auditing informal controls

Happy New Year everyone!

To commemorate the new year, I decided to do some light reading on control self-assessments 🙂

In my research of control self-assessments (CSAs), I came across a paper titled ‘Control Self-Assessment: A tool for organizational improvement’. The authors of the paper imply that audits can only audit formal controls.

“Audits confirm the degree of compliance with formal controls and mandates. They (informal controls) are not tangible and, therefore, are not subject to the verification standards demanded by traditional audit.”

Another resource implied the same thing –

“CSA is an audit technique within the broad framework of internal audit that measures areas that traditional audit techniques are not designed to measure, such as trust, morale and corporate culture”

However, the paper notes (as is also true in my experience) that it is really informal controls that are more influential in an organization.

“One of COSO’s core conclusions was that “official policies” (formal controls) specify what management wishes to happen. However, the “culture of the organization” (informal controls) determines what actually happens – which rules are obeyed, ignored or bent. Without a clear assessment of informal internal controls, any organization runs the risk of the loss of opportunities and of potentially serious problems going undetected.”

Is it true that audits can only validate and measure formal controls? If informal controls are more effective than formal controls and audits are limited to validation of formal controls, does this call into question the effectiveness of auditing and imply that the value of auditing is limited to a validation of formal controls?

Widely accepted international standards have defined internal controls in the following ways:

  • A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories, (i) Effectiveness and efficiency of operations, (ii) Reliability of financial reporting, (iii) Compliance with applicable laws and regulations – COSO
  • Actions that foster the best result for an organization – COCO (Canada)
  • A company’s system of internal control has a key role in the management of risks that are significant to the fulfillment of its business objectives – Turnbull Committee (UK)
  • All major factors that, taken together, support people in the achievement of their own work objectives and those of the organization – USAID paper

See this related post for deciding on which internal control framework to implement.

Although the various internal control frameworks use very broad definitions, when most people think about internal controls in the traditional sense, they think primarily about financial reporting controls (e.g. Sarbanes-Oxley requirements) and secondarily about other formal non-financial controls such as policies and procedures, authorizations and review processes.

The COSO model has the following components:


For an auditor, the control activities component is typically the primary area of focus. Control activities such as policies, authorizations and reconciliations are formal controls: they are tangible and repeatable, and they are typically embedded in transactions and processes. Monitoring activities are another component that is typically audited. However, the other COSO components – control environment, information and communication, and risk assessment – are also controls, but they are typically known as informal controls and are either one-time or non-repetitive.

What is the role of an audit as it relates to informal controls – i.e. most of the COSO cube except for control activities? How does audit validate these ‘controls’?

A known method for audit validation is sample testing of transactions. How do you validate an informal control when it is not directly related to a transaction and is non-repetitive? Do you merely validate the existence, use and importance of the informal control in the organization? Would an audit recommendation be limited to whether the control exists, is consistently used and is known throughout the organization? The idea that informal controls become an audit issue only if they are absent or if there is a very clear exception is supported by the following source:

“Soft (informal) controls include ethics, commitment to competence, and management operating style. Such controls have traditionally been overlooked in audits because documented evidence of the audit condition is difficult to obtain and test… on the other hand, proper behavior is assumed for soft controls. An unfavorable audit conclusion is reached only if improper behavior is observed. A satisfactory rating wouldn’t be ruled out if the auditor finds no direct evidence that the “soft controls” are in place. Only if instances of unethical, incompetent, or improper management behavior are discovered should the auditor consider an unsatisfactory rating. The level of assurance provided by the auditor for soft controls is, therefore, much less than normally rendered. As techniques for testing soft controls improve, rating criteria may be revised to render more positive assurance.”

Informal controls are also typically very people-oriented and therefore potentially highly subjective. CSA-type tools such as surveys and questionnaires can be used to provide data and observations on informal controls.

It does make sense that formal controls, and the auditing of formal controls, are important in industries and processes that have high compliance requirements, such as financial reporting (adherence to GAAP or similar accounting standards), banking, oil and gas, investments, etc. However, in areas that are not highly regulated and that are more relational, formal controls are not always as evident or important. In the nonprofit industry, there are many activities that are relational and qualitative, where informal controls hold much more sway than formal controls.

In my reading so far on CSAs, it appears that CSAs are the preferred tool to provide a more in-depth evaluation of informal controls. In a future post, I will explore the differences between traditional auditing and CSAs.

By nature of IIA’s adoption of the COSO internal control framework as a standard, it is our responsibility as auditors to not just validate formal controls, but also informal controls. It might not be very straightforward or intuitive to audit informal controls, but it is imperative. From my personal experience, the recommendations that have been most valuable to management and that have been part of much needed change in the organization most often relate to informal controls.

I welcome your comments and observations.


2 Responses to “auditing informal controls”

  1. Chris Devairakkam
    January 27, 2013 at 3:30 pm

    It is very true that consistency is so important to succeed. However, the challenge is to be consistent when there are many competing priorities!
