Internal Control Audit and Compliance. Graham Lynford

Title: Internal Control Audit and Compliance
Author: Graham Lynford
Genre: Foreign educational literature
Series:
Publisher: Foreign educational literature
Year of publication: 0
ISBN: 9781118996300

recognition.

4. Information and communication. Surrounding the control activities are information and communication systems, including the accounting system. Whether manual or, as is most likely today, implemented using automated (computer) systems, they enable the entity's people to capture and exchange the information needed to conduct, manage, and control its operations. The information and communication component comprises both internal communications (e.g., management, governance) and external communications (e.g., shareholders, prospective investors, or creditors).

5. Monitoring. The COSO Framework identifies monitoring as the responsibility of management. The auditor is not a part of the entity's system of internal control. The entire company control process should be monitored on a regular basis by management, and issues that arise should be communicated appropriately within the organization. In this way, the system should be in a position to react dynamically, changing as conditions warrant, rather than relying on special procedures or independent audit procedures to detect these problems. The company is expected to be proactive in identifying and correcting control deficiencies.

Figure 1.1 is from the 1992 COSO Integrated Framework report. It depicts these five elements of internal control and their interrelationships in a 3-sided pyramid, with the control environment as the base.

Figure 1.1 COSO Framework

Note that the information and communication component is positioned along the edge of the pyramid structure, indicating that this component has close linkages to the other components. It probably would be even more accurate if the component were depicted as affecting all the other ones, including the control environment and monitoring, as it is difficult to envision these components being effective without effective information and communication.

Historically, the auditing literature has pictorially described the COSO Framework in the shape of a cube (see Figure 1.2). This representation shows that controls can affect the entity either on an entity-wide basis or specifically on a divisional, regional, or product-line basis. The 2013 revision changed the “cube” and placed the control environment at the top of the cube. The strong hierarchical image of the pyramid and its strong base is somewhat lost in this representation, but for complex entities with multiple product lines or locations, the cube works well.

Figure 1.2 COSO Framework II

While both models have advantages, whatever the model used to communicate the Framework, it is helpful to have some physical representation of the Framework as a training tool and as a reminder of the components when initiating a project or bringing new personnel into an existing project. In the early days of Sarbanes-Oxley (SOX) implementation, some creative ways were developed to etch the components firmly in the auditor's mind. A unique product was a pen that revealed a new component each time the ballpoint pen point was retracted or extended.

A blessing of the COSO Framework is that together the five components seem to be satisfactory in describing the broad sources of internal control issues. The corresponding curse is that it is sometimes difficult to determine where specific facts and controls fall within the Framework. While it would be nice if a one-to-one relationship existed between processes and controls and the Framework components, that is not the case. Entities could, and did, make their own decisions about where controls belonged under the 1992 Framework. The focus and 17 Principles in the 2013 Framework will reduce the variability in classifying controls within the Framework going forward.

For example, the 1992 COSO Framework report contained only passing mention of information technology (IT). Can we cleanly assign IT to just one component? Clearly there is a linkage to the control activities component, since automated accounting processes and controls depend on IT being effective. In another sense, IT is important to information and communication, which relies on data in company databases being accurate and complete. And it is hard to imagine running a business or performing the governance function effectively without accurate and timely financial data, so failures of IT can also impact the control environment. The fact is that IT has a pervasive effect on many aspects of the controls assessment and does not fit neatly into only one of the component categories. However, IT General Controls are now a specific principle to be satisfied (Principle 11).

Another example is fraud risk. There is now a risk assessment principle (Principle 8) directed at assessing management's implementation of antifraud programs and controls. However, fraud risk can also be associated with the control environment, because of the risk of management override of controls. Fraud can also be associated with transaction processing (a control activity), such as cash disbursements. So, prior to the recent guidance, fraud risk was not clearly assigned to any one component.

The point here is that while some topical issues fall neatly within a COSO component, there are control issues that may potentially affect many other components. That is also a reason that the new guidance stresses the interrelationship of controls and control deficiencies. One deficiency can touch several principles and components.

Revised COSO Internal Controls Framework

The revised COSO Framework (2013) replaces the 1992 and 2006 Framework guidance and documents. Those prior publications will be considered superseded after December 15, 2014. Some key elements of the new guidance include:

• Retention of the five basic components: control environment, risk assessment, control activities, information and communication, and monitoring.

• Identification of 17 Principles that are deemed essential to the five components.

• Clear expectations that the elements of internal control work together in an integrated way.

Indeed, unless these elements are satisfied, COSO would conclude the system of internal controls is not effective.

Internal controls are defined in the revised Framework, and similarly in literature of the Public Company Accounting Oversight Board (PCAOB)2 and AICPA, as: “a process, effected by the entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

This definition is consistent with the focus in the revised Framework on articulating the objectives in the three elements of operations, reporting, and compliance.

The COSO Framework retains these three elements of internal control. For purposes of this book, our focus is on the financial reporting element. However, as we discuss the issues surrounding this element, note that putting on blinders to issues from the other elements is not appropriate. Failures in operating controls can create increased allowances for returns and greater estimated warranty expenses, and failures in regulatory controls can cause liabilities for environmental issues or labor law violations with financial consequences. What may seem like a bright line in the diagrams is in reality a blurred line in practice.

In all cases, COSO and regulators expect the entity, and not the auditor, to be responsible for the design and implementation of the system of internal control. Likewise, all entities are expected to document and maintain updates to their internal processes and controls. In public companies, auditors are often restricted by independence rules from venturing very far into the design, assessment, and documentation process. In private companies, the auditor may be more helpful at present; however, future independence rules may limit auditor involvement in government and private engagements. Private companies should prepare to annually maintain and update the documentation of their controls systems. Auditors need to prepare their clients to do so.

Accompanying the Framework guidance are illustrative templates for documenting assessments, deficiencies, and aggregating issues from the detailed deficiency level to an overall conclusion. These templates may be structured as entities wish, but it may be worthwhile to note their suggested content in the development of proprietary approaches. Not published are forms, documents, and work programs to guide the entity or auditor when