performance Information Training 500 Monitoring Ongoing Monitoring Continuous Improvement Activities Deficiency Reporting Mechanisms Monitoring Corrective Action Review of Reconciliations Disclosure Committee 301 302 303 304 305 311 312 313 314 315 316 321 331 341 342 351 361 371 401 402 403 404 405 406 407 501 502 503 504 505 506

100 Control Environment Assignment of Authority and Responsibility Board of Directors/Audit Committee Commitment to Competence External/Specialist Reviews Human Resource Policies and Practices Integrity and Ethical Values Mgmt Philosophy and Operating Style Organizational Structure General Policies and Procedures Self-Assessment/Quality Assurance Review Supervision and Evaluation of Employee Performance 200 Risk Assessment Strategic Objectives Process Objectives Sub-Process Objectives Business Continuity Planning Change Management Threat Identification Risk Assessment Activities Planning and Budgeting

101 102 103 104 105 106 107 108 109 110 111 201 202 203 204 205 206 207 208

11

9/99

Impact Probability Almost certain 5 Likely 4 Moderate 3 Unlikely 2 Rare 1

IMPACT GUIDANCE

Extreme 5 severe severe high

High 4 severe high

significant

Medium 3 high
significant

Low 2
significant

Negligible 1 moderate low very low trivial trivial

moderate low very low trivial

moderate low very low

significant moderate moderate low

PROBABILITY DEFINITIONS Almost certaincontrol design and execution indicate high probability of control failure likelycontrol design and execution is unreliable moderatecontrols mostly work as intended, but not always unlikelycontrol design and execution is consistent overall with few lapses rarecontrol design and execution are adequate and in place and working

extreme--would threaten the survival of the process high--would threaten the continued effective function of the process and require top level management intervention medium--the process could be subject to significant review and/or modification low--would threaten the efficiency or effectiveness of the process but would be dealt with internally negligible--impact would be dealt with by routine procedures CURRENT RISK RATING DEFINITIONS severe--must be managed by senior management with a detailed plan (e.g., CEO/CFO) high--detailed research and management planning required at senior levels (e.g., SVP/EVP) significant--management responsibility must be identified (e.g., VP) moderate--manage by specific monitoring or response procedures (e.g., Director/Manager) low--manage by routine procedures (e.g., Manager/Supervisor) very low/trivial--unlikely to need specific application of resources

Current risks rated moderate and above are included on the Monitoring report and tracked until control improvements have been successfully implemented.
Australian Risk Level Grid as modified by BellSouth. Used with permission.

12