Internal Control — Integrated Framework (Draft Sep 2012)
7/29/2019 Internal Control Integrated Framework (Draft Sep 2012)
Internal Control Integrated Framework
Committee of Sponsoring Organizations of the Treadway Commission
To submit comments on this Public Exposure Draft, please visit the www.ic.coso.org website. Responses are due by
November 16, 2012.
Respondents will be asked to respond to a series of questions. Those questions may be found on-line at www.ic.coso.org and in
a separate document provided at the time of download. Respondents may upload letters through this site. Please do not send
responses by fax.
Written comments on this exposure draft will become part of the public record and will be available on-line March 31, 2013.
September 2012
Internal Control over External Financial Reporting:
A Compendium of Approaches and Examples
2012 All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of Certified Public Accountants, licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to copyright@aicpa.org or to AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC 27707. Telephone inquiries may be directed to 888-777-7707.
Committee of Sponsoring Organizations of the Treadway Commission

Board Members and Representatives
COSO Chair: David L. Landsittel
American Accounting Association: Mark S. Beasley, Douglas F. Prawitt
The Institute of Internal Auditors: Richard F. Chambers
American Institute of Certified Public Accountants: Charles E. Landes
Financial Executives International: Marie N. Hollein
Institute of Management Accountants: Sandra Richtermeyer, Jeffrey C. Thomson

PwC (Author)

Principal Contributors
Miles E.A. Everson, Engagement Leader, New York, USA
Stephen E. Soske, Project Lead Partner, Boston, USA
J. Aaron Garcia, Project Lead Director, San Diego, USA
Cara M. Beston, Partner, San Jose, USA
Charles E. Harris, Partner, Florham Park, USA
Eric M. Bloesch, Managing Director, Philadelphia, USA
James M. Downs, Director, San Francisco, USA (Through January 2012)
Frank J. Martens, Director, Vancouver, Canada
Jay A. Posklensky, Director, Florham Park, USA
Charles J. Finn, Senior Manager, Detroit, USA
Natalie Protze, Senior Manager, Washington D.C., USA (July 2011 to March 2012)
Advisory Council

Sponsoring Organizations Representatives
Audrey A. Gramling, Bellarmine University, Fr. Raymond J. Treece Endowed Chair
Steven E. Jameson, Community Trust Bank, Executive Vice President and Chief Internal Audit & Risk Officer
J. Stephen McNally, Campbell Soup Company, Finance Director/Controller
Ray Purcell, Pfizer, Director of Financial Controls
Bill Schneider, AT&T, Director of Accounting

Members at Large
Jennifer Burns, Deloitte, Partner
Jim DeLoach, Protiviti, Managing Director
Trent Gazzaway, Grant Thornton, Partner
Cees Klumper, The Global Fund to Fight AIDS, Tuberculosis and Malaria, Chief Risk Officer
Thomas Montminy, PwC, Partner
Al Paulus, E&Y, Partner
Thomas Ray, KPMG, Partner
Dr. Larry E. Rittenberg, University of Wisconsin, Emeritus Professor of Accounting; Chair Emeritus, COSO
Ken Vander Wal, ISACA, President

Regulatory Observers and Other Observers
James Dalkin, Government Accountability Office, Director in the Financial Management and Assurance Team
Harrison E. Greene, Jr., Federal Deposit Insurance Corporation, Assistant Chief Accountant
Christian Peo, Securities and Exchange Commission, Professional Accounting Fellow (Through June 2012)
Amy Steele, Securities and Exchange Commission, Associate Chief Accountant (Commencing July 2012)
Vincent Tophoff, International Federation of Accountants, Senior Technical Manager
Keith Wilson, Public Company Accounting Oversight Board, Deputy Chief Auditor
Additional PwC Contributors
Mark Cohen, Partner, San Francisco, USA
Andrew Dahle, Partner, Chicago, USA
Junya Hakoda, Partner (Retired), Tokyo, Japan
Brian Kinman, Partner, St. Louis, USA
Pat McNamee, Partner, Florham Park, USA
Jonathan Mullins, Partner (Retired), Dallas, USA
Alexander Young, Partner, Toronto, Canada
Antoine Elachkar, Managing Director, Washington D.C., USA
Gary Moss, Managing Director, Milwaukee, USA
Catherine Jourdan, Director, Paris, France
Frank Maggio, Director, Chicago, USA
Christopher Michaelson, Director, Minneapolis, USA
Sallie Jo Perraglia, Manager, New York, USA
Tracy Walker, Director, Bangkok, Thailand
Qiao Pan, Senior Associate, New York, USA
Preface

This project was commissioned by COSO, which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations.

COSO is a private sector initiative, jointly sponsored and funded by:
American Accounting Association (AAA)
American Institute of Certified Public Accountants (AICPA)
Financial Executives International (FEI)
Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)
Table of Contents
Foreword ..... i
1. Introduction ..... 1
2. Control Environment ..... 11
3. Risk Assessment ..... 45
4. Control Activities ..... 73
5. Information and Communication ..... 103
6. Monitoring Activities ..... 131
Appendix
Examples by Topic ..... 148
Internal Control Integrated Framework September 2012
Foreword

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an update to its Internal Control Integrated Framework (Framework). The original framework, which was released in 1992, has gained broad acceptance and is widely used around the world. It is recognized as a leading framework for designing, implementing, and conducting internal control and for establishing requirements for an effective system of internal control. To help users apply the Framework to internal control over external financial reporting, COSO has released this companion publication, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples (Compendium).

The Framework retains the core definition of internal control and the five components of internal control. At the same time, the Framework includes enhancements and clarifications that are intended to ease use and application. One of the more significant enhancements is the formalization, as principles, of fundamental concepts introduced in the original framework. These principles associated with the five components provide clarity for users in designing and implementing systems of internal control. In turn, this Compendium provides approaches and examples to illustrate how entities may apply the principles set out in the Framework to a system of internal control over external financial reporting.

In the twenty years since the release of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time, stakeholders have become more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization. The Framework and the Compendium incorporate many of these changes, including:

Expectations for Governance Oversight: Higher regulatory and stakeholder expectations require the board of directors to oversee internal control over external financial reporting. Some jurisdictions impose specific regulatory requirements for the expertise and independence of board members of certain types of entities.

