Internal Control Audit and Compliance. Graham Lynford

at controls. The public company assertions about internal control effectiveness are directed at controls. So why is so much time and effort devoted to evaluating and documenting the business processes underlying the controls in company and auditor documentation? A significant potential source of efficiency and greater effectiveness in the controls documentation and assessment tasks is a clear distinction between controls and processes.

      A simple example: A cash payment (cutting the check) is part of a process. A review of the support for the payment by someone other than the accountant is a control. A sale on credit initiates a process of shipment and recognition of a receivable. Checking the credit rating of the customer or checking that the customer is preapproved is a control over the validity or existence of the sale. The requirements are to document, assess, and test controls, not processes. But mountains of documentation are produced and retained in the name of controls documentation, which many times do not contain the description of a single real control.

      If all the unnecessary documentation that has been produced magically evaporated from the hard drives and storage rooms of companies and auditors, some highly underutilized storage capacity would be revealed. Please understand, I know we are fond of our flowcharts, narratives that go on and on, and creating a lot of detailed descriptions of how things work. There is nothing wrong with all that. But the focus here is controls. How do we ensure completeness, how do we ensure our ownership of the assets we claim, how do we ensure the transactions are recorded in the proper period? As long as all these considerations (and a lot more to be discussed later) are addressed, the only drawbacks to the volumes we create are the updating, review, and editing we have to apply when changes occur and the mountains of data that have to be reviewed by management and the independent auditors. It's only money.

      A current trend is away from the beloved narratives toward more flowcharting to document the business process and control points. However, it may be more efficient to keep separate controls documents than to muddy up flowcharts with all the data necessary to describe, assess, and hold the tests of the controls. Flowcharts or narratives can still be referenced to specific controls documentation.

      By careful adherence to the spirit of the COSO Framework, the documentation of controls can be concise and organized. Whether you are just beginning in this process now or are seeking ways out of the quagmire of documentation produced previously, there is a way to meet the requirements without producing excessive volumes of documentation.

      Internal Control Has Limitations

      The existence of undesirable outcomes like misstatements and omitted disclosures may indicate that the process itself was flawed. However, that direct connection may not always hold true. It is possible that an internal control failure can be attributed to something other than a flawed process.

      Internal control provides reasonable but not absolute assurance that an entity will achieve its financial reporting objectives. Even an effective internal control system can experience a failure due to:

      • Human error. The people who implement internal controls may make simple errors or mistakes that can lead to control failures.

      • Management override. Even in an otherwise well-controlled entity, managers may be able to override internal controls for selfish purposes.

      • Collusion. Two or more individuals may collude to circumvent what otherwise would be effective controls.

      Objective-Driven Approach

      The COSO Framework views internal control as built-in to an entity's overall business processes, as opposed to a separate added-on component that attaches itself to the company's real business. Building in internal control requires that management do four things:

      1. Establish business objectives. For our purposes, the most relevant objectives relate to financial reporting.

      2. Identify the risks to achieving those objectives.

      3. Determine how to manage the identified risks. The establishment of internal controls is just one of several options.

      4. Where appropriate, establish controls as a way to manage certain risks. Individual controls are designed and implemented to meet the stated risks.

      Internal controls have limited value by themselves – they do not produce a product or service or generate revenue for the business. Controls have value to the degree to which they help the entity achieve its objectives by providing complete, accurate, relevant, and reliable information for decision making and for the fair communication of financial results to third parties. The effectiveness of internal control is judged according to how well it aligns with and addresses the objectives of the company.

      Flexible, Adaptable, No One-Size-Fits-All Approach

      The COSO Framework is a conceptual and not a rigid, prescriptive approach to internal controls. Thus, a paint-by-numbers approach is not going to be effective in complying with the aims of COSO. COSO recognizes that different entities will make different choices about how to implement controls in their businesses. The key is not whether the company uses control A or control B but whether the controls in place meet the risks by proper design and effective operation. COSO is not a checklist of suggested controls. Furthermore, management will make certain cost–benefit judgments and trade-offs. For example, an elaborate control structure over cash disbursements may be warranted in a large and complex business, but simpler controls may be effective and efficient in smaller enterprises. The result: Internal control is not a one-size-fits-all proposition, and a checklist of “usual” controls is not an effective tool to satisfy the COSO Framework guidance.

      What can sometimes be frustrating about COSO controls guidance and the auditing standards is that simplifying the assessment and testing process through the use of practice aids is not easy. A successful project requires thought and understanding to apply the objectives of the Framework to a specific company circumstance. It takes knowledge of the entity and its processes, the regulatory environment, and the COSO Framework to make sense of the assessment and testing process. Early in the implementation of SOX, an experienced audit partner noted that she obtained a much better knowledge of her clients and their risks after going through the controls assessment process with them. Companies seeking practice aids to take the work out of the assessment process eventually realize this is not an achievable goal. However, an assessment and testing project done right is much easier to maintain over time than one cobbled together to get through this year. Think long term. Practice aids can still have value, but they must be adapted to the application. There is no turn-key approach out there, despite any Web site or brochure claims.

      Furthermore, circumstances change at the entity, and so its internal control must be designed in a way to adapt and remain effective in a dynamic business environment. In fact, one of the primary objectives of the monitoring component of internal control is to assess the quality of the system's performance over time, recognizing that circumstances will change. In the 2013 guidance, analyzing and responding to change is a Principle (9) to be satisfied.

      Reasonable Assurance

      COSO recognizes the limitations of internal control. No matter how well designed or operated, internal control can provide only reasonable assurance that objectives will be met. Reasonable assurance is a high threshold, but it stops short of absolute assurance. The presence of an isolated internal control failure (less than a material weakness) does not, in and of itself, mean that a system is ineffective. COSO even states that “even an effective internal control system can experience failure.”

      However, to be able to report publicly that internal controls are effective or to rely on the effectiveness of internal controls in lieu of other audit procedures requires that material weaknesses are either not present