
Reference Manual

This Reference Manual is designed to assist an evaluator in completing the “Risk
Assessment and Control Activities Worksheet.”
The Reference Manual (immediately following the Generic Business Model) presents,
for common business activities, illustrative objectives, risks and “points of focus for
actions control activities.” The listings in this last column may be useful in identifying
actions addressing the risks, and related control activities that help ensure the actions are
carried out. This last column also includes performance indicators that may be
particularly useful in effecting control. The second, “O, F, C” column indicates the
category into which the objectives fall (Operations, Financial reporting, and Compliance).
These categorizations are not precise, and may vary with circumstances.
The manual does not purport to list every activity-level objective, risk or point of focus. It
may, however, be helpful in identifying relevant items.

Generic Business Model


The activities covered in the Reference Manual are based on a generic model of a
business enterprise. The generic business model depicts major activities, and is organized
in levels, from a high level view of an enterprise to increasingly more detailed views.
Exhibit 1, the context level, is the highest level. At this level, the model depicts the
interactions of an enterprise with external parties:
• Vendors and candidates for employment provide resources used to bring goods
and services to market.
• A number of other external parties influence the enterprise, including other
sources of consumption, public bodies, collaborators, investors and competitors.
Exhibit 2, the activity level, depicts major activities within the enterprise, comprising five
basic value chain activities, supported by four infrastructure activities. Each activity
receives, performs operations on and transmits goods, services or information. Between
vendors and buyers, value chain activities include:
• Inbound Activities
• Operations
• Outbound Activities
• Marketing and Sales
• Service
Infrastructure activities, supporting the value chain activities, include:
• Administration (this activity is broken down into its sub-activities in Exhibit 3)
• Human Resources
• Technology Development
• Procurement

Copyright © 1992, 1994 by the Committee of Sponsoring Organizations of the Treadway Commission
Exhibit 3 focuses on the administration activity, depicting its sub-activities. These are:
• Manage Finance (this activity is broken down further into Control, Treasury, Tax and Audit; the Control unit is depicted in further detail in Exhibit 4)
• Manage the Enterprise
• Manage External Relations
• Provide Administrative Services
• Manage Information Technology
• Manage Risks (of accident or other insurable loss)
• Manage Legal Affairs
• Plan
Exhibit 4 depicts the various administration controllership sub-activities:
• Process Accounts Payable
• Process Accounts Receivable
• Process Funds
• Process Fixed Assets
• Analyze and Reconcile
• Process Benefits and Retiree Information
• Process Payroll
• Process Tax Compliance
• Process Product Costs
• Provide Financial and Management Reporting
The generic business model serves two purposes. As noted, it provides a structure for the
Reference Manual. The activities, transactions and information flows depicted in the
model form the basis for the manual.
The generic business model can also be used as a starting point for an evaluator to
understand an entity’s activities and their relationships to one another and to outside
parties, and the information that is generated and used to help control those activities.
When used in this way, the generic business model should be tailored to fit the entity
being evaluated. It should be modified or augmented with additional information
particular to the entity, such as systems flowcharts, to better understand the entity’s
activities and information flows. This understanding can, in turn, facilitate an analysis of
the risks associated with each activity, and can help to identify points in the system where
control should be effected. Those risks, and the entity’s related control activities, can be
used to help management complete the “Risk Assessment and Control Activities
Worksheet.”

Exhibit 1 – Generic Business Model – Context Level

Exhibit 2 – Generic Business Model – Activity Level

Exhibit 3 – Generic Business Model – Administration Activities

Exhibit 4 – Generic Business Model – Administration Activities

Reference Manual

Activity: INBOUND

Objectives O,F,C Risks Points of Focus for


Actions Control
Activities
Manage Logistics

1. Ensure that materials received and related information is processed and promptly made available to production, stores or other departments (O,F)

Risk: Plans and schedules are not communicated to inbound activities, or do not clearly identify when or where materials are needed
• Specify on plans and schedules what materials are needed, and when they are needed
• Communicate all plans and schedules to inbound activities
• Summarize material requirements and submit them to receiving periodically
• Maintain material routing procedures for received items
• Provide inbound activities with nonroutine material routing instructions
• Monitor production problems related to unavailable materials and parts (performance indicator)
• Consider implementing Just-in-Time or a similar inventory and production management philosophy

Risk: Information on materials received is not entered into the information system accurately or on a timely basis
• Maintain procedures for promptly updating inventory records
• Match dates on receiving information and inventory information and follow up as appropriate

• Periodically verify that prenumbered receiving documents have been entered in the information system

2. Ensure purchase orders not filled on a timely basis are investigated (O)

Risk: Purchase orders are lost or not forwarded to inbound activities
• Purchase orders are prenumbered and missing documents are investigated

Risk: Due date information is not available
• Maintain open purchase order information in a manner that facilitates identification of purchase orders remaining unfilled past the due date

3. Completely and accurately document goods received and goods returned (O,F)

Risk: Lost receiving reports or lost shipping records
• Prenumber documents and investigate missing documents

Receive

4. Accept only items that were properly ordered (O)

Risk: Purchase order information is not made available to inbound activities
• Compare materials received, including verification of quantities received, to properly approved purchase orders. Do not accept materials not properly ordered
• Monitor instances of invoices presented for payment when materials were accepted without a valid purchase order (performance indicator)

5. Accept only materials that meet purchase order specifications (O)

Risk: Purchase order specifications are unclear
• Maintain current lists of specifications to be used in inspecting and testing goods


• Verify specifications with purchasing or other appropriate personnel
• Monitor production problems related to substandard materials (performance indicator)

Risk: Materials are not tested for specification compliance
• Establish testing procedures, as appropriate, for all materials ordered
• Monitor production problems related to substandard materials and parts (performance indicator)

6. Ensure that all materials transferred from the receiving activity to other activities are recorded (O,F)

Risk: Transfer procedures do not require preparation of supporting documentation
• Require appropriate documentation of materials transferred from receiving to other business activities

Risk: Transfer documentation may be lost
• Prenumber documents and investigate missing documents
• Periodically count materials on hand and reconcile with perpetual records; investigate any differences (performance indicator)

7. Safeguard goods received (O,F)

Risk: Inadequate physical security over goods received
• Maintain physical security over goods received
• Segregate custodial and record-keeping functions


8. Ensure that vendor, inventory and purchase order information is accurately updated to reflect receipts (O,F)

Risk: Receiving information may be lost
• Prenumber receiving documents and investigate missing documents
• Periodically identify and investigate open purchase orders
• Periodically count inventory and reconcile with perpetual inventory records; investigate differences (performance indicator)

Risk: Receiving information may be entered inaccurately in the information system, or may not be timely
• Periodically verify accuracy of vendor, inventory and open purchase order information
• Periodically ensure information is being entered into the information system on a timely basis

9. Return rejected items promptly (O)

Risk: Inadequate or untimely inspection of items received
• Maintain appropriate procedures for inspecting items received

10. Completely and accurately document all transfers to and from storage (O,F)

Risk: Incomplete or inaccurate information regarding materials transferred to or from storage
• Transfer documentation accompanies all transfers; stores or other activities personnel verify materials and quantities received

Risk: Transfer documents may be lost
• Prenumber transfer documents and investigate missing documents


• Periodically count materials and reconcile with perpetual records. Investigate differences (performance indicator)

11. Appropriately requisition all goods to be transferred to operations (O,F)

Risk: Inadequate transfer or requisition procedures
• Transfer materials only on the basis of a properly approved requisition

12. Properly transfer all materials requisitioned (O,F,C)

Risk: Requisitions may be lost
• Prenumber requisitions and investigate missing documents

Risk: Materials not requisitioned are transferred
• Verify that material received complies with approved requisition

13. Maintain safe working conditions and storage of hazardous materials (C)

Risk: Inadequate safety considerations
• Maintain relevant policies consistent with Occupational Safety and Health Administration (OSHA) and other pertinent laws and regulations, approved by technical and legal personnel, and monitor compliance
• Follow up on reported safety concerns
• Maintain appropriate procedures for handling and storing hazardous materials