Globalization of Markets and Operations: Organizations expand beyond domestic markets in the pursuit of value, often entering into international markets and executing cross-border mergers and acquisitions.

Changes and Greater Complexity in the Business: Organizations change business models and enter into complex transactions in pursuit of growth, greater quality, and productivity, and in response to changes in market and regulatory environments. These changes may include entering into strategic alliances, joint ventures, and other complex contractual arrangements with external parties, implementing shared services, and engaging outsourced service providers.
1. Introduction

COSO's Internal Control Integrated Framework (Framework) sets forth three categories of objectives: operations, reporting, and compliance. The focus of this publication, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples (Compendium), is the external financial reporting category of objectives, a subset of the reporting category. External financial reporting objectives address the preparation of financial reports for external parties, including:
Financial statements for external purposes, and
Other external financial reporting derived from an entity's financial and accounting books and records.

Using this Document

The Compendium has been developed to assist those users of the Framework who are responsible for designing, implementing and conducting a system of internal control over external financial reporting (ICEFR) that supports the preparation of financial statements and other external financial reporting. It is also relevant to entities that report on the effectiveness of internal control over financial reporting relating to financial statements for external purposes. The preparation of financial statements for external purposes and other external financial reporting applies to:

Public Entities: Often, public entities are required by rules and regulations to prepare financial statements for external purposes; additionally, they often prepare other external financial reporting derived from their financial and accounting books and records, such as earnings press releases, or information included in stipulated reports for business partners or lending agencies as required by contractual obligations.

Private Entities: Entities whose ownership may be closely held may prepare financial statements to provide to banks and other third parties in order to raise capital or to meet contractual obligations. These can be in accordance with standards and regulations; however, often there is no requirement for private entities to prepare the financial statements in accordance with specific standards or regulations, and the form of the financial statements or other external financial reporting is stipulated by contractual obligations or a third party.

Not-For-Profit Entities: These entities may prepare financial statements for external purposes in accordance with appropriate rules and regulations; however, since these entities' purpose is other than realizing and generating profit, they may prepare other financial reporting for donors, government agencies, or other third parties in order to raise funds to support the stated cause, not necessarily in accordance with specific standards or regulations.
Governmental Entities: In addition to any financial statements for external purposes that might be required by law, governmental entities may prepare financial reporting, to provide to the public or to other governmental oversight agencies, that is not necessarily required to be prepared in accordance with specific standards or regulations.

In applying the Framework, users will find relevant approaches and examples in the Compendium of how organizations apply various aspects of the principles in the design, implementation and conduct of internal control over external financial reporting objectives. These approaches and examples relate to each of the five components and seventeen principles set forth in the Framework.

Approaches describe how organizations may apply these principles within their system of internal control over external financial reporting. Approaches are designed to give users of the Compendium a summary-level description of activities that management may consider as they apply the Framework in an ICEFR context.

Examples provide specific illustrations to users on the application of each principle, based on situations drawn from practical experiences. Examples may illustrate one or more points of focus of a particular principle. They are not designed to provide a comprehensive, end-to-end example of how the principle may be fully applied in practice.

The Compendium includes an appendix that highlights those examples that relate to the changes in business and operating environments that are noted in the Framework.

Note that this document is not designed to be read from beginning to end. Nor are the approaches and examples linked across the principles; rather, they stand on their own and relate to specific points of focus of the principles. Finally, even though the definitions, components, principles, and points of focus are consistent with those found in the Framework, readers should refer to the Framework for a comprehensive discussion of how entities design, implement, and conduct internal control, and for the requirements of an effective system of internal control.

Specific Considerations of External Financial Reporting

This section considers some unique aspects of applying the Framework in the context of external financial reporting, and especially preparing financial statements for external purposes.

Types of External Financial Reports

External financial reporting objectives are consistent with accounting principles suitable and available for that entity and appropriate in the circumstances. External financial reporting objectives address the preparation of financial reports, including financial statements for external purposes and other external financial reporting derived from an entity's financial and accounting books and records.
Financial Statements for External Purposes

Financial statements for external purposes are prepared in accordance with applicable accounting standards, rules and regulations. These financial statements include annual and interim financial statements, condensed financial statements, and selected financial information derived from such statements. These statements may, for instance, be publicly filed with a regulator, distributed through annual meetings, posted to an entity's website, or distributed through other electronic media.

Another form of financial statements prepared for external purposes may be financial reports prepared in accordance with another comprehensive basis of accounting, such as those required by taxing authorities, regulatory agencies, or requirements established through contracts and agreements. These financial reports are typically distributed to specified external users (e.g., reporting to a bank on financial covenants established in a loan agreement, to a taxing authority in connection with filing tax returns, or reporting financial information to an energy regulatory commission).

Other External Financial Reporting

Other external financial reporting, derived from an entity's financial and management accounting books and records rather than from financial statements for external purposes, may include earnings releases, selected financial information posted to an entity's website, and selected amounts reported in regulatory filings. External financial reporting objectives relating to such other financial information may not be driven directly by standard setters and regulators, but are typically expected by stakeholders to align with such standards and regulations.

Suitable Objectives of Financial Statements for External Purposes

Complies with Applicable Accounting Standards

Regulators and accounting standard-setters establish laws, rules, and standards relating to the preparation of financial statements for external purposes. These financial reporting rules and standards form the basis upon which management specifies suitable objectives for the entity and its subunits.

When specifying suitable external reporting objectives relating to the preparation of financial statements, management considers the accounting standards that are applicable to that entity and its subunits. Management also specifies the accounting principles that are appropriate in the circumstances. For example, management may set an entity-level external financial reporting objective as follows: "Our Company prepares reliable financial statements reflecting activities in accordance with generally accepted accounting principles."

Management specifies suitable sub-objectives for divisions, subsidiaries, operating units, and functions with sufficient clarity to support entity-level objectives. For example, a US company applies accounting principles generally accepted in the United States of America (US GAAP) to all subunits in preparing its consolidated financial statements, and it applies International Financial Reporting Standards (IFRS) to those subunits that submit subsidiary financial statements in statutory filings in non-United States jurisdictions.

