Evaluate the Control Environment

Documentation is only a start; now it’s all about asking questions.

MANAGEMENT IS RESPONSIBLE FOR EVALUATING and reporting on a company’s controls. The external auditors are responsible for auditing management’s assertion and independently coming to their own conclusions about the company’s internal control effectiveness. They must evaluate management’s assessment and also perform their own, independent tests in many areas, including the control environment.

THE CONTROL ENVIRONMENT HAS A PERVASIVE structure that affects many business process activities. It includes elements such as management’s integrity and ethical values, operating philosophy and commitment to organizational competence.

ADDING TO THE DIFFICULTY OF THE TASK is the fact that the control environment is not transaction-oriented. Tests of controls that auditors are accustomed to performing, such as walk-throughs or the reperformance of the control for a sample of items, will not be possible. And focusing solely on activity-level controls is inappropriate.

TESTS OF THE CONTROL ENVIRONMENT will consist of a combination of procedures, including a review of relevant documentation of the design, inquiries of management and employees and direct observation.

AUDITORS WILL HAVE TO PROBE for understanding and awareness and try to understand the company’s attitude toward internal control over financial reporting. They also should ask management for a self-assessment.

MICHAEL RAMOS, CPA, is the author of How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control, John Wiley & Sons, 2004. Other articles he has written on section 404 can be found on the AICPA Web site. “SOX 404 Consulting: Where to Begin” is available on the AICPA private companies practice section (PCPS) Web site at www.pcps.org . “SOX 404 Compliance: A Structured Approach” can be viewed at www.aicpa.org. Mr. Ramos’ e-mail address is michaeljramos@mac.com .

eginning with the first yearend on or after November 15, 2004, many companies will have to comply with the internal control reporting requirements of the Sarbanes-Oxley Act of 2002. The control environment is one of the key components of an entity’s internal control; it sets the tone of an entity, influences the control consciousness of people within an organization and is the foundation for all other components of the internal control system. In this article management and independent auditors will find some suggestions for addressing one of the most challenging requirements of assessing internal control: evaluating the effectiveness of the control environment.

Management has always been responsible for the design and maintenance of the company’s internal control. Now, because of Sarbanes-Oxley, management has the added responsibility to annually evaluate, test and report on the entity’s internal control over financial reporting. The external auditors are responsible for auditing management’s assertion as to the effectiveness of this internal control and coming to their own, independent conclusions. They must evaluate management’s assessment and perform their own, independent tests of controls, including the control environment. Thus, the suggestions provided in this article on testing the control environment may be helpful to management and auditors alike.

As opposed to an activity-level control (for example, checking the mathematical accuracy of a vendor invoice), which is limited to one processing stream, the control environment has a pervasive structure that affects many business activities. It includes elements such as management’s integrity and ethical values, operating philosophy and commitment to organizational competence.

Designing and performing tests at the control environment level will be a complex and challenging task—for example, a company may point to its code of conduct as documenting its ethical values. Ultimately though, the mere existence of the documentation of a control is not sufficient to support a conclusion about its operating effectiveness. Management and auditors must do more than demonstrate that a code exists; they must evaluate the effectiveness of the code’s implementation. For example, the entity’s implementation procedures may include training sessions for management and employees on the company’s code and the establishment of formal channels for the confidential communication of code violations to senior management.

To determine whether the code of conduct has been implemented effectively, these questions need to be asked:

How is the code communicated?

Do the entity’s employees and management follow the code?

How is compliance with the code monitored?

Does compliance with the code improve the effectiveness of other control policies and procedures?

Adding to the difficulty of the testing requirement task is the fact that the control environment is not transaction-oriented. The tests of controls auditors are accustomed to performing, such as walk-throughs or the reperformance of the control for a sample of items, will not be possible.

At this early stage of complying with section 404 requirements, most companies have focused on the documentation, evaluation and testing of activity-level controls. For example, bank reconciliations, the matching of shipping documents to invoices and computerized checks of data entered into the accounting system all are examples of activity-level controls.

