Читать книгу Wiley Practitioner's Guide to GAAS 2017 - Flood Joanne M. - Страница 32

Illustration 1. Examples of Circumstances That May Be Control Deficiencies, Significant Deficiencies, or Material Weaknesses

The appendix to Section 265.A37 lists the following as examples of circumstances that may be control deficiencies in the design of controls, or failures in the operation of internal control. As such, auditors should consider these matters when designing and performing risk assessment procedures to gain an understanding of the design and implementation of internal control and when performing and evaluating the results of further audit procedures.

Deficiencies in Internal Control Design

● Inadequate design of internal control over the preparation of the financial statements being audited.

● Inadequate design of internal control over a significant account or process.

● Inadequate documentation of the components of internal control.

● Insufficient control consciousness within the organization – for example, the tone at the top and the control environment.

● Absent or inadequate segregation of duties within a significant account or process.

● Absent or inadequate controls over the safeguarding of assets (this applies to controls that the auditor determines would be necessary for effective internal control over financial reporting).

● Inadequate design of information technology (IT) general and application controls that prevents the information system from providing complete and accurate information consistent with financial reporting objectives and current needs.

● Employees or management who lack the qualifications and training to fulfill their assigned functions (for example, in an entity that prepares financial statements in accordance with generally accepted accounting principles (GAAP), the person responsible for the accounting and reporting function lacks the skills and knowledge to apply GAAP in recording the entity's financial transactions or preparing its financial statements).

● Inadequate design of monitoring controls used to assess the design and operating effectiveness of the entity's internal control over time.

● The absence of any internal process to report deficiencies in internal control to management on a timely basis.

● Evidence of ineffective aspects of the control environment, such as indications that significant transactions in which management is financially interested are not being appropriately scrutinized by those charged with governance.

● Evidence of an ineffective entity risk assessment process, such as management's failure to identify a risk of material misstatement that the auditor would expect the entity's risk assessment process to have identified.

● Evidence of an ineffective response to identified significant risks (for example, absence of controls over such a risk).

● Absence of a risk assessment process within the entity when such a process would ordinarily be expected to have been established.

Failures in the Operation of Internal Control

● Failure in the operation of effectively designed controls over a significant account or process; for example, the failure of a control such as dual authorization for significant disbursements within the purchasing process.

● Failure of the information and communication component of internal control to provide complete and accurate output because of deficiencies in timeliness, completeness, or accuracy; for example, the failure to obtain timely and accurate consolidating information from remote locations that is needed to prepare the financial statements.

● Failure of controls designed to safeguard assets from loss, damage, or misappropriation. This circumstance may need careful consideration before it is evaluated as a significant deficiency or material weakness. For example, assume that a company uses security devices to safeguard inventory (preventive controls) and also performs periodic physical inventory counts (detective control) timely in relation to its financial reporting. Although the physical inventory count does not safeguard the inventory from theft or loss, it prevents a material misstatement of the financial statements if performed effectively and timely. Therefore, given that the definitions of material weakness and significant deficiency relate to likelihood of misstatement of financial statements, the failure of a preventive control such as inventory tags will not result in a significant deficiency or material weakness if the detective control (physical inventory) prevents a misstatement of the financial statements. Material weaknesses relating to controls over the safeguarding of assets would exist only if the company does not have effective controls (considering both safeguarding and other controls) to prevent or detect and correct a material misstatement of the financial statements.

● Failure to perform reconciliations of significant accounts. For example, accounts receivable subsidiary ledgers are not reconciled to the general ledger account in a timely or accurate manner.

● Undue bias or lack of objectivity by those responsible for accounting decisions; for example, consistent understatement of expenses or overstatement of allowances at the direction of management.

● Misrepresentation by client personnel to the auditor (an indicator of fraud).

● Management override of controls.

● Failure of an application control caused by a deficiency in the design or operation of an IT general control.

● An observed deviation rate that exceeds the number of deviations expected by the auditor in a test of the operating effectiveness of a control. For example, if the auditor designs a test in which he or she selects a sample and expects no deviations, the finding of one deviation is a nonnegligible deviation rate because, based on the results of the auditor's test of the sample, the desired level of confidence was not obtained.

Illustration 2. Auditor's Communication Regarding Significant Deficiences and Material Weaknesses (AU-C 265.A38)

To Management and [identify the body or individuals charged with governance, such as the entity's board of directors] of ABC Company

In planning and performing our audit of the financial statements of ABC Company (the “Company”) as of and for the year ended December 31, 20XX, in accordance with auditing standards generally accepted in the United States of America, we considered the Company's internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Company's internal control. Accordingly, we do not express an opinion on the effectiveness of the Company's internal control.

Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be [material weaknesses or significant deficiencies] and therefore [material weaknesses or significant deficiencies] may exist that were not identified. However, as discussed below, we identified certain deficiencies in internal control that we consider to be [material weaknesses or significant deficiencies or material weaknesses and significant deficiencies].

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. [We consider the following deficiencies in the Company's internal control to be material weaknesses:]

[Describe the material weaknesses that were identified and explain their potential effects.]

[A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We consider the following deficiencies in the Company's internal control to be significant deficiencies:]

[Describe the significant deficiencies that were identified and explain their potential effects.]

[If the auditor is communicating significant deficiencies and did not identify any material weaknesses, the auditor may state that none of the identified significant deficiencies are considered to be material weaknesses.]

This communication is intended solely for the information and use of management, [identify the body or individuals charged with governance], others within the organization, and [identify any governmental authorities to which the auditor is required to report] and is not intended to be, and should not be, used by anyone other than these specified parties.

[Auditor's signature]

[Auditor's city and state]

[Date]

Illustration 3. Auditor's Communication Indicating That No Material Weaknesses Were Identified (AU-C 265.A39)

To Management and [identify the body or individuals charged with governance, such as the entity's board of directors] of NPO Organization:

In planning and performing our audit of the financial statements of NPO Organization (the “Organization”) as of and for the year ended December 31, 20XX, in accordance with auditing standards generally accepted in the United States of America, we considered the Organization's internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Organization's internal control. Accordingly, we do not express an opinion on the effectiveness of the Organization's internal control.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.

Our consideration of internal control was for the limited purpose described in the first paragraph and was not designed to identify all deficiencies in internal control that might be material weaknesses. Given these limitations, during our audit we did not identify any deficiencies in internal control that we consider to be material weaknesses. However, material weaknesses may exist that have not been identified.

[If one or more significant deficiencies have been identified, the auditor may add the following:]

Our audit was also not designed to identify deficiencies in internal control that might be significant deficiencies. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We communicated the significant deficiencies identified during our audit in a separate communication dated [date].

This communication is intended solely for the information and use of management, [identify the body or individuals charged with governance], others within the organization, and [identify any governmental authorities to which the auditor is required to report], and is not intended to be, and should not be, used by anyone other than these specified parties.

[Auditor's signature]

[Auditor's city and state]

[Date]