Further, management specifies appropriate accounting principles (e.g., US GAAP, IFRS) to apply to transactions and events of the entity. For example, management specifies that FASB Accounting Standards Codification No. 605 Revenue Recognition and SAB 101A Revenue Recognition in Financial Statements (US GAAP), or IAS 18 Revenue Recognition (IFRS), apply to all sales transactions as applicable to the entity's or subunit's respective external financial reporting objective.

Considers Materiality

Financial statement materiality sets the threshold for determining whether a financial amount is relevant. Entities must consider suitable regulations and guidance promulgated by standard-setters and regulators.[1]

Reflects Entity Activities

External financial reporting reflects the entity's transactions and events. In preparing external financial statements, management implicitly or explicitly considers suitable objectives and sub-objectives relating to qualitative characteristics (e.g., reliability, transparency) and assertions (e.g., existence and completeness of transactions). Accounting standard setters may also determine relevant qualitative characteristics and assertions for external financial reporting.

For example, reliability is a frequently used qualitative characteristic associated with external financial reporting objectives. Reliability involves preparing external financial statements that are free of material error and bias. Reliability is also necessary for an entity's external reporting to faithfully represent the transactions or other events it purports to represent.

Management makes assertions regarding the recognition, measurement, presentation, and disclosure of account balances and classes of transactions and events in the entity's financial statements. For example, one grouping of assertions relating to financial statements is summarized as follows:[2]

Existence or Occurrence: Assets, liabilities, and ownership interests exist at a specific date, and recorded transactions represent events that actually occurred during a certain period.

Completeness: All transactions and other events and circumstances that occurred during a specific period, and that should have been recognized in that period, have in fact been recorded.

Rights and Obligations: Assets are the rights, and liabilities are the obligations, of the entity at a given date.

[1] For example, Topic 1M of the Staff Accounting Bulletins of the United States Securities and Exchange Commission provides guidance on assessing materiality.
[2] These financial statement assertions are substantially consistent with those established by the American Institute of Certified Public Accountants and the International Auditing and Assurance Standards Board.
Valuation or Allocation: Asset, liability, revenue, and expense components are recorded at appropriate amounts in conformity with relevant and appropriate accounting principles. Transactions are mathematically correct and appropriately summarized and recorded in the entity's books and records.

Presentation and Disclosure: Items in the statements are properly described, sorted, and classified.

For example, management specifies sub-objectives for sales transactions that apply the applicable accounting standards based on the circumstances and that address relevant financial statement assertions and qualitative characteristics, such as:
All sales transactions that occur are recorded on a timely basis.
Sales transactions are recorded at correct amounts in the right accounts.
Sales transactions are accurately and completely summarized in the entity's books and records.
Presentation and disclosures relating to sales are properly described, sorted, and classified.

Judgment

In preparing financial statements, management exercises judgment in complying with external financial reporting requirements. Management considers how identified risks to specified financial reporting objectives and sub-objectives should be managed. Management's alternatives for responding to risk may be limited compared to some other categories of objectives. That is, management is less likely to accept a risk than to reduce the risk. For instance, management may decide to mitigate a risk by outsourcing transaction processing to a third party that is better suited to perform the business process. However, management always retains responsibility for designing, implementing, and conducting its system of internal control even when outsourcing to a third party. For external financial reporting objectives, risk acceptance or avoidance should occur only when identified risks could not, individually or in aggregate, exceed the risk threshold and result in a material misstatement.

Management also exercises judgment in selecting and applying suitable accounting principles, particularly those relating to subjective measurements and complex transactions. For instance, management exercises judgment in making assumptions and using data in developing accounting estimates, in applying accounting principles to complex transactions, and in preparing reliable and transparent presentations and disclosures. Internal control over external financial reporting addresses the potential for bias in exercising judgment that could lead to a material misstatement in external financial reporting.
Overlapping Objectives

Many controls are interrelated and may support multiple objectives. An objective in one category may overlap or support an objective in another. For example, closing the financial reporting period within five workdays may be a goal supporting primarily an operations objective (to support management in reviewing business performance), but it also supports timely reporting and timely filings with regulatory agencies.

The category in which an objective falls can sometimes vary depending on the circumstances. For instance, controls to prevent theft of assets, such as maintaining a fence around inventory or having a gatekeeper verify proper authorization of requests for movement of goods, fall under the operations category. These controls may not be relevant to reporting where inventory losses are detected following periodic physical inspection and are then recorded in the financial statements. However, if for reporting purposes management relies solely on perpetual inventory records, as may be the case for interim or internal financial reporting, the physical security controls would then also fall within the reporting category: those physical security controls, along with controls over the perpetual inventory records, are needed to achieve reporting objectives. A clear understanding is needed of the entity's processes and its policies and procedures, and of their respective impact on each category of objectives.

Deficiencies in Internal Control

The term "internal control deficiency" refers to a shortcoming in a component or relevant principle of the system of internal control that has the potential to adversely affect the ability of the entity to achieve its objectives. There are many potential sources for identifying internal control deficiencies, including the entity's monitoring activities, assessment of effectiveness in other components of internal control, and external parties that provide input relative to the presence and functioning of a component or relevant principle.

When an organization determines that an internal control deficiency exists, management must assess the severity of that deficiency based on its potential effect on the entity's system of internal control. Assessing the severity of an internal control deficiency or combination of deficiencies requires management to exercise judgment to determine the potential impact on the system of internal control. Regulators, standard-setting bodies, and other relevant third parties establish criteria for evaluating the severity and corresponding classification and reporting of deficiencies relating to external reporting, operations, and compliance objectives. As well, for internal reporting and other operations objectives, management and the board of directors may need to establish objective criteria for evaluating internal control deficiencies and for reporting to those responsible for achieving these objectives. The Framework does not prescribe such criteria, but recognizes and accommodates the authority and responsibility of those other parties that interact with the entity to issue such laws, rules, regulations, and standards for conducting assessments and classifications.
control are in place and functioning. The nature and extent of the documentation may be influenced by the entity's regulatory requirements. This does not necessarily mean that all documentation will or should be more formal, but that sufficient evidence that the components of internal control are present and operating together is available and suitable to satisfy the entity's objectives.

