Internal Control Audit and Compliance - Graham Lynford

Chapter 1
What We All Share
Controls versus Processes


Before plunging into more subject matter, it is worth examining the source of a surprisingly widespread misunderstanding: the distinction between controls and processes. COSO and the regulatory requirements for companies and auditors are directed at controls. The public company assertions about internal control effectiveness are directed at controls. So why is so much time and effort devoted to evaluating and documenting the business processes underlying the controls in company and auditor documentation? A clear distinction between controls and processes is a significant potential source of efficiency and greater effectiveness in the controls documentation and assessment tasks.

A simple example: A cash payment (cutting the check) is part of a process. A review of the support for the payment by someone other than the accountant is a control. A sale on credit initiates a process of shipment and recognition of a receivable. Checking the credit rating of the customer, or checking that the customer is preapproved, is a control over the validity or existence of the sale. The requirements are to document, assess, and test controls, not processes. Yet mountains of documentation are produced and retained in the name of controls documentation, much of which does not describe a single real control.

If all the unnecessary documentation that has been produced magically evaporated from the hard drives and storage rooms of companies and auditors, a great deal of underutilized storage capacity would be revealed. Please understand, I know we are fond of our flowcharts, our narratives that go on and on, and our detailed descriptions of how things work. There is nothing wrong with any of that. But the focus here is controls. How do we ensure completeness? How do we ensure our ownership of the assets we claim? How do we ensure the transactions are recorded in the proper period? As long as all these considerations (and many more to be discussed later) are addressed, the only drawbacks to the volumes we create are the review and editing we have to apply when changes occur and the mountains of material that management and the independent auditors have to review. It's only money.

A current trend is away from the beloved narratives toward more flowcharting to document the business process and its control points. However, it may be more efficient to keep separate controls documents than to muddy up flowcharts with all the data necessary to describe, assess, and record the tests of the controls. Flowcharts or narratives can still be cross-referenced to the specific controls documentation.

By careful adherence to the spirit of the COSO Framework, the documentation of controls can be concise and organized. Whether you are just beginning in this process now or are seeking ways out of the quagmire of documentation produced previously, there is a way to meet the requirements without producing excessive volumes of documentation.

Internal Control Has Limitations

The existence of undesirable outcomes such as misstatements and omitted disclosures may indicate that the process itself was flawed. However, that direct connection does not always hold. An internal control failure can be attributable to something other than a flawed process.

Internal control provides reasonable but not absolute assurance that an entity will achieve its financial reporting objectives. Even an effective internal control system can experience a failure due to:

Human error. The people who implement internal controls may make simple errors or mistakes that can lead to control failures.

Management override. Even in an otherwise well-controlled entity, managers may be able to override internal controls for selfish purposes.

Collusion. Two or more individuals may collude to circumvent what otherwise would be effective controls.

Objective-Driven Approach

The COSO Framework views internal control as built into an entity's overall business processes, as opposed to a separate add-on component attached to the company's real business. Building in internal control requires that management do four things:

1. Establish business objectives. For our purposes, the most relevant objectives relate to financial reporting.

2. Identify the risks to achieving those objectives.

3. Determine how to manage the identified risks. The establishment of internal controls is just one of several options.

4. Where appropriate, establish controls as a way to manage certain risks. Individual controls are designed and implemented to meet the stated risks.

Internal controls have limited value by themselves: they do not produce a product or service or generate revenue for the business. Controls have value to the degree that they help the entity achieve its objectives by providing complete, accurate, relevant, and reliable information for decision making and for the fair communication of financial results to third parties. The effectiveness of internal control is judged by how well it aligns with and addresses the objectives of the company.

Flexible, Adaptable, No One-Size-Fits-All Approach

The COSO Framework is a conceptual and not a rigid, prescriptive approach to internal controls. Thus, a paint-by-numbers approach is not going to be effective in complying with the aims of COSO. COSO recognizes that different entities will make different choices about how to implement controls in their businesses. The key is not whether the company uses control A or control B but whether the controls in place meet the risks by proper design and effective operation. COSO is not a checklist of suggested controls. Furthermore, management will make certain cost–benefit judgments and trade-offs. For example, an elaborate control structure over cash disbursements may be warranted in a large and complex business, but simpler controls may be effective and efficient in smaller enterprises. The result: Internal control is not a one-size-fits-all proposition, and a checklist of “usual” controls is not an effective tool to satisfy the COSO Framework guidance.

What can sometimes be frustrating about COSO controls guidance and the auditing standards is that simplifying the assessment and testing process through the use of practice aids is not easy. A successful project requires thought and understanding to apply the objectives of the Framework to a specific company's circumstances. It takes knowledge of the entity and its processes, the regulatory environment, and the COSO Framework to make sense of the assessment and testing process. Early in the implementation of SOX, an experienced audit partner noted that she obtained a much better knowledge of her clients and their risks after going through the controls assessment process with them. Companies seeking practice aids to take the work out of the assessment process eventually realize this is not an achievable goal. However, an assessment and testing project done right is much easier to maintain over time than one cobbled together to get through this year. Think long term. Practice aids can still have value, but they must be adapted to the application. There is no turnkey approach out there, despite any Web site or brochure claims.

Furthermore, circumstances change at the entity, so its internal control must be designed to adapt and remain effective in a dynamic business environment. In fact, one of the primary objectives of the monitoring component of internal control is to assess the quality of the system's performance over time, recognizing that circumstances will change. In the 2013 guidance, identifying and responding to change is Principle 9, one of the principles that must be satisfied.

Reasonable Assurance

COSO recognizes the limitations of internal control. No matter how well designed or operated, internal control can provide only reasonable assurance that objectives will be met. Reasonable assurance is a high threshold, but it stops short of absolute assurance. The presence of an isolated internal control failure (one that is less than a material weakness) does not, in and of itself, mean that a system is ineffective. COSO itself states that "even an effective internal control system can experience failure."

However, reporting publicly that internal controls are effective, or relying on the effectiveness of internal controls in lieu of other audit procedures, requires that material weaknesses either be absent or be limited to specific areas that can be identified and mitigated by other procedures. When reporting on controls, the public expects a correspondingly high level of audit assurance.

People Factor

COSO recognizes that internal control is implemented by people. Documentation of controls is important, but documentation is not all there is to internal control. The effectiveness of internal control depends on the people responsible for carrying out the individual control elements, from the chief executive officer and board of directors all the way to the rank-and-file employees charged with performing day-to-day transaction processing and control-related tasks.

Thus, the design of internal control must take into account the human element and must consider the role of human nature. For example, people are greatly influenced by the actions taken by an entity's senior management, more so than they are by what these individuals say. Therefore, the relative strength of an entity's control environment depends in large part on the actions of the entity's leaders and how they are perceived by the rest of the organization. This factor is assessed as part of the control environment.

The ability of individuals to carry out their responsibilities also depends on their competencies and on how well they understand what is required of them. This need for understanding requires that the entity's internal control include an effective hiring, training, and communication element. This, too, is an element of the control environment.
