Читать книгу Internal Control Audit and Compliance - Graham Lynford - Страница 13

Financial statement preparers of public, nonpublic, government, and nonprofit entities have the basic level of responsibility for assessing and documenting controls over financial reporting. While still responsible for the scoping, documentation, and verification that the described controls are implemented, nonpublic entities and their auditors may not need to test the controls as a basis for reliance on controls in setting the audit strategy. However, public companies have a specific requirement that they publicly assert the effectiveness of controls over financial reporting; doing that includes tests of the controls to be able to make that assertion. These various nonpublic entities and their auditors do have requirements that noted material weaknesses and/or significant deficiencies in controls (defined later) be reported to governance or to the overseeing regulator.

However, when auditors of any entity seeks to rely on the effectiveness of internal controls to reduce the scope of their other audit procedures, testing is necessary to confirm the assessment that the controls are designed and are operating effectively. Unlike in an attestation where high assurance is sought, the financial statement auditor may determine the right amount of testing and assurance to support the desired level of controls assurance from “low” (some) to “high.” When high assurance is sought, the project scope and testing level is similar to that required for an attestation. However, the assurance sought for controls reliance usually covers the entire audit period, not just the status of internal controls on the date of the report.

Nonpublic entities may optionally report on the effectiveness of their internal controls. Auditors can attest to these assertions under the revised AICPA attestation standards (e.g., AT 501). Alternative attestations allow for attestations on only the design of the controls or an attestation on both the design and operating effectiveness of the controls over financial reporting. For example, a nonprofit entity may wish to report on internal controls to provide assurance to donors of its stewardship over the donated funds and as a competitive tool to attract new donors. It seems likely that some government entities may soon be required to publicly report on their internal controls as a demonstration of their stewardship of public funds.

For certain regulated program audits (e.g., Office of Management and Budget [OMB] A-133 program audits of federal awards and programs), there may be specific audit requirements to meet compliance (with laws and regulations) that require tests of specifically identified controls over compliance by auditors. A source of confusion among some auditors is the fact that there exists very different guidance for financial statement and compliance-oriented government program audits. The focus of this book is on the ICFR.

Public companies report publicly on the effectiveness of their ICFR. As a result, SEC regulations require these entities to test controls as a basis for their assertion. There are specific exemptions from this requirement for companies when they first become public. Auditors of smaller public companies do not have to specifically report to the public on the effectiveness of the auditee's internal controls in the SEC 10-K annual filing. (This relief is now permanent under the Dodd-Frank Act of 2010.) However, auditors of larger public companies, accelerated filers,3 do have to report to the public on the effectiveness of the auditee's internal controls in the required SEC 10-K annual filing. Therefore, auditors would also have a requirement to test internal controls as a basis for their assertion. The auditors of newly registered companies (under the Jumpstart Our Business Startups [JOBS] Act) may qualify for an exemption to auditor reporting on internal controls, provided revenues are under a predefined threshold.

As noted later, auditor oversight and testing may be important to ensure the quality of management's assertion regarding the effectiveness of controls. This seems to be particularly true as management first becomes familiar with controls issues.