Internal Control Audit and Compliance - Graham Lynford

Preface


Much has been learned in the decade since corporations, other entities, and auditors started re-reading the 1992 COSO Internal Controls Framework document to understand their mandates to document and assess internal controls. We have been through a version of the guidance targeted to smaller public companies (2006) and special guidance for unscrambling what is meant by Monitoring (2009). In 2013 we were presented with the updated Framework that will replace that prior COSO literature after December 15, 2014, and serve as our basis for going forward. Many entities that began the COSO process in 2002-2003 have not made major changes in their approach since that time. The revised Framework provides an excellent opportunity to re-examine past practices and seek improvements and efficiencies, since some level of change is likely to be necessary anyway.

It is likely that the COSO Internal Controls Framework will be around in some form throughout our working lives. Some still fail to embrace its goals and others work hard to find ways to try to change the laws and standards or short-cut the required assessment procedures. Still others are starting to recognize some of the benefits that can be realized from effective controls and more orderly and automated processes.

This book will look back on some of the “lessons learned” as experienced by entities and auditors. We will examine some of the academic and professional literature that provides wider insight than can be obtained from solely one entity's experience. As we face the new Framework, we will consider efficient approaches to migrate entities from current approaches to the new guidance with a minimum of disruption and effort. As with any process, the assessment benefits from periodic reconsideration and improvements, and this book can assist in implementing more effective solutions in that update process.

We are now into the second and for some the third round of staff and management changes over the controls documentation and assessment project. In the natural order of things, systems are known to deteriorate over time. From my observation, that is a real challenge to all entities – “how to keep the music playing.” Internal control pioneers in the early 2000s period had a lot to learn and not much time to learn it. Many of those warriors have now moved on, up, or out. How do we properly train new team members in the use of our developed tools and also fully explain the concepts we are trying to achieve? If approached as a paint-by-numbers exercise, the end product may look acceptable (from a distance) but still not meet the main objective. Controls “101” remains a requested topic on the speaker circuit for the benefit of new project members and helps fill the gaps in understanding by those already involved in projects. This book will also try to provide some history and context from which to understand not just how to do the tasks, but to understand why they are being done and how to make the project more meaningful and valuable to the entity – and in that process, facilitate working with the independent auditors in an efficient and effective way.

This volume is meant to supplement, not replace, the COSO Framework documents. An investment in the actual Framework is worthwhile and undoubtedly at some point with some Principle or Point of Focus, you will need to dig as deep as possible into the Approaches and Examples to find a nugget you can use in crafting your assessment of how the Principle is being met. This volume cannot possibly (or legally) reproduce all the potential COSO reference material you may wish to refer to as your project proceeds.

Some suggestions, based on first readers' comments, as to how to get the most out of this volume include:

• Use the material in this volume first to get the lay of the land and understand the concepts underlying the revised Framework.

• Use the guidance here to make an initial mapping of the current state of your assessment to what COSO 2013 is seeking.

• Look at the suggested tools in this volume and in the illustrative templates in the COSO template materials and craft an initial idea of what you think your documentation might look like in a few areas.

• Take advantage of the unique guidance in this volume on crafting interviews and questionnaires, sampling and testing, and deficiency assessment.

• Try your ideas out. Include IT assessments and walkthroughs and controls tests to give any revised approach a full trial.

• Revise the plan and flesh out the new directions.

• Provide a forum for discussion with all core team members to share observations and suggestions.

• Develop training material to ensure consistent application as you roll out the new direction.

• Utilize continuous improvement and other techniques to keep the project fresh and current.

This book updates and replaces two separate volumes previously published by John Wiley & Sons: Internal Controls–Guidance for Private, Government, and Nonprofit Entities (2007) and Complying with Sarbanes Oxley Section 404: A Guide for Small Publicly Held Entities (2010). Because of the common Framework these diverse applications now share, it makes sense to combine these volumes at this time. Many of the technical and operational issues are shared in these applications, albeit with different levels of importance and intensity to specific entities and audit environments.

The evolution of the COSO Framework is one of close personal association since I was a partner with Coopers & Lybrand as the 1992 Framework was first being drafted for COSO and introduced to (C&L) clients. I was responsible for the development and training at BDO in applying the Framework to SOX, was a member of a professional Firm 404 Implementation Task Force and was a member of the Auditing Standards Board as the COSO Framework was further integrated into Generally Accepted Auditing Standards. I was appointed as an AICPA representative in roundtable discussions with COSO developers leading up to the release of the 2006 enhanced guidance for smaller public entities and have worked with companies and auditors in implementation issues throughout this period and to date. I have developed several training courses for the AICPA and other associations in documenting internal controls. My sincere hope is that this work will make a difference for those seeking new insights and better approaches to the implementation of the Framework. I would like to thank my clients for all the learning opportunities along the way.
