Read the book Internal Control Audit and Compliance - Graham Lynford - Page 11

Chapter 1
What We All Share
What We Must Do


Entities should assess and document their internal controls. COSO and auditing standards agree that this is a responsibility of the entity. One often hears the concern voiced that entities have neither the expertise nor the manpower to perform this task. When such excuses are offered, the auditor often begins to question whether the lack of expertise might indicate a controls deficiency. An entity without the expertise to document controls might also lack the ability to design and monitor controls or to respond to issues that arise when controls fail. If the entity does not view internal control as a priority, then questions arise as to whether the control environment is lacking in some respect. The fact is that many entities would rather not bother with this responsibility, despite its overall value to society in adding integrity to investor reports and to the security and success of the entity itself. Attitude is important in shaping the quality of the controls and the quality of the oversight and continuous improvement that sustains and strengthens systems.

Entities and auditors should also have some evidence to support the fact that the descriptions of the internal controls relate to what is actually happening. That evidence may be through observation, examination of evidence, or reperformance of the control. Auditors are instructed to document their understanding of internal controls (and not the whole system of processes and activities). To the extent the entity has done the process and controls documentation well, the auditor can test that work and draw from it in lieu of reinventing the wheel.

All entities need to take a broad look at internal control over financial reporting (ICFR) and not ignore elements that are difficult to assess (the control environment, IT, or processes and controls that are outsourced). In some derivative applications of internal control frameworks in other jurisdictions (the SOX of Japan, for example), only major processes are “in scope” for purposes of the assessment. There is no 80–20 rule and there are no simple exclusions for U.S. generally accepted auditing standards (GAAS) applications. Materiality (alone or in aggregate) is the benchmark threshold for COSO assessments.

One message that rings clear in the 2013 COSO guidance is the need to articulate various management objectives in terms of operations, financial reporting, and regulatory compliance. These objectives are in turn the genesis for management to identify “risks” to their objectives. The risk assessment component in the Internal Controls Framework and in the COSO ERM relates risks to the stated objectives, answering the question: “Risks to what?” In reality, the objectives related to financial reporting might be fairly obvious. For example, “fair financial reporting in accordance with generally accepted accounting principles (GAAP)” would often be a high-level objective, and the presence of many estimates in the accounting process often presents risks to meeting that objective. An entity objective could also be to protect certain proprietary entity information from public disclosure and competitor scrutiny. The risks to that objective might be more meaningful to ponder and more specific to the entity. Entities should try to articulate their specific objectives, since meaningful risk assessments and the design and maintenance of controls to mitigate the risks follow from the objectives. While auditors may guess at the company-specific risks related to financial reporting, and the financial reporting assertions (completeness, existence, valuation, etc.) help structure the audit goals, auditors cannot possibly know all the nuances that management might be considering. Thus the assessment of risks associated with financial reporting is best performed by the entity and shared with the auditor. Too often it happens the other way around for many of the risks. Entities that fail to set objectives and identify risks are likely to exhibit, and be assessed, a material weakness in the risk assessment component of the Framework.

Transitioning to COSO 2013

Many entities will seek the quickest and easiest way to transition to COSO 2013. For many, there will be a significant number of additional control points to consider, since “2013” is more specific (using 17 Principles and numerous points of focus) than the original 1992 Framework. However, this challenge should also be viewed as an opportunity to reconsider any current documentation or approach and not to institutionalize past practices that may not be the most efficient and effective. The concept of “let's just get through this year” usually results in needed changes never being made and opportunities lost. While much of this book is devoted to providing the insight to assist in an effective and efficient assessment, there is a real issue of how to best take advantage of what has already been done and carry any best practices forward.

Those entities that adopted the 20 Principles outlined in the 2006 COSO guidance directed to smaller public entities will be farther down the road to converting to the 2013 guidance than those that bypassed this guidance and built their assessment process around the original Framework. As mentioned in the legacy versions of this work, that 2006 guidance was potentially useful to all entities and could be a real help in structuring effective assessment projects for any entity. And so it has come to pass. Where there was a change in the 2013 guidance from the 2006 version, this book also provides a road map of what has been added or reallocated to other principles. In addition, various hints are provided throughout the work to illustrate the potentially related principles when deficiencies are identified, in keeping with the integrated nature of controls as discussed in the 2013 guidance.

Mapping to the 2013 Guidance

One method used to map the 2013 guidance to the current project is to create a spreadsheet with the principles and relevant points of focus along one dimension and the previously identified controls along the other dimension. To be more effective, the matrix should also identify the relevant assertion(s) addressed by the controls (when assertions apply, such as for transaction controls) to ensure coverage of the financial statement assertions and to identify any gaps. When identifying assertions, it may be appropriate to assign a numerical or letter value to the assertions you are using, so that the assertions covered can be sorted and gaps more easily identified. It may also be necessary to segregate the transaction- or disclosure-based controls by account or cycle so that the spreadsheet does not become unwieldy. Note that when considering cash controls, a deficiency might also indicate failure in a related principle, such as competence and training (Principle 4). It is a daunting task to pre-consider all the possible interactions between controls, principles, and points of focus, so you may find that a few common linkages like the example just given are sufficient for mapping most controls. These linkages will not be automatic; they will depend on the specific root cause of the deficiency, if it can be determined. A column or two could be allocated to identify potentially related principles. This task would be a new one, requiring familiarity with the 2013 approach and the details of the principles and points of focus.

In total, the 2013 guidance notes 88 points of focus across the 17 Principles. However, a few of these points of focus are more closely related to operations and compliance objectives. Before discarding them from your analysis, note that such objectives often have a financial reporting implication in disclosure controls or for estimating allowance or reserve accounts. We discuss these issues further in connection with the risk assessment component itself.

Table 1.1 is an example template that maps identified entity controls to the 2013 guidance. You may wish to experiment with different approaches to this mapping before settling on one that makes the most sense for your organization, based on where you are and where you want to go. Depending on the component, subcomponent, and number of controls to be mapped, some matrices may be more effectively developed with the principles and points of focus across the top or down the side. While consistency in format is helpful, an unwieldy mapping format is not. Depending on the number of controls likely to be associated with a principle or related point of focus, it may be worthwhile to split the assessment into subsets (by component, by principles, or by other units, such as financial statement captions) that are more manageable. No one design will be perfect for all entities and industries. The important thing is that all currently identified key controls are mapped and that all principles and points of focus are arrayed so that potential gaps can be identified.
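The gap checks that the mapping matrix is meant to support, as an added illustration that is not part of the book: it encodes a few constructed controls, placeholder point-of-focus identifiers (the real framework has 17 Principles and 88 points of focus; only the P1/P4 notation comes from the text), and letter-coded assertions, then reports points of focus with no mapped control, assertions no control covers within each cycle, and the related-principle hint for a deficiency whose root cause is known.

```python
from collections import defaultdict

# Constructed placeholder cells of the matrix; "P4.1" means a point of focus
# under Principle 4. These identifiers are illustrative, not COSO's own text.
POINTS_OF_FOCUS = ["P1.1", "P1.2", "P4.1", "P4.2", "P10.1"]

# Letter codes for assertions, as the text suggests, so gaps can be sorted.
ASSERTIONS = {"C": "completeness", "E": "existence", "V": "valuation"}

# Constructed entity controls: points of focus each supports, the transaction
# cycle it belongs to (None for entity-level controls), assertions addressed.
CONTROLS = [
    {"id": "CTL-01", "desc": "Code of conduct acknowledged annually",
     "pof": ["P1.1"], "cycle": None, "assert": []},
    {"id": "CTL-07", "desc": "Monthly bank reconciliation reviewed",
     "pof": ["P10.1"], "cycle": "cash", "assert": ["C", "E"]},
    {"id": "CTL-12", "desc": "Inventory count and pricing review",
     "pof": ["P10.1"], "cycle": "inventory", "assert": ["E"]},
]

# Constructed root-cause linkages for the "related principles" column; the
# competence/training link to Principle 4 is the one example the text gives.
ROOT_CAUSE_LINKS = {"competence": ["P4"]}


def unmapped_points(controls, points):
    """Points of focus no control maps to: candidate gaps or undocumented controls."""
    covered = {p for c in controls for p in c["pof"]}
    return [p for p in points if p not in covered]


def assertion_gaps(controls, assertions):
    """Per transaction cycle, the assertion codes no mapped control addresses."""
    by_cycle = defaultdict(set)
    for c in controls:
        if c["cycle"] is not None:
            by_cycle[c["cycle"]].update(c["assert"])
    return {cyc: sorted(set(assertions) - codes) for cyc, codes in sorted(by_cycle.items())}


def related_principles(root_cause):
    """Principles to flag alongside a deficient control, keyed on its root cause."""
    return ROOT_CAUSE_LINKS.get(root_cause, [])


if __name__ == "__main__":
    print("Unmapped points of focus:", unmapped_points(CONTROLS, POINTS_OF_FOCUS))
    print("Assertion gaps by cycle:", assertion_gaps(CONTROLS, ASSERTIONS))
    print("Cash deficiency, root cause competence ->", related_principles("competence"))
```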


Table 1.1 Mapping Controls to the 2013 COSO Framework

Note: The notation P1 refers to Principle 1 and is noted this way throughout the text.


While COSO clearly states that all the points of focus need not be met to be able to state that an effective system of ICFR exists, many are using the points of focus (and principles) to determine if there might be gaps in controls or yet-undocumented controls of importance that should be recognized. From a documentation standpoint, it is a short leap to expect that a point of focus (POF) considered irrelevant or not applicable will be supported with an explanation of why this is so.

A secondary benefit of this exercise is to assist the independent audit team in relating your assessment to their work paper tools and templates, which often are not customized to your entity approach. Auditors spend considerable time mapping entity approaches to audit requirements, time often better spent on more productive and useful activities or even reductions in seasonal workload.

