Page 196 - COSO Guidance Book
P. 196
misstated. To identify likely sources of potential misstatements, and as part of selecting the controls to
test, the auditor studies and understands the flow of transactions related to the relevant assertions. The
auditor identifies the points within the company’s processes at which a misstatement — including a
misstatement due to fraud — could arise and identifies the controls that management has implemented
to address these risks of misstatements.
For example, the cash account should have controls such as controlling access to the blank check
supply, depositing cash receipts daily, and reconciling the book balance with the cash in the bank.
Some accounts, such as cash, will be affected by two systems (processes) — cash receipts and cash
disbursements. The cash receipts process controls could include, for example, having all mail opened by
two individuals who prepare a cash receipts list. The cash receipts list would be sent to the accounts
receivable clerk who would post transactions to individual accounts. The cash would be sent to the
cashier who would make the daily deposit. This process could then be audited by reconciling the cash
receipts list with both the total credit to the subsidiary accounts receivable and the deposit made to
the bank.
A combined model
A model that illustrates the interaction between COSO‘s five components of internal control and AS No.
2201’s levels of control is illustrated in exhibit 2-2. The model
represents COSO’s emphasis on the control environment as the basis for all other components of
internal control;
demonstrates that COSO’s control activities operate at both the account (or transaction) and
company (entity) levels; and
shows that COSO’s risk assessment, information and communication, and monitoring components
operate at the company (entity) and account (or transaction) levels.
© 2020 Association of International Certified Professional Accountants. All rights reserved. 2-8
