Thursday 22 September 2011

THE IFAC INTERNATIONAL STANDARDS (ISA Standards) IN THE AUDIT OR STATUTORY AUDIT PROCESS

AUDIT ENGAGEMENT

   Objectives and general principles governing an audit of financial statements (ISA 200 and ISA 220 to 260) and Terms of audit engagements (ISA 210)

   Phase 1: Planning the financial audit engagement (ISA 300)

   Phase 2: Understanding the entity and its environment, including its internal control, and assessing the risks of material misstatement (ISA 315) and

   Phase 3: Performing audit procedures in response to the assessed risks (ISA 330)

   Phase 4: Obtaining audit evidence and evaluating whether it is sufficient and appropriate (ISA 500 and ISA 501 to 620)

   Phase 5: Summary and reports (ISA 700 and ISA 701 to 800)

EXAMPLE: STEPS OF PHASE 1

        Obtaining an understanding of the entity and its environment
        Obtaining an understanding of the internal control components relevant to the audit
        Assessing the risk of material misstatement in the financial statements, at the level of the financial statements as a whole and at the assertion level
        Exchange of information within the audit team
        Communications with those charged with governance
        Documentation of the work
        Audit plan


DOCUMENTS ARISING FROM THE PHASES

        Engagement letter                                          Basic principles
        Summary of the risk assessment and audit plan              Phase 2
        Work programs                                              Phase 3
        Engagement summary memorandum                              Phase 5
        Audit reports                                              Phase 5


AUDIT USING THE RISK-BASED APPROACH

The entity's management is responsible for identifying business risks and for covering them.

The risk that an opinion expressed by an auditor is inappropriate is called audit risk, and reasonable assurance is obtained when the auditor has reduced audit risk to an acceptable level.

Audit risk is reduced by identifying and performing audit procedures to gather sufficient appropriate evidence from which to draw reasonable conclusions on which to base an audit opinion.

Audit risk is the combination of the risk that the financial statements contain material errors or omissions (risk of material misstatement) and the risk that the procedures performed by the auditor fail to detect them (detection risk).

The auditor performs procedures to assess the risks of errors or omissions (ISA 315) and performs audit procedures based on that assessment (ISA 330).
The audit process involves professional judgment in designing the audit approach, through the search for material misstatements, and in performing audit procedures in response to the assessed risks, with a view to obtaining sufficient appropriate audit evidence.

The auditor is responsible for material misstatements.

The materiality of omissions identified at the individual level of assertions, by class of accounts or by cycle and by type of disclosure, and at the overall level of the financial statements, is assessed at the level of the entity or of the financial statements as a whole.

Audit risk and the materiality threshold are related.

Risks of material misstatement at the overall financial statement level are pervasive risks that potentially affect several assertions. Risks of this nature generally relate to the control environment or to other factors such as deteriorating economic conditions in the industry, country or region.
These risks are not to be attached to assertions at the level of classes of accounts, cycles or disclosures.

The auditor's response to these risks of errors or omissions requires staff with appropriate knowledge, tools and abilities, and possibly even experts.

The auditor must also consider the risks of errors at the level of classes of accounts, cycles and the related disclosures. This consideration makes it possible to determine the nature, timing and extent of the audit procedures to be performed at the assertion level. The auditor seeks to obtain audit evidence at this level that will allow him, at the end of the audit, to express an opinion on the financial statements as a whole at an acceptable level of audit risk.

The risk of material misstatement at the assertion level has two components:

        Inherent risk: the possibility that an assertion contains a misstatement that could be material, individually or when aggregated with other errors or omissions in other assertions, notwithstanding the existing internal controls. This risk depends on the nature of the accounts (complex calculations, accounting estimates, external circumstances that increase business risks such as technological development, insufficient working capital, or an industry in recession characterized by a large number of business failures).
        Control risk: the possibility that an assertion contains a material misstatement, individually or when aggregated with other errors or omissions, that is not identified, or not detected and not corrected in time, by the entity's internal control system. This risk is a function of how effective and operational internal control is.

