Enhancing Performance Audits: The Critical Role of the Control Environment

Written By Parker Skaats

Performance audits are essential tools for government auditors, designed to evaluate the efficiency, effectiveness, and economy of operations. Central to these audits is the control environment, as outlined in the Green Book, which provides a framework for evaluating organizational governance and control processes. Understanding and assessing the control environment is crucial for auditors to ensure accurate and meaningful audit outcomes. 

This post is the first in a series of five, each focusing on one of the five components of internal control as outlined in the Green Book. In the coming posts, we will explore risk assessment, control activities, information and communication, and monitoring activities, providing a comprehensive overview of internal controls in government auditing.

Understanding the Control Environment

Control Environment

The control environment is the foundation of any organization's system of internal control, setting the tone at the top regarding the importance of internal control and the expected standards of conduct. It includes various elements such as the integrity and ethical values of the organization, the oversight provided by management, and the methods of handling risk. These elements are critical as they influence the overall quality and success of the audit process.

The Five Principles of Control Environment

Principle #1: The oversight body and management should demonstrate a commitment to integrity and ethical values

  • Executive management has established a “tone at the top” that has been communicated to and is practiced by executives and management throughout the agency by their directives, attitudes, and behavior.

  • Management establishes and enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training and addresses acceptable operational practices and conflicts of interest.  Appropriate disciplinary action is taken in response to departures from such. 

  • Management establishes processes to evaluate performance against the entity’s expected  standards of conduct and address any deviations in a timely manner. Management also provides opportunity for individual personnel to report issues through a whistle-blowing program or an ethics hotline.

Principle #2: The oversight body should oversee the entity’s internal control system

  • Management has established an oversight body to oversee the implementation and continued monitoring of internal controls.

  • The oversight body oversees management's design, implementation, and operation of the agency's internal control system.

  • Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur.  Management reports deficiencies in internal controls to the oversight body which provides direction to management on the remediation of these deficiencies along with suggesting an appropriate time frame for correction.

Principle #3: Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives

  • Management has an up-to-date organizational chart which defines the lines of management authority/ responsibility and is shared with employees.

  • Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. Management also ensures proper segregation of duties within a unit and in the organizational structure.

  • Management appropriately documents its internal control system.  Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system. 

Principle #4: Management should demonstrate a commitment to recruit, develop, and retain competent individuals

  • Management establishes expectations of competence for key roles, and other roles at management’s discretion, to help the entity achieve its objectives. Personnel need to possess and maintain a level of competence that allows them to accomplish their assigned responsibilities, as well as understand the importance of effective internal controls.

  • Management recruits, develops, and retains competent personnel to achieve the entity’s objectives.

  • Management defines succession and contingency plans for key roles to help the entity continue achieving its objectives. Succession plans address the entity’s need to replace competent personnel over the long term, whereas contingency plans address the entity’s need to respond to sudden personnel changes that could compromise the internal control system such as a position that is vacated without notice.

Principle #5: Management should evaluate performance and hold individuals accountable for their internal control responsibilities

  • Management enforces accountability of all individuals and holds personnel accountable for performing their assigned internal control responsibilities.

  • Management adjusts excessive pressures on personnel in the entity. Pressure can appear in an entity because of goals established by management to meet objectives or cyclical demands of various processes performed by the entity, such as year-end financial statement preparation. Excessive pressure can result in personnel “cutting corners” to meet the established goals

Evaluating the Control Environment during Performance Audits

To effectively assess these aspects, auditors need to obtain specific documentation from management that demonstrates the operationalization of these principles. This documentation might include:

Copies of the organization’s codes of conduct, along with records of training sessions on ethical behavior and compliance. These documents help auditors verify that ethical standards are established and disseminated throughout the organization. Documentation of reports made to the oversight body, including how internal control deficiencies are communicated and addressed. This may include minutes of meetings, official communications, and action plans. Updated organizational charts and detailed job descriptions can provide auditors with insights into the clarity of roles and the distribution of responsibilities. Documentation related to hiring practices, employee qualifications, training programs, and personnel evaluations. This helps auditors assess whether the staff is competent and whether there are effective plans for personnel continuity. Records of performance reviews and the related criteria used, alongside documentation of accountability mechanisms such as disciplinary actions or reward systems.

By obtaining and reviewing these types of documents, auditors can corroborate the information provided by management and assess whether the principles of the control environment are being effectively implemented and maintained. This documentation serves as tangible evidence of the organization’s commitment to a robust internal control system.

Conclusion

Evaluating the control environment is a pivotal aspect of performance audits, requiring auditors to systematically assess factors such as integrity and ethics, oversight effectiveness, organizational structure, personnel competence, and accountability mechanisms. By securing and scrutinizing the appropriate documentation from management, auditors can ensure a thorough and accurate assessment of these areas, reinforcing the reliability and effectiveness of their audits. For those interested in deepening their understanding and expertise in this critical area, I invite you to join my upcoming online class, Assessing Controls in Performance Audits. This course will provide detailed guidance on practical techniques for evaluating control environments, enhancing your skills to conduct more effective performance audits.

Parker Skaats
Previous

Evaluating Risk Assessment in Performance Audits
Next

The Impact of Detail on Audit Documentation Quality