Wednesday, February 11, 2009

Why is 2009 so full of New Guidance?

The new year offers a bounty of new guidance and information for the controls, process improvement, and assurance profession.

Batting first in this lineup is the new IPPF. Let's give it a rousing welcome. The IPPF, or International Professional Practices Framework, is smaller than its previous incarnations.

According to the What's New packet available for download,

As the conceptual framework that organizes guidance promulgated by The IIA, the IPPF’s scope has been narrowed to include only authoritative guidance developed by IIA international technical committees following appropriate due process. Authoritative guidance consists of two categories: Mandatory and Strongly Recommended.

This means that less "official" advice and other guidelines have been removed from places like the Practice Advisories and shifted to separate Practice Guides and Whitepapers. Makes sense. Also, there appears to be a commitment change that will have these standards updated every three years. Obviously, professional auditors should stand in line at their local IIA bookstore to get a signed and, of course, properly logged/recorded/batched/reconciled copy.

But that's not all.

Following the IPPF's home-run swing is our next hitter: COSO's Guidance on Monitoring Internal Control Systems. COSO, known to its friends as the Committee of Sponsoring Organizations of the Treadway Commission, released on February 4th a new set of guidelines regarding monitoring.

Monitoring is one of the five components of internal control identified in COSO's landmark guidance issued in 1992, Internal Control-Integrated Framework, which remains the primary set of guidance on internal control used in the U.S. It is also at the core of Sarbanes-Oxley Section 404.

The other four components of internal control identified by COSO in 1992 are: control environment, risk assessment, control activities, and information and communication.

I found an illustrative article from the January/February edition of Financial Executive, which includes information from interviews with R. Trent Gazzaway of Grant Thornton and Michael P. Cangemi, formerly FEI President and CEO and representative of FEI on COSO's Board of Directors. FEI, along with the AICPA, American Accounting Association, The Institute of Internal Auditors (IIA) and the Institute of Management Accountants, makes up the sponsoring organizations.

One of the most salient quotes from that article,

Some companies, he notes, were placing too much reliance over too long a period of time on indirect information like budget-to-actual comparisons and key performance indicators (KPI). “As a consequence, small errors were allowed to fester under the radar screen until they became material.” In fact, he adds, “in many cases the indirect information looked normal entirely because the underlying internal controls were broken.”

So, in keeping with my tortured baseball metaphor, we'll all have to agree that the only reason COSO's "at-bat" didn't bring in a run is a snap decision by the third base coach.
Tortured is right.

And batting clean-up in this all-star lineup is the newest member of our team, coming up from the minors only two days ago. Hailing from the Center for Audit Quality is the Lessons Learned – Performing an Audit of Internal Control in an Integrated Audit.

While arguably the least "official" of the three major-leaguers we've seen today, nevertheless the CAQ's effort provides some useful intel regarding integrated auditing with respect to SOX.

It also has the benefit of being freely downloadable, where the others are not.

The Lessons Learned document offers 21 practical insights for auditors, including:
  • Understand and Use Management’s Assessment and Documentation as a Starting Point
  • Integrate the Audits
  • Establish the Right Team
  • Identify Material Risks to Reliable Financial Reporting
  • Identify Controls Necessary to Sufficiently Address Identified Risks
  • Take a Risk-Based Approach to Testing Identified Controls

Much of what is here is not new, but it does have a degree of practicality that the other two offerings mentioned here do not. Compared to the works from the IPPF and COSO, the CAQ's effort can be likened to the difference between two speakers at a conference. One talks about the mandatory requirements and the other gives you gritty tools you can use back at the office.

The first feels necessary, but you talk about the second much longer.

--Prescott Coleman, CIA, CISA
