1 Cosodraftinternal Control Frameworkdec2011 Unprotected
7/27/2019 1 Cosodraftinternal Control Frameworkdec2011 Unprotected
1/168
Committee of Sponsoring Organizations of the Treadway Commission
December 2011
Framework
Internal Control – Integrated Framework
Committee of Sponsoring Organizations of the Treadway Commission
To submit comments on this Public Exposure Draft, please visit the www.ic.coso.org website. Responses are due by March 31, 2012.
Respondents will be asked to respond to a series of questions. Those questions may be found on-line at www.ic.coso.org and in
a separate document provided at the time of download. Respondents may upload letters through this site. Please do not send
responses by fax.
Written comments on the exposure draft will become part of the public record and will be available on-line until December 31, 2012.
© 2011 All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of Certified Public Accountants, licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to copyright@aicpa.org or to AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC 27707. Telephone inquiries may be directed to 888-777-7707.
Committee of Sponsoring Organizations of the Treadway Commission
Board Members and Representatives
COSO Chair: David L. Landsittel
American Accounting Association: Mark S. Beasley, Douglas F. Prawitt
American Institute of Certified Public Accountants: Charles E. Landes
Financial Executives International: Marie N. Hollein
Institute of Management Accountants: Jeffrey C. Thomson, Sandra Richtermeyer
The Institute of Internal Auditors: Richard F. Chambers
PwC – Author
Principal Contributors
Miles E.A. Everson (Project Leader), Partner, New York, USA
Cara M. Beston, Partner, San Jose, USA
Charles E. Harris, Partner, Florham Park, USA
Stephen E. Soske, Partner, Boston, USA
J. Aaron Garcia, Director, San Diego, USA
Catherine I. Jourdan, Director, Paris, France
Frank J. Martens, Director, Vancouver, Canada
Jay A. Posklensky, Director, Florham Park, USA
Sallie Jo Perraglia, Manager, New York, USA
Advisory Council
Sponsoring Organizations Representatives
Audrey A. Gramling, Kennesaw State University, Professor
Steven Jameson, Community Trust Bank, Executive Vice President and Chief Internal Audit & Risk Officer
Steve McNally, Campbell Soup, Finance Director/Controller – Napoleon Operations
Ray Purcell, Pfizer, Director of Financial Controls
Bill Schneider, Sr., AT&T, Director of Accounting
Members at Large
Jim DeLoach, Protiviti, Managing Director
John Fogarty, Deloitte, Partner
Trent Gazzaway, Grant Thornton, Partner
Cees Klumper, GAVI Alliance, Director of Internal Audit
Thomas Montminy, PwC, Partner
Al Paulus, E&Y, Partner
Tom J. Ray, KPMG, Partner
Ken Vander Wal, ISACA, President
Regulatory Observers and Other Observers
James Dalkin, Government Accountability Office, Director in the Financial Management and Assurance Team
Harrison E. Greene, Jr., Federal Deposit Insurance Corporation, Senior Policy Analyst
Christian Peo, Securities and Exchange Commission, Professional Accounting Fellow
Vincent Tophoff, International Federation of Accountants, Senior Technical Manager
Keith Wilson, Public Company Accounting Oversight Board, Deputy Chief Auditor
Additional PwC Contributors
Joseph Atkinson, Partner, New York, USA
Glenn Brady, Partner, St. Louis, USA
Jeffrey Boyle, Partner, Tokyo, Japan
James Chang, Partner, Beijing, China
Mark Cohen, Partner, San Francisco, USA
Andrew Dahle, Partner, Chicago, USA
Megan Haas, Partner, Hong Kong, China
Junya Hakoda, Partner, Tokyo, Japan
Diana Hillier, Partner, London, England
Steve Hirt, Partner, Boston, USA
Brian Kinman, Partner, St. Louis, USA
Barbara Kipp, Partner, Boston, USA
Hans Koopmans, Partner, Singapore
Alan Martin, Partner, Frankfurt, Germany
Pat McNamee, Partner, Florham Park, USA
Jonathan Mullins, Partner, Dallas, USA
Simon Perry, Partner, London, England
Andrew Reinsel, Partner, Cincinnati, USA
Kristin Rivera, Partner, San Francisco, USA
Valerie Wieman, Partner, Florham Park, USA
Alexander Young, Partner, Toronto, Canada
David Albright, Principal, Washington, D.C., USA
Charles Yovino, Principal, Atlanta, USA
Eric M. Bloesch, Managing Director, Philadelphia, USA
Sachin Mandal, Director, Florham Park, USA
Christopher Michaelson, Director, Minneapolis, USA
Lisa Reshaur, Director, Seattle, USA
Tracy Walker, Director, Bangkok, Thailand
Preface
This project was commissioned by COSO, which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations.
COSO is a private sector initiative, jointly sponsored and funded by:
- American Accounting Association (AAA)
- American Institute of Certified Public Accountants (AICPA)
- Financial Executives International (FEI)
- Institute of Management Accountants (IMA)
- The Institute of Internal Auditors (IIA)
Table of Contents
Foreword ... i
Framework
Definition of Internal Control ... 1
Overview of Internal Control ... 5
Components of Internal Control
Control Environment ... 25
Risk Assessment ... 51
Control Activities ... 75
Information and Communication ... 91
Monitoring Activities ... 107
Limitations of Internal Control ... 119
Roles and Responsibilities ... 123
Appendices ... 135
A. Glossary ... 136
B. Summary of Changes to the 1992 Version of the Internal Control – Integrated Framework ... 140
C. Methodology ... 147
D. Comparison with COSO Enterprise Risk Management – Integrated Framework ... 149
E. Acknowledgments ... 153
Internal Control Integrated Framework December 2011
Foreword
In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control – Integrated Framework (the original framework). The original framework has gained broad acceptance and is now widely used around the world. It is recognized as a leading framework for designing, implementing, and evaluating the effectiveness of internal control.
In the nearly twenty years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven and global in scope. At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support the business decisions and governance of the organization.
COSO believes this framework will enable organizations to effectively and efficiently develop and maintain systems of internal control that can enhance the likelihood of achieving the entity's objectives and adapt to changes in the business and operating environments. COSO is pleased to present this Internal Control – Integrated Framework (Framework).
