This article will focus on the basic requirements of the AU-C section 315 with respect to the auditor's understanding of internal control of an entity and the nature of the basic elements of a system of internal control.
The following paragraphs are excerpts from AU Section 315-C (This section should be read in its entirety for a complete understanding of internal control issues related to the audit.):
The following paragraphs are excerpts from AU Section 315-C (This section should be read in its entirety for a complete understanding of internal control issues related to the audit.):
0.13 The auditor should obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor's professional judgment whether a control, individually or in combination with others, is relevant to the audit. (Ref.: Par .A42-.A67)
Nature and Extent of the Understanding of Relevant Controls (Ref.: 0.14 Par):
.a68 Evaluate the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. Implementation of a control means that the control exists and that the entity is using it. The evaluation of the implementation of a control that is not designed effectively is of little use, so the design of a control is considered first. A poorly designed control may represent a significant deficiency or material weakness in internal control of the entity.
Risk assessment procedures .A69 to obtain audit evidence about the design and implementation of relevant controls may include:
• inquiring of entity personnel.
• observing the application of specific controls.
• Inspection of documents and reports.
• tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes
Elements of Internal Control-C AU Section 315
Control Environment: The core of any business is its people and the environment in which they operate. The tone at the top (i.e., management attitudes, values and behaviour’s) provides the control environment for other employees.
Risk Assessment: The Company must consider and deal with the risks faced; identify the risk of error or fraud and the implementation of corrective actions is the primary responsibility of management.
Control activities: Control policies and procedures must be designed and operated to address risks to the achievement of the objectives of the organization.
Information and communication: These systems allow people of the entity to obtain and use the information needed to conduct, manage and control operations.
Monitoring: The internal control process must be monitored and changed by management as the circumstances and the conditions required.
In 2013, the Committee of Sponsoring Organizations of the Tread way Commission (COSO) updated and published a review of the Internal Control-Integrated Framework, originally published in 1992. The updated report did not change the basic components of internal control, but, among other explanatory issues the framework sets out 17 principles for the application of these components. These principles of COSO report are presented below, as they apply to the components of internal control.
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The Board of Directors demonstrates independence from management and exercises oversight of the development and results of internal controls.
3. Directors establishes, under the supervision board, structures, reporting lines, and authorities and responsibilities in the pursuit of goals.
4. The organization demonstrates a commitment to attract, develop and retain competent people in alignment with the objectives.
5. The organization holds individuals responsible for their internal control responsibilities in the pursuit of goals.
Risk Assessment
6. The organization specifies goals enough to allow identification and assessment of risks related to the objectives clearly.
7. The organization identifies the risks to achieving its goals through the organization and risk analysis as a basis for determining how risks should be managed.
8. The organization believes that the possibility of fraud in the assessment of risks to achieving the objectives.
9. The organization identifies and evaluates changes that could significantly affect internal control system.
Control Activities
10. The organization selects and develops control activities that help to mitigate the risks to the achievement of the objectives to acceptable levels.
11. The organization selects and develops activities of general control over the technology to support achievement of objectives.
12. The organization implements control activities through policies that establish what is expected and procedures put policies into action.
Information and Communication
13. The organization gets, generates and uses, relevant information to support the operation of internal quality controls.
14. The organization communicates information internally, including the objectives and responsibilities of internal control necessary to support the operation of internal controls.
15. The organization communicates with external parties on matters that affect the functioning of internal controls.
Monitoring Activities
16. The organization selects, develops and conducts ongoing assessments and / or separately to determine whether the internal control components are present and functioning.
17. The organization evaluates and communicates the internal control deficiencies in a timely manner to those parties responsible for remedial measures, including senior management and the board as appropriate.
Internal control is always relevant to the nature, size and complexity of the reporting entity. Small companies usually have more informal controls carried out by one or a few people. While the basic components of internal control must be present in small and medium-sized entities, the 17 principles ordinarily be subjectively included in the design and operation of internal controls of the entity. Larger organizations can develop specific controls for these explanatory principles.
In general, internal controls over financial reporting include those that are designed to make sure that financial data is recorded, processed, summarized and reported consistent with management representations (statements) in the financial statements. Management of an entity has the primary responsibility for internal control. An auditor's responsibilities include evaluating whether the five components are designed and operating effectively, given the nature, size and complexity of the entity.
