1 Cosodraftinternal Control Frameworkdec2011 Unprotected


  • 7/27/2019 1 Cosodraftinternal Control Frameworkdec2011 Unprotected

    1/168

Committee of Sponsoring Organizations of the Treadway Commission

December 2011

Framework

Internal Control – Integrated Framework

    To submit comments on this Public Exposure Draft, please visit the www.ic.coso.org website. Responses are due by March 31, 2012.

Respondents will be asked to respond to a series of questions. Those questions may be found on-line at www.ic.coso.org and in a separate document provided at the time of download. Respondents may upload letters through this site. Please do not send responses by fax.

    Written comments on the exposure draft will become part of the public record and will be available on-line until December 31, 2012.


2011 All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of Certified Public Accountants, licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to copyright@aicpa.org or to AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC 27707. Telephone inquiries may be directed to 888-777-7707.


Committee of Sponsoring Organizations of the Treadway Commission

Board Members (Representative):

COSO Chair: David L. Landsittel
American Accounting Association: Mark S. Beasley; Douglas F. Prawitt
American Institute of Certified Public Accountants: Charles E. Landes
Financial Executives International: Marie N. Hollein
Institute of Management Accountants: Jeffrey C. Thomson; Sandra Richtermeyer
The Institute of Internal Auditors: Richard F. Chambers

PwC – Author

Principal Contributors:

Miles E.A. Everson (Project Leader), Partner, New York, USA
Cara M. Beston, Partner, San Jose, USA
Charles E. Harris, Partner, Florham Park, USA
Stephen E. Soske, Partner, Boston, USA
J. Aaron Garcia, Director, San Diego, USA
Catherine I. Jourdan, Director, Paris, France
Frank J. Martens, Director, Vancouver, Canada
Jay A. Posklensky, Director, Florham Park, USA
Sallie Jo Perraglia, Manager, New York, USA


Advisory Council

Sponsoring Organizations Representatives:

Audrey A. Gramling, Kennesaw State University, Professor
Steven Jameson, Community Trust Bank, Executive Vice President and Chief Internal Audit & Risk Officer
Steve McNally, Campbell Soup, Finance Director/Controller - Napoleon Operations
Ray Purcell, Pfizer, Director of Financial Controls
Bill Schneider, Sr., AT&T, Director of Accounting

Members at Large:

Jim DeLoach, Protiviti, Managing Director
John Fogarty, Deloitte, Partner
Trent Gazzaway, Grant Thornton, Partner
Cees Klumper, GAVI Alliance, Director of Internal Audit
Thomas Montminy, PwC, Partner
Al Paulus, E&Y, Partner
Tom J. Ray, KPMG, Partner
Ken Vander Wal, ISACA, President

Regulatory Observers and Other Observers:

James Dalkin, Government Accountability Office, Director in the Financial Management and Assurance Team
Harrison E. Greene, Jr., Federal Deposit Insurance Corporation, Senior Policy Analyst
Christian Peo, Securities and Exchange Commission, Professional Accounting Fellow
Vincent Tophoff, International Federation of Accountants, Senior Technical Manager
Keith Wilson, Public Company Accounting Oversight Board, Deputy Chief Auditor


    Additional PwC Contributors

    Joseph Atkinson Partner New York, USA

    Glenn Brady Partner St. Louis, USA

Jeffrey Boyle Partner Tokyo, Japan

    James Chang Partner Beijing, China

    Mark Cohen Partner San Francisco, USA

    Andrew Dahle Partner Chicago, USA

    Megan Haas Partner Hong Kong, China

    Junya Hakoda Partner Tokyo, Japan

    Diana Hillier Partner London, England

    Steve Hirt Partner Boston, USA

    Brian Kinman Partner St Louis, USA

    Barbara Kipp Partner Boston, USA

    Hans Koopmans Partner Singapore

Alan Martin Partner Frankfurt, Germany

    Pat McNamee Partner Florham Park, USA

    Jonathan Mullins Partner Dallas, USA

    Simon Perry Partner London, England

    Andrew Reinsel Partner Cincinnati, USA

    Kristin Rivera Partner San Francisco, USA

    Valerie Wieman Partner Florham Park, USA

    Alexander Young Partner Toronto, Canada

    David Albright Principal Washington, D.C., USA

    Charles Yovino Principal Atlanta, USA

    Eric M. Bloesch Managing Director Philadelphia, USA

    Sachin Mandal Director Florham Park, USA

    Christopher Michaelson Director Minneapolis, USA

    Lisa Reshaur Director Seattle, USA

    Tracy Walker Director Bangkok, Thailand


Preface

This project was commissioned by COSO, which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations.

COSO is a private sector initiative, jointly sponsored and funded by:

• American Accounting Association (AAA)
• American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)


Table of Contents

Foreword ..... i

Framework
Definition of Internal Control ..... 1
Overview of Internal Control ..... 5
Components of Internal Control
  Control Environment ..... 25
  Risk Assessment ..... 51
  Control Activities ..... 75
  Information and Communication ..... 91
  Monitoring Activities ..... 107
Limitations of Internal Control ..... 119
Roles and Responsibilities ..... 123
Appendices ..... 135
  A. Glossary ..... 136
  B. Summary of Changes to the 1992 Version of the Internal Control – Integrated Framework ..... 140
  C. Methodology ..... 147
  D. Comparison with COSO Enterprise Risk Management – Integrated Framework ..... 149
  E. Acknowledgments ..... 153

    Internal Control Integrated Framework December 2011


Foreword

In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control – Integrated Framework (the original framework). The original framework has gained broad acceptance and is now widely used around the world. It is recognized as a leading framework for designing, implementing, and evaluating the effectiveness of internal control.

In the nearly twenty years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven and global in scope. At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support the business decisions and governance of the organization.

COSO believes this framework will enable organizations to effectively and efficiently develop and maintain systems of internal control that can enhance the likelihood of achieving the entity's objectives and adapt to changes in the business and operating environments. COSO is pleased to present this Internal Control – Integrated Framework (Framework).

The experienced reader will find much that is familiar in the Framework, which builds on what has proven useful in the original version. It retains the core definition of internal control and the five components of internal control. The broad criteria used to assess the effectiveness of an internal control system also remain unchanged. This Framework continues to emphasize the importance of management judgment in the design, application, and assessment of effectiveness of a system of internal control.