The experienced reader will find much that is familiar in the Framework, which builds on what has proven useful in the original version. It retains the core definition of internal control and the five components of internal control. The broad criteria used to assess the effectiveness of an internal control system also remain unchanged. This Framework continues to emphasize the importance of management judgment in the design, application, and assessment of effectiveness of a system of internal control.
At the same time, the Framework now includes important enhancements designed to clarify concepts and ease use and application. One of the most significant enhancements is the codification of internal control concepts introduced in the original framework into principles and attributes. These principles and attributes provide clarity for the user in the design and development of systems of internal control. Principles and attributes can also be used to support the assessment of the effectiveness of internal control. Other updates and enhancements to the Framework help the user address changes in business and operating environments, including:
- Expectations for governance oversight.
- Globalization of markets and operations.
- Changes in business models.
- Demands and complexities in laws, rules, regulations, and standards.
- Expectations for competencies and accountabilities.
- Use of, and reliance on, evolving technologies.
- Expectations relating to preventing and detecting corruption.
Framework | Control Environment Risk Assessment Control Activities Information and Communication Monitoring Activities
We are pleased to present this Framework in three volumes. The first is an Executive Summary: a high-level overview intended for the board of directors, chief executive officer, other senior management, and regulators. The second volume, the Framework, defines internal control and describes components of internal control including the underlying principles and attributes. This volume also provides direction for all levels of management to use in designing, implementing, conducting, and evaluating internal control. The third volume, Evaluation, provides guidance that may be useful in evaluating the effectiveness of internal control.
In addition, a supplemental guide to be published concurrently with the Framework focuses the discussion on internal control over external financial reporting, providing practical approaches and examples supporting the preparation of published financial statements. COSO may, in the future, issue other guidance to provide additional assistance in applying this Framework. However, neither the guidance on internal control over external financial reporting nor other future guidance takes precedence over this Framework.
Finally, the COSO Board would like to thank PwC and the Advisory Council for their contributions in developing the Framework. Their full consideration of input provided by many stakeholders and their attention to detail were instrumental in ensuring that the core strengths of the 1992 Internal Control – Integrated Framework were preserved, clarified, and strengthened.
Definition of Internal Control
The primary purpose of this publication, Internal Control – Integrated Framework (Framework), is to help management better control the organization, and provide a board of directors¹ with an added ability to oversee internal control. Implementing a system of internal control allows management to stay focused on the organization's pursuit of its operations and financial performance goals, while operating within the confines of relevant laws and minimizing surprises along the way. Internal control enables an organization to deal more effectively with changing economic and competitive environments, leadership, priorities, and evolving business models. It promotes efficiency and effectiveness of operations, and supports reliable reporting and compliance with laws and regulations.
A secondary purpose of this Framework is to provide clarity on internal control by using a common definition and integrating various internal control concepts into a framework that defines the components of internal control. It is designed to assist management and other interested parties in assessing the effectiveness of an entity's system of internal control and reporting.
Understanding Internal Control
Internal control is defined as follows:
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of reporting.
- Compliance with applicable laws and regulations.
This definition emphasizes that internal control is:
- A process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
- Effected by people. It is not merely about policy manuals, systems, and forms, but about people at every level of an organization that impact internal control.
- Able to provide reasonable assurance, not absolute assurance, to an entity's senior management and board.
- Geared to the achievement of objectives in one or more separate but overlapping categories.
- Adaptable to the entity structure.
¹ This Framework uses the term "board of directors", which encompasses the governing body, including board, board of trustees, general partners, owner, or supervisory board.
This definition of internal control is intentionally broad for two reasons. First, it captures key concepts fundamental to how companies and other organizations design, implement, conduct, and evaluate internal control, providing a basis for application across various types of organizations, industries, and geographic regions. It also provides flexibility in application, allowing an entity to sustain internal control for an entire entity, or a subsidiary, division, operating unit, or function relevant for operations, reporting, or compliance objectives, based on the entity's specific needs or circumstances.
Second, the definition accommodates subsets of internal control. Those who want to may focus separately, for example, on internal control over reporting or controls relating to complying with laws and regulations. Similarly, a directed focus on controls in particular units or activities of an entity can be accommodated.
A Process
Internal control is not one event or circumstance, but a dynamic and iterative process²: actions that permeate an entity's activities and that are inherent in the way management runs the business. Embedded within this process are policies and procedures. These policies reflect management's statement of what should be done. Such statements may be documented, explicitly stated in other management communications, or implied through management's decisions. Procedures consist of actions that implement a policy. These policies and procedures exist to effect control.
Business processes, which are conducted within or across operating units or functional areas, are managed through the fundamental management activities of planning, executing, and checking. Internal control is integrated with these processes. Internal control is most effective when it is embedded in the entity's infrastructure and its ongoing activities.
Building in controls to an existing system, or modifying controls elsewhere in the entity, directly affects the entity's ability to reach its goals, supports quality business initiatives, and has important implications to cost. In contrast, layering on new procedures to address internal control separate from those that run the business can add costs. By focusing on existing controls that contribute to the overall system of control, and by building controls into basic operating activities, an entity often can avoid costs of developing new procedures.
Effected by People
Internal control is effected by the board of directors, management, and other personnel. It is accomplished by the people of an organization, by what they do and say. People establish the entity's objectives and put control mechanisms in place.
The organization consists of people including the board of directors, senior management, and other personnel. Included among the board's oversight responsibilities are providing advice, counsel, and direction to management, approving certain transactions and policies, and monitoring management's activities. Consequently, the board of directors is an important element of internal control. For example, the board and senior management establish the tone for the organization concerning the importance of internal control and expected standards of conduct across the entity.
² Although referred to as a process, internal control may be viewed as many processes.
However, people do not always understand, communicate, or perform consistently. Each individual brings to the workplace a unique background and technical ability, and each has different needs and priorities. These individual differences can be inherently valuable and beneficial to innovation and productivity, but if not properly aligned with the entity's objective, they can be counterproductive. Yet, people must know their responsibilities and limits of authority. Accordingly, a clear and close linkage needs to exist between people's duties and the way in which these duties are carried out, and aligned with the entity's objectives.