In cases where an external auditor attests to the effectiveness of the overall system of internal control, management will likely be expected to provide the auditor with support for its assertion on the effectiveness of internal control. That support would include evidence that the system of internal control is properly designed and operating effectively. In considering the nature and extent of documentation needed, management should also remember that the documentation supporting the assertion will likely be used by the external auditor as part of his or her audit evidence. Management may also document significant judgments, how such decisions were considered, and the final decisions reached.

Approaches and Examples for Applying Principles

The Compendium illustrates through approaches and examples how the principles apply to external financial reporting objectives. Each chapter focuses on one of the five components of internal control and contains:
A summary of the component that is consistent with the Framework
A listing of principles associated with that component
A listing of relevant approaches for applying principles in an external financial reporting context

For each principle, there is a listing of approaches that illustrate how organizations apply the principles in designing, implementing or conducting certain aspects of internal control over external financial reporting. The approaches apply to any size or type of entity and, for consistency and illustrative purposes, incorporate the points of focus contained in the Framework. This structure is intended to assist users in understanding the linkages of the points of focus to their associated principle. Various organizations apply these approaches differently depending on the entity's circumstances, and the application by a particular entity is likely to evolve as circumstances change over time. The approaches included are not intended to be a comprehensive listing. Users should recognize that points of focus not listed in the Framework may also be suitable and relevant in the user's judgment, depending upon the entity's particular circumstances.

For each approach, one or more examples are provided to illustrate how an important aspect of the approach has been put in place by entities that prepare financial statements for external purposes. The examples are based on the experiences of entities, and some details may have been modified for the purposes of this publication (e.g., entity and personal names are fictional and not attributable to any specific entity). The examples are not intended to be construed as best practices or suggested solutions for users of the Framework. Further, the examples are not necessarily sufficient to demonstrate that a particular principle is present and functioning as defined in the Framework.
Introduction
These approaches and examples are likely to be relevant to many types of entities (including public, private, not-for-profit, and governmental entities) that aim to prepare financial statements for external purposes and other forms of external financial reporting. Where an example is not applicable to all types of entities, this is noted. Finally, even though the approaches and examples primarily relate to the preparation of financial statements for external purposes, any entity seeking to design, implement, and conduct a system of internal control to achieve other external financial reporting objectives may also benefit from them.
Framework | Control Environment Risk Assessment Control Activities Information and Communication Monitoring Activities
Principles and Approaches

Principle 1. The organization demonstrates a commitment to integrity and ethical values.
Approaches:
- Establishing Standards of Conduct
- Leading by Example on Matters of Integrity and Ethics
- Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct
- Reporting and Taking Prompt Action on Deviations from Standards of Conduct

Principle 2. The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.
Approaches:
- Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors
- Establishing Policies and Practices for Meetings between the Board of Directors and Management
- Identifying and Reviewing Board of Director Candidates
- Reviewing Management's Assertions and Judgments
- Obtaining an External View
- Considering Whistle-Blower Information about Financial Statement Errors and Irregularities

Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Approaches:
- Defining Roles and Reporting Lines and Assessing Them for Relevance
- Defining Authority at Different Levels of Management
- Maintaining Job Descriptions and Service-Level Agreements
- Defining the Role of Internal Auditors
These documents emphasize that every individual is responsible for maintaining an ethical environment and reporting any ethical breaches. Service-level agreements and contracts with external parties include the relevant language to specify the company's expected standards of conduct and serve as a basis for evaluating adherence. The code also specifically sets the expectation of reporting and resolving issues by providing clear information on how to ask a policy question or report a violation through an independent third party.
Approach: Leading by Example on Matters of Integrity and Ethics

The CEO and key members of management articulate and demonstrate the importance of integrity and ethical values across the organization. The various forms and mechanisms used to do this may include:
- Communications from senior management that support the expected standards of conduct and that stay consistent as they permeate throughout the organization
- Day-to-day actions and decision making at all levels of the organization that are consistent with the expected standards of conduct
- Interactions with suppliers, customers, and other external parties that reflect fair and honest dealings
- Performance appraisals and incentives that reinforce expected standards of behavior consistent with the entity's objectives at all levels of the organization
- Timely inquiries and investigations into any alleged conduct that is inconsistent with the entity's standards of conduct
- Corrective action when deviations from expected standards of conduct occur

While this approach can be synonymous with that of establishing standards of conduct when both operate effectively, history has shown instances where organizations define and communicate honorable standards of conduct, yet senior management does not internalize or exhibit these standards in its conduct, and therefore sets a different tone than what is expected.
Example: Using a Company Newsletter to Reinforce Expectations of Integrity and Ethics

Space Inc., a supplier to the aerospace industry, uses its monthly newsletter to employees, outsourced service providers, business partners, and other external parties to emphasize the importance of exercising sound integrity and ethical values. Each edition of the newsletter contains a section related to ethical decision making and consequences of violations of the code. The newsletter draws attention to the multitude of resources available to discuss and resolve ethical issues; it also reports what actions are taken by senior management when the code is violated at any level of the organization. The newsletter illustrates the open dialogue and resolution of issues that is actively promoted by senior management.

Examples of ethical dilemmas are provided, along with suggested resolutions. The newsletter points out that reports of violations originate from a variety of sources,
including employees, managers, the company's anonymous hotline, and external parties. Responses range from no action (in cases where the violation is shown not to have occurred) to various levels of discipline, including dismissal.

Finally, the newsletter reminds all Space Inc. employees, from senior management to all levels of employees, that as part of their annual performance review they must certify that they have read the company's mission statement and code of conduct and that they comply with policies at all times.
Approach: Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct

The board of directors and senior management evaluate adherence to the company's standards of conduct. This is accomplished in a variety of ways, which may include:
- Assessing results from training and ethics certification processes
- Considering anomalies in key performance indicators and internal analytical reviews of operational and financial information that could be a potential indicator of fraudulent financial reporting or other misconduct
- Considering the results from ongoing and separate evaluations of internal control, which include evaluations of internal control at outsourced service providers and business partners who provide information necessary to produce external financial reporting
- Analyzing issues and trends from hotlines and help lines made available within the organization that could indicate potential fraud occurrences and other ethical concerns
- Requesting feedback from meetings held with outsourced service providers and business partners when obtaining financial information or information that impacts the entity's internal control over external financial reporting
Example: Conducting Ethics Audits

The not-for-profit organization Partners for Development conducts scheduled audits to determine whether employees are receiving and understanding the board-approved standards of conduct when they are first hired and as part of communications, training, and annual review processes. The audits also include non-employees and consultants from their IT service provider. The standards consist of three documents: the code of ethics and standards of personal conduct, the compliance policy statement, and the expected standards of conduct.

