Internal Control Audit and Compliance. Graham Lynford
Читать онлайн.| Название | Internal Control Audit and Compliance |
|---|---|
| Автор произведения | Graham Lynford |
| Жанр | Зарубежная образовательная литература |
| Серия | |
| Издательство | Зарубежная образовательная литература |
| Год выпуска | 0 |
| isbn | 9781118996300 |
Those entities who adopted the 20 Principles outlined in the 2006 COSO guidance directed to smaller public entities will be farther down the road to converting to the 2013 guidance than those that by-passed this guidance and built their assessment process around the original Framework. As mentioned in the legacy versions of this work, that 2006 guidance was potentially useful to all entities and could be a real help in structuring effective assessment projects for any entity. And so it has come to pass. Where there was a change in the 2013 guidance from the 2006 version, this book also provides a road map of what has been added or reallocated to other principles. In addition, various hints are provided throughout the work to illustrate the potentially related principles when deficiencies are identified, in keeping with the integrated nature of controls as discussed in the 2013 guidance.
Mapping to the 2013 Guidance
One method used to map the 2013 guidance to the current project is to create a spreadsheet with the principles and relevant points of focus along one dimension and the previously identified controls along the other dimension. To be more effective, the matrix should also identify the relevant assertion(s) addressed by the controls (when assertions apply, such as for transaction controls) to ensure the coverage of the financial statements assertions and to identify any gaps. When identifying assertions, it may be appropriate to assign a numerical or letter value to the assertions you are using, so that the assertions covered can be sorted and gaps more easily identified. It may also be necessary to segregate the transaction- or disclosure-based controls by account or cycle so that the spreadsheet does not become unwieldy. Note that when considering cash controls, a deficiency might also indicate failure in a related principle, such as competence and training (Principle 4). It is a daunting task to pre-consider all the possible interactions between controls and principles and points of focus, so you may find some common linkages like the aforementioned example will be sufficient for mapping most controls. These linkages will not be automatic; they will depend on the specific root cause of the deficiency if it can be determined. A column or two could be allocated to identify potentially related principles. This task would be a new one, requiring familiarity with the 2013 approach and details of the principles and points of focus.
In total, the 2013 guidance notes 88 points of focus across the 17 Principles. However, a few of these points of focus are more closely related to operations and compliance objectives. Before discarding them from your analysis, note that such objectives often have a financial reporting implication in disclosure controls or for estimating allowance or reserve accounts. We discuss these issues further in connection with the risk assessment component itself.
Table 1.1 is an example template that maps identified entity controls to the 2013 guidance. You may wish to experiment with different approaches to this mapping before settling on one that makes the most sense for your organization, based on where you are and where you want to go. Depending on the component, subcomponent, and number of controls to be mapped, some matrices may be more effectively developed with the principles and points of focus across the top or down the side. While consistency in format is helpful, an unwieldy mapping format is not. Depending on the number of controls likely to be associated with a principle or related point of focus, it may be worthwhile to split the assessment into subsets (by component, by principles, or by other units, such as financial statement captions) that are more manageable. No one design will be perfect for all entities and industries. The important thing is that all currently identified key controls are mapped and that all principles and points of focus are arrayed so that potential gaps can be identified.
Table 1.1 Mapping Controls to the 2013 COSO Framework
3The notation P1 refers to Principle 1 and is noted this way throughout the text.
While COSO clearly states that all the points of focus need not be met to be able to state that an effective system of ICFR exists, many are using the points of focus (and principles) to determine if there might be gaps in controls or yet-undocumented controls of importance that should be recognized. From a documentation standpoint, it is a short leap to expect that a point of focus (POF) considered irrelevant or not applicable will be supported with an explanation of why this is so.
A secondary benefit of this exercise is to assist the independent audit team in relating your assessment to their work paper tools and templates, which often are not customized to your entity approach. Auditors spend considerable time mapping entity approaches to audit requirements, time often better spent on more productive and useful activities or even reductions in seasonal workload.
Basic Scoping and Strategies for Maintenance
All managements and auditors need to consider broadly the scope of ICFR. Just because a wide net is cast in examining controls does not mean that all of the controls under that net are key or critical; thus, testing and detailed analysis may not be required. However, managements were surprised in 2004 when controls over the hiring and use of specialists in determining fair values or allowances were declared by the PCAOB as in scope regarding ICFR. Current auditing standards require a specific assessment of the internal controls over the fair value estimation process. Nonpublic entity auditors are likewise directed by auditing standards to assess such controls over all estimates in the financial reporting process. Similarly managements and auditors were embarrassed when an academic, Professor Eric Lie, post-SOX, discovered that the values of stock options were being manipulated to benefit management in a number of large companies. This activity and process was not included in the early scoping of public company audits of internal control. A continuing conundrum is the issue of using service organizations for various accounting, IT, and data storage functions. A contemporary issue is the controls and security issue surrounding the use of cloud computing and cloud data storage. Outsourcing does not remove a function from the scope of internal controls assessment and analysis. Examples also exist of the failure to recognize the risks associated with trading or derivatives activities that may create exposures that exceed the apparent size of the operation; examples such as the Barings Bank collapse (currency trading) and Orange County, CA, bankruptcy (interest rate swaps) come quickly to mind.
The natural state of systems is for them to deteriorate over time. Managements, through monitoring and thoughtful annual reassessment, can keep a system in tune through an effective monitoring function. The absence or ineffectiveness of an effective monitoring function is likely to be a material weakness that would preclude an effective internal controls assertion or auditor reliance on controls to reduce other auditing procedures.
Where We Depart
Financial statement preparers of public, nonpublic, government, and nonprofit entities have the basic level of responsibility for assessing and documenting controls over financial reporting. While still responsible for the scoping, documentation, and verification that the described controls are implemented, nonpublic entities and their auditors may not need to test the controls as a basis for reliance on controls in setting the audit strategy. However, public companies have a specific requirement that they publicly assert the effectiveness of controls over financial reporting; doing that includes tests of the controls to be able to make that assertion. These various nonpublic entities and their auditors do have requirements that noted material weaknesses and/or significant deficiencies in controls (defined later) be reported to governance or to the overseeing regulator.
However, when auditors of any entity seeks to rely on the effectiveness of internal controls to reduce the scope of their other audit procedures, testing is necessary to confirm the assessment that the controls are designed and are operating effectively. Unlike in an attestation where high assurance is sought, the financial statement auditor may determine the right amount of testing and assurance to support the desired level of controls assurance from