Activity: OPERATIONS

Objectives O,F,C Risks Points of Focus for


Actions Control
Activities

Manage and Schedule Operations

1. Schedule operations to minimize inventory and to ensure sufficient availability of completed products in a timely manner (O)

Risk: Poor communication with marketing regarding sales forecasts
• Use standard documents to prepare and communicate sales forecasts
• Ensure that production personnel receive all sales forecasts

Risk: Several products compete for concurrent production
• Compare production schedules to sales forecasts to ensure scheduled timing and production quantities are appropriate
• Determine production priorities based on established criteria or management judgment
• Evaluate adequacy of production capacity
• Approve all production schedules

Risk: Insufficient or excess raw materials due to poor communication with procurement, or inaccurate or untimely material requirement forecasts
• Use formalized communication channels to inform procurement of material requirements, including quantities and dates materials are required
• Compare material requirement forecasts with production schedule and product bills of materials; consider effect of lead times required to obtain materials


• Establish and adhere to accurate and realistic production schedules
• Consider the costs/benefits of establishing a Just-in-Time system, or similar production and inventory management philosophy
• Monitor instances of insufficient or excessive raw materials inventory (performance indicator)

2. Minimize production downtime (O)

Risk: Poorly maintained, misused or obsolete equipment
• Maintain equipment in accordance with an established preventative maintenance program
• Periodically evaluate production equipment in light of repairs and maintenance cost, capacity, breakdowns, obsolescence and other factors. Consider the costs/benefits of acquiring new equipment
• Train employees in the proper use of equipment
• Monitor instances of production downtime due to equipment failure (performance indicator)

Risk: Inadequate skilled labor
• Train existing employees to perform various tasks


Risk: Natural or other disasters
• Maintain and update contingency and natural disaster plans
• Periodically test such plans

Perform Operations

3. Produce product in appropriate quantities and in accordance with specifications and production schedules (O)

Risk: Quantities to be produced are not communicated clearly
• Use standardized documents to prepare and communicate production plans and directives

Risk: Inappropriate or unclear specifications
• Use standardized documents to communicate product specifications

Risk: Excessive work steps operations
• Consider methods to simplify production, such as implementation of Just-in-Time principles

4. Comply with Occupational Safety and Health Administration (OSHA) laws and regulations (O,C)

Risk: Pressure to meet production deadlines
• Upper management supports, in statements and actions, safety considerations
• Enforce disciplinary action on employees who violate safety procedures
• Monitor safety violations (performance indicator)

Risk: Lack of awareness of laws and regulations
• Conduct periodic training sessions
• Post laws, regulations and company policy in conspicuous locations

Assure Quality

5. Product is produced in accordance with quality control standards (O)

Risk: Production processes do not include procedures designed to ensure quality production
• Integrate quality assurance procedures into production processes
• Standardize production processes to the extent practicable

Risk: Product is difficult to produce
• Design product with appropriate consideration given to potential production difficulties

Risk: Inadequate product testing
• Test sufficient quantities of each production run to ensure compliance with quality control standards
• Monitor defect rates (performance indicator)

Risk: Quality problems are not discovered or appropriately reported during the production process
• Test products using personnel independent of production processes
• Monitor customer quality-related returns and complaints (performance indicator)

Activity: OUTBOUND

Objectives O,F,C Risks Points of Focus for


Actions Control
Activities
Process Orders

1. Process orders only for customers who are authorized for credit (O)

Risk: Incomplete, untimely or inaccurate credit information
• Credit authorization systems that provide accurate and timely customer information regarding approved credit limits, current balances due, age of receivable balance and other pertinent information

2. Process orders accurately and expeditiously (O)

Risk: Inaccurate or untimely pricing and inventory information
• Use current pricing and inventory information

Risk: Untimely processing of order information
• Prenumber order forms and periodically follow up on those not processed in a reasonable time frame

Risk: Customer order information may be unclear, inaccurate or incomplete
• Verify customer order information with appropriate marketing sales personnel; contact customer if necessary

3. Process only valid customer orders (O,F)

Risk: Customer orders may not be authorized
• Verify appropriate marketing sales personnel approved customer order

4. Process all approved orders (O)

Risk: Order documentation is lost
• Prenumber order forms; investigate missing documents

Store Product

5. Protect products from damage (O)

Risk: Employee carelessness
• Monitor damage caused by employee carelessness (performance indicator)

Risk: Handling and storage procedures, including storage containers, facilities and maintenance, are inappropriate for the nature of the products
• Store products in containers and facilities designed with consideration for product features and legal and regulatory requirements
• Create appropriate maintenance procedures and schedules for the nature of the storage facility

Risk: Employees are not familiar with handling and storage requirements or procedures
• Communicate handling and storage policies and procedures clearly to store’s employees
• Monitor compliance with handling and storage policies and procedures (performance indicator)

6. Store products to facilitate timely order processing (O)

Risk: Improper organization of storage facility
• Design and maintain efficient warehouse layout to facilitate order fulfillment

Risk: Insufficient storage capacity
• Minimize product inventory while enabling timely order fulfillment
• Identify the appropriate number and location of warehouses

7. Materials are handled and stored in compliance with applicable laws and regulations (C)

Risk: Employees may not be aware of applicable laws and regulations
• Legal counsel, or other qualified personnel, provides information regarding applicable laws and regulations
• Periodic training regarding legal and regulatory requirements

Risk: Inappropriate handling and storage policies and procedures
• Review of handling and storage procedures by legal counsel or other qualified personnel


• Monitor accidents or problems due to inappropriate handling or storage policies or procedures (performance indicator)

8. Maintain complete and accurate records of product stored and available for shipment (O,F)

Risk: Product moved into or out of storage may not be documented or recorded
• Product transfer documents are required for movements of product into or out of storage. Such documents are prenumbered, and missing documents are investigated

Risk: Product may be moved into or out of storage without proper authorization
• Physical security measures to prevent unauthorized addition to or removal of product from storage
• Periodically count product in storage and reconcile to perpetual records. Investigate differences between physical count and accounting records

Ship Product

9. Obtain proper products and quantities from storage (O)

Risk: Improper products or improper quantities are retrieved from storage
• Compare products and quantities retrieved from storage with the customer order and/or product requisition

Risk: Product is unavailable in sufficient quantity
• Maintain perpetual product inventory records. Notify operations or other appropriate personnel when inventory drops below a predetermined level


10. Ensure product is packed properly to minimize damage (O)

Risk: Packing materials, containers or procedures are inappropriate for the nature of the product or method of shipment
• Use packing materials, containers or procedures that were designed giving consideration to the nature of the product and method of shipment

11. Ship only those products that are authorized for shipment (O)

Risk: Incomplete or inaccurate information from order processing
• Compare documents authorizing product shipment with customer order

Risk: Unordered or unauthorized products are included in customer shipment
• Compare products to customer order prior to shipment
• Monitor customer returns or billing disputes relating to products delivered but not ordered (performance indicator)

12. Deliver products in the most efficient manner (O)

Risk: Disruption of normal shipping channels
• Identify alternative shipping arrangements

Risk: Inaccurate or incomplete shipping documents
• Review shipping documents for completeness and compare to customer order for accuracy before shipment

Risk: Use of inefficient shipping methods
• Periodically review shipping alternatives and identify the most efficient alternative

13. All shipments are accurately documented, and such documentation is forwarded to accounts receivable on a timely basis (O,F)

Risk: Incorrect information is entered on shipping documentation
• Compare shipping document information with customer order information before shipment


• Independent verification of shipping document information before shipment

Risk: Shipping documents are lost
• Prenumber shipping documents and investigate missing documents

14. Ensure timely shipment of customer order (O)

Risk: Order or shipping documentation may be lost
• Prenumber order and shipping documents; investigate missing documents

Activity: MARKETING AND SALES
Objectives O,F,C Risks Points of Focus for
Actions Control
Activities
Manage Marketing Activities

1. Design marketing strategies giving consideration to competitive, regulatory, business environment or other factors that may influence the entity’s marketing activities, and potential changes in those factors (O,C)