The following article will begin a practical discussion of what the auditors need to know about the internal control and monitoring activities play a part in the process of risk assessment required by Section 315 AU-C.
Nature and Extent of the Understanding of Relevant Controls (Ref.: 0.14 Par):
.a68 Evaluate the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. Implementation of a control means that the control exists and that the entity is using it. The evaluation of the implementation of a control that is not designed effectively is of little use, so the design of a control is considered first. A poorly designed control may represent a significant deficiency or material weakness in internal control of the entity.
Risk assessment procedures .A69 to obtain audit evidence about the design and implementation of relevant controls may include:
• inquiring of entity personnel.
• observing the application of specific controls.
• Inspection of documents and reports.
• tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes
Elements of Internal Control-C AU Section 315
Control Environment: The core of any business is its people and the environment in which they operate. The tone at the top (i.e., management attitudes, values and behaviour’s) provides the control environment for other employees.
Risk Assessment: The Company must consider and deal with the risks faced; identify the risk of error or fraud and the implementation of corrective actions is the primary responsibility of management.
Control activities: Control policies and procedures must be designed and operated to address risks to the achievement of the objectives of the organization.
Information and communication: These systems allow people of the entity to obtain and use the information needed to conduct, manage and control operations.
Monitoring: The internal control process must be monitored and changed by management as the circumstances and the conditions required.
In 2013, the Committee of Sponsoring Organizations of the Tread way Commission (COSO) updated and published a review of the Internal Control-Integrated Framework, originally published in 1992. The updated report did not change the basic components of internal control, but, among other explanatory issues the framework sets out 17 principles for the application of these components. These principles of COSO report are presented below, as they apply to the components of internal control.
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The Board of Directors demonstrates independence from management and exercises oversight of the development and results of internal controls.
3. Directors establishes, under the supervision board, structures, reporting lines, and authorities and responsibilities in the pursuit of goals.
4. The organization demonstrates a commitment to attract, develop and retain competent people in alignment with the objectives.
5. The organization holds individuals responsible for their internal control responsibilities in the pursuit of goals.
Risk Assessment
6. The organization specifies goals enough to allow identification and assessment of risks related to the objectives clearly.
7. The organization identifies the risks to achieving its goals through the organization and risk analysis as a basis for determining how risks should be managed.
8. The organization believes that the possibility of fraud in the assessment of risks to achieving the objectives.
9. The organization identifies and evaluates changes that could significantly affect internal control system.
Control Activities
10. The organization selects and develops control activities that help to mitigate the risks to the achievement of the objectives to acceptable levels.
11. The organization selects and develops activities of general control over the technology to support achievement of objectives.
12. The organization implements control activities through policies that establish what is expected and procedures put policies into action.
Information and Communication
13. The organization gets, generates and uses, relevant information to support the operation of internal quality controls.
14. The organization communicates information internally, including the objectives and responsibilities of internal control necessary to support the operation of internal controls.
15. The organization communicates with external parties on matters that affect the functioning of internal controls.
Monitoring Activities
16. The organization selects, develops and conducts ongoing assessments and / or separately to determine whether the internal control components are present and functioning.
17. The organization evaluates and communicates the internal control deficiencies in a timely manner to those parties responsible for remedial measures, including senior management and the board as appropriate.
Internal control is always relevant to the nature, size and complexity of the reporting entity. Small companies usually have more informal controls carried out by one or a few people. While the basic components of internal control must be present in small and medium-sized entities, the 17 principles ordinarily be subjectively included in the design and operation of internal controls of the entity. Larger organizations can develop specific controls for these explanatory principles.
In general, internal controls over financial reporting include those that are designed to make sure that financial data is recorded, processed, summarized and reported consistent with management representations (statements) in the financial statements. Management of an entity has the primary responsibility for internal control. An auditor's responsibilities include evaluating whether the five components are designed and operating effectively, given the nature, size and complexity of the entity.
The following article will begin a practical discussion of what the auditors need to know about the internal control and monitoring activities play a part in the process of risk assessment required by Section 315 AU-C.
No comments:
Post a Comment