Provides Reasonable Assurance
An effective system of internal control provides management and the board of directors with reasonable assurance regarding achievement of an entity's objectives. The term "reasonable assurance" rather than "absolute assurance" acknowledges that limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible.
Reasonable assurance does not imply that an entity will always achieve its objectives. The cumulative effect of internal control increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected by limitations inherent in all internal control systems, such as human error and the uncertainty inherent in judgment. Additionally, a system of internal control can be circumvented if two or more people collude. Further, if management is able to override controls, the entire system may fail. In other words, even an effective system of internal control can experience a failure.
Geared to the Achievement of Objectives
The Framework sets forth three categories of objectives, which allow organizations to focus on separate aspects of internal control:
- Operations Objectives: These pertain to effectiveness and efficiency of the entity's operations, including operations and financial performance goals and safeguarding assets against loss.
- Reporting Objectives: These pertain to the reliability of reporting. They include internal and external financial and non-financial reporting.
- Compliance Objectives: These pertain to adherence to laws and regulations to which the entity is subject.
These distinct but overlapping categories (a particular objective can fall under more than one category) address different needs and may be the direct responsibility of different individuals. The three categories also indicate what can be expected from internal control.
A system of internal control is expected to provide an organization with reasonable assurance that those objectives relating to the reliability of external reporting and compliance with laws and regulations will be achieved. Achieving those objectives, which are based largely on laws, rules, or standards established by regulators, recognized standard setters, and other external parties, depends on how activities within the organization's control are performed. Generally, management will have greater discretion in setting internal reporting objectives which are not driven primarily by such external parties. However, management may choose to align its internal and external reporting objectives to allow internal reporting to better support the entity's external reporting.
However, achievement of operations objectives (such as a particular return on investment, market share, or entry into new product lines) is not always within the organization's control. Internal control cannot prevent bad judgments or decisions, or external events that can cause a business to fail to achieve operations goals. For these objectives, the internal control system can only provide reasonable assurance that management and the board are made aware, in a timely manner, of the extent to which the entity is moving toward those objectives.
Adaptable to the Entity Structure
Entities may be structured along various dimensions. The management operating model may follow product or service lines; reporting may be done for an overall consolidated entity, division, or operating unit, with geographic markets providing for further subdivisions or aggregations of performance. The management model may also rely on relationships with external parties to support the achievement of objectives.
The legal entity structure is typically designed to follow regulatory reporting requirements, empower managers at foreign operations, limit business risk, or provide tax benefits. Often, the organization of legal entities is quite different from the management structure that is used to run the business.
Internal control can be applied, based on management's decision and in the context of legal or regulatory requirements, to the operating model, legal entity structure, or a combination of these.
Overview of Internal Control
Introduction
An organization establishes a mission, sets strategies, establishes the objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity. Though many objectives are specific to a particular entity, some are widely shared. For example, objectives common to most entities are sustaining organizational success, providing reliable reporting to stakeholders, recruiting and retaining motivated and competent employees, achieving and maintaining a positive reputation within the business and consumer communities, and complying with laws and regulations.
Supporting the organization in its efforts to achieve its objectives are five components of internal control:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
These components of internal control are relevant to an entire entity, and to the entity level, subsidiaries, division, or any of its individual operating units, functions, or other subsets of the entity.
Relationship of Objectives, Components, and the Entity
A direct relationship exists between objectives, which are what an entity strives to achieve, the components, which represent what is needed to achieve the objectives, and the operating units, legal entities, and other structures within the entity. The relationship can be depicted in the form of a cube.
- The three categories of objectives are represented by the columns.
- The five components are represented by the rows.
- The organizational structure, which represents the overall entity, divisions, subsidiaries, operating units, or functions, including business processes such as sales, purchasing, production, and marketing and to which internal control relates, are depicted by the third dimension of the cube.³
³ Throughout this Framework, the term "the entity and its subunits" refers collectively to the overall entity, divisions, subsidiaries, operating units, or functions.
[Figure: the internal control cube. Rows: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities. Columns: Operations, Reporting, Compliance. Third dimension: Entity Level, Division, Operating Unit, Function.]
Each component cuts across and applies to all three categories of objectives. For example, establishing and executing policies and procedures to ensure that management plans, programs, and other directives are carried out (representing the control activities component) is relevant to all three objectives categories.
The three categories of objectives are not parts or units of the entity. For instance, operations objectives relate to the efficiency and effectiveness of operations, not specific operating units or functions such as sales, marketing, procurement, or human resources.
Accordingly, when considering the category of objectives related to reporting, for example, knowledge of a wide array of information about the entity's operations is needed. In that case, focus is on the middle column of the model (reporting objectives) rather than the operations objectives category.
Internal control is a dynamic and iterative process. For example, risk assessment not only influences the control environment and control activities, but also may highlight a need to reconsider the entity's information and communication needs, or its monitoring activities. Thus, internal control is not a linear process where one component affects only the next. It is a dynamic and iterative process in which almost any component can and will influence another.
No two entities will, or should, have the same system of internal control. Entities and their internal control needs differ dramatically by industry, size, and regulatory environment, as well as internal considerations such as the nature of the overall business model, tolerance for risk, reliance on technology, and competence and number of personnel. Thus, while all entities need each of the components to maintain control over their activities, one entity's internal control system usually will look different from another's.
Objectives
Management sets entity-level objectives that align with the entity's mission and value proposition. These high-level objectives reflect management's choice of how the organization will seek to create, preserve, and realize value for its stakeholders. Such objectives may be based on the entity's unique operations needs, on laws, regulations, and standards imposed by external parties, or some combination of the two. Setting objectives is a prerequisite to internal control and a key part of the management process relating to strategic planning. Management needs to understand the overall strategies set by the organization. As part of internal control, management specifies objectives that have been set so that risks to the achievement of those objectives can be identified and assessed.
