Читать книгу Internal Control Audit and Compliance - Graham Lynford - Страница 12

All managements and auditors need to consider broadly the scope of ICFR. Just because a wide net is cast in examining controls does not mean that all of the controls under that net are key or critical; thus, testing and detailed analysis may not be required. However, managements were surprised in 2004 when controls over the hiring and use of specialists in determining fair values or allowances were declared by the PCAOB as in scope regarding ICFR. Current auditing standards require a specific assessment of the internal controls over the fair value estimation process. Nonpublic entity auditors are likewise directed by auditing standards to assess such controls over all estimates in the financial reporting process. Similarly managements and auditors were embarrassed when an academic, Professor Eric Lie, post-SOX, discovered that the values of stock options were being manipulated to benefit management in a number of large companies. This activity and process was not included in the early scoping of public company audits of internal control. A continuing conundrum is the issue of using service organizations for various accounting, IT, and data storage functions. A contemporary issue is the controls and security issue surrounding the use of cloud computing and cloud data storage. Outsourcing does not remove a function from the scope of internal controls assessment and analysis. Examples also exist of the failure to recognize the risks associated with trading or derivatives activities that may create exposures that exceed the apparent size of the operation; examples such as the Barings Bank collapse (currency trading) and Orange County, CA, bankruptcy (interest rate swaps) come quickly to mind.

The natural state of systems is for them to deteriorate over time. Managements, through monitoring and thoughtful annual reassessment, can keep a system in tune through an effective monitoring function. The absence or ineffectiveness of an effective monitoring function is likely to be a material weakness that would preclude an effective internal controls assertion or auditor reliance on controls to reduce other auditing procedures.