Logo en.artbmxmagazine.com

Understanding, evaluation and validation of internal control for external auditors in Cuba

Anonim

Introduction

The objective of this work is to analyze and comment on the experiences of applying external audits and their direct relationship with the decision on the levels of comfort that this auditor can expect, allowing higher levels of efficiency to be achieved.

Internal control. Concepts and Characteristics of the use by the External Auditor

What is internal control?

Internal control is a process carried out by the Director of an entity, the Administration or other members, designed to provide a reasonable degree of security regarding the fulfillment of efficacy and efficiency objectives, generation of reliable financial information and compliance with laws and regulations.

Its "effectiveness" is a state or condition at a certain time. For the work of the External Auditor, the main focus is on the portion of internal control that refers to the “financial report”.

Why is the study and evaluation of internal control in the audit of interest?

The auditor should obtain an understanding of the entity's process to identify business risks relevant to the objectives of the financial report and decide on actions to mitigate these risks and results.

By evaluating control activities and analyzing results, you may or may not place confidence in controls, which reduces our substantive testing and provides us with appropriate audit evidence.

Audit Comfort Cycle, Relationship with internal control

The internal control approach must take into account some business processes or segments thereof, in terms of "cycles" in which related transactions can be grouped appropriately and for which the management of an entity establishes control activities and specific accounting procedures. Each cycle regularly encompasses several types of transactions that vary according to the business in question. Each class of transactions can be further divided by specific transaction type; for example, the sale of products and services can be subdivided into cash sales and credit sales, or foreign sales and domestic sales. Each class of transaction is distinguished from each other primarily by differences in accounting procedures and control activities that apply to them.

The basis of a cycle is the path by which each class of transactions moves through the accounting system and the nature of the control activities that are applied. The auditor should evaluate each class of transaction to determine if appropriate accounting procedures and control activities were designed and if they are operating effectively to achieve their financial reporting control objectives. To the extent that the auditor obtains evidence that these objectives are being met, he may reduce the substantive tests aimed at verifying the existence / occurrence, totality and accuracy of the accounting balances affected by the cycle and transaction under analysis.

Control activities

Control activities are the policies and procedures that provide a reasonable degree of assurance that risks are mitigated throughout the organization, at all levels and in all functions, which include:

i. Business performance reviews

ii. Controls over transaction processing

iii. Asset safeguard controls

iv. Segregation of duties

v. General Information Technology Controls

i. Business performance reviews.

They are applied to the results of transactions, not to control activities. They are analyzes carried out by the Management, Administration or those responsible for the different business functions and are aimed at:

- Analysis of results and evaluation of achievement of objectives

- Analyze operational needs (for example, availability of cash to make payments)

- Identification of unexpected results

- Compliance with legislation

Performance reviews may include:

- Review, analysis and monitoring of information, possibly by comparing with budgets or previous years

- Review and monitoring of exception reports, highlighting abnormal balances and transactions or summaries of processed transactions

- Comparison of different sets of related data - operational or financial - together with the analysis of said data, investigation and corrective actions

- Review of the performance of functional activities such as the number of new customers, deadlines for supplier deliveries, inventory levels, etc.

- Review of market / industry indicators and comparison with own indicators to detect and investigate possible deviations

ii. Controls over transaction processing.

- They are performed on individual transactions, transaction batches, individual balances and data that are used for processing and can be manual or automated. They provide the most detailed level of control that can normally be presented in an organization.

- In general, these are preventive controls, which are designed to avoid errors or irregularities or to detect in a timely manner those that may have been made during the processing and generally provide direct confidence about the statements in the financial statements.

- Controls on transaction processing are divided into:

- Independent controls

- Authorization

controls - Controls on data entry

- Controls on suspensions or rejections

- Controls on data processing

iii. Asset safeguard controls.

These are the controls related to the custody of the assets and include:

- Controls and security measures designed to ensure that access to assets is limited only to authorized personnel.

- Controls to ensure that assets are protected against the issuance of documents that would authorize their misuse or embezzlement.

- Assets include movable and immovable property, cash or collection documents, data records including confidential information.

iii. Segregation of functions.