Inherent risk and control risk are risks of the entity and are therefore independent of the audit of the financial statements.

The auditor must assess the risk of material misstatement at the assertion level as a basis for the audit procedures, although this assessment is a judgment and not a precise measurement of risk.

If this risk assessment includes an expectation that controls are operating effectively, the auditor must perform tests of controls to support the risk assessment.

The standards do not refer separately to inherent risk and control risk but rather to a combined assessment of the risks of material misstatement. However, the auditor must make a separate or combined assessment of these 2 categories of risk depending on audit techniques, methodology and practices. This assessment may be made in quantitative terms (%) or in non-quantitative terms.

Detection risk is the risk that the auditor does not detect a misstatement that exists in an assertion and that is material, individually or when aggregated with other errors or omissions.
This risk is a function of the effectiveness of the audit procedures.
This risk cannot be reduced to zero because of:
        sampling techniques
        the use of an inappropriate audit procedure or the misapplication of an appropriate audit procedure
        the misinterpretation of the results of an audit procedure or of an audit.

It is generally addressed by:

        planning the engagement
        assigning appropriate staff to the engagement
        applying professional skepticism and a critical mind
        supervising and reviewing the audit work.

It is related to the nature, timing and extent of the audit procedures defined by the auditor to reduce audit risk to an acceptable level.

For a high risk of material misstatement, the acceptable detection risk must be low, and vice versa.

The preparation and fair presentation of the financial statements in accordance with the financial reporting framework (international or national standards) are the responsibility of the entity's management, under the oversight of those charged with governance.

The audit of the financial statements does not relieve management or those charged with governance of their responsibilities.



MATTERS TO CONSIDER IN THE AUDIT PLAN

The matters that the statutory auditor takes into account in drawing up the audit plan include in particular:
1.    General knowledge of the entity
·         Economic factors and industry characteristics affecting the entity's business.
·         Main characteristics of the entity: its industry, its financial results and its financial reporting obligations, as well as changes since the last engagement.
·         General level of competence of management.
2.    Understanding of the accounting and internal control systems
·         Accounting closing policies adopted by the entity and changes to them.
·         Effects of new accounting principles or new auditing standards.
·         The statutory auditor's overall knowledge of the accounting and internal control systems, and the emphasis likely to be placed on tests of controls relative to substantive procedures.
3.    Audit risk and materiality
·         Expected assessment of inherent risk and control risk and identification of the main risk areas.
·         Determination of materiality levels for audit purposes.
·         Possibility of material misstatements, in light of experience gained in prior periods.
·         Identification of complex accounting procedures, in particular those involving accounting estimates.
4.    Nature, timing and extent of audit procedures
·         Possible change in the emphasis placed on particular aspects of the engagement.
·         Effects of information technology on the audit.
·         Work performed by internal audit and the expected consequences for the audit procedures.
5.    Coordination, direction, supervision and review of the engagement
·         Involvement of other professionals responsible for auditing the accounts of, for example, branches or divisions.
·         Coordination with the statutory auditors of subsidiaries or of the parent company.
·         Use of experts.
·         Number of sites.
·         Staffing requirements.
6.    Other matters
·         Possibility that the going concern assumption may be called into question.
·         Matters requiring special attention, for example the existence of related parties.
·         Terms of the engagement and legal obligations (specific verifications, transactions and events occurring in the entity during the period, etc.).
·         Nature and timing of reports, and of other communications with the relevant bodies, planned as part of the engagement.




