During Compliance Monitoring and Enforcement Program (CMEP) engagements, MRO audit staff will inquire as to the extent that registered entities contemplate compliance and organizational risks and how they are effectively reducing those risks through the implementation of internal controls.
Risk-based inquiry is intended to be a seamless and integral aspect of CMEP engagements. Following inquiry, the auditors’ assessments of the overall effectiveness of risk reduction are documented and used in the development of Compliance Oversight Plans. The assessments may also influence testing during fieldwork, as well as future audit scoping and the extent of sampling.
Common Language
Established controls frameworks such as COSO, NIST, and the GAO Green Book all share a set of common terms that may be relied upon by industry and audit staff not only in the development of internal controls, but also in assessments of those controls by the audit team. Common terms and ideas lead to a common language that may help facilitate conversations about internal controls. Inquiry helps auditors assess the overall maturity of a registered entity’s program and the effectiveness of risk reduction using specific internal controls. Below are common attributes of internal controls and some examples of questions the audit team may ask during inquiry:
- Risk – Have you identified and analyzed your inherent risks such that you are aware of your risk tolerances and responses to those risks? What do you use as a baseline? How do you organize risks? Do you contemplate likelihood and impact?
- Objective – To what extent might the control objective reduce the associated risk? Is the expected risk reduction likely to happen and will it be measurable?
- Design – Do you document the design of the control such that the “who, what, when, where, and why” is clear to those who carry out the actions? How do you ensure the appropriate staff are competent and able to implement the control? Is knowledge limited to one individual, or a few, or the entire team?
- Activities – Can the activities be performed under pressure, or could corners be cut? Are activities tracked to help ensure they are performed as intended? Do the activities cover the objective of the control?
- Implementation – How do you put controls in place? Are there levels of review to help ensure the controls are executed as they are intended? Do you train staff to help ensure they understand the activities?
- Effective Operation – Are you able to ensure that the objective is achieved as intended? Are you able to measure performance? Does your organization monitor for changes to its control environment (turnover, changing requirements, new threats and risks)? How do you evaluate the results of your overall Internal Controls program? By what means do you identify and target corrective actions?
Methods of Inquiry
The audit team will inquire about internal controls using methods that are most efficient and appropriate to entities’ circumstances. Methods will include:
- SME Interview – The audit team asks the subject matter experts (SMEs) for additional insight into the attributes of their internal controls and how risks are reduced through implementation.
- Walk Through – Registered entity staff will provide insight into the entire process from identification of risk all the way through implementation of the internal controls.
- Documentation – The audit team reviews submitted internal controls documentation that might include narratives, screenshots, tracking templates, and documented processes.
- Re-Performance – Internal controls tools and applications are demonstrated for the audit team in a “live” environment.
- Written RFI – The audit team requests specific evidence and/or documentation of risk management activities, how controls are designed, and that the controls are implemented.
Conclusions and Feedback
Internal control strengths and deficiencies identified during an engagement, as applicable, will be documented and communicated through discussions during inquiry along with formal conclusions, such as Areas of Concern, Recommendations, and Positive Observations. Internal control conclusions cannot, by themselves, constitute a Potential Noncompliance.
Recognizing that not all entities require the same level of controls, suggested areas of improvements will account for the variation in entity types and provide realistic recommendations.
Using internal controls common terms and language from existing controls frameworks will aid both the audit team and entity staff in an effective and efficient exchange of information that may help ensure that both compliance risks and reliability risks are further reduced.
– Rich Samec, MRO Principal Compliance Engineer