Professional Documents
Culture Documents
Purpose helping management better control the organization and to provide a board of
directors with an added ability to oversee internal control.
The Framework sets forth three categories of objectives, which allow organizations to
focus on separate aspects of internal control:
Operations Objectives—These pertain to effectiveness and efficiency of the
entity’s operations, including operational and financial performance goals, and
safeguarding assets against loss.
Reporting Objectives—These pertain to internal and external financial and non-
financial reporting and may encompass reliability, timeliness, transparency, or
other terms as set forth by regulators, standard setters, or the entity’s policies.
Compliance Objectives—These pertain to adherence to laws and regulations to
which the entity is subject.
Control environment – the standards, processes, and structures that guide people at all levels in carrying
out their responsibilities for internal control and making decisions.
An organization that establishes and maintains a strong control environment positions itself to be more
resilient in the face of internal and external pressures.
Organizational culture supports the control environment insofar as it sets expectations of behavior that
reflects a commitment to integrity and ethical values, oversight, accountability and performance
evaluations.
Principles:
1) Demonstrates Commitment to Integrity and Ethical Values
Sets the tone at the top – the board of directors and management at all levels of the entity
demonstrate through their directives, actions, and behavior the importance of integrity and
ethical values to support the functioning of the system of internal control
o Tone at the top and throughout the organization is fundamental to the functioning of an
internal control system. Without a strong tone at the top to support a strong culture of
internal control, awareness of risk can be undermined, responses to risk may be
inappropriate, control activities may be not followed, information and communication
may falter, and feedback from monitoring activities may not be heard or acted upon.
Establishes standards of conduct – the expectations of the board of directors and senior
management concerning integrity and ethical vales are defined in the entity’s standards of
conduct and understood at all levels of the organization and by outsourced service providers and
business partners
o Establishing what is right and wrong
o Providing guidance for navigating what lies in between, considering associated risks
o Reflecting governing laws, rules, regulations, standards and other expectations that the
organization’s stakeholders may have
Applies relevant expertise –the board defines, maintains, and periodically evaluates the
skills an expertise needed amounts its members to enable them to ask probing questions of
senior management and take commensurate actions
Operates independently – the board has sufficient members who are independent from
management and objective in evaluations and decision-making.
o Independence is demonstrated in the board member’s objectivity of mind, action,
appearance and fact.
o Board composition is determined by considering the mission, values, and various
objectives of the entity as well as the skills and expertise needed to oversee, probe,
and evaluate the senior management team most appropriately
o Board skills:
Internal control mindset, market and entity knowledge, financial expertise,
legal and regulatory expertise, social and environment expertise, incentives
and compensation, relevant systems and technology.
Provides oversight for the system of internal control – the board retains oversight
responsibility for management’s design, implementation, and conduct of internal control
Establishes reporting lines – management designs and evaluates lines of reporting for each
entity structure to enable executing of authorities and responsibilities and flow of
information to manage the activities of the entity
o For each type of structure it operates, management designs and evaluates the lines of
reporting so that responsibilities are carried out and information flows as needed.
Defines, assigns and limits authorities and responsibilities – management and the board
delegate authority, define responsibility and segregate duties as necessary at various level of
the organization
o The board delegates authority and defines and assigns responsibility for senior
management. In turn, senior management delegates authority and defines and
assigns responsibility at the overall entity and its subunits.
o Authority and responsibility are delegated based on demonstrated competence, and
roles are defined based on who is responsible for or kept informed of decisions.
Evaluates competence and addresses shortcomings – the board and management evaluate
competence across the organization in relation to established policies and practices, and acts,
as necessary to address short comings
Attracts, develops, and retains individuals – the organization provides mentoring and
training needed to attract, develop, and retain sufficient and competent personnel to support
the achievement of objectives.
Plans and prepares for succession – senior management and the board develop
contingency plans for assignments of responsibility important for internal control
5) Enforces Accountability – the organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives
Enforces accountability through structures, authorities, and responsibilities –
management and the board establish mechanisms to communicate and hold individuals
accountable for performance of internal control responsibilities across the organization ad
implement corrective action as necessary
o The board ultimately holds the CEO accountable for understanding the risks faced
by the entity and establishing the requisite system of internal control to support the
achievement of the entity’s objectives.
o The CEO and senior management, in turn, are responsible for designing,
implementing, conducting, and periodically assessing the structures, authorities, and
responsibilities needed to establish accountability for internal control at all levels of
the organization.
o Accountability is driven by tone at the top and supported by commitment to integrity
and ethical values, competence, structure, processes, and technology, which
collectively influence the control culture of the organization.