GENERAL KNOWLEDGE OF THE ENTITY AND ITS INDUSTRY

CNCC STANDARDS
Indicative list of matters to consider
The list below covers a wide range of areas. However, not every engagement is concerned by each of these areas, and the list is not necessarily exhaustive.
1.    General economic factors:
·         General level of economic activity (for example: recession, growth).
·         Interest rates and availability of credit.
·         Inflation.
·         Government policies:
o      monetary,
o      fiscal (corporate taxation and other),
o      subsidies (for example: government aid programs),
o      customs duties and tariff barriers.
·         Exchange rates and exchange controls.
2.    Industry - important factors affecting the entity's business
·         Market and competition.
·         Cyclical or seasonal activity.
·         Technological innovations relating to products.
·         Business risk (for example: high technology, business dependent on fashion trends, vulnerability to competition).
·         Declining or expanding business.
·         Adverse conditions (for example: falling demand, overproduction, price wars).
·         Key ratios and operating statistics.
·         Specific accounting practices and underlying problems.
·         Environmental requirements and problems.
·         Regulatory framework.
·         Energy supply and cost of energy.
·         Uniform or diversified practices (concerning, for example: contracts or working hours, financing methods or accounting principles).
3.    The entity
1)            Management and ownership
·         Structure of the entity - family-owned, listed, public, semi-public (recent or planned changes).
·         Beneficial owners and related parties (local, foreign, business reputation and experience).
·         Capital structure (recent or planned changes).
·         Organization chart.
·         Management's objectives, philosophy and strategic policies.
·         Acquisitions, mergers or disposals of activities (recent or planned).
·         Sources and methods of financing (current, historical).
·         Board of directors / Management board:
o   composition,
o   reputation and experience of members,
o   independence from management and control over it,
o   frequency of meetings,
o   existence of an audit committee and scope of its responsibilities,
o   existence of a code of ethics within the entity,
o   turnover of advisers (lawyers, for example)
·         Operating management:
o   experience and reputation,
o   turnover,
o   key financial officers and their status in the entity,
o   staffing of the accounting department,
o   significance of bonuses and financial incentives in remuneration (for example: profit sharing, stock options),
o   use of forecasts and budgets,
o   pressures on management (management dominated by one person, support of the share price, unreasonable deadlines for announcing results),
o   management information systems.
·         Internal audit function (existence, quality).
·         Management's attitude toward the general internal control environment.
2)            The entity's business - products, markets, suppliers, expenses, operations
·         Nature of the business (for example: manufacturer, wholesaler, financial services, import/export, etc.).
·         Location of production facilities, warehouses, offices.
·         Employment conditions (by site, resources, wage levels, collective agreements, pension plans, government regulations, etc.).
·         Products or services and markets (for example: major customers and contracts, terms of payment, profit margins, market share, competitors, exports, pricing policy, reputation of products, warranties, order book, trends, marketing strategy and objectives, production processes, etc.).
·         Major suppliers of goods and services (long-term contracts, stability of supply, terms of payment, imports, delivery methods such as "just-in-time").
·         Inventories (location, level).
·         Franchises, licenses, patents.
·         Significant expense items.
·         Research and development.
·         Assets, liabilities and transactions denominated in foreign currency (by currency), hedging transactions.
·         Laws and regulations that significantly affect the entity.
·         Management information systems (current and planned changes).
·         Debt (existence of restrictive and limiting covenants).
3)            Financial results - factors affecting the entity's financial position and profitability
·         Key ratios and operating statistics.
·         Trends.
4)            Financial reporting - external factors influencing management when preparing the financial statements
5)            Legislation
·         Regulatory framework and obligations.
·         Taxation.
·         Disclosure of information specific to the entity.
·         Mandatory reports on published information.
·         Users of the financial statements.


GENERAL KNOWLEDGE OF THE ENTITY AND ITS INDUSTRY

IFAC STANDARDS

For obtaining a general understanding of the entity and its environment, the areas to consider are:

        Industry, regulation and other external factors, including the applicable financial reporting framework
        Characteristics of the entity
        Objectives of the entity and its strategies
        Measurement and analysis of key performance indicators (KPIs)
        Internal control components relevant to the audit