At the same time, the Framework now includes important enhancements designed to clarify concepts and ease use and application. One of the most significant enhancements is the codification of internal control concepts introduced in the original framework into principles and attributes. These principles and attributes provide clarity for the user in the design and development of systems of internal control. Principles and attributes can also be used to support the assessment of the effectiveness of internal control. Other updates and enhancements to the Framework help the user address changes in business and operating environments, including:

• Expectations for governance oversight.
• Globalization of markets and operations.
• Changes in business models.
• Demands and complexities in laws, rules, regulations, and standards.
• Expectations for competencies and accountabilities.
• Use of, and reliance on, evolving technologies.
• Expectations relating to preventing and detecting corruption.


    Framework | Control Environment Risk Assessment Control Activities Information and Communication Monitoring Activities

We are pleased to present this Framework in three volumes. The first is an Executive Summary: a high-level overview intended for the board of directors, chief executive officer, other senior management, and regulators. The second volume, the Framework, defines internal control and describes components of internal control including the underlying principles and attributes. This volume also provides direction for all levels of management to use in designing, implementing, conducting, and evaluating internal control. The third volume, Evaluation, provides guidance that may be useful in evaluating the effectiveness of internal control.

In addition, a supplemental guide to be published concurrently with the Framework focuses the discussion on internal control over external financial reporting, providing practical approaches and examples supporting the preparation of published financial statements. COSO may, in the future, issue other guidance to provide additional assistance in applying this Framework. However, neither the guidance on internal control over external financial reporting nor other future guidance takes precedence over this Framework.

Finally, the COSO Board would like to thank PwC and the Advisory Council for their contributions in developing the Framework. Their full consideration of input provided by many stakeholders and their attention to detail were instrumental in ensuring that the core strengths of the 1992 Internal Control – Integrated Framework were preserved, clarified, and strengthened.


Definition of Internal Control

The primary purpose of this publication, Internal Control – Integrated Framework (Framework), is to help management better control the organization, and provide a board of directors [1] with an added ability to oversee internal control. Implementing a system of internal control allows management to stay focused on the organization's pursuit of its operations and financial performance goals, while operating within the confines of relevant laws and minimizing surprises along the way. Internal control enables an organization to deal more effectively with changing economic and competitive environments, leadership, priorities, and evolving business models. It promotes efficiency and effectiveness of operations, and supports reliable reporting and compliance with laws and regulations.

A secondary purpose of this Framework is to provide clarity on internal control by using a common definition and integrating various internal control concepts into a framework that defines the components of internal control. It is designed to assist management and other interested parties in assessing the effectiveness of an entity's system of internal control and reporting.

Understanding Internal Control

Internal control is defined as follows:

Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of reporting.
• Compliance with applicable laws and regulations.

This definition emphasizes that internal control is:

• A process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
• Effected by people. It is not merely about policy manuals, systems, and forms, but about people at every level of an organization that impact internal control.
• Able to provide reasonable assurance, not absolute assurance, to an entity's senior management and board.
• Geared to the achievement of objectives in one or more separate but overlapping categories.
• Adaptable to the entity structure.

[1] This Framework uses the term board of directors, which encompasses the governing body, including board, board of trustees, general partners, owner, or supervisory board.

This definition of internal control is intentionally broad for two reasons. First, it captures key concepts fundamental to how companies and other organizations design, implement, conduct, and evaluate internal control, providing a basis for application across various types of organizations, industries, and geographic regions. It also provides flexibility in application, allowing an entity to sustain internal control for an entire entity, or a subsidiary, division, operating unit, or function relevant for operations, reporting, or compliance objectives, based on the entity's specific needs or circumstances.

Second, the definition accommodates subsets of internal control. Those who want to may focus separately, for example, on internal control over reporting or controls relating to complying with laws and regulations. Similarly, a directed focus on controls in particular units or activities of an entity can be accommodated.

A Process

Internal control is not one event or circumstance, but a dynamic and iterative process [2]: actions that permeate an entity's activities and that are inherent in the way management runs the business. Embedded within this process are policies and procedures. These policies reflect management's statement of what should be done. Such statements may be documented, explicitly stated in other management communications, or implied through management's decisions. Procedures consist of actions that implement a policy. These policies and procedures exist to effect control.

[2] Although referred to as a process, internal control may be viewed as many processes.

Business processes, which are conducted within or across operating units or functional areas, are managed through the fundamental management activities of planning, executing, and checking. Internal control is integrated with these processes. Internal control is most effective when it is embedded in the entity's infrastructure and its ongoing activities.

Building in controls to an existing system, or modifying controls elsewhere in the entity, directly affects the entity's ability to reach its goals, supports quality business initiatives, and has important implications to cost. In contrast, layering on new procedures to address internal control separate from those that run the business can add costs. By focusing on existing controls that contribute to the overall system of control, and by building controls into basic operating activities, an entity often can avoid costs of developing new procedures.

Effected by People

Internal control is effected by the board of directors, management, and other personnel. It is accomplished by the people of an organization, by what they do and say. People establish the entity's objectives and put control mechanisms in place.

The organization consists of people including the board of directors, senior management, and other personnel. Included among the board's oversight responsibilities are providing advice, counsel, and direction to management, approving certain transactions

and policies, and monitoring management's activities. Consequently, the board of directors is an important element of internal control. For example, the board and senior management establish the tone for the organization concerning the importance of internal control and expected standards of conduct across the entity.

However, people do not always understand, communicate, or perform consistently. Each individual brings to the workplace a unique background and technical ability, and each has different needs and priorities. These individual differences can be inherently valuable and beneficial to innovation and productivity, but if not properly aligned with the entity's objective, they can be counterproductive. Yet, people must know their responsibilities and limits of authority. Accordingly, a clear and close linkage needs to exist between people's duties and the way in which these duties are carried out, and aligned with the entity's objectives.

Provides Reasonable Assurance

An effective system of internal control provides management and the board of directors with reasonable assurance regarding achievement of an entity's objectives. The term reasonable assurance rather than absolute assurance acknowledges that limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible.

