Internal Control Audit and Compliance - Graham Lynford

Chapter 2
Setting the Scope of Your Documentation Project
Identifying the Core
Overstatement and Understatement

The risks of overstatement and understatement regarding internal controls over financial reporting are commonly misunderstood. Many auditors working in public company environments easily recognize the risk of an overstatement of income. However, in a private entity, minimization of taxes might motivate owners to want to understate accounting income to the extent it impacts tax liabilities. The assertion of occurrence often associated with income overstatement sometimes needs to take a backseat to the assertion of completeness.

Let's say you base your scoping of procedures on the recorded amounts of sales at various locations. If the sales at the Binghamton, NY, location are being systematically skimmed, then that location will seem to be less important for both controls assessment and monitoring – just the opposite of what should happen at that location. This sort of internal theft can be difficult to detect, which points out a common limitation of monitoring (or auditing) based on reported numbers (analytical procedures) that might not be accurate: It is harder to detect errors in amounts that never enter the journals and accounts than it is to detect errors in amounts that are actually recorded. Suppose your entity is a church; do you have a record of how much loose cash is generally collected at a weekly service? Do you have statistics that relate the loose plate collections to the attendance? Is the amount recorded in the books what was put in the plate, or just the amount that was deposited in the bank account? How do you know? Is there opportunity for a disconnect to arise here?

A product line or location may appear to be poorly performing because someone has figured out a scheme to skim revenues from the organization. Restaurant license revenues of a municipality may be less than they should be because poor controls over the identification of licensed restaurants are keeping all restaurants from being properly identified in the database. For example, a standing database of licensed facilities should be updated when new licenses are issued or when businesses close, but in some organizations the two files are not related or reconciled. Unfortunately, businesses, governments, and auditors do not have a sterling track record of identifying all these businesses and financial reporting risks up front.

The lack of a consistent, reliable method for making such assessments may be part of the problem. In my view, when entities scope out locations, accounts, and business processes up front, before a careful analysis and some evidence that the area is truly low risk, they are just asking for trouble. To do the job right, I suggest first obtaining some evidence that all is well and that all the exposures have been considered, before concluding the process is indeed a low risk.

Additional Scoping Considerations

As you right-size the scope of your project, you will need to make sure you have considered the factors that contribute to the overall breadth and depth of the project. Those matters may be affected by one or more of these issues:

• Operations in multiple locations

• Internal controls that reside with third parties, such as service organizations (SOs)

• Recent internal audit and consulting projects

• Work performed by others

• Other technical scoping issues

Multiple Locations

Your evaluation of internal control should initially consider all the company's locations or business units. This does not mean that management is required to replicate its evaluation process at each location. Rather, you should make risk-based judgments about which locations should be scoped into the analysis and the nature, timing, and extent of procedures to be applied. To help you make those judgments, you may want to consider three types of risks:

1. Risks subject to centralized controls. Some companies may manage multiple locations or business units by using standard control procedures, the same software, and centralized controls. For example, consider the ABC Co., which owns and operates shopping malls. The company has developed its own information technology system, which stores and manages tenant leases and performs the basic accounting functions. The centralized processing and controls may adequately address many of the risks associated with ABC's financial reporting. In that case, it may be sufficient for management to consider the shared controls and processes as one system, barring reasons that might contribute to differences (e.g., differences in staffing quality or a local culture of questionable ethics).

2. Specific risks at individual locations or business units. In some cases, a risk may be related only to an individual location or business and therefore may not be adequately addressed by the common controls. For example, suppose that ABC acquired a very significant new mall during the year, and as of year-end it had not yet transitioned the new mall over to its central processing system. Or suppose that one of the malls was in a location that had a unique operating environment (e.g., the management and systems and policies were markedly different from other parts of the country).

In those situations, management will want to consider the controls related to those location- or business unit–specific risks.

3. Low-risk locations or business units. Some of the controls that operate at an individual location or business unit may be related to risks that are relatively low, based on experience and prior testing. In addition, the relative size of some locations in terms of assets, liabilities, and contribution of profit may be very small, and the locations pose no specific risks of the kind sometimes identified when a location is engaged in specific risk activities, such as currency trading or investing in derivative financial instruments. In those situations, management may determine that evidence about the operation of those controls gained through self-assessment and ongoing monitoring activities, when combined with the evidence derived from centralized controls, may be sufficient. However, recall the warning raised earlier regarding understated balances providing a false comfort about the insignificance of the account, balance, or location.

When making risk-based judgments about multiple locations or business units, keep in mind that the three types of risks and controls just described are not mutually exclusive. You should evaluate risk for each financial reporting element, not for the location or business unit as a whole.

The SEC, in Release 33-8810, provides specific warning about wholesale assessments in the context of evidence examination, but the implications are clear for all risk assessments by all entities:

Management should generally consider the risk characteristics of the controls for each financial reporting element, rather than making a single judgment for all controls at that location when deciding whether the nature and extent of evidence is sufficient. (p. 33)

Some implications:

• You probably should identify those business units where common controls can be considered as one population of entity-level and activity-level controls from which a common conclusion can be reached.