Risk: Inadequate information regarding factors that may influence the entity’s marketing strategy
• Retain marketing personnel experienced in the entity’s industry
• Promote active membership in industry, trade or professional associations
• Monitor legal and regulatory initiatives that may affect the entity
• Conduct market research, and monitor and analyze economic, customer and industry trends

2. Identify potential and existing customers, and develop marketing strategies to influence those parties to purchase the entity’s products or services (O)

Risk: Inaccurate, untimely or unavailable information regarding pricing, products, actual or potential customers, advertising and promotion
• Conduct market research
• Evaluate pricing strategies vis-à-vis competitors’ products and pricing
• Evaluate the effectiveness of advertising and promotion (performance indicator)
• Communication of product capabilities, enhancements or new products from technology development personnel

3. Maintain delivery capabilities for delivery of products to customers on a timely basis at the least distribution cost (O)

Risk: Limited number of appropriate distributors
• Identify and evaluate alternative distribution arrangements

Risk: Poor performance of distributors
• Communicate appropriate customer information to distributors to ensure timely delivery
• Monitor distributors’ performance in the context of the entity’s overall marketing strategy

4. Address market needs for product, including introduction of new products, and continuance, changes to or discontinuance of existing products (O)

Risk: Lack of or inaccurate information regarding competitive products or potential new products
• Conduct market research, including existence of competitive products, products under development and customer preferences
• Promote active membership in industry, trade or professional associations

Risk: Products become obsolete
• Conduct market research, focusing on competitors’ technical innovations and customers’ acceptance of or preference for such innovations

Risk: Lack of product demand
• Monitor the trend of product sales by the entity and the industry
• Evaluate advertising and promotion effectiveness
• Conduct market research

Risk: Lack of information regarding profit margins and/or sales prices
• Communicate information needs to accounting, management information systems and other appropriate personnel
• Monitor profit margins and sales prices for signs of competitive price pressures


Manage Sales Activities

5. Implement marketing strategies effectively (O)

Risk: Sales personnel are unaware of marketing strategies
• Communicate marketing strategies to sales personnel

Risk: Sales personnel disregard marketing strategies
• Establish sales quotas, commissions and other compensation, or other performance criteria in such a manner that failure to implement marketing strategies results in substandard performance evaluations and compensation, and positive implementation of strategies results in increased compensation and recognition

6. Meet or exceed sales targets in an efficient manner (O)

Risk: Sales personnel are unaware of potential customers
• Communication of market research results from marketing to sales personnel

Risk: Salespeople lack knowledge about product features or benefits
• Provide product awareness training
• Retain qualified and experienced sales staff

Risk: Incomplete or inaccurate customer information
• Maintain customer information system, including name, address, phone number, contact, size, locations, history of previous orders, plans to expand or change the business, or other information that could be useful in marketing the entity’s products or services
• Periodically verify the accuracy of customer information


Risk: Salespeople perform poorly
• Retain qualified and experienced salespeople
• Organize sales force and align territories in most efficient manner

7. Forward all sales orders to outbound activities and service in a timely manner (O)

Risk: Sales orders are lost
• Prenumber sales orders and investigate missing documents

Activity: SERVICE

Objectives O,F,C Risks Points of Focus for


Actions Control
Activities
Provide Customer Service

1. Handle customer inquiries expeditiously and efficiently (O)

Risk: Inadequate information systems
• Maintain accurate and timely product and customer information

Risk: Untrained staff
• Provide staff with initial and periodic product and customer service training
• Customer service representatives present favorable image to customers and are knowledgeable about products

Risk: Poor organization of customer service department
• Organize customer service department in most efficient manner (e.g., along product lines, geographical lines, etc.)

2. Satisfy customer service needs so as to further sales and marketing objectives (O)

Risk: Lack of awareness of sales and marketing objectives
• Customer service representatives understand the objectives common to marketing, sales and customer service

Install

3. Make authorized installations correctly, efficiently and on a timely basis (O)

Risk: Untrained staff
• Provide installers with initial and periodic training regarding installation techniques and product features
• Monitor customer complaints regarding product installation (performance indicator)

Risk: Product unavailability
• Coordinate scheduled installations with operations’ production schedule and shipping’s delivery schedule


Risk: Inaccurate or unavailable customer information
• Compare installation authorization documents with customer orders to verify information accuracy and review such documents for completeness
• Prenumber installation authorization documents and investigate missing documents

Risk: Unavailability of service personnel
• Schedule installations and staff utilization to minimize costs

Provide Warranty Service

4. Warranty policies are consistent with marketing and financial strategies (O)

Risk: Inaccurate market information
• Make certain that market information developed by marketing is considered when establishing warranties

5. Investigate and respond to requests for service on a timely basis and in accordance with warranties (O)

Risk: Insufficient staff
• Forecast staffing level requirements
• Monitor adequacy of staffing, overtime, workloads

Risk: Uncommunicated changes in warranty policies
• Communicate changes in product warranty policies to appropriate personnel

Provide Post-Warranty Service

6. Customer service representatives use up-to-date pricing and other product information (O)

Risk: Unavailable or inaccurate information
• Update pricing information on order processing systems on a daily basis
• Provide customer representatives access to order processing systems


7. Investigate and respond to requests for services in the most efficient manner and on a timely basis (O)

Risk: Insufficient number of customer service representatives or service personnel
• Maintain proper staffing levels and organize the customer service department in the most efficient manner

Risk: Improperly trained service personnel
• Properly train staff

Activity: PROCUREMENT

Objectives O,F,C Risks Points of Focus for


Actions Control
Activities

Select Vendor

1. Identify and purchase from vendors capable of meeting the entity’s needs (O)

Risk: Inadequate vendor screening, including periodic requalification of existing vendors, relating to vendors’ abilities to meet technical specifications, quantity requirements, price, delivery dates/lead time, and service
• Investigate and periodically update vendor capabilities regarding production quality and capacity, price (including volume or cash discounts and payment terms), order lead-time requirements, current and former customer satisfaction, financial condition, management stability, possible legal restrictions on providing the materials required and pending litigation
• Monitor frequency of returned purchases (performance indicator)
• Periodically update vendor information based on vendor performance in meeting terms and specifications of contracts or purchase orders (e.g., timely delivery of acceptable items, correction of errors or problems, and service)
• Appropriate review of purchase orders
• Monitor production problems related to out-of-stock materials and to material specifications (performance indicator)


Develop data on
alternative vendors and
periodically reevaluate
vendor selection
decisions

Specify procedures for


notification by vendors
of potential performance
problems and for
appropriate investigation
and follow-through

2. Purchase items only O,C Unavailable or Maintain updated


from legally qualified inaccurate information vendor information
vendors and in about fraudulent acts or
conformity with other improper activities Review and approve
applicable laws, of vendors purchase orders
regulations and
contracts Institute and monitor
code of conduct

Consider ways to
simplify vendor
investigation procedures

3. Ensure adequate O Poor communication of Timely communication


supply of materials operations’ or other to procurement of
activities’ needs operations’ or other
activities’ needs
Vendors’ inability to
provide needed Utilize forward
quantities due to other contracts
higher-priority orders or
an interruption in their Identify alternate
own supplies vendors

Utilize long-term needs


analysis

Purchase O Inappropriate production Review existing and


4. Order items that meet specifications revised specifications by
appropriate technical personnel
specifications


Monitor and analyze


production problems
related to material
specifications
(performance indicator);
examples of
performance
indicators include
comparing current-
period data on
production
stoppages and slow-
downs, rush orders,
spoilage, and material
price and quantity
variances to prior-period
data, peer or industry
data, budgets, or other
pre-established goals

Communicate
production
specifications to
procurement personnel

Appropriate review and


approval of contracts
and purchase orders

5. Pay appropriate prices O Out-of-date or Obtain competitive bids


incomplete price for each acquisition
information periodically

Consider volume
purchases by
determining total usage
of similar materials;
combine orders to obtain
volume discount

Appropriate review of
purchase orders

Monitor material price


variances (performance
indicator)

Use hedging or forward


contracts


6. Order appropriate O Unavailable or Maintain accurate


quantities at appropriate inaccurate information perpetual inventory
times on inventory levels or records
production needs
Match periodic
production schedules to
inventory information
and
order lead-time
requirements

