Printer Friendly

Monitoring as a component of internal control systems.

According to INTOSAI, internal control in public sector organizations should be understood within the context of the specific characteristics of these organizations, "i.e. their focus on meeting social or political objectives; their use of public funds; the importance of the budget cycle; the complexity of their performance (that calls for a balance between traditional values like legality, integrity and transparency and modern, managerial values like efficiency and effectiveness); and the correspondingly broad scope of their public accountability."

PCAOB claims that the auditor should properly plan the audit of internal control over financial reporting and properly supervise any assistants. The complexity of the organization, business unit, or process, will play an important role in the auditor's risk assessment and the determination of the necessary procedures. The auditor must test those entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting. Because of its importance to financial reporting and to the auditor's opinions on internal control over financial reporting and the financial statements, the auditor must evaluate the period-end financial reporting process. The risk factors that the auditor should evaluate in the identification of significant accounts and disclosures and their relevant assertions are the same in the audit of internal control over financial reporting as in the audit of the financial statements. The decision as to whether a control should be selected for testing depends on which controls, individually or in combination, sufficiently address the assessed risk of misstatement to a given relevant assertion rather than on how the control is labeled. "A smaller, less complex company might achieve its control objectives in a different manner from a larger, more complex organization. For example, a smaller, less complex company might have fewer employees in the accounting function, limiting opportunities to segregate duties and leading the company to implement alternative controls to achieve its control objectives. In such circumstances, the auditor should evaluate whether those alternative controls are effective." (2)

PCAOB argues that the evidence provided by the auditor's tests of the effectiveness of controls depends upon the mix of the nature, timing, and extent of the auditor's procedures. The nature of the tests of effectiveness that will provide competent evidence depends (to a large degree) on the nature of the control to be tested, including whether the operation of the control results in documentary evidence of its operation. The auditor should vary the nature, timing, and extent of testing of controls from year to year to introduce unpredictability into the testing and respond to changes in circumstances. In evaluating the magnitude of the potential misstatement, the maximum amount that an account balance or total of transactions can be overstated is generally the recorded amount, while understatements could be larger. "When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness." (3)

PCAOB says that the failure to obtain written representations from management (including management's refusal to furnish them) constitutes a limitation on the scope of the audit. The auditor should communicate to management, in writing, all deficiencies in internal control over financial reporting identified during the audit and inform the audit committee when such a communication has been made. The auditor may choose to issue a combined report or separate reports on the company's financial statements and on internal control over financial reporting. Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. "If the material weakness has not been included in management's assessment, the report should be modified to state that a material weakness has been identified but not included in management's assessment. Additionally, the auditor's report should include a description of the material weakness, which should provide the users of the audit report with specific information about the nature of the material weakness and its actual and potential effect on the presentation of the company's financial statements issued during the existence of the weakness. In this case, the auditor also should communicate in writing to the audit committee that the material weakness was not disclosed or identified as a material weakness in management's assessment. If the material weakness has been included in management's assessment but the auditor concludes that the disclosure of the material weakness is not fairly presented in all material respects, the auditor's report should describe this conclusion as well as the information necessary to fairly describe the material weakness." (4)

Sullivan & Cromwell LLP holds that in the case of a financial reporting element that has a relatively high risk characteristic but the associated control has a very low risk of failure, the required level of evidence may be lower. Where the operation of a control is complex or requires judgment at the individual location, the ICFR risk would be higher, and more evidence would be required regarding the control's operation at the individual location. Management should recognize that the maximum amount that a balance can be overstated is the amount recorded on the financial statements (the maximum amount that a balance can be understated is much larger). In the event a company is required to restate its financial statements as a result of a material misstatement in the financial statements, management is not necessarily required to reassess or revise its previous conclusion regarding the effectiveness of internal control over financial reporting. "In determining how and to what extent an auditor can use knowledge gained in prior years' audits, the auditor should consider (1) the nature, timing and extent of procedures performed in previous audits; (2) the results of the previous years' testing of the relevant control; and (3) whether there have been changes in the relevant control or the process in which it operates since the previous audit." (5)