Reasonable assurance does not imply that an entity will always achieve its objectives. The cumulative effect of internal control increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected by limitations inherent in all internal control systems, such as human error and the uncertainty inherent in judgment. Additionally, a system of internal control can be circumvented if two or more people collude. Further, if management is able to override controls, the entire system may fail. In other words, even an effective system of internal control can experience a failure.

Geared to the Achievement of Objectives

The Framework sets forth three categories of objectives, which allow organizations to focus on separate aspects of internal control:

• Operations Objectives: These pertain to effectiveness and efficiency of the entity's operations, including operations and financial performance goals and safeguarding assets against loss.
• Reporting Objectives: These pertain to the reliability of reporting. They include internal and external financial and non-financial reporting.
• Compliance Objectives: These pertain to adherence to laws and regulations to which the entity is subject.

These distinct but overlapping categories (a particular objective can fall under more than one category) address different needs and may be the direct responsibility of different individuals. The three categories also indicate what can be expected from internal control.

A system of internal control is expected to provide an organization with reasonable assurance that those objectives relating to the reliability of external reporting and compliance with laws and regulations will be achieved. Achieving those objectives, which are based largely on laws, rules, or standards established by regulators, recognized standard setters, and other external parties, depends on how activities within the organization's control are performed. Generally, management will have greater discretion in setting internal reporting objectives, which are not driven primarily by such external parties. However, management may choose to align its internal and external reporting objectives to allow internal reporting to better support the entity's external reporting.

However, achievement of operations objectives, such as a particular return on investment, market share, or entry into new product lines, is not always within the organization's control. Internal control cannot prevent bad judgments or decisions, or external events that can cause a business to fail to achieve operations goals. For these objectives, the internal control system can only provide reasonable assurance that management and the board are made aware, in a timely manner, of the extent to which the entity is moving toward those objectives.

Adaptable to the Entity Structure

Entities may be structured along various dimensions. The management operating model may follow product or service lines; reporting may be done for an overall consolidated entity, division, or operating unit, with geographic markets providing for further subdivisions or aggregations of performance. The management model may also rely on relationships with external parties to support the achievement of objectives.

The legal entity structure is typically designed to follow regulatory reporting requirements, empower managers at foreign operations, limit business risk, or provide tax benefits. Often, the organization of legal entities is quite different from the management structure that is used to run the business.

Internal control can be applied, based on management's decision and in the context of legal or regulatory requirements, to the operating model, legal entity structure, or a combination of these.

Overview of Internal Control

Introduction

An organization establishes a mission, sets strategies, establishes the objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity. Though many objectives are specific to a particular entity, some are widely shared. For example, objectives common to most entities are sustaining organizational success, providing reliable reporting to stakeholders, recruiting and retaining motivated and competent employees, achieving and maintaining a positive reputation within the business and consumer communities, and complying with laws and regulations.

Supporting the organization in its efforts to achieve its objectives are five components of internal control:

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities

These components of internal control are relevant to an entire entity, and to the entity level, subsidiaries, division, or any of its individual operating units, functions, or other subsets of the entity.

Relationship of Objectives, Components, and the Entity

A direct relationship exists between objectives, which are what an entity strives to achieve, the components, which represent what is needed to achieve the objectives, and the operating units, legal entities, and other structures within the entity. The relationship can be depicted in the form of a cube.

• The three categories of objectives are represented by the columns.
• The five components are represented by the rows.
• The organizational structure, which represents the overall entity, divisions, subsidiaries, operating units, or functions, including business processes such as sales, purchasing, production, and marketing and to which internal control relates, is depicted by the third dimension of the cube. [3]

[3] Throughout this Framework, the term "the entity and its subunits" refers collectively to the overall entity, divisions, subsidiaries, operating units, or functions.

[Figure: the internal control cube. Columns (objectives): Operations, Reporting, Compliance. Rows (components): Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities. Third dimension (entity structure): Entity Level, Division, Operating Unit, Function.]

Each component cuts across and applies to all three categories of objectives. For example, establishing and executing policies and procedures to ensure that management plans, programs, and other directives are carried out (representing the control activities component) is relevant to all three objectives categories.

The three categories of objectives are not parts or units of the entity. For instance, operations objectives relate to the efficiency and effectiveness of operations, not specific operating units or functions such as sales, marketing, procurement, or human resources.

Accordingly, when considering the category of objectives related to reporting, for example, knowledge of a wide array of information about the entity's operations is needed. In that case, focus is on the middle column of the model (reporting objectives) rather than the operations objectives category.

Internal control is a dynamic and iterative process. For example, risk assessment not only influences the control environment and control activities, but also may highlight a need to reconsider the entity's information and communication needs, or its monitoring activities. Thus, internal control is not a linear process where one component affects only the next. It is a dynamic and iterative process in which almost any component can and will influence another.

No two entities will, or should, have the same system of internal control. Entities and their internal control needs differ dramatically by industry, size, and regulatory environment, as well as internal considerations such as the nature of the overall business model, tolerance for risk, reliance on technology, and competence and number of personnel. Thus, while all entities need each of the components to maintain control over their activities, one entity's internal control system usually will look different from another's.

Objectives

Management sets entity-level objectives that align with the entity's mission and value proposition. These high-level objectives reflect management's choice of how the organization will seek to create, preserve, and realize value for its stakeholders. Such objectives may be based on the entity's unique operations needs, on laws, regulations, and standards imposed by external parties, or some combination of the two. Setting objectives is a prerequisite to internal control and a key part of the management process relating to strategic planning.

Individuals who are part of the internal control process need to understand the overall strategies and objectives set by the organization. As part of internal control, management specifies objectives that have been set so that risks to the achievement of those objectives can be identified and assessed. Specifying objectives relates to the articulation of specific, measurable, attainable, relevant, and time-bound objectives. In most instances, specifying objectives requires some form of codification. However there

    Internal Control Integrated Framework December 20116

    34

    35

    36

    37

    38

    39

    40

  • 7/27/2019 1 Cosodraftinternal Control Frameworkdec2011 Unprotected

    19/168

    Overview of Internal Control

    may be instances where an entity might not explicitly state an objective. By speciying

    objectives in appropriate detail, they can be readily understood by the people who are

    working toward achieving them.

