Internal Controls Chapter 2 Notes PDF

Preview

Summary

n/a...

Description

ACCT 4501 – Internal Controls Chapter 2: Setting the Scope of Your Documentation Project - Identifying the Core -

The COSO (Committee of Sponsoring Organizations) internal controls framework was first released in 1992 and has become a standard internal controls assessment measure for public accountants, Sarbanes-Oxley internal control rules, internal auditors, and others worldwide.

Business Objectives } The essential starting point for determining the extent of documentation that should be included in the project is a clear statement of objectives. } You should initially cast a broad net across your entity and reduce the focus on the exclude accounts and transactions streams only as evidence concludes that risks are low. } COSO guidance emphasizes this as a precursor to risk assessment since the identified risks relate to the objectives. } To meet the minimum documentation standards expected for any project, you probably can cut out the very minor revenue streams and locations that individually are clearly insignificant in terms of assets, revenues and income. } Example, see Table 2.1 on page 22 TABLE 2.1: Using Revenue to Set Scope Revenue Sources

Income Tax

Fees

2007

$5,000,000

500,000

% of total

50%

5%

Fines 400,000 4%

Usage

Revenue Sharing

600,000

3,500,000

6%

35%

Total = $10,000,000 } At the end, you may wish to review your conclusions with your independent/external auditor to see if your reasoning is on target with the auditor’s expectation. } The initial year of documentation requires a significant commitment of time and effort. After the Initial Year } You should consider: ◦ Whether to expand the documentation process into a few other less significant areas. ◦ If your experience has offered a better way to document the core areas for more efficient update and assessment in the future.

Mapping the Entity to the Financial Statements TABLE 2.2: Using the Financial Statements to Set the Scope – Summary Categories Accounts

Consolidated

Connecticut

Revenue

1,000,000

800,000

80

200,000

20

Expenses

950,000

250,000

26

700,000

74

Income

50,000

300,000

Assets

4,000,000

Liabilities

3,500,000

Owners Capital

500,000

1,000,000

%

150

New York

%

(250,000)

25

3,000,000

0

0

3,500,000

1,000,000

200

(500,000)

75 100 -

Consider Risk, Not Just Quantitative Measures } Excluding accounts and processes because they are judged to be low risk. } BUT... there are a lot of low risk areas becoming major problems } The auditors generally pick fixed assets as a low inherent risk area for many businesses, however, it could be risky where major reclassifications of expenses are usually charged to fixed assets. } It is hard to think of an inherently safe area in the financial statements and process. } It is helpful to rotate the emphasis and the areas in which management monitor and auditors audit. Overstatement & Understatement } The risks of overstatement and understatement regarding internal controls over financial reporting are commonly misunderstood. Additional Scoping Considerations } As you right-size the scope of your project, you will need to make sure you considered factors that contribute to the overall breadth and depth of the project. } These matters may be affected by one or more of the following: ◦ Operations in Multiple Locations ◦ Service Organizations and Outsourcing ◦ Recent Internal Audit and Consulting Projects ◦ Worked Performed by Others ◦ Other technical Scoping Issues Operations in Multiple Locations } The evaluation of internal control should initially consider all the locations or business units of the company.

} This does not mean that management is required to replicate the evaluation process at each location } Risk-based judgment about which location should be scoped into the analysis and the nature, timing, and extent of procedures to be applied. } To help making this judgments, three types of risks need to be considered } Risk subject to centralized control } Specific risk at individual location or business units } Low-risk locations or business units Service Organizations and Outsourcing } Service organization may provide a wide variety of services, such as: ◦ Information Processing ◦ Trust Department ◦ Transfer Agent, Custodians, and record keeper for investment companies ◦ Others SOs Internal Audit Activities } Before turning to planning the project, management and independent auditor scoping considerations should consider the work that has already been performed and will be performed by internal audit to avoid costly re-performance and duplicated effort. } A fundamental objectives of the internal audit function is to help the entity maintain effective operational and financial control by evaluating their adequacy and effectiveness. } Standard established by the institute of internal auditors (IIA) state that this evaluation should include: } Reliability and integrity of financial and operational information } Effectiveness and efficiency of operations } Safeguarding of assets } Compliance with laws, regulations and contracts } In planning the scope of your project, you need to consider any finding of internal audit or any external regulator that reflect on the effectiveness of internal control over financial reporting. } When determining how the engagement and conclusion of others affect the scope of your engagement, you should consider the following: } The scope of other projects and whether it is sufficient to meet some or all of the objectives of your project } The timing of the work and whether it is within a time frame that would permit you to draw a conclusion as to the effectiveness of the entity’s internal control } The documentation of the procedure and whether it is sufficient for the independent auditor....