Midterm Elec

CHAPTER 5
CONTROL FRAMEWORK

In the 1980s, a commission was established to address fraudulent acts in financial statements.

The National Commission on Fraudulent Financial Reporting, chaired by James C. Treadway, identified the lack of a comprehensive internal controls framework.

The Commission on Auditor-Supplier Organization (COSO) of the Treadway Commission was formed in 1985 to sponsor the commission.

The commission was sponsored by five professional associations, including the Institute of Internal Auditors, American Institute of Certified Public Accountants, American Accounting Association, Institute of Management Accountants, and Financial Executives Institute.

COSO's goal was to improve financial reporting quality through corporate governance, ethical practices, and internal control, with a focus on ERM and fraud deterrence.

The 2013 COSO IC-IF contains 17 principles, stating that an entity can achieve effective internal control by applying all principles to operations, reporting, and compliance objectives.

The COSO framework is typically represented as a cube, showing the five components of internal control, the three categories of objectives, and the entity's structure.

CONTROL ENVIRONMENT

The workplace environment refers to the structure, leadership style, and ethical practices of an organization. It includes the tone at the top, which is set and promoted by the board of directors and senior management.

This tone drives ethical conduct within the organization and helps prevent unethical practices and fraud. When management formally [...] influence the organizational culture and permeate the entire organization.

Organizational culture is the collection of learned beliefs, traditions, and guides for behavior shared among members of the organization.

It defines and expresses shared assumptions, values, and beliefs and is manifested in various ways, including formal rules and policies, norms of daily behavior, physical settings, modes of dress, special language, myths, rituals, heroes, and stories.

A healthy culture and ethical environment advance employee morale and improve productivity and efficiency, and organizations that have them tend to outperform others in terms of customer satisfaction, employee satisfaction, and retention.

Failure to retain an effective governance, ethics, and compliance program can jeopardize an organization's reputation, its bottom line, and even its existence.

Ethics is also closely linked to quality, as evidenced in the Volkswagen emissions violations scandal. An auditor who fails to meet accounting standards can cause great damage to the firm and the client, as observed in the Xerox and KPMG cases.

Similarly, a healthcare worker who fails to meet recognized ethical norms and standards is not delivering high-quality health care, and while negligence can be claimed for a variety of reasons, malpractice lawsuits can be significant.

The control environment includes activities related to the competence and development of personnel, the assignment of authority and responsibility, and the organizational structure. Employee reporting lines and accountability requirements are also shaped by it, and these play an important role in the effectiveness of internal controls.

Management establishes a risk management philosophy and the entity's risk appetite, forms a risk culture, and integrates ERM with related initiatives.

Many managers have come to realize that the control environment is critical to the overall corporate image.

Form over Substance

A healthy corporate culture has a positive effect on sales, vendor relationships, investor preferences, recruitment effectiveness, and stakeholder relations. Thinking about and acting ethically carries financial benefits.

Organizational culture plays a key role in defining the control environment, including norms, values, rules, climate, and symbols.

It includes three key elements: the general relationship between employees and their organizations, the vertical or hierarchical system of authority defining superiors and subordinates, and the general views of employees about the organization's destiny, purpose, and goals.

Understanding and addressing unethical behavior is essential for auditors to ensure the integrity and fairness of the organization. Examples of unethical behavior include an unreasonable emphasis on bottom-line performance, high-pressure sales tactics, kickbacks or bribes, and the failure to comply with laws and regulations.

Communication, Consistency, and Belief in the Message

Management must communicate clearly and consistently to ensure expectations are followed, as inconsistencies can lead to employees viewing management as hypocritical. A code of ethics, code of conduct, and conflict of interest statement are essential for establishing ethical conduct. These documents guide employees in ethical decision-making, motivating them to conduct themselves ethically. Training should be provided upon hire and annually to reinforce the importance of these topics.

Leadership organizations should also distribute periodic articles, vignettes, scenarios, and surveys to staff, and engage in informal lunch and learn sessions.

The control environment is crucial for an organization's success, ensuring integrity, ethical values, independence from management, and a commitment to attracting, developing, and retaining competent individuals.

The board of directors plays a vital role in maintaining internal control quality, setting expectations, and ensuring smooth information flow.

The organization should also demonstrate a commitment to attracting, developing, and retaining competent individuals, ensuring their selection, safeguarding, and proper deployment. By addressing these issues, organizations can ensure their objectives are met, mitigate risks, and increase the likelihood of achieving them.

Entity Level Controls

Entity level controls are essential in assessing an organization's values, systems, policies, and processes to prevent fraud and encourage proper conduct.

They involve examining tangible and intangible aspects of the organization, such as policies, procedures, manuals, rules, human resources policies, reporting structures, information flows, and commitment to competence. Other areas of focus include controls over management override, risk assessment methodology, centralized processing, monitoring results of operations, and financial and operational reporting. Internal auditors and business leaders can identify strengths and weaknesses in their entity level controls by examining factors such as the organization's code of conduct, disciplinary action, organizational structure, documentation, compliance requirements, data and information availability, and coordination within the organization's second and third lines of defense. Internal audit can also be beneficial by partnering with Human Resources, Legal, IT, and Loss Prevention to teach employees about internal audits in other settings.
Internal auditors must understand that behavior is influenced by the environment and competing forces, and must work with management to establish clear performance standards, communicate rewards and sanctions, and ensure effective employee management. Organizations should create a positive environment through socialization, education, formal and informal systems, and reinforcement, but should not tolerate unethical behavior.

Tone in the Middle

Choosing the right managers is crucial, as employees judge an organization's ethical conduct based on their boss's actions. Managers influence workplace dynamics, values, and customer satisfaction.

The "tone in the middle" dictates workplace conditions, leading to satisfaction, turnover, profits, and goal achievement. Employee engagement significantly impacts the workplace environment, and internal auditors should collaborate with management to assess workforce engagement.

RISK ASSESSMENT

The COSO framework focuses on identifying, quantifying, analyzing, and managing organizational risks.

Risks are events that can threaten an organization's ability to achieve its objectives. Events can be positive or negative, with positive events being opportunities and negative events being risks. Risks are assessed based on likelihood and impact. Before risk assessment, it is crucial to identify the relevant objectives, as they provide the context for identifying risks.

Larry Rittenberg, COSO's Chair Emeritus, emphasizes the importance of understanding the link between objectives, risks, and controls.

If objectives are not articulated, a deficiency in the control environment should be brought to the attention of senior management and the board. Focusing more on control activities cannot compensate for a breakdown between senior management and board oversight. Once identified, risks should be linked throughout the organization, providing a chaining mechanism to trace risks up and down the organization.

Risk assessment is a crucial process for organizations to identify, analyze, and respond to potential risks related to their objectives. It involves identifying, analyzing, and deciding how best to respond to these risks in relation to the achievement of objectives.

Management specifies objectives within three categories: reporting, compliance, and operations.

Reporting considerations are arranged in four broad categories: internal/external and financial/nonfinancial.

Compliance requirements relate to adherence to laws and regulations, including contractual terms and conditions, service level agreements, and voluntary agreements.

Operations pertain to the effectiveness and efficiency of the organization's operations, including operational and financial performance goals, safeguarding assets against loss, damage, or obsolescence, and making sure resources are obtained economically.

Management must consider, specify, and analyze the degree to which objectives are aligned with its strategic priorities to ensure congruence and coordination between these objectives. Inaccurate alignment can result in competing interests, internal conflicts, priority dissonance, and poor performance. Examples include an employee's objectives focused on cost reduction, a sales department's performance measured on sales volume, and a manufacturing manager's goals weighted heavily on lowering unit costs.

Lack of alignment with established laws, rules, regulations, and standards can lead to trouble and long-term consequences. Large-scale problems often
invite regulator involvement and media attention, which can become distracting and expensive over time. Any discussion about risk must consider that every entity faces a variety of risks from internal and external sources.

Business and Process Risk

The risk management process of an organization involves various risks, including capacity, execution, supply chain, business interruption, human resources, product or service failure, product development risk, cycle time risk, health and safety risk, leadership risk, outsourcing risk, competitor risk, catastrophic loss risk, industry risk, planning risk, organization structure risk, integrity and fraud risk, reputation risk, data integrity, infrastructure risk, commerce risk, access risk, and availability risk.

Capacity risk refers to the inability to meet demand in the short and long term.

Execution risk involves the inability to produce consistently without compromising quality.

Supply chain risk refers to the inability to maintain a steady stream of supplies when needed.

Business interruption risk stems from the unavailability of raw materials, IT, skilled labor, facilities, or other resources that threatens the organization's ability to continue operations.

Human resources risk refers to the lack of knowledge, skills, and experience among key personnel that threatens the ability to achieve business objectives.

Product or service failure risk involves the failure of products or services to meet customer expectations, leading to customer complaints, warranty claims, returns, field repairs, product liability claims, litigation, lost revenues, lower market share, and damage to the business's reputation.

Product development risk involves ineffective product development that threatens the organization's ability to meet or exceed customer expectations consistently over the long term.

Cycle time risk arises from unnecessary activities that threaten the organization's capacity to develop, produce, market, and deliver goods and services in a timely manner.

Health and safety risk involves the failure to provide a safe working environment for workers.

Outsourcing risk involves outsourcing activities that do not align with the organization's strategies, objectives, values, and behavioral standards and expectations.

Technological and Information Technology Risks

IT risks involve issues with the operation of IT systems, data integrity, and the potential loss or misuse of assets.

These risks include data and system availability risk, data integrity risk, system capacity risk, infrastructure risk, commerce risk, access risk, and availability risk.

Data and system availability risk involves the uptime of systems and tools to support the needs of workers, customers, suppliers, and stakeholders.

Data integrity risk involves the accuracy and consistency of data stored, processed, retrieved, and destroyed.

System capacity risk involves optimizing storage and computing capab0ilities.

Infrastructure risk refers to outdated or missing IT infrastructure needed to support information requirements.

Commerce risk involves events that compromise financial and data flows.

Access risk involves unauthorized use of confidential information or limited personnel performance.

Availability risk threatens the continuity of operations and processes.
Personnel risks are conditions that limit an organization's ability to obtain, deploy, and retain suitable numbers of qualified and motivated workers.

These risks include availability risk, competence risk, judgment risk, malfeasance risk, motivation risk, financial risks, environmental risks, political risks, and social risks.

Financial risks can result in poor cash flows, currency and interest rate fluctuations, and an inability to move funds quickly and without loss of value. Examples of financial risks include resources risk, commodity prices risk, foreign currency risk, liquidity risk, market risk, and political risks.

Environmental risks involve the actual or potential threat of negative effects on the environment from emissions, wastes, and resource depletion. Examples include energy and other resources risk, natural disaster risk, pollution risk, transportation risk, and pandemic risk.

Political risks involve the effects that political decisions, events, or conditions can have when they affect the profitability of a business or its ability to operate freely. Examples include regulations and legislation risk, public policy risk, and instability risk.

Social risks involve dynamics where an issue affects stakeholders who can form negative perceptions that can cause damage to the organization. Examples of social risks include demographics risk, privacy risk, CSR requirements, and mobility.

Risk assessment requires management to consider the impact of possible changes in the external environment and within their own business model that could make internal control ineffective. This includes clearly articulating objectives relating to operations, reporting, and compliance so that any risks to those objectives can be identified and assessed.

Effectiveness relates to the achievement of objectives and the degree to which these are achieved.

Identifying business goals is essential for internal auditors, and involves obtaining these from process owners during the planning phase.

The IIA Standards state that internal auditors must consider the objectives of the activity being reviewed, the means by which the activity controls its performance, and the significant risks to the activity, its objectives, resources, and operations. If goals have been defined but are inadequate, internal auditors should engage management to develop improvements.

The SMARTER model is a useful tool for internal auditors in developing organizational and personal goals.

It helps to remember the elements of well-developed goals, which are specific, measurable, achievable, relevant, time-bound, and evaluated. Specific goals make it easier for managers and employees to focus their energy, resources, and priorities on accomplishing them. Measurable goals are easier to link to performance monitoring and rewards mechanisms, as they help to measure the degree of success in accomplishing the related goal.

Achievable goals are more motivating and aligned with the mission and strategy of the organization, the process, and the individual. They build confidence and serve to motivate those involved to pursue something great. Goals should have milestones and checkpoints that allow the person responsible for their completion to witness progress.

Relevant goals should be aligned with the organization's mission and strategy, and should be relevant to the employee's career or job description.

Time-bound goals require commitment from both the individual and the person overseeing the goal.
Goals should precipitate a plan to accomplish the goal, creating a sense of urgency and time pressure. The combination of goals, plans, and deadlines brings out the talents in people and can be leveraged among all involved.

Goals must be evaluated to determine if they meet the SMARTER elements and if they meet ethical and ecological considerations. Unethical actions justified by the manager or others are commonplace in some locales, and ignoring the environmental impact of business actions is also unfortunate and increasingly draws disapproval from stakeholders. By using the SMARTER model, internal auditors can help managers perceive the value of their work and improve overall performance.

Goals should be challenging, difficult, achievable, and meaningful to ensure the success of an organization. They should be measurable, visible, and impactful. Rewards should be commensurate with the effort put into the task and the outcome achieved. Managers should also reward the successful completion of tasks and the effort put into them, showing how the work satisfies the needs of organizational stakeholders.

Millennials are idealistic and want to understand the big picture, so managers should reward the successful completion of tasks and the effort put into them. Internal auditors should link audit tests to business objectives, linking everything they do to a risk, which in turn is linked to a business objective. This helps mitigate the potential likelihood and impact of these risks.

Internal auditors should examine the functioning of programs and processes to ensure that the design and performance of these activities are as expected, and make recommendations for improvement. Anomalies detected during audit testing should be presented in that context, as they allow risks to materialize, which jeopardizes the successful accomplishment of a particular objective.

The topic of fraud and corruption has gained attention over the past few years, with alarming statistics about fraud. The IIA's Standards include specific reference to fraud, emphasizing the importance of internal auditors having sufficient knowledge to evaluate the risk of fraud and how it can be committed. Areas of focus related to fraud include material omission or misstatement of reporting, inadequate safeguarding of assets, and corruption.

Assessing risk on a formal and informal basis is essential for organizational success, and internal auditors can help raise awareness by highlighting some exposures.

Risk assessments should consider change, as it can either undermine or enable objectives. External factors like demographic shifts, technological advances, and low interest rates can help achieve business objectives. The Millennial generation, who are comfortable with technology and adapt to change, can be a valuable asset. Technological advances like cloud computing and broadband enable remote work, reducing costs and generating revenues.

Control Activities

Controls are actions established through policies and procedures to mitigate the likelihood and/or impact of risks. They are performed at all levels of an organization, at various stages within processes, and over the technological infrastructure. Controls can be manual, performed by individuals using tangible items, or automated, performed by computer and electronic systems without direct human interaction. Some controls are a combination of manual and automated, requiring both a system component and human follow-through.

The rate of dependence on IT has increased substantially over the past few decades, and most activities involve the use of computers to some degree. Organizations often struggle with a lack of consistency in the performance of control activities because the implementation process does not align with performance evaluation measures, supervision, training, disciplinary actions, and rewards.

Control activities can be categorized as preventive, detective, directive, and compensating.
Preventive controls act before errors or omissions can occur and reduce the likelihood and/or impact of the event.

Detective controls identify errors or anomalies after they have occurred and signal the need for corrective action.

Directive controls are temporary controls implemented to redirect employee actions when an undesirable action has occurred; they are sometimes referred to as corrective controls.

Compensating controls are put in place when a control is not where proper design would stipulate it should be.

Internal auditors are generally tasked with verifying that processes, programs, and their related controls have been designed appropriately and that those controls are operating as intended. Nonperforming controls can be due to inadequate knowledge, sabotage, emotional and physical reasons, or poor management practices. Ensuring that controls are designed effectively and implemented effectively is crucial for maintaining organizational effectiveness.

Information and Communication

The fourth component of the COSO IC-IF model focuses on the flow of information within an organization. It involves clear, consistent, timely, and purposeful directions from the top, feedback from employees, and lateral flows of information between individuals and units. Communication is crucial for effective functioning, decision-making, problem-solving, and change-management processes. It provides workers with important information about their jobs, the organization, and each other, improving motivation, building trust, and engendering engagement. Internal communication occurs on multiple levels, including interpersonal, group-level, and organizational-level. Information is necessary for internal control activities, such as reconciliations and inventory counts. Communication should be continuous, iterative, and share necessary information to maximize its utility. Internal and external communications can follow various patterns, and organizations should support management efforts to increase the production, analysis, dissemination, and use of information for better decision-making and organizational effectiveness. The free flow of information is essential for understanding new or changed events in the operating environment and preventing management from operating in a vacuum.

Organizations face increasing risks and modifications to their internal control systems due to changing business dynamics. Outsourced service providers, financial institutions, and intermediaries provide diverse and complex information sources, which can disrupt operations and reduce revenues. Social media has become an essential part of organizations' communications infrastructure, connecting employees, customers, vendors, supporters, and detractors. As data flows expand beyond pairs and involve intermediaries, organizations must ensure the compatibility, quality, speed, and reliability of all information.

Outsourcing can create operational risks, strategic risks, and composite risks. Outsourcing organizations must manage these risks and ensure clients are protected and financial statements are correct. To ensure acceptable risk levels, organizations can have their own internal or external auditor review the service provider, or the provider can supply reports to clients. Organizations also have numerous third-party intermediaries that play a crucial role in their business operations and interactions with governments. Companies must conduct due diligence and investigate their third parties before contracting them, understanding their roles, responsibilities, and potential risks.

The hiring organization must manage third-party monitoring and use technology to assist in this process. Service providers can provide standardized audit reports for customers to use in risk assessment. The Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, replaced SAS 70 in 2010. There are three types of SOC reports:
SOC 1 (Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting), SOC 2 (Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy), and SOC 3 (Trust Services Report for Service Organizations).

Monitoring Activities

Monitoring activities are ongoing evaluations used to assess the functioning of internal control components. These evaluations can be cyclical or ongoing, depending on the risk assessment and previous evaluations. The criteria used during these reviews are based on internal requirements and external criteria. Monitoring should be viewed holistically, considering other components such as the control environment, risk assessment, and information and communication. Employee surveys can help assess the state of ethics, risk assessment, and information and communication. Monitoring helps management understand how all components of internal control are being applied and enhances organizational effectiveness.

IT plays a crucial role in organizational success, and organizations should consider IT as a business service partner rather than just a back-end support unit. The Information Systems Audit and Control Association (ISACA) has addressed the gap in IT considerations through the COBIT framework, which includes strategic direction, project management, purchases, and training end users. The COBIT framework addresses more than technical subjects and includes critical managerial and accounting/financial activities.

ISO, an independent nongovernmental organization, provides world-class specifications for products, services, and systems to ensure quality, safety, and efficiency. It has published over 19,000 international standards and related documents, covering various industries. ISO 9000 and ISO 31000 are popular standards for quality management and risk management, providing guidance and tools for organizations to ensure consistent meeting of customer requirements and continuous improvement.

ISO also facilitates communication and the setting of expectations between organizations, complementing COSO's components and helping internal auditors supplement their audit programs. By understanding and implementing these standards, organizations can ensure their IT operations align with their business needs and achieve long-term success.

ITIL is a comprehensive framework for IT service management that focuses on organizational structure, skill requirements, and standard management procedures. It provides templates, checklists, and downloads for quick implementation and helps organizations achieve predictable service levels. ITIL v3 was published in 2007 and updated in 2011. It addresses service strategy, design, transition, operation, event and incident management, request fulfillment, and continual service improvement. Successful companies that have implemented ITIL include Procter & Gamble, Caterpillar, Nationwide Insurance, and Capital One. Key goals include streamlining service delivery, developing repeatable procedures, reducing service incidents, implementing standards, ensuring future capacity, defining clear service targets, and accurately allocating costs.

The CMMI is a process improvement appraisal program developed by Carnegie Mellon University, used in various areas such as project management, software development, and performance improvement. It has five maturity levels: Initial, Repeatable, Defined, Managed, and Optimized. Internal control frameworks, such as COSO and COBIT, are used for planning, analysis, decision-making, and monitoring. Planning is a crucial aspect of classical management, involving formulating detailed plans to achieve the optimum balance between needs and resources. COSO and COBIT frameworks provide guidance and a roadmap for organizations to structure and run effectively. Managers should be taught about these frameworks and have their performance measured based on the quality of internal controls in their areas of
responsibility. This would reinforce the importance FISH BONE
of internal controls and reduce compensation for
non-performance. The fishbone diagram, also known as the cause and
effect diagram or Ishikawa diagram, is a useful tool
for internal auditors to identify the root causes of
problems. This method, which is binary in nature,
CHAPTER 6 helps auditors treat issues from a binary perspective,
focusing on what should have been done, verifying
Histograms
consistency, reporting no findings, and
are charts that display the frequency distribution of recommending future practices. However, when
numerical data using rectangles representing dealing with operational issues, the answer may not
intervals. They represent the probability distribution of a continuous variable and are used to assess the distribution of data. Histograms provide a fluid view of transactions, helping auditors understand the dynamics affecting the process under review. They can be used to plot sales revenues, vehicles serviced, and more, providing a more comprehensive understanding of the data.

Control Chart

Process owners are responsible for setting the structure of their processes and programs, establishing goals, identifying risks, and designing controls to mitigate them. Monitoring these controls provides valuable information about their strengths and weaknesses, and helps management identify anomalies that require intervention. Control charts are a tool used to document this monitoring, plotting and studying how a process changes over time. They are one of the seven basic tools of quality and are often underused by internal auditors. Control charts help auditors determine whether a process is stable and under control, predict future performance, and identify the source of problems. By setting upper and lower control limits and observing patterns, internal auditors can increase the sophistication of their data analytics and support their findings with measurable data.

The Pareto principle, also known as the 80/20 rule, suggests that 80% of an effect is caused by 20% of the causes. Pareto diagrams organize data and prioritize improvement efforts by focusing on the major root causes. They organize data by constructing bars and ranking items in order of importance.

be straightforward. Many operational issues are caused by a combination of people, process, and technology issues, so auditors should attempt to identify the root causes of these conditions. The six categories used are people, methods, machines, materials, measurements, and environment. The diagram can be categorized based on the type of organization or environment being analyzed. When preparing the fishbone diagram, it becomes clearer why the problem exists and how a number of root causes affect multiple categories. The top two or three items that have the biggest influence on the effect are identified, similar to the 80/20 rule. The fishbone diagram is a useful tool for identifying root causes and exploring solutions to problems. It aids in problem-solving and can be used in conjunction with the CCCER model for documenting internal audit findings.

Internal auditors often face pushback from clients when recommending corrective actions, which can be due to insufficient testing or communication. Force field analysis can help prevent this by identifying the forces for and against a course of action, evaluating the pros and cons of a decision, and understanding the client's concerns. This tool can help resolve conflicts of opinion, compare pros and cons, and evaluate the strengths and weaknesses of an idea, product, or project. To use force field analysis, write a T at the top of a piece of paper.

A force field analysis is a tool used to analyze the influence of change on an organization. It involves writing the driving forces that support the change initiative, such as lower costs, faster speed, and increased customer satisfaction, and the restraining forces that prevent it. Factors such as implementation costs, complexity, and conflicting priorities can be scored based on their influence. The strategy employed can either strengthen the supporting forces or manage the opposing forces.
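As an added example that is not part of the original notes, the control-chart limits and the Pareto ranking described above worked through in Python: three-sigma limits over a constructed series of daily error counts, and a cumulative ranking of a constructed tally of error causes. The data values, the three-sigma default and the 80% cut-off are assumptions chosen for illustration.

```python
"""Control-chart limits and Pareto ranking over constructed audit data.

Added example, not from the original notes. Both data sets below are
constructed for illustration.
"""
from statistics import mean, stdev

# Constructed: errors found per day in a transaction-processing queue.
# Day 14 (index 13) is deliberately abnormal.
DAILY_ERRORS = [4, 5, 3, 6, 4, 5, 4, 3, 5, 4, 6, 5, 4, 14, 5, 4, 3, 5, 4, 6]

# Constructed: check-sheet tally of error causes over the same period.
ERROR_CAUSES = {
    "missing approval": 41,
    "wrong account code": 27,
    "duplicate entry": 12,
    "late posting": 9,
    "price mismatch": 6,
    "other": 5,
}


def control_limits(values, sigma=3.0):
    """Return (lcl, centre, ucl) for an individuals chart.

    The centre line is the mean; the limits sit `sigma` standard
    deviations either side of it. The lower limit is floored at zero
    because counts cannot be negative.
    """
    centre = mean(values)
    spread = stdev(values)
    return (max(0.0, centre - sigma * spread), centre, centre + sigma * spread)


def out_of_control(values, sigma=3.0, baseline=None):
    """Indices of points outside the control limits.

    Limits come from `baseline` when given (a period already known to be
    stable), otherwise from `values` themselves; in the latter case an
    outlier widens the limits and can mask smaller shifts.
    """
    lcl, _, ucl = control_limits(baseline if baseline else values, sigma)
    return [i for i, v in enumerate(values) if v < lcl or v > ucl]


def pareto(counts, cutoff=0.8):
    """Rank causes by frequency and keep the vital few.

    Returns (cause, count, cumulative_share) rows in descending order,
    stopping at the first row whose cumulative share reaches `cutoff`.
    """
    total = sum(counts.values())
    rows, running = [], 0
    for cause, n in sorted(counts.items(), key=lambda kv: kv[1], reverse=True):
        running += n
        rows.append((cause, n, running / total))
        if running / total >= cutoff:
            break
    return rows


if __name__ == "__main__":
    lcl, centre, ucl = control_limits(DAILY_ERRORS)
    print(f"centre={centre:.2f} LCL={lcl:.2f} UCL={ucl:.2f}")
    print("out of control on days:", [i + 1 for i in out_of_control(DAILY_ERRORS)])
    for cause, n, share in pareto(ERROR_CAUSES):
        print(f"{cause:<20} {n:>3} cumulative {share:.0%}")
```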
Force Field Analysis is a useful tool for auditors to understand client priorities, challenges, and concerns. It helps prepare arguments to address objections, demonstrating understanding and removing objections. This tool can be used as a visual aid during presentations, promoting engagement and addressing misunderstandings.

Flowcharts are a useful tool for auditors to understand and analyze processes. They represent workflows in visual form, allowing auditors to identify defects such as bottlenecks, rework, delays, and underutilized personnel. Flowcharts, also known as process flow diagrams, process maps, process models, and workflow diagrams, provide a visual representation of the activities performed, while process flow diagrams include details like time, data, and information flows.

Flowcharts are diagrams that represent the movement of documents from left to right, with symbols such as rectangular boxes, diamonds, arrows, and ellipses. They are typically horizontal but can also be drawn top-down. Cross-functional flowcharts show the steps and the actors performing the activities, allowing auditors to identify responsibility and decision-making. Flowcharts can be complemented by process narratives for more detailed information. They can help identify efficiencies, handoffs, and control points, making these easier to identify and understand.

Microsoft Visio, SmartDraw, Flowcharter, Edraw, and RF Flow are popular flowchart software packages. They offer user-friendly features like automatic connection points, drag and drop, snap-to tools, and grid lines. Flowcharting software also allows for customization, such as text font, size, and color. While auditors may initially find it time-consuming, over time the process becomes faster and more accurate.

The As Is diagram is a tool used by auditors to document the current state of a process, including time, bottlenecks, production volume, and delays. It helps identify operational risks, such as time to execution, bottlenecks, and production volumes, which can impact customer satisfaction and lead to employee frustration. It also helps auditors understand the context of the program or process, identify higher-risk areas, and ensure transactions are completed promptly. This helps in identifying potential issues and addressing them effectively.

The As Is map is a useful tool for understanding and assessing the performance of a process. It helps identify anomalies and corrective measures, allowing internal auditors and management to compare before and after results. To draw an effective As Is map, determine the boundaries of the process, identify steps through consensus, walk the process chronologically, use appropriate symbols, test for completeness, look for problem areas as a team, and show details.

To draw an effective As Is map, determine the scope of the review, engage employees in the audited unit, draw using appropriate symbols, test for completeness, look for problem areas as a team, show details, and include inputs, outputs, suppliers, metrics, and time. By doing so, auditors can better understand the dynamics of the process and identify areas for improvement. By incorporating these steps, auditors can help organizations improve their processes and reduce costs.

An As Is map is crucial for auditors to understand the current process and identify the desired output or outcome. They should brainstorm the ideal process and create a flowchart showing the To-Be diagram. Automation can provide time and labor savings, while simplifying tasks can improve efficiency. The
diagram should also consider who is involved and why they are involved. Performance standards help shape priorities and measure the success of the process. Outputs are measured in terms of volume, while outcomes are measured in the short, medium, and long term. Organizations should focus more on outcomes in the twenty-first century, focusing on customer satisfaction, retention, and image. This approach helps organizations improve their processes and overall business performance.

When reviewing processes, it is essential to identify areas for improvement. Backlogs, which are uncompleted work, can pose challenges when meeting deadlines or ensuring customer satisfaction. Cycle time, the total time from the start to the end of a process, is a general expectation. It includes the process time specific to each activity and the waiting time between boxes. To capture process cycle times, auditors can use stop watches, systems data, and samples.

Stop watches document the time it takes to process the various steps in a flowchart, while systems data capture the user ID, date, and time every time a user accesses a transaction record. Samples allow auditors to test financial and compliance controls, checking for accuracy, completeness, authorization, and business-relatedness. By expanding data capture during the review, auditors can also test for speed of execution, which can impact customer satisfaction and future sales. By working with a random sample, auditors can gain valuable insights into the cycle time and other areas for improvement.

Takt time is the rate at which a production operation produces output, derived from the German word "Taktzeit," meaning "rhythm." It is the average amount of time or pace of activities, and it is the rhythm or heartbeat of the operation. Without takt time, there would be inventory between some work stations and possibly shortages of material between others. This metric can be used to determine the pace needed to keep a process flowing, preventing bottlenecks and setting performance expectations.

Internal auditors can calculate the average demand on the process and use this formula to calculate the required takt time. They can then observe and time the pace and amount of time spent performing duties, and calculate the actual takt time to determine the aggregate pace of work. This helps document the expected and actual cycle times and determine whether the process and its performance are conducive to its success.

Lead time refers to the time from the initiation to the completion of a process. Mismanaging lead times can result in stock-out situations, resulting in excess costs and extra inventory management. To gauge process performance, management should have metrics in place, such as productivity measures, on-time delivery record, uptime, or turnaround time.

To improve the process, organizations should explore opportunities to streamline operations, reduce or simplify activities, reduce or eliminate delays, optimize transportation, and ensure proper inspections and decisions.

Waste reduction is crucial for increasing profitability and utilizing limited resources. Toyota's chief engineer, Taiichi Ohno, identified seven wastes: transportation, inventory, motion, waiting, overprocessing, overproduction, and defects.

Under the Lean concept, there are eight wastes, including underutilized employees. Transporting people, products, and information is often essential but does not add value, and it can lead to damage, delays, or loss. Minimizing transport costs and ensuring product delivery to end users is essential.

Transporting is essential in many processes but poses risks of damage, delay, or loss. It does not add value to the product and incurs costs such as fuel, packing, unpacking, and handling. Minimizing transport is crucial to ensure the product is delivered quickly and efficiently.
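An added example, not from the original notes, of how the takt time, cycle time and bottleneck checks described above can be worked through in Python. It assumes the standard Lean definition of takt time (available working time divided by customer demand), which the notes refer to without stating, and all timings are constructed stop-watch observations.

```python
"""Takt time versus observed cycle times over constructed observations.

Added example, not from the original notes. Uses the standard Lean
definition takt = available working time / customer demand (assumed;
the notes refer to the formula without stating it).
"""
from statistics import mean

# Constructed: stop-watch readings (minutes) for each step of a
# claims-processing flowchart, in process order, and the measured
# waiting time before each step begins.
STEP_TIMES = {
    "receive claim": [2.0, 2.5, 2.1],
    "verify coverage": [6.0, 7.5, 6.5],
    "approve payment": [4.0, 4.5, 3.5],
    "issue payment": [3.0, 2.5, 3.5],
}
WAIT_BEFORE = {
    "receive claim": 0.0,
    "verify coverage": 10.0,
    "approve payment": 25.0,
    "issue payment": 5.0,
}


def takt_time(available_minutes, demand_units):
    """Required pace: minutes available per unit of customer demand."""
    if demand_units <= 0:
        raise ValueError("demand must be positive")
    return available_minutes / demand_units


def step_cycle_times(step_times):
    """Average observed process time per step, keeping process order."""
    return {step: mean(obs) for step, obs in step_times.items()}


def bottlenecks(step_times, takt):
    """Steps slower than takt: they cannot keep up with demand."""
    return [s for s, t in step_cycle_times(step_times).items() if t > takt]


def actual_takt(step_times):
    """Observed pace of the whole process: the slowest step sets it."""
    return max(step_cycle_times(step_times).values())


def process_cycle_time(step_times, wait_before):
    """Cycle time = process time of every step + waiting between steps."""
    cycles = step_cycle_times(step_times)
    return sum(cycles.values()) + sum(wait_before[s] for s in cycles)


def waiting_share(step_times, wait_before):
    """Fraction of the cycle time spent waiting (non-value-adding)."""
    total = process_cycle_time(step_times, wait_before)
    return sum(wait_before.values()) / total


if __name__ == "__main__":
    # Constructed: a 7-hour shift (420 minutes) and 70 claims of daily demand.
    takt = takt_time(420, 70)
    print(f"required takt {takt:.2f} min, actual {actual_takt(STEP_TIMES):.2f} min")
    print("bottlenecks:", bottlenecks(STEP_TIMES, takt))
    print(f"cycle time {process_cycle_time(STEP_TIMES, WAIT_BEFORE):.1f} min, "
          f"{waiting_share(STEP_TIMES, WAIT_BEFORE):.0%} of it waiting")
```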
Unnecessary inventory is storing parts, pieces, and documentation ahead of requirements; the goal is zero inventory. This adds cost to production activities and does not benefit the customer.

Excess motion, which involves the unnecessary movement of people, parts, or machines within a process, can cause damage or extra costs to the unit or person that creates the product or delivers the service over time.

Waiting is a significant part of an item's life, as products and services often wait for parts, information, instructions, and equipment. Overprocessing occurs when more work is done on an item than what is required by the customer, including using components that are more precise, complex, higher quality, or expensive than required.

Defects in manufacturing and service environments are often difficult to define, as they may involve late service delivery, incorrect information, or incorrect reports and statements. By minimizing transport, minimizing excess motion, and addressing defects, organizations can ensure the smooth and efficient delivery of their products to end users.

In summary, waste reduction is essential for organizations to increase profitability and better utilize their limited resources. By identifying and addressing these wastes, organizations can improve their overall performance and competitiveness.

Organizations should capitalize on underutilized employees' skills, including creativity, to enhance performance and customer satisfaction. This includes making use of their capabilities, avoiding delegating tasks without adequate training, and not promoting individuals for reasons other than merit, ultimately reducing waste and improving overall performance.

Affinity diagrams, also known as affinity charts or the Jiro Kawakita (KJ) method, are useful tools for auditors to organize ideas and large amounts of data. They help gather large amounts of data, organize it into groupings or themes, build consensus, and address complex issues.

Affinity diagrams require sticky notes or cards and a large work surface. The first step is to place each idea on a separate sticky note or card, with at least 20 items or issues. Then all the notes are placed randomly on the large work surface.

The process should be done silently, with each team member looking for ideas that appear related and placing them side by side. The process is repeated until all notes are grouped; then someone else takes a turn performing the same procedure. After everyone has had a turn, team members can discuss the rationale for clustering several items together.

Affinity diagrams also improve report writing by arranging items so the findings flow logically. Two common challenges auditors face are reporting on the root cause of problems and reducing the length of the audit report. By consolidating findings, the report becomes shorter and more focused, making the case for corrective action more effective.

Internal auditors must remember that as the profession matures, clients seek more than just reports stating "the organization lacks KPIs." Audit reports should describe a problem, include pragmatic recommendations, and describe a collaborative effort to cooperate with management.

A check sheet is a structured document used by internal auditors to collect and analyze data in real time. It can be qualitative or quantitative and is sometimes referred to as a tally sheet. Check sheets provide a consistent method for capturing information about the transactions examined. They are often used to document the frequency or pattern of problems, defects, defect causes, or events. However, the challenge lies in how check sheets are designed. Most auditors focus on documenting issues, but their construction often only shows the problem where it is present. To construct a check sheet, auditors should identify operational
definitions, decide on the event or problem to be observed, decide when data will be collected, design the form for easy data recording, label all rows and columns, select the transactions or events to be reviewed, and record every event or problem. This approach provides valuable insights into the source of errors and facilitates further investigation.

Scatter diagrams are visual tools used to analyze pairs of numerical data and show the relationship between two variables. They are often used to examine metrics like error rates, accident rates, delays, or merchandise returns to determine whether they are increasing or decreasing. Correlation analysis is crucial when determining potential root causes of problems, such as when brainstorming causes and effects using a fishbone diagram.

Correlation analysis can help both auditors and managers estimate future values for the relationship between two variables. For example, if an organization has a goal to grow by 25% and expects transaction volumes to increase proportionately, it may be better prepared to handle that volume increase and maintain low error rates. However, if the processing volume increases, it could lead to catastrophic consequences for the organization.

Auditors should think creatively about using scatter diagrams to discover root causes and support their findings with information about the relationship between multiple variables. This can enable them to provide management with useful forward-looking assistance when making decisions.

In summary, scatter diagrams are a valuable tool for auditors to analyze pairs of numerical data and identify potential root causes of problems. However, it is important to note that correlation is different from causation and that auditors should consider the scalability of the process when making decisions.

5S is a workplace method that uses five Japanese words: seiri, seiton, seiso, seiketsu, and shitsuke. Seiton refers to a systematic arrangement of necessary items, preventing the loss of items and reducing the likelihood of workplace accidents. Seiri, translated as sort, encourages workers to remove unnecessary items and dispose of them appropriately. Seiso, translated as shine, sweep, sanitize, or scrub, emphasizes cleaning the workplace completely. This helps prevent machinery and equipment from deteriorating, keeping the workplace clean and safe. Seiso can be achieved through dusting, scrubbing, vacuuming, and washing the workplace and surrounding areas. By embracing these practices, the workplace becomes more efficient and effective.

Seiketsu is the practice of standardizing workplace design and operating practices to maintain high standards and efficiency. It involves clear, communicated, and enforced standards for the design, storage, and operation of the workplace. Erratic processes can lead to confusion, increased training difficulties, and mistakes. Shitsuke, meaning "sustain," suggests that organizations should strive to create a culture of compliance. This requires management involvement, investment, and well-thought-out training. Regular audits and reviews verify compliance with the set standards.

The benefits of applying 5S include eliminating hidden inventory, freeing up floor space, improving material flow, reducing transportation time, and eliminating unnecessary items for reuse. The RACI diagram, also known as a responsibility assignment matrix or linear responsibility chart, is a useful tool to address the lack of clarity around tasks, roles, and responsibilities in organizations. It identifies the responsible, accountable, consulted, and informed roles in cross-functional projects and processes.
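Returning to the scatter diagram and correlation passage above, an added example (not from the original notes) that computes the correlation between transaction volume and error count, fits a straight line and projects the error rate at the 25% growth the notes mention. The monthly figures are constructed, the fit is the usual least-squares line, and a high correlation still says nothing about causation.

```python
"""Correlation and a forward projection for a scatter-diagram pair.

Added example, not from the original notes. Monthly volumes and error
counts are constructed; the fit is ordinary least squares.
"""
from math import sqrt

# Constructed: monthly transaction volume and errors found on review.
VOLUME = [1000, 1200, 1400, 1600, 1800, 2000]
ERRORS = [10, 13, 17, 22, 28, 35]


def _sums(xs, ys):
    """Means and centred sums of squares / cross-products."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need at least two paired observations")
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return mx, my, sxx, syy, sxy


def pearson(xs, ys):
    """Pearson correlation coefficient r in [-1, 1]."""
    _, _, sxx, syy, sxy = _sums(xs, ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant series has no correlation")
    return sxy / sqrt(sxx * syy)


def linear_fit(xs, ys):
    """Least-squares line y = slope * x + intercept."""
    mx, my, sxx, _, sxy = _sums(xs, ys)
    slope = sxy / sxx
    return slope, my - slope * mx


def project_error_rate(volumes, errors, growth):
    """Project errors at the latest volume grown by `growth` (0.25 = +25%).

    Returns (projected_volume, projected_errors, current_rate, projected_rate).
    A projected rate above the current one means errors grow faster than
    volume, i.e. the process does not scale cleanly.
    """
    slope, intercept = linear_fit(volumes, errors)
    new_volume = volumes[-1] * (1 + growth)
    new_errors = slope * new_volume + intercept
    return (new_volume, new_errors, errors[-1] / volumes[-1], new_errors / new_volume)


if __name__ == "__main__":
    print(f"r = {pearson(VOLUME, ERRORS):.3f}")
    vol, err, cur, proj = project_error_rate(VOLUME, ERRORS, 0.25)
    print(f"at {vol:.0f} transactions expect {err:.1f} errors; "
          f"error rate {cur:.2%} -> {proj:.2%}")
```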
In summary, Seiketsu, Shitsuke, and RACI are all essential practices in organizations to ensure efficient and effective work processes. By implementing these practices, organizations can improve their overall performance and reduce the risk of errors and misunderstandings.

In conclusion, the RACI diagram is a valuable tool in ensuring clear roles and responsibilities in cross-functional or departmental projects. By identifying and assigning roles to each party, organizations can improve their overall performance and success.

A communications plan is a crucial tool for effective communication within and outside a team. It identifies the key elements needed to ensure the intended message is received, understood, and acted upon by the stakeholders. The plan should answer six simple questions: what, when, where, who, how, and why.

The Suppliers, Inputs, Process, Outputs, and Customers (SIPOC) diagram is a useful tool for auditors to gain a comprehensive understanding of a program or process. It helps identify all relevant elements of a process, including suppliers, inputs, process, outputs, and customers. The SIPOC map is particularly useful in defining the scope of the review, as it provides a high-level overview of the program or process. It also aids in stakeholder analysis, identifying key participants, and defining risk exposures, size of operation, audit coverage, and customer requirements. Further analysis of each component can provide valuable assessment information, such as the location of suppliers, supply chain length, foreign currency conversion risk, and political risk. Inputs and outputs can be materials, services, or information, and understanding these can help define roles during integrated audits. It is crucial for internal auditors to identify the relevant stakeholders during a review, as some stakeholders share benefits while others bear risks. The SIPOC map is a valuable tool for addressing these issues and making informed decisions.

Poka Yoke, a Japanese term meaning "mistake-proofing," is a mechanism in a process that helps operators avoid mistakes. It aims to eliminate defects in products by preventing, or drawing attention to, the human errors that can occur. Examples of Poka Yoke include power plugs, garage door sensors, microwave motors, automobiles, plumbing, and automatic faucets.

Poka Yoke can be a valuable tool for internal auditors who examine program and process design and make recommendations for improvement. The best Poka Yoke solutions are simple, cost-effective, mandatory, and intuitive, avoiding operator decision-making. Common ways of mistake-proofing processes include orientation, sequence, weights, location/size/count, and system checks.

Benchmarking is a statistical process that compares performance metrics to determine whether an item is performing at an acceptable level. It helps internal auditors identify areas of excellence within an organization and provides objective information on how well or poorly a process compares to others. Typical metrics used in benchmarking include time, quality, and cost. It is often best to benchmark continuously, linked to continuous quality improvement initiatives, ERP, and audit planning.

Benchmarking is not only about gathering results and trying to match or outdo them but also about studying the practices in the processes of others recognized as leading organizations. The goal should always be to provide the level of customer satisfaction, quality, and efficiency that the organization wants. However, two common issues associated with benchmarking are that the information is often proprietary and that it is sometimes not comparable due to differences in size, maturity, or markets.

Trend analysis can also be used to identify centers of excellence within an organization. Examining multiple years of a metric may provide different perspectives or even make the metric appear satisfactory, so the auditor may need to discuss this condition with management. By performing benchmarking analyses within the organization, the information should be more readily available and serve as a great way to identify centers of excellence within the organization.