    Categories o Objectives

    This Frameworkgroups entity objectives into the three categories o operations, report-

    ing, and compliance.

    Operations Objectives

    Operations objectives relate to achievement o an entitys basic missionthe unda-

    mental reason or its existence. These objectives vary based on managements choices

    relating to structure, industry considerations, and perormance o the entity. Entity-level

    objectives cascade into related sub-objectives or operations within the divisions, sub-

    sidiaries, operating units, and unctions, directed at enhancing eectiveness and e-

    ciency in moving the entity toward its ultimate goal. As such, operations objectives may

    relate to improving quality (i.e., avoiding waste and rework), reducing costs and produc-

    tion time, improving innovation, and improving customer and employee satisaction.

    Reporting Objectives

    Reporting objectives pertain to the preparation o reliable reports. Reporting objectives

    may relate to nancial or non-nancial reporting and to internal or external reporting.

    Internal reporting objectives are driven by internal requirements in response to a variety

    o potential needs such as the entitys strategic directions, operating plans, and per-

    ormance metrics at various levels o the entity. External reporting objectives are driven

    primarily by regulations and/or standards established by accounting bodies, and other

    standard-setting organizations.

    External Financial Reporting ObjectivesEntities need to achieve external

    nancial reporting objectives to meet obligations. Reliable nancial state-

    ments are a prerequisite to accessing capital markets and may be critical to

    the awarding o contracts or to dealing with suppliers. Investors, analysts,

    and creditors oten rely on an entitys nancial statements to assess peror-

    mance against peers and alternative investments. Management reporting on

    the eectiveness o internal control over external nancial reporting is part o

    external non-nancial reporting objectives reerenced below.

    External Non-Financial Reporting ObjectivesManagement may report

    external non-nancial inormation in accordance with regulations, standards,

    or rameworks, including reporting on internal control and operational pro-

    cesses. For example, where management operates in accordance with the

    International Organization or Standardization (ISO) standards or quality

    management, it may report publicly on its operations. An entity may engage

    an independent auditor to review and/or report on its conormance with stan-

    dards published by such organizations. The entity typically attains an annual

    certication that demonstrates adherence to such a standard.

    Internal Control Integrated Framework December 2011

    42

    41

    43

  • 7/27/2019 1 Cosodraftinternal Control Frameworkdec2011 Unprotected

    20/168

Internal Financial and Non-Financial Reporting Objectives: Reliable internal reporting provides management with information needed to manage the organization. It supports management's decision making and assessment of the entity's activities and performance. Internal reporting objectives are based on preferences, judgments, and management style. Internal reporting objectives vary among entities because different organizations have different strategic directions, operating plans and expectations.

Relationship within Reporting Category of Objective

The overall relationship between the four sub-categories of reporting objectives is depicted in the graphic below.

Graphic: Relationship within the reporting category of objectives

                      | Financial                          | Non-Financial
  External reporting  | External Financial Reporting:      | External Non-Financial Reporting:
                      |   annual financial statements,     |   internal control report,
                      |   interim financial statements,    |   sustainability report,
                      |   earnings releases                |   supply chain / custody of assets
  Internal reporting  | Internal Financial Reporting:      | Internal Non-Financial Reporting:
                      |   divisional financial statements, |   staff/asset utilization,
                      |   cash flow / budget,              |   customer satisfaction surveys,
                      |   bank covenant calculations       |   key risk indicator dashboards,
                      |                                    |   board reporting

Characteristics of external reporting: used to meet external stakeholder and regulatory requirements; prepared in accordance with external standards; may be required by regulators, contracts, agreements.

Characteristics of internal reporting: used in managing the business and decision making; established by management and board.

Reporting objectives are separate and distinct from the information and communication component of internal control. Reporting objectives focus on reliable reporting, and to achieve this, the organization applies all five components of internal control. For instance, an organization in preparing an internal non-financial report to the board on the status of merger integration efforts assigns competent individuals, assesses risks relating to the understandability, relevance, and usefulness of the report, develops controls to address the reliability of the information being reported, and monitors the overall system of internal control supporting this non-financial reporting objective. In contrast, the information and communication component supports the functioning of all components of internal control and the achievement of the reporting category of objectives, as well as operations and compliance objectives. For instance, controls within information and communication support the preparation of the above report, helping to provide relevant and quality information underlying the report, but are only part of the overall system of internal control.

Compliance Objectives

Entities must conduct their activities, and often take specific actions, in accordance with applicable laws and regulations. As part of specifying compliance objectives, the organization needs to understand which laws and regulations apply across the entity. Many laws and regulations are generally well known, such as those relating to reporting on internal control over financial reporting and environmental compliance, but others may be more obscure, such as those that apply to an entity conducting operations in a remote foreign territory.

Basis of Objectives Categories

Certain objectives are derived from the regulatory environment or industry in which the business operates. For example:

• Some entities submit information to environmental agencies.
• Publicly traded companies file information with securities regulators.
• Universities report grant expenditures to government agencies.

These types of objectives are established largely by law or regulation, and fall into the category of compliance, external reporting, or in these examples, both.

Conversely, operations objectives and internal reporting are based more on preferences, judgments, and management style. They vary widely among entities simply because informed and competent people may select different objectives. For example, for product development, one organization might choose to be an early adopter, another might be a quick follower, and yet another a late adopter. These choices will affect the structure, skills, staffing, and controls of the research and development function. Consequently, no one formulation of objectives can be optimal for all entities.

Overlap of Objectives Categories

An objective in one category may overlap or support an objective in another. For example, closing the financial reporting period within five workdays may be a goal supporting primarily an operations objective: to support management in reviewing business performance. But it also supports timely reporting and timely filings with regulatory agencies. The category in which an objective falls can sometimes vary depending on the circumstances. Controls to prevent theft of assets, such as maintaining a fence around inventory, or having a gatekeeper to verify proper authorization of requests for movement of goods, fall under the operations category. These controls may not be relevant to the reliability of reporting where inventory losses are detected following periodic physical inspection and recording in the financial statements. However, if for reporting purposes management relies solely on perpetual inventory records, as may be the case for interim or internal financial reporting, the physical security controls would then also fall within the reporting category. These physical security controls, along with controls over the perpetual inventory records, are needed to ensure reliable reporting.