Individuals who are part of the internal control process need to understand the overall strategies and objectives set by the organization. As part of internal control, management specifies objectives that have been set so that risks to the achievement of those objectives can be identified and assessed. Specifying objectives relates to the articulation of specific, measurable, attainable, relevant, and time-bound objectives. In most instances, specifying objectives requires some form of codification. However, there may be instances where an entity might not explicitly state an objective. By specifying objectives in appropriate detail, they can be readily understood by the people who are working toward achieving them.
Categories o Objectives
This Frameworkgroups entity objectives into the three categories o operations, report-
ing, and compliance.
Operations Objectives
Operations objectives relate to achievement o an entitys basic missionthe unda-
mental reason or its existence. These objectives vary based on managements choices
relating to structure, industry considerations, and perormance o the entity. Entity-level
objectives cascade into related sub-objectives or operations within the divisions, sub-
sidiaries, operating units, and unctions, directed at enhancing eectiveness and e-
ciency in moving the entity toward its ultimate goal. As such, operations objectives may
relate to improving quality (i.e., avoiding waste and rework), reducing costs and produc-
tion time, improving innovation, and improving customer and employee satisaction.
Reporting Objectives
Reporting objectives pertain to the preparation o reliable reports. Reporting objectives
may relate to nancial or non-nancial reporting and to internal or external reporting.
Internal reporting objectives are driven by internal requirements in response to a variety
o potential needs such as the entitys strategic directions, operating plans, and per-
ormance metrics at various levels o the entity. External reporting objectives are driven
primarily by regulations and/or standards established by accounting bodies, and other
standard-setting organizations.
External Financial Reporting Objectives: Entities need to achieve external financial reporting objectives to meet obligations. Reliable financial statements are a prerequisite to accessing capital markets and may be critical to the awarding of contracts or to dealing with suppliers. Investors, analysts, and creditors often rely on an entity's financial statements to assess performance against peers and alternative investments. Management reporting on the effectiveness of internal control over external financial reporting is part of the external non-financial reporting objectives referenced below.
External Non-Financial Reporting Objectives: Management may report external non-financial information in accordance with regulations, standards, or frameworks, including reporting on internal control and operational processes. For example, where management operates in accordance with the International Organization for Standardization (ISO) standards for quality management, it may report publicly on its operations. An entity may engage an independent auditor to review and/or report on its conformance with standards published by such organizations. The entity typically attains an annual certification that demonstrates adherence to such a standard.
Internal Financial and Non-Financial Reporting Objectives: Reliable internal reporting provides management with the information needed to manage the organization. It supports management's decision making and assessment of the entity's activities and performance. Internal reporting objectives are based on preferences, judgments, and management style. They vary among entities because different organizations have different strategic directions, operating plans, and expectations.
Relationship within the Reporting Category of Objectives
The overall relationship between the four sub-categories of reporting objectives is depicted in the graphic below.
Reporting objectives are separate and distinct from the information and communication component of internal control. Reporting objectives focus on reliable reporting, and to achieve this the organization applies all five components of internal control. For instance, an organization preparing an internal non-financial report to the board on the status of merger integration efforts assigns competent individuals, assesses risks relating to the understandability, relevance, and usefulness of the report, develops controls to address the reliability of the information being reported, and monitors the overall system of internal control supporting this non-financial reporting objective. In contrast, the information and communication component supports the functioning of all components of internal control and the achievement of the reporting category of objectives, as well as operations and compliance objectives. For instance, controls within information and communication support the preparation of the above report, helping to provide relevant and quality information underlying the report, but they are only part of the overall system of internal control.
Characteristics of the four sub-categories of reporting objectives (the graphic, reconstructed as text; its two axes are Financial / Non-Financial and Internal / External):

External Financial Reporting
  Examples: annual financial statements; interim financial statements; earnings releases.
External Non-Financial Reporting
  Examples: internal control report; sustainability report; supply chain / custody of assets.
  Characteristics of external reporting: used to meet external stakeholder and regulatory requirements; prepared in accordance with external standards; may be required by regulators, contracts, agreements.
Internal Financial Reporting
  Examples: divisional financial statements; cash flow / budget; bank covenant calculations.
Internal Non-Financial Reporting
  Examples: staff/asset utilization; customer satisfaction surveys; key risk indicator dashboards; board reporting.
  Characteristics of internal reporting: used in managing the business and decision making; established by management and board.
Compliance Objectives
Entities must conduct their activities, and often take specific actions, in accordance with applicable laws and regulations. As part of specifying compliance objectives, the organization needs to understand which laws and regulations apply across the entity. Many laws and regulations are generally well known, such as those relating to reporting on internal control over financial reporting and environmental compliance, but others may be more obscure, such as those that apply to an entity conducting operations in a remote foreign territory.
Basis of Objectives Categories
Certain objectives are derived from the regulatory environment or industry in which the business operates. For example:
- Some entities submit information to environmental agencies.
- Publicly traded companies file information with securities regulators.
- Universities report grant expenditures to government agencies.
These types of objectives are established largely by law or regulation, and fall into the category of compliance, external reporting, or, in these examples, both.
Conversely, operations objectives and internal reporting objectives are based more on preferences, judgments, and management style. They vary widely among entities simply because informed and competent people may select different objectives. For example, for product development, one organization might choose to be an early adopter, another might be a quick follower, and yet another a late adopter. These choices will affect the structure, skills, staffing, and controls of the research and development function. Consequently, no one formulation of objectives can be optimal for all entities.
Overlap of Objectives Categories
An objective in one category may overlap or support an objective in another. For example, closing the financial reporting period within five workdays may be a goal supporting primarily an operations objective, to support management in reviewing business performance. But it also supports timely reporting and timely filings with regulatory agencies. The category in which an objective falls can sometimes vary depending on the circumstances. Controls to prevent theft of assets, such as maintaining a fence around inventory or having a gatekeeper verify proper authorization of requests for movement of goods, fall under the operations category. These controls may not be relevant to the reliability of reporting where inventory losses are detected following periodic physical inspection and recorded in the financial statements. However, if for reporting purposes management relies solely on perpetual inventory records, as may be the case for interim or internal financial reporting, the physical security controls would then also fall within the reporting category. These physical security controls, along with controls over the perpetual inventory records, are needed to ensure reliable reporting.