Appropriate review of
purchase orders

Use forecasts

Consider implementing
Just-in-Time or a similar
inventory and
production management
philosophy

7. Update vendor O Information on issued Route copies of


information completely purchase orders is not purchase orders to
and accurately to reflect clearly or completely appropriate personnel
open purchase orders communicated

Purchase orders are not


entered into the system Prenumber purchase
on a timely basis orders and periodically
verify their entry
into the system.
Investigate unusual time
delays in entering data

8. Receive items ordered O Unavailable or Specify shipment mode


on a timely basis (see inaccurate information and delivery date on
also objective no. 2 on items ordered but not purchase orders
of Inbound activities) received
Prenumber and account
for purchase orders

Match receiving
information with
purchase order
information and
promptly follow through
on outstanding orders


Monitor vendor
performance in terms of
timely delivery; follow
up in cases of poorly
performing vendors

9. Record authorized O,F Purchase orders may be Prenumber and account


purchase orders lost for purchase orders
completely and
accurately
O,F Inadequate policies and Prenumber and account
10. Prevent procedures to prevent for purchase orders
unauthorized use of unauthorized use
purchase orders Maintain physical
security of purchase
orders

Approve purchase
orders

Notify vendors of
company personnel
authorized to approve
purchase orders

Activity: TECHNOLOGY DEVELOPMENT
Objectives O,F,C Risks Points of Focus for
Actions Control
Activities

1. Identify existing O Product or processes Clear communication of


technology or develop needs are not effectively needs and opportunities
new technology to communicated to to Technology
satisfy product needs as Technology Development
identified by marketing, Development
or operating or Identify needs by
management processes appropriate activities
needs as identified by
other activities Technology Retain personnel who
Development personnel are adequately qualified
do not have technical to fulfill their
ability to responsibilities
identify or develop
appropriate technology

2. Maintain a high level O,C Management does not Monitor business,


of knowledge regarding have access to technical and industry
current information relating to literature
technological current technological
developments that may developments
affect the entity Attend technical
seminars, conferences,
trade meetings,
expositions and similar
meetings

Periodically summarize
technological
developments and
distribute to appropriate
personnel

Technology Regularly communicate


Development personnel information, including
may acquire or have nature of the
knowledge that would program, status,
be useful in a manager, anticipated use
development program of technology and any
other than that with other pertinent
which they are information regarding
associated ongoing or planned
research
or development
programs


3. Ensure that developed C Technology may not be Detailed technology


technology does not adequately defined specifications, plans,
violate existing patents drawings, schematics
or other technical data
are created, to the extent
possible, in the concept
or early stages of
development, and are
modified as necessary
throughout the project

Relevant patents may Communicate technical


not be identified data to legal counsel for
use when conducting
patent searches

Existing patents may be Appropriate


disregarded management review and
approval of all
technology projects

4. Commit resources to O Technology Appropriate technology


those projects development projects do project review and
anticipated to have the not support entity-wide approval
greatest expected return objectives or strategies
for the entity
Technology Clear and complete
development communication from
management is unaware management regarding
of project priorities priorities

Activity: HUMAN RESOURCES
Objectives O,F,C Risks Points of Focus for
Actions Control
Activities
Manage Human
Resource Programs
1. Comply with C Management or Require supervisory and
applicable laws, supervisory personnel management personnel
regulations and are unaware of legal and to attend training
company policies regulatory requirements on labor laws and
and company policies regulations and
company personnel
policies
Management or Periodic review of
supervisory personnel policies and procedures
ignore legal and by legal counsel for
regulatory compliance with
requirements or applicable legal and
company policies regulatory requirements

Encourage personnel to
report suspected
violations of laws,
regulations or company
policies
Take appropriate
disciplinary actions for
violations of legal or
regulatory requirements

2. Maintain records that C Human resource Human resource


demonstrate compliance personnel are unaware personnel are subject to
with applicable laws of the records that must periodic training
and regulations be retained to regarding legal and
demonstrate compliance regulatory requirements
with applicable laws and
regulations Human resource
personnel have
appropriate training and
experience
prior to being hired

Records are lost or File and retain human


prematurely destroyed resource records in
accordance with laws,
regulations and good
business practice

Logs, checklists or other


appropriate tools are
used to ensure
appropriate records are
received and retained


Access to human
resource records is
restricted to authorized
personnel

Review and approve all


files selected for
disposition

Inaccurate or incomplete Review validity,


information is acquired accuracy and
and retained completeness of
information received
Record-keeping and retained in the form
requirements are of records
disregarded
Take appropriate
disciplinary or other
action when legal or
regulatory requirements
or company policies are
disregarded

3. Maintain O,C Human resource records Restrict access to human


confidentiality of human are not subject to proper resource records to
resource information security authorized personnel
procedures
Require proper security
codes to gain access to
confidential records
maintained on electronic
media; change such
access codes frequently

Monitor personnel
accessing human
resource records

Human resource Subject individuals who


personnel divulge provide confidential
confidential information information to
unauthorized persons to
disciplinary actions

Restrict access to
confidential information
to those persons who
need such information to
discharge their
responsibilities


4. Maintain employee O Compensation and Review and evaluate


turnover at an benefits are less than compensation and
acceptable level offered by other benefits on a regular
companies basis

Compare compensation
and benefits with those
offered by other
companies within the
industry and within the
local geographical area

Seek employee feedback


about their needs

Employees may not feel Periodic, standardized


their efforts are noticed performance evaluations
or appreciated and career counseling

Institute compensation
programs that reflect
past performance and
capacity for future
development
Plan and Acquire
Personnel
5. Acquire sufficient O Over- or underqualified Maintain appropriate
number of appropriately candidates may be hired candidate identification,
qualified personnel screening and
hiring practices

Maintain adequate job


descriptions and hiring
criteria that can
be used to measure and
compare candidates’
qualifications with
job requirements

Lack of awareness of Investigate and review


entity’s current human potential candidates
resources inside the entity
before considering
external candidates


Lack of qualified Identify and retrain


candidates qualified personnel
currently performing
other job functions

Establish networks and


candidate sources
outside of the local
geographical area

The entity may be Regularly update future


unaware of its future staffing requirements as
staffing needs part of ongoing
business planning

Labor organizations Continually identify


may call for strikes or union demands and
work slowdowns issues and take
reasonable steps to
avoid labor disputes

Identify viable
alternative sources of
labor in the event of a
labor dispute

Train and Develop


Employees
6. Ensure employees O Training requirements Solicit opinions and
receive adequate may not be adequately ideas of management,
training to discharge identified supervisors and
their responsibilities employees to identify
effectively training needs

Monitor performance or
other problems that may
indicate training
deficiencies

7. Ensure staff receive O Staff is not evaluated on Periodically evaluate


adequate feedback regular or timely basis performance and
regarding their provide career
performance and career counseling
development

Activity: MANAGE THE ENTERPRISE
Objectives O,F,C Risks Points of Focus for
Actions Control
Activities

1. Design and O Incomplete or inaccurate Develop a strategic plan


implement strategies information regarding that incorporates senior
that allow achievement changes affecting management’s
of entity-wide objectives the entity, such as vision for the company
competition, products,
customer preferences, Periodically evaluate
or legal and regulatory direction and priorities
changes set by senior
management to make
certain they are still
valid

Communicate
information regarding
competitors, products,
customers, and legal and
regulatory changes to all
relevant activities

Establish
communication, down,
up and across the
organization, to
allow prompt
identification and
resolution of problems
that impede
achievement of strategic
objectives

Lack of understanding Identify and analyze


of critical success critical success factors
factors from an industry
and entity standpoint

Insufficient or Identify and maintain


inappropriate resources adequate supply of
internal resources and
ensure availability of
external resources

Inadequate attention to Effectively


relationships with communicate with
shareholders, shareholders, investors
investors or other and other
outside parties outside parties


2. Maintain systems that O,F Information is too Establish an executive


allow timely specific to be usable management reporting
communication of system that focuses
accurate internal and on key information for
external information to managing the business
relevant personnel
Out-of-date systems Regularly review
information systems to
ensure that they meet
the changing needs of
the company

