Internal Control Audit and Compliance. Graham Lynford
Чтение книги онлайн.

Читать онлайн книгу Internal Control Audit and Compliance - Graham Lynford страница 2

СКАЧАТЬ This volume cannot possibly (or legally) reproduce all the potential COSO reference material you may wish to refer to as your project proceeds.

      Some suggestions, based on first readers' comments as to how to get the most out of this volume include:

      • Use the material in this volume first to get the lay-of-the-land and understand the concepts underlying the revised Framework.

      • Use the guidance here to make an initial mapping of the current state of your assessment to what COSO 2013 is seeking.

      • Look at the suggested tools in this volume and in the illustrative templates in the COSO template materials and craft an initial idea of what you think your documentation might look like in a few areas.

      • Take advantage of the unique guidance in this volume on crafting interviews and questionnaires, sampling and testing and deficiency assessment.

      • Try your ideas out. Include IT assessments and walkthroughs and controls tests to give any revised approach a full trial.

      • Revise the plan and flesh out the new directions.

      • Provide a forum for discussion with all core team members to share observations and suggestions.

      • Develop training material to ensure consistent application as you roll out the new direction.

      • Utilize continuous improvement and other techniques to keep the project fresh and current.

      This book updates and replaces two separate volumes previously published by John Wiley & Sons: Internal Controls–Guidance for Private, Government, and Nonprofit Entities (2007) and Complying with Sarbanes Oxley Section 404: A Guide for Small Publicly Held Entities (2010). Because of the common Framework these diverse applications now share, it makes sense to combine these volumes at this time. Many of the technical and operational issues are shared in these applications, albeit with different levels of importance and intensity to specific entities and audit environments.

      The evolution of the COSO Framework is one of close personal association since I was a partner with Coopers & Lybrand as the 1992 Framework was first being drafted for COSO and introduced to (C&L) clients. I was responsible for the development and training at BDO in applying the Framework to SOX, was a member of a professional Firm 404 Implementation Task Force and was a member of the Auditing Standards Board as the COSO Framework was further integrated into Generally Accepted Auditing Standards. I was appointed as an AICPA representative in roundtable discussions with COSO developers leading up to the release of the 2006 enhanced guidance for smaller public entities and have worked with companies and auditors in implementation issues throughout this period and to date. I have developed several training courses for the AICPA and other associations in documenting internal controls. My sincere hope is that this work will make a difference for those seeking new insights and better approaches to the implementation of the Framework. I would like to thank my clients for all the learning opportunities along the way.

      Acknowledgments

      As always, special thanks go to my wife Barbara and to my family, who again tolerated my being sequestered in my office during the development and refinement of this work.

      Thanks to my clients, both companies and auditors and peers, that provided the experiences and training grounds. Also to be acknowledged are the dedicated professionals of the various COSO development teams and the AICPA and PCAOB whose writings have been woven into this work.

      A special thank you also goes to the many John Wiley and Sons production and editing professionals that have helped make this work and its predecessors along the way more readable and focused and to the Wiley leadership of John DeRemigis and Timothy Burgard who strongly supported the production of this volume.

      Chapter 1

      What We All Share

      Regardless of the type of entity, all Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework users and auditors in the public and nonpublic sectors share a great deal in common. We broadly outline those shared characteristics here before plunging into the details of application and documentation. This will also help readers to target the specific goals they have in studying this material. Later these concepts are developed in more detail. For now they serve to overview the subject matter.

      Need for Control Criteria

      Early auditing literature talked about controls, primarily in terms of controls over more routine transactions, such as cash receipts and disbursements. Based on the analysis of business and accounting failures over decades of experience, it became clear that a broader view of controls was necessary to address the various management, information processing, or oversight weaknesses that so often contributed to these events. However, there was no broader framework or set of criteria against which to evaluate the effectiveness of the entity in controlling its risk of filing materially false financial information and preventing other types of fraud. The COSO Framework has filled that void.

      A set of criteria is a standard against which a judgment can be made. In the United States, the internal control integrated framework published by COSO is just about the only overall controls criteria to assess the effectiveness of internal controls over financial reporting (ICFR). Choosing an appropriate control criteria is a Securities and Exchange Commission (SEC) requirement for public companies when performing an assessment of the effectiveness of an entity's internal control. The American Institute of Certified Public Accountants (AICPA) auditing literature references COSO components in its guidance to auditors of nonpublic companies, so from a practical perspective, COSO is the only game in town. While there are other frameworks out there (e.g., the criteria of control (COCO) framework from Canada, the Turnbull Report in the United Kingdom, and SOX of Japan), these are not that dissimilar to COSO in overall concept and have not gained wide acceptance outside of their home countries.

      Overview of the COSO Internal Control Integrated Framework

      In 1985, COSO was formed to sponsor the National Commission on Fraudulent Financial Reporting, whose charge was to study and report on the factors that can lead to fraudulent financial reporting. It was motivated by yet another intense period of time when financial reporting fraud and alleged audit failures were prominent in the news. Since this initial undertaking, COSO has expanded its mission to improving the quality of financial reporting. A significant part of this mission is aimed at developing guidance on internal control. In 1992, COSO published Internal Control – Integrated Framework, which established a framework for internal control and provided evaluation tools that businesses and other entities could use to evaluate their control systems.1

      The COSO internal control framework identifies five components of internal control:

      1. Control environment

      2. Risk assessment

      3. Control procedures

      4. Information and communication

      5. Monitoring

      Today these remain unchanged from the 1992 Framework. That is a testament to the fundamental correctness of the COSO Framework. However, the level of detailed guidance over the years has increased due to the more recent widespread implementation of the Framework in our business environment and a desire to have more consistency in the application of COSO principles.

      Holistic, Integrated View

      The COSO Framework identifies five main components СКАЧАТЬ



<p>1</p>

In 2003, COSO published a draft of a document, entitled Enterprise Risk Management (ERM) Framework, whose purpose was to provide guidance on the process used by management to identify and manage risk across the enterprise. This new framework is not intended to supersede or otherwise amend its earlier internal control framework guidance on internal control. Internal control is encompassed within and an integral part of enterprise risk management. Enterprise risk management is broader than internal control, expanding the discussion to form a more robust conceptualization of enterprise risk. Internal Control–Integrated Framework remains in place for entities and others looking at internal control over financial reporting by itself. Note: Entities using the ERM Framework will still need to make a pointed financial statement risk assessment, as detailed in the risk assessment component discussion.