Help Yourself? U.S.CPA

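Formerly "Aiming for the U.S.CPA..." Reopened with a new look, aiming to be a worthwhile place for exam candidates and those who have passed! Help yourself to CPA study points and topics, à la carte♪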

The weather is nice again today.
On a day like this I think a nap would be perfect, though that is a modest wish.


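Now then, today's topic is SOX-related.

Right now everyone is abuzz with preparing for J-SOX, which applies from fiscal year Heisei 20 (H20), and naturally the focus in Japan too is internal control.
Whereas the U.S. SOX discusses internal control on the basis of the Treadway Commission's COSO model, Japan has modified the model slightly.


The main reason appears to be that the COSO model itself is more than ten years old, so it needs revising to take the current environment into account.
Below is the basic internal control model prescribed in J-SOX.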



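In Japan, to match the traditional COSO cube to today's business environment, "safeguarding of assets" has been added to the objectives and "response to IT" to the components.

Hearing that, we CPA candidates tend to think, when considering J-SOX, "So it's different from what we memorized for the CPA exam," but actually that is not really the case.


First, "safeguarding of assets."
J-SOX added "safeguarding of assets" to the objectives as an important objective of internal control.
It is true that the COSO model used by people on the company side may not have had a safeguarding-of-assets item, but the COSO model on our side, the auditing side, has had it all along.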

Safeguarding of Assets (AU319.13)

Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to financial reporting and operations objectives. This relationship is depicted as follows:




In obtaining an understanding of each of the components of internal control to plan the audit, the auditor's consideration of safeguarding controls is generally limited to those relevant to the reliability of financial reporting. For example, use of a lockbox system for collecting cash or access controls, such as passwords, that limit access to the data and programs that process cash disbursements may be relevant to a financial statement audit. Conversely, controls to prevent the excess use of materials in production generally are not relevant to a financial statement audit.


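That stands to reason: under the SAS, the "Existence or Occurrence" assertion requires the auditor to confirm through the audit such things as whether the asset in question really exists.
Considering also that the most important assertion for assets is "Existence or Occurrence," we can say that there is no particularly big change for us when we think about J-SOX.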



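And next is "response to IT."
This item is probably the major point of J-SOX in Japan and what sets it apart from other countries, but unfortunately, or rather disappointingly, the authorities have not actually issued any concrete guidance on how to respond to it.
"What should be done, and how much?" The situation is quite vague.
The Internal Control Committee has said something like "In response to the IT requirement, the IT industry is working itself up as if its moment has come, but don't let yourselves be led along too much!", but as long as the authorities issue no concrete guidance, the anxious companies will have no choice but to be conservative.
On the CPA side, meanwhile, this item is again nothing new:
SAS319 describes the effect of IT in paragraphs .16 through .20.
If you have a firm grasp of this part, J-SOX in Japan should be easy to get into, and you may be all set for the exam as well.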

Effect of Information Technology on Internal Control (AU319)
.16
An entity’s use of IT may affect any of the five components of internal control relevant to the achievement of the entity’s financial reporting, operations, or compliance objectives, and its operating units or business functions. For example, an entity may use IT as part of discrete systems that support only particular business units, functions, or activities, such as a unique accounts receivable system for a particular business unit or a system that controls the operation of factory equipment. Alternatively, an entity may have complex, highly integrated systems that share data and that are used to support all aspects of the entity’s financial reporting, operations, and compliance objectives.

.17
The use of IT also affects the fundamental manner in which transactions are initiated, recorded, processed, and reported. In a manual system, an entity uses manual procedures and records in paper format (for example, individuals may manually record sales orders on paper forms or journals, authorize credit, prepare shipping reports and invoices, and maintain accounts receivable records). Controls in such a system also are manual and may include such procedures as approvals and reviews of activities, and reconciliations and follow-up of reconciling items. Alternatively, an entity may have information systems that use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format replace such paper documents as purchase orders, invoices, shipping documents, and related accounting records. Controls in systems that use IT consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. An entity’s mix of manual and automated controls varies with the nature and complexity of the entity’s use of IT.

.18
IT provides potential benefits of effectiveness and efficiency for an entity’s internal control because it enables an entity to-

Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.

Enhance the timeliness, availability, and accuracy of information.

Facilitate the additional analysis of information.

Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures.

Reduce the risk that controls will be circumvented.

Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.

.19
IT also poses specific risks to an entity’s internal control, including-

Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.

Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.

Unauthorized changes to data in master files.

Unauthorized changes to systems or programs.

Failure to make necessary changes to systems or programs.

Inappropriate manual intervention.

Potential loss of data.

.20
The extent and nature of these risks to internal control vary depending on the nature and characteristics of the entity’s information system. For example, multiple users, either external or internal, may access a common database of information that affects financial reporting. In such circumstances, a lack of control at a single user entry point might compromise the security of the entire database, potentially resulting in improper changes to or destruction of data. When IT personnel or users are given, or can gain, access privileges beyond those necessary to perform their assigned duties, a breakdown in segregation of duties can occur. This could result in unauthorized transactions or changes to programs or data that affect the financial statements. Therefore, the nature and characteristics of an entity’s use of IT in its information system affect the entity’s internal control.
