The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control--Integrated Framework, updated in May 2013, is considered a leading framework in designing, implementing, and conducting internal control assessments. COSO's focus on a balanced approach toward internal control makes it a valuable framework for organizations and internal auditors. Leveraging COSO to enhance audit frameworks, activities, and risk assessment approaches helps ensure that key audit outputs add value and advance the organization, rather than impede its progress.
For several years, the Texas Department of Transportation's (TxDOT's) Internal Audit Office has been on a mission to improve its audit program by infusing elements of COSO's Internal Control-Integrated Framework. The successful implementation of COSO 2013 has resulted in increased consistency, quality, and productivity of the audit function. In addition, the department is better aligned with the organization's key stakeholders to ensure audit is adding value and providing solutions-based recommendations to manage organizational risk and achieve business objectives.
Implementation of the framework came as a result of a top-down review of management and the organization, which called for improvements in the areas of effectiveness, efficiency, communications, and transparency. Blending the audit and COSO framework provided a natural method to focus on evaluation, identification, and monitoring of areas for improvement, and the vehicle identified to do it was an enterprise risk management audit dashboard (see "Audit Results Dashboard" on page 59).
To gain needed organizational support, the dashboard was discussed with members of the commission (board), executives, and senior leadership. This ensured understanding of the audit framework and also provided an opportunity to offer input on meaningful, consistent areas to evaluate and monitor. Another advantage of the audit dashboard is clear, consistent reporting and evaluation of results; the dashboard quickly reveals areas that require investment of resources, with color coding that highlights the severity of the risks identified.
THE AUDIT PROCESS
TxDOT has a three-phase audit process: planning, execution, and closing. Within each phase, TxDOT uses the Audit Results Dashboard as the key communications vehicle. The dashboard includes COSOs five internal control components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. These components are the basis for the audit teams evaluations and allow for annual reporting, which provides an enterprisewide view of the organizations risk profile. The dashboard also includes COSO's defined objectives, which are highlighted to scope areas to be evaluated during the audit engagement: Operations, Reporting, and Compliance. In addition to knowing what is being evaluated during an audit engagement, key stakeholders get assurance and notification of where achievement of COSO objectives is strong or at risk.
The Strategic element of COSO also is addressed in every audit engagement. For every engagement performed, the...