APPENDIX 1: UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

This appendix provides additional guidance on matters the auditor may consider when obtaining an understanding of the industry, regulatory, and other external factors that affect the entity, including the applicable financial reporting framework; the nature of the entity; objectives and strategies and related business risks; and measurement and review of the entity’s financial performance. The examples provided cover a broad range of matters applicable to many engagements; however, not all matters are relevant to every engagement and the list of examples is not necessarily complete. Additional guidance on internal control is contained in Appendix 2.
INDUSTRY, REGULATORY AND OTHER EXTERNAL FACTORS, INCLUDING THE APPLICABLE FINANCIAL REPORTING FRAMEWORK
Examples of matters an auditor may consider include the following:
·              Industry conditions
– The market and competition, including demand, capacity, and price competition
– Cyclical or seasonal activity
– Product technology relating to the entity’s products
– Energy supply and cost
·              Regulatory environment
– Accounting principles and industry specific practices
– Regulatory framework for a regulated industry
– Legislation and regulation that significantly affect the entity’s operations
o   regulatory requirements
o   direct supervisory activities
– Taxation (corporate and other)
– Government policies currently affecting the conduct of the entity’s business
o   monetary, including foreign exchange controls
o   fiscal
o   financial incentives (for example, government aid programs)
o   tariffs, trade restrictions
– Environmental requirements affecting the industry and the entity’s business
·              Other external factors currently affecting the entity’s business
– General level of economic activity (for example, recession, growth)
– Interest rates and availability of financing
– Inflation, currency revaluation
NATURE OF THE ENTITY

Examples of matters an auditor may consider include the following:

Business Operations:
·              Nature of revenue sources (for example, manufacturer, wholesaler, banking, insurance or other financial services, import/export trading, utility, transportation and technology products and services)
·            Products or services and markets (for example, major customers and contracts, terms of payment, profit margins, market share, competitors, exports, pricing policies, reputation of products, warranties, order book, trends, marketing strategy and objectives, manufacturing processes)
·              Conduct of operations (for example, stages and methods of production, business segments, delivery of products and services, details of declining or expanding operations)
·              Alliances, joint ventures, and outsourcing activities
·              Involvement in E-commerce, including Internet sales and marketing activities
·              Geographic dispersion and industry segmentation
·              Location of production facilities, warehouses, and offices
·              Key customers
·              Important suppliers of goods and services (for example, long-term contracts, stability of supply, terms of payment, imports, methods of delivery such as “just-in-time”)
·              Employment (for example, by location, supply, wage levels, union contracts, pension and other post employment benefits, stock option or incentive bonus arrangements, and government regulation related to employment matters)
·              Research and development activities and expenditures
·              Transactions with related parties

Investments:
·              Acquisitions, mergers or disposals of business activities (planned or recently executed)
·              Investments and dispositions of securities and loans
·              Capital investment activities, including investments in plant and equipment and technology, and any recent or planned changes
·              Investments in non-consolidated entities, including partnerships, joint ventures and special-purpose entities

Financing:
·              Group structure – major subsidiaries and associated entities, including consolidated and non-consolidated structures
·              Debt structure, including covenants, restrictions, guarantees, and off-balance-sheet financing arrangements
·              Leasing of property, plant or equipment for use in the business
·            Beneficial owners (local, foreign, business reputation and experience)
·            Related parties
·            Use of derivative financial instruments

Financial Reporting:
·              Accounting principles and industry specific practices
·            Revenue recognition practices
·            Accounting for fair values
·            Inventories (for example, locations, quantities)
·            Foreign currency assets, liabilities and transactions
·            Industry-specific significant categories (for example, loans and investments for banks, accounts receivable and inventory for manufacturers, research and development for pharmaceuticals)
·            Accounting for unusual or complex transactions including those in controversial or emerging areas (for example, accounting for stock-based compensation)
·            Financial statement presentation and disclosure
OBJECTIVES AND STRATEGIES AND RELATED BUSINESS RISKS

Examples of matters an auditor may consider include:

