You will never reach your destination if you stop and throw stones at every dog that barks. -Winston Churchill
I burned up several chapters covering the risk assessment component of the COSO model… but if you don’t get that right, nothing else works. There is no point in having well-designed controls over items that are not risky.
Our case study has centered around the use of purchasing cards by school district employees. And after choosing a more specific subject matter, asking what could go wrong (inherent risk), and then choosing which potentially bad results were more likely to occur and of higher magnitude, we chose three risks that should be mitigated with controls:
1. The risk that the coach would buy something personal with the purchasing card.
2. The risk that the coach would spend too much money with the purchasing card.
3. The risk that the coach is unable to use the card because use involves too much paperwork and bureaucracy.
To move forward with our case study, I am going to work on just one of these three risks; this text will suffer from control overload if I try to tackle all three! So, let’s focus on the first one – the risk that the coach will buy something personal with the purchasing card.
Control objectives
In order to stay focused, the Green Book recommends that managers develop a control objective before they begin applying controls to a risk. These quotes have been edited and truncated to help us see the specific directions from the GAO regarding control objectives:
6.02 Management defines objectives in specific and measurable terms to enable the design of internal control for related risks. Specific terms are fully and clearly set forth so they can be easily understood. Measurable terms allow for the assessment of performance toward achieving objectives.
6.05 Management considers external requirements and internal expectations when defining objectives to enable the design of internal control. Legislators, regulators, and standard-setting bodies set external requirements by establishing the laws, regulations, and standards with which the entity is required to comply.
My background as an auditor is coming in very handy here because I can relate what the GAO is saying about control objectives in the Green Book to what the GAO says about audit objectives in the Yellow Book – the government auditing standards.
The Yellow Book shows auditors that a workable audit objective (a statement of the purpose of the audit) includes a specific, well-defined subject matter and criteria. I equate the Green Book’s section 6.02 with our needed ‘specific, well-defined subject matter.’ The specific, well-defined subject matter in our case is the coach’s purchasing card purchases.
And when I read 6.05 I equate ‘laws, regulations, and standards’ with ‘criteria.’ The ‘criteria’ in our case will be school district policy regarding what constitutes personal vs. valid business-related purchases.
So, I could phrase our control objective for our chosen risk: Do controls prevent the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?
Or I could phrase it this way: Do controls ensure that the coach’s purchasing card purchases are business-related as defined by Grace School District Policy #C7.459?
I think the first one sounds more compelling, but it has a negative tone, as if we suspect him of bad behavior… which we kinda do… As an auditor, I usually skew statements in a negative light, so I find this one preferable. But the negative tone might get us into some trouble with the management and leadership responsible for the controls.
So, our control objective going forward is: Do controls prevent the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?
Now brainstorm controls
Since we are now very clear on what we want to develop controls for, I can easily come up with ideas for controls that could be put into place. But if I am not careful, I can easily come up with controls that do not apply to our control objective! Which of these controls will help us with our control objective?
• Vendor codes should be restricted to prevent personal use. Yes, this does help us with our objective – in part. But just because the coach buys something under an appropriate vendor code, doesn’t mean he can’t take it home with him! For instance, he could buy a treadmill and put it in front of his big screen TV at home.
• Periodic inventory of items purchased. This one sounds applicable, but whether it is effective will depend on who does the inventory. Obviously, if the coach is asked to perform his own inventory of items he has purchased, the results will be neither objective nor useful. We can’t trust the results if his assistant does the inventory either. This control is a good idea only if the inventory is performed by an objective party, one who is not motivated to lie.
• Training. Yes, asking the users of the cards to attend training regarding their proper use is applicable. And although I write and conduct training classes, I am going to have to shoot a few holes in this idea. Hole #1: The training has to be well designed and presented – not all trainings are. Hole #2: The participant has to pay attention during the training – not all participants do!
• Dollar limits are placed on each purchase. No, this does not help us with our objective. Whether the purchase is a high dollar amount or a low dollar amount does not affect whether the item purchased is personal or not.
• Purchases over a certain dollar amount must be approved. No, this does not help with our objective. Again, the dollar amount is not relevant to our objective.
• Purchases from vendors not on the allowable vendor list must be approved. Yes, this can help us restrict personal use, but it will not prevent the coach from buying something from an allowable vendor – say a sporting goods store – and then taking it home to use personally.
• Receipts should be matched to statements and evaluated for allowability. Again, this one is not a direct solution because the term ‘allowable’ is not the same term as ‘personal.’
• Receipts should be reviewed for possible personal purchases. Questionable purchases are investigated. This one is applicable.
I bet you have come up with some ideas yourself. Now it is time to make sure that our thinking is robust and that we have considered all of our options. That is one of the core benefits of the Green Book; the Green Book gives us more options and helps us make sure that we thought of everything. That is also one of the Green Book’s drawbacks; it presents so many options and layers it can get overwhelming.
In order to describe each of the remaining components of the COSO model, I am going to go full bore in the next chapters on control activities, information and communication, monitoring, and control environment, laying out as many controls as possible and sharing everything I can think of. At the end of the book, I will cull through all of those ideas and choose a set of manageable and doable controls that you should be able to use. But in no way should you intend to implement all of these ideas, because that would cost way too much money and time.