Objectives and Sub-Objectives
Management links specified entity-level objectives to more specific sub-objectives that cascade throughout the organization. These sub-objectives also are established as part of or flowing from the strategy-setting process, and relate to subsidiaries, divisions, operating units, and functional activities, including business processes such as sales, production, engineering, marketing, productivity, employee engagement, innovation, and information technology. Throughout this process, management ensures that the sub-objectives remain aligned with entity-level objectives and are coordinated across the entity.
Where entity-level objectives are consistent with prior practice and performance, the linkage among activities is usually known. Where, however, objectives depart from an entity's past practices, management addresses the linkages or accepts increased risks. For example, an objective to fill more management roles internally through promotions will depend heavily on linked sub-objectives dealing with succession planning, appraising, training, and development. These sub-objectives might be substantially changed if past practice relied heavily on external recruiting.
Sub-objectives for operating units and functional activities also need to be clear. These sub-objectives also need to be specific, measurable, attainable, relevant, and time-bound. In addition, they must be readily understood by the people who are working toward achieving them. Management and other personnel require a mutual understanding of both what is to be accomplished and the means of determining to what extent it is accomplished, in order to ensure individual and team accountability.
Many entities establish multiple sub-objectives for each activity, flowing both from the entity-level objectives and from standards relating to the established compliance and reporting objectives. For procurement, for example, operations objectives may be to:
- Purchase goods that meet established engineering specifications.
- Purchase goods from companies that meet the entity's environmental, health, and safety specifications as set forth in a code of conduct (e.g., no child labor, good working conditions).
- Negotiate acceptable prices and other terms.
Components of Internal Control
This Framework sets out five components of internal control. It also sets out seventeen principles representing the fundamental concepts associated with each component. All seventeen principles apply to each category of objective, as well as to individual objectives within a category. Supporting the seventeen principles are eighty-one attributes, representing characteristics associated with the principles.
Below is a summary of each of the five components of internal control and the principles relating to each. This listing of principles is not meant to imply a binary checklist. Rather, principles are meant to enable effective operation of the components and the overall system of internal control, with appropriate use of management judgment.
Each of the principles and attributes is covered in the following chapters. Each principle is introduced at the beginning of the relevant chapter and then presented at the end of that chapter along with the attributes relating to it. Attributes are also called out in sidebars to the text of each chapter. For purposes of this Framework, in describing these principles and attributes we use the word "organization" to capture the meaning of, collectively, the board, management, and other personnel.
Control Environment
The control environment is the foundation for all other components of internal control. The board and senior management establish the tone from the top regarding the importance of internal control and expected standards of conduct. The control environment provides discipline, process, and structure.
There are five principles relating to Control Environment:
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.
There are four principles relating to Risk Assessment:
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
Control activities are the actions established by policies and procedures to help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.
There are three principles relating to Control Activities:
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.
Information and Communication
Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities. Communication enables all personnel to understand internal control responsibilities and their importance to the achievement of objectives.
There are three principles relating to Information and Communication:
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
Monitoring Activities
Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.
There are two principles relating to Monitoring Activities:
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
In addition to the five components of internal control noted above, the Framework includes discussion recognizing that while internal control provides important benefits, limitations do exist. Limitations result from:
- The quality and suitability of objectives established as a precondition to internal control.
- The reality that human judgment in decision making can be faulty.
- The fact that decisions on responding to risk and establishing controls must consider the relative costs and benefits.
- Breakdowns that can occur because of human failures such as simple errors or mistakes.
- Controls that can be circumvented by collusion of two or more people.
- The ability of management to override internal control decisions.
These limitations preclude the board and management from having absolute assurance of the achievement of the entity's objectives; that is, controls provide reasonable but not absolute assurance.
The remaining chapters of this volume, including Roles and Responsibilities and appendices, are not a part of the Framework.
Internal Control and the Management Process
Because internal control is a part of management's overall responsibility, the five components are discussed in the context of management's actions in managing the entity. Not every decision or action of management, however, is part of internal control:
- Having a board comprised of directors with sufficient independence from management that carries out its oversight role effectively is a part of internal control. However, many decisions reached by the board are not part of internal control; for example, deciding on or approving a particular strategic plan. The board will fulfill a variety of governance responsibilities that are in addition to its responsibilities for oversight of internal control.
- Setting objectives is part of or flows from the broader strategic planning process. Ensuring that management specifies the objectives chosen by the entity is part of internal control; however, the appropriateness of the particular objectives selected is not.
- Setting the overall level of acceptable risk and the associated risk appetite [4] is part of strategic planning and enterprise risk management, not part of internal control. Similarly, setting risk tolerance levels in relation to specific objectives is not part of internal control.
- Developing control activities that contribute to the mitigation of risks based on a risk assessment process is a part of internal control, but choosing which risk response is preferred to address specific risks is not.
Assessing Effectiveness
An effective system of internal control provides reasonable assurance regarding achievement of an entity's objectives. To have an effective system of internal control relating to one, two, or all three categories of objectives, each of the five components must be present and operate together in a manner that reduces, to an acceptable level, the risk of not achieving an objective. [5] Further, the existence of any material weakness (with respect to external financial reporting objectives) or major non-conformity (with respect to operations, compliance, or non-financial reporting objectives) would preclude an organization from concluding that the entity's system of internal control is effective. For example, effective internal control over a particular compliance objective requires that all five components be present and operating together.
Effectiveness of internal control is assessed relative to the five components of internal control. Determining whether an overall system of internal control is effective is a subjective judgment resulting from an assessment of whether each of the five components of internal control is present and whether the five components are operating together. Because internal control is relevant to an entire entity and its sub-units, effectiveness of internal control can also be assessed relative to a specific part of the organizational structure.
[4] Risk appetite is defined as the amount of risk, on a broad level, an entity is willing to accept in pursuit of its mission/vision.
[5] The phrase "present and operating together in a manner that reduces, to an acceptable level, the risk of not achieving an objective" is subsequently referred to as "present and operating together".
When internal control is determined to be effective for each of the three categories of objectives, management and the board of directors have reasonable assurance, relative to the application within the entity structure, that the organization:
- Understands the extent to which operations are managed effectively and efficiently.