Partners for Development's purpose in conducting these audits is to determine if there are any instances of non-compliance and to use those findings to assess and correct any deficiencies in the organization's new-hire orientation, communications, training, and employee review processes. Upholding the organization's standards of conduct is a fundamental requirement for continued funding from its government sponsors.
Exercises Oversight Responsibility
Principle 2. The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning.
- Establishes Oversight Responsibilities: The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
- Applies Relevant Expertise: The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions.
- Operates Independently: The board of directors has sufficient members who are independent from management and objective in evaluations and decision-making.
- Provides Oversight for the System of Internal Control: The board of directors retains oversight responsibility for management's development and performance of internal control:
  - Control Environment: Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountability to the board
  - Risk Assessment: Overseeing management's assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud, and management override of internal control
  - Control Activities: Providing oversight to senior management in the development and performance of control activities
  - Information and Communication: Analyzing and discussing information relating to the entity's achievement of objectives
  - Monitoring Activities: Assessing and overseeing the nature and scope of monitoring activities and management's evaluation and remediation of deficiencies
Control Environment | Exercises Oversight Responsibility
Approaches and Examples to Applying the Principle
Approach: Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors [5]

The roles, responsibilities, and powers of delegation of the board of directors are defined in its corporate bylaws and committee charters in accordance with applicable regulatory and listing requirements. For external financial reporting purposes, the board typically forms an audit committee whose responsibilities include overseeing:
- The effectiveness of internal control over external financial reporting, including the assessment of risks, significant deficiencies, and material weaknesses (if any)
- Management's assessment of any significant matters, considering the potential impact on financial reporting and need for corrective action
- The quality of financial reporting and disclosures
- The hiring of and payment to the external auditor

Audit committee members typically demonstrate independence of thought and substance by absence of any material financial or other personal ties to the company, which could impede their ability to provide unbiased guidance and oversight.

The responsibilities of the board and audit committee are to oversee management's performance of internal control. The board must therefore retain objectivity in relation to management.
Example: Reviewing and Documenting Key Activities of the Audit Committee

Every year, the board of directors of Northern Power, a distributor of electricity, commissions an effectiveness evaluation of its audit committee relative to its charter. The charter sets out the responsibilities and key activities of the committee. Under the charter, the committee solicits from management and independent reviewers as necessary the information required to:
- Oversee the quality and reliability of financial reporting and disclosures
- Understand the key risks facing the organization and the processes management uses to identify, assess, and manage risks, considering internal audit findings, litigation, compensation schemes, regulation, and compliance
- Evaluate organizational behavior, culture, and adherence to standards of conduct
- Understand how management and the external auditor evaluate materiality for financial reporting purposes
- Assess reasonableness and appropriateness of critical accounting policies of the company
[5] In practice, many of the activities of the board of directors included here would be carried out by one of its committees, such as the audit committee.
- Confirm or reject the basis for management estimates and proposed accounting policy changes before approving
- Evaluate, retain, or change external auditors
- Review audit plans
- Review management's assessment of internal control over external financial reporting

The results of the evaluation are used to determine whether the roles and responsibilities of the committee have been met and could result in committee member changes or impact remuneration. In addition to the annual review, every three years the company conducts a benchmark review against leading practices and refines its charter, as appropriate.
Approach: Establishing Policies and Practices for Meetings between the Board of Directors and Management

The board of directors reviews and approves policies and practices that support the performance of internal control across the business in regular meetings between management and the board. The processes and structures particularly relevant to the audit committee of the board are those that provide:
- Appropriate forums to enable board members to ask probing questions of management
- A calendar that establishes the timing and frequency of meetings with management
- Expected practices to keep board members current on both emerging and adopted accounting standards and their impact on the entity's financial statements
- Procedures to review management's development and performance of internal control over external financial reporting
- Authority to engage experts as needed and oversight to ensure that management appropriately resolves matters raised by the board
- Criteria and procedures for calling special and/or urgent meetings as necessary
- Allocation of time in board meetings for discussions with external advisors, internal and external auditors, and legal counsel without management being present

The policies and practices are updated as needed to reflect changes in internal and external expectations, including rules and regulations.

Example: Establishing an Audit Committee Meeting Calendar

The audit committee of Outer Limits Innovations, an aerospace control systems supplier, uses its charter as guidance when setting its meeting dates and agendas. Fred Krahn, the chair of the committee, plans for at least one meeting during the year at
which each responsibility set forth in the charter is discussed. This practice helps the audit committee cover all relevant responsibilities, and helps management anticipate and plan for the committee's expectations. The meeting calendar, which is shown below, is periodically reassessed to adjust for emerging regulatory and technical matters that could affect the company or the industry.
Meeting calendar. Each item is scheduled against a planned frequency (A, E, or AN) and a meeting quarter (1, 2, 3, or 4):

Audit Committee Issues
- Report of results of annual independent audit to the board
- Appointment of the external auditor
- Approval of external auditor fees for upcoming year
- Review of annual proxy statement audit committee report
- Assessment of the adequacy of audit committee charter
- Approval of audit committee meeting plan for the upcoming year; confirm mutual expectations with management and the auditor
- Audit committee self-assessment
- Approval of guidelines for engagements of external auditors for other services (pre-approval policy)
- Approval of any non-audit services provided by outside auditors
- Report of external auditor pre-approval status/limits
- Review of procedures for handling financial reporting errors or irregularities
- Oversees fraud risk assessment process
- Approval of minutes of previous meeting
- Report quarterly matters to the board (chair)
- Schedule executive session of committee members
- Other matters

Financial Management
- Annual Report, 10-K, and Proxy Statement matters
- Quarterly report earnings review with management and external auditor, pre-approval of external auditor professional activities
- Assessment of system of internal control
- Status of significant accounting estimates, judgments, and special issues (e.g., major transactions, accounting changes, SEC issues, etc.)
- Other matters (adequacy of staffing, succession planning, etc.)

