
Lynford Graham
298 Taylor Road South
Short Hills, NJ 07078
LgrahamCPA@gmail.com

November 8, 2020

Members of the Auditing Standards Board and Risk Assessment Task Force
AICPA
1211 Ave of the Americas
New York, NY 10036
c/o Ms. Sherry Hazel via email (Sherry.Hazel@aicpa-cima.com)

Exposure Draft comments: AU-C 315 ED: UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT

Thank you for the opportunity to comment on the revisions to AU-C 315. I was an Auditing Standards Board member (2001 – 2005) when the underlying Standards to the current Clarity version were drafted and have been active in further developing and updating the associated Audit Guide (Assessing and Responding to Audit Risk in a Financial Statement Audit) since chairing the task force in 2005-2006.

In general, the revision will serve the practice well. There are a few areas where further clarification could be helpful.

1. Separate evaluations of Inherent and Control Risk (Request for Comment 6)

Bravo! An area of continuing practice confusion has been the acceptance of joint IR (inherent risk) and CR (control risk) assessments when reaching RMM or even when assessing IR itself. From my work with Firms and practitioners over the past 15 years, a large part of the confusion is that practitioners ignore/forget the definition that IR is “before consideration of any related controls.”

The proposed Standard (as well as other extant literature) is clear in this regard, but when discussing the other factors to be considered particularly in the Application sections (A8-A10) it would be helpful to re-iterate in some way the “before controls” definition concept.

I often see IR assessments of cash, payroll, fixed asset and revenue accounts noted in workpapers as low inherent risk. Clearly, in the absence of controls, these accounts are not often “low” inherent risk. In some workpapers, most accounts and assertions are rated at low inherent risk. This just cannot be right.
The result of this exuberant assessment, absent testing controls, is a direct impact on reducing otherwise required substantive procedures to get to a low audit risk, which may lead to ineffectiveness of the audit. When reminded of the definition, and the need for evidence or rationale for the assessment, more realistic assessments result.

In one case, the issue has prompted a Firm to require internal pre-audit approval of lower inherent risk assessments as a quality control measure at the planning stage. It is difficult and expensive to “back fill” the evidence to get to low audit risk if the IR rating is later found to be unsupported or unrealistic.

The failure to document any basis or evidence supporting the various assessments of IR also contributes to the inability of reviewers and QC to review these determinations. This documentation lapse also makes it difficult for auditors in following years to identify when a change in circumstance requires a different assessment or may relate to a different assertion. Even if IR is rated as “high” is that sufficient to ensure the assertions covered in the designed audit procedures address the risks envisioned in the assessment? As an example, entity interest rate change exposure could be assessed as low due to a perceived unlikely change in interest rates or due to the financial structure of the entity at a point in time. Either can change from year to year, and either can be a point of verification or challenge in internal review, if articulated in the documentation. Some forms and templates that create a “checklist mentality” fail to remind auditors of the “before controls” definition of IR. Some fail to prompt for the evidence (basis) supporting the assessments of IR. These practice aids need to be more responsive to this issue since many practitioners rely heavily on the quality of those products to meet professional standards. AICPA peer reviews of vendor products need to check more closely for proper design of these forms.

When discussing and listing contributing factors/considerations to the IR assessment, a reminder that “before controls” is an overriding concept would be helpful in encouraging realistic assessments. Even when none of the listed factors apply (a more robust discussion of the factors/considerations are in paragraphs A8-A10), IR might be a high risk or a significant risk in a specific circumstance. A specific suggestion is to insert a reminder regarding “before controls” in Application paragraph 8.

2. Controls over Financial Reporting (Request for Comment 2)

In the extant version of AU-C 315, it was not clear that COSO 2013 Internal Control—Integrated Framework was to be followed when COSO was the underlying framework for controls evaluation. Given the transition that was underway to COSO 2013, as well as the desire to write a “framework neutral” standard, the extant construction is understandable.

By imbedding most of the 17 Principles in the proposed Standard itself, the COSO Framework emerges within the audit Standard as the useful structure it was meant to be. However, it is not clear that all 17 Principles are identified within paragraphs 21-27 and they are not specifically distinguished as the Principles. For example, in paragraphs 22 and 23, it appears this section addresses only 1 of the 4 Risk Assessment required Principles from the COSO model.
The alignment of auditing and entity models of internal control would encourage more consistent and efficient practice since some entities and auditors are using the 17 Principle approach for non-issuers and others are not, based on my reviews of workpapers.

