Internal Control Audit and Compliance. Graham Lynford
the objectives in the three elements of operations, reporting, and compliance.

      The COSO Framework retains these three elements of internal control. For purposes of this book, our focus is on the financial reporting element. However, as we discuss the issues surrounding this element, note that putting on blinders to issues from the other elements is not appropriate. Failures in operating controls can create increased allowances for returns and greater estimated warranty expenses, and failures in regulatory controls can cause liabilities for environmental issues or labor law violations with financial consequences. What may seem like a bright line in the diagrams is in reality a blurred line in practice.

      In all cases, COSO and regulators expect the entity, and not the auditor, to be responsible for the design and implementation of the system of internal control. Likewise, all entities are expected to document their internal processes and controls and to keep that documentation current. In public companies, auditors are often restricted by independence rules from venturing very far into the design, assessment, and documentation process. In private companies, the auditor may be more helpful at present; however, future independence rules may limit auditor involvement in government and private engagements as well. Private companies should prepare to maintain and update the documentation of their control systems annually, and auditors need to prepare their clients to do so.

      Accompanying the Framework guidance are illustrative templates for documenting assessments and deficiencies and for aggregating issues from the detailed deficiency level to an overall conclusion. Entities may structure these templates as they wish, but it is worthwhile to note their suggested content when developing proprietary approaches. Not published are forms, documents, and work programs to guide the entity or auditor when gathering information, performing assessments, and drawing conclusions. While various vendors may make such forms available to entities and auditors, the responsibility for ensuring the quality of those materials lies with the user, since neither COSO nor the auditing standards setters “certify” specific products.

      The new guidance retains much of the conceptual look and feel of the original 1992 Framework. In addition to the guidance itself, there is a separate COSO volume with suggested approaches and examples of gathering evidence to support the principles, points of focus, and components. The COSO guidance should be accessible to the project leader or audit team, particularly in the initial period of implementing the new guidance. In addition to purchasing the set of guidance at www.cpa2biz.com, various technical information vendors (e.g., Accounting Research Manager) offer online versions to subscribers. Project leaders and audit team leaders should take the time to study these resources in some detail to ensure that the team is properly interpreting the principles and understands what sources of evidence might exist. Neither companies nor auditors are required to follow the suggested approaches or examples. They are presented simply as guidance; unlike the 17 Principles, they do not have to be satisfied or followed.

      Although checklists are popular in auditing, users should resist creating checklists of controls in lieu of analyses, descriptions, and explanations of controls. COSO guidance asks “How do you accomplish this objective, or how do you satisfy this assertion?” rather than whether a specific control does or does not exist. The points of focus articulated for each principle are best read together with that principle, ensuring that most of them are considered when assessing whether the principle has been effectively implemented. While not a “checklist,” the points are a helpful reminder of the scope of issues embodied in the principle. However, not all of these more than 80 points will apply to every entity.

      Since 1992, business has changed in many ways. The 2013 Framework notably picks up two major trends and weaves them throughout the new Framework. These trends are:

      1. Widespread use of outsourcing. Today more and more business functions are being outsourced to third parties. Outsourcing a function does not take it off the table when the function relates to ICFR. The outsourced function should adhere to the same standards the entity is held to, including the entity's ethical standards. That includes outsourcing to far distant parts of the earth where cheaper wages may prevail. Outsourcing is mentioned in the discussions and examples of 12 of the 17 Principles; that does not preclude its application to other principles. Since 2003 the Securities and Exchange Commission (SEC) has required outsourcing entities to include a right-to-audit clause in agreements so that entities can ensure, if necessary, that controls are effective at the outsourced facility. Enhancements to the requirements for issuing Service Organization Control reports (SOC 1 and SOC 2 reports) have also advanced the quality of these reports and their usefulness in placing reliance on outsourced functions. Note that a SOC 1 report addresses the service organization's controls relevant to user entities' financial reporting, while a SOC 2 report addresses trust services criteria such as security and availability, so the report relied on should match the objective being assessed.

      2. Widespread use of computer processing. While the 1992 Framework gave limited mention of computer systems, the revised Framework weaves computer and network issues into the discussions of 14 of the 17 Principles.

      Other changes brought about by the 2013 guidance will likely include:

      • More attention to areas other than control activities. The 17 Principles and numerous points of focus will force many entities to gather more information than previously regarding the “softer” controls and assessments. It was perhaps easier for all to focus on transaction controls, but the new COSO guidance attempts to rebalance the efforts.

      • More focus on risk assessment. Risk assessment is more carefully articulated, and more assessment is sought of the types of risk as well as the potential magnitude and likelihood of a risk occurring. In addition, COSO introduces two new measures of risk: velocity and persistence. Like a storm, the intensity and duration of a risk can have a very direct effect on the damage sustained. Hurricanes Sandy and Katrina and Midwest tornadoes provide evidence that some unlikely events can have devastating and long-lasting impacts. So it is with some business risks. Risk assessment can be seen as a fundamental task that provides a framework for assessing the adequacy of the system of internal controls to prevent or detect material misstatement.

      What We Must Do

      Entities should assess and document their internal controls. COSO and auditing standards agree that this is a responsibility of the entity. One often hears the concern voiced that entities have neither the expertise nor the manpower to perform this task. When such excuses are offered, the auditor often begins to question whether the lack of expertise might indicate a controls deficiency. An entity without the expertise to document controls might also lack the ability to design and monitor controls or to respond to issues that arise when controls fail. If the entity does not view internal control as a priority, then questions arise as to whether the control environment is lacking in some respect. The fact is that many entities would rather not bother with this responsibility, despite its overall value to society in adding integrity to investor reports and to the security and success of the entity itself. Attitude is important in shaping the quality of the controls and the quality of the oversight and continuous improvement that sustains and strengthens systems.

      Entities and auditors should also have some evidence to support the fact that the descriptions of the internal controls relate to what is actually happening. That evidence may be through observation, examination of evidence, or reperformance of the control. Auditors are instructed to document their understanding of internal controls (and not the whole system of processes and activities). To the extent the entity has done the process and controls documentation well, the auditor can test that work and draw from it in lieu of reinventing the wheel.

      All entities need to take a broad look at internal control over financial reporting (ICFR) and not ignore elements that are difficult to assess (the control environment, IT, or processes and controls that are outsourced). In some derivative applications of internal control in other jurisdictions (e.g., J-SOX in Japan), only major processes are “in scope” for purposes of the assessment. There is no 80–20 rule or simple exclusion for U.S. generally accepted auditing standards (GAAS) applications. Materiality (alone or in aggregate) is the benchmark