A = Annually; E = Each Meeting or Conference Call; AN = As Necessary
Example: Preparing Effectively for Meetings

The audit committee of Millennium Lighting, a manufacturer of lighting and ventilation equipment, is chaired by Janis White, a CPA with financial reporting expertise and previous public accounting experience. Ms. White regularly distributes to the committee members any updates from management on technical matters.

Before each committee meeting, she circulates the draft agenda both to the committee members and the external auditors to solicit their input on any additional technical accounting agenda items they would like to discuss. Ms. White is committed to keeping open channels of communication with the external audit engagement partner and the company's chief audit executive to ensure she receives timely updates on any discussions occurring with management as technical matters emerge. Internal audit, litigation, and corporate social responsibility are a few of the areas that are regularly solicited for input by the board or audit committee.
Approach: Identifying and Reviewing Board of Director Candidates

The board of directors periodically assesses and confirms its collective ability to provide effective oversight. Through independent review and self-assessment it determines the adequacy of its composition, whether it has sufficient independent members, and the appropriate expertise.

To meet the entity's external financial reporting objectives, the board of directors identifies certain board candidates who are independent of both management and the entity and who have requisite financial reporting and other relevant expertise. These members are typically assigned to the audit committee. [6] Such expertise may be established through professional networks and organizations and by educational institutions whose missions are aligned to the advancement of the financial reporting profession.

The board reviews the results of due diligence performed on potential board candidates and confirms their competence and ability to remain unbiased. The procedures to ensure that potential board members meet the defined criteria may include:
- Evaluating the key risks facing the organization and accordingly defining board member profile requirements
- Performing background checks and obtaining independent references
- Reviewing current affiliations and directorships to ensure independence relative to management and the entity
- Considering skills and expertise, ranging from financial to regulatory and various technical knowledge needed to understand the issues that could affect the company's external financial reporting
- Validating that any credentials and certifications held demonstrate an achieved competence level

[6] Standard setters, regulators, or listing agencies may have specific requirements regarding director independence, qualifications, and the makeup of the audit committee.
- Reviewing information about financial and other relationships with the company, its external auditors, or management
- Using an independent nominating committee or search firm to oversee due diligence procedures
- Evaluating periodically the due diligence procedures used for identifying potential directors, including checking that an individual director's certifications are complete, up-to-date, and comply with the entity's ethics guidelines and independence rules
Example: Changing the Board Composition of a Closely Held Company

Giante Ore is a mining exploration company whose shares are traded on an over-the-counter bulletin board. Giante Ore has long maintained a board of directors that includes three of the CEO's family members and three outside, but not independent, directors: the company's outside legal counsel, a venture capitalist, and a personal friend of the CEO.

Giante Ore recognized that it needed to strengthen its control environment and board effectiveness. To that end, it revisited its board structure. The three relatives and one personal friend of the CEO left the board and have been replaced by four independent directors, all of whom are financially literate. One of the four has specific financial expertise. These directors have now been appointed to a newly formed audit committee with its responsibilities set forth in a charter.

Example: Assessing and Disclosing Director Qualifications

When Greene Inc. needs to identify new members for its board, it follows a detailed procedure to ensure the best possible candidates are chosen. The nominating committee works with the human resources department, the legal department, and an independent executive search firm to identify candidates and conduct due diligence in support of the interest of the company in its short- and longer-term objectives. The key skills it has identified are financial literacy, liquidity risk management expertise, business continuity planning, and corporate social responsibility reporting experience that reflects the business performance expectations of the company's stakeholders.

The same team conducts an annual review to ensure that board members continue to have the requisite competence and independence given the entity's stakeholder needs. The senior management of Greene Inc. provides the results of the review in its public filings.
Approach: Reviewing Management's Assertions and Judgments

The board demonstrates an appropriate level of skepticism of management's assertions and judgments that affect financial reporting by asking probing questions. In particular, the audit committee of the board seeks clarification and justification of the company's process for:
- Selecting and implementing accounting policies
- Determining critical accounting estimates
- Making key assumptions used in the application of technical accounting and reporting matters
- Evaluating other risks facing the organization, with the potential impact on financial reporting

Example: Reviewing Financial Statement Estimates

Future Fabrications manufactures specialty polymer products. The audit committee meets regularly with management to review the reasonableness of management's assumptions and judgments used to develop significant estimates. The committee then meets privately with the external auditor to discuss its assessment of management's estimates and the related impact on financial reporting.

This practice is carried out for all assumptions related to key financial statement accounts, disclosures, and relevant assertions. For example, for Future Fabrications' annual goodwill evaluation, management provides relevant information regarding any specialists engaged to assist the company, key judgments and assumptions included in the company's discounted cash flow model, plausible sensitivity scenarios that were considered, and confirmation of the appropriate technical accounting standard applied.

Approach: Meeting with Auditors

The audit committee of the board meets regularly with internal and external auditors, in private when necessary, to review and provide oversight of:
- Key risks facing the organization
- Audit scope and testing plans
- Basis for definition of materiality threshold
- Changes in accounting policies
- Assumptions in models and calculations
- Resources and staffing
- Significant audit findings
- Quality and reliability of financial reporting and disclosures
Example: Interacting with Auditors

Sara Greenburg is the chair of the audit committee of Seaworthy Solutions, a marine construction services provider. She arranges for the committee to meet quarterly with the external auditor to discuss a wide range of issues such as audit scope, testing plans, internal control over external financial reporting, quality of financial reporting, and audit findings and recommendations. She is responsible for coordinating the audit committee's evaluation of the external auditor. She bases her evaluation on a number of considerations, including the firm's reputation, the qualifications of the audit partner and team, knowledge and experience in the company's industry, and the firm's quality control procedures. Ms. Greenburg believes that these interactions, supplemented as needed with interim conversations, effectively position the audit committee chair to monitor the external auditor's performance and make an informed judgment on any need to modify or terminate the relationship.