·              Existence of objectives (i.e., how the entity addresses industry, regulatory and other external factors) relating to, for example, the following:
– Industry developments (a potential related business risk might be, for example, that the entity does not have the personnel or expertise to deal with the changes in the industry)
– New products and services (a potential related business risk might be, for example, that there is increased product liability)
– Expansion of the business (a potential related business risk might be, for example, that the demand has not been accurately estimated)
– New accounting requirements (a potential related business risk might be, for example, incomplete or improper implementation, or increased costs)
– Regulatory requirements (a potential related business risk might be, for example, that there is increased legal exposure)
be, for example, the loss of financing due to the entity’s inability to meet requirements)
– Use of IT (a potential related business risk might be, for example, that systems and processes are incompatible)
·            Effects of implementing a strategy, particularly any effects that will lead to new accounting requirements (a potential related business risk might be, for example, incomplete or improper implementation)
MEASUREMENT AND REVIEW OF THE ENTITY'S FINANCIAL PERFORMANCE
Examples of matters an auditor may consider include:
·              Key ratios and operating statistics
·              Key performance indicators
·              Employee performance measures and incentive compensation policies
·              Trends
·              Use of forecasts, budgets and variance analysis
·              Analyst reports and credit rating reports
·              Competitor analysis
·              Period-on-period financial performance (revenue growth, profitability, leverage)


UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT

Understanding the internal control system allows the auditor to identify the types of potential misstatements, to consider the factors that affect the risks of errors or misstatements, and to determine the nature, timing and extent of audit procedures.

The purpose of internal control is to allow management to ensure that instructions are followed in order to achieve the objectives of operational effectiveness, the objectives of financial reporting or reliability of the financial statements, and the objectives of compliance with laws and regulations.

The internal control framework relating to the objective of reliability of financial reports or financial statements is the one taken into account by the statutory auditor (CAC) or the auditor.


INTERNAL CONTROL REFERENCE FRAMEWORK OF THE AMF WORKING GROUP (COMITE DE PLACE)


INTERNAL CONTROL COMPONENTS DESCRIBED IN APPENDIX 2 OF ISA 315

Appendix 2: Internal Control Components

1. As set out in paragraph 43 and described in paragraphs 67 to 98, internal control consists of the following components:
(a) The control environment;
(b) The entity’s risk assessment process;
(c) The information system, including the related business processes, relevant to financial reporting, and communication;
(d) Control activities; and
(e) Monitoring of controls.

This appendix further explains the above components as they relate to a financial statement audit.
CONTROL ENVIRONMENT

2. The control environment includes the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in the entity. The control environment also includes the governance and management functions and sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure.
3. The control environment encompasses the following elements:
(a) Communication and enforcement of integrity and ethical values. The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment which influence the effectiveness of the design, administration, and monitoring of other components of internal control. Integrity and ethical behavior are the product of the entity's ethical and behavioral standards, how they are communicated, and how they are reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct and by example.
(b) Commitment to competence. Competence is the knowledge and skills necessary to accomplish tasks that define the individual's job. Commitment to competence includes management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
(c) Participation by those charged with governance. An entity's control consciousness is influenced significantly by those charged with governance. Attributes of those charged with governance include independence from management, their experience and stature, the extent of their involvement and scrutiny of activities, the appropriateness of their actions, the information they receive, the degree to which difficult questions are raised and pursued with management and their interaction with internal and external auditors. The importance of responsibilities of those charged with governance is recognized in codes of practice and other regulations or guidance produced for the benefit of those charged with governance. Other responsibilities of those charged with governance include oversight of the design and effective operation of whistle blower procedures and the process for reviewing the effectiveness of the entity’s internal control.
(d) Management's philosophy and operating style. Management's philosophy and operating style encompass a broad range of characteristics. Such characteristics may include the following: management's approach to taking and monitoring business risks; management's attitudes and actions toward financial reporting (conservative or aggressive selection from available alternative accounting principles, and conscientiousness and conservatism with which accounting estimates are developed); and management's attitudes toward information processing and accounting functions and personnel.
(e) Organizational structure. An entity's organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and reviewed. Establishing a relevant organizational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. An entity develops an organizational structure suited to its needs. The appropriateness of an entity's organizational structure depends, in part, on its size and the nature of its activities.
(f) Assignment of authority and responsibility. This factor includes how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.
(g) Human resource policies and practices. Human resource policies and practices relate to recruitment, orientation, training, evaluating, counseling, promoting, compensating, and remedial actions. For example, standards for recruiting the most qualified individuals— with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior—demonstrate an entity's commitment to competent and trustworthy people. Training policies that communicate prospective roles and responsibilities and include practices such as training schools and seminars illustrate expected levels of performance and behavior. Promotions driven by periodic performance appraisals demonstrate the entity's commitment to the advancement of qualified personnel to higher levels of responsibility.

