Sistema de control interno
Páginas: 67 (16604 palabras)
Publicado: 13 de febrero de 2012
A S S U R A N C E A N D A DV I S O RY B U S I N E S S S E RV I C E S
!@#
Evaluating Internal Controls
Considerations for Documenting Controls at the Process, Transaction, or Application Level
a3
To Our Clients and Other Friends
T
he Sarbanes-Oxley Act of 2002 (the Act) makes reporting on internal controls mandatory for SEC registrants and their independent auditors. Section404 of the Act directs the SEC to adopt rules requiring annual reports of public companies to include an assessment, as of the end of the fiscal year, of the effectiveness of internal controls and procedures for financial reporting. Section 404 also requires the company’s independent auditors to attest to and report on management’s assessment. The SEC issued its proposed rules in October 2002 and,if adopted as proposed, they will be effective for companies with fiscal years ending on or after September 15, 2003. Companies should be getting ready now for the comprehensive documentation and evaluation of internal control that will be needed to support management’s assessment and the auditors’ attestation report. Our publication, Preparing for Internal Control Reporting — A Guide forManagement’s Assessment under Section 404 of the Sarbanes-Oxley Act (the Guide) (Ernst & Young SCORE Retrieval File No. EE0677), provides a methodology and framework for completing the evaluation.
The methodology outlined in the Guide includes five phases:
1 1 1 1
Understand the Definition of Internal Control Organize a Project Team to Conduct the Evaluation Evaluate Internal Control at the EntityLevel Understand and Evaluate Internal Control at the Process, Transaction, or Application Level Evaluate Overall Effectiveness, Identify Matters for Improvement, and Establish Monitoring System
1
Guidance on the first two phases of the methodology is provided in the Guide. Detailed guidance on the third phase is provided in the Ernst & Young publication, Evaluating Internal Controls —Considerations for Evaluating Internal Control at the Entity Level (Ernst & Young SCORE Retrieval File No. EE0687). We will be providing more information about the overall evaluation — the last phase — in a future publication. This document is a tool to assist management in performing the fourth phase: understanding and evaluating internal control at the process, transaction, or application level.Internal control at the entity level can have a pervasive influence on internal control at the process, transaction, or application level. However, unlike the evaluation of entitylevel controls, documenting and evaluating controls at this detailed level will be far more specific and likely will require significantly more time to complete. Evaluating process, transaction, or application level-controlsprovides a good deal of the evidence management will need to support its overall assessment of the effectiveness of internal control over financial reporting. Management will need to consider controls, including information technology (IT) controls, that serve to prevent or detect errors of importance relating to each significant account.
TO O U R C L I E N T S
AND
OT H E R F R I E N D SManagement also will need to consider controls that address each of the five components of internal control:
1 1 1 1 1
Control Environment Risk Assessment Information and Communication Control Activities Monitoring
Controls relating to several of these components — control environment, risk assessment, and monitoring — often are at a higher level and must be evaluated carefully todetermine whether the controls are sensitive enough to prevent or detect errors of importance or fraud relating to each significant account. Many of the more detailed controls that management will identify to support its assessment will be from the information and communication and/or control activities components and primarily relate to specific processes and applications. Companies with multiple...
!@#
Evaluating Internal Controls
Considerations for Documenting Controls at the Process, Transaction, or Application Level
a3
To Our Clients and Other Friends
T
he Sarbanes-Oxley Act of 2002 (the Act) makes reporting on internal controls mandatory for SEC registrants and their independent auditors. Section404 of the Act directs the SEC to adopt rules requiring annual reports of public companies to include an assessment, as of the end of the fiscal year, of the effectiveness of internal controls and procedures for financial reporting. Section 404 also requires the company’s independent auditors to attest to and report on management’s assessment. The SEC issued its proposed rules in October 2002 and,if adopted as proposed, they will be effective for companies with fiscal years ending on or after September 15, 2003. Companies should be getting ready now for the comprehensive documentation and evaluation of internal control that will be needed to support management’s assessment and the auditors’ attestation report. Our publication, Preparing for Internal Control Reporting — A Guide forManagement’s Assessment under Section 404 of the Sarbanes-Oxley Act (the Guide) (Ernst & Young SCORE Retrieval File No. EE0677), provides a methodology and framework for completing the evaluation.
The methodology outlined in the Guide includes five phases:
1 1 1 1
Understand the Definition of Internal Control Organize a Project Team to Conduct the Evaluation Evaluate Internal Control at the EntityLevel Understand and Evaluate Internal Control at the Process, Transaction, or Application Level Evaluate Overall Effectiveness, Identify Matters for Improvement, and Establish Monitoring System
1
Guidance on the first two phases of the methodology is provided in the Guide. Detailed guidance on the third phase is provided in the Ernst & Young publication, Evaluating Internal Controls —Considerations for Evaluating Internal Control at the Entity Level (Ernst & Young SCORE Retrieval File No. EE0687). We will be providing more information about the overall evaluation — the last phase — in a future publication. This document is a tool to assist management in performing the fourth phase: understanding and evaluating internal control at the process, transaction, or application level.Internal control at the entity level can have a pervasive influence on internal control at the process, transaction, or application level. However, unlike the evaluation of entitylevel controls, documenting and evaluating controls at this detailed level will be far more specific and likely will require significantly more time to complete. Evaluating process, transaction, or application level-controlsprovides a good deal of the evidence management will need to support its overall assessment of the effectiveness of internal control over financial reporting. Management will need to consider controls, including information technology (IT) controls, that serve to prevent or detect errors of importance relating to each significant account.
TO O U R C L I E N T S
AND
OT H E R F R I E N D SManagement also will need to consider controls that address each of the five components of internal control:
1 1 1 1 1
Control Environment Risk Assessment Information and Communication Control Activities Monitoring
Controls relating to several of these components — control environment, risk assessment, and monitoring — often are at a higher level and must be evaluated carefully todetermine whether the controls are sensitive enough to prevent or detect errors of importance or fraud relating to each significant account. Many of the more detailed controls that management will identify to support its assessment will be from the information and communication and/or control activities components and primarily relate to specific processes and applications. Companies with multiple...
Leer documento completo
Regístrate para leer el documento completo.