Sullivan & Cromwell LLP points out that in addition to competence and objectivity, risk assessment will also play a role in determining how and to what extent an auditor may use the work of others, with the need for the auditor to perform his or her work increasing with the level of risk associated with the particular control. When determining when to test controls, auditors must balance the need to test closer to the as-of date with the need to test controls over a sufficient period of time to obtain adequate evidence of operating effectiveness. In the event that the auditor identifies a material weakness, the auditor must express an adverse opinion on the effectiveness of internal control over financial reporting (the audit report must include an identification of the material weakness described in management's assessment). In identifying significant accounts and disclosures and their relevant assertions, auditors should evaluate the risk factors related to the financial statement line items and disclosures. "Relevant risk factors include: size and composition of the account; susceptibility to misstatement due to errors or fraud; volume of activity, complexity and homogeneity of the individual transactions processed through the account or reflected in the disclosure; nature of the account or disclosure; accounting and reporting complexities associated with the account or disclosure; exposure to losses in the account; possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure; existence of related party transactions in the account; and changes from the prior period in account or disclosure characteristics." (6)

INTOSAI maintains that entities that actively identify and manage risks are more likely to be better prepared to respond quickly when things go wrong and to respond to change in general. Operations, processes and activities should be periodically reviewed to ensure that they are in compliance with current regulations, policies, procedures, or other requirements. General controls are the structure, policies and procedures that apply to all or a large segment of an entity's information systems and help ensure their proper operation. Application controls may be categorized by the kinds of control objectives they relate to, including whether transactions and information are authorized, complete, accurate and valid. Management's ability to make appropriate decisions is affected by the quality of information which implies that the information should be appropriate, timely, current, accurate and accessible. Information systems produce reports that contain operational, financial and non-financial, and compliance-related information, and that make it possible to run and control the operation. "In order to help ensure the quality of information and reporting, carry out the internal control activities and responsibilities, and make monitoring more effective and efficient, the internal control system as such and all transactions and significant events should be fully and clearly documented. This documentation should be readily available for examination. Documentation of the internal control system should include identification of an organization's structure and policies and its operating categories and related objectives and control procedures. An organization must have written evidence of the components of the internal control process, including its objectives and control activities." (7)

INTOSAI asserts that internal control systems should be monitored to assess the quality of the system's performance over time. Specific separate evaluations cover the evaluation of the effectiveness of the internal control system and ensure that internal control achieves the desired results based on predefined methods and procedures. The scope and frequency of separate evaluations should depend primarily on the assessment of risks and the effectiveness of ongoing monitoring procedures. "Monitoring internal control should include policies and procedures aimed at ensuring the findings of audits and other reviews are adequately and promptly resolved. Managers are to (1) promptly evaluate findings from audits and other reviews, including those showing deficiencies and recommendations reported by auditors and others who evaluate agencies' operations, (2) determine proper actions in response to findings and recommendations from audits and reviews, and (3) complete, within established time frames, all actions that correct or otherwise resolve the matters brought to their attention." (8)

Conclusion

In an effective internal control system, the COSO Framework's five components work together, providing reasonable assurance to management and the board of directors regarding the achievement of the organization's objectives. The internal control systems should be monitored to assess the quality of the system's performance over time. Specific separate evaluations cover the evaluation of the effectiveness of the internal control system and ensure that internal control achieves the desired results based on predefined methods and procedures. Absent effective monitoring, controls within any or all of the five components may change, cease to operate, or lose effectiveness because of changes in circumstances.

REFERENCES

(1.) COSO Framework, 69.

(2.) PCAOB (2007), An Audit of Internal Control over Financial Reporting that Is Integrated with an Audit of Financial Statements: 411.

(3.) Ibid., 419.

(4.) Ibid., 428-429.

(5.) Sullivan & Cromwell LLP, (2007) Internal Control over Financial Reporting: 13.

(6.) Ibid., 16.

(7.) INTOSAI (2006), Guidelines for Internal Control Standards for the Public Sector, Brussels: 38.

(8.) Ibid., 42.

LUMINITA IONESCU

luminitaionescu2003@yahoo.com

Spiru Haret University, Bucharest
COPYRIGHT 2011 Addleton Academic Publishers
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2011 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Proceedings of the 5th World Congress on the Advancement of Scholarly Research in Science, Economics, Law, and Culture: May 27-30, 2010 New York
Author:Ionescu, Luminita
Publication:Economics, Management, and Financial Markets
Article Type:Report
Geographic Code:4EXRO
Date:Jun 1, 2011
Words:1902
Previous Article:Internal control for economic crunch.
Next Article:Economic applications of dynamical systems theory.
Topics:

Terms of use | Privacy policy | Copyright © 2022 Farlex, Inc. | Feedback | For webmasters |