Application to Small Entities

4. Small entities may implement the control environment elements differently than larger entities. For example, small entities might not have a written code of conduct but, instead, develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example. Similarly, those charged with governance in small entities may not include an independent or outside member.
ENTITY’S RISK ASSESSMENT PROCESS

5. An entity's risk assessment process is its process for identifying and responding to business risks and the results thereof. For financial reporting purposes, the entity’s risk assessment process includes how management identifies risks relevant to the preparation of financial statements that give a true and fair view (or are presented fairly, in all material respects) in accordance with the entity’s applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them. For example, the entity’s risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.
6. Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:
· Changes in operating environment. Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.
· New personnel. New personnel may have a different focus on or understanding of internal control.
· New or revamped information systems. Significant and rapid changes in information systems can change the risk relating to internal control.
· Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.
· New technology. Incorporating new technologies into production processes or information systems may change the risk associated with internal control.
· New business models, products, or activities. Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with internal control.
· Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control.
· Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.
· New accounting pronouncements. Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.

Application to Small Entities

7. The basic concepts of the entity’s risk assessment process are relevant to every entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in small entities than in larger ones. All entities should have established financial reporting objectives, but they may be recognized implicitly rather than explicitly in small entities. Management may be aware of risks related to these objectives without the use of a formal process but through direct personal involvement with employees and outside parties.

INFORMATION SYSTEM, INCLUDING THE RELATED BUSINESS PROCESSES, RELEVANT TO FINANCIAL REPORTING, AND COMMUNICATION

8. An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of information technology (IT).
9. The information system relevant to financial reporting objectives, which includes the financial reporting system, consists of the procedures and records established to initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity. Transactions may be initiated manually or automatically by programmed procedures. Recording includes identifying and capturing the relevant information for transactions or events. Processing includes functions such as edit and validation, calculation, measurement, valuation, summarization, and reconciliation, whether performed by automated or manual procedures. Reporting relates to the preparation of financial reports as well as other information, in electronic or printed format, that the entity uses in measuring and reviewing the entity’s financial performance and in other functions. The quality of system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports.
10. Accordingly, an information system encompasses methods and records that:
· Identify and record all valid transactions.
· Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
· Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
· Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
· Present properly the transactions and related disclosures in the financial statements.
11. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open communications channels help ensure that exceptions are reported and acted on.
12. Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.

Application to Small Entities

13. Information systems and related business processes relevant to financial reporting in small entities are likely to be less formal than in larger entities, but their role is just as significant. Small entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Communication may be less formal and easier to achieve in a small entity than in a larger entity due to the small entity’s size and fewer levels as well as management's greater visibility and availability.

CONTROL ACTIVITIES

14. Control activities are the policies and procedures that help ensure that management directives are carried out, for example, that necessary actions are taken to address risks that threaten the achievement of the entity's objectives. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels.
15. Generally, control activities that may be relevant to an audit may be categorized as policies and procedures that pertain to the following:
· Performance reviews. These control activities include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data—operating or financial—to one another, together with analyses of the relationships and investigative and corrective actions; comparing internal data with external sources of information; and review of functional or activity performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections.
· Information processing. A variety of controls are performed to check accuracy, completeness, and authorization of transactions. The two broad groupings of information systems control activities are application controls and general IT-controls. Application controls apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed. Examples of application controls include checking the arithmetical accuracy of records, maintaining and reviewing accounts and trial balances, automated controls such as edit checks of input data and numerical sequence checks, and manual follow-up of exception reports. General IT-controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT-controls commonly include controls over data center and network operations; system software acquisition, change and maintenance; access security; and application system acquisition, development, and maintenance. These controls apply to mainframe, miniframe, and end-user environments. Examples of such general IT-controls are program change controls, controls that restrict access to programs or data, controls over the implementation of new releases of packaged software applications, and controls over system software that restrict access to or monitor the use of system utilities that could change financial data or records without leaving an audit trail.
· Physical controls. These activities encompass the physical security of assets, including adequate safeguards such as secured facilities, over access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records (for example comparing the results of cash, security and inventory counts with accounting records). The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on circumstances such as when assets are highly susceptible to misappropriation. For example, these controls would ordinarily not be relevant when any inventory losses would be detected pursuant to periodic physical inspection and recorded in the financial statements. However, if for financial reporting purposes management relies solely on perpetual inventory records, the physical security controls would be relevant to the audit.
· Segregation of duties. Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the auditor’s duties. Examples of segregation of duties include reporting, reviewing and approving reconciliations and approval and control of documents.
16. Certain control activities may depend on the existence of appropriate higher level policies established by management or those charged with governance. For example, authorization controls may be delegated under established guidelines, such as investment criteria set by those charged with governance; alternatively, non-routine transactions such as major acquisitions or divestments may require specific high level approval, including in some cases that of shareholders.