- These are controls designed to prevent a person from being in a position to control different stages of the processing of a transaction without another person detecting errors or irregularities, if they occur.

- This includes the combination of different transactions that could allow a person to hide an error or irregularity. For example, the income from collections and credit notes. The flow of information should be designed so that the work of one person, in addition to fulfilling a certain objective, is independent or serves as verification of the work of another.

- Generally the functions to segregate are:

- Start transactions

- Authorize transactions

- Process transactions

- Record transactions

- Custody assets

- Another transaction that allows you to hide an error or irregularity

iv. General information technology controls.

The work of General Information Technology Controls is divided into 4 key areas:

1) Organizational structure and operating procedures of the IT department

2) Development, implementation and maintenance of applications

3) Physical and logical security, which are divided into:

- Access controls at the database and infrastructure level

- Physical protection of computer equipment

4) Operational continuity of the technological infrastructure and the processes that support it

When ITGCs are effective, automatic application controls are more efficient for evaluation than manual controls, some examples of these are:

- Automated calculations or data processing routines programmed in the application.

- Limited access to transaction processing capabilities, for example to support proper segregation of duties

- Restricted access to programs and data (for example, financial data files cannot be modified outside of 1. - Normal operations transaction processing or controlled exchange processes).

Do we have to validate the controls for each of the five internal control components to get significant comfort from the controls?

We must consider each of the five components of internal control during the evaluation phase of the audit comfort cycle. It is at this moment when we decide the controls from which we want to obtain comfort.

We must keep in mind that we frequently have to review control activities, along with other components of internal control. It is through the control activities that the objectives of the information processing (totality, accuracy, validity and restricted access) are reached, normally there will be several controls for this and very rarely we will depend on a single control.

Do we have to validate all the controls we are placing trust in each year?

• When the controls remain unchanged from the previous year, we can consider the evidence on the effective operation of the control obtained in previous audits, but:

• We must test the controls we want to place trust in at least every third audit and consider that some controls need to be tested every year.

The longer the time between validating the effectiveness of the controls, the less certainty that the result of the work of previous years will provide us with certainty about their effectiveness in the current year. For this reason we must test the effectiveness of the controls in which we intend to trust at least every third audit. However, in certain cases, it will be necessary to validate controls that have not changed more frequently than every third year. Factors that may decrease the trial period include the following:

• Weaknesses identified in the Control Environment, Monitoring of the entity on the General Controls of Information Technology.

• If the controls we trust are manual application controls.

• Changes in personnel that significantly affect the application of control.

• Changes in circumstances that indicate the need to modify the control.

• The greater the risk of material error, the greater the confidence we place in the control, and the less time we will not test it.

• We need to get comfort that manual controls tested in previous years have not changed. Therefore, we must perform a combination of procedures involving investigation / interview, observation, and examination to confirm the absence of change.

• If we want to place trust in the controls that mitigate key risks of material error, we must test them in each audit period in which we want to place trust. In other words, all evidence on the effectiveness of controls for key risks must be obtained in the current audit period.

• Due to its penetrating effect on controls. We must test every year the General Information Technology Controls in which we are placing trust.

Conclusions

Internal Control is an effective instrument to achieve business efficiency levels and constitutes an important tool for the Auditor, helping in the case of External Auditors to determine comfort levels for their work, thus gaining more efficiency in the work of the Audit and its final result.

Understanding, evaluation and validation of internal control for external auditors in Cuba
Administration

Editor's choice

Fundamental problems in the financing of higher education in the world

Fundamental problems in the financing of higher education in the world

Environmental problems, economic growth and technological advance. origin, current debate and consequences

Environmental problems, economic growth and technological advance. origin, current debate and consequences

Garbage collection problem in a municipality of Mexico. test

Garbage collection problem in a municipality of Mexico. test

The problem of urban transport in Venezuela

The problem of urban transport in Venezuela

Problems of adolescents in Mexico

Problems of adolescents in Mexico

National problems and presidential disapproval in Peru 2015

National problems and presidential disapproval in Peru 2015

© Copyright en.artbmxmagazine.com, 2024 October | About site | Contacts | Privacy policy.