Objectives and Sub-Objectives

Management links specified entity-level objectives to more specific sub-objectives that cascade throughout the organization. These sub-objectives also are established as part of or flowing from the strategy-setting process, and relate to subsidiaries, divisions, operating units and functional activities, including business processes such as sales, production, engineering, marketing, productivity, employee engagement, innovation, and information technology. Throughout this process, management ensures that the sub-objectives remain aligned with entity-level objectives and are coordinated across the entity.

Where entity-level objectives are consistent with prior practice and performance, the linkage among activities is usually known. Where, however, objectives depart from an entity's past practices, management addresses the linkages or accepts increased risks. For example, an objective to fill more management roles internally through promotions will depend heavily on linked sub-objectives dealing with succession planning, appraising, training, and development. These sub-objectives might be substantially changed if past practice relied heavily on external recruiting.

Sub-objectives for operating units and functional activities also need to be clear. These sub-objectives also need to be specific, measurable, attainable, relevant, and time-bound. In addition, they must be readily understood by the people who are working toward achieving them. Management and other personnel require a mutual understanding of both what is to be accomplished and the means of determining to what extent it is accomplished in order to ensure individual and team accountability.

Many entities establish multiple sub-objectives for each activity, flowing both from the entity-level objectives and from standards relating to the established compliance and reporting objectives. For procurement, for example, operations objectives may be to:

• Purchase goods that meet established engineering specifications.
• Purchase goods from companies that meet the entity's environmental, health, and safety specifications as set forth in a code of conduct (e.g., no child labor, good working conditions).
• Negotiate acceptable prices and other terms.

Components of Internal Control

This Framework sets out five components of internal control. It also sets out seventeen principles representing the fundamental concepts associated with each component. All seventeen principles apply to each category of objective, as well as to individual objectives within a category. Supporting the seventeen principles are eighty-one attributes, representing characteristics associated with the principles.

Below is a summary of each of the five components of internal control and the principles relating to each. This listing of principles is not meant to imply a binary checklist. Rather, principles are meant to enable effective operation of the components and the overall system of internal control, with appropriate use of management judgment.

Each of the principles and attributes is covered in the following chapters. Each principle is introduced at the beginning of the relevant chapter and then presented at the end of the relevant chapter along with the attributes relating to each principle. Attributes are also called out in sidebars to the text of each chapter. For purposes of this Framework, in describing these principles and attributes we use the word "organization" to capture the meaning of, collectively, the board, management, and other personnel.

Control Environment

The control environment is the foundation for all other components of internal control. The board and senior management establish the tone from the top regarding the importance of internal control and expected standards of conduct. The control environment provides discipline, process, and structure.

There are five principles relating to Control Environment:

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.

There are four principles relating to Risk Assessment:

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

Control activities are the actions established by policies and procedures to help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.

There are three principles relating to Control Activities:

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.

Information and Communication

Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities. Communication enables all personnel to understand internal control responsibilities and their importance to the achievement of objectives.

There are three principles relating to Information and Communication:

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.

There are two principles relating to Monitoring Activities:

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

In addition to the five components of internal control noted above, the Framework includes discussion recognizing that while internal control provides important benefits, limitations do exist. Limitations result from:

• The quality and suitability of objectives established as a precondition to internal control.
• The realities that human judgment in decision making can be faulty.
• Knowing that decisions on responding to risk and establishing controls must consider the relative costs and benefits.
• Breakdowns that can occur because of human failures such as simple errors or mistakes.
• Controls that can be circumvented by collusion of two or more people.
• The ability of management to override internal control decisions.

These limitations preclude the board and management from having absolute assurance of the achievement of the entity's objectives; that is, controls provide reasonable but not absolute assurance.

The remaining chapters of this volume, including Roles and Responsibilities and appendices, are not a part of the Framework.

Internal Control and the Management Process

Because internal control is a part of management's overall responsibility, the five components are discussed in the context of management's actions in managing the entity. Not every decision or action of management, however, is part of internal control:

• Having a board comprised of directors with sufficient independence from management that carries out its oversight role effectively is a part of internal control. However, many decisions reached by the board are not part of internal control; for example, deciding on or approving a particular strategic plan. The board will fulfill a variety of governance responsibilities that are in addition to its responsibilities for oversight of internal control.
• Setting objectives is part of or flows from the broader strategic planning process. Ensuring that management specifies the objectives chosen by the entity is part of internal control; however, the appropriateness of particular objectives selected is not.
• Setting the overall level of acceptable risk and associated risk appetite [4] is part of strategic planning and enterprise risk management, not part of internal control. Similarly, setting risk tolerance levels in relation to specific objectives is not part of internal control.
• Developing control activities that contribute to the mitigation of risks based on a risk assessment process is a part of internal control, but choosing which risk response is preferred to address specific risks is not.

Assessing Effectiveness

An effective system of internal control provides reasonable assurance regarding achievement of an entity's objectives. To have an effective system of internal control relating to one, two, or all three categories of objectives, each of the five components must be present and operate together in a manner that reduces, to an acceptable level, the risk of not achieving an objective. [5] Further, the existence of any material weakness (with respect to external financial reporting objectives) or major non-conformity (with respect to operations, compliance, or non-financial reporting objectives) would preclude an organization from concluding that the entity's system of internal control is effective. For example, effective internal control over a particular compliance objective requires that all five components be present and operating together.

Effectiveness of internal control is assessed relative to the five components of internal control. Determining whether an overall system of internal control is effective is a subjective judgment resulting from an assessment of whether each of the five components of internal control is present and whether the five components of internal control are operating together. Because internal control is relevant to an entire entity and its sub-units, effectiveness of internal control can also be assessed relative to a specific part of the organizational structure.

[4] Risk appetite is defined as the amount of risk, on a broad level, an entity is willing to accept in pursuit of its mission/vision.

[5] The phrase "present and operating together in a manner that reduces, to an acceptable level, the risk of not achieving an objective" is subsequently referred to as "present and operating together."

