
(some) to “high.” When high assurance is sought, the project scope and testing level are similar to those required for an attestation. However, the assurance sought for controls reliance usually covers the entire audit period, not just the status of internal controls on the date of the report.

      Nonpublic entities may optionally report on the effectiveness of their internal controls. Auditors can attest to these assertions under the revised AICPA attestation standards (e.g., AT 501). Alternative attestations allow for attestations on only the design of the controls or an attestation on both the design and operating effectiveness of the controls over financial reporting. For example, a nonprofit entity may wish to report on internal controls to provide assurance to donors of its stewardship over the donated funds and as a competitive tool to attract new donors. It seems likely that some government entities may soon be required to publicly report on their internal controls as a demonstration of their stewardship of public funds.

      For certain regulated program audits (e.g., Office of Management and Budget [OMB] A-133 program audits of federal awards and programs), there may be specific audit requirements to meet compliance (with laws and regulations) that require tests of specifically identified controls over compliance by auditors. A source of confusion among some auditors is the fact that there exists very different guidance for financial statement and compliance-oriented government program audits. The focus of this book is on the ICFR.

      Public companies report publicly on the effectiveness of their ICFR. As a result, SEC regulations require these entities to test controls as a basis for their assertion. There are specific exemptions from this requirement for companies when they first become public. Auditors of smaller public companies do not have to specifically report to the public on the effectiveness of the auditee's internal controls in the SEC 10-K annual filing. (This relief is now permanent under the Dodd-Frank Act of 2010.) However, auditors of larger public companies, accelerated filers,³ do have to report to the public on the effectiveness of the auditee's internal controls in the required SEC 10-K annual filing. Therefore, auditors would also have a requirement to test internal controls as a basis for their assertion. The auditors of newly registered companies (under the Jumpstart Our Business Startups [JOBS] Act) may qualify for an exemption to auditor reporting on internal controls, provided revenues are under a predefined threshold.

      As noted later, auditor oversight and testing may be important to ensure the quality of management's assertion regarding the effectiveness of controls. This seems to be particularly true as management first becomes familiar with controls issues.

      Triangle of Efficiency

Everyone desires an efficient project. From experience, an important consideration in achieving an efficient implementation of a controls assessment project is an understanding of the tasks and the acquisition of the skills before beginning in earnest the documentation, assessment, and testing process. Time and again the failure of one of the three key elements in what I call the triangle of efficiency (see Figure 1.3) is the root cause of wasted time and energy, and more often than not it results in an incomplete or incorrect assessment. This is an issue worth mentioning at the start, because false steps will cost money to correct.

Figure 1.3 Triangle of Efficiency

      The three knowledge components are:

      1. Knowledge of entity and/or auditor requirements.

      2. Knowledge of COSO.

      3. Knowledge of company controls and processes.

      In the case of public companies, their specific requirements are stated by the SEC. Private companies should look to COSO for guidance. While there is nothing contradictory about the SEC and COSO literatures, public companies should be familiar with the SEC-specific requirements, which may contain more detail regarding specific reporting and filing requirements. Public company auditors will be looking toward PCAOB Auditing Standard No. 5 for their requirements, which happen to be closely aligned with the SEC requirements, and ensuring public companies are following that guidance.

      It often feels good just to get started on a project and begin to accumulate some evidence of progress. Indeed, that was a clear motivation in companies and auditors beginning to document the detailed activity-level controls over transactions before comprehending the scope of the requirements in 2004 when first reporting on controls under SOX. The resultant complaints about costs and time expended are intertwined with issues regarding failures to consider one or more of the three triangle components.

      Experience says that if any of the three elements here is lacking, then there will be an impact on the efficiency and effectiveness of the overall project. Company consultants may be very competent in knowing COSO and knowing company and audit requirements, but they still have to learn the entity and its controls in order to perform their task. Close integration of company and consulting personnel can contribute greatly to efficiency of the company project over a strategy where the task is given primarily to the consultant. In the long run, the most efficient process is often one that is brought in-house and maintained by the entity. This controls focus in entity culture and auditing is not likely to go away. It is likely a part of our permanent business environment.

      Controls versus Processes

      A good discussion to have before plunging into more subject matter here concerns the source of the surprisingly widespread misunderstanding regarding the distinction between controls and processes. COSO and the regulatory requirements for companies and auditors are directed at controls. The public company assertions about internal control effectiveness are directed at controls. So why is so much time and effort devoted to evaluating and documenting the business processes underlying the controls in company and auditor documentation? A significant potential source of efficiency and greater effectiveness in the controls documentation and assessment tasks is a clear distinction between controls and processes.

      A simple example: A cash payment (cutting the check) is part of a process. A review of the support for the payment by someone other than the accountant is a control. A sale on credit initiates a process of shipment and recognition of a receivable. Checking the credit rating of the customer or checking that the customer is preapproved is a control over the validity or existence of the sale. The requirements are to document, assess, and test controls, not processes. But mountains of documentation are produced and retained in the name of controls documentation, which many times do not contain the description of a single real control.

      If all the unnecessary documentation that has been produced magically evaporated from the hard drives and storage rooms of companies and auditors, some highly underutilized storage capacity would be revealed. Please understand, I know we are fond of our flowcharts, narratives that go on and on, and creating a lot of detailed descriptions of how things work. There is nothing wrong with all that. But the focus here is controls. How do we ensure completeness, how do we ensure our ownership of the assets we claim, how do we ensure the transactions are recorded in the proper period? As long as all these considerations (and a lot more to be discussed later) are addressed, the only drawbacks to the volumes we create are the updating review and edit we have to apply when changes occur and the mountains of data that have to be reviewed by management and the independent auditors. It's only money.

      A current trend is away from the beloved narratives toward more flowcharting to document the business process and control points. However, it may be more efficient to keep separate controls documents than to muddy up flowcharts with all the data necessary to describe, assess, and hold the tests of the controls. Flowcharts or narratives can still be referenced to specific controls documentation.

      By careful adherence to the spirit of the COSO Framework, the documentation of controls can be concise and organized. Whether you are just beginning in this process now or are seeking ways out of the quagmire of documentation produced previously, there is a way to meet the requirements without producing excessive volumes of documentation.

      Internal Control Has Limitations

      The existence of undesirable outcomes like misstatements and omitted disclosures may indicate



³ Accelerated filers have a market capitalization of $75 million or more.