
  • 8/12/2019 Implementing Process Assessment Model of Internal Financia


    Implementing Process Assessment Model of Internal Financial Control

    By János Ivanyos, Memolux Ltd. (H), IIA Hungary

    A new generation of general models referring to either IT or Internal Control, like COBIT [4] and COSO [3], has been extended with a business perspective, aiming to gain top management's ear. But practice shows that this opening alone is not enough to reach a breakthrough, because the models have become more complicated than can be applied without some difficulty. Very frequently, the best catalyst of improvement programs turns out to be the growing number of mandatory rules coming into force, nowadays mainly from the financial reporting area. The Sarbanes-Oxley Act for US SEC registrants and their affiliates, the Basel II framework and the 8th Directive on Company Law in the EU require strict internal control and an effectiveness conclusion performed by the executive management.

    Compliance and capability issues have come into the view of management, as the huge cost of compliance readiness activities calls attention to the sustainability and the added business value of such efforts. This challenge has been answered by utilizing the ISO/IEC 15504 process assessment standard [1] and its evaluation model concept, applicable for the executive manager, the internal auditor and even the supervisory communities to assess the control effectiveness of financial reporting processes.

    This paper provides an introduction to a Process Assessment Model for use in performing a conformant assessment for Internal Financial Control in accordance with the requirements of ISO/IEC 15504-2 [1].

    An integral part of conducting an assessment is to use a Process Assessment Model (PAM) constructed for that purpose, related to a Process Reference Model (PRM) and conformant with the requirements defined in ISO/IEC 15504-2. ISO/IEC 15504-2 provides a framework for process assessment and sets out the minimum requirements for performing an assessment in order to ensure consistency and repeatability of the ratings.

    The Process Reference Model derived from COSO Small Business Guidance (Internal Control over Financial Reporting Guidance for Small Public Companies) [3] has been used as the basis for the Internal Financial Control Process Assessment Model.

    A Process Assessment Model comprises a set of indicators of process performance and process capability. The indicators are used as a basis for collecting the objective evidence that enables an assessor to assign ratings.

    COSO based Process Assessment Model

    The Process Reference Model derived from COSO Small Business Guidance, associated with the process attributes defined in ISO/IEC 15504-2, provides a common basis for performing assessments of internal financial control process capability, allowing for the reporting of results using a common rating scale.

    The Process Assessment Model defines a two-dimensional model of process capability. In one dimension, the process dimension, the processes are defined and classified into process categories. In the other dimension, the capability dimension, a set of process attributes grouped into capability levels is defined. The process attributes provide the measurable characteristics of process capability.


    Figure 1 shows the relationship between the general structure of the Process Assessment Model, ISO/IEC 15504-2 and the COSO control processes (grouped into the 5 components).

    Figure 1: COSO components as Process Dimension of the Process Assessment Model

    The Process Assessment Model expands upon the Process Reference Model by adding the definition and use of assessment indicators. Assessment indicators comprise indicators of process performance and process capability and are defined to support an assessor's judgment of the performance and capability of an implemented process.

    ISO/IEC 15504-2 requires that processes included in a Process Reference Model satisfy the following:

    "The fundamental elements of a Process Reference Model are the set of descriptions of the processes within the scope of the model. These process descriptions shall meet the following requirements:
    a) A process shall be described in terms of its Purpose and Outcomes.
    b) In any description the set of process outcomes shall be necessary and sufficient to achieve the purpose of the process.
    c) Process descriptions shall be such that no aspects of the measurement framework as described in clause 5 of this International Standard beyond level 1 are contained or implied."

    The Process Assessment Model includes processes, which are grouped in five process categories, identical to the control components defined in the COSO models, which are:

    Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring.


    The processes included in the same category contribute to a complementary area. This categorization can also help assessors in defining the assessment scope in terms of process selection.

    The most recent COSO material, called Internal Control over Financial Reporting Guidance for Small Public Companies, is in compliance with the PRM requirements of ISO/IEC 15504-2. Volume II of the Guidance has a structure of Principles and Attributes, which is equivalent to the process identification via Purpose and Outcomes.

    The COSO guidance provides a set of twenty basic Principles representing the fundamental conceptual processes associated with and drawn directly from the five components of the internal control Framework. Supporting each Principle are Attributes, representing characteristics associated with the Principle.

    The guidance says that although each attribute generally is expected to be present within a company, it may be possible to apply a principle without every listed attribute being present. However, from a common internal control assessment perspective we handle the Attributes as process outcomes necessary and sufficient to achieve the purpose of the process, which is described by the relevant Principle. During an assessment the assessor can judge whether a specific Attribute, handled as a necessary and sufficient process outcome in the PRM, is practically assessable within the context of the specific assessment scope (characterized by organization type, size, complexity, etc.).

    Figure 2 presents how the content of the COSO guidance can be used for mapping to the PRM:

    Figure 2: COSO Small Business Guidance as Process Reference Model

    The principles from COSO Small Business Guidance that are included in the process dimension of the sample Internal Financial Control Process Assessment Model are listed below:

    Control Environment (CE)

    1. Integrity and Ethical Values (IEV). Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.

    2. Oversight Board (OB). The board of directors and/or audit committee understands and exercises oversight responsibility related to financial reporting and related internal control.


    3. Management's Philosophy and Operating Style (MPO). Management's philosophy and operating style support achieving effective internal control over financial reporting.

    4. Organizational Structure (OS). The company's organizational structure supports effective internal control over financial reporting.

    5. Financial Reporting Competencies (FRC). The company retains individuals competent in financial reporting and related oversight roles.

    6. Authority and Responsibility (AR). Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

    7. Human Resources (HR). Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

    Risk Assessment (RA)

    1. Financial Reporting Objectives (FRO). Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.

    2. Financial Reporting Risks (FRR). The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.

    3. Fraud Risk (FR). The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

    Control Activities (CA)

    1. Integration with Risk Assessment (IRA). Actions are taken to address risks to the achievement of financial reporting objectives.

    2. Selection and Development of Control Activities (SD). Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting objectives.

    3. Policies and Procedures (PD). Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.

    4. Information Technology (IT). Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

    Information and Communication (IC)

    1. Financial Reporting Information (FRI). Pertinent information is identified, captured, used at all levels of the company, and distributed in a form and timeframe that supports the achievement of financial reporting objectives.

    2. Internal Control Information (ICI). Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.

    3. Internal Communication (IC). Communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization.

    4. External Communication (EC). Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

    Monitoring (MO)

    1. Ongoing and Separate Evaluations (OSE). Ongoing and/or separate evaluations enable management to determine whether internal control over financial reporting is present and functioning.

    2. Reporting Deficiencies (RD). Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.


    For the process dimension, all the processes listed above are included within the process dimension of the proposed Internal Financial Control Process Assessment Model. Each process in the Process Assessment Model is described in terms of a purpose statement. These statements contain the unique functional objectives of the process when performed in a particular environment. A list of specific outcomes is associated with each of the process purpose statements, as a list of expected positive results of the process performance.

    Satisfying the purpose statements of a process represents the first step in building a level 1 process capability where the expected outcomes are observable.

    For the capability dimension, the process capability levels and process attributes are identical to those defined in ISO/IEC 15504-2.

    A capability level is a set of process attribute(s) that work together to provide a major enhancement in the capability to perform a process. Each level provides a major enhancement of capability in the performance of a process. The levels constitute a rational way of progressing through improvement of the capability of any process and are defined in ISO/IEC 15504-2.

    The Process Assessment Model is based on the principle that the capability of a process can be assessed by demonstrating the achievement of process attributes on the basis of evidence related to assessment indicators.

    There are two types of assessment indicators: process capability (generic) indicators, which apply to capability levels 2 to 5, and process performance (specific) indicators, which apply exclusively to capability level 1.

    The process attributes in the capability dimension have a set of process capability indicators that provide an indication of the extent of achievement of the attribute in the instantiated process. These indicators concern significant activities, resources or results associated with the achievement of the attribute purpose by a process.

    The first three capability levels focus on the instance or activity view of the processes, while from level 3 the attributes focus on the corporate entity view. This observation helps us to understand how the COSO Internal Control and ERM frameworks fit into this assessment model. The third dimension of the Internal Control framework is the Unit/Activity, while in ERM the third dimension is the corporate structure.

    Figure 3 identifies the applicability of the capability levels to the COSO main objectives:

    Figure 3: ISO 15504 capability levels and COSO objectives


    ISO 15504 conformance of the Internal Financial Control Process Assessment Model

    The purpose of the proposed Internal Financial Control Process Assessment Model is to support assessment of process capability based on the requirements of ISO/IEC 15504-2.

    The Internal Financial Control Process Assessment Model is based upon the Process Reference Model using the most recent COSO material, called Internal Control over Financial Reporting Guidance for Small Public Companies. In the process dimension of this Process Assessment Model, the model provides coverage of all of the processes in the Process Reference Model.

    The Process Assessment Model provides a two-dimensional view of process capability for the processes in the Process Reference Model, through the inclusion of assessment indicators. The Assessment Indicators used are:

    - base practices; and
    - generic practices.

    They support the judgment of the performance and capability of an implemented process.

    Each of the Processes in this Process Assessment Model is identical in scope to the Process defined in the Process Reference Model. Each Base Practice is cross-referenced to the Process Outcomes it addresses, as shown in Figure 4.

    Figure 4: Base Practices cross-referenced to the Process Outcomes in COSO Small Business Guidance

    The processes in the intended Internal Financial Control Process Assessment Model are identical to those defined in the proposed Process Reference Model. The Process Attributes and the Process Attribute Ratings in the proposed Process Assessment Model are identical to those defined in the Measurement Framework (up to Level 4).
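    As an added example (not code from the paper or from the Leonardo da Vinci project it describes), the following Python models the two dimensions described above: the process dimension as COSO-derived processes keyed by component, and the capability dimension as ISO/IEC 15504-2 process attributes up to Level 4, with a capability profile compared against a sponsor's target profile. The N/P/L/F rating scale and the capability-level rule (Largely or Fully on the attributes of level N, Fully on every lower level) are taken from ISO/IEC 15504-2 rather than from the page; the attribute ratings and the target profile are constructed values, and the process keys (CE.IEV, RA.FR, ...) are abbreviations formed from the paper's process list.

```python
"""Toy model of the two-dimensional Process Assessment Model: COSO-derived
processes (process dimension) rated against ISO/IEC 15504-2 process
attributes (capability dimension) up to Level 4.  All ratings and the target
profile are constructed illustrative values, not assessment results."""
from dataclasses import dataclass
from enum import Enum


class Rating(Enum):
    """N/P/L/F rating scale for process attribute achievement (ISO/IEC 15504-2)."""
    N = 0  # Not achieved
    P = 1  # Partially achieved
    L = 2  # Largely achieved
    F = 3  # Fully achieved


# Capability dimension: process attributes grouped into capability levels
# (attribute ids and names as in ISO/IEC 15504-2; Level 5 omitted because the
# paper uses the measurement framework only up to Level 4).
ATTRIBUTES = {
    1: ("PA1.1",),
    2: ("PA2.1", "PA2.2"),
    3: ("PA3.1", "PA3.2"),
    4: ("PA4.1", "PA4.2"),
}
ATTRIBUTE_NAMES = {
    "PA1.1": "Process performance",
    "PA2.1": "Performance management", "PA2.2": "Work product management",
    "PA3.1": "Process definition", "PA3.2": "Process deployment",
    "PA4.1": "Process measurement", "PA4.2": "Process control",
}

# Process dimension: a subset of the paper's COSO-derived processes,
# keyed as <COSO component>.<principle abbreviation>.
PROCESSES = {
    "CE.IEV": "Integrity and Ethical Values",
    "RA.FR": "Fraud Risk",
    "CA.IT": "Information Technology",
    "MO.RD": "Reporting Deficiencies",
}


@dataclass
class ProcessRating:
    """Attribute ratings assigned by the assessor to one instantiated process."""
    process: str      # key into PROCESSES, e.g. "RA.FR"
    attributes: dict  # PA id -> Rating; a PA not rated counts as N


def capability_level(attr_ratings, max_level=4):
    """Derive the capability level from attribute ratings.

    ISO/IEC 15504-2 rule: a process is at level N when every attribute of
    levels 1..N-1 is Fully achieved and every attribute of level N is Largely
    or Fully achieved.  Unknown PA ids are rejected rather than ignored, so a
    typo in the assessment record cannot silently inflate or hide a rating.
    """
    known = {pa for pas in ATTRIBUTES.values() for pa in pas}
    unknown = set(attr_ratings) - known
    if unknown:
        raise ValueError(f"unknown process attribute(s): {sorted(unknown)}")

    def rating(pa):
        return attr_ratings.get(pa, Rating.N)

    achieved = 0
    for level in range(1, max_level + 1):
        lower_fully = all(rating(pa) is Rating.F
                          for lower in range(1, level) for pa in ATTRIBUTES[lower])
        this_largely = all(rating(pa).value >= Rating.L.value
                           for pa in ATTRIBUTES[level])
        if not (lower_fully and this_largely):
            break  # levels are cumulative, so stop at the first failure
        achieved = level
    return achieved


def capability_profile(ratings):
    """Map each assessed process to its derived capability level."""
    return {r.process: capability_level(r.attributes) for r in ratings}


def profile_gaps(achieved, target):
    """Processes whose achieved level is below the sponsor's target profile,
    as {process: (achieved, target)}; an unassessed process counts as level 0."""
    return {p: (achieved.get(p, 0), t)
            for p, t in target.items() if achieved.get(p, 0) < t}


# Constructed sample assessment (illustrative values only).
SAMPLE_RATINGS = [
    ProcessRating("CE.IEV", {"PA1.1": Rating.F, "PA2.1": Rating.F, "PA2.2": Rating.F,
                             "PA3.1": Rating.L, "PA3.2": Rating.L}),
    ProcessRating("RA.FR", {"PA1.1": Rating.F, "PA2.1": Rating.L, "PA2.2": Rating.P}),
    ProcessRating("CA.IT", {"PA1.1": Rating.F, "PA2.1": Rating.F, "PA2.2": Rating.F,
                            "PA3.1": Rating.F, "PA3.2": Rating.F,
                            "PA4.1": Rating.L, "PA4.2": Rating.N}),
    ProcessRating("MO.RD", {"PA1.1": Rating.P}),
]
# Constructed target profile, e.g. a sponsor asking for Level 3 on the
# selected control processes and Level 2 on deficiency reporting.
TARGET_PROFILE = {"CE.IEV": 3, "RA.FR": 3, "CA.IT": 3, "MO.RD": 2}


def run_sample():
    """Return (capability profile, gaps against the target) for the sample."""
    profile = capability_profile(SAMPLE_RATINGS)
    return profile, profile_gaps(profile, TARGET_PROFILE)


if __name__ == "__main__":
    profile, gaps = run_sample()
    for proc, level in profile.items():
        print(f"{proc:7} {PROCESSES[proc]:30} Level {level}")
    for proc, (have, want) in gaps.items():
        print(f"gap: {proc} at Level {have}, target Level {want}")
```

    Note that RA.FR stays at Level 1 although PA2.1 is Largely achieved, because PA2.2 is only Partially achieved, and CA.IT stays at Level 3 because PA4.2 is Not achieved: the level rule is all-or-nothing per level, which is what makes a capability profile comparable between processes and between assessments.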


    Defining sectoral process assessment models

    Based on the presented steps of setting up the Process Assessment Model, specific sectoral assessment models can be implemented. As is true for both public and financial sector requests, the specific guidance or framework can be used for:

    - the definition of the PAM-specific purpose;
    - selecting or omitting COSO component based processes;
    - applying the capability levels selected from the Measurement Framework;
    - mapping of assessment indicators.

    By implementing the INTOSAI internal control guidance [5], the applicable process assessment model shall have a public sector specific purpose within the context of the specific characteristics of public sector organisations (i.e. their focus on meeting social or political objectives; their use of public funds; the importance of the budget cycle; the complexity of their performance, etc.).

    By using the INTOSAI guidance the specific PAM can select and map the processes from the COSO based PRM. As it has a risk orientation focus, the Process Attributes up to Level 4 can be used from the Measurement Framework by using the assessment indicators (base and generic practices) within the context of the guidance.

    If necessary, a formalized translation or conversion of data gained from the assessment can be settled in order to represent the results of an assessment as a set of process attribute ratings for each process selected from the COSO based Process Reference Model.

    Figure 5 shows the general concept of setting up sectoral Assessment Models covering risk management principles, as in the case of the INTOSAI guidance:

    Figure 5: Set-up of INTOSAI Assessment Model covering risk management principles

    In the case of more traditional COSO interpretations, like within the Basle Committee's framework [6], process attributes up to Level 3 can be selected for the specific Assessment Model. However, taking into consideration the support of the supervisory assessment approach, the mapping and translation of assessment results into capability ratings can follow more advanced methods (e.g. statistical procedures).


    As we focus on assessing Internal Financial Control systems, assessments implemented in any sector show many more similarities, since they mainly concentrate on issues up to Level 2. Investigations at Level 3 consider more the overall system of operational controls, which can vary with sectoral specialities.

    However, Internal Financial Control systems shall work at level 3 especially in the bank sector and also in the public sector institutes managing and intermediating public funds, due to the specific roles played by these organizations in the economy and society.

    In private sector organizations the appropriate level of Internal Financial Control can differ by size, type and regulation (like SOX). It can hardly be stated that e.g. SOX compliance requires a level higher than 1 for the selected or all control processes (or categories) regarding financial reporting. It is always an individual business risk consideration what level is enough for the entity, comparing the advantages and costs of robust controls. The enterprise risk management principles also help to identify the necessary or optimal levels for control processes relevant to achieving the organization's objectives.

    Impact on Internal Audit assignments

    In July 2006, the IIA issued its position paper Organizational Governance: Guidance for Internal Auditors [7]. This guidance is designed to help internal auditing in its assurance and advisory role with regard to specific aspects of governance. The document provides information on defining organizational governance and the role of internal auditing, organizational governance principles, and other related resources.

    The IIA's definition of internal auditing refers to "...bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." This definition incorporates the broad advisory and assurance role that internal auditing can have regarding an organization's governance processes. Aspects of internal auditing's role in governance are addressed in performance standard 2130 of the International Standards for the Professional Practice of Internal Auditing [8]:

    The common interpretation of ISO 15504 capability levels and COSO objectives shown in Figure 3 provides an innovative method for internal auditors to implement the 2130: Governance standard. The Process Capability Determination (PCD) and Process Improvement (PI) context of ISO 15504 provides an effective tool for internal auditing, which has the following significant responsibilities in corporate governance activities:

    - Performing assessments to provide assurance that governance structures and processes are properly designed and operating effectively.
    - Providing advice on potential improvements to governance structures and processes.

    Figure 6: Internal Audit Governance Maturity Model


    Figure 6 shows a graphic from the IIA July 2006 Position Paper on Organizational Governance: Guidance for Internal Auditors. The IIA approach fits well with the ISO 15504 capability model interpretation. At the lower maturity level the Internal Audit assignments shall mostly cover the process improvement initiatives for achieving Level 1 and 2 process attributes. From the medium level an increasing part of the assignment covers process improvements up to Level 3 process attributes and the process capability determination approach identifying compliance with the higher control requirements. At the high maturity level the Internal Audit assignment mostly covers process improvement activities for enhancing Level 3 and 4 process attributes.

    Figure 7 presents how the Process Improvement and Capability Determination approaches are applicable to the two types of Internal Audit Engagements:

    Figure 7: ISO 15504 and Internal Audit Engagements

    Relevant guidance on internal audit engagements can be found in The IIA's Professional Practices Framework and in the Practice Advisories [9].

    Systems based audit approach and COSO based, ISO 15504 conformant process assessment

    The traditional interpretation of systems based auditing is driven by the actual systems in place, and controls are related to these. It assumes that the systems in place cover all risks and frequently relies on internal control questionnaires, that is, standard documents used every time an audit is carried out. Risk based auditing experts call attention to the dangers of these questionnaires when comparing them to the risk based approach [10]:

    - The questionnaires can be incomplete. In particular, they might not check the management of all significant risks.
    - Since many are not linked to risks, there is no indication as to the importance of the test and the consequence if the control tested is found to be ineffective.
    - They can lead to a box ticking exercise by staff anxious to hit the budgeted time, without gaining an understanding of what they are doing. In this way, major risks, which are not being managed properly, may be missed.
    - They don't encourage management to identify and control their risks.

    Mapping and applying the COSO and COSO ERM main objectives into the capability dimension of the measurement framework can avoid these potential drawbacks. Targeting capability profiles by the assessment sponsor gives an effective tool to the management to identify, understand and manage control risk areas. By achieving level 4 attributes for selected control processes, management can implement risk management principles in a cost effective way.

    [Figure 7 diagram, labels recovered from the page: the Process is examined by Process Assessment; Process Assessment leads to Capability Determination (Assurance Engagements) and leads to Process Improvement (Consulting Engagements); Capability Determination identifies capability and risks of the Process and motivates Process Improvement; Process Improvement identifies changes to the Process.]

    The assessment model, consisting of both process and capability dimensions, enforces not only the simple use of internal control questionnaires and checklists, but also consideration of the relevant set of assessment indicators. Keeping to the standard requirements of the ISO 15504 conformant assessment process helps to implement this advanced measurement concept into the internal and external audit procedures standardized in different ways in different sectors. The control risk assessment method derived from ISO 15504 provides an adequate tool for avoiding the traditional drawbacks of systems based auditing.

    The proposed Process Assessment Model presented in this paper is directed at assessment sponsors (executive managers) and competent assessors (auditors) who wish to select and implement a model, and an associated documented process method, for assessment for either capability determination (assurance audit engagements) or process improvement (consulting audit engagements). Additionally it may be of use to developers of assessment models in the construction of their own model, by providing examples of good control and management practices.

    In this context the different terminologies used for compliance (or regulatory), financial and performance audits can be mapped to the capability dimension of this COSO based Process Assessment Model. In some regulatory circumstances compliance requirements measured at level 1 also enforce fulfilment of level 3 (operational) process attributes for a well-defined set of processes from control activities. The nature of similar overlaps in the objectives of different audit types can be explained and supported by using ISO 15504 process assessment principles and techniques.

    The COSO based process assessment principles presented in this paper are used to develop the Skill Card [2] and related training materials for the Certified European Internal Financial Control Assessor. This project (Project number: HU/B/05/B/F/PP-170013) is carried out with the financial support of the Commission of the European Communities under the LEONARDO DA VINCI Programme.

    References

    [1] ISO/IEC 15504-1:2004 Information technology -- Process assessment -- Part 1: Concepts and vocabulary
        ISO/IEC 15504-2:2003 Information technology -- Process assessment -- Part 2: Performing an assessment
        ISO/IEC 15504-2:2003/Cor 1:2004
        ISO/IEC 15504-3:2004 Information technology -- Process assessment -- Part 3: Guidance on performing an assessment
        ISO/IEC 15504-4:2004 Information technology -- Process assessment -- Part 4: Guidance on use for process improvement and process capability determination
        ISO/IEC 15504-5:2006 Information technology -- Process Assessment -- Part 5: An exemplar Process Assessment Model

    [2] Skill Card Internal Financial Control Assessor, HU/B/05/B/F/PP-170013 Leonardo da Vinci Pilot Project, 21000 Task Deliverable, Version 1.0, April 2006

    [3] The Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control - Integrated Framework (1992); Enterprise Risk Management - Integrated Framework (2004); Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting (Draft for public comment, 2005); Internal Control over Financial Reporting - Guidance for Small Public Companies (2006)

    [4] Information Systems Audit and Control Foundation, IT Governance Institute: COBIT - Control Objectives for Information and related Technology


    [5] INTOSAI: Guidelines for Internal Control Standards for the Public Sector, 2004, http://www.intosai.org/Level3/Guidelines/3_InternalContrStand/3_GuICS_PubSec_e.pdf

    [6] Basle Committee on Banking Supervision: Framework for Internal Control Systems in Banking Organisations, 1998, http://www.bis.org/publ/bcbs40.pdf

    [7] Organizational Governance: Guidance for Internal Auditors, The IIA, Position Paper, July 2006, http://www.theiia.org/download.cfm?file=76050

    [8] The Institute of Internal Auditors (The IIA): The International Standards for the Professional Practice of Internal Auditing, http://www.theiia.org/index.cfm?doc_id=124

    [9] Professional Practices Framework, The IIA Research Foundation, March 2004

    [10] Risk based internal auditing - an introduction, David M Griffiths, 30 January 2006, http://www.internalaudit.biz/files/introduction/Internalauditv2_0_3.pdf