Evaluation of internal control over processes and transactions

Anonim

1. Introduction

Understanding and evaluating the entity's internal control process is the auditor's responsibility. The auditor designs tests to identify controls and risks and to test the processes established in the company.

2. Objective

In accordance with ISA 330 "The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement, by planning and implementing appropriate responses to those risks."

3. Definitions

ISA 330 defines the following terms:

a) Substantive procedure: An audit procedure designed to detect material misstatements at the assertion level.

The substantive procedures include:

  • Tests of details (of classes of transactions, account balances and disclosures); and
  • Substantive analytical procedures

b) Tests of controls: An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.

During an audit of financial statements, the auditor should evaluate and design procedures that respond to the significant risks of error identified in the audit, whether they affect the audited financial statements as a whole or a specific assertion.

A significant risk is the high possibility that an identified and evaluated significant error will occur that, if it occurs, would affect the financial statements or an assertion significantly. Therefore, in the auditor's opinion, an adequate response is required in its audit, through the application of specific procedures.

In the work done on the audit planning, the auditor identified:

  • Significant transactions and the processes that initiate, process and record them
  • Business risks that have significant implications in the financial statements
  • Fraud risks

4. Evaluate the Entity's Internal Control

Understanding and evaluating internal control must start at the top, that is, with those who lead and make decisions.

The five components of internal control are listed below:

The control environment is what sets the tone for an organization, that is, the basis for influencing the control consciousness of its personnel. It is the foundation of the other components of internal control, and provides discipline and structure.

Risk assessment is the identification and analysis of the relevant risks that the company runs to achieve its objectives, forming the basis for determining how risks should be managed.

Information and communication systems support the basis for identifying, capturing, and exchanging information in a manner and period of time that allows staff to fulfill their responsibilities.

Control Activities are the policies and procedures that must be followed to ensure that management's instructions are carried out.

Monitoring is a process to verify the quality of internal control performance over time.

Control environment

The guideline set by senior management — that is, the corporate environment or culture within which financial reporting operates — is the single most important factor contributing to the integrity of the financial reporting process. In other words, if the guideline set by management is relaxed or loose, an impressive set of written rules and procedures will do little.

The control environment reflects the general attitude, degree of awareness, and actions of the board of directors, management, owners, and others regarding the importance of control and the emphasis on control over policies, procedures, methods, and the organizational structure of the company. The control environment includes management's attitude toward developing accounting estimates and the philosophy for reporting financial information; it is the context in which the accounting system and internal controls operate.

In its report, Internal Control-Integrated Framework, COSO states that “The control environment has a dominant influence on the way business activities are structured, how objectives are established and risks are assessed. It also influences control activities, information and communication systems, and monitoring activities. This is true not only regarding its design, but also the way it works day by day.”

The control environment is the atmosphere within which a company's accounting controls exist and financial statements are prepared. Therefore, an understanding of the control environment is essential in order to identify the factors that have a dominant effect on the risk of errors in transaction processing and in the judgments management makes when preparing financial statements. A satisfactory control environment does not guarantee the effectiveness of any specific control, but it can be a positive factor when evaluating the risk of errors. An effective control environment also provides a basis for expecting accounting systems that are working well at any given time of the year to continue to work well the rest of the year. In this way, the control environment is a basic ingredient for effective internal controls.

The project team should consider the following factors when reviewing the control environment:

Integrity, ethical values and the behavior of key executives

Management control awareness and operating style

Commitment to be competent

Participation of the board of directors and the audit committee in the governance and supervision of the business

Adequate organization structure and allocation of authority and responsibilities

Human resources policies and practices

Integrity, Ethical Values and the Behavior of Key Executives

Integrity and ethical values are essential elements of the control environment, affecting the design, administration and monitoring of key processes. Integrity and ethical behavior are the product of company standards on ethics and behavior and the way they are communicated, supervised and put into practice. They include actions that management takes to reduce or eliminate opportunities for staff to carry out illegal, dishonest, or unethical actions. They also include communications to staff of the company's values and standards of conduct through policy pronouncements and codes of conduct, as well as examples given by its executives.

Control Awareness and Management Operating Style

Management has the responsibility to direct and control operations and establish, communicate and monitor policies and procedures. Every aspect of the control environment is deeply influenced by the actions and decisions (or, in some cases, inaction and indecision) of management. In an effective control environment, management's awareness of control and its style of operating and coordinating foster effective operation of processes and controls and an environment where the probability of error is minimized.

Control awareness refers to the importance management places on internal controls and the environment in which they operate. In large part this is an intangible concept; it is a management attitude that, once communicated, helps ensure that adequate control remains in place and reduces the chance that specific controls will be ignored.

Commitment to Be Competent

Commitment to being competent includes management's consideration of the skill levels for specific positions and how these levels translate into skill and knowledge requirements. Among other factors that management should consider are the nature and degree of judgment to be used in a specific job and the degree of supervision that will be required. The project team has to consider whether the staff appears to be competent to fulfill their responsibilities (for example, whether the staff has sufficient knowledge and experience in the area of generally accepted accounting principles that the company will report on).

Participation of the Board of Directors and the Audit Committee in Governance and Business Supervision

The board of directors, through its own activities and with the support of an audit committee, is responsible for supervising accounting and financial reporting procedures and policies.

While the specific activities and responsibilities of audit committees vary and require modifications or adaptations depending on individual circumstances, the board of directors has a fiduciary responsibility to shareholders and third parties for the presentation of reliable financial reports.

As a result, the board of directors and the audit committee should be concerned with reporting financial information to shareholders and the investing public and should monitor the company's accounting policies and internal audit and independent audit processes.

In determining the effects of the board of directors and / or the audit committee on the control environment, the project team should consider the independence of the board of directors and / or the audit committee from management, the experience and knowledge of its members, the degree of involvement and scrutiny of the company's operations, the degree to which difficult questions arise and are followed up with management and their interaction with internal auditors and independent auditors.

Organizational Structure and Assignment of Authority and Responsibilities

The organization structure of a company indicates the general framework for planning, directing and controlling operations. An effective structure determines the allocation of responsibility, so that all staff have a clear concept of who the person to report to is and what their responsibilities are.

In its review of the organizational structure, the project team should consider methods for (1) assigning authority, (2) monitoring decentralized operations, (3) assigning and monitoring responsibilities for information systems (including the use of service organizations), and (4) establishing and monitoring policies and procedures (e.g., conflict of interest, corporate security and codes of conduct) throughout the organization.

The project team should focus on the substance of the organizational structure and on the methods followed to assign authority and responsibility, rather than on its form. Therefore, the general level of knowledge and compliance with policies and procedures is as important as its monitoring by management. The review of the organizational structure is also useful for the project team to determine the degree of segregation of duties achieved and to assess the effects of significant deficiencies in this regard.

Human Resources Policies and Procedures

These policies and procedures refer to the hiring, orientation, training, evaluation, counseling, promotion and compensation of staff. The effectiveness of policies and procedures, including controls, depends on the people who execute them. Therefore, the capacity and integrity of company personnel are important elements of its control environment. The ability of a company to recruit and hire enough competent and responsible personnel, in turn, depends on human resources policies and practices. Furthermore, the level of competence and integrity of personnel dedicated to specific processes is one of the factors in evaluating the effectiveness of control over processes.

Risk evaluation

All companies, regardless of their size, structure, nature or type of industry, face risks at all levels of their organization. Risks affect a company's ability to survive and to compete successfully within its industry, and to maintain its financial strength, its positive public image and the general quality of its products or services and its personnel. There is no practical way to reduce risk to zero. In fact, the very decision to establish a business creates a risk. Management must decide the level of risk that it can prudently accept and try to stay within that level.

The risk identification, analysis and management process is a critical component of any effective internal control system. It must also be recognized that change is always present and it is essential for an effective risk assessment process to take the necessary actions to respond to such changes.

To understand the risk assessment process at the company level, the project team should consider factors such as:

  1. Whether company-level objectives have been established and communicated, including how they are supported by strategic plans and complemented at the process or application level.
  2. Whether a risk assessment process has been established that includes an estimate of the importance of the risks, assessment of the probability of their occurrence, and determination of the necessary actions.
  3. Whether mechanisms have been established to anticipate, identify and react to situations that may have a dramatically extensive effect on the company (for example, a management committee for asset/liability management in a financial institution, or a commodity marketing risk group in a manufacturing company).
  4. Whether there are mechanisms to anticipate, identify and react to routine events or activities that affect the achievement of objectives at the entity or process/application level.
  5. Whether the accounting department has established processes to identify significant changes in generally accepted accounting principles promulgated by the relevant authorities.
  6. Whether the communication channels are empowered to notify the accounting department of changes in the company's business practices that may affect the method or process of recording transactions.
  7. Whether the accounting department has processes to identify significant changes in the operating environment, including regulatory changes.

Information and communication

Information and communication is the process of capturing and exchanging information that is needed to execute, manage and control the operations of the company.

The quality of the company's communication and information system affects management's ability to make sound decisions to control the company's activities and prepare reliable financial reports.

Information and communication encompass the capture and issuance of information to appropriate personnel so that they can fulfill their responsibilities, including an understanding of the individual roles and responsibilities that relate to internal control over financial reporting.

To understand information and communication at the company level, the project team considers factors such as:

Information

  1. Whether the information system provides management with the necessary reports on the performance of the company in relation to the established objectives, including relevant information, both external and internal.
  2. Whether the information is provided to the appropriate people in sufficient detail and in advance so that they can carry out their responsibilities efficiently and effectively.
  3. To what extent the information systems are developed or modified based on a strategic plan that is inter-related to the general information system of the company and that allows the achievement of the objectives at the company and process/application level.
  4. Whether the company management allocates adequate human and financial resources to develop the necessary information systems.
  5. How management ensures and monitors the participation of users in development (including modifications) and program testing.
  6. Whether a disaster recovery plan has been established for all major data centers.

Communication

  1. Whether management effectively communicates the control functions and responsibilities of personnel.
  2. Whether communication channels have been established for people who have to report suspicious events.
  3. The suitability of communication throughout the company to facilitate the performance of obligations by personnel.
  4. Whether management takes timely and appropriate follow-up action in relation to communications from customers, suppliers, mediators and other external parties.
  5. Whether the company is subject to monitoring and compliance requirements imposed by regulatory bodies.
  6. The scope of notification to third parties outside the company (such as customers and suppliers) on the company's policies and ethical standards.

Control Activities

Control activities are policies and procedures that help ensure that management's instructions are followed. They help to ensure that the necessary actions are taken to address the risks in achieving the company's objectives. Control activities, automated or manual, have multiple objectives and apply at various organizational and functional levels.

To understand control activities at the company level, the project team takes into account factors such as:

  1. Whether the policies and procedures that are required exist with respect to each activity of the company.
  2. Whether the controls are applied to the extent that each policy requires.
  3. Whether management has clear objectives in terms of budget, profits, and other financial and operating goals, and whether these objectives are clearly expressed and communicated to the entire organization and are continuously monitored.
  4. Whether there are established information and planning systems to identify variations in planned performance and communicate such variations at the appropriate level of management.
  5. Degree to which functions are segregated between different people in such a way that the risk of fraud or other improper acts is reduced.
  6. Degree to which functions are logically divided by means of information technology (IT) applications.
  7. Whether periodic comparisons of the amounts recorded in the accounting system are made with physical assets.
  8. Whether there are adequate safeguards to prevent unauthorized access to or destruction of documents, records and assets.
  9. Whether policies have been established to control access to data files and programs.
  10. Whether any access security, operating system, and/or application software is used to control access to data and programs.
  11. Whether there is an established information security function with the responsibility of monitoring compliance with information security policies and procedures.

Monitoring

An important management responsibility is the establishment and maintenance of internal control. Management monitors the controls to make sure they work as designed and to determine whether they have been modified to adapt to changing conditions. Monitoring is an evaluation process to determine the quality of internal control over time, considering whether the controls are operating as designed and ensuring that they are appropriately modified for changing conditions. This involves evaluating the design and operation of the controls regularly and taking the necessary corrective actions. This process is accomplished through ongoing activities and separate evaluations, or combinations of both.

To understand the monitoring process at the company level, the project team must take into account factors such as:

  1. Whether periodic evaluations of internal control are carried out.
  2. Degree to which personnel, in carrying out their regular functions, obtain evidence that the internal control system continues to function.
  3. Degree to which communications from external parties corroborate the information generated internally or indicate problems.
  4. Whether management follows recommendations made by internal auditors and independent auditors.
  5. Management's approach to timely correcting known informal conditions.
  6. Management's approach to handling reports and recommendations from regulatory authorities.
  7. Existence of an internal audit function that management uses to assist in monitoring, which includes factors such as:
  • Independence (reporting authority and relationships)
  • Reporting lines (reporting directly to the board of directors and/or the audit committee, or having unlimited access to the board of directors and/or the audit committee)
  • Adequacy in assigning personnel, training and existence of specialized skills according to the environment (e.g., use of experienced information system auditors, trained in complex and highly automated environments)
  • Compliance with applicable professional standards
  • Scope of activities (a balance between financial and operational audits, coverage and rotation of decentralized operations)
  • Adequacy of planning, risk assessment and documentation of the work performed and the conclusions reached
  • Absence of operational responsibilities

The project team should assess whether the internal control system is subject to self-monitoring and whether it includes appropriate mechanisms to ensure that any observed deficiencies are corrected. In the event that the methods of self-monitoring and correction of deficiencies are evaluated as inadequate, the team must propose specific recommendations to improve the system.

5. Understand and Evaluate Internal Control in Processes and Transactions

  1. Identify and Evaluate Major Classes of Transactions
  2. Other Control Considerations
  3. Effects of Information Technology

After completing an internal control evaluation at the company level, an organization's accounting system becomes the primary focus for evaluating internal control over financial reporting. For this purpose, the accounting system is represented by the processes that are basic to the Company's financial information (ie, the business processes and / or accounting activities).

Determine the Significant Accounts

The starting point for identifying the important processes is the identification of the significant accounts or groups of accounts at the disclosure level in the line items or the notes of the financial statements.

An account or group of accounts is key if it could contain errors that have a material effect on the financial statements, or if it involves other legal matters, conflicts of interest or unauthorized benefits to officials which, although not material, may adversely affect the prestige of the company with its clients, shareholders or the public if these matters remain undetected.

The importance of an account depends on its size and composition and its susceptibility to manipulation or loss; its nature; the volume of activity, size, complexity and homogeneity of the individual transactions processed through the account; and the subjectivity in determining the account balance (i.e., the extent to which the account is affected by lawsuits).

Changes that occur in business activities and their effect on an account or group of accounts are also something to keep in mind. Generally, a company in which many changes take place (for example, in its growth rate, markets, products, personnel, technology) will have more situations of uncertainty and risk than companies with stability.

1. Identify and Evaluate the Major Classes of Transactions

Identify and evaluate important transactions

This identification represents the link between the identification of significant accounts or group of accounts and the understanding and evaluation of the related processes and controls.

Major transactions include all kinds of transactions that materially affect significant accounts or groups of accounts, either directly through entries in the general ledger, or indirectly through the creation of rights or obligations that cannot be recorded in the general ledger.

The processes comprise classes of transactions that can be classified as:

  1. Routine
  2. Non-routine
  3. Estimation

It is important to distinguish between these major classes of transactions because the components and risks in each class are different and, as a result, the probability of material errors arising from the corresponding processes also differs.

Routine Transactions

They are the financial data recorded in the books and the records or non-financial data used to manage the business.

For example, a company could have the following routine transactions:

  • Sales and accounts receivable
  • Cash income
  • Purchases and accounts payable
  • Cash expenses
  • Payroll
  • Inventories and cost of sales

Some companies will have more than a single process for similar transactions. For example, there may be separate processes for domestic and export sales; payroll may be different for those with a fixed salary and those who earn based on hours worked.

Non Routine Transactions

These are transactions that are carried out periodically, generally in conjunction with the financial statements. Any major class of transactions that does not easily meet the definition of a routine transaction or estimate transaction can be viewed as a non-routine transaction. Typical non-routine transactions include:

  • Calculation of income tax expense
  • Counting and valuation of inventories
  • Determination of expenses paid in advance

Estimate Transactions

These are transactions that reflect the numerous judgments, decisions and alternatives in the preparation of financial statements (e.g., the estimate for accounts receivable).

It is important to keep in mind that routine transactions are generally subject to a more formal control system, because there is greater objectivity in the data and in the volume of information processed.

Conversely, because non-routine and estimation transactions are often more subjective or less frequent, their controls are less formal. Consequently, the risk of potential errors may be greater.

Understand the Flow of Transactions

Once the main classes of transactions have been identified, it is necessary to obtain details of the processes to understand the flow of each major class of transactions.

The purpose of this step is to identify the records, documents, and basic procedures in use to identify where errors can occur.

Most processes involve a number of activities such as data entry validation and editing, calculations, updating master and transaction files, and data summary and information.

The most important procedures for identifying where errors can occur are the activities required to initiate, record, process or report major classes of transactions. These include procedures to correct and reprocess previously rejected transactions and procedures to correct erroneous transactions using adjustment entries.

We must understand the flow and nature of the information; analyze the types of errors that may occur in the initiation, recording, process and reporting of transactions and consider the relevant internal control policies and procedures.

While documentation of understanding and evaluation will vary by transaction category (eg, using working papers to document processes for routine transactions and memoranda to document processes for non-routine and estimation transactions), the objectives of recording accounting information are consistent.

Financial Information Reporting Process

The process for producing financial reports should be included in your understanding and evaluation of internal control. Understanding the company's significant processes and their interrelation with the specific process of producing financial information will provide a basis for knowing the information required for the financial reporting process. Typically this will include:

  1. Procedures for recording transaction totals in the general ledger.
  2. Procedures for initiating, recording, and processing journal entries in the general ledger.
  3. Other procedures used to record recurring and non-recurring adjustments to financial statements and reclassifications.
  4. Procedures for preparing draft financial statements and notes to the financial statements.
  5. Procedures for preparing management's analysis of business financial and operational accomplishments.

Evaluate Designed Controls

Testing of controls

The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence regarding the operating effectiveness of the relevant controls if:

  1. The auditor's assessment of material misstatement risks at the assertion level includes an expectation that the controls are operating effectively (i.e., the auditor plans to rely on the operating effectiveness of the controls to determine the nature, timing, and extent of substantive procedures); or
  2. Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.

In designing and performing tests of controls, the auditor should obtain more persuasive audit evidence, the greater the auditor's degree of dependence on the effectiveness of a control.

Nature and extent of tests of controls

In designing and performing tests of controls, the auditor should:

a) Perform other audit procedures in combination with inquiry, to obtain audit evidence about the operating effectiveness of the controls, including:

i) How the controls were applied at relevant moments during the period under audit;

ii) The consistency with which they were applied; and

iii) By whom and by what means they were applied.

b) Determine if the controls to be tested depend on other controls (indirect controls) and, if so, whether it is necessary to obtain audit evidence that supports the effective operation of said indirect controls.

Timing of tests of controls

The auditor should test controls for the particular time, or during the period, for which the auditor intends to rely on such controls, to provide an appropriate basis for the support intended by the auditor.

If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor should:

  1. Obtain audit evidence about important changes to said controls after the interim period; and
  2. Determine the additional audit evidence to be obtained for the remaining period.

Use of audit evidence obtained in previous audits

In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in previous audits, and, if so, the length of the period that may elapse before retesting a control, the auditor should consider the following:

  1. The effectiveness of other elements of internal control, including the control environment, the monitoring of controls by the entity, and the entity's risk assessment process;
  2. Risks arising from the characteristics of the control, including whether it is manual or automated;
  3. The effectiveness of general IT controls;
  4. The effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control that were observed in previous audits, and whether there have been personnel changes that significantly affect the application of the control;
  5. Whether the lack of a change to a particular control poses a risk due to changing circumstances; and
  6. Risks of material misstatement and the degree of control dependence.

If the auditor plans to use audit evidence from a prior audit about the operating effectiveness of specific controls, the auditor should establish the continuing relevance of such evidence, obtaining audit evidence about whether significant changes have occurred in those controls subsequent to the prior audit.

  1. If there have been changes that affect the continuing relevance of the audit evidence from the previous audit, the auditor should test the controls in the current audit.
  2. If there have been no such changes, the auditor should test the controls at least once every third audit, and should test some controls each audit, to avoid the possibility of testing all the controls the auditor intends to rely on in a single audit period and then testing no controls in the two subsequent audit periods.

Controls on significant risks

If the auditor plans to rely on controls over a risk that the auditor has determined to be a significant risk, the auditor should test those controls in the current period.

Evaluation of the operational effectiveness of controls

When evaluating the operating effectiveness of the relevant controls, the auditor should assess whether the misstatements that have been detected with substantive procedures indicate that the controls are not operating effectively. However, the absence of misrepresentations detected with substantive procedures does not give audit evidence that the controls related to the assertion being tested are effective.

If deviations from the controls that the auditor intends to rely on are detected, the auditor should make specific investigations to understand these issues and their potential consequences, and shall determine whether:

  1. Tests of controls that have been performed provide an appropriate basis for reliance on controls;
  2. Additional tests of controls are required; or
  3. The potential risks of misrepresentation need to be addressed using substantive procedures.

Whether controls as designed are effective should be determined through audit testing. In making this assessment, the auditor should consider:

  1. Characteristics of related accounts (size, susceptibility to errors or manipulation).
  2. Efficiency of internal control at the company level.
  3. Conclusions related to information technology (IT) processes.
  4. The design of control implemented by the company.
  5. Risks of control.
  6. Policies and procedures regarding authorization, custody of assets, accountability for assets and segregation of duties.

Determining whether controls achieve a specific objective (eg, with respect to financial reporting objectives or that significant errors do not occur) often requires considerable judgment.

The key question is whether essential controls could prevent and / or detect a material error related to each of the relevant assertions in the financial statements.

If existing controls are not effective for that purpose (or there are no controls), it may be necessary to establish additional controls, whether programmed or manual. However, before installing new procedures, the company should carry out a cost-benefit study.

Determine If Controls Work As Designed

Management must have reasonable assurance that the controls function as designed.

An initial step in that process is for the auditor to perform a walkthrough of a transaction to verify that what he understands about the desired operation of the process and its controls is correct.

After this walkthrough has been performed, you can begin testing the effectiveness of the controls.

Tests to verify if the controls work as designed can be done by:

  a. Inquiry of the persons responsible for the control.
  b. Examination of the evidence (eg, review of bank reconciliations) that the control was executed and was effective.
  c. Analysis of a transaction and repetition of the operation (for example, the calculations on an invoice used as a sample).
  d. In other cases, assurance about the correct operation of a control can be obtained by observing the employees while they carry out their functions, and by interviewing the personnel to determine if they understand what they should do if an error is identified during the execution of their functions.

In the case of transactions processed by the IT system, in addition to following the physical flow of documents and forms, the auditor also follows the flow of data and file information through automated application processes (at the system level and not at the level of detailed logic).

This may involve procedures such as inquiries of independent but knowledgeable personnel, review of user manuals, observation of a user processing transactions at a terminal (in the case of an "online" application), and review of documentation such as output reports.

Upon completion of this task, the auditor should document whether the manual and programmed controls are working as designed and include any other pertinent comments that may assist the auditor in evaluating key processes.

In a dynamic business environment, controls require modification from time to time. Certain systems may require improvements in their controls to respond to new products on the market or due to emerging risks. Automating some manual controls can improve efficiency and compliance with management policies. In other areas the evaluation may indicate redundant controls or other procedures that are no longer necessary. In such cases, the company can maintain an acceptable level of controls and improve its results through appropriate changes.

If areas are identified where controls are insufficient to provide reasonable assurance that the risk of error is reduced to an acceptable level, the project team should recommend improvements. The concept of reasonable assurance must be borne in mind in all recommendations.

Both the audit texts and the COSO report emphasize that internal control does not have to be completely risk-free if the total elimination of risks would cost more than the expected benefit. Therefore, when the reviewer or project team identifies a risk, a "cost-benefit decision" needs to be made as to whether the costs of installing and maintaining a control that reduces or eliminates the risk outweigh the expected benefits. Generally, controls can only reduce, not completely eliminate, a risk. In addition, cost-benefit analyses can be used to determine whether existing controls should be retained.

All aspects of internal control are subject to routine procedures (eg, comparing invoices with receipt reports) and periodic monitoring (eg, tests of controls, verification of portions of the system, updating of previous cost-benefit studies). This includes decisions on the type of monitoring (eg, by internal auditors) and the frequency of monitoring (eg, quarterly, annually, etc.).

Documentation related to:

  • Transactions
  • Control system
  • Monitoring activities
  • Cost-benefit decisions

Reporting policies and practices:

  • Inappropriate operation of controls or circumvented controls
  • Changes in circumstances that create additional or new risks, or reduce or eliminate existing risks
  • Policies and practices for timely corrective action

In many cases, or possibly in most of them, a formal cost-benefit analysis would be difficult or expensive and unnecessary. For example, people doing the analysis, after the second step, may recognize that the cost will exceed the benefits. On the other hand, those conducting the analysis may conclude that the cost of reducing risk will be minimal and that it may be practical to install the control.

However, in those cases where a formal cost-benefit analysis makes sense, it may be useful to consider the following:

  1. List all reasonable alternatives (including controls) that may be adopted to reduce or eliminate risks and, if they have not been identified, list all risks that could be reduced or eliminated with each alternative.
  2. List or identify the relevant cost items incurred by each alternative.
  3. Determine the costs and risks that are quantifiable.
  4. Quantify those costs and risks.
  5. Estimate the probability that a loss will occur due to failure to correct the weakness, and how often that event may occur.
  6. Estimate, for each alternative, the probability (if any) that a loss may occur if the control is installed, and how often it could occur (if any).
  7. Develop the "best estimate" of the benefits that might be obtained by eliminating or reducing the risk (eg, multiplying, for each alternative, the quantified risk by the reduction in the probability that a loss could occur and then by the reduction in the frequency of occurrences).
  8. Decide if the costs to correct the weakness could exceed the benefits, or vice versa, based on a comparison of costs (quantifiable and non-quantifiable) with benefits (quantifiable and non-quantifiable).
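The quantifiable part of these steps can be worked through as follows. This is an added example, not part of the original article: the figures and control names are constructed, and it assumes expected annual loss is the loss amount multiplied by the probability of a loss and by the yearly number of occurrences, with the benefit of an alternative taken as the drop in that figure.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alternative:
    """One option from the list of alternatives, with its quantified figures."""
    name: str
    annual_cost: float           # quantifiable cost of installing/maintaining it
    loss_probability: float      # chance that an occurrence ends in a loss
    occurrences_per_year: float  # how often the event can occur


def expected_annual_loss(loss_per_event, probability, occurrences_per_year):
    """Assumed model: loss amount x probability x yearly occurrences."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if loss_per_event < 0 or occurrences_per_year < 0:
        raise ValueError("loss and occurrences must be non-negative")
    return round(loss_per_event * probability * occurrences_per_year, 2)


def evaluate(loss_per_event, uncorrected, alternatives):
    """Best-estimate benefit and cost comparison for each alternative.

    `uncorrected` describes the weakness left as it is. Only quantifiable
    items are compared here; non-quantifiable costs and benefits still have
    to be weighed by the reviewer before the final decision.
    """
    exposure = expected_annual_loss(
        loss_per_event, uncorrected.loss_probability,
        uncorrected.occurrences_per_year)
    rows = []
    for alt in alternatives:
        residual = expected_annual_loss(
            loss_per_event, alt.loss_probability, alt.occurrences_per_year)
        benefit = round(exposure - residual, 2)
        net = round(benefit - alt.annual_cost, 2)
        rows.append({"name": alt.name, "benefit": benefit,
                     "net": net, "install": net > 0})
    # Highest net benefit first, so the cheapest effective control stands out.
    return sorted(rows, key=lambda r: r["net"], reverse=True)


# Constructed figures: an invoice-pricing weakness costing 12,000 per loss.
LOSS_PER_EVENT = 12_000
UNCORRECTED = Alternative("no control", 0, 0.25, 4)
ALTERNATIVES = [
    Alternative("automated price edit check", 5_000, 0.05, 4),
    Alternative("second manual review", 11_000, 0.10, 4),
    Alternative("monthly reconciliation", 1_500, 0.25, 2),
]

if __name__ == "__main__":
    for row in evaluate(LOSS_PER_EVENT, UNCORRECTED, ALTERNATIVES):
        print(row)
```
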

Monitoring

Finally, as mentioned earlier, internal control should be self-monitoring and self-correcting. This means that a company must establish mechanisms to continuously monitor and maintain the internal control system and take corrective action in a timely manner, when necessary.

Generally, the responsibility for making the internal control system "self-monitoring" and "self-correcting" should not be assigned exclusively to a single group. In a broad sense, the internal control system is comprehensive and complete. It involves staff from across the organization, including many people who do not consider themselves to have accounting or control responsibilities.

Sources to document processes

The following are the sources where the Auditor can find information to document the processes:

  • Organizational charts identifying positions and responsibilities
  • Interviews with process owners
  • Procedures manuals
  • Process related policies
  • Observation of process activities
  • Inspection of information produced by the process
  • Internal and / or external audit reports (helps the Auditor identify weaknesses and risks of the process)
  • Review of the Auditor's letters of recommendation from the previous year

Evaluate the process and transaction

To analyze the process, we carry out the following activities:

  1. Understanding of the process
  2. Identification of the risks and controls of the process
  3. Selection of the relevant controls to which the tests will be carried out
  4. Evaluation of the controls
  5. Design of the audit tests related to the operational effectiveness of controls.

a. Understanding the process

It is essential that the Auditor understands and documents the activities that initiate, process and record significant transactions. Example:

b. Identification of risks and process controls

A good understanding of the process will depend on the identification of risks and the controls that mitigate them. In identifying risks, it is important to consider the factors that can increase risks, such as the quality of personnel, past experiences in achieving objectives, complexity of an activity, geographical distribution of activities, among others.

Examples of factors that can increase the probability of occurrence of process risks:

The hiring of personnel who are not competent to meet the challenges of the organization, as well as ineffective training methods and motivation, which can influence the level of self-control awareness in the entity's operations.

Failures in the processing of information systems, which affect the entity's operations.

Changes in the assigned responsibilities of the administration, which affect the execution of some controls.

Identification of Controls

Controls are classified into three types:

  • Automatic: it is carried out from beginning to end by an information system
  • Semi-automatic: it is partially executed by a person, but with the collaboration of an information system
  • Manual: it is carried out entirely by one person, without the collaboration of an information system.

Controls can be preventive, detective or corrective:

Preventive Control: Its objective is to anticipate unwanted events, acting on the causes of risk, as well as avoiding the generation of errors or fraudulent events.

Detective Control: Identifies all those events at the time they occur, as well as warns about the presence of risks.

Corrective Control: It is oriented to the implementation of corrective actions once an unwanted event has been identified. Its implementation is carried out when preventive and detective controls have not worked, which means that its implementation is more expensive, since they act when loss events have already materialized for the organization.

2. Other Control Considerations

Policies and procedures in relation to authorization, asset safeguard, asset accountability and segregation of duties are established by management in order to provide reasonable assurance that:

  1. Assets are acquired, guarded and used, and liabilities are incurred and released in accordance with management's decisions.
  2. Financial information is properly maintained in the books and records regarding assets and liabilities resulting from those decisions.

These policies and procedures are an integral part of an internal control system and are basically related to management's control over the disposition of the company's assets and liabilities and, only indirectly, with controls over data processing, which deal with the correct, punctual and complete accounting of transactions. However, the absence of such controls could increase the risk of material errors in the financial information included in the company's books and records.

Because policies and procedures frequently take the form of controls, the absence of adequate policies and procedures in any of these areas can affect how the project team judges the effectiveness of specific controls over processes.

Authorization: The general and specific levels of authorization and approval and the procedures designed to ensure that transactions and activities are executed in accordance with management's intentions.

Asset Safeguard: Restrictions on access to and use of assets and records, designed to prevent the loss of assets, including physical access and indirect access through the preparation and processing of data that authorize or facilitate the use or disposal of assets.

Accountability for assets: Procedures for comparing recorded assets with assets in physical existence and for taking appropriate actions when differences are identified. Such procedures help establish reasonable assurance that procedures regarding authorization of use and access to assets are followed.

Segregation of duties: Preventing a single person from carrying out functions that are not compatible, and preventing an Information Technology application from giving users inappropriate or excessive access to functions. For example, duties are not adequately segregated if a person is in a position to make mistakes while hiding them within the normal course of their own duties.

3. Effects of Information Technology

In more complex automated applications, controls identified by management can often involve information technology (IT). IT controls include application controls and general IT controls. These controls help provide reasonable assurance that transactions are valid, duly authorized, and fully and accurately processed, so that the resulting information is reliable.

Application Controls

Application controls correspond to the processing of individual transactions and may consist of programmed procedures (eg, specific programs to process or edit a transaction) or non-programmed controls (eg, manual balancing of information produced by IT). There are frequently programmed controls, which can be programmed control procedures (eg, edit, compare, or reconcile) or IT processes (eg, calculations, online entries, or automatic interfaces between systems) that management relies on to ensure accuracy and completeness of the information generated by automated applications. For example, to ensure that prices on all customer invoices are correct, management can rely on automated information to identify pricing transactions that do not meet established criteria in combination with access control software to restrict access to the master price file. Similarly, management can rely on an IT process such as the automated extension of sales invoices to ensure that all sales have been valued appropriately.

You can find programmed controls at different levels of data processing. The following are some examples:

Inputs: There are controls to ensure the validity and integrity of the input data (eg, summary of the transactions generated in the branches). There may be several validations to avoid inputting erroneous data.

Processing: There are also controls to provide correct valuation and accounting. Processes can perform simple or complex calculations (eg, product pricing, option pricing). Managing instruction and parameter processing is also a key control issue.

Outputs: Special controls may be in place when data outputs generate payments (eg, validation of vendor identification before payment is processed).

A programmed control by itself may not be sufficient to ensure that the application prevents errors from occurring or to detect and correct errors that have occurred during processing. However, programmed controls, in combination with effective general IT controls, can provide the desired level of control.

General IT Controls

General IT controls are the fundamental controls over the acquisition and maintenance of application and system software, access security and segregation of functions that operate to ensure the effectiveness of programmed controls. Typically IT general controls are designed to ensure that:

All changes to applications have been authorized, tested and approved prior to implementation.

Only authorized persons and applications have access to the data and only to execute specifically defined functions (eg, inquire, execute or update).
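A test of these two general IT controls can be run over change tickets and an access listing, as in the following added example (not part of the original article). The records, user names and field names are constructed, and the rule that a developer may not approve their own change is this example's assumption about how segregation of functions is applied.

```python
from datetime import date

# Constructed change tickets for one application (not real data).
CHANGES = [
    {"id": "CHG-001", "developer": "ana", "approver": "marta",
     "tested": date(2024, 3, 4), "approved": date(2024, 3, 5),
     "deployed": date(2024, 3, 6)},
    {"id": "CHG-002", "developer": "ana", "approver": "ana",
     "tested": date(2024, 3, 11), "approved": date(2024, 3, 12),
     "deployed": date(2024, 3, 13)},
    {"id": "CHG-003", "developer": "luis", "approver": "marta",
     "tested": date(2024, 4, 2), "approved": date(2024, 4, 10),
     "deployed": date(2024, 4, 8)},
    {"id": "CHG-004", "developer": "luis", "approver": "marta",
     "tested": None, "approved": date(2024, 5, 1),
     "deployed": date(2024, 5, 2)},
]

# Functions management authorized per user vs. what the system grants.
AUTHORIZED = {"ana": {"inquire"}, "luis": {"inquire", "execute"},
              "marta": {"inquire"}}
GRANTED = {"ana": {"inquire"}, "luis": {"inquire", "execute", "update"},
           "marta": {"inquire"}, "pedro": {"inquire"}}


def change_deviations(changes):
    """Flag changes not tested and approved prior to implementation."""
    findings = {}
    for change in changes:
        reasons = []
        for step in ("tested", "approved"):
            done = change.get(step)
            if done is None:
                reasons.append(f"not {step}")
            elif done > change["deployed"]:
                # Same-day steps pass: the records carry dates, not times.
                reasons.append(f"{step} after implementation")
        # Assumed segregation rule: the developer cannot self-approve.
        if change.get("approver") == change.get("developer"):
            reasons.append("developer approved own change")
        if reasons:
            findings[change["id"]] = reasons
    return findings


def access_deviations(authorized, granted):
    """Flag functions granted beyond what was specifically authorized."""
    findings = {}
    for user, functions in granted.items():
        excess = set(functions) - authorized.get(user, set())
        if excess:
            findings[user] = sorted(excess)
    return findings


if __name__ == "__main__":
    print(change_deviations(CHANGES))
    print(access_deviations(AUTHORIZED, GRANTED))
```

Each flagged item is a deviation to investigate, not a conclusion: the auditor still has to determine its cause and potential consequences before deciding whether the control can be relied on.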

If, taking into account the questions about "what could go wrong", the project team determines that management is relying on programmed controls or that the identified control depends on data generated by IT, then a second question should be asked: "How does management know if the programmed controls are operating effectively?" The answer may be that: (1) user procedures verify processing accuracy (eg, manually recalculating complex calculations, or reconciling IT reports with manual item totals) and / or (2) management depends on IT systems to effectively run the control or produce data. In the case of answer (2), the effect of general IT controls (ie, modifications to programs and / or access to data files, including general controls within integrated application environments such as key fixes and segregation of duties between users affecting the entire application) should be taken into account when making the preliminary assessment of the effectiveness of all controls depending on the IT system or on data generated by IT.

Many companies use external service organizations to process transactions. In that case, in addition to evaluating controls within the company, management must develop an understanding of the importance that processing in the service organization has for the accounting system and controls of the company. Based on the degree of importance, management may need to make an assessment of the controls in place in the service organization. Often the service organization auditor prepares a report on these controls, which will be useful for management evaluation of them.
