Why internal control is reasonable assurance?

Do we care what this term means? We should, because it should guide assessments of internal control by management, internal audit, and external audit (and the latter use it when they express an opinion on the financial statements). It also comes into play as internal auditors and management assess the adequacy of governance and risk management processes.

Is it, as the SEC and PCAOB once told me, “a term of science”? Not really. It all comes down to professional judgment by a reasonable or prudent person: judgment as to the level of risk that the assessment is incorrect.

There are regulations that guide the external audit firms and define what reasonable assurance should mean when they use the term.

Auditing Standard Number 5 (AS5) says:

“Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes… The auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management’s assessment… When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.”

AS5 points to AU sec. 230, Due Professional Care in the Performance of Work, for a definition of reasonable assurance. However, that document doesn’t provide a great deal more clarification:

“While exercising due professional care, the auditor must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements. The high, but not absolute, level of assurance that is intended to be obtained by the auditor is expressed in the auditor’s report as obtaining reasonable assurance about whether the financial statements are free of material misstatement (whether caused by error or fraud). Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Therefore, an audit conducted in accordance with generally accepted auditing standards may not detect a material misstatement.”

The guidance continues:

“The independent auditor’s objective is to obtain sufficient appropriate audit evidence to provide him or her with a reasonable basis for forming an opinion. The nature of most evidence derives, in part, from the concept of selective testing of the data being audited, which involves judgment regarding both the areas to be tested and the nature, timing, and extent of the tests to be performed. In addition, judgment is required in interpreting the results of audit testing and evaluating audit evidence. Even with good faith and integrity, mistakes and errors in judgment can be made. Furthermore, accounting presentations contain accounting estimates, the measurement of which is inherently uncertain and depends on the outcome of future events. The auditor exercises professional judgment in evaluating the reasonableness of accounting estimates based on information that could reasonably be expected to be available prior to the completion of field work. As a result of these factors, in the great majority of cases, the auditor has to rely on evidence that is persuasive rather than convincing.”

OK, what does this all mean? There are some key phrases:

  • “the level of detail and degree of assurance that would satisfy prudent officials that they have reasonable assurance”
  • “audit risk will be limited to a low level that is, in his or her professional judgment, appropriate”

It all comes down to the judgment of a prudent person or official.

AS5 and AU sec. 230 both point to the fact that absolute or perfect assurance is impossible. Both are concerned with assurance over financial reporting and the auditor’s opinion on the system of internal control and the financial statements.

What does the COSO Internal Control – Integrated Framework (2013) say? It also refers to reasonable assurance:

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

It goes on to say that internal control is “able to provide only reasonable assurance, not absolute assurance”.

“The term ‘reasonable assurance’ rather than ‘absolute assurance’ acknowledges that limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible. Reasonable assurance does not imply that an entity will always achieve its objectives. Effective internal control increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected by limitations inherent in all internal control systems, such as human error and the uncertainty inherent in judgment. Additionally, a system of internal control can be circumvented if people collude. Further, if management is able to override controls, the entire system may fail. In other words, even an effective system of internal control can experience a failure.”

So, let’s see if we can come up with something that makes practical sense.

Let’s start by saying that a system of internal control is designed to ensure that risks to the achievement of objectives are within desired levels. But there are limitations inherent in any system of internal control, as described by COSO in the excerpt above.

How much risk should we take that the system of internal control will fail, with significant implications for the achievement of objectives? How much should we spend on controls to limit the risk? That is a matter of judgment: management and the board, as appropriate, should decide. In some cases, regulation and law may guide the definition of an acceptable level of risk that the system of internal control will fail. In all cases, whether a reasonable person (or official) would agree should be a consideration.

If the level of risk that the system of internal control will fail is acceptable, we can call the system of internal control effective.