Application to Small Entities

17. The concepts underlying control activities in small entities are likely to be similar to those in larger entities, but the formality with which they operate varies. Further, small entities may find that certain types of control activities are not relevant because of controls applied by management. For example, management's retention of authority for approving credit sales, significant purchases, and draw-downs on lines of credit can provide strong control over those activities, lessening or removing the need for more detailed control activities. An appropriate segregation of duties often appears to present difficulties in small entities. Even companies that have only a few employees, however, may be able to assign their responsibilities to achieve appropriate segregation or, if that is not possible, to use management oversight of the incompatible activities to achieve control objectives.

MONITORING OF CONTROLS

18. An important management responsibility is to establish and maintain internal control on an ongoing basis. Management’s monitoring of controls includes considering whether they are operating as intended and that they are modified as appropriate for changes in conditions. Monitoring of controls may include activities such as management’s review of whether bank reconciliations are being prepared on a timely basis, internal auditors’ evaluation of sales personnel’s compliance with the entity’s policies on terms of sales contracts, and legal departments’ oversight of compliance with the entity’s ethical or business practice policies.
19. Monitoring of controls is a process to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Monitoring is done to ensure that controls continue to operate effectively. For example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them. Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.
20. Ongoing monitoring activities are built into the normal recurring activities of an entity and include regular management and supervisory activities. Managers of sales, purchasing, and production at divisional and corporate levels are in touch with operations and may question reports that differ significantly from their knowledge of operations.
21. In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of an entity's controls through separate evaluations. They regularly provide information about the functioning of internal control, focusing considerable attention on evaluating the design and operation of internal control. They communicate information about strengths and weaknesses and recommendations for improving internal control.
22. Monitoring activities may include using information from communications from external parties that may indicate problems or highlight areas in need of improvement. Customers implicitly corroborate billing data by paying their invoices or complaining about their charges. In addition, regulators may communicate with the entity concerning matters that affect the functioning of internal control, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider communications relating to internal control from external auditors in performing monitoring activities.

Application to Small Entities

23. Ongoing monitoring activities of small entities are more likely to be informal and are typically performed as a part of the overall management of the entity's operations. Management's close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data leading to corrective action to the control.

Risk assessment is the client’s process for identifying and analyzing the risks (both internal and external) that are relevant to the achievement of its objectives. In addition, a risk assessment process provides the client with a basis for determining how to manage its risks (e.g., the actions to address specific risks or a decision to accept a risk because of cost or other considerations). After indicating in this section the risk factors that we are aware are present, we gain an understanding of the client’s risk assessment process, specifically as it relates to the financial reporting objectives of internal control, and then we determine, generally through inquiry, observation, and inspection of relevant documents, whether the client’s risk assessment process has identified and analyzed each of the risks, and if so, whether the client has implemented appropriate steps to mitigate each of the risks.

CNCC STANDARDS, France 2006

Definitions and principles

Understanding the entity and assessing the risks of material misstatement

Procedures performed by the auditor in response to the risk assessment

Probative value of the evidence collected