Establishes performance measures, incentives and rewards – management and the board
establish performance measures, incentives and other rewards appropriate for responsibilities
at all levels of the entity, reflecting appropriate dimensions of performance and expected
standards of conduct, considering the achievement of both short term and longer term
objectives
Considers excessive pressures – management and the bard evaluate and adjust pressures
associated with the achievement of objectives as they assign responsibilities, develop
performance measures, and evaluate performance
Board of directors – retains authority over significant decisions and reviews management’s assignments
and limitations of authorities and responsibilities
Senior management – establishes directives, guidance and control to enable management and other
personnel to understand and carry out their internal control responsibilities
Management – guides and facilitates the execution of senior management directives at entity and its
subunits
Personnel – understands the entity’s standard of conduct, assessed risks to objectives, and the related
control activities at their respective levels of the entity, the expected communication and information
flow, and monitoring activities relevant to their achievement of the objectives.
A pre-condition to risk assessment is the establishment of objectives, linked at different levels of the
entity. Management specifies objectives within categories relating to operations, reporting and
compliance with sufficient clarity to be able to identify and analyze risks to those objectives.
Introduction
Risk – is defined in the framework as the possibility that an even will occur and adversely affect the
achievement of objectives.
As part of the process of identifying and assessing risks, an organization may also identify opportunities.
These opportunities are important to capture and to communicate to the objective-setting processes.
Risk tolerance – is the acceptable level of variation in performance relative to the achievement of
objectives.
Risk tolerance is normally determined as part of the objective-setting, and as with setting objectives,
setting tolerance levels is a precondition for determining risk responses and related control activities.
Performance measures are used to help an entity operate within established risk tolerance.
Principles:
1) Specifies Suitable Objectives – the organization specifies objectives with sufficient clarity to
enable the identification and assessment of risks relating to objectives.
a. The objectives align with and support the entity in pursuit of its strategic direction.
Objectives form the basis on which risk assessment approaches are implemented and
performed and subsequent control activities are established
In considering the suitability of objectives, management may consider such matters as:
Alignment between established objectives and strategic priorities
Articulation of risk tolerances for objectives
Alignment between established objectives and established laws, rules, regulations and standards
Objectives
Operations Objectives
Reflects management choices – reflect management’s choices about structure, industry
considerations, and performance of an entity
Considers tolerances for risk – consider the acceptable levels of variation relative to the
achievement of operations objectives
Includes operations and financial performance goals – the org reflects the desired level of
operations and financial performance for the entity within operations objective
Forms a basis for committing of resources – mgt uses operations objectives as a basis for
allocating resources needed to attain desired operations and financial performance
Reporting Objectives
Complies with applicable accounting standards – financial reporting standards are consistent
with accounting principles suitable and available for that entity.
Considers materiality – mgt considers materiality in financial statement presentation
Reflects entity activities – external reporting reflects the underlying transactions and events to
show qualitative characteristics and assertions.
Compliance Objectives
Reflects external laws and regulations – laws and regulation establish minimum standards of
conduct which the entity integrates into compliance objectives
Considers tolerances for risk – management considers the acceptable levels of variation
relative to the achievement of compliance objectives
2) Identifies and Analyzes Risk – the organization identifies risks to the achievement of its
objectives across the entity and analyzes risks as a basis for determining how the risks should be
managed.
Includes entity, subsidiary, division, operating unit, and functional levels – the
organization identifies and assesses risks at all levels to the achievement of objectives
Analyzes internal and external factors – risk identification considers both internal and
external
o External: economic, natural environment, regulatory, foreign operations, social and
technological
o Internal: infrastructure, management structure, personnel, access to assets,
technology
Once the major factors have been identified, management can then consider their relevance
and significance and, where possible, link these factors to specific risks and activities.
