top of page
  • CCS

Internal Control: Pervasive Controls (that address financial statement level risks)


We have now addressed each of the five components of internal control.


Some of these controls are pervasive in nature (financial statement-level risks).


They only indirectly serve to prevent a misstatement from occurring or to detect and correct it after it has occurred.


Other controls relate to particular transaction (assertion level) risks (such as payroll, sales, and purchases) and are designed specifically to prevent or detect and correct misstatements.


The following exhibit shows the interaction of the two levels of control over transactions as they journey from initiation and processing (transactional level) through the accounting records (financial statement level) and finally to the financial statements.

我们现在已经对内部控制的五个组成部分逐一进行了讨论。


其中一些控制在性质上是普遍存在的(财务报表层面的风险)。


它们只是间接地起到防止错报发生或在错报发生后发现并纠正错报的作用。


其他控制措施与特定的交易(主张层面)风险有关(如工资、销售和采购),专门用于防止或发现和纠正错报。


下图显示了交易控制的两个层面的互动,它们从启动和处理(交易层面)到会计记录(财务报表层面),最后到财务报表的过程。


Notice that at least three of the five internal control components consist primarily of pervasive controls.


请注意,五个内部控制组成部分中至少有三个主要由普遍性控制组成。

Notes:

  1. The above illustration is a general guide. In some instances, pervasive controls can be designed to operate at a level of precision that would prevent or detect specific misstatements at the business process level. For example, a detailed budget approved by those charged with governance may be used by management to detect unauthorised administration expenditures. In other instances, control activities and parts of the information system may relate to financial statement-level activities.

  2. Pervasive controls relating to the entity as a whole (such as the commitment to competence) may be less tangible than those at the business process level (such as matching goods received to a purchase order) but are just as critical in preventing and detecting fraud and error.

  3. The period-end financial reporting process includes procedures to

  4. Enter transaction totals into the general ledger; • Select and apply accounting policies;

  5. Initiate, authorise, record, and process journal entries in the general ledger;

  6. Record recurring and non-recurring adjustments to the financial statements; and

  7. Prepare the financial statements and related disclosures.

  8. General information technology (IT) controls are pervasive to the entity as a whole, focusing on how IT operations (such as organisation, staffing, and data integrity) are managed across the entity.

  9. IT application controls are similar to transaction controls. They relate to how specific transactions are processed at the business process level.

Pervasive controls (at the financial statement level) form the basis or foundation upon which specific assertion-level (transactional) controls can be built.


They set the “tone at the top” and establish expectations for the organisation’s control environment in general.


Poorly designed pervasive controls may encourage all types of error and fraud. For example, an entity may have a highly controlled and effective sales process.


However, if senior management has a poor attitude toward control and has sometimes overridden these controls, a material error could still occur in the financial statements. Management override and poor “tone at the top” are common themes in corporate wrongdoing.


Pervasive controls also include monitoring controls that assess whether the actual tone at the top is what was intended and how well control expectations are being fulfilled. The pervasive controls (that pertain to the financial statements as a whole) could include

  • Controls related to the control environment;

  • Controls over management override;

  • The entity’s risk assessment process;

  • Controls to monitor results of operations and other controls;

  • Controls over the period-end financial reporting process; and

  • Policies that address significant business control and risk management practices.

Smaller Entities

In smaller entities, the lack of specific business process controls (due to limited staff and resources) is often offset by a high degree of involvement by management (such as the owner-manager) in performing controls.


In fact, some pervasive controls in smaller entities can often operate at a level of precision that actually serves to prevent or detect specific misstatements.


However, the increased involvement of senior management also increases the risk of management override. This could be addressed through further audit procedures or the design of suitable anti-fraud controls.


Pervasive Control Deficiencies

Although weaknesses in pervasive controls do not generally result in an immediate deficiency or errors in the financial statements, they still significantly influence the likelihood of misstatements resulting at the business process control level.


The absence of good pervasive controls may seriously undermine other business process controls; consequently, significant deficiencies in these controls would be reported to management and those charged with governance.


注意事项:

  1. 上面的说明是一个一般性的指导。在某些情况下,普遍控制可以被设计成在一定的精度水平上运行,以防止或发现业务流程层面上的特定错报。例如,管理层可以利用由负责管理的人批准的详细预算来检测未经授权的行政开支。在其他情况下,控制活动和信息系统的部分可能与财务报表层面的活动有关。

  2. 与整个实体有关的普遍性控制(如对能力的承诺)可能不如业务流程层面的控制(如将收到的货物与采购订单相匹配)那么具体,但在预防和发现欺诈和错误方面同样重要。

  3. 期末财务报告流程包括以下程序

  4. 将交易总额输入总账; - 选择和应用会计政策。

  5. 发起、授权、记录和处理总账中的日记账。

  6. 记录财务报表的经常性和非经常性调整;以及

  7. 编制财务报表和相关披露。

  8. 一般信息技术(IT)控制对整个实体来说是普遍存在的,重点是如何管理整个实体的IT业务(如组织、人员配置和数据完整性)。

  9. IT应用控制类似于交易控制。它们涉及到如何在业务流程层面上处理具体的交易。

普遍性控制(在财务报表层面)构成了基础,在此基础上可以建立具体的断言层面(交易)控制。它们设定了 "高层的基调",并确立了对组织总体控制环境的期望。


设计不良的普遍性控制可能会鼓励所有类型的错误和欺诈。


例如,一个实体可能有一个高度控制和有效的销售流程。


然而,如果高级管理层对控制的态度很差,而且有时还凌驾于这些控制之上,那么财务报表中仍然可能出现重大错误。


管理层的凌驾和不良的 "高层语气 "是企业错误行为的常见主题。


普遍性控制还包括监测控制,以评估高层的实际语气是否符合预期,以及控制预期的实现情况。普遍性控制(与整个财务报表有关)可以包括:

  • 与控制环境有关的控制。

  • 对管理层的控制。

  • 该实体的风险评估过程。

  • 监测经营结果的控制和其他控制。

  • 对期末财务报告过程的控制;以及

  • 涉及重大业务控制和风险管理实践的政策。

较小的实体

在较小的实体中,缺乏具体的业务流程控制(由于人员和资源有限),往往被管理层(如所有者-管理者)在执行控制方面的高度参与所抵消。


事实上,在较小的实体中,一些普遍存在的控制措施往往可以在一定程度上精确地运作,实际起到防止或发现具体错报的作用。


然而,高级管理层参与度的提高也增加了管理层越权的风险。 这可以通过进一步的审计程序或设计适当的反欺诈控制来解决。


普遍性控制缺陷

尽管普遍性控制的缺陷一般不会导致财务报表中出现直接的缺陷或错误,但它们仍然会大大影响业务流程控制层面产生错报的可能性。


缺乏良好的普遍性控制可能会严重破坏其他业务流程控制;因此,这些控制的重大缺陷将被报告给管理层和负责管理的人。



Our website's articles, templates,