One omission in the Standard that stands out to me is Principle 8 on entity fraud risk assessment. If, for example it is thought that AU-C 240 addresses this point, a simple footnote could help close the loop in the requirements section. Similarly, Principle 9 addresses change, a concept that might be covered elsewhere, but still relevant to the assessment of an entity’s system of internal control. Additionally, I do not see a parallel to Principle 6 (entity articulation of its objectives) in the Risk Assessment section. Within Information and Communication, the COSO concept of using relevant, quality information (Principle 12) seems to be missing. Paragraphs 25a and 25b seem to be more process than substance oriented.

I acknowledge Principles 6 and 8 are noted in paragraph A120. However, since Application material is not supposed to establish requirements, I suggest these Principles be noted into the Standards section and referenced to the other literature there.

A useful linkage between the COSO and auditing literatures may be created by presenting a schematic or summary of the COSO 2013 framework at the beginning of the Application material discussion on controls, with cross references to the relevant Standard or Application paragraphs. An example of such a summary is: [1]

[1] From a presentation developed for ENGAGE 2020.

In combination with the revised COSO cube as presented on page 6 of the COSO 2013 Internal Control: Integrated Framework. Executive Summary, such an illustration would provide a one-page overview of the internal control assessment process. Illustration H1-3 of the COSO Certification Course has such an illustration.

Within the application material itself the specific 17 Principles could be highlighted (bold or italicized, etc.) when articulated, but a cross reference to a listing of the Principles might suffice, since the auditing literature can differ from the COSO literature.

In recent years the AICPA Audit Risk and Response guide has enumerated and identified the specific COSO 17 Principles. It has noted that when COSO is the basis for assessment, COSO 2013 is the framework to follow. The treatment of the 17 Principles has been treated inconsistently in vendor practice aids.

An issue today is also that some current vendor forms list the Principles as concepts to “consider” when documenting the Components (e.g., Control Environment, Risk Assessment, etc.) rather than required documentation points. Thus, users often view and address them as suggestions (akin to COSO Points of Focus) and may or may not directly address the Principles in their assessments. I have observed various governmental applications using the 17 Principles in workpapers, and they have shown that documenting the 17 Principles does not have to be an onerous task. Many Principles may require just a few sentences and a citation of the evidence examined or cross references to other procedures that support the Principle. The COSO framework was revised to help direct the assessments and create greater consistency and quality in the assessment process.

3. Significant Risk (Request for Comment 9)

The Board will improve practice with its proposed revisions to better define the term “significant risk.” Clarifying the magnitude and likelihood may lead to more consistent judgments since the parameters of the assessment will need to be articulated and can be reviewed.

However, using the term significant risk may itself contribute to confusion, as it has been a source of misapplication in practice. The term “significant” is widely used by auditors and in the auditing literature (e.g., “significant” accounts, etc.), but in many cases significant risk is simply confused with high risk.
In some vendor forms, that term is used in lieu of the term “high risk.” Unless used as intended, identifying all high risks as significant risks will imply that certain extant and proposed auditing requirements and restrictions (e.g., annual testing of controls) apply to those risks, when they were intended to apply only to special risks. As originally conceived, the term was intended to be applied to the most important risk of the engagement, with an expectation that most audits would have at least one such risk. In careful review of workpapers in an adversarial situation like litigation, misuse of the term could expose the auditor to a claim of failing to follow auditing standards.

A few editions ago of the AICPA Assessing and Responding to Audit Risk Guide, the term significant risk was approved by the ASB to be italicized, to distinguish the intended specific term from other text using the same construction, but in a generic fashion.

A clarification in the Standard would be easy and helpful. Simply re-naming the concept of this risk as, say, a “critical risk” or “key risk” would avoid any confusion. This would facilitate identification of the risk in the first place, encourage compliance with the special audit requirements for such risks, and facilitate a more effective engagement team and internal quality review.

4. Documentation (Request for Comment 11)

Internal Controls

The ED sets forth under Controls in paragraph 12 the statement

“In this context (Ref: par. A2–A5) policies are statements of what should, or should not, be done within the entity to effect control. Such statements may be documented, explicitly stated in (i) communications, or implied through actions and decisions.”

Paragraph A4 goes on to say:

“A4. Procedures may be mandated, through formal documentation or other communication by management or those charged with governance, or may result from behaviors that are not mandated but, rather, are conditioned by the entity’s culture.”

This aligns with the COSO conceptual view regarding the existence of controls even in the absence of documentation, but could blur the expectation that controls need to be documented. The current construction of the documentation text in this regard could allow room for “lawyering” the language and supporting a position that documentation of the controls is not necessary. After 15 years we still see attempts to distort the clear language in the Standards with regards to making the design assessment at all. Standards need to be flexible but not obtuse.