Involves appropriate levels of management – the organization puts into place effective
risk assessment mechanisms that involve appropriate levels of management
Estimates significance of risks identified – identified risks are analyzed through a process
that includes estimating the potential significance of the risk
o An entity’s assessment considers factors that influence the severity, velocity, and
persistence of the risk, likelihood of the loss of assets, and the related impact on
operations, reporting and compliance activities.
o Inherent risk – is the risk to an entity in the absence of any actions management
might take to alter either the risk’s likelihood or impact
o Residual risk – is the risk that remains after management’s response to inherent risk
Determines how to respond to risks – risk assessment includes considering how the risk
should be managed and whether to accept, avoid, reduce or share the risk
o Acceptance – no action is taken
o Avoidance – exiting the activities giving rise to risk
o Reduction – action is taken to reduce likelihood or impact
o Sharing – reducing risk likelihood or impact by transferring a portion of the risk
3) Assesses Fraud Risk – the organization considers the potential for fraud in assessing risks to the
achievement of objectives
Considers various types of fraud – the assessment of fraud considers fraudulent reporting,
possible loss of assets, and corruption resulting from the various ways that fraud and misconduct
can occur
Assesses incentive and pressure – considers incentives and pressures to commit fraud
Assesses opportunities – the assessment of fraud risk considers opportunities for unauthorized
acquisitions, use, or disposal of assets, altering of the entity’s reporting records, or committing
other inappropriate acts
o Created by weak control activities and monitoring, poor management oversight and
management override of control.
Assesses attitudes and rationalizations – the assessment of fraud risk considers how
management and other personnel might engage in or justify inappropriate actions
Safeguarding of assets – refers to protecting against the unauthorized and willful acquisition, use, or
disposal of assets relates to operations objectives
Management override – describes actions taken to override an entity’s controls for an illegitimate
purpose including personal gain or an enhance presentation of an entity’s financial condition or
compliance status
4) Identifies and Analyzes Significant Change – the organization identifies and assesses changes
that could significantly impact the system of internal control
Assesses changes in the external environment – the risk identification process considers
changes to the regulatory, economic and physical environment
o Changing external environment – changing regulatory or economic environment can
result in in increased competitive pressures, changes in operating requirements and
significantly different risks.
o Changing physical environment – natural disasters
Assesses changes in the business model – the organization considers the potential impacts
of new business lines etc.
o Changing business model -
o Significant acquisitions and divestitures – when an entity decides to acquire business
operations, it may need to review and standardize internal controls across the
expanded entity
o Foreign operations – expansion or acquisition foreign operations carries new and
often unique risks
o Rapid growth – when operations expand significantly and quickly, existing
structures, business processes, information systems or resources may be strained to
the point where internal controls break down
o New technology – when new technologies are incorporated internal controls will
likely need to be modified
They may be preventive or detective in nature and may encompass a range of manual and automated
activities such as authorizations and approvals, verifications, reconciliations and business performance
reviews. Segregation of duties is typically built into the selection and development of control activities.
Principles:
1) Selects and Develops Control Activities – the organization selects and develops control activities
that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Integrates with Risk Assessment – control activities help ensure that risk responses that
address and mitigate risks are carried out.
o The action to reduce or share risks serves as a focal point for selecting and developing
control activities. Decisions depend on the desired level of risk mitigation acceptable to
management
o When determining what actions to put in place to mitigate risk, management considers
all aspects of the entity’s internal control components and the relevant business
processes, information technology and locations where control activities are needed.
Evaluates a Mix of Control Activity Types – control activities include a range and variety of
controls and may include a balance of approaches to mitigate risks, both manual and automated
and preventive and detective controls.
Considers at What Level Activities Are Applied – management considers control activities at
various levels in the entity
Information processing
2) Selects and Develops General Controls over Technology – the organization selects and develops
general control activities over technology to support the achievement of objectives.
Determines dependency between the use of technology in business processes and
technology general controls – management understands and determines the dependency and
linkage between business processes, automated control activities, and technology general
controls.
o The reliability of technology within business processes, including automated controls,
depends on the presence and proper functioning of the general control activities over
technology (technology general controls)
o Technology general controls must be deployed for automated controls to work properly
when first developed and implemented.
o Technology general controls help information systems continue to function properly
after they are implemented.
o Technology general controls include control activities over technology
infrastructure, security management, and technology acquisition, development, and
maintenance.
Establishes relevant technology infrastructure control activities – management selects and
develops control activities over technology infrastructure, which are designed and implemented
to ensure the completeness, accuracy and availability of technology processing.
Establishes relevant security management process control activities – management selects
and develops control activities that are designed and implemented to restrict technology access
rights to authorized users commensurate with their job responsibilities and to protect the entity’s
assets from external threats.
Establishes relevant technology acquisition, development, and maintenance process
control activities – develop and select control activities over ^^ and its infrastructure to achieve
management’s objectives.
3) Deploys through Policies and Procedures – the organization deploys control activities through
policies that establish what is expected and procedures that put policies into action.