Inaccurate or untimely Institute information


information system that ensures the
accuracy and timeliness
of internal and external
information

3. Ensure entity O,C Lack of Code of Implement and monitor


personnel are aware of Conduct compliance with Code
acceptable actions and of Conduct
behavior
Employees do not Requirements of the
understand the Code of Code of Conduct are
Conduct reviewed with all new
employees, and
periodically with all
employees

Employees ignore the Appropriate disciplinary


Code of Conduct action for violations of
the Code of

Conduct to clearly
communicate the
message that violations
will
not be tolerated

Dishonest employees Hiring policies and


procedures require
reference checks on
employment candidates

Employees found
violating laws are
subject to appropriate
disciplinary action and
are reported to the
authorities for
prosecution

Activity: MANAGE EXTERNAL RELATIONS
Objectives O,F,C Risks Points of Focus for
Actions Control
Activities

1. Attempt to legally O Lack of understanding Employ personnel


influence government of government policies experienced in
policies and regulations government affairs as
that have an impact on the they relate to the entity
entity’s objectives

Monitor and
communicate regulatory
and other government
information

Join industry or trade


organizations that lobby
legislative or regulatory
bodies

2. Actively participate in O Participation dependent Establish reputation as


standard-making bodies on appointment industry leader

Limited number of Make certain that entity


positions officials are visible
spokespeople on
issues that affect the
entity

3. Participate in O Lack of information on Encourage staff to


community activities and awareness of support civic endeavors
that enhance the public community issues
image
of the company

Activity: PROVIDE ADMINISTRATIVE SERVICES
Objectives O,F,C Risks Points of Focus for
Actions Control
Activities

1. Provide quality O Lack of or excess staff Estimate service usage


services that are to ensure appropriate
delivered on a timely staffing levels
basis at the least cost
Lack of planning Where appropriate,
procedures that evaluate the value of
incorporate objectives of using outside service
administrative services companies rather than
providing service in-
house

Inadequate accounting Accurately capture costs


systems for allocating and distribute such costs
costs on an equitable basis

Activity: MANAGE INFORMATION TECHNOLOGY
Objectives O,F,C Risks Points of Focus for
Actions Control
Activities

Objective 1 (O,F,C): Use information technology (IT) to carry out the entity’s strategic plans

Risk: Insufficient interaction of information technology, financial and operating management in developing strategic plans

Points of focus:

Develop IT strategic plan that optimizes entity-wide investment in and use of IT, and ensure that IT initiatives support entity’s long-range plans

Involve users in the development and maintenance of the strategic IT plan

Use an IT steering committee

Objective 2 (O,F,C): Capture, process and maintain information completely and accurately and provide it to the appropriate people to enable them to carry out their responsibilities

Risk: Systems are not designed according to user needs or are not properly implemented

Points of focus:

Use a systems development life cycle, which includes the following key aspects or phases:
• Request for systems design
• Feasibility study
• General system design
• Detailed systems specifications
• Program development and testing
• System testing
• Conversion
• System acceptance and approval

Use project management procedures to ensure proper management of systems development activities

Involve users in review and approval to ensure systems are designed to meet user requirements

Establish adequate job set-up and execution procedures over:
• Setting up of batch jobs
• Loading on-line application systems
• Loading system software

Use control statements and parameters in processing that are in accordance with approved procedures

Require written approval, including user involvement where appropriate, for departures from authorized set-up and execution procedures

Establish adequate procedures for identifying, reporting and approving operator actions, such as:
• Initial loading of system and application software
• System failures
• Restart and recovery
• Emergency situation
• Any other unusual situations

Risk: Data files are subjected to unauthorized access

Points of focus:

Establish a security policy stating senior management’s commitment on information security; demonstrate such commitment through appropriate actions

Establish standards, procedures and guidelines that translate the security policy into rules and compliance criteria; these standards and procedures normally address such matters as:
• The information classification scheme for information stored on computers and outside of data processing, including security categories (e.g., research, accounting, marketing) and security levels (e.g., top secret, confidential, internal use only, unclassified)
• The data in each information class and the individuals or functions authorized to use the data and the control and protection requirements
• The types of classes of sensitive assets and for each:
    • Potential threats
    • Protection requirements
• The responsibilities of management, security administration, resource (data, programs or assets) owners, computer operations, system users and internal auditors, with respect to:
    • Ownership of resources
    • Procedures for granting access
    • Procedures for establishing users’ and access privileges
    • Required authorizations
    • Security monitoring
• The consequences of noncompliance with policy, standards and procedures
• The security implementation plan, if applicable

Risk: Programs are subjected to unauthorized modification

Points of focus:

Consider the development of an information security risk assessment

Use a security or access control software package to enhance the protection of data fields and system and program libraries

Use proper system software controls to ensure that system software is properly implemented, maintained and protected from unauthorized changes

Maintain proper physical security over computer hardware and software and information stored outside of data processing

Objective 3 (O,F,C): Information systems are available as needed

Risk: Lack of or poor business continuation planning

Points of focus:

Establish and maintain a commitment by senior management for business contingencies

Develop and maintain a business continuation plan

Assess the impact of new or modified systems on business continuation procedures

Establish alternative processing arrangements

Risk: Poor back-up and recovery procedures

Points of focus:

Regularly back up critical data files, systems and program libraries and store off-site

Risk: Inadequate safeguarding of IT resources

Points of focus:

Regularly test business continuation procedures

Activity: MANAGE RISKS (of accident or other insurable loss)
Objectives O,F,C Risks Points of Focus for
Actions Control
Activities

1. Prevent and reduce O Certain jobs, activities Identify hazardous jobs,


potential for accidents or locations are activities or locations
hazardous
Implement policies,
procedures or
precautions to enhance
workers’ safety

Monitor workers’
compensation or related
insurance claims and
compare with industry
averages (performance
indicator)

Identify causes of
accidents and implement
appropriate, cost-
effective safeguards

Ensure that capital


Out-of-date production expansion plans address
facilities safety objectives

Ineffective safety and Provide appropriate


employee training safety and training
programs programs to all new
employees

Provide periodic updates


on such programs to
existing employees

Poorly maintained or Establish a maintenance


inadequate equipment program that ensures
equipment is adequately
maintained. Investigate
and resolve employee
reports of
malfunctioning
equipment

Employees ignore safety Appropriately discipline


policies or procedures violators of safety
policies or procedures


2. Ensure compliance C Lack of knowledge Retain competent legal


with applicable regarding OSHA laws counsel to advise the
Occupational Safety and and regulations entity on OSHA
Health Administration requirements. Ensure
(OSHA) laws and legal counsel
regulations periodically reviews
applicable policies,
procedures and safety
precautions

3. Minimize insurance O Inaccurate, insufficient Ensure that all accidents


claims and other risk- or untimely information or other incidents that
related costs while regarding risk-related could give rise
maintaining adequate costs or accidents or to an insurance claim
insurance coverage incidents that could give are reported to
rise to an insurance appropriate personnel
claim
Ensure information
systems provide
information on all risk-
related costs, including
insurance premiums,
self-insured losses,
risk management
personnel costs and
other related costs

Ensure that all


significant risks
pertaining to all
activities
have been identified and
appropriately addressed,
for example: product
liability, property and
casualty, business
interruption and loss of
key personnel

Evaluate insurance
coverages and consider
opportunities to limit
costs through self-
insurance, captive or
off-shore insurance
companies, or other
techniques

Lack of knowledge of Retain personnel or


risk management cost advisors with risk
containment techniques management training
and experience

Activity: MANAGE LEGAL AFFAIRS
Objectives O,F,C Risks Points of Focus for
Actions Control
Activities

1. Ensure the entity C Management is unaware Retain legal counsel


complies with all laws of legal and regulatory with applicable industry
and regulations requirements experience

Legal counsel
periodically
communicates with
management about
legal and regulatory
requirements

Legal counsel is Review of all significant


unaware of all activities contracts and
taking place within agreements by legal
the entity counsel

Review of subsidiary,
division or unit annual
business plans by
legal counsel

Legal counsel attends


management meetings,
visits business locations
away from the executive
offices or otherwise
establishes adequate
communication with
subsidiary, division or
unit management to gain
a thorough
understanding of
enterprise activities

