Internal Control Audit and Compliance. Graham Lynford

Page 5

assessments.

      One message that rings clear in the 2013 COSO guidance is the need to articulate management's objectives in terms of operations, financial reporting, and regulatory compliance. Those objectives are the starting point from which management identifies “risks”: the risk assessment component in the Internal Controls Framework and in COSO ERM ties each risk to a stated objective, answering the question “Risks to what?” The objectives related to financial reporting are often fairly obvious. For example, “fair financial reporting in accordance with generally accepted accounting principles (GAAP)” is a common high-level objective, and the many estimates in the accounting process present risks to meeting it. An entity objective could also be to protect certain proprietary information from public disclosure and competitor scrutiny; the risks to that objective are more specific to the entity and repay closer thought. Entities should articulate their specific objectives, because meaningful risk assessment, and the design and maintenance of the controls that mitigate those risks, follow from them. Auditors may guess at company-specific financial reporting risks, and the financial statement assertions (completeness, existence, valuation, etc.) help structure the audit goals, but auditors cannot know all the nuances that management is considering. The assessment of financial reporting risks is therefore best performed by the entity and shared with the auditor; too often it happens the other way around. Entities that fail to set objectives and identify risks are likely to exhibit, and be assessed, a material weakness in the risk assessment component of the Framework.

      Transitioning to COSO 2013

      Many entities will seek the quickest and easiest way to transition to COSO 2013. For many there will be a significant number of additional control points to consider, since the 2013 Framework is more specific (17 Principles and numerous points of focus) than the original 1992 Framework. This challenge should also be viewed as an opportunity to reconsider current documentation and approach rather than to institutionalize past practices that may not be the most efficient and effective. A “let's just get through this year” attitude usually means that needed changes are never made and opportunities are lost. While much of this book is devoted to insight that supports an effective and efficient assessment, there remains a real question of how best to take advantage of what has already been done and carry any best practices forward.

      Entities that adopted the 20 Principles set out in the 2006 COSO guidance directed at smaller public entities will be farther down the road to converting to the 2013 guidance than those that bypassed that guidance and built their assessment process around the original Framework. As noted in earlier editions of this work, the 2006 guidance was potentially useful to all entities and could help structure effective assessment projects for any entity, and so it has proved. Where the 2013 guidance changed from the 2006 version, this book also provides a road map of what has been added or reallocated to other principles. Hints are given throughout the work to point out potentially related principles when deficiencies are identified, in keeping with the integrated nature of controls as discussed in the 2013 guidance.

      Mapping to the 2013 Guidance

      One method of mapping the 2013 guidance to the current project is to create a spreadsheet with the principles and relevant points of focus along one dimension and the previously identified controls along the other. To be more effective, the matrix should also identify the relevant assertion(s) each control addresses (where assertions apply, as for transaction controls) so that coverage of the financial statement assertions can be confirmed and gaps identified. Assigning a numerical or letter code to each assertion you use lets the assertions covered be sorted and gaps spotted more easily. It may also be necessary to segregate transaction- or disclosure-based controls by account or cycle so that the spreadsheet does not become unwieldy. Note that a deficiency in, say, cash controls might also indicate a failure in a related principle, such as competence and training (Principle 4). Pre-considering every possible interaction between controls, principles, and points of focus is a daunting task, so a few common linkages like this example will usually suffice for mapping most controls. Such linkages are not automatic; they depend on the specific root cause of the deficiency, if it can be determined. A column or two can be allocated to identify potentially related principles. This is a new task, requiring familiarity with the 2013 approach and the details of the principles and points of focus.
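As an added illustration of the mapping matrix and gap check just described (this is example code written for this edition, not a template from the book or from COSO), the following Python script builds a small control-to-principle matrix from constructed sample data and reports three things: points of focus with no mapped control, assertions that no control addresses within each transaction cycle, and controls that cite a point of focus or assertion code that does not exist. The point-of-focus identifiers (P1.1, P4.2, ...) and their one-line descriptions, the single-letter assertion codes, and the five sample controls are all assumptions made for illustration; an entity would substitute its own control inventory and the full list of principles and points of focus.

```python
"""Gap analysis over a control-to-COSO-2013 mapping matrix (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed assertion coding: single letters so coverage can be sorted.
# Dict order is the order used in the gap report.
ASSERTIONS: Dict[str, str] = {
    "C": "completeness",
    "E": "existence/occurrence",
    "V": "valuation/accuracy",
    "R": "rights and obligations",
    "P": "presentation and disclosure",
}

# Points of focus keyed "P<principle>.<n>". Only a handful of the 17
# principles appear, and the descriptions are placeholders, not COSO text.
POINTS_OF_FOCUS: Dict[str, str] = {
    "P1.1": "sets the tone at the top",
    "P4.1": "evaluates competence and addresses shortcomings",
    "P4.2": "provides training to maintain competence",
    "P10.1": "control activities address the assessed risks",
    "P12.1": "policies and procedures are established",
}


def pof_key(pof: str) -> Tuple[int, int]:
    """Sort key so that P4.1 sorts after P1.1 and before P10.1."""
    principle, point = pof[1:].split(".")
    return int(principle), int(point)


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    points_of_focus: FrozenSet[str]            # POF ids the control supports
    cycle: Optional[str] = None                # None for entity-level controls
    assertions: FrozenSet[str] = frozenset()   # codes from ASSERTIONS


# Constructed sample controls; not taken from any real entity.
CONTROLS: List[Control] = [
    Control("C-01", "Monthly bank reconciliation reviewed by controller",
            frozenset({"P10.1"}), "Cash", frozenset({"C", "E"})),
    Control("C-02", "Annual code-of-conduct acknowledgement", frozenset({"P1.1"})),
    Control("C-03", "Accounting hires must hold a CPA or equivalent", frozenset({"P4.1"})),
    Control("C-04", "Three-way match of PO, receiving report and invoice",
            frozenset({"P10.1", "P12.1"}), "Purchasing", frozenset({"E", "V"})),
    Control("C-05", "Quarterly review of allowance for doubtful accounts",
            frozenset({"P10.1"}), "Revenue", frozenset({"V"})),
]


def coverage_matrix(controls, pofs=POINTS_OF_FOCUS) -> Dict[str, Dict[str, str]]:
    """Spreadsheet rows: control id -> {POF id: "X" if mapped else ""}."""
    columns = sorted(pofs, key=pof_key)
    return {c.control_id: {p: ("X" if p in c.points_of_focus else "") for p in columns}
            for c in controls}


def unmapped_points_of_focus(controls, pofs=POINTS_OF_FOCUS) -> List[str]:
    """POFs no control maps to: either a control gap or an undocumented control."""
    covered = set().union(*(c.points_of_focus for c in controls))
    return sorted((p for p in pofs if p not in covered), key=pof_key)


def assertion_gaps(controls, assertions=ASSERTIONS) -> Dict[str, List[str]]:
    """Per transaction cycle, assertion codes that no mapped control addresses."""
    covered_by_cycle = defaultdict(set)
    for c in controls:
        if c.cycle is not None:
            covered_by_cycle[c.cycle] |= c.assertions
    return {cycle: [a for a in assertions if a not in covered]
            for cycle, covered in sorted(covered_by_cycle.items())}


def unknown_references(controls, pofs=POINTS_OF_FOCUS, assertions=ASSERTIONS):
    """Controls citing a POF id or assertion code that does not exist (typos)."""
    bad: List[Tuple[str, str]] = []
    for c in controls:
        bad.extend((c.control_id, p) for p in sorted(c.points_of_focus - set(pofs)))
        bad.extend((c.control_id, a) for a in sorted(c.assertions - set(assertions)))
    return bad


if __name__ == "__main__":
    for cid, row in coverage_matrix(CONTROLS).items():
        print(cid, " ".join(f"{p}:{mark or '-'}" for p, mark in row.items()))
    print("Unmapped points of focus:", unmapped_points_of_focus(CONTROLS))
    print("Assertion gaps by cycle:", assertion_gaps(CONTROLS))
    print("Bad references:", unknown_references(CONTROLS))
```

On the sample data the script reports P4.2 (training) as unmapped, which is exactly the kind of finding the text anticipates: either a control exists and has not been documented, or there is a gap. The per-cycle assertion report is what the suggested letter coding is for; the cash cycle, for instance, has controls over completeness and existence but nothing mapped to valuation, rights, or presentation, which is a prompt to look, not by itself a deficiency. The reference check guards against the ordinary spreadsheet failure of a mistyped principle number silently leaving a control unmapped.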

      In total, the 2013 guidance lists 88 points of focus across the 17 Principles. A few of them relate more closely to operations and compliance objectives. Before discarding those from your analysis, note that such objectives often have financial reporting implications, in disclosure controls or in estimating allowance or reserve accounts. These issues are discussed further in connection with the risk assessment component itself.

Table 1.1 is an example template that maps identified entity controls to the 2013 guidance. You may wish to experiment with different approaches to this mapping before settling on the one that makes the most sense for your organization, based on where you are and where you want to go. Depending on the component, subcomponent, and number of controls to be mapped, some matrices are more effectively developed with the principles and points of focus across the top and others with them down the side. Consistency of format is helpful, but an unwieldy format is not. Depending on the number of controls likely to be associated with a principle or point of focus, it may be worthwhile to split the assessment into more manageable subsets (by component, by principle, or by other units such as financial statement captions). No one design will be perfect for all entities and industries. What matters is that all currently identified key controls are mapped and that all principles and points of focus are arrayed so that potential gaps can be identified.

Table 1.1 Mapping Controls to the 2013 COSO Framework

      [3] The notation P1 refers to Principle 1 and is used this way throughout the text.

      While COSO clearly states that not every point of focus need be met in order to conclude that an effective system of ICFR (internal control over financial reporting) exists, many entities use the points of focus (and principles) to look for gaps in controls or for important, as-yet-undocumented controls that should be recognized. From a documentation standpoint, it is a short leap to expect that a point of focus (POF) considered irrelevant or not applicable will be supported by an explanation of why that is so.

      A secondary benefit of this exercise is to help the independent audit team relate your assessment to their work paper tools and templates, which are often not customized to your entity's approach. Auditors spend considerable time mapping entity approaches to audit requirements, time better spent on more productive and useful activities or on reducing seasonal workload.

      Basic Scoping and Strategies for Maintenance

      Management and auditors alike need to consider the scope of ICFR broadly. Casting a wide net when examining controls does not mean that every control under that net is key or critical, so testing and detailed analysis may not be required for all of them. However, management was surprised in 2004 when the PCAOB declared controls over the hiring and use of specialists in determining fair values or allowances to be in scope for ICFR. Current auditing standards require a specific assessment of the internal controls over the fair value estimation process, and auditing standards likewise direct auditors of nonpublic entities to assess such controls over all estimates in the financial reporting process. Similarly, management and auditors were embarrassed when an academic, Professor Erik Lie, discovered post-SOX that the values of stock options were being manipulated to benefit management at a number of large companies. This activity and process was not included in