The audit committee also regularly meets with Seaworthy's chief audit executive to ensure that the same oversight objectives of the internal audit function are attained. The chief audit executive has a direct reporting line to the audit committee to enable an objective mindset and facilitate the escalation of issues.

Author's note: This example was taken from a public company in the US. Standard setters, regulators, or specific listing agencies may have specific requirements regarding composition and operating responsibilities of the audit committee. These may vary based on the situation, and the facts and circumstances of this example influenced the responsibility and the frequency of meetings.
Approach: Considering Whistle-Blower Information about Financial Statement Errors and Irregularities

The audit committee considers information obtained from the company's whistle-blower and anti-fraud programs (or similar processes) to monitor the risks of misstatements in financial reporting. These may include risks of inappropriate acts by staff and management override of controls. The audit committee evaluates management's analysis of significant matters, potential impact on financial reporting, and corrective actions being taken.

Example: Assessing the Potential of Management Override

Generation Now is an electricity transmission and distribution company. At least annually, its audit committee discusses in executive session its assessment of the risks of management override of internal control, including motivations, opportunities, and rationalizations for management override and how those activities might be concealed. The committee reviews independent evaluations of the functioning of the company's whistle-blower process and related reports and the fraud hotline, and from time to time it also makes inquiries of those managers who are not directly responsible for financial reporting (including personnel in sales, procurement, and human resources, among others). It also collects information whenever any concerns are expressed about ethics or possible management override of internal controls. The process of questioning continues until resolution is reached.
Control Environment | Establishes Structure, Authority, and Responsibility
Approaches and Examples to Applying the Principle
Approach: Defining Roles and Reporting Lines and Assessing Them for Relevance

Senior management prepares organizational charts to document, communicate, and enforce accountability for the achievement of the entity's financial reporting objectives. The organizational charts can be used to:
- Set forth assignments of authority and responsibility
- Ensure duties are appropriately segregated
- Establish reporting lines and communication channels
- Define the various reporting dimensions relevant to the organization
- Identify dependencies for roles and responsibilities involved in financial reporting as well as those accountable for external parties