But the problem is not quite that easy. We also have to consider the use of the term in an auditor’s opinion. External and internal audit seek reasonable assurance that the system of internal control is effective. Said another way, the auditors seek reasonable assurance that the system of internal control provides reasonable assurance that risks to the achievement of objectives are at acceptable levels.

Here, we are talking about the level of risk that the assessment by the auditor is incorrect. Again, the judgment of a prudent person or official comes into play. For the reasons expressed in AU sec. 230, an auditor cannot be certain that his assessment is correct.

OK, so what does this all mean?

As I said earlier, this is not a matter of science. It is a matter of judgment and common sense. Professional auditors are presumed to have both and should be required to exercise both when making assessments.

Where am I going with this?

I believe that external auditors, management, and internal auditors should be prepared to form and express opinions on the adequacy of internal control, management of risk, governance processes, and more. They should rely on, without qualms, their common sense and judgment in that process. Perfect assurance that the system of internal control is perfect is doubly impossible. Reasonable assurance based on professional judgment is possible.

I welcome your comments and perspectives.

PS. I will write a post shortly about the form an internal auditor’s opinion might take on the adequacy of an organization’s overall processes for governance, management of risk, and internal controls.

SOURCE: California State University - University Auditor

You may have heard the term "internal control(s)," but what exactly is it? Evaluating internal controls is one of internal auditing's primary responsibilities. The Institute of Internal Auditors (IIA) defines control and control processes as follows:

A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control processes are the policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.

A broadly accepted definition of internal control comes from the Committee of Sponsoring Organizations (COSO)¹ of the Treadway Commission's report entitled The Control-Integrated Framework (COSO Report) as follows:

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Key points about internal control include:

  • It is a process.
  • It is achieved by people.
  • It can only provide reasonable assurance.
  • It is geared to the achievement of objectives.

In the California State University (CSU) environment, internal controls serve the following purposes:

  • Protect the University's Assets
  • Ensure Records Are Accurate
  • Promote Operational Effectiveness and Efficiency
  • Encourage Adherence to Policies
  • Ensure Compliance with Laws, Regulations, and Contracts

Generally, controls are of two types:

  • Preventative Controls: Designed to discourage errors or prevent irregularities from occurring. They are proactive controls that help prevent a loss. Examples: Separation of duties, proper authorization, adequate documentation, and physical control over assets.
  • Detective Controls: Designed to find errors or irregularities after they have occurred. Examples: Reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.

The COSO Report further defines five interrelated components of internal control:

  • Control Environment: This sets the tone of the organization and is the foundation for all other components.
  • Risk Assessment: Management establishes activity-level objectives and mechanisms for identifying and analyzing risks related to their achievement.
  • Control Activities: Policies and procedures that ensure management's directives are carried out and help ensure that necessary actions are taken to address risks to achievement of the entity's objectives.
  • Information and Communication: Information identified, captured, and communicated in a form and timeframe to enable people to carry out their responsibilities.
  • Monitoring: The process that assesses the quality of the system's performance over time, which includes ongoing monitoring activities, separate evaluations, or a combination of the two.

Who is responsible for internal controls?

The auditors, right? Wrong! Everyone plays a part in the CSU's internal control system. Ultimately, it is CSU management's responsibility to ensure that controls are in place. That responsibility is delegated to each area of operation, which must ensure that internal controls are established, properly documented, and maintained. Every employee has some responsibility for making this internal control system function. Therefore, all CSU employees need to be aware of the concept and purpose of internal controls. Internal audit's role is to assist management in their oversight and operating responsibilities through independent audits and consultations designed to evaluate and promote the systems of internal control.

What is internal auditing?

The IIA defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The internal audit activity evaluates the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. Internal audit reviews include the reliability and integrity of financial and operational information, effectiveness and efficiency of operations, safeguarding of assets, and compliance with laws, regulations, and contracts. These reviews also ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization, as well as the extent to which results are consistent with established goals and objectives and whether operations and programs are being implemented or performed as intended.

1. COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.