- Prepares reliable reports.
- Complies with applicable laws and regulations.
Evaluating each component of internal control requires consideration of how it is being applied by the entity within the system of internal control, and not whether it is effective on its own. Components should not be viewed discretely. Rather, the components should be viewed as an integrated system working together to attain effective internal control. The notion that all five components of internal control must be present and operate together does not mean that each should function identically, or even at the same level, in different entities. Different entities' internal control systems can operate differently.
Furthermore, the integration of these five components is important in assessing the effectiveness of a system of internal control. Because controls can serve a variety of purposes, controls put in place to effect principles in one component can serve a purpose that may also apply to another component. Controls exist in each of the five components of internal control. Additionally, controls can differ in the degree to which they address a particular risk, so that the portfolio, or combination of controls, each with limited effect, together can act satisfactorily in reducing risks to the achievement of objectives.
Any change in the application of one component should not be viewed in isolation. That is, changes in one component require an evaluation of the potential effects and need for changes in other components. Thus, the contributions made by each component as well as the five components together are evaluated in determining whether a system of internal control is effective.
Considering the Principles in Assessing Effectiveness
In assessing whether the system of internal control is effective, senior management and the board of directors determine to what extent the principles and, in turn, the corresponding attributes associated with each component are present and functioning. [6] This evaluation entails considering how the principles and attributes are being applied. Determining whether a principle is present and functioning implies that the organization:
- Understands the intent of the principle and how it is being applied.
- Applies the principle consistently across the entity.
- Works to help personnel understand and apply the principle across the entity.
- Views omission of or non-conformity with a principle as an exception (i.e., not applying the wording, intent, and spirit of the principle is the exception rather than the norm).
[6] For purposes of this Framework, the phrase "present and functioning" applies to components, principles, and attributes. "Present" means that a component, principle, or attribute has been implemented. "Functioning" means that a component, principle, or attribute is operating as intended.
Furthermore, a principle that is present and functioning operates within a range of acceptability and does not imply that the organization achieves the highest level in applying the principle. Management must still be able to assess the trade-offs between the cost of achieving perfection and the benefits of seeking to operate at the highest levels of sophistication and capability.
When a principle is deemed not to be present or functioning, an internal control deficiency exists. Management applies judgment in evaluating whether a deficiency prevents the entity from concluding that a component of internal control is present and functioning. These judgments may vary depending on the category of objectives, and additional considerations relating to deficiencies in internal control over operations, compliance, financial reporting, and other reporting are considered in the following sections.
Even though attributes are expected to be present and functioning, it may be possible to determine that the corresponding principle is present and functioning, and thus a component can be present and functioning without every attribute being present. For instance, management may be able to determine that Principle 1, "The organization demonstrates a commitment to integrity and ethical values," is present and functioning based on an assessment that only three of the four related attributes are present and functioning. The organization may set the tone at the top, evaluate adherence to standards of conduct, and address deviations in a timely manner, but it does not formally define the expectations of management and the board of directors in the entity's standards of conduct. However, in the absence of an attribute being present and functioning, a deficiency may still exist.
Deficiencies in Internal Control
Deficiencies in an entity's system of internal control may surface from many sources, including the entity's monitoring activities and other components of internal control, and external parties that provide input relative to the operation of a component.
The term "deficiency" refers to a shortcoming in some aspect of the system of internal control that has the potential to adversely affect the ability of the entity to achieve its objectives. When an organization determines that a deficiency exists, management needs to assess the impact of that deficiency on the effectiveness of the entity's system of internal control. Further, the responsibility for identifying and assessing deficiencies rests with the organization, in the normal course of performing its functions. Certain external parties, such as external auditors and regulators, are not part of the system of internal control and cannot be relied upon to detect and assess deficiencies.
Not every deficiency will result in a conclusion that an entity does not have an effective system of internal control. For one thing, other controls may be present and functioning that allow for each of the components to be present and for all five components to be operating together. When a deficiency is noted, the evaluator considers the effect of controls in the same or other components.
Assessing the severity of a deficiency or combination of deficiencies to determine the potential impact on the system of internal control requires judgment. This Framework sets forth the criteria, through the components, principles, and attributes, for management to assess the effectiveness of an entity's system of internal control and to determine and assess the nature of a deficiency. Management may decide or be required to consider additional criteria established by external parties for evaluating and classifying the severity of a deficiency or combination of deficiencies. For example, regulators, standard-setting bodies, listing agencies, and other relevant third parties have established additional criteria contained in standards and other guidance for evaluating the classification of deficiencies relating to the external financial reporting objective and to the non-financial reporting, operations, and compliance objectives discussed in the next sections. This Framework does not prescribe such additional criteria, but recognizes and accommodates the authority and responsibility of those external parties to issue rules and guidance for such classifications.
Deficiencies in Internal Control over Financial Reporting
There are specific considerations when a deficiency relates to internal control over financial reporting. In this case, three tiers of deficiencies are commonly used: deficiency, significant deficiency, and material weakness.
For the purposes of this Framework, material weakness is considered in relation to an entity's financial reporting objective, and is defined as a condition in which there is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, detected, or corrected on a timely basis. Determining when a material weakness exists requires applying judgment, which includes several considerations, such as:
- The likelihood that a potential material misstatement exists and will not be prevented or detected and corrected in a timely manner.
- The magnitude of the potential or actual misstatement in relation to the entity's financial statements.
The above material weakness concept establishes boundaries around effectiveness: it is a threshold of seriousness against which deficiencies are measured. Some regulators or standard-setting bodies may provide other factors for consideration in determining the existence of a material weakness. For external financial reporting, the existence of a material weakness precludes an organization from asserting that the entity's system of internal control over external financial reporting is effective.
A significant deficiency is a deficiency or combination of deficiencies less severe than a material weakness, yet important enough to merit attention by the board of directors. Multiple significant deficiencies, when considered collectively, may result in a determination that a material weakness exists.
