Read the book Internal Control Audit and Compliance - Graham Lynford - Page 18

Chapter 2
Setting the Scope of Your Documentation Project

Identifying the Core

Start with Business Objectives


The essential starting point for determining the extent of documentation you should include in your project is a clear statement of your objectives. Regardless of whether you are formally reporting on your controls or not, you should initially cast a broad net across your entity and narrow the focus, excluding accounts or transaction streams only as the evidence shows that their risks are low. The new COSO guidance emphasizes this as a precursor to risk assessment, since the identified risks relate to the objectives.

To meet the minimum documentation standards expected for any project, you probably can cut out the very minor (trivial) revenue streams and locations that individually are clearly insignificant in terms of assets, revenues, and income. Unfortunately, there is no consensus on where a bright-line minimum might be. Early on, auditors working with large public clients were bludgeoned into including just about everything with a dollar sign in the reporting on internal controls project because of the early interpretations of the guidance in Public Company Accounting Oversight Board (PCAOB) Auditing Standard (AS) No. 2. That standard has since been replaced by AS No. 5, which is more risk-based than the original. Nonpublic companies follow similar guidance regarding scoping, but there is no clearly discernible demarcation between items that should be in scope or out of scope. The danger is that errors in this judgment that later result in material misstatements can create legal liabilities.

For example, the lack of known issues regarding revenue recognition is not sufficient evidence to deemphasize revenue recognition issues from the assessment in a business with clearly complex sales arrangements. The fact that a company's business is basically a cash business and there are no lingering revenue recognition or period-end cut-off issues is perhaps a more logical basis on which to deemphasize this common control issue in a company's analysis.

Even in its interpretative guidance on evaluating internal control, the Securities and Exchange Commission (SEC) makes it clear to public companies that management's evaluation need not encompass all the controls that have been implemented at the company. The objective of management's evaluation is to provide it with a reasonable basis for determining whether any material weaknesses in internal control exist at year-end, the date of the required report on internal controls.

In a risk-based approach, it is helpful for scoping and project management to identify and distinguish your “core.” These are the main activities of your business and likely constitute the bulk of revenues, expenses, and transactions. While not the limits of your scope, the core helps define objectives and identify the key risks to achieving those objectives. It is likely that your internal control efforts will often be concentrated on your core business, and if your core is not well designed and operating effectively, then it is hard to see how the system as a whole can be effective.

You may be able to develop a practical guideline of your core by analyzing the financial statements and the segment/division/location contributions to the numbers flowing into the financial statements. You should be able to include in the scope of your documentation a significant portion of the revenues, expenses, account balances, and net income by selecting a reasonable number of accounts and locations and transaction types within the scope of your project. For example, suppose your municipal entity had several different revenue sources, such as income taxes, fees, fines and judgments, usage charges, and revenue sharing. (See Table 2.1.)

Table 2.1 Using Revenue to Set Scope

1 Total = $10,000,000

The amounts or the risks associated with a component of the financial statements will cause you to include those streams within your project scope. Based just on revenues, you might be able to cover 85% of the revenues by evaluating the controls related to the two main streams of revenue. But the next question is whether you have covered your identified risks with this scope. Because fees and fines are more volatile from year to year, are more difficult to predict and verify, and involve more human interaction, judgment, and fraud risk than the other areas, they probably still require controls attention.

For example, if the receipt and recording of the revenue-sharing portion were easy to track because these revenues are allocated in a scheduled or known way from a larger pool of county revenues and transferred to you in an easy-to-audit transaction, the area may be considered a low risk and require only limited evidence to conclude the controls are effective. However, if the process over fees and their collection and recording is not as well controlled, and there is some risk of completeness (e.g., skimming, a type of fraud) and some risk of inaccurate processing when collecting these fees, then more effort may be placed on controls over these transactions than their sheer size might suggest.

You might take similar key measures of other financial statement accounts and, in profit-oriented entities, consider the contribution to profit. Thus, you may find a profile of revenues, expenses, and locations or segments emerging from your analysis that really define the core of your entity. That core can be a starting point to determine the main focus of your controls assessment project.

You may need some talking points to address the peripheral and trivial areas you do not identify as your core based on volume or risk. Auditors cannot reliably use size as a risk indicator when understatement is a risk. For example, a completeness risk could be that all the activity of a remote location might not be reported. Skimming is a fraudulent withholding of some of the revenue stream such that some revenues never get recorded.

One approach followed by some entities is to make a list of the main controls and procedures that are in place regarding those amounts that might be candidates for exclusion from the analysis. For example, numerous smaller entities may be part of the consolidated entity but individually and in the aggregate still make up only a small portion of the overall entity. If these entities adhere to a common accounting manual of procedures, use the approved company software, and perform monthly bank reconciliations, and management or internal audit visits these locations periodically to audit the details, then monitoring the key statistics and cash flows from these locations may be sufficient for management to detect a significant departure from expectations.

As a general guide, you might start with all the financial statement accounts and elements in your initial scope of documentation and assessment of controls. Often the financial statement caption items are larger than materiality or are separately presented for some reason. Your documentation and design assessments can be broader (and should be, for your own protection) than any testing plans need to be. In my view, too many entities and their auditors are too quick in using risk assessment judgments to exclude amounts completely from the scope of the examination. There will come a day of reckoning for those who incorrectly assess risk, as there was with those who thought there was little or no risk in auditing Enron, WorldCom, and Parmalat. Smaller entities suffer similar fates based on bad guesses regarding risk; you just do not hear about them. They just become empty storefronts at the local strip mall.

One quip attributed to Yogi Berra, the oft-quoted Hall of Fame catcher for the New York Yankees, applies here: “It's amazing what you see when you look.” I am sure many misstatements and frauds are overlooked because of faulty risk assessments that do not indicate an observable risk. That is all the more reason not to shortcut the process of gathering evidence to support low-risk assessments, and to periodically reexamine decisions about risks. For example, in 2004 and 2005, few companies or auditors included the stock option granting process in their controls assessments. In the past it was not on the radar screen for substantive audit testing either, since it seemed to be a rather low-risk area, was subject to written corporate policies and clear accounting rules, and was not generally noted as a risk area. There was no explicit exclusion of this process in the Sarbanes-Oxley (SOX) Act or any other guidance. Well, what followed was a discovery by an outsider academic (Dr. Eric Lie) of a widespread “fudging” of the stock option dating process to favor the executives receiving the options. Companies and their auditors were embarrassed by the discovery. For sure, this is not a forgotten process these days.

As you perform this analysis, you may wish to review your conclusions with your independent (external) auditor to see if your reasoning is on target with his or her expectations. Having to expand a project late in the year can be both annoying and expensive. In one case I can recall, a reluctant client with an attitude started with a proposed scope of coverage that was far less than any reasonable estimate of the required scope under the standards and kept coming back time and time again with proposed incremental increases, becoming angrier and angrier that the scope had to increase and never understanding that the better answer was to start at the other end and exclude trivial and low-risk aspects of the entity. In the end, the same result would have been achieved by starting with a broad scope, with the side benefit of decreased blood pressure for all involved.
