Читать книгу Internal Control Audit and Compliance - Graham Lynford - Страница 10

The revised COSO Framework (2013) replaces the 1992 and 2006 Framework guidance and documents. Those prior publications will be considered superseded after December 15, 2014. Some key elements of the new guidance include:

• Retention of the five basic components: control environment, risk assessment, control activities, information and communication, and monitoring.

• Identification of 17 Principles that are deemed essential to the five components

• Clear expectations that the elements of internal control work together in an integrated way.

Indeed, unless these elements are satisfied, COSO would conclude the system of internal controls is not effective.

Internal controls are defined in the revised Framework, and similarly in literature of the Public Company Accounting Oversight Board (PCAOB)2 and AICPA, as: “a process, effected by the entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

This definition is consistent with the focus in the revised Framework on articulating the objectives in the three elements of operations, reporting, and compliance.

The COSO Framework retains these three elements of internal control. For purposes of this book, our focus is on the financial reporting element. However, as we discuss the issues surrounding this element, note that putting on blinders to issues from the other elements is not appropriate. Failures in operating controls can create increased allowances for returns and greater estimated warranty expenses, and failures in regulatory controls can cause liabilities for environmental issues or labor law violations with financial consequences. What may seem like a bright line in the diagrams is in reality a blurred line in practice.

In all cases, COSO and regulators expect the entity, and not the auditor, to be responsible for the design and implementation of the system of internal control. Likewise, all entities are expected to document and maintain updates to their internal processes and controls. In public companies, auditors are often impaired by independence rules from venturing very far into the design, assessment, and documentation process. In private companies, the auditor may be more helpful at present; however, future independence rules may limit auditor involvement in government and private engagements. Private companies should prepare to annually maintain and update the documentation of their controls systems. Auditors need to prepare their clients to do so.

Accompanying the Framework guidance are illustrative templates for documenting assessments, deficiencies, and aggregating issues from the detailed deficiency level to an overall conclusion. These templates may be structured as entities wish, but it may be worthwhile to note their suggested content in the development of proprietary approaches. Not published are forms, documents, and work programs to guide the entity or auditor when gathering information, performing assessments, and drawing conclusions. While various vendors may make such forms available to entities and auditors, the responsibility for ensuring the quality of those materials lies with the user, since COSO nor the auditing standards setters do not “certify” specific products.

The new guidance retains the much of the conceptual look and feel of the original 1992 Framework. In addition to guidance, there is a separate COSO volume with suggested approaches and examples of gathering evidence to support the principles, points of focus, and components. The COSO guidance should be accessible to the project leader or audit team, particularly in the initial period of implementation of the new guidance. In addition to purchasing the set of guidance at www.cpa2biz.com, various technical information vendors (e.g., Accounting Research Manager) have online versions for subscribers. Project leaders and audit team leaders should take the time to study these resources in some detail to ensure that the team is properly interpreting the principles and what sources of evidence might exist. Neither companies nor auditors are required to follow the suggested approaches or examples. They are presented simply as guidance; unlike the 17 Principles, they do not have to be satisfied or followed.

Although checklists are popular in auditing, users should resist creating checklists of controls in lieu of analyses, descriptions, and explanations of controls. COSO guidance seeks to ask the question “How do you accomplish this objective, or how do you satisfy this assertion?” and not whether a specific control exists or does not. In the identification of the points of focus articulated for each principle, it may be worthwhile to read these in connection with each principle and ensure that most are considered when assessing the effective implementation of the principle. While not a “checklist,” the points are a helpful reminder of the scope of intended issues embodied in the principle. However, not all of these more than 80 points will apply to all entities.

Since 1992, business has changed in many ways. The 2013 Framework notably picks up two major trends and has implemented them widely in the new Framework. These trends include:

1. Widespread use of outsourcing. Today more and more business functions are being outsourced to third parties. Just because a function is outsourced does not remove it from the table when the function relates to ICFR. It should adhere to the same standards the entity is held to, including ethical standards of the entity. That includes outsourcing to far distant parts of the earth where cheaper wages may prevail. Outsourcing is mentioned in the discussions and examples of 12 of the 17 Principles. That does not preclude its application to other principles. Since 2003 the Securities and Exchange Commission (SEC) has required outsourcing entities to include a right-to-audit clause in agreements so that entities can ensure, if necessary, that controls are effective in the outsourced facility. Enhancements to the requirements for issuing Service Organization reports (e.g., Service Organization Control (SOC) Reports 1 and SOC 2) have also advanced the quality of these reports and their usefulness in placing reliance on outsourced functions.

2. Widespread use of computer processing. While the 1992 Framework gave limited mention of computer systems, the revised Framework weaves computer and network issues into the discussions of 14 of the 17 Principles.

Other changes brought about by the 2013 guidance will likely include:

• More attention to areas other than control activities. The 17 Principles and numerous points of focus will force many entities to gather more information than previously regarding the “softer” controls and assessments. It was perhaps easier for all to focus on transaction controls, but the new COSO guidance attempts to rebalance the efforts.

• More focus on risk assessment. Risk assessment is more carefully articulated, and more assessment is sought of the types of risk as well as the potential magnitude and likelihood of a risk occurring. In addition, the COSO introduces two new measures of the risk: velocity and persistence. Like a storm, the intensity of a risk and duration can have a very direct effect on the damage sustained. Hurricanes Sandy and Katrina and Midwest tornadoes provide evidence that some unlikely events can have devastating and long-lasting impacts. So also with some business risks. Risk assessment can be seen as a fundamental task that provides a framework for assessing the adequacy of the system of internal controls to prevent or detect material misstatement.