
have been considered, before concluding the process is indeed a low risk.

      Additional Scoping Considerations

      As you right-size the scope of your project, you will need to make sure you have considered the factors that contribute to the overall breadth and depth of the project. Those matters may be affected by one or more of these issues:

      • Operations in multiple locations

      • Internal controls that reside with third parties, such as service organizations (SOs)

      • Recent internal audit and consulting projects

      • Work performed by others

      • Other technical scoping issues

       Multiple Locations

      Your evaluation of internal control should initially consider all the company's locations or business units. This does not mean that management is required to replicate its evaluation process at each location. Rather, you should make risk-based judgments about which locations should be scoped into the analysis and the nature, timing, and extent of procedures to be applied. To help you make those judgments, you may want to consider three types of risks:

      1. Risks subject to centralized controls. Some companies may manage multiple locations or business units by using standard control procedures, the same software, and centralized controls. For example, consider the ABC Co., which owns and operates shopping malls. The company has developed its own information technology system, which stores and manages tenant leases and performs the basic accounting functions. The centralized processing and controls may adequately address many of the risks associated with ABC's financial reporting. In that case, it may be sufficient for management to consider the shared controls and processes as one system, barring reasons that might contribute to differences (e.g., differences in staffing quality or a local culture of questionable ethics).

      2. Specific risks at individual locations or business units. In some cases, a risk may be related only to an individual location or business and therefore may not be adequately addressed by the common controls. For example, suppose that ABC acquired a very significant new mall during the year, and as of year-end it had not yet transitioned the new mall over to its central processing system. Or suppose that one of the malls was in a location that had a unique operating environment (e.g., the management, systems, and policies were markedly different from other parts of the country).

      In those situations, management will want to consider the controls related to those location- or business unit–specific risks.

      3. Low-risk locations or business units. Some of the controls that operate at an individual location or business unit may be related to risks that are relatively low, based on experience and prior testing. In addition, some locations may be very small in terms of assets, liabilities, and contribution of profit, and may pose none of the specific risks that are sometimes identified when a location engages in specific risk activities, such as currency trading or investing in derivative financial instruments. In those situations, management may determine that evidence about the operation of those controls gained through self-assessment and ongoing monitoring activities, when combined with the evidence derived from centralized controls, may be sufficient. However, recall the warning raised earlier regarding understated balances providing a false comfort about the insignificance of the account, balance, or location.

      When making risk-based judgments about multiple locations or business units, keep in mind that the three types of risks and controls just described are not mutually exclusive. You should evaluate risk for each financial reporting element, not for the location or business unit as a whole.

      The SEC, in Release 33-8810, provides a specific warning about wholesale assessments in the context of evidence examination, but the implications are clear for all risk assessments by all entities:

      Management should generally consider the risk characteristics of the controls for each financial reporting element, rather than making a single judgment for all controls at that location when deciding whether the nature and extent of evidence is sufficient. (p. 33)

      Some implications:

      • You probably should identify those business units where common controls can be considered as one population of entity-level and activity-level controls from which a common conclusion can be reached.

1

In 2003, COSO published a draft of a document, entitled Enterprise Risk Management (ERM) Framework, whose purpose was to provide guidance on the process used by management to identify and manage risk across the enterprise. This new framework is not intended to supersede or otherwise amend its earlier internal control framework guidance on internal control. Internal control is encompassed within and an integral part of enterprise risk management. Enterprise risk management is broader than internal control, expanding the discussion to form a more robust conceptualization of enterprise risk. Internal Control–Integrated Framework remains in place for entities and others looking at internal control over financial reporting by itself. Note: Entities using the ERM Framework will still need to make a pointed financial statement risk assessment, as detailed in the risk assessment component discussion.

2

For example, PCAOB Auditing Standard (AS) No. 5, paragraph A5.

3

Accelerated filers have a market capitalization of $75 million or more.