My recommendation is to remove any references in the ED to controls that may lack documentation. Are the words “Such statements may be documented, explicitly stated in (i) communications, or implied through actions and decisions” in paragraph 12, and paragraph A4 really helpful?

COSO has clarified its prior 1992 stance on the status of undocumented controls.

“The nature and extent of the documentation may be influenced by the entity’s regulatory requirements[2].”

As a regulatory body, the ASB can require that controls be documented. If auditee controls are not documented, the performance of review or testing them can be difficult to perform and quality review. It is also desirable from a defensive perspective that the entity take ownership of its controls descriptions so that later events (e.g., a discovered fraud or bankruptcy) do not result in a lack of clarity regarding the controls that the entity should have had in place[3].

If the Board intends to have the system of controls documented, a clarification of the language around that point is required.

Nearly a decade or more may have passed since COSO 2013 was released and when this revised AU-C 315 may be effective.
Between entity and auditor documentation requirements to this point, there should be a sufficient base of documentation of the entity’s controls, such that “undocumented” controls should be rare. Undocumented controls can lead to misunderstanding and unchallenged misrepresentations to the auditor, for which the auditor may not have a clear defense if adversarial issues later arise.

Lack of controls documentation is also identified as a control deficiency in auditing standards[4]. If entity controls documentation is not essential, edits to that Standard are warranted.

My suggestion would be to make it crystal clear that documentation of the system of controls is expected. Entity plus auditor documentations of process and controls combined can satisfy this requirement. If auditors would focus on distinguishing controls from process, this task (as required by the ED and the extant Standard) and the documentation requirement would be simpler to perform and be more effective. I observe much wasted effort expended in auditor control narratives that meticulously describe the business processes and yet sometimes do not focus on the relevant controls over that process (e.g., ensuring completeness, accuracy, etc.). Training and guidance on this issue can aid compliance, effectiveness and efficiency.

[2] Internal Control – Integrated Framework: Framework and Appendices. COSO. May 2013, page 29. Also see page 30 regarding auditor needs.
[3] Truth has a way of shifting under pressure.
[4] AU-C 265 Communicating Internal Control Related Matters Identified in an Audit, paragraph A37.

Linkages of risks to further procedures

One of the contributing factors to ineffective risk assessments is the failure to link specific risks and issues from the risk assessment process to the further auditing procedures in workpapers. I often see a disconnect between risk assessment procedures and where (if at all) those risks are addressed in the workpapers. It is difficult to identify whether risk issues are properly addressed in the procedures performed when specific cross references are not present. The complexity of some engagements, multiple auditor engagement teams, and the difficulty of navigating workpapers all contribute to some risks being improperly addressed or falling “between the chairs.” This also hampers internal quality reviewers in ensuring that risks are properly addressed. In litigation, plaintiff experts comb the risk assessment for risks identified but not addressed in order to impugn the quality of the audit, even when the risks are not related to the issues of the case. Very embarrassing and costly.

Requiring such a link as part of risk assessment documentation is a trivial burden on audit costs with a considerable upside value in the completeness and quality of the audit.

An extension of this recommendation is the documentation of the linkage of risks and controls. Too often, different auditors from the engagement team identify risks and assess controls. If linkages between higher risks and assertions and their related controls were documented, a clearer linkage between Risk and Controls assessment would help integrate these topics, which sometimes become disconnected in practice.

A model of risks controls procedures would enhance audit quality and could simply be achieved through references and not additional procedures.
The internal review process would also benefit from a clearer trail of how issues are addressed and how low audit risk was achieved.

Inherent risk

If the intent is to require the basis and evidence supporting IR assessments along the "spectrum" I do not think this is crystal clear, and has been a weakness in vendor practice aids leading to a lack of practice documentation and misunderstanding of the need to document support for assessments. The Standard states in 38d:

“the identified and assessed risks of material misstatement at the financial statement level and at the assertion level, including significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence, and the rationale for the significant judgments made.”

I suggest that the words “evidence examined and” be placed before “rationale” to sharpen the expected content of the documentation and be in line with AU-C 320 Audit Documentation and AU-C 500 Audit Evidence. The term rationale is too close to the term rationalization which does not evoke the requirement of evidence. The assessment of IR is too important to the overall scope of the audit to be an armchair assessment or an unsupported rationalization.

I would be pleased to further explain or clarify any of the points made in this comment letter.

Respectfully submitted,

Lynford Graham, CPA, Ph.D., CFE, CIDA
