

Deciding on a Model for Evaluating Internal Controls

Worldwide there are many models to choose from to evaluate the adequacy of the internal control framework. In the US we use COSO, Canada developed COCO, the United Kingdom established Cadbury, and then there are the globally accepted ISO Standards. This variety can be confusing, to say the least. Each model presents a slightly different viewpoint on internal controls. Ultimately the models all have the same goal: to promote guidelines for making judgments about the effectiveness of the controls. However, they exhibit some underlying differences because they are branded with the flavor of the country that created them. There is nothing extraordinary about these models; in fact, they are rooted in common sense. Using them can result in astounding outcomes.

The US COSO and the UK Cadbury are broken into five domains with only minimal differences in interpretation. The Canadian COCO focuses on the achievement of objectives and defines internal control as the elements of an organization that, taken together, support the achievement of these objectives. COCO focuses on the reliability of internal and external reporting. On the other hand, COSO defines internal control as the process effected by an entity’s Board of Directors, management and personnel, designed to provide reasonable assurance regarding the achievement of objectives. COSO focuses on the reliability of financial reporting. In the past, auditors have examined the hard controls. COSO, COCO and Cadbury highlight the need to examine soft controls as well.


The Sarbanes-Oxley Act in the US incorporated the COSO framework into the law as the model of choice. However, ISO 31000 is quickly gaining ground as the preferred model because it provides a generic framework for establishing the context for, identifying, analyzing, evaluating, treating, monitoring and communicating risk.

The International Organization for Standardization, widely known as ISO, is an international standard-setting body composed of representatives from various national standards organizations. Founded in 1947, the organization promulgates worldwide proprietary industrial and commercial standards. It has its headquarters in Geneva, Switzerland. While ISO defines itself as a non-governmental organization, its ability to set standards that often become law, either through treaties or national standards, makes it more powerful than most non-governmental organizations. The aim of the organization is to equalize and standardize across cultures. With the exception of a small number of isolated standards, ISO standards are normally not available free of charge, but for a purchase fee, which has been seen by some as too expensive.

ISO 31000 is compatible with the COSO framework and is considered an updated version that reflects the current state of risk management thinking internationally. ISO is considered more practical and less theoretical. It provides explicit terms in more detail. ISO is clearly written and easier for management to understand without audit trying to interpret for them. 

The most significant difference is in the definition of risk for ISO 31000 when compared to COSO. The ISO risk definition is the “effect of uncertainty on objectives.” The ISO standard has more focus on the consequences of uncertainty and allows for different views of risk than COSO. The focus on consequences provides a framework to help consider the impact if an event were to occur.

COSO ERM defines risk as “the possibility that an event will occur and adversely affect the achievement of objectives.” This definition is more focused on events rather than the consequences of events.

Many see the new ISO 31000 series as a very positive development in the risk management standards landscape. While the message is not new, the simplicity of the presentation is a big plus. Maybe we all should take a closer look at the ISO standards and see if they can streamline the risk management process for us.



Where to go for non-profit resources

A few conferences are coming up which are of note – in April, the Christian Leadership Alliance (CLA) will host the annual CLA conference in San Diego. In June, the AICPA will host the non-profit industry conference in Washington D.C. Historically, I’ve found the D.C. conference packed with knowledgeable industry resources spanning a wide range of topics. I’ve always left the conference with a page of notes on questions I needed to ask at my organization, or reporting requirements I needed to understand better to be prepared to address in the future.

This year, I’m branching out to the CLA. While its target audience is more limited to Christian nonprofits and churches, it is scheduled to bring some of the most dynamic speakers on topics ranging from financial management, board governance and revenue to tax and legal issues. In a year where FAS 157 is becoming old news, 117-1 is up and running, and the new disclosure form 990 is nearly hot off the press, I want to take the opportunity to branch out to see how another national organization educates the community in accounting, reporting and compliance topics.

If I don’t see you there, I’ll tell you about what I discover.


A-133 Audits

What is an A-133 audit?  How is it different than a financial statement audit?  While it may not be a question that keeps you up nights, it is worth a look.  First, let’s look at the purpose of the financial statement audit.  What does the opinion say?  “In our opinion, the financial statements present fairly, in all material respects….”  The purpose of a financial statement audit is to opine on whether or not the financial statements are fairly presented; whether or not the financial statements reflect reality.

An A-133 audit leverages off of the financial statement audit and looks at a couple of elements in greater detail.  Specifically, the purpose of an A-133 audit is to look at Compliance and Internal Controls in organizations expending more than $500,000 in federal grant funds in a given year.  It looks at compliance with rules of the federal grant, and with everyday rules and regulations that, if not followed, would have a material effect on the financial statements.  Internal Controls are those policies and procedures an organization has in place to ensure that mistakes (or worse) are caught in the normal course of work.  An A-133 audit considers whether the organization has controls in place to comply with federal rules and regulations, as well as controls to make sure the financial statements are not materially misstated.

There are many rules and regulations surrounding federal grant funds, which, if you think about it, makes a lot of sense.  Federal money comes from the taxpayers (you and me) who want to make sure it is used wisely and honestly.  Office of Management and Budget (OMB) Circulars A-110 and A-122 contain the grant rules for most nonprofit organizations.  Anyone administering federal grants should become well acquainted with them. 

In addition to OMB Circular A-133, which describes the requirements for auditing federal grants, OMB annually publishes a “Compliance Supplement”.  The Compliance Supplement incorporates rules, regulations, and guidance from A-110, A-122, and A-133 and lays out a plan for the audit of both compliance and internal controls. 

If a federal agency has instructions about specific things they want audited, the instructions are also included in the Compliance Supplement.

The Compliance Supplement lists 14 compliance requirements.  When auditors audit compliance with and internal controls over each of the applicable requirements, they will have adequately audited the major federal grant program.

The 14 compliance requirements are:

  • Activities Allowed and Unallowed – Are the grant activities in accordance with the grant documents and federal regulations?
  • Allowable Costs – Are all expenditures under the grant allowable?
  • Cash Management – Are the cash management regulations being followed?
  • Davis-Bacon – If there is construction using federal funds, are prevailing wages paid?
  • Eligibility – If the grant has eligibility requirements, are they being followed?
  • Equipment and Real Property – Are capital equipment and real property adequately tracked and safeguarded?
  • Matching, Earmarking, Supplanting – If the grant has special matching, earmarking, or supplanting requirements, are they being followed?
  • Period of Availability – Do grant expenditures fall within the beginning and end dates of the grant?
  • Procurement, Suspension & Debarment – Has open competition been held for significant purchases?  Have any payments been made to suspended or debarred individuals or companies?
  • Program Income – Has income earned in the grant been used for grant purposes?
  • Reporting – Have the required reports been filed in a timely and accurate manner?
  • Real Property Relocation – If the grant was involved in relocating real estate, have the regulations been followed?
  • Subrecipient Monitoring – Have subrecipients been properly monitored?
  • Special Tests – Any special tests a federal agency wants will go here.


After the auditors have looked at your federal grant programs from all of these angles, they will have a very good basis for reporting on your compliance with and controls over your federal grant funds.