When internal control is determined to be effective for each of the three categories of objectives, management and the board of directors have reasonable assurance, relative to the application within the entity structure, that the organization:

• Understands the extent to which operations are managed effectively and efficiently.
• Prepares reliable reports.
• Complies with applicable laws and regulations.

Evaluating each component of internal control requires consideration of how it is being applied by the entity within the system of internal control, and not whether it is effective on its own. Components should not be viewed discretely. Rather, the components should be viewed as an integrated system working together to attain effective internal control. The notion that all five components of internal control must be present and operate together does not mean that each should function identically, or even at the same level, in different entities. Different entities' internal control systems can operate differently.

Furthermore, the integration of these five components is important in assessing the effectiveness of a system of internal control. Because controls can serve a variety of purposes, controls put in place to effect principles in one component can serve a purpose that may also apply to another component. Controls exist in each of the five components of internal control. Additionally, controls can differ in the degree to which they address a particular risk, so that the portfolio, or combination of controls, each with limited effect, together can act satisfactorily in reducing risks to the achievement of objectives.

Any change in the application of one component should not be viewed in isolation. That is, changes in one component require an evaluation of the potential effects and need for changes in other components. Thus, the contributions made by each component as well as the five components together are evaluated in determining whether a system of internal control is effective.

Considering the Principles in Assessing Effectiveness

In assessing whether the system of internal control is effective, senior management and the board of directors determine to what extent the principles and, in turn, the corresponding attributes associated with each component are present and functioning. [6] This evaluation entails considering how the principles and attributes are being applied. Determining whether a principle is present and functioning implies that the organization:

• Understands the intent of the principle and how it is being applied.
• Applies the principle consistently across the entity.
• Works to help personnel understand and apply the principle across the entity.
• Views omission of or non-conformity with a principle as an exception (i.e., not applying the wording, intent, and spirit of the principle is the exception rather than the norm).

Furthermore, a principle that is present and functioning operates within a range of acceptability and does not imply that the organization achieves the highest level in applying the principle. Management must still be able to assess the trade-offs between the cost of achieving perfection and the benefits of seeking to operate at the highest levels of sophistication and capability.

When a principle is deemed not to be present or functioning, an internal control deficiency exists. Management applies judgment in evaluating whether a deficiency prevents the entity from concluding that a component of internal control is present and functioning. These judgments may vary depending on the category of objectives, and additional considerations relating to deficiencies in internal control over operations, compliance, financial reporting, and other reporting are considered in the following sections.

Even though attributes are expected to be present and functioning, it may be possible to determine that the corresponding principle is present and functioning, and thus a component can be present and functioning without every attribute being present. For instance, management may be able to determine that Principle 1, "The organization demonstrates a commitment to integrity and ethical values," is present and functioning based on an assessment that only three of the four related attributes are present and functioning. The organization may set the tone at the top, evaluate adherence to standards of conduct, and address deviations in a timely manner, but it does not formally define the expectations of management and the board of directors in the entity's standards of conduct. However, in the absence of an attribute being present and functioning, a deficiency may still exist.

Deficiencies in Internal Control

Deficiencies in an entity's system of internal control may surface from many sources, including the entity's monitoring activities and other components of internal control, and external parties that provide input relative to the operation of a component.

The term "deficiency" refers to a shortcoming in some aspect of the system of internal control and has the potential to adversely affect the ability of the entity to achieve its objectives. When an organization determines that a deficiency exists, management needs to assess the impact of that deficiency on the effectiveness of the entity's system of internal control. Further, the responsibility for identifying and assessing deficiencies rests with the organization, in the normal course of performing the functions. Certain external parties, such as external auditors and regulators, are not part of the system of internal control and cannot be relied upon to detect and assess deficiencies.

Not every deficiency will result in a conclusion that an entity does not have an effective system of internal control. For one thing, other controls may be present and functioning that allow for each of the components to be present and for all five components to be operating together. When a deficiency is noted, the evaluator considers the effect of controls in the same or other components.

[6] For purposes of this Framework, the phrase "present and functioning" applies to components, principles, and attributes. "Present" means that a component, principle, or attribute has been implemented. "Functioning" means that a component, principle, or attribute is operating as intended.

    Overview of Internal Control

Assessing the severity of a deficiency or combination of deficiencies to determine the potential impact on the system of internal control requires judgment. This Framework sets forth the criteria through the components, principles, and attributes for management to assess the effectiveness of an entity's system of internal control and to determine and assess the nature of a deficiency. Management may decide or be required to consider additional criteria established by external parties for evaluating and classifying the severity of a deficiency or combination of deficiencies. For example, regulators, standard-setting bodies, listing agencies, and other relevant third parties have established additional criteria contained in standards and other guidance for evaluating the classification of deficiencies relating to the external financial reporting objective and to non-financial reporting, operations, and compliance objectives discussed in the next sections. This Framework does not prescribe such additional criteria, but recognizes and accommodates the authority and responsibility of those external parties to issue rules and guidance for such classifications.

Deficiencies in Internal Control over Financial Reporting

There are specific considerations when a deficiency relates to internal control over financial reporting. In this case, three tiers of deficiencies are commonly used: deficiency, significant deficiency, and material weakness.

For the purposes of this Framework, material weakness is considered in relation to an entity's financial reporting objective, and is defined as a condition in which there is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, detected, or corrected on a timely basis. Determining when a material weakness exists requires applying judgment which includes several considerations, such as:

• The likelihood that a potential material misstatement exists and will not be prevented or detected and corrected in a timely manner.
• The magnitude of the potential or actual misstatement in relation to the entity's financial statements.

The above material weakness concept establishes boundaries around effectiveness, which is a threshold of seriousness against which deficiencies are measured. Some regulators or standard-setting bodies may provide other factors for consideration in determining the existence of a material weakness. For external financial reporting, the existence of a material weakness precludes an organization from asserting that the entity's system of internal control over external financial reporting is effective.

A significant deficiency is a deficiency or combination of deficiencies less severe than a material weakness, yet may be important enough to merit attention by the board of directors. Multiple significant deficiencies when considered collectively may result in a determination that a material weakness exists.