Establishes policies ad procedures to support deployment of management’s directives –
management establishes control activities that are built into business processes and
employees day-to-day activities through policies establishing what is expected and relevant
procedures for specifying actions.
o Policies reflect management’s statement of what should be done to effect control.
Control activities specifically relate to those policies and procedures that contribute
to the mitigation of risks to the achievement of objectives to acceptable levels.
Establishes responsibility and accountability for executing policies and procedures –
management establishes responsibility and accountability for control activities with
management of the business unit or function in which the relevant risks reside.
Performs in a timely manner – responsible personnel perform control activities in a timely
manner as defined by the policies and procedures.
Takes corrective action – responsible personnel investigate and act on matters identified as
a result of executing control activities.
Performs using competent personnel – competent personnel with sufficient authority
perform control activities with diligence and continuing focus.
Reassess policies and procedures – management periodically reviews control activities to
determine their continued relevant, and refreshes them when necessary.
Internal communication is the means by which information is disseminated throughout the organization,
flowing up, down and across the entity.
It enables personnel to receive a clear message from senior management that control
responsibilities must be taken seriously.
Principles:
1) Uses relevant information – the organization obtains or generates and uses relevant, quality
information to support the functioning of other components of internal control
3) Communicates Externally – the organization communicates with external parties regarding matters
affecting the functioning of other components of internal control
Communicates to external parties
o Processes are in place to communicate relevant and timely information to external parties
o Management’s communication to external parties sends a message about the importance of
internal control in the organization by demonstrating open lines of communication.
Enables inbound communications
o Open communication channels. Communications from external parties may also provide
important information on the functioning of the entity’s internal control system.
Communicates with the board of directors
o Information from external assessments about the organization’s activities that relate to
matters of internal control are evaluated by management, and communicated to the board
Provides separate communication lines
Selects relevant method of communication
o The method of communication considers the timing, audience, and nature of the
communication and legal, regulatory, and fiduciary requirements and expectations.
Principles
1) Conducts Ongoing and/or Separate Evaluations – the organization selects, develops, and
performs ongoing and/or separate evaluations to ascertain whether the components of internal control
are present and functioning
Considers a mix of ongoing and separate evaluations
o Management includes a balance of ongoing and separate evaluations.
o Ongoing evaluations routine operations built into business processes and performed on a
real-time basis, reacting to changing conditions. The components of internal control are
usually structured to monitor themselves on an ongoing basis.
o Separate evaluations conducted periodically by objective management personnel, internal
audit and or external parties
Considers rate of change
o An entity in an industry that is quickly changing may need to have more frequent separate
evaluations and may reconsider the mix of ongoing and separate evaluations
Establishes baseline understanding
o The design and current state of an internal control system are used to establish a baseline and
developing ongoing and separate evaluations.
o Monitoring activities require an understanding of how management has designed the system
of internal control and how controls have been designed, implemented and conducted.
Uses knowledgeable personnel
o Evaluators have sufficient knowledge to understand what is being evaluated
Integrates with business processes
o Ongoing evaluations are built into the business processes and adjust to changing conditions
Adjusts scope and frequency
o Management varies the scope and frequency of separate evaluations depending on risk
o A separate evaluation of the overall internal control system, or specific components of
internal control, may be appropriate for a number of reasons: major strategy or management
change, acquisitions or dispositions, changes in economic or political conditions, or changes
in operations or methods of processing information.
Objectively evaluates
o Separate evaluations are performed periodically to provide objective feedback
o May include: internal audit evaluations, other objective evaluations, cross operating unit or
functional evaluations, benchmarking, self-assessments
2) Evaluates and Communicates Deficiencies – the organization evaluates and communicates internal
control deficiencies in a timely manner to those parties responsible for taking corrective actions,
including senior management and the board of directors as appropriate.
Assess Results
o Assess results of ongoing and separate evaluations
o Those that represent a potential or real shortcoming in some aspect of the system of internal
control that has the potential to adversely affect the ability of the entity to achieve its
objectives are referred to as deficiencies
o In addition, the organization may identify opportunities to improve the efficiency of internal
control, or areas where changes to the current system of IC may provide greater likelihood
that the entity’s objectives will be reached.
Communicates deficiencies
o Deficiencies are communicated to parties responsible for taking corrective action and to
senior management and the board, as appropriate.
o Reporting n the IC deficiencies depends on the criteria established by regulators, standard-
setting bodies, and management and board.
o In considering what needs to be communicated, it is necessary to look at the implications of
findings and the entity’s reporting directives.
Monitors corrective actions
o Management tracks whether deficiencies are remediated on a timely basis