UNCW MSA 516 - Using COSO Model for IT Audit Part 2
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2008
Copyright © 2008 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

The COSO Model: How IT Auditors Can Use It to Measure the Effectiveness of Internal Controls (Part 2)

In volume 6, 2007, of the Information Systems Control Journal, the IT Audit Basics column began a two-part article on how to apply the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model of internal controls to financial audits by information technology (IT) auditors. The first part of the article covered the five elements of the COSO model. This part will focus on how to apply the COSO model in evaluating internal controls to fulfill responsibilities in the new Risk Suite auditing standards from the American Institute of Certified Public Accountants (AICPA).

How to Evaluate the Level of Risk

Before applying the COSO model to the evaluation of internal controls, it is beneficial to review the two-step process that auditors use in risk assessment. IT audits consist of audit procedures directed at questions or objectives developed in relationship to the goal—financial reports. The end result, in the case of the Risk Suite standards, is an overall evaluation of the controls and their effectiveness in mitigating the risk of a material misstatement in financial reports.

The first step is to develop procedures that provide information and/or evidence to assist the auditor in identifying or clarifying areas of risk. The procedures in this phase provide evidence to the IT auditor as to the presence of risks in certain areas of interest, e.g., the control environment (COSO), the entity and its environment (Statement on Auditing Standards [SAS] No. 109) or a business process (most likely to be associated with the control activities element of the COSO model).

Once an area of nontrivial risk has been identified, the level of risk must be assessed, i.e., how much risk exists in this area. This is the second step. For simplicity’s sake, if one supposes that the IT auditor uses high, medium and low levels as measures of risk, what factors exist to determine the level of risk that exists in the circumstances related to the area of interest, either as more or less risk, or a high-medium-low level of risk? What would cause the IT auditor to evaluate the controls as effective in reducing the risk in the area of interest to an acceptable level? The more problems that exist with internal, missing or weak controls, the more likely it is that the IT auditor will assess a higher level of risk. And, the more an entity effectively applies relevant best practices, the more likely it is that the IT auditor will assess a lower level of risk.

Often an audit procedure can be helpful in performing the first step of identification but is not necessarily beneficial in performing the second—assessing the level of risk that actually exists. In such cases, the auditor must develop other procedures to provide evidence of the level of risk (an illustration follows in the next section).

How to Apply the COSO Model to IT Audit Procedures

The COSO model provides some areas of interest (or objectives) that will likely be relevant to an IT audit of internal controls. These areas are divided into five topics (elements of COSO) with potential subtopics under each element.[1] For example, a topic of interest for internal controls in general is the control environment (COSO). A subtopic under that element is “communication and enforcement of integrity and ethical values.” While not all aspects of each of the five elements will be illustrated here, a couple of specific illustrations follow.

One area of the COSO model that is directly applicable to the Risk Suite standards is the control environment.[2] The Risk Suite refers to the “entity and its environment, including internal controls”[3] as the object of the risk assessment procedures that precede the development of the audit plan in a financial audit. These two are virtually the same thing.

The overall objective of this evaluation is to determine if a specific control environment has the ability to establish and maintain an effective system of internal controls over financial reporting. The objective of the risk assessment procedures is to identify risks associated with the controls related to the development, management, monitoring and reporting of both those controls and the financial reporting information. Reporting about the information used in strategic activities should be made to the highest level of the entity.

The first subtopic listed under the control environment of the COSO model is “communication and enforcement of integrity and ethical values.” The IT auditor must determine if the entity being audited has a risk in this subtopic area. To make that determination, the IT auditor must develop audit procedures to provide information and/or evidence. The particular audit procedures are contingent upon circumstances and information specific to each entity.

An example of an audit procedure for this subtopic would be to obtain a copy of the written code of ethics, if one exists. If none exists, the auditor could assume this area should be evaluated as having more risk. Regardless of whether a written code of ethics exists, the IT auditor should develop other audit procedures to satisfy his/her identification of risk in this area. These procedures could include determining:

• If ethics are covered in employee training or orientation
• If documentation of ethics violations exists
• If the ethics policy was enforced when violations did occur
• If a person or group is responsible for ethics enforcement (and his/her/their effectiveness)

One way to determine the effectiveness of ethics in an entity is to socially capture the attention of an average employee and casually ask him/her if a certain situation would be an ethical violation for the entity, or ask him/her what he/she would do if he/she discovered an ethical violation (i.e., confirm effectiveness of communication in this area).

This scenario also illustrates the two-phase approach to risk and evaluation of internal controls. The presence of a written code of ethics provides some evidence to the IT auditor that the entity has done something to address risks associated with ethics (the first step in identifying and clarifying risks), but provides little value as to how to assess the level of risk. The presence of a written ethics policy may have little