    Framework | Control Environment Risk Assessment Control Activities Information and Communication Monitoring Activities

Deficiencies in Internal Control over Operations, Compliance, and Other Reporting

In evaluating deficiencies in internal control over operations, compliance, and non-financial reporting, this Framework suggests classifying such deficiencies as major and minor non-conformities.7 A major non-conformity refers to any deficiency in internal control that relates to compliance, operations, and non-financial reporting activities that adversely affects the likelihood that the entity will achieve its objectives. For operations, compliance, and non-financial reporting, the existence of any major non-conformity precludes an organization from concluding that the entity's system of internal control over these objectives is effective. For instance, a major non-conformity may exist when a deficiency in internal control has the potential for:

• Shipping a nonconforming product, e.g., a product that does not meet quality requirements.
• Making unauthorized significant changes to product design and manufacturing specifications.
• Not completing routine maintenance of assets, especially those that relate to public safety (e.g., aircraft, railways, or public transit).
• Administering improper medicine doses to hospital patients.
• Recurring misreporting of incidences of non-compliance to regulators.
• Omitting important information supporting budgeting and forecasting activities.
• Improperly treating, storing, or disposing of hazardous wastes.
• Improperly reporting child labor found to be occurring at own or suppliers' factories.
• Improperly reporting CO2 emissions to customers and investors.
• Acquiring incomplete or inaccurate data for use in actuarial valuations.
• Making unauthorized significant changes to health and safety specifications.

A minor non-conformity refers to any deficiency relating to compliance, operations, and non-financial reporting activities that does not adversely affect the likelihood that the entity will achieve its objective. For instance, a minor non-conformity may exist when a deficiency in internal control has the potential for:

• Failing to document a part of the quality system.
• Not inspecting an instrument past its calibration date.
• Failing to conduct routine maintenance of an asset needed to keep a warranty in effect.
• Filing a compliance statement with a regulator one day after the required filing date.
• Not retaining a training record for future reference.
• Using inaccurate data to prepare management information for internal analysis.

Multiple minor non-conformities when considered collectively may result in a determination that a major non-conformity exists.

7 Some standard-setting bodies and governmental agencies use the term material weakness to refer to major non-conformities. For instance, the Auditing Standards Board of the AICPA defines a material weakness in internal control over compliance as a deficiency, or combination of deficiencies, in internal control over compliance such that there is a reasonable possibility that material noncompliance with a compliance requirement will not be prevented or detected and corrected on a timely basis.

Other Considerations for Internal Control

Organizational Boundaries

Increasingly, many organizations are choosing to shift business activities to outside service providers. Such an approach has become prevalent because of the benefits of obtaining access to low-cost human resources, reducing costs in the day-to-day management of certain functions, obtaining access to better processes and systems, and allowing management to focus more on the entity's mission.

Outsourcing, strategic sourcing, and other outside service providers can help organizations to perform business processes such as procurement, payables management, payroll, pension and benefit management, investment management, and stock-based compensation programs. Outside service providers may also perform technology activities that support business processes, providing services to procure, manage, and maintain previously internally managed technology systems. Advances in technology have created opportunities for cost savings through access to comprehensive architectures that provide on-demand and scalable shared technology that supports more complex and changing business operations and that may be cost prohibitive for management as an internal investment.

Using outsourcing, strategic sourcing, and other outside service providers can provide substantial benefits of speed, efficiency, and cost savings to an entity, and the trend to outsourcing is likely to grow. This dependence on external parties changes the risks of business activities, increases the importance of the quality of information and communications from outside the organization, and creates greater challenges in overseeing activities and the related internal controls. While management can use others to execute activities for or on behalf of the entity, it cannot abdicate responsibility to monitor those activities, manage the associated risks, and establish mechanisms to support the functioning of the components of internal control.

This Framework can be applied to the entire entity regardless of what choices management makes about how it will execute business activities that support its objectives, either directly or through external relationships.


Technology

Technology may be essential to support management's pursuit of the entity's objectives and to better control the organization's activities. The number of entities that use technology continues to grow, as will the extent to which technology is used in most entities.

Technology is often referred to by other terms, such as "management information systems" or "information technology." These terms share the ideas of using a combination of automated and manual processes, computer hardware and software, methodologies, and processes. This Framework uses the term "technology" to refer to all computerized systems, including software applications running on a computer and operational control systems.

Technology environments vary significantly in their size, complexity, and extent of integration. They range from large, centralized, and integrated systems to decentralized systems that operate independently within a specific unit. They may also involve real-time processing environments that enable immediate access to information, including mobile computer applications that can cut across many systems, organizations, geographies, processes, and technologies. Technology enables organizations to process high volumes of transactions, transform data into information to support sound decision making, share information efficiently across the entity and with business partners, and secure confidential information from inappropriate use. In addition, technology can allow an entity to share operational and performance data with the public.

Technology innovation creates both new opportunities and new risks. It can enable the development of new business markets and models, generate efficiencies through automation, and enable entities to do things that were previously hard to imagine. It may also increase complexity, which makes identifying and managing the risks more difficult.

The principles presented in this Framework do not change with the application of technology. This is not to say that technology does not change the internal control landscape. Certainly it affects how an entity implements the components of internal control, such as the greater availability of information and the use of automated procedures, but the principles remain the same. Because technology is continually evolving, this Framework does not address specific technologies, such as cloud computing or the rise in social media.

Larger versus Smaller Entities

The seventeen principles underlying the five components of internal control are just as applicable for smaller entities as for larger ones. However, implementation approaches may vary for smaller entities, regardless of whether the entity is a publicly traded company, a privately held entity, a government organization, or a not-for-profit organization. For example, all public companies have boards of directors, or other similar governing bodies, with oversight responsibilities related to reporting. A smaller entity may have a less complex organizational structure and operations, and more frequent communication with directors, enabling a different approach to board oversight. Similarly, while many public companies are often required to have a whistle-blower program, there may be a difference in the reporting procedures between other types of small and large entities. In a large entity, for example, the volume of reported events may require initial reporting to an identified internal staff function, but a smaller entity may allow direct reporting to the audit committee chair.

Smaller entities typically have unique advantages over larger ones which can contribute to effective internal control. These may include a wider span of control by senior management and greater direct interaction with personnel. For instance, smaller companies may find informal staff meetings highly effective for communicating information relevant to operating performance, whereas larger companies may need more formal mechanisms such as written reports, intranet portals, periodic formal meetings, or conference calls to communicate similar matters.