As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, activity-level controls are just one component of internal control over financial reporting. In an evaluation of internal control, both management and the auditors need to consider all its components. If they focus exclusively on activity-level controls to draw a conclusion about all elements of internal control, they may reach inappropriate conclusions about internal control taken as a whole.

For example, consider the entity that requires its board of directors to approve all significant decisions made by the CEO. Suppose, however, the philosophy of the CEO is that he or she alone knows what’s best for the organization. Suppose, too, the CEO, through a committee he or she controls, is able to handpick the majority of the board members. And because the primary criterion for advancement within the organization is personal loyalty to the CEO, the information that senior management presents to the board is tightly controlled and presented in a way that makes ratification of the CEO’s agenda a foregone conclusion.

Focusing solely on the activity-level control is inappropriate. Read the minutes and you’ll undoubtedly find the board approved all the transactions it should have. On the surface, internal control looks good. In reality it is not. Only by looking at the control environment directly—as in management’s philosophy and operating style and its commitment to competence—does a true picture of the organization begin to emerge.

So how can we take a more direct approach to evaluating and testing the control environment? Here are some suggestions.

The COSO framework provides criteria and information on the control environment, but this guidance is at a fairly high level since the framework was tailored for all organizations. For example, COSO identifies integrity and ethical values as important pieces of the entity’s control environment and makes a compelling argument for why this is so. But the purpose of COSO is not to explain how to measure or evaluate whether an ethical climate is “effective.” Once management gathers information about the control and its design, it is left to them to decide how to determine and test its relative effectiveness.

Help in judging the relative effectiveness of a software development process came several years ago when a group of IT software professionals developed a “capabilities maturity model.” This model was quickly adopted by the profession as part of its “control objectives for information and related technology” (COBIT) model for gauging IT-control effectiveness. Some of the larger accounting firms recently adapted the model for use in determining the relative effectiveness of internal control of their clients (see “ Choose the Right Tools for Internal Control Reporting ,” JofA , Feb.04, page 34).

Summary of Internal Control Reliability Model
  Characteristics of reliability
Reliability level Documentation Awareness and understanding Perceived value Control procedures Monitoring
Initial Very limited Basic awareness Unformed Ad hoc, unlinked  
Informal Sporadic, inconsistent Understanding not communicated beyond management Controls are separate from business operations Intuitive, repeatable  
Systematic Comprehensive and consistent Formal communicationand some training Controls integral to operations Formal, standardized  
Integrated Comprehensive and consistent Comprehensive training on control-related matters Control processes considered part of strategy Formal, standardized Periodic monitoring begins
Optimized Comprehensive and consistent Comprehensive training on control-related matters Commitment to continuous improvement Formal, standardized Real-time monitoring
Note: This table and a description of the model first appeared in How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control, by Michael Ramos, John Wiley & Sons, 2004.

The model describes several different levels of reliability or maturity of an internal control system—for example, levels may range from “initial,” the lowest level of reliability, to “optimized,” the highest. The exhibit above summarizes a five-level model based on the various characteristics used to gauge system reliability.

The internal control reliability model can be helpful in designing tests of a control environment’s effectiveness. The overall reliability of the system depends on the characteristics that describe each level. Auditors should design the control environment tests to determine the relative reliability of each of these characteristics, as discussed below.

In evaluating the design and operating effectiveness of the control environment, auditors’ tests will consist of a combination of procedures, including

A review of relevant documentation—for example, the company’s code of conduct.

Inquiries of management and employees, either verbally, in writing or both.

Direct observation.

Here are some tips for designing these procedures:

Start with a review of documentation relating to the control environment. The most likely sources of information include the company’s

Code of conduct.

Personnel policies.

Board of directors and audit committee charters.

Disclosure committee charter.

Other, informal communications from senior management about control environment matters such as ethics or management philosophy.

Remember that documentation is only a start—not the be-all and end-all. Ask management direct questions about the actions it took to assess how management or employees complied with, or violated, stated management philosophies or standards of behavior. Examples of such questions include

Have you observed unacceptable behavior on the job? If so, what did you observe?

