Читать книгу Wiley Practitioner's Guide to GAAS 2020 - Joanne M. Flood - Страница 181

The appendix to Section 265.A37 lists the following as examples of circumstances that may be control deficiencies in the design of controls, or failures in the operation of internal control. As such, auditors should consider these matters when designing and performing risk assessment procedures to gain an understanding of the design and implementation of internal control and when performing and evaluating the results of further audit procedures.

Deficiencies in Internal Control Design

 Inadequate design of internal control over the preparation of the financial statements being audited.

 Inadequate design of internal control over a significant account or process.

 Inadequate documentation of the components of internal control.

 Insufficient control consciousness within the organization—for example, the tone at the top and the control environment.

 Absent or inadequate segregation of duties within a significant account or process.

 Absent or inadequate controls over the safeguarding of assets (this applies to controls that the auditor determines would be necessary for effective internal control over financial reporting).

 Inadequate design of information technology (IT) general and application controls that prevents the information system from providing complete and accurate information consistent with financial reporting objectives and current needs.

 Employees or management who lack the qualifications and training to fulfill their assigned functions (for example, in an entity that prepares financial statements in accordance with generally accepted accounting principles [GAAP], the person responsible for the accounting and reporting function lacks the skills and knowledge to apply GAAP in recording the entity’s financial transactions or preparing its financial statements).

 Inadequate design of monitoring controls used to assess the design and operating effectiveness of the entity’s internal control over time.

 The absence of any internal process to report deficiencies in internal control to management on a timely basis.

 Evidence of ineffective aspects of the control environment, such as indications that significant transactions in which management is financially interested are not being appropriately scrutinized by those charged with governance.

 Evidence of an ineffective entity risk assessment process, such as management’s failure to identify a risk of material misstatement that the auditor would expect the entity’s risk assessment process to have identified.

 Evidence of an ineffective response to identified significant risks (for example, absence of controls over such a risk).

 Absence of a risk assessment process within the entity when such a process would ordinarily be expected to have been established.