Читать книгу Internal Control Audit and Compliance - Graham Lynford - Страница 20

In the last section, we illustrated a technique for using revenues to identify the core of the entity for documentation and assessment. A further suggestion would be for the controls documentation project manager to make a template of accounts and balances based on the recent financial statements. Both the balance sheet and the income statement are relevant, so include them along the left column of a multicolumn spreadsheet. In most financial reports, the detailed accounts listed in the consolidated auditor's report are material in amount, or else they likely would have been summarized in some way. Enumerate them in the spreadsheet. Decide on some meaningful way of expressing the different parts of the business across the top rows: say, by segments/divisions/locations/types of revenues, and so on, that describe your entity. (I will call these “segments” for discussion purposes.) Leave a column between each segment. Now, using data relating to each of the identified segments, break out the aggregate consolidated numbers into the individual segments. In some commercial companies, there exist sales subsidiaries for which a sales activity is the only activity associated with the location; order fulfillment and other activities are accounted for elsewhere. In such entities, do not be surprised if some such segments only have one relevant or significant process or transaction cycle (sales to cash).

Have the spreadsheet compute for you the percentage of the consolidated total of each segment. What you should see emerging from this analysis is the ability for you to identify the central core of your entity. You may wish to give special consideration to the implications of transactions (or transfers of costs and revenues) between segments (if there are any) when they are present, even though they may be eliminated during the consolidation process.

In Table 2.2, the financial statement data is used to identify those accounts and cycles that are to be included in the scope of the documentation and assessment project.

Table 2.2 Using the Financial Statements to Set the Scope – Summary Categories

This example shows summary financial data only as an illustration. The New York location is a headquarters and a first-stage manufacturing center; sales transactions are conducted out of the Connecticut facility, which finalizes the product to specifications for shipment. By including the assets and liabilities and expenses at corporate and the revenues at the primary sales location, most of the core business can be covered. The income row is not a very meaningful one from which to make inclusion or exclusion decisions in this example; however, it may be in some situations. Note that in the Barings Bank implosion, the previously significant Singapore-based contributions to consolidated earnings from trading currencies originated from a tiny operation, one that would not be detectable if assets were used to determine scope. The same was true with Orange County, CA, where the profits (before the collapse) from interest rate derivative trades were far more significant than any associated fixed assets or even expenses. Even in the areas that are not identified as the core, a risk assessment, some documentation, and some analysis regarding key controls may need to be developed, since the amounts in the noncore areas are not often trivial.

Do not be surprised if the largest revenue and the largest cost contributors are not in the same segment or location. The key is to look at the entity as a whole and identify where the revenues and costs are accumulating. In some universities, revenues (e.g., day tuition, graduate tuition, night school tuition, fees, etc.) are meticulously segregated, but the costs of undergraduate, graduate, and distance learning faculty may be all accounted for in the aggregate and not separated. In a municipality, the budget may also be an excellent tool for risk assessment and scoping.

You may have to slice and dice your entity several different ways (e.g., product line, location, revenue type such as cash sales and Internet sales) in order to find a logical entity profile or use these different perspectives in ensuring all important areas and scoped into the assessment. However, this actually results in an excellent documentation of your thought process as to what portion of your entity is considered your core and why it is or is not included in the scope of your documentation project. Public companies should clearly document the rationale associated with decisions, particularly ones that limit or scope out certain areas from the assessment.

Plan to update this analysis annually going forward to have it respond to changes in the business. Along the way you may even need to reconsider the bases used to assess the entity. If location was a logical base to use for the assessment initially, product line may be a more logical and cost-effective base to use in future years. Don't get stuck in a rut. COSO has included in the risk assessment component a new principle that management should be updating the risk assessments for changes in the business environment (Principle 9).