Conversely, larger entities may enjoy certain economies of scale, which often affect support functions. For example, establishing an internal audit function within a smaller, domestic entity likely would require a larger percentage of the company's economic resources than would be the case for a larger multinational entity. Certainly, the smaller company's internal audit function would be smaller, and might rely on co-sourcing or outsourcing in order to provide needed skills, where the larger company's function might be significantly larger with a broad range of experienced in-house personnel. But in all likelihood the relative cost for the smaller company would be higher than for the larger one.

Benefits and Costs of Internal Control

Benefits

Internal control provides many benefits to an entity. It provides management and the board of directors with added confidence regarding the achievement of objectives, it provides feedback on how a business is functioning, and it helps to reduce surprises.

Among the most significant benefits of effective internal control for many entities is the ability to meet certain criteria required to access the capital markets, providing capital-driven innovation and economic growth. Such access of course comes with responsibilities to effect timely and reliable reporting for shareholders, creditors, capital providers, regulators, and other third parties with which an entity has direct contractual relationships. For instance, effective internal control supports reliable external financial reporting, which in turn enhances investor confidence in providing the requisite capital.

Other benefits of effective internal control include:

• Reliable and relevant information supporting management's decision making on matters such as product pricing, capital investment, and resource deployment.
• Consistent mechanisms for processing transactions, supporting quality of information and communications across an organization, enhancing speed and reliability at which transactions are initiated and settled, and providing reliable recordkeeping and ongoing integrity of data.
• Increased efficiency within functions and processes.
• Retention of the facts, reasoning, and basis for decisions where highly subjective and substantial judgment is needed.
• Ability and confidence to accurately communicate business performance with business partners and customers, which supports continuity of the business relationship.

Entities always have limits on their human and capital resources and constraints on how much they can spend, and therefore they will often consider the costs relative to the benefits of alternative approaches in managing internal control options.

Costs

Generally, it is easier to deal with the cost aspect in the cost-benefit equation because in most cases costs can be quantified fairly precisely. Usually considered are all direct costs associated with implementing internal control actions and responses, plus indirect costs, where practically measurable. Some entities also include opportunity costs associated with use of resources. Overall, management considers a variety of cost factors in relation to expected benefits when selecting and developing internal controls. These may include:

• Considering the trade-offs between recruiting and retaining staff with a higher level of competency and the related higher compensation costs. For instance, a smaller, stable, privately held company may not want to, or be able to, hire a chief financial officer with the experience of working for a publicly traded company.
• Assessing the efforts required to select, develop, and perform control activities; the potential incremental efforts that the activity adds to the business process; and the efforts to maintain and update the control activity when needed.
• Assessing the impacts of added reliance on technology. While the effort to perform the control and the impact of added technology-based controls on the business process may be small, the cost associated with selecting, developing, maintaining, and updating the technology could be substantial.
• Understanding how changes in information requirements may call for greater data collection, processing, and storage that could trigger exponential growth in data volume. With more data available, an organization faces the challenge of avoiding information overload by ensuring flow of the right information, in the right form, at the right level of detail, to the right people, at the right time. Establishing an information system that balances costs and benefits depends on thoughtful consideration of information requirements.

Other Considerations in Determining Benefits and Costs

The benefit side of the cost-benefit equation often involves even more subjective evaluation. For example, benefits of effective training programs usually are apparent but difficult to quantify. Training programs are not often designed to measure the benefits or to capture the necessary data to evaluate the program. For example, sales training programs may not be structured to measure before-and-after employee sales results, making it difficult to determine whether the training is effective and accomplishing its objectives. In many cases, however, the benefit of developing actions within any of the five components of internal control can be evaluated in the context of the benefit associated with achievement of the related objective.

The complexity of cost-benefit determinations is compounded by the interrelationship of controls with business operations. Where controls are integrated with, or built into, management and business processes, it is difficult to isolate either their costs or benefits.

It is up to management to decide how an entity evaluates the costs versus benefits of alternative approaches to implementing a system of internal control, and the ultimate actions it takes. However, cost alone is not an acceptable reason to avoid implementing internal controls. The cost versus benefits considerations support management's ability to develop and maintain a system of internal control that balances the allocation of human resources in relation to the areas of greatest risk, complexity, or other factors relevant to the entity's objectives.

Documentation

Entities develop and maintain documentation for their internal control system for a number of reasons. One is to provide clarity around roles and responsibilities, which promotes consistency in adhering to desired practices in managing the business. Effective documentation assists in communicating the who, what, when, where, and why of internal control execution, and creates standards and expectations of performance and conduct. Another purpose of documentation is to assist in training new personnel and to offer a refresher or reference tool for other employees. Documentation also provides evidence of the performance of activities that are part of the system of internal control, enables proper monitoring, and supports reporting on internal control effectiveness, particularly when evaluated by external parties, such as regulators, auditors, or customers.

Management must also determine how much documentation is needed to assess the effectiveness of internal control. Some level of documentation is always necessary to assure management that the components of internal control are in place and functioning. This may include, for example, documents showing that all shipments are billed, or that periodic reconciliations are performed. As well, two specific levels of documentation requirements must be considered in relation to external financial and non-financial reporting:

• In cases where management asserts to regulators, shareholders, or other third parties on the design and operating effectiveness of its overall system of internal control, management has a higher degree of responsibility. Typically this will require documentation to support the assertion that all components of internal control are in place and functioning. The nature and extent of the documentation may be influenced by the entity's regulatory requirements. This does not necessarily mean that all documentation will or should be more formal, but that sufficient evidence that the components of internal control are present and operating together is available and suitable to satisfy the entity's objectives.
• In cases where an external auditor attests to the effectiveness of the overall system of internal control, management will likely be expected to provide the auditor with support for its assertion on the effectiveness of internal control. That support would include evidence that the system of internal controls is properly designed and operating effectively. In considering the nature and extent of documentation needed, management should also remember that the documentation to support the assertion will likely be used by the external auditor as part of his or her audit evidence. Management may also document significant judgments, how such decisions were considered, and the final