Deficiencies in Internal Control over Operations, Compliance, and Other Reporting
In evaluating deficiencies in internal control over operations, compliance, and non-financial reporting, this Framework suggests classifying such deficiencies as major and minor non-conformities. [7] A major non-conformity refers to any deficiency in internal control that relates to compliance, operations, and non-financial reporting activities and that adversely affects the likelihood that the entity will achieve its objectives. For operations, compliance, and non-financial reporting, the existence of any major non-conformity precludes an organization from concluding that the entity's system of internal control over these objectives is effective. For instance, a major non-conformity may exist when a deficiency in internal control has the potential for:
- Shipping a nonconforming product, e.g., a product that does not meet quality requirements.
- Making unauthorized significant changes to product design and manufacturing specifications.
- Not completing routine maintenance of assets, especially those that relate to public safety (e.g., aircraft, railways, or public transit).
- Administering improper medicine doses to hospital patients.
- Recurring misreporting of incidences of non-compliance to regulators.
- Omitting important information supporting budgeting and forecasting activities.
- Improperly treating, storing, or disposing of hazardous wastes.
- Improperly reporting child labor found to be occurring at own or suppliers' factories.
- Improperly reporting CO2 emissions to customers and investors.
- Acquiring incomplete or inaccurate data for use in actuarial valuations.
- Making unauthorized significant changes to health and safety specifications.
A minor non-conformity refers to any deficiency relating to compliance, operations, and non-financial reporting activities that does not adversely affect the likelihood that the entity will achieve its objective. For instance, a minor non-conformity may exist when a deficiency in internal control has the potential for:
Failing to document a part of the quality system.
Not inspecting an instrument past its calibration date.
Failing to conduct routine maintenance of an asset needed to keep a warranty in effect.
Filing a compliance statement with a regulator one day after the required filing date.
Not retaining a training record for future reference.
Using inaccurate data to prepare management information for internal analysis.
Multiple minor non-conformities when considered collectively may result in a determination that a major non-conformity exists.
7 Some standard-setting bodies and governmental agencies use the term "material weakness" to refer to major non-conformities. For instance, the Auditing Standards Board of the AICPA defines a material weakness in internal control over compliance as a deficiency, or combination of deficiencies, in internal control over compliance such that there is a reasonable possibility that material noncompliance with a compliance requirement will not be prevented or detected and corrected on a timely basis.
Other Considerations for Internal Control
Organizational Boundaries
Increasingly, many organizations are choosing to shift business activities to outside service providers. Such an approach has become prevalent because of the benefits of obtaining access to low-cost human resources, reducing costs in the day-to-day management of certain functions, obtaining access to better processes and systems, and allowing management to focus more on the entity's mission.
Outsourcing, strategic sourcing, and other outside service providers can help organizations to perform business processes such as procurement, payables management, payroll, pension and benefit management, investment management, and stock-based compensation programs. Outside service providers may also perform technology activities that support business processes, providing services to procure, manage, and maintain previously internally managed technology systems. Advances in technology have created opportunities for cost savings through access to comprehensive architectures that provide on-demand and scalable shared technology that supports more complex and changing business operations and that may be cost prohibitive for management as an internal investment.
Using outsourcing, strategic sourcing, and other outside service providers can provide substantial benefits of speed, efficiency, and cost savings to an entity, and the trend to outsourcing is likely to grow. This dependence on external parties changes the risks of business activities, increases the importance of the quality of information and communications from outside the organization, and creates greater challenges in overseeing activities and the related internal controls. While management can use others to execute activities for or on behalf of the entity, it cannot abdicate responsibility to monitor those activities, manage the associated risks, and establish mechanisms to support the functioning of the components of internal control.
This Framework can be applied to the entire entity regardless of what choices management makes about how it will execute business activities that support its objectives, either directly or through external relationships.
Technology
Technology may be essential to support management's pursuit of the entity's objectives and to better control the organization's activities. The number of entities that use technology continues to grow, as will the extent to which technology is used in most entities. Technology is often referred to by other terms, such as "management information systems" or "information technology." These terms share the ideas of using a combination of automated and manual processes, computer hardware and software, methodologies, and processes. This Framework uses the term "technology" to refer to all computerized systems, including software applications running on a computer and operational control systems.
Technology environments vary significantly in their size, complexity, and extent of integration. They range from large, centralized, and integrated systems to decentralized systems that operate independently within a specific unit. They may also involve real-time processing environments that enable immediate access to information, including mobile computer applications that can cut across many systems, organizations, geographies, processes, and technologies. Technology enables organizations to process high volumes of transactions, transform data into information to support sound decision making, share information efficiently across the entity and with business partners, and secure confidential information from inappropriate use. In addition, technology can allow an entity to share operational and performance data with the public.
Technology innovation creates both new opportunities and new risks. It can enable the development of new business markets and models, generate efficiencies through automation, and enable entities to do things that were previously hard to imagine. It may also increase complexity, which makes identifying and managing the risks more difficult.
The principles presented in this Framework do not change with the application of technology. This is not to say that technology does not change the internal control landscape. Certainly it affects how an entity implements the components of internal control, such as the greater availability of information and the use of automated procedures, but the principles remain the same. Because technology is continually evolving, this Framework does not address specific technologies, such as cloud computing or the rise in social media.
Larger versus Smaller Entities
The seventeen principles underlying the five components of internal control are just as applicable for smaller entities as for larger ones. However, implementation approaches may vary for smaller entities, regardless of whether the entity is a publicly traded company, a privately held entity, a government organization, or a not-for-profit organization. For example, all public companies have boards of directors, or other similar governing bodies, with oversight responsibilities related to reporting. A smaller entity may have a less complex organizational structure and operations, and more frequent communication with directors, enabling a different approach to board oversight. Similarly, while many public companies are often required to have a whistle-blower program, there may be a difference in the reporting procedures between other types of small and large entities. In a large entity, for example, the volume of reported events may require initial reporting to an identified internal staff function, but a smaller entity may allow direct reporting to the audit committee chair.
Smaller entities typically have unique advantages over larger ones which can contribute to effective internal control. These may include a wider span of control by senior management and greater direct interaction with personnel. For instance, smaller companies may find informal staff meetings highly effective for communicating information relevant to operating performance, whereas larger companies may need more formal mechanisms such as written reports, intranet portals, periodic formal meetings, or conference calls to communicate similar matters.