Encourage regular
communication between
legal counsel and the
internal and independent
auditors, and with the
board of directors and
its various committees

Changing legal and Legal counsel monitors


regulatory requirements new laws, regulations,
court decisions or
other events that could
impact the entity


2. Ensure contracts and O Legal counsel does not Review and approval of
agreements are clear, review contracts or all significant contracts
fair to the entity and agreements and agreements by legal
legally enforceable counsel

Limit personnel
authorized to execute
contracts or agreements
to responsible officials
at an appropriate
management level

3. Minimize litigation O Non-legal personnel are Implement training


costs and settlements unaware that certain programs for
circumstances could appropriate non-legal
potentially lead to personnel that address
litigation situations requiring
communication with
legal personnel

Include a clause in all


contracts and
agreements requiring
copies of all legal
notices or
correspondence from
other parties be sent
to legal counsel

Inaccurate information Monitor costs of current


or estimates regarding and previous litigation
costs of litigation
or anticipated Gather information on
settlements recent settlements or
awards in similar
litigation

Activity: PLAN
Objectives O,F,C Risks Points of Focus for
Actions Control
Activities

1. Develop long- and O Lack of awareness of Establish a planning


short-range plans that entity-wide objectives approach that uses as its
are in accordance with foundation entity-
entity-wide objectives wide objectives

Communicate entity-
wide objectives to
appropriate personnel
involved in the planning
process

Insufficient information Join industry and trade


regarding available associations
opportunities
Attend seminars or other
informative sessions
offered by outside
parties

Retain experienced and


competent management

2. Develop plans in O Inadequate management Establish information


a format that allows information systems systems that present
management to manage plan information in
the business and the same format as
measure progress on a historical information
timely basis
Plan formats are Monitor and evaluate
ineffective in providing the effectiveness of
necessary benchmarks plans. Enhance plan
against which formats to emphasize
performance can be critical success factors
measured

3. Develop plans using O Inadequate and out- Require agreement on


an efficient approach dated planning systems entity-wide objectives
before specific plans
are developed. When
allocating resources,
prioritization should
be made in accordance
with entity-wide
objectives


Develop and maintain


planning system and
communicate to all
relevant departments.
Conduct training when
appropriate

Gather information for


plans in accordance with
the business
focus used for managing
the business

Develop and follow


timetable for gathering,
analyzing and
consolidating planning
information

4. Develop plans that are O Incorrect information Review and test the
realistic and assumptions validity of assumptions

Consider all operational


support activities when
developing plans

Appropriate staff is
involved in developing
plans

Activity: PROCESS ACCOUNTS PAYABLE

Objective 1 (O,F): Accurately record invoices on a timely basis for all accepted purchases that have been authorized and only for such purchases
Risk: Missing documents or information
Points of focus:
• Prenumber and account for purchase orders and receiving reports
• Match invoice, receiving and purchase order information and follow up on missing or inconsistent information
• Follow up on unmatched open purchase orders, receiving reports and invoices and resolve missing, duplicate or unmatched items, by individuals independent of purchasing and receiving functions
Risk: Inaccurate input of data
Points of focus:
• Use of control totals or one-for-one checking
Risk: Invalid accounts payable fraudulently created for unauthorized or nonexistent purchases
Points of focus:
• Restrict ability to modify data
• Reconcile vendor statements to accounts payable items

Objective 2 (O): Identify available discounts
Risk: Missing or untimely receipt of documents
Points of focus:
• Investigate unmatched information before due date
• Maintain accounts payable ledger by discount date

Objective 3 (F): Accurately record returns and allowances for all authorized credits, and only for such credits
Risk: Missing documents or information
Points of focus:
• Prenumber and account for shipping orders for returned goods
• Match shipping orders for returned goods with vendors’ credit memos
• Follow up on unmatched shipping orders for returned goods and related receiving reports and invoices and resolve missing, duplicate or unmatched items, by individuals independent of accounts payable function
• Review vendor correspondence authorizing returns and allowances
Risk: Inaccurate input of data
Points of focus:
• Reconcile accounts payable records with vendor statements
• Use of control totals or one-for-one checking

Objective 4 (O,F): Ensure completeness and accuracy of accounts payable
Risk: Unauthorized input for nonexistent returns
Points of focus:
• Reconcile accounts payable subsidiary ledger with purchase and cash disbursement transactions
Risk: Unauthorized additions to accounts payable
Points of focus:
• Resolve differences between the accounts payable subsidiary ledger and the accounts payable control account

Objective 5 (O,F): Safeguard accounts payable records
Risk: Unauthorized access to accounts payable records and stored data
Points of focus:
• Restrict access to accounts payable and files used in processing payables
• Restrict access to mechanical check signers and signature plates

Activity: PROCESS ACCOUNTS RECEIVABLE

Objective 1 (O): All goods shipped are accurately billed in the proper period
Risk: Missing documents or incorrect information
Points of focus:
• Use standard shipping or contract terms
• Communicate nonstandard shipping or contract terms to accounts receivable
• Verify shipping or contract terms before invoice processing
Risk: Improper cutoff of shipments at the end of a period
Points of focus:
• Identify shipments as being before or after period-end by means of a shipping log and prenumbered shipping documents
• Reconcile goods shipped to goods billed

Objective 2 (O,F): Accurately record invoices for all authorized shipments and only for such shipments
Risk: Missing documents or incorrect information
Points of focus:
• Prenumber and account for shipping documents and sales invoices
• Match orders, shipping documents, invoices and customer information, and follow through on missing or inconsistent information
• Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function
• Monitor number of customer complaints regarding improper invoices or statements (performance indicator)

Objective 3 (O,F): Accurately record all authorized sales returns and allowances and only such returns and allowances
Risk: Missing documents or incorrect information
Points of focus:
• Authorize credit memos by individuals independent of accounts receivable function
• Prenumber and account for credit memos and receiving documents
• Match credit memos and receiving documents and resolve unmatched items by individuals independent of the accounts receivable function
Risk: Inaccurate input of data
Points of focus:
• Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function

Objective 4 (O,F): Ensure continued completeness and accuracy of accounts receivable
Risk: Unauthorized input for nonexistent returns, allowances and write-offs
Points of focus:
• Review correspondence authorizing returns and allowances
• Reconcile accounts receivable subsidiary ledger with sale and cash receipts transactions
• Resolve differences between the accounts receivable subsidiary ledger and the accounts receivable control account

Objective 5 (O,F): Safeguard accounts receivable records
Risk: Unauthorized access to accounts receivable records and stored data
Points of focus:
• Restrict access to accounts receivable files and data used in processing receivables

Activity: PROCESS FUNDS

Objective 1 (O): Accurately forecast cash balances to maximize short-term investment income and to avoid cash "shortfalls"
Risk: Inaccurate, untimely or unavailable information regarding cash inflows and outflows
Points of focus:
• Information systems identify all sources of cash and dates cash is due or expected to be collected (such sources include accounts receivable collections, customer deposits, sale of assets, loan proceeds and other cash sources)
• Information systems identify all cash requirements and dates cash is needed (such requirements include accounts payable, loan payments, payrolls, dividends or other cash requirements)
• Identify all internal sources of information
• Compare information used to prepare cash forecasts with supporting records or underlying documents to verify information is internally consistent

Objective 2 (O): Ensure necessary financing is available in the event of a cash "shortfall"
Risk: Lack of awareness regarding financing alternatives
Points of focus:
• Retain financial personnel experienced in obtaining financing for similar entities
• Identify professional advisors who can assist in locating alternative sources of financing and consult those advisors as appropriate
Risk: Failure to establish or maintain appropriate relationships with financing sources
Points of focus:
• Establish relationships with financing sources before financing is needed. Maintain proper and current relationships to facilitate access to cash as the need arises

Objective 3 (O): Optimize return on temporary cash investments
Risk: Lack of knowledge regarding investment alternatives
Points of focus:
• Retain financial personnel experienced in short-term investments
• Use professional investment advisors

