Title: Internal Control Audit and Compliance
Author: Graham Lynford
Publisher: John Wiley & Sons Limited
Genre: Foreign educational literature
isbn: 9781118996300
The natural state of systems is for them to deteriorate over time. Management, through monitoring and thoughtful annual reassessment, can keep a system in tune. The absence or ineffectiveness of a monitoring function is likely to be a material weakness that would preclude an effective internal controls assertion or auditor reliance on controls to reduce other auditing procedures.
Where We Depart
Financial statement preparers of public, nonpublic, government, and nonprofit entities have the basic level of responsibility for assessing and documenting controls over financial reporting. While still responsible for the scoping, documentation, and verification that the described controls are implemented, nonpublic entities and their auditors may not need to test the controls as a basis for reliance on controls in setting the audit strategy. However, public companies have a specific requirement that they publicly assert the effectiveness of controls over financial reporting; doing that includes tests of the controls to be able to make that assertion. These various nonpublic entities and their auditors do have requirements that noted material weaknesses and/or significant deficiencies in controls (defined later) be reported to governance or to the overseeing regulator.
However, when auditors of any entity seek to rely on the effectiveness of internal controls to reduce the scope of their other audit procedures, testing is necessary to confirm the assessment that the controls are designed and are operating effectively. Unlike in an attestation where high assurance is sought, the financial statement auditor may determine the right amount of testing and assurance to support the desired level of controls assurance from “low” (some) to “high.” When high assurance is sought, the project scope and testing level are similar to those required for an attestation. However, the assurance sought for controls reliance usually covers the entire audit period, not just the status of internal controls on the date of the report.
Nonpublic entities may optionally report on the effectiveness of their internal controls. Auditors can attest to these assertions under the revised AICPA attestation standards (e.g., AT 501). Alternative attestations allow for attestations on only the design of the controls or an attestation on both the design and operating effectiveness of the controls over financial reporting. For example, a nonprofit entity may wish to report on internal controls to provide assurance to donors of its stewardship over the donated funds and as a competitive tool to attract new donors. It seems likely that some government entities may soon be required to publicly report on their internal controls as a demonstration of their stewardship of public funds.
For certain regulated program audits (e.g., Office of Management and Budget [OMB] A-133 program audits of federal awards and programs), there may be specific audit requirements to meet compliance (with laws and regulations) that require tests of specifically identified controls over compliance by auditors. A source of confusion among some auditors is the fact that there exists very different guidance for financial statement and compliance-oriented government program audits. The focus of this book is on the ICFR.
Public companies report publicly on the effectiveness of their ICFR. As a result, SEC regulations require these entities to test controls as a basis for their assertion. There are specific exemptions from this requirement for companies when they first become public. Auditors of smaller public companies do not have to specifically report to the public on the effectiveness of the auditee's internal controls in the SEC 10-K annual filing. (This relief is now permanent under the Dodd-Frank Act of 2010.) However, auditors of larger public companies, accelerated filers,[3] do have to report to the public on the effectiveness of the auditee's internal controls in the required SEC 10-K annual filing. Therefore, auditors would also have a requirement to test internal controls as a basis for their assertion. The auditors of newly registered companies (under the Jumpstart Our Business Startups [JOBS] Act) may qualify for an exemption to auditor reporting on internal controls, provided revenues are under a predefined threshold.
As noted later, auditor oversight and testing may be important to ensure the quality of management's assertion regarding the effectiveness of controls. This seems to be particularly true as management first becomes familiar with controls issues.
Triangle of Efficiency
Everyone desires an efficient project. From experience, an important consideration in achieving an efficient implementation of a controls assessment project is an understanding of the tasks and the acquisition of the skills before beginning in earnest the documentation, assessment, and testing process. Time and again the failure of one of the three key elements in what I call the triangle of efficiency (see Figure 1.3) is the root cause of wasted time and energy, and more often than not it results in an incomplete or incorrect assessment. This is an issue worth mentioning at the start, because false steps will cost money to correct.
Figure 1.3 Triangle of Efficiency
The three knowledge components are:
1. Knowledge of entity and/or auditor requirements.
2. Knowledge of COSO.
3. Knowledge of company controls and processes.
In the case of public companies, their specific requirements are stated by the SEC. Private companies should look to COSO for guidance. While there is nothing contradictory about the SEC and COSO literatures, public companies should be familiar with the SEC-specific requirements, which may contain more detail regarding specific reporting and filing requirements. Public company auditors will be looking toward PCAOB Auditing Standard No. 5 for their requirements, which happen to be closely aligned with the SEC requirements, and ensuring public companies are following that guidance.
It often feels good just to get started on a project and begin to accumulate some evidence of progress. Indeed, that was a clear motivation in companies and auditors beginning to document the detailed activity-level controls over transactions before comprehending the scope of the requirements in 2004 when first reporting on controls under SOX. The resultant complaints about costs and time expended are intertwined with issues regarding failures to consider one or more of the three triangle components.
Experience says that if any of the three elements here is lacking, then there will be an impact on the efficiency and effectiveness of the overall project. Company consultants may be very competent in knowing COSO and knowing company and audit requirements, but they still have to learn the entity and its controls in order to perform their task. Close integration of company and consulting personnel can contribute greatly to efficiency of the company project over a strategy where the task is given primarily to the consultant. In the long run, the most efficient process is often one that is brought in-house and maintained by the entity. This controls focus in entity culture and auditing is not likely to go away. It is likely a part of our permanent business environment.
Controls versus Processes
A good discussion to have before plunging into more subject matter here concerns the source of the surprisingly widespread misunderstanding regarding the distinction between controls and processes. COSO and the regulatory requirements for companies
[3] Accelerated filers have a market capitalization of $75 million or more.