Conversely, larger entities may enjoy certain economies of scale, which often affect support functions. For example, establishing an internal audit function within a smaller, domestic entity likely would require a larger percentage of the company's economic resources than would be the case for a larger multinational entity. Certainly, the smaller company's internal audit function would be smaller, and might rely on co-sourcing or outsourcing in order to provide needed skills, where the larger company's function might be significantly larger with a broad range of experienced in-house personnel. But in all likelihood the relative cost for the smaller company would be higher than for the larger one.
Benefits and Costs of Internal Control
Benefits
Internal control provides many benefits to an entity. It provides management and the board of directors with added confidence regarding the achievement of objectives, it provides feedback on how a business is functioning, and it helps to reduce surprises. Among the most significant benefits of effective internal control for many entities is the ability to meet certain criteria required to access the capital markets, providing capital-driven innovation and economic growth. Such access of course comes with responsibilities to effect timely and reliable reporting for shareholders, creditors, capital providers, regulators, and other third parties with which an entity has direct contractual relationships. For instance, effective internal control supports reliable external financial reporting, which in turn enhances investor confidence in providing the requisite capital.
Other benefits of effective internal control include:
Reliable and relevant information supporting management's decision making on matters such as product pricing, capital investment, and resource deployment.
Consistent mechanisms for processing transactions, supporting quality of information and communications across an organization, enhancing speed and reliability at which transactions are initiated and settled, and providing reliable recordkeeping and ongoing integrity of data.
Increased efficiency within functions and processes.
Retention of the facts, reasoning, and basis for decisions where highly subjective and substantial judgment is needed.
Ability and confidence to accurately communicate business performance with business partners and customers, which supports continuity of the business relationship.
Entities always have limits on their human and capital resources and constraints on how much they can spend, and therefore they will often consider the costs relative to the benefits of alternative approaches in managing internal control options.
Costs
Generally, it is easier to deal with the cost aspect in the cost-benefit equation because in most cases costs can be quantified fairly precisely. Usually considered are all direct costs associated with implementing internal control actions and responses, plus indirect costs, where practically measurable. Some entities also include opportunity costs associated with use of resources. Overall, management considers a variety of cost factors in relation to expected benefits when selecting and developing internal controls. These may include:
Considering the trade-offs between recruiting and retaining staff with a higher level of competency and the related higher compensation costs. For instance, a smaller, stable, privately held company may not want to, or be able to, hire a chief financial officer with the experience of working for a publicly traded company.
Assessing the efforts required to select, develop, and perform control activities; the potential incremental efforts that the activity adds to the business process; and the efforts to maintain and update the control activity when needed.
Assessing the impacts of added reliance on technology. While the effort to perform the control and the impact of added technology-based controls on the business process may be small, the cost associated with selecting, developing, maintaining, and updating the technology could be substantial.
Understanding how changes in information requirements may call for greater data collection, processing, and storage that could trigger exponential growth in data volume. With more data available, an organization faces the challenge of avoiding information overload by ensuring flow of the right information, in the right form, at the right level of detail, to the right people, at the right time. Establishing an information system that balances costs and benefits depends on thoughtful consideration of information requirements.
Other Considerations in Determining Benefits and Costs
The benefit side of the cost-benefit equation often involves even more subjective evaluation. For example, benefits of effective training programs usually are apparent but difficult to quantify. Training programs are not often designed to measure the benefits or to capture the necessary data to evaluate the program. For example, sales training programs may not be structured to measure before-and-after employee sales results, making it difficult to determine whether the training is effective and accomplishing its objectives. In many cases, however, the benefit of developing actions within any of the five components of internal control can be evaluated in the context of the benefit associated with achievement of the related objective.
The complexity of cost-benefit determinations is compounded by the interrelationship of controls with business operations. Where controls are integrated with, or built into, management and business processes, it is difficult to isolate either their costs or benefits.
It is up to management to decide how an entity evaluates the costs versus benefits of alternative approaches to implementing a system of internal control, and the ultimate actions it takes. However, cost alone is not an acceptable reason to avoid implementing internal controls. The cost versus benefits considerations support management's ability to develop and maintain a system of internal control that balances the allocation of human resources in relation to the areas of greatest risk, complexity, or other factors relevant to the entity's objectives.
Documentation
Entities develop and maintain documentation for their internal control system for a number of reasons. One is to provide clarity around roles and responsibilities, which promotes consistency in adhering to desired practices in managing the business. Effective documentation assists in communicating the who, what, when, where, and why of internal control execution, and creates standards and expectations of performance and conduct. Another purpose of documentation is to assist in training new personnel and to offer a refresher or reference tool for other employees. Documentation also provides evidence of the performance of activities that are part of the system of internal control, enables proper monitoring, and supports reporting on internal control effectiveness, particularly when evaluated by external parties, such as regulators, auditors, or customers.
Management must also determine how much documentation is needed to assess the effectiveness of internal control. Some level of documentation is always necessary to assure management that the components of internal control are in place and functioning. This may include, for example, documents showing that all shipments are billed, or that periodic reconciliations are performed. As well, two specific levels of documentation requirements must be considered in relation to external financial and non-financial reporting:
In cases where management asserts to regulators, shareholders, or other third parties on the design and operating effectiveness of its overall system of internal control, management has a higher degree of responsibility. Typically this will require documentation to support the assertion that all components of internal control are in place and functioning. The nature and extent of the documentation may be influenced by the entity's regulatory requirements. This does not necessarily mean that all documentation will or should be more formal, but that sufficient evidence that the components of internal controls are present and operating together is available and suitable to satisfy the entity's objectives.
In cases where an external auditor attests to the effectiveness of the overall system of internal control, management will likely be expected to provide the auditor with support for its assertion on the effectiveness of internal control. That support would include evidence that the system of internal controls is properly designed and operating effectively. In considering the nature and extent of documentation needed, management should also remember that the documentation to support the assertion will likely be used by the external auditor as part of his or her audit evidence. Management may also document significant judgments, how such decisions were considered, and the final