Objective 4 (O): Accelerate cash collections
Risk: Handling cash receipts internally can delay deposit of such receipts
Points of focus:
• Consider "lock-box" arrangements whereby payments are remitted to a post office box and the bank collects and deposits such remittances
Risk: Customers delay remittance
Points of focus:
• Factor accounts receivable
• Honor bank credit cards
• Offer discounts for timely remittance
• Establish and enforce collection policies
• Monitor accounts receivable for overdue balances; implement collection procedures on a timely basis
Risk: Excessive accounts receivable collection problems
Points of focus:
• Establish and enforce a credit policy that reflects an appropriate balance between risk of credit loss and sales volume

Objective 5 (O,F): Record cash receipts on accounts receivable completely and accurately
Risk: Cash received is diverted, lost or otherwise not reported accurately to accounts receivable
Points of focus:
• Assign opening of mail to an individual with no responsibility for or access to files or documents pertaining to accounts receivable or cash accounts; compare listed receipts to credits to accounts receivable and bank deposits
• Consider use of lock-box or other arrangements to accelerate deposits
• Consider ability to have customers transfer funds electronically to the entity’s bank account, and notify the entity of payment through Electronic Data Interchange (EDI)
Risk: Receipts are for amounts different than invoiced amounts, or are not identifiable
Points of focus:
• Send periodic statements to customers and investigate customer-noted differences (performance indicator)
• Reconcile general ledger with accounts receivable subsidiary records; investigate differences
• Contact payor to determine reasons for payment, or payment different than amounts invoiced

Objective 6 (O): Manage timing of cash disbursements
Risk: Inaccurate, untimely or unavailable information regarding payment due dates
Points of focus:
• Information system identifies all cash requirements and dates cash is needed
• Use accounts payable aging analysis
Risk: Bills are paid before due dates
Points of focus:
• Delay check preparation or signature until the due date
• Release check at the latest possible time and at the end of a day or week, if possible
Risk: Checks clear the bank quickly
Points of focus:
• Consider check-clearing time when selecting a bank

Objective 7 (O): Minimize cash disbursements
Risk: Information system does not identify available discounts and related required payment dates
Points of focus:
• Information system identifies payment dates related to available discounts

Objective 8 (O,F): Disburse cash only for authorized purchases
Risk: Fictitious documentation is created
Points of focus:
• Examine supporting documents, payments approved by individuals independent of procurement, receiving and accounts payable
Risk: Reuse of supporting documents
Points of focus:
• Cancel supporting documents to prevent resubmission for payment

Objective 9 (O,F): Remit disbursements to vendors and others, such as for dividends, debt service, and tax or other payments, in a timely and accurate manner
Risk: Inaccurate, untimely or unavailable information regarding amounts or due dates of payments
Points of focus:
• Detailed comparison of actual versus budgeted disbursements
• Compare payment amounts and recipients with source documents, such as vendor invoices, purchase orders, tax returns, dividend computations, loan repayment schedules or other appropriate documentation; verify accuracy of supporting documents
• Establish a "tickler file" to identify payment due dates
• Modify information systems as necessary to provide payment information

Objective 10 (O,F): Record cash disbursements completely and accurately
Risk: Missing documents or information
Points of focus:
• Match disbursement records against accounts payable/open invoice files
• Prenumber and account for checks
• Reconcile bank statements to cash accounts and investigate long-outstanding checks by individuals independent of accounts payable and cash disbursement functions

Objective 11 (O,F): Safeguard cash and the related accounting records
Risk: Inadequate physical security over cash and documents that can be used to transfer cash
Points of focus:
• Segregate custodial and record-keeping functions
• Reconcile bank accounts by individuals without responsibility for cash receipts, disbursements or custody
• Receive and prelist cash by individuals independent of recording cash receipts
• Restrictively endorse checks on receipt
• Deposit receipts intact daily
• Restrict access to accounts receivable files and files used in processing cash receipts
• Mail checks by individuals independent of recording accounts payable
• Authorized check signers are independent of cash receipts functions
• Physically protect mechanical check signers and signature plates
• Restrict access to accounts payable files and files used in processing cash disbursements

Activity: PROCESS FIXED ASSETS

Objective 1 (O,F): Completely and accurately record fixed asset transfers, acquisitions, dispositions and related depreciation
Risk: Acquisition documentation may be lost or otherwise not communicated to proper personnel
Points of focus:
• Prenumber individual capital expenditure authorizations and investigate missing documents
• Route copy of purchase orders for capital expenditures to personnel who process fixed assets; investigate purchase orders not matched with receiving documentation after anticipated receipt date
• Reconcile fixed asset additions with capital expenditure authorizations
Risk: Acquired assets may not be adequately described
Points of focus:
• Inquire of purchasing or other personnel to clarify asset description or function
• Establish clear definitions for asset categories
Risk: Asset disposals or transfers may not be communicated to proper personnel
Points of focus:
• Dispose of or transfer fixed assets only with proper authorization, a copy of which is provided to appropriate personnel
• Prenumber fixed asset disposal and transfer authorization forms and investigate missing documents
• Count fixed assets periodically, reconcile count with fixed asset records and investigate differences
Risk: Incorrect depreciation lives or methods may be used
Points of focus:
• Establish policies regarding depreciation lives and methods, communicate them to appropriate personnel, and periodically review them to ensure continued appropriateness
• Review depreciation detail for accuracy and compliance with policies and procedures

Objective 2 (O): Safeguard fixed assets from loss through theft
Risk: Inadequate physical security over fixed assets
Points of focus:
• Restrict access to facilities during non-working hours
• Affix an identification plate and number to office furniture and fixtures, equipment and other portable fixed assets
• Develop, implement and communicate safeguarding policies

Activity: ANALYZE AND RECONCILE

Objective 1 (O): Compare operating results with pre-established standards, such as budgets or prior-period results. Identify variances, trends or unusual changes and their causes
Risk: Pre-established standards are not determined
Points of focus:
• Periodically establish operating standards, such as quarterly or annual budgets
Risk: Lack of or inaccurate information needed to compare actual results with pre-established standards
Points of focus:
• Specify information needed to identify and explain variances, trends or unusual changes
• Design information systems to communicate necessary information to appropriate people on a timely basis

Objective 2 (O,F): Reconcile books and records to ensure their internal consistency
Risk: (Note: Risks for this objective vary, depending on the reconciliation procedures and the nature of the information being reconciled. Accordingly, reconciliation procedures are identified, where appropriate, in other sections of this Reference Manual)

Activity: PROCESS BENEFITS AND RETIREE INFORMATION

Objective 1 (O,C): Ensure all eligible individuals, and only such individuals, are included in benefit programs
Risk: Program eligibility requirements are not clearly communicated to appropriate personnel
Points of focus:
• Train and update appropriate personnel regarding plan eligibility requirements and amendments thereto
Risk: Inaccurate employee information is provided to benefits personnel
Points of focus:
• Compare information to employee personnel file or otherwise verify its accuracy
• Limit access to employee database
Risk: Eligible employees are improperly excluded from participation
Points of focus:
• Periodically match participant list to employee and/or retiree list and to documentation of employees’ elections not to participate
Risk: Nonexistent employees are entered as program participants or beneficiaries
Points of focus:
• Periodically compare participant list to employee and/or retiree list
• Approval by an authorized official of all additions to participant data base
• Verify existence and status of participant

Objective 2 (O,C): Accurately calculate benefits due to each participant
Risk: Plan benefit provisions are unclear or complex
Points of focus:
• Ensure plan documents describe benefit provisions clearly and include sample calculations
• Amend plan as necessary to clarify benefit computations
• Consult legal, actuarial or other professionals as needed to clarify benefit provisions
Risk: Errors are made in calculating benefits
Points of focus:
• Standardize forms or programs for calculating benefits
• Review benefit calculations
Risk: Inaccurate information
Points of focus:
• Limit access to information and data used in calculating benefits
• Approve all changes to data bases used to calculate benefits

Objective 3 (O): Summarize and track benefit information
Risk: Lost or misplaced information
Points of focus:
• Reconcile various related reports
• Use logs or other devices to ensure completeness of processing

