Wiley Practitioner's Guide to GAAS 2020. Joanne M. Flood
In 2007, the SEC revised its rules and described a “risk-based, top-down” approach to understanding internal control. Auditors of nonpublic companies are not required to use this approach. However, applying its basic principles will provide an effective and efficient approach to meeting the requirements of Section 315.
In general, the key steps in this approach include the following:
1 Ask “what can go wrong?” in the preparation of the financial statements. The auditor should use knowledge of the client, external events and circumstances, and the application of GAAP to identify risks that the entity’s financial statements could be misstated. Once they are identified, the auditor should assess the relative magnitude of these risks.
2 Identify controls that address the “what can go wrongs.” The entity should have controls in place to mitigate those misstatement risks that are of some significance. The auditor will focus attention on those controls whose failure is most likely to result in a material misstatement. To make this determination, the auditor will consider both:
• The likelihood that the control will fail, and
• If it did fail, the significance of the misstatement that would result.
For example, an entity may have controls over its bank balances (e.g., month-end bank reconciliations) and its petty cash on hand. Auditors will focus on the controls over the company’s bank balances, because the risks related to a failure of the reconciliation are greater than the risks related to petty cash. That is, if the bank reconciliations fail, the misstatement of the financial statements could be material; if petty cash were misstated, the misstatement would not be material.
3 Obtain an understanding of relevant controls from the “top” down. This process of identifying controls should begin at the “top,” with the broadest, most pervasive controls, and then proceed “downward” to more direct, specific controls.
A Top-Down Approach to Evaluating Controls
The consideration of the risk of material misstatement is crucial when planning and performing an evaluation of internal control. It is this consideration that helps direct the auditor’s focus to the most critical areas of the company’s internal control system. In a similar fashion, beginning at the “top” of the system and working “down” will help drive efficiency and direct the focus of the evaluation of internal control design.
But where is the “top” of an internal control system? And once the auditor is there, what direction is “down”? To answer these questions requires an understanding of three key principles of internal control design:
1 Within any organization, controls operate at two distinct levels: the broad, general entity level and the more focused and specific activity level.
2 Controls are designed to mitigate risks. Some controls address risks directly, whereas other controls address the same risks indirectly.
3 At the activity level, controls can be designed to either:
• Prevent errors from entering the financial information system, or
• Detect and correct errors that have already entered the system.
Entity-level controls sit at the “top” of the internal control structure. For example, these controls might include the company’s hiring and training policies and the firewall protecting its network. There are relatively few entity-level controls (they occupy the narrow top tier of the control pyramid). This is because, by their nature, entity-level controls have a broad (though indirect) effect on the company’s financial reporting risks. For example, a single firewall might cover the company’s inventory system, billing and receivables, and general ledger system all at once.
Entity-level controls have a very indirect effect on the financial statements. For example, the quality of the company’s training can improve job performance and reduce the risk of misstatement, but training alone is not sufficient to prevent or detect an error.
At the lowest level of the pyramid are the company’s most specific, narrowly focused activity-level controls. For example, an edit check to ensure that a date is formatted mm/dd/yyyy is an activity-level control. This control is specifically directed to one field on a single data entry form. The control is designed to prevent an error from entering the information system, and it is typical for controls at this level of the pyramid to be preventive controls, designed to be performed on every transaction.
In a typical control system there are many, many activity-level controls. There are two reasons for this relative abundance of preventive activity-level controls:
1 Activity-level controls address very specific risks and have a very narrow (but direct) effect on financial reporting risks. Entities enter into many different types of transactions. Paying suppliers, for example, is just one of dozens of different types of financial activities, and an organization will have activity-level controls for each of these activities. Additionally, for each transaction type, the company may face many different kinds of risk, each requiring a different kind of activity-level control. For example, not only will companies want to make sure that they pay only approved suppliers, but they also will want to make sure they pay the correct amount.
2 Many internal control systems include redundant controls—multiple controls that achieve the same objective. For example, the company may use a purchase order system to make sure that its buyers are approved to enter into transactions. In addition, a manager may periodically compare actual purchases to the budget to make sure that company buyers are staying within their approved limits.
Between the entity-level controls and preventive activity-level controls are the broad-based activity-level controls. A bank reconciliation is a good example of such a control. A bank reconciliation does not prevent the bookkeeper from entering an incorrect amount as a cash disbursement, but if such an error were made, a properly performed bank reconciliation should detect and correct it. Many broad-based activity-level controls are detective in nature and usually performed periodically, rather than on every transaction.
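The layering described above can be made concrete in code. The following is an added example, not part of the Flood/Wiley text: a preventive edit check on one date field (performed on every entry) beside a detective month-end bank reconciliation (performed periodically over the whole ledger). The ledger entries, bank statement lines, check numbers and amounts are constructed for illustration, and the function names are assumptions of this example. The point it demonstrates is the one the paragraph makes: the edit check rejects a malformed date but cannot see a transposed amount, while the reconciliation detects and reports that amount error after the fact.

```python
"""Added example (not from the original page): preventive edit check vs. detective
bank reconciliation. All transactions, check numbers and amounts below are
constructed sample data; the function names are assumptions of this example."""
import re
from datetime import datetime

# Preventive activity-level control: one field, one form, every transaction.
_DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}$")


def edit_check_date(value: str) -> bool:
    """Accept only a real calendar date written as mm/dd/yyyy."""
    if not _DATE_RE.match(value):          # shape check: two-digit month/day, four-digit year
        return False
    try:
        datetime.strptime(value, "%m/%d/%Y")  # calendar check: rejects 02/30, month 13, etc.
    except ValueError:
        return False
    return True


def record_disbursement(ledger: list, date: str, check_no: str, amount_cents: int) -> bool:
    """Data-entry step guarded by the edit check. Returns False if the entry is rejected.
    Note what this control does NOT verify: that amount_cents is what was actually paid."""
    if not edit_check_date(date) or amount_cents <= 0:
        return False
    ledger.append({"date": date, "check_no": check_no, "amount_cents": amount_cents})
    return True


# Detective, broad-based activity-level control: run periodically over the whole ledger.
def reconcile(ledger: list, bank_statement: list) -> list:
    """Match ledger disbursements to cleared bank items by check number.
    Returns findings as (kind, check_no, book_amount, bank_amount) tuples."""
    book = {e["check_no"]: e["amount_cents"] for e in ledger}
    bank = {e["check_no"]: e["amount_cents"] for e in bank_statement}
    findings = []
    for no in sorted(set(book) | set(bank)):
        if no not in bank:
            findings.append(("outstanding", no, book[no], None))        # recorded, not yet cleared
        elif no not in book:
            findings.append(("unrecorded", no, None, bank[no]))         # cleared, never recorded
        elif book[no] != bank[no]:
            findings.append(("amount_mismatch", no, book[no], bank[no]))  # the transposition case
    return findings


def run_example() -> dict:
    """Constructed scenario: the bookkeeper keys check 1002 as 15,280.00 instead of 12,580.00."""
    ledger = []
    rejected = not record_disbursement(ledger, "01/32/2024", "1004", 100_00)  # bad date: prevented
    record_disbursement(ledger, "01/05/2024", "1001", 450_00)
    record_disbursement(ledger, "01/12/2024", "1002", 15_280_00)  # wrong amount: passes the edit check
    record_disbursement(ledger, "01/20/2024", "1003", 99_99)      # will not clear this month
    bank_statement = [                                            # constructed statement lines
        {"check_no": "1001", "amount_cents": 450_00},
        {"check_no": "1002", "amount_cents": 12_580_00},
        {"check_no": "1005", "amount_cents": 75_00},              # bank item never recorded
    ]
    return {"rejected_at_entry": rejected, "findings": reconcile(ledger, bank_statement)}


if __name__ == "__main__":
    result = run_example()
    print("bad date rejected at entry:", result["rejected_at_entry"])
    for kind, no, book_amt, bank_amt in result["findings"]:
        print(f"{kind:16} check {no}: book={book_amt} bank={bank_amt}")
```

Amounts are held in integer cents so the comparison in `reconcile` is exact. Reading the findings the way an auditor would: the `amount_mismatch` line is the error the preventive control let through and the detective control caught; `outstanding` and `unrecorded` are the ordinary reconciling items the reviewer must still explain before the control can be said to have operated.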
A top-down approach to internal control evaluation means that the auditor starts with entity-level controls, which have the broadest span but the most indirect effect on reducing financial statement misstatements. Once the auditor has evaluated entity-level controls, he or she then proceeds “down” to the more specific activity-level controls. At the activity level, the auditor again begins at the “top,” with those controls that are furthest along in the information processing stream. Usually, these are detective controls.
After evaluating detective controls, the auditor may then proceed back down the information processing stream, back to the inception of the transaction, evaluating controls along the way.
The key to applying the top-down approach is to ask, at each step of the evaluation, “Are the controls I have evaluated so far capable of appropriately addressing the related risk of material misstatement?” If the answer is “yes,” then there is no need to evaluate more controls. If the answer is “no,” then the auditor should continue to evaluate controls further down in the structure until he or she has evaluated enough controls to assess the risk.
Effect of IT on Internal Control
Information technology (IT) affects the way in which transactions are initiated, recorded, processed, and reported. IT controls consist of automated controls (e.g., controls embedded in computer programs) and manual controls. Manual controls may be independent of IT, may use information produced by IT, or may be limited to (1) monitoring the effective function of IT and of automated