Appendix C — Understanding the Entity’s System of Internal Control (Ref: par. 12, 21–26, A98–A202)

1. The entity’s system of internal control may be reflected in policy and procedures manuals, systems and forms, and the information embedded therein, and is effected by people. The entity’s system of internal control is implemented by management, those charged with governance, and other personnel based on the structure of the entity. The entity’s system of internal control can be applied based on the decisions of management, those charged with governance, or other personnel and in the context of legal or regulatory requirements to the operating model of the entity, the legal entity structure, or a combination of these.

2. This appendix further explains the components of, as well as the limitations of, the entity’s system of internal control as set out in paragraphs 12(l), 21–26, and A98–A202 as they relate to a financial statement audit.

3. Included within the entity’s system of internal control are aspects that relate to the entity’s reporting objectives, including its financial reporting objectives, but it may also include aspects that relate to its operations or compliance objectives, when such aspects are relevant to financial reporting. For example, controls over compliance with laws and regulations may be relevant to financial reporting when such controls are relevant to the entity’s preparation of disclosures of contingencies in the financial statements.

Components of the Entity’s System of Internal Control

Control Environment

4. The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s system of internal control and its importance in the entity. The control environment sets the tone of an organization, influencing the control consciousness of its people, and provides the overall foundation for the operation of the other components of the entity’s system of internal control.

5. An entity’s control consciousness is influenced by those charged with governance because one of their roles is to counterbalance pressures on management in relation to financial reporting that may arise from market demands or remuneration schemes. Therefore, the effectiveness of the design of the control environment in relation to participation by those charged with governance is influenced by such matters as the following:

· Their independence from management and their ability to evaluate the actions of management

· Whether they understand the entity’s business transactions

· The extent to which they evaluate whether the financial statements are prepared in accordance with the applicable financial reporting framework, including whether the financial statements include adequate disclosures

6. The control environment encompasses the following elements:

a. How management’s responsibilities are carried out, such as creating and maintaining the entity’s culture and demonstrating management’s commitment to integrity and ethical values. The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical behavior are the product of the entity’s ethical and behavioral standards or codes of conduct, how they are communicated (for example, through policy statements), and how they are reinforced in practice (for example, through management actions to eliminate or mitigate incentives or temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts). The communication of entity policies on integrity and ethical values may include the communication of behavioral standards to personnel through policy statements and codes of conduct and by example.

b. When those charged with governance are separate from management, how those charged with governance demonstrate independence from management and exercise oversight of the entity’s system of internal control. An entity’s control consciousness is influenced by those charged with governance. Considerations may include whether there are sufficient individuals who are independent from management and objective in their evaluations and decision making; how those charged with governance identify and accept oversight responsibilities and whether those charged with governance retain oversight responsibility for management’s design, implementation, and conduct of the entity’s system of internal control. The importance of the responsibilities of those charged with governance is recognized in codes of practice and other laws and regulations or guidance produced for the benefit of those charged with governance. Other responsibilities of those charged with governance include oversight of the design and effective operation of whistle-blower procedures.

c. How the entity assigns authority and responsibility in pursuit of its objectives. This may include the following considerations:

· Key areas of authority and responsibility and appropriate lines of reporting

· Policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties

· Policies and communications directed at ensuring that all personnel understand the entity’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable

d. How the entity attracts, develops, and retains competent individuals in alignment with its objectives. This includes how the entity ensures the individuals have the knowledge and skills necessary to accomplish the tasks that define the individual’s job, such as the following:

· Standards for recruiting the most qualified individuals, with an emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior

· Training policies that communicate prospective roles and responsibilities, including practices such as training schools and seminars that illustrate expected levels of performance and behavior

· Periodic performance appraisals driving promotions that demonstrate the entity’s commitment to the advancement of qualified personnel to higher levels of responsibility

e. How the entity holds individuals accountable for their responsibilities in pursuit of the objectives of the entity’s system of internal control. This may be accomplished through some of the following examples:

· Mechanisms to communicate and hold individuals accountable for performance of controls responsibilities and implement corrective actions as necessary

· Establishing performance measures, incentives, and rewards for those responsible for the entity’s system of internal control, including how the measures are evaluated and maintain their relevance

· How pressures associated with the achievement of control objectives affect the individual’s responsibilities and performance measures

· How the individuals are disciplined as necessary

The appropriateness of the preceding matters will be different for every entity depending on its size, the complexity of its structure, and the nature of its activities.

The Entity’s Risk Assessment Process

7. The entity’s risk assessment process is an iterative process for identifying and analyzing risks to achieving the entity’s objectives and forms the basis for how management or those charged with governance determine the risks to be managed.

8. For financial reporting purposes, the entity’s risk assessment process includes how management identifies business risks relevant to the preparation of financial statements in accordance with the entity’s applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them and the results thereof. For example, the entity’s risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements or considers risks of fraud.

9. Risks relevant to reliable financial reporting include external and internal events, transactions, or circumstances that may occur and adversely affect an entity’s ability to initiate, record, process, and report financial information consistent with the assertions of management in the financial statements. Management may initiate plans, programs, or actions to address specific risks, or it may decide to assume a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:

· Changes in operating environment. Changes in the regulatory, economic, or operating environment can result in changes in competitive pressures and significantly different risks.

· New personnel. New personnel may have a different focus on or understanding of the entity’s system of internal control.

· New or revamped information system. Significant and rapid changes in the information system can change the risk relating to the entity’s system of internal control.

· Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.

· New technology. Incorporating new technologies into production processes or the information system may change the risk associated with the entity’s system of internal control.

· New business models, products, or activities. Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with the entity’s system of internal control.

· Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with the entity’s system of internal control.

· Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.

· New accounting pronouncements. Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.

· Use of IT. Risks relating to

  —  maintaining the integrity of data and information processing;

  —  the entity’s business strategy, which arise if the entity’s IT strategy does not effectively support the entity’s business strategy; or

  —  changes or interruptions in the entity’s IT environment, turnover of IT personnel, or the entity not making necessary updates to the IT environment (or not making them on a timely basis).

The Entity’s Process to Monitor the System of Internal Control

10. The entity’s process to monitor the system of internal control is a continual process to evaluate the effectiveness of the entity’s system of internal control and to take necessary remedial actions on a timely basis. The entity’s process to monitor the entity’s system of internal control may consist of ongoing activities, separate evaluations (conducted periodically), or some combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and may include regular management and supervisory activities. The entity’s process will likely vary in scope and frequency depending on the assessment of the risks by the entity.

11. The objectives and scope of internal audit functions typically include activities designed to evaluate or monitor the effectiveness of the entity’s system of internal control.1 The entity’s process to monitor the entity’s system of internal control may include activities such as management’s review of whether bank reconciliations are being prepared on a timely basis, internal auditors’ evaluation of sales personnel’s compliance with the entity’s policies on terms of sales contracts, and a legal department’s oversight of compliance with the entity’s ethical or business practice policies. Monitoring is done also to ensure that controls continue to operate effectively over time. For example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them.

12. Controls related to the entity’s process to monitor the entity’s system of internal control, including those that monitor underlying automated controls, may be automated or manual, or a combination of both. For example, an entity may use automated monitoring controls over access to certain technology with automated reports of unusual activity to management, who manually investigate identified anomalies.

13. When distinguishing between a monitoring activity and a control related to the information system, the underlying details of the activity are considered, especially when the activity involves some level of supervisory review. Supervisory reviews are not automatically classified as monitoring activities, and it may be a matter of judgment whether a review is classified as a control related to the information system or a monitoring activity. For example, the intent of a monthly completeness control would be to detect and correct errors, whereas a monitoring activity would determine why errors are occurring and assign management the responsibility of fixing the process to prevent future errors. In simple terms, a control related to the information system responds to a specific risk, whereas a monitoring activity assesses whether controls within each of the five components of the entity’s system of internal control are operating as intended.

14. Monitoring activities may include using information from communications from external parties that may indicate problems or highlight areas in need of improvement. Customers implicitly corroborate billing data by paying their invoices or complaining about their charges. In addition, regulators may communicate with the entity concerning matters that affect the functioning of the entity’s system of internal control, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider in performing monitoring activities any communications relating to the entity’s system of internal control from external auditors.

The Information System and Communication

15. The information system relevant to the preparation of the financial statements consists of activities and policies, and accounting and supporting records, designed and established to do the following:

· Initiate, record, and process entity transactions (as well as to capture, process, and disclose information about events and conditions other than transactions, such as changes in fair values or indicators of impairment) and to maintain accountability for the related assets, liabilities, and equity

· Resolve incorrect processing of transactions, for example, automated suspense files and procedures followed to clear suspense items out on a timely basis

· Process and account for system overrides or bypasses to controls

· Incorporate information from transaction processing in the general ledger (for example, transferring of accumulated transactions from various data tables)

· Capture and process information relevant to the preparation of the financial statements for events and conditions other than transactions, such as the depreciation and amortization of assets and changes in the recoverability of assets

· Ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized, and appropriately reported in the financial statements

16. An entity’s business processes include the activities designed to develop, purchase, produce, sell, and distribute an entity’s products and services; ensure compliance with laws and regulations; and record information, including accounting and financial reporting information. Business processes result in the transactions that are recorded, processed, and reported by the information system.

1 AU-C section 610, “The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements,” and appendix D, “Considerations for Understanding an Entity’s Internal Audit Function,” of this proposed SAS provide further guidance related to internal audit.

17. The quality of information affects management’s ability to make appropriate decisions in managing and controlling the entity’s activities and to prepare reliable financial reports.

18. Communication, which involves providing an understanding of individual roles and responsibilities pertaining to the entity’s system of internal control, may take such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.

19. Communication by the entity of the financial reporting roles and responsibilities and of significant matters relating to financial reporting involves providing an understanding of individual roles and responsibilities pertaining to the entity’s system of internal control relevant to financial reporting. It may include such matters as the extent to which personnel understand how their activities in the information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity.

Control Activities

20. Controls in the control activities component are identified in accordance with paragraph 26. Such controls include information-processing controls and general IT controls, both of which may be manual or automated in nature. The greater the extent of automated controls, or controls involving automated aspects, that management uses and relies on in relation to its financial reporting, the more important it may become for the entity to implement general IT controls that address the continued functioning of the automated aspects of information-processing controls. Controls in the control activities component may pertain, for example, to the following:

· Authorization and approvals. An authorization affirms that a transaction is valid (that is, it represents an actual economic event or is within an entity’s policy). An authorization typically takes the form of an approval by a higher level of management or of verification and a determination if the transaction is valid. For example, a supervisor approves an expense report after reviewing whether the expenses seem reasonable and within policy. An example of an automated approval is when an invoice unit cost is automatically compared with the related purchase order unit cost within a pre-established tolerance level. Invoices within the tolerance level are automatically approved for payment. Those invoices outside the tolerance level are flagged for additional investigation.

· Reconciliations. Reconciliations compare two or more data elements. If differences are identified, action is taken to bring the data into agreement. Reconciliations generally address the completeness or accuracy of processing transactions.

· Verifications. Verifications compare two or more items with each other or compare an item with a policy and will likely involve a follow-up action when the two items do not match or the item is not consistent with policy. Verifications generally address the completeness, accuracy, or validity of processing transactions.

· Physical or logical controls, including those that address security of assets against unauthorized access, acquisition, use, or disposal. Such controls encompass the following:

  —  The physical security of assets, including adequate safeguards such as secured facilities over access to assets and records

  —  The authorization for access to computer programs and data files (that is, logical access)

  —  The periodic counting and comparison with amounts shown on control records (for example, comparing the results of cash, security, and inventory counts with accounting records)

The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation depends on circumstances such as when assets are highly susceptible to misappropriation.

· Segregation of duties. Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets. Segregation of duties is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties.

For example, a manager authorizing credit sales is not responsible for maintaining accounts receivable records or handling cash receipts. If one person is able to perform all these activities, he or she could, for example, create a fictitious sale that could go undetected. Similarly, salespersons should not have the ability to modify product price files or commission rates.

Sometimes, segregation is not practical, cost effective, or feasible. For example, smaller and less complex entities may lack sufficient resources to achieve ideal segregation, and the cost of hiring additional staff may be prohibitive. In these situations, management may institute alternative controls. In the preceding example, if the salesperson can modify product price files, a detective control activity can be put in place to have personnel unrelated to the sales function periodically review whether and under what circumstances the salesperson changed prices.
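The automated tolerance approval, the segregation-of-duties rule, and the compensating review of price-file changes described above, as an added Python example that is not part of this standard; the invoice, purchase-order, duty-assignment and price-log data are constructed, and the 2% tolerance is an assumed value.

```python
"""Constructed illustration of three control activities described in the appendix:
an automated invoice-to-purchase-order approval with a tolerance band, a
segregation-of-duties check over who may authorize, record, and hold custody,
and a detective listing of price-file changes made by sales staff.
All data below is constructed; the 2% tolerance is an assumed value."""
from collections import defaultdict

# Duties the appendix treats as incompatible when held by one person for the
# same process (authorizing, recording, and custody of the related assets).
INCOMPATIBLE_DUTIES = {"authorize", "record", "custody"}


def match_invoice_to_po(invoice_lines, po_lines, tolerance=0.02):
    """Automated approval control.

    invoice_lines / po_lines map item code -> unit cost. An invoice line whose
    unit cost is within `tolerance` (a fraction of the PO unit cost) is
    approved for payment; a line outside the band, or with no PO line at all,
    is flagged for investigation rather than paid.
    Returns (approved_items, flagged) where flagged is a list of (item, reason).
    """
    approved, flagged = [], []
    for item, invoice_cost in invoice_lines.items():
        po_cost = po_lines.get(item)
        if po_cost is None:
            flagged.append((item, "no matching purchase order line"))
        elif abs(invoice_cost - po_cost) <= tolerance * po_cost:
            approved.append(item)
        else:
            flagged.append(
                (item, f"unit cost {invoice_cost} vs PO {po_cost} outside tolerance"))
    return approved, flagged


def sod_conflicts(assignments):
    """Segregation-of-duties check.

    assignments: iterable of (person, process, duty). Returns a dict keyed by
    (person, process) whose value is the set of incompatible duties that person
    holds for that process, for every person holding more than one.
    """
    held = defaultdict(set)
    for person, process, duty in assignments:
        if duty in INCOMPATIBLE_DUTIES:
            held[(person, process)].add(duty)
    return {key: duties for key, duties in held.items() if len(duties) > 1}


def price_changes_by_sales_staff(change_log, sales_staff):
    """Compensating detective control: when a salesperson can edit the price
    file, list their changes so someone outside the sales function reviews them.
    change_log entries are dicts with 'changed_by', 'item', 'old', 'new'."""
    return [change for change in change_log if change["changed_by"] in sales_staff]


# Constructed sample data.
INVOICE = {"WIDGET-1": 10.15, "WIDGET-2": 12.00, "GASKET-9": 3.00}
PURCHASE_ORDER = {"WIDGET-1": 10.00, "WIDGET-2": 10.00}
ASSIGNMENTS = [
    ("alice", "credit_sales", "authorize"),
    ("bob", "credit_sales", "record"),
    ("carol", "credit_sales", "custody"),
    ("dave", "payroll", "authorize"),
    ("dave", "payroll", "record"),
]
PRICE_LOG = [
    {"changed_by": "erin", "item": "WIDGET-1", "old": 10.00, "new": 9.50},
    {"changed_by": "frank", "item": "WIDGET-2", "old": 10.00, "new": 10.50},
]
SALES_STAFF = {"erin"}

if __name__ == "__main__":
    print(match_invoice_to_po(INVOICE, PURCHASE_ORDER))
    print(sod_conflicts(ASSIGNMENTS))
    print(price_changes_by_sales_staff(PRICE_LOG, SALES_STAFF))
```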

21. Certain controls may depend on the existence of appropriate supervisory controls established by management or those charged with governance. For example, authorization controls may be delegated under established guidelines, such as investment criteria set by those charged with governance; alternatively, nonroutine transactions such as major acquisitions or divestments may require specific high-level approval, including, in some cases, that of shareholders.

Limitations of Internal Control

22. The entity’s system of internal control, no matter how effective, can provide an entity with only reasonable assurance about achieving the entity’s financial reporting objectives. The likelihood of their achievement is affected by the inherent limitations of internal control. These include the realities that human judgment in decision making can be faulty, and that breakdowns in the entity’s system of internal control can occur because of human error. For example, there may be an error in the design of, or in the change to, a control. Equally, the operation of a control may not be effective, such as when information produced for the purposes of the entity’s system of internal control (for example, an exception report) is not effectively used because the individual responsible for reviewing the information does not understand its purpose or fails to take appropriate action.

23. Additionally, controls can be circumvented by the collusion of two or more people or inappropriate management override of controls. For example, management may enter into side agreements with customers that alter the terms and conditions of the entity’s standard sales contracts, which may result in improper revenue recognition. Also, edit checks in an IT application that are designed to identify and report transactions that exceed specified credit limits may be overridden or disabled.

24. Further, in designing and implementing controls, management may make judgments on the nature and extent of the controls it chooses to implement, and the nature and extent of the risks it chooses to assume.