Objective 4 (C): Comply with applicable laws and regulations
Risk: Personnel are unaware of applicable laws and regulations
Points of focus:
• Train human resource or other personnel on applicable laws and regulations
• Review and approve all plan documents and policies by legal counsel experienced in employee and retiree benefit programs

Objective 5 (O): Generate and distribute benefits reports in an accurate and timely manner
Risk: Lack of adequate systems
Points of focus:
• Ensure that report generation systems process information accurately and satisfy reporting deadlines
Risk: Lack of understanding of reporting requirements
Points of focus:
• Implement and monitor training programs

Activity: PROCESS PAYROLL

Objective 1 (O): Pay employees in accordance with wage contracts and other established policies
Risk: System is not designed to reflect payment schedule included in collective bargaining agreements or individual agreements with employees
Points of focus:
• Implement payment schedule that reflects wage contracts and agreed-upon payment schedules

Objective 2 (O,F): Calculate and record payroll (including payroll deductions) accurately and completely for all services actually performed and approved, and only for such services
Risk: Pay rates or deductions are not properly authorized or are inaccurate
Points of focus:
• Review and approve initial pay and any subsequent additions or changes
• Periodically verify payroll data base information
• Review and approve initial deductions/benefit elections
• Use standard forms for making changes to payroll information
• Review and approve all nonstandard items such as sick, vacation and bonus pay
• Review payroll register and checks for reasonableness
• Security controls that limit access to payroll data base
Risk: Hours are not authorized or are inaccurate
Points of focus:
• Review and approve time records for unusual or nonstandard hours and for overtime
Risk: Time cards or other source information is submitted for nonexistent employees
Points of focus:
• Use standardized policies and procedures when hiring employees
• Security procedures relating to additions and deletions of employees to or from the data base
• Maintain logs or other documentation supporting or tracking changes to payroll data base
• Where practical, require valid identification and employee signature to receive paycheck
• Prohibit payment of wages in cash, except in prescribed circumstances
• Use direct deposit systems
Risk: Lack or loss of information or documents
Points of focus:
• Verify that source documents such as timecards are received for all employees
• Maintain back-up records of employees’ time in case source documents are lost
• Reconcile the employee subsidiary ledger to the general ledger control accounts; investigate any differences
• Compare total hours and number of employees input with the totals in the payroll register

Objective 3 (O): Restrict access to payroll data information to only those individuals who need such information to discharge duties
Risk: Unauthorized personnel may gain access to payroll information
Points of focus:
• Access to information stored on electronic media is restricted by frequently changed passwords
• Payroll processing systems and written information are subject to physical security

Objective 4 (O): Provide payroll information to relevant personnel to satisfy management information needs
Risk: Management information needs with respect to payroll are not defined
Points of focus:
• Identify how payroll information can satisfy other management objectives and link information sources

Activity: PROCESS TAX COMPLIANCE

Objective 1 (F,C): Accurately process, prepare and file required tax documents on a timely basis
Risk: Inadequate information about, or understanding of, filing requirements and applicable laws and regulations
Points of focus:
• Employ competent tax professionals either in-house or outside the entity to identify and prepare filings
• Subscribe to tax services and/or maintain membership in appropriate industry, trade or professional organizations to identify emerging tax requirements or opportunities
• Establish a system, such as a "tickler file," to identify tax filing due dates
Risk: Incomplete or inaccurate information used as the basis for document preparation
Points of focus:
• Identify information necessary to prepare tax documents; ensure information systems are designed to accurately provide such information on a timely basis

Objective 2 (O,C): Reduce tax liabilities to the legal minimum
Risk: Inadequate information regarding tax-savings opportunities
Points of focus:
• Ensure tax professionals are fully informed of all aspects of the entity’s operations, including routine and nonroutine transactions, and any changes in the entity’s business lines or methods of conducting business
• Periodically review tax filings and status to specifically identify tax-savings opportunities

Objective 3 (F,C): Record the effect of all tax transactions or economic events completely and accurately
Risk: Inadequate information about, or understanding of, financial reporting of tax transactions or economic events
Points of focus:
• Employ personnel who understand financial reporting for taxes
• Subscribe to technical service and/or maintain memberships in appropriate industry, trade or professional organizations that identify and explain new or existing financial reporting requirements
Risk: Journal entries related to tax transactions or economic events are not properly approved or posted to the general ledger
Points of focus:
• Journal entries related to taxes are approved by authorized and knowledgeable officials
• Each journal entry is compared with the general ledger to ensure proper posting

Activity: PROCESS PRODUCT COSTS

Objective 1 (O,F): Develop standard costs of producing products, including costs at each stage of the production process
Risk: Inadequate or inaccurate information
Points of focus:
• Identify information necessary to develop standard product costs; ensure information systems accurately provide such information on a timely basis (this information may include such items as units planned to be produced, budgeted labor hours and costs, budgeted overhead costs and estimated material costs; it should take into account the impact of technology on the manufacturing process and consider the proper basis on which to allocate costs)
• Periodically evaluate the production process and estimate the costs associated with each stage of the process
Risk: Poorly organized production process
Points of focus:
• See the Operations section of this Reference Manual
Risk: Inability to identify the stage of production
Points of focus:
• Clearly define and organize each stage of production; appropriately document such stages
• Establish systems to routinely identify stage of completion; periodically verify system is functioning properly

Objective 2 (O,F): Record actual costs incurred completely and accurately
Risk: Inaccurate, untimely or unavailable information regarding actual costs incurred
Points of focus:
• Prenumber and account for the numerical sequence of requisitions of materials and component parts issued to and returned from production; investigate missing or duplicate (unmatched) items by people independent of the materials handling function
• Reconcile records of labor and overhead charges to payrolls and overhead cost incurred; investigate differences
• Prenumber and account for the numerical sequence of production reports or other records of finished production and transfers within work-in-process; reconcile those reports to quantities recorded; investigate missing documents and differences
• Review and approve monthly summarizing entries
• Maintain perpetual inventory records
• Periodically balance the raw materials, work-in-process and finished goods records (previous balance plus additions less transfers out, compared with the current total)
• Periodically count raw materials, work-in-process and finished goods inventories and compare with the perpetual records; investigate differences
• Reconcile the perpetual records to the general ledger control accounts, and approve adjustments, by personnel other than those responsible for maintaining related perpetual records or for safeguarding inventories

Objective 3 (O,F): Determine variances from standard costs and their effect on inventory and cost of sales
Risk: Variances are computed or recorded inaccurately
Points of focus:
• Compute variances for each appropriate product; verify completeness by comparison to product list or other appropriate document
• Verify variance accuracy by recomputation or other appropriate methods
• Review general ledger or other records to ensure variances are recorded accurately

Activity: PROVIDE FINANCIAL AND MANAGEMENT REPORTING

Objective 1 (O): Provide timely and accurate information needed by management and others to discharge their responsibility
Risk: Information needs of management or others are unknown or not clearly communicated
Points of focus:
• Identify user information needs and update such needs periodically
• Communicate information needs from users to preparers of management reports
Risk: Due dates and relative priorities of all management reports are not clarified or communicated
Points of focus:
• Determine due dates for management reports, whether routine or nonroutine
• Establish relative priorities for all management reports, whether routine or nonroutine
• Communicate management report due dates and priorities to report preparers and users
• Establish "tickler files" or other system to ensure due dates are routinely identified
Risk: Information systems are incapable of providing necessary information
Points of focus:
• Identify information that the system is incapable of generating; identify necessary modifications to the system

Objective 2 (F,C): Prepare external financial reports on a timely basis and in compliance with applicable laws, regulations, rules or contractual agreements
Risk: Information systems cannot provide necessary information in a timely manner
Points of focus:
• Identify and implement necessary systems changes
Risk: Personnel are unaware of applicable laws, regulations, rules or contractual agreements
Points of focus:
• Retain competent personnel who are knowledgeable of, and have experience with, applicable laws, regulations or rules affecting the entity’s external financial reporting
• Review of significant contractual agreements by management or supervisory personnel responsible for preparation of external financial reports

Objective 3 (O,C): Maintain confidentiality of financial information
Risk: Unauthorized personnel have access to financial information
Points of focus:
• Restrict report or information distribution to authorized personnel; periodically review and update distribution lists