If you were to report unacceptable or unethical behavior to senior management, what action do you think management would take?

Probe for employees’ understanding and awareness. Do managers and other employees know the relevance and importance of their control-related activities? Do the board and the audit committee have a full appreciation of their oversight responsibilities?

Try to understand the company’s attitude toward internal control. Is it a “necessary evil,” or is it viewed as an integral part of the company’s management? Suppose you asked senior management and the board the following questions about the company’s code of conduct.

What was the main reason for developing the company’s code of conduct?

How often is the code reviewed and updated?

The answers to these questions may be revealing—for example, a manager who says the code was developed because the lawyers recommended it and that it has not been reviewed or updated in the last 10 years tells you a great deal about the attitude of senior management toward the value of an effective control environment.

Ask for a self-assessment. Direct questions can be quite effective. Ask management or operations personnel about how various control environment elements work:

Do you believe the company has established standards of behavior that create an overall appreciation for and compliance with its documented control policies and procedures?

How would you describe management’s operating style and philosophy?

What aspects of the company’s culture or management policies contribute to or detract from your ability to perform your job responsibilities effectively?


Don’t focus your internal control tests exclusively on activity-level controls. You have to evaluate and test the control environment, too.

Establish a benchmark, such as the internal control reliability model, that will be used to gauge internal control effectiveness. Use this model to design your tests of the control environment

Use several different testing techniques to gather information about the control environment from a broad range of entity personnel.

Sarbanes-Oxley section 404, which requires management to assess and report on the effectiveness of a company’s internal control over financial reporting, has changed dramatically the landscape of control assessment. The control environment is an integral part of the internal control system and therefore must be understood, evaluated and tested, first by management, and then by the external auditors.

The subjective, non-transaction-oriented nature of the control environment will create many challenges, none of which management can use as a rationale for noncompliance. A good place for both management and the auditor to begin is to develop a model, such as the internal control reliability model, that describes the characteristics of a control environment at various levels of reliability. Management can then design tests to evaluate the presence or absence of each of those characteristics and how effective the control environment really is.


The Institute answers individual questions at the Sarbanes-Oxley Act hot line: 866-265-1977, and up-to-date compliance information for CPAs is available at Sarbanes-Oxley Act/PCAOB Implementation Central, http://cpcaf.aicpa.org/Resources/

Consideration of Internal Control in a Financial Statement Audit, an AICPA Audit and Accounting Guide (# 012451JA).

Financial Reporting Alert, Internal Control Reporting—Implementing Sarbanes-Oxley Section 404 (# 029200JA).

Financial Reporting Fraud: A Practical Guide to Detection and Internal Control by Charles R. Lundelius Jr. (# 029879JA).

Internal Control—Integrated Framework, COSO report (# 990012JA).

Internal Control Reporting for Public Companies, a webcast originally presented July 17, 2003, and now available on CD-ROM (# 737132HSJA).

Internal Controls: Design and Documentation, a self-study course (# 731850JA).

SEC Reporting, a self-study course (# 736771JA).

National Advanced Accounting and Auditing Technical Symposium (NAAATS)
July 22–23, 2004
Hilton La Jolla Torrey Pines, La Jolla, California

Conference on Advanced Litigation Services and Fraud
September 26–29, 2004
JW Marriott Desert Ridge, Phoenix

For more information, to place an order or to register, go to www.cpa2biz.com or call the AICPA at 888-777-7077.


Get your clients ready for tax season

Upon its enactment in March, the American Rescue Plan Act (ARPA) introduced many new tax changes, some of which retroactively affected 2020 returns. Making the right moves now can help you mitigate any surprises heading into 2022.


Black CPA Centennial, 1921–2021

With 2021 marking the 100th anniversary of the first Black licensed CPA in the United States, a yearlong campaign kicked off to recognize the nation’s Black CPAs and encourage greater progress in diversity, inclusion, and equity in the CPA profession.