BENEFITS OF COSO-BASED AUDITSEffect

BENEFITS OF COSO-BASED AUDITS

Effectiveness
Testing all five COSO control components provides a solid foundation for determining the degree of assurance provided by controls.

Efficiency
Focusing on one COSO objective category guards against costly "scope creep."

Comparability
Using a common audit framework and rating system enables the controls in different business segments to be contrasted.

Communication
Integrating COSO criteria in discussions with clients enhances their understanding of control concepts.

Audit Committee
Reporting in terms of the COSO framework helps to portray strengths and weaknesses of the internal control system.

___________________________________________________________

Operations An operations objective focuses on controls governing efficiency and effectiveness. Effectiveness concerns the quality of controls over the achievement of specific management objectives, while efficiency addresses the quality of controls yielding an optimum measure of resource inputs to productive outputs. An operations audit should determine whether the organization can be reasonably assured that no material inefficiencies or lack of effectiveness exist in the audited organization or process.

Because Boeing is in a highly regulated industry, it is tempting to regard every operations audit as a compliance audit. However, an overall evaluation cannot be provided unless the audit evaluates the entire system of controls for ensuring compliance with laws and regulations. Such a system includes the relationship with the regulatory agency, Boeing internal policies and procedures, the people specifically assigned to promote compliance, and the methods for monitoring compliance effectiveness. Only audits that address each aspect of the compliance program can render an overall opinion on how well the system of internal controls assures compliance with the laws and regulations in question.

At the same time, operations audits that incidentally identify noncompliance with internal procedures provide useful information that must be communicated to management. Auditors are expected to note such potentially illegal violations as incidental findings on the control evaluation form.

___________________________________________________________

RATING CRITERIA FOR COSO-BASED AUDITS

Control Component CRITERIA FOR UNSATISFACTORY RATING

Control Environment "Hard controls" are missing or inadequate.
There are verified instances of breakdowns of "soft controls."

Risk Assessment Management has not predefined relevant objectives.
Such objectives are incompatible with broader objectives.
Management has not identified relevant risks to achieving its objectives.
Management does not have a basis for determining which risks are most critical.
Management has not ensured mitigation of critical operating risks.
Audit tests detect key risks not previously contemplated by management.

Control Activities Key control activities are not functioning as intended.
Management’s risk mitigation strategy is not adequately reflected within control activities.

Information & Communication Key metrics are not identified, collected, and communicated.
Employees do not understand their control responsibilities, and this is pervasive.
Customer or supplier complaints and disputes are not resolved, or remedial action is not undertaken in a timely manner.

Monitoring Management has not established a means of determining the quality of the internal control system over time, either through independent evaluations or ongoing, structured, and independent process checks.

Overall The ratings of all components should be considered to determine whether controls provide reasonable assurance that management objectives will be achieved. A strength in the internal controls of one component may compensate for a control weakness in another.
Financial Reporting In audits where the objective is financial reporting, emphasis is placed on the adequacy and effectiveness of management controls governing the reliability of financial data used for external reporting purposes. An audit based on such controls should provide reasonable assurance that no material misstatements exist in the examined data. Tracing audit controls and financial data back to the financial statements is indicative of an audit with a financial reporting objective.

An audit that reviews the assumptions and methods used to estimate contract costs-at-completion typically has a financial reporting objective. Similarly, audits of accounting controls that govern the preparation of financial statements generally will have financial reporting as their audit objective. Though there are exceptions, many finance-function audits focus on financial reporting since their scope often reflects the audit objective.

It might be initially difficult to determine, for example, whether an audit objective for accounts payable belongs in the operations or the financial reporting arena. The answer would depend on the kind of management controls to be audited. Likewise, audits of "cost screening for government allowability" could potentially address all three objectives: process efficiency and effectiveness—operations; adherence to Federal Acquisition Regulations (FAR) requirements—compliance; and reliability of cost classification and transaction processing—financial reporting. Selecting the objective is a matter of auditor judgment and depends on the nature and preponderance of management controls to be examined.

Compliance Audits based on compliance focus on the adequacy and effectiveness of management controls governing adherence to external laws and regulations. Such audits are primarily concerned with the correlation between laws and company procedure and actual practice. We usually consult our in-house legal counsel extensively during audits of this nature—an excellent indication that the audit should have compliance as its objective.

An audit of company adherence to the provisions of the Foreign Corrupt Practices Act is illustrative of a typical compliance audit. Examples also include audits of controls governing compliance to FAR "cost disclosure," FAR "defective pricing" requirements, and the Federal Aviation Administration’s "unapproved parts" inspection requirements.

ASSESSING CONTROL COMPONENTS
According to COSO, each of the five control components must be assessed before an opinion can be rendered about the design and effectiveness of the overall internal control system. Therefore, our reengineered process requires that each COSO component be covered in all audits.

In defining each control component, COSO identifies several control factors. We use these factors, as criteria for rating the effectiveness of controls. Our auditors must consider each factor during audit program development, and they must design appropriate inquiries and tests when assessing control effectiveness. By requiring each control component and factor to be addressed, we are seeking to ensure greater consistency in audit performance and to maximize audit effectiveness.

To ease understanding and application of the criteria, control component ratings are restricted to satisfactory or unsatisfactory. We considered alternative rating structures, but concluded that this binary approach, along with supporting rationale, communicated the right information. In unusual cases where the auditor stumbles across a reportable condition outside the system of internal controls being audited, an "incidental—satisfactory or unsatisfactory" observation may be recorded.

The assigned ratings must comport with the predefined criteria, be predicated on reliable audit evidence, and be documented in the working papers. If controls provide reasonable assurance that management objectives will be achieved, a satisfactory rating is assigned. An unsatisfactory rating is used if controls do not provide such assurance. While auditor judgment plays a significant role in assigning ratings, the existence of corrective recommendations suggests an unsatisfactory condition. To support auditors in rating controls, we’ve provided guidance that addresses each control component.

___________________________________________________________

The Boeing Control Evaluation Form



Rationale for Unsatisfactory Rating:

___________________________________________________________

Control Environment For ease of analysis, the control factors for this component have been divided into hard and soft controls. At Boeing, hard controls consist of organizational structure, assignment of authority and responsibility, and human resources policies and practices. All three are relatively traditional areas examined in most audits. Audit evidence for each should be readily available.

Soft controls include ethics, commitment to competence, and management operating style. Such controls have traditionally been overlooked in audits because documented evidence of the audit condition is difficult to obtain and test.

If any one of the hard controls isn’t functioning effectively in the area being audited, an unsatisfactory rating is warranted. On the other hand, proper behavior is assumed for soft controls. An unfavorable audit conclusion is reached only if improper behavior is observed. A satisfactory rating wouldn’t be ruled out if the auditor finds no direct evidence that the "soft controls" are in place. Only if instances of unethical, incompetent, or improper management behavior are discovered should the auditor consider an unsatisfactory rating. The level of assurance provided by the auditor for soft controls is, therefore, much less than normally rendered. As techniques for testing soft controls improve, rating criteria may be revised to render more positive assurance.

Risk Assessment According to COSO, effective risk assessment requires:

° Predefinition of objectives.
° Compatibility of objectives.
° Identification of risks to achieving objectives.
° Judgment of which