Internal Control Audit and Compliance. Graham Lynford.

Author: Graham Lynford
Publisher: John Wiley & Sons Limited
Genre: Foreign educational literature
Year of publication: 0
ISBN: 9781118996300
positive shift in management opinion when compared to the early days of the imposed regulations.

      Organization of This Book

      The remainder of this book will go into more depth on the 5 components and 17 Principles of the COSO framework and provide examples of the issues that arise in the assessment and testing of the controls. Specific reporting requirements of public companies are also covered throughout the book. Since many entities already are performing some controls assessments, the section on project management is placed farther back in this book than in previous editions; however, those new to this process (e.g., new companies, new personnel, and new responsibilities) or those seeking to improve current processes may want to review this material sooner or even next.

      As the material is covered, there will be opportunities to speak directly to specific audiences, such as auditors or management or assessment team members, on specific issues, and these sections will be identified by special headings.

      Appendix 1A

      COSO 17 Principles

      Chapter 2

      Setting the Scope of Your Documentation Project

      Identifying the Core

      Start with Business Objectives

      The essential starting point for determining the extent of documentation you should include in your project is a clear statement of your objectives. Regardless of whether you are formally reporting on your controls or not, you should initially cast a broad net across your entity and reduce the focus on or exclude accounts or transaction streams only as evidence concludes that risks are low. The new COSO guidance emphasizes this as a precursor to risk assessment since the identified risks relate to the objectives.

      To meet the minimum documentation standards expected for any project, you probably can cut out the very minor (trivial) revenue streams and locations that individually are clearly insignificant in terms of assets, revenues, and income. Unfortunately, there is no consensus on where a bright-line minimum might be. Early on, auditors working with large public clients were bludgeoned into including just about everything with a dollar sign in the reporting on internal controls project because of the early interpretations of the guidance in Public Company Accounting Oversight Board (PCAOB) Auditing Standard (AS) No. 2. That standard has now been replaced (by AS No. 5) with a more risk-based standard than the original. Nonpublic companies follow similar guidance regarding scoping, but there is no clear discernible demarcation between items that should be in scope or out of scope. The danger is that errors in this judgment that later result in material misstatements can create legal liabilities.

      For example, the lack of known issues regarding revenue recognition is not sufficient evidence to deemphasize revenue recognition issues from the assessment in a business with clearly complex sales arrangements. The fact that a company's business is basically a cash business and there are no lingering revenue recognition or period-end cut-off issues is perhaps a more logical basis on which to deemphasize this common control issue in a company's analysis.

      Even in its interpretative guidance on evaluating internal control, the Securities and Exchange Commission (SEC) makes it clear to public companies that management's evaluation need not encompass all the controls that have been implemented at the company. The objective of management's evaluation is to provide it with a reasonable basis for determining whether any material weaknesses in internal control exist at year-end, the date of the required report on internal controls.

      In a risk-based approach, it is helpful for scoping and project management to identify and distinguish your “core.” These are the main activities of your business and likely constitute the bulk of revenues, expenses, and transactions. While not the limits of your scope, the core helps define objectives and identify the key risks to achieving those objectives. It is likely that your internal control efforts will often be concentrated on your core business, and if your core is not well designed and operating effectively, then it is hard to see how the system as a whole can be effective.

You may be able to develop a practical guideline of your core by analyzing the financial statements and the segment/division/location contributions to the numbers flowing into the financial statements. You should be able to include in the scope of your documentation a significant portion of the revenues, expenses, account balances, and net income by selecting a reasonable number of accounts and locations and transaction types within the scope of your project. For example, suppose your municipal entity had several different revenue sources, such as income taxes, fees, fines and judgments, usage charges, and revenue sharing. (See Table 2.1.)

Table 2.1 Using Revenue to Set Scope

      1 Total = $10,000,000

      The amounts or the risks associated with a component of the financial statements will cause you to include those streams within your project scope. Based just on revenues, you might be able to cover 85% of the revenues by evaluating the controls related to the two main streams of revenue. But the next question is whether you have covered your identified risks with this scope. Because fees and fines are more volatile from year to year, are more difficult to predict and verify, and involve more human interaction and judgment and fraud risk than the other areas, they probably still require controls attention.

      For example, if the receipt and recording of the revenue-sharing portion were easy to track because these revenues are allocated in a scheduled or known way from a larger pool of county revenues and transferred to you in an easy-to-audit transaction, the area may be considered a low risk and require only limited evidence to conclude the controls are effective. However, if the process over fees and their collection and recording is not as well controlled, and there is some risk of completeness (e.g., skimming, a type of fraud) and some risk of inaccurate processing when collecting these fees, then more effort may be placed on controls over these transactions than their sheer size might suggest.

      You might take similar key measures of other financial statement accounts and, in profit-oriented entities, consider the contribution to profit. Thus, you may find a profile of revenues, expenses, and locations or segments emerging from your analysis that really define the core of your entity. That core can be a starting point to determine the main focus of your controls assessment project.

      You may need some talking points to address the peripheral and trivial areas you do not identify as your core based on volume or risk. Auditors cannot reliably use size as a risk indicator when understatement is a risk. For example, a completeness risk could be that all the activity of a remote location might not be reported. Skimming is a fraudulent withholding of some of the revenue stream such that some revenues never get recorded.

      One approach followed by some entities is to make a list of the main controls and procedures that are in place regarding those amounts that might be candidates for exclusion from the analysis. For example, numerous smaller entities may be part of the consolidated entity but individually and in the aggregate still make up only a small portion of the overall entity. If these entities adhere to a common accounting manual of procedures, use the approved company software, and perform monthly bank reconciliations, and if management or internal audit visits these locations periodically to audit the details, then monitoring the key statistics and cash flows from these locations may be sufficient for management to detect a significant departure from expectations.

      As a general guide, you might start with all the financial statement accounts and elements in your initial scope of documentation and assessment of controls. Often the financial statement caption items are larger than materiality or are separately presented for some reason. Your documentation and design assessments can be broader (and should be, for your own protection) than any testing plans need to be. In my view, too many entities and their auditors are too quick in using risk assessment judgments to exclude amounts completely from the scope of the examination. There will come a day of reckoning for those who incorrectly assess risk, as there was with those who thought there was little or no risk in auditing Enron, WorldCom, and Parmalat. Smaller entities suffer similar fates based on bad guesses regarding risk;