Each unit or department within the entity that is relevant to external financial reporting aligns its roles and responsibilities to processes supporting the financial reporting objectives. Senior management and the board of directors verify that accountability and information flow within each of the various organizational structures (by business segment, geographical location, legal entity, or other) continually support the achievement of the entity's existing financial reporting objectives. Existing structures are periodically assessed for relevance, considering changes in the entity or the environment in which it operates, to ensure such alignment.
Example: Reorganizing to Support Control Structure
Before Harmony Homes Real Estate became a public company, a wide range of the employees reported to the owner and CEO, Milton Chang, and the business structures in the US and in Asia were loosely connected. During the plans to go public, Mr. Chang, with the board's guidance, took steps to strengthen the organizational structure to better support both operations and financial reporting objectives. Management created three departments to oversee its core business activities: sales and customer service, purchasing/inventory, and production. Geographic governance structures were also established to oversee operations by jurisdiction and facilitate reporting to local regulators and other stakeholders. The managers charged with leading each of these departments and territories, as well as the managers of key staff functions, documented each person's responsibility in the processes. Job descriptions, including internal control responsibilities, were developed to support full understanding of each person's role.
Clearly defined roles help to ensure responsibilities are carried out in support of the organization's objectives. They also provide the basis for risk assessment, control activities, information and communication, and monitoring activities along different dimensions simultaneously.
Considers All Structures of the Entity
Establishes Reporting Lines
Defines, Assigns, and Limits Authorities and Responsibilities
This intensive training has provided senior management of Orex with the confidence that their CFO and controller now have sufficient knowledge to make informed decisions on the proper application of the standard. Documentation of the training attended has been tracked and included in Ms. Shreve's and Mr. Tellemann's employee files.
Approach: Selecting Appropriate Outsourced Service Providers
Management identifies the required skills and experience necessary to support the entity's external financial reporting objectives. It then decides whether to internally retain people with these skills and experience or to outsource to a third party. The suitability of a third party is determined not only by assessing skills and experience, but also by considering the entity's policies on using vendors and on ethical standards. The contractual arrangement with the outsourced service provider captures these competence requirements and provides the basis for the entity to periodically assess the outsourced service provider's continued commitment to competence.
Example: Retaining External Tax Assistance
Compu Services, a developer of analytical software products, currently has limited tax accounting expertise among its staff. The finance director therefore sought to contract with a third-party accounting firm, SMR Ledger, LLP, to review its tax provisions. SMR Ledger is a different accounting firm from the Compu Services auditor.
For successful selection and use of the vendor's services, management was careful to verify that the vendor met the suitability standards set forth in Compu Services' policies. Being impacted directly by the quality of the control procedures carried out by the vendor, the CFO spends time with the vendor to understand any assumptions used in models or calculations, particularly as they may impact financial reporting. Indeed, while Compu Services management chooses to outsource certain tax activities, it remains responsible for the effectiveness of relevant controls regardless of where they are operated. The company therefore requests annual independent certifications of the vendor's internal control effectiveness.
Approach: Evaluating Competence and Behavior
To maintain and advance the entity's expected competence and behavioral standards, management develops policies and conducts practices that may include:
Developing incentives and rewards that consider the multiple dimensions of conduct and performance
Reinforcing expectations of continued demonstration and strengthening of expected levels of competence
Ensuring individual and team goals in support of the achievement of the entity's objectives are defined, use observable metrics, and are communicated to each employee
Control Environment | Demonstrates Commitment to Competence
Developing a performance appraisal process that confirms employee knowledge of both their progress against their goals and their status within the organization
Conducting periodic performance reviews and evaluating employees relative to their assigned roles to confirm that the employees' skills are appropriate for their current job responsibilities
Making appropriate advancement or termination decisions based on performance reviews
Changing the performance appraisal process as needed based on lessons learned or changes in strategy and operating objectives
Continually endorsing behavior that is consistent with competence standards, and discouraging inconsistent behavior
Using the same criteria, the board of directors evaluates the competencies of individuals serving in key financial reporting roles, such as the CEO and CFO.
Example: Periodically Assessing Performance
City Government periodically reviews the performance of its employees who are responsible for owning, executing, or testing financial reporting controls. Performance is evaluated against expectations that are established at the beginning of each year. The progress achieved on needed improvements is reviewed with employees at the end of each quarter, and a more formal annual review process occurs following the year-end reporting cycle. An employee's career advancement is based on the overall performance rating. Management identifies specific areas for improvement and professional growth, which employees can address with training and development steps, as jointly agreed with the respective manager in the context of City Government's finance function and overall performance objectives.
Example: Audit Committee Review of Managers' Roles
The bylaws of Lead Products Co. specify the responsibility of the audit committee of the board for reviewing the principal roles and responsibilities of key financial reporting senior management. To this end, the chair of the audit committee meets annually with the company's human resources director, chief audit executive, and legal counsel to review the roles, responsibilities, and performance of the various company managers. The review focuses on aligning respective managerial responsibilities with Lead Products' organization chart, and the managers' expertise and experience in carrying out the responsibilities.
Approach: Evaluating Sufficiency and Competency of Finance Personnel
Senior management evaluates the sufficiency and competency of the personnel who are involved in recording and reporting financial information, and in designing and developing financial reporting systems including underlying IT systems. Senior management assesses the department's ability to identify issues, articulate positions supported by the relevant literature, and stay abreast of technical financial reporting developments. Considerations when assessing the adequacy and competency of financial reporting personnel include overall technical skills, nature and frequency of their training, and the number of personnel dedicated to financial reporting.
Example: Assessing Key Financial Reporting Personnel
The senior management of Tall Tree Finance, an investment bank and institutional securities company, annually assesses the ability of its key financial reporting personnel to understand and manage effectively the company's current business activities, related accounting questions, and IT implementation challenges. The audit committee oversees this assessment.
In particular, the assessment considers how adequately personnel respond to emerging accounting, reporting, and internal control issues. Senior management uses the results of this assessment to make decisions on staff training, reassignments, or other organizational changes.
Example: Aligning Competencies with Key Financial Reporting Positions
The start-up company Wireless Data Communications has seen its revenue double over the last several years, and business transactions and processing have become significantly more complex. Because of these evolving corporate needs due to the rapid growth, it is essential for employee competencies in key financial reporting positions to be aligned with roles and responsibilities.
Consequently, the CEO, CFO, and vice-president of human resources together annually review employee job descriptions and performance assessments. During a recent review, they determined that the company's controller, hired initially to perform basic accounting and bookkeeping functions, no longer had the expertise needed for the associated financial reporting responsibilities. The company has now assigned the controller to a position better suited to his skills, and hired an individual with the requisite competencies as controller.
Establishes Policies and Practices
Evaluates Competence and Addresses Shortcomings
Attracts, Develops, and Retains Individuals
Plans and Prepares for Succession
Senior management subsequently reports to the board what factors were considered in developing the performance measures, incentives, and rewards and how they are expected to drive the desired behavior.
Example: Defining and Communicating the Basis for Reward
Modern Financial Services has implemented a rewards system that requires the achievement of defined performance measures and encourages departments to monitor the effectiveness of their internal control systems and to self-report possible control deficiencies or opportunities for enhancement. This encouragement comes in the form of a policy that gives departments credit in the internal audit grading system for self-reported deficiencies. Any deficiencies that are identified through internal audit procedures, rather than through a department's monitoring efforts, are counted against the score.
The credit does not preclude the internal audit department from reporting specific deficiencies to management or the board when warranted, but it does positively affect the grading system, which can affect departmental compensation and benefits. The result is that Modern Financial Services is more likely to identify control deficiencies before they can become material to the organization.
Approach: Evaluating Performance Measures for Intended Influence
The board of directors and management periodically evaluate the appropriateness of performance measures used to determine whether they have the intended influence on how people respond to pressures, incentives, and rewards. This evaluation may include:
Reassessing the relevance of performance measures considering industry trends, regulatory changes, or changes in the entity's objectives
Considering past financial errors, ethical violations, and instances of non-compliance and whether the established measures could have caused excessive pressures to override controls
Engaging external parties to conduct benchmarking and to interview employees
Monitoring the changing sources of threats that cause pressure to bypass established controls or take shortcuts
Considering whether the selection of accounting policies has been unduly influenced by the established performance measures
Using the assessment to make changes in performance measures and associated hiring, evaluation, and promotion structures
The board of directors oversees the periodic assessment to ensure it has been completed, and may subsequently approve compensation plans. The board also provides oversight to ensure that the performance measures and compensation plans established for senior management are appropriately aligned with the entity's strategic objectives and balanced to promote the desired accountability without causing excessive pressure that could lead to fraudulent financial reporting.
Enforces Accountability through Structures, Authorities, and Responsibilities
Establishes Performance Measures, Incentives, and Rewards
Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance
Considers Excessive Pressures
Evaluates Performance and Rewards or Disciplines Individuals
During the employee performance review and appraisal process, management provides feedback about the extent to which each employee has performed in accordance with the company's core values of sound integrity and ethics.
Example: Providing Recognition for Suggestions Made to Enhance Internal Control
Medic Quest, a private company that researches, develops, produces, and markets medical scanning equipment, encourages its employees to identify and submit suggestions for improving internal control, including internal control over financial reporting. Employees are rewarded in the form of company awards and/or cash bonuses for ideas that are used.
Principles | Approaches

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Approaches: Identifying Financial Statement Assertions; Specifying Financial Reporting Objectives; Assessing Materiality; Reviewing and Updating Understanding of Applicable Standards; Considering the Range of Entity Activities

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Approaches: Applying a Risk Identification Process; Assessing Risks to Significant Financial Statement Accounts; Meeting with Entity Personnel; Assessing the Likelihood and Significance of Identified Risks; Considering Internal and External Factors; Evaluating Risk Responses

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Approaches: Conducting Fraud Risk Assessments; Considering Approaches to Circumvent or Override Controls; Considering Fraud Risk in the Internal Audit Plan; Using Information Technology Tools; Reviewing Incentives and Pressures Related to Compensation Programs

9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Approaches: Assessing Change in the External Environment; Conducting Risk Assessments Relating to Significant Change; Considering Change through Succession; Considering CEO and Senior Executive Changes