
The AES Corporation

INTERNAL CONTROL
GUIDE

August 2003
Table of Contents

Part 1 Introduction
100 Objective
110 Scope
120 Responsibility
130 Oversight and Evaluation
140 Effective Date
150 Updates and Revisions
160 Definition of Terms
170 Exceptions and Exemptions

Part 2 Internal Control Overview
200 Statutory Significance of Internal Controls
  201 Foreign Corrupt Practices Act of 1977
  202 Sarbanes-Oxley Act of 2002
210 Internal Control Definition
  211 Internal Control Over Financial Reporting
  212 Disclosure Controls and Procedures
220 Internal Control Framework
  221 Control Environment
  222 Risk Assessment
  223 Control Activities
  224 Information and Communication
  225 Monitoring
230 Management’s Assessment of Control Effectiveness
  231 Overview
  232 Required Documentation
  233 Significant Controls
  234 Locations
  235 Design Effectiveness
  236 Operating Effectiveness
  237 Control Deficiencies

Part 3 Internal Control Standards
300 Introduction
  301 General Control Requirements
  302 Treasury Cycle
  303 Procurement Cycle
  304 Revenue Cycle
  305 Fixed Assets and Leasing Cycle
  306 Payroll Cycle

Part 4 Reference Materials
400 Glossary of Key Terms

Part 1 – Introduction
The Internal Control Guide (“the Guide”) is an integral part of AES’s internal control framework.
The Guide is intended to be the foundation of awareness and understanding throughout AES
regarding the fundamentals of internal control, management’s obligations with respect to internal
control, and the Internal Control Standards applicable to select AES financial processes.

The Guide is designed to be a useful reference tool to help you understand and discharge your
internal control responsibilities.

100 Objective

The Guide provides guidance regarding internal controls that will enhance –

• ownership and responsibility for internal control,
• the integrity of business activities,
• the quality and consistency of internal control and, therefore, the quality and
consistency of financial records and disclosures, and
• compliance with laws and regulations applicable to AES financial dealings and
financial reporting.

A universal understanding of internal control and consistent application and execution of the
Internal Control Standards contained herein will help achieve this objective.

110 Scope

The Guide has been issued to all Business Leaders and AES people who are either responsible for
or participate in AES’s financial processes and functions. All AES business units will comply fully
with the Standards set forth in Part 3 of the Guide; however, these Standards are not mandated for
equity-method affiliates. Additional copies of the Guide are available from Corporate Accounting.

120 Responsibility

Each Business Leader is responsible for the ethical conduct of his/her business people and
ensuring that the Internal Control Standards (Part 3) are communicated, established, documented,
and maintained within their respective business units. Every business person must take ownership
of and responsibility for internal controls and ethical conduct. Compliance with the Standards will
be monitored by periodic internal audits, external audits, and control self-assessments. Business
Leaders will be required annually to assess and certify the effectiveness of their internal controls.

130 Oversight and Evaluation

The Audit Committee of the AES Board of Directors, the CEO, and the CFO will monitor adherence
to this Guide through periodic reporting by AES’s Chief Audit Executive and external auditors.
Additionally, management will annually assess and report on the effectiveness of internal controls
as required by section 404 of the Sarbanes-Oxley Act. Adherence to this Guide will be a
consideration of management’s annual internal control assessment process.

140 Effective Date

The Internal Control Guide is effective as of September 1, 2003.

150 Updates and Revisions

The Guide contains internal control guidance and Standards applicable to AES’s financial
processes and functions as of the effective date. From time to time, Corporate Accounting will
update or revise the Guide to reflect:

• new internal control guidance,
• relevant new or revised laws and regulations,
• Internal Control Standards for additional financial processes, and
• other revisions as necessary to ensure the Guide addresses internal control-related
matters relevant to AES.

160 Definition of Terms

Technical terms have been used consistently with their intended meanings as defined by various
authoritative publications. A glossary of key terms is provided in Part 4 of this Guide.

170 Exceptions and Exemptions

The manner in which the Internal Control Standards (Part 3) are implemented and executed is a
matter of each business unit’s reasonable professional judgment. The Standards are presented in
terms of desired operating conditions; however, it is recognized that situations may exist where
optimal conditions are either not attainable or not applicable. When this occurs, the business unit
must document each Standard that cannot be followed and the circumstances justifying
non-compliance. Where Standards are not applicable or cost exceeds benefit, the basis for this
determination must be clearly documented. All exceptions must be reviewed and approved by the
responsible Business Leader and Corporate Accounting.

Exemptions from the Standards as a whole will not be granted under any circumstances.

Part 2 – Internal Control Overview
The concept of “internal control” is not new. For centuries, business people have created systems
of checks and balances to identify risks, prevent or detect financial errors and fraud, improve
productivity and reduce costs, and comply with laws and regulations governing the conduct of
business operations. These checks and balances require management’s commitment and
resources to be effective.

However, internal controls are often overlooked in our modern business environment - time is
short, human resources are limited, and money may not be properly allocated to corporate
housekeeping activities. It’s no surprise that “internal control” (or lack thereof) receives much
attention and blame in the aftermath of corporate scandals. Lawmakers, regulators, and the
investing public inevitably conclude that, if companies simply maintain effective systems of internal
control, fraud and business failures could be prevented – or at least detected and remedied. In this
regard, the US Congress determined that an effective internal control system is more than just
prudent business practice; now it is the law.

200 Statutory Significance of Internal Controls

The US Congress reacted to several notable corporate financial crises during the last 30 years
by raising and revisiting the broad concept of “internal control.” It is clear that the US Congress
strongly views internal control as an important element of restoring investor confidence and
preventing future wrongdoing. During the following financial crises, the US Congress imposed
increasingly tougher requirements on US corporations to create and maintain effective systems of
internal control:

Period | Financial Crisis | New Law
Early 1970s | Allegations of widespread bribery of foreign government officials by US Companies | Foreign Corrupt Practices Act of 1977 (“FCPA”)
Late 1980s | Savings and loan crisis | Federal Deposit Insurance Corporation Improvement Act of 1991 (“FDICIA”)
Early 2000s | Catastrophic failures of large corporations | Sarbanes-Oxley Act of 2002 (“SOA”)

Two of these laws (i.e., the FCPA and SOA) are applicable to AES as a publicly-traded company.
The following sections address in more detail the relevant portions of each of these laws.

201 Foreign Corrupt Practices Act of 1977

The Foreign Corrupt Practices Act of 1977 (“FCPA”) established the first broad legal requirement
for US publicly-traded corporations to keep accurate and detailed accounting records and to
“devise and maintain” a system of “internal accounting control.” More specifically, the FCPA
requires, in relevant part, that SEC registrants subject to the Securities and Exchange Act of 1934
must:

1. Make and keep books, records, and accounts, which in reasonable detail, accurately and
fairly reflect the transaction and disposition of the assets of the issuer (company)…
2. Devise and maintain a system of internal accounting controls sufficient to provide
reasonable assurances that:
a. Transactions are executed in accordance with management’s general or
specific authorization;
b. Transactions are recorded as necessary (i) to permit preparation of financial
statements in conformity with generally accepted accounting principles or any
other criteria applicable to such statements and (ii) to maintain accountability
for assets;
c. Access to assets is permitted only in accordance with management’s general
or specific authorization; and
d. The recorded accountability for assets is compared with the existing assets at
reasonable intervals and appropriate action is taken with respect to any
differences.

The Act further states that “no person shall, directly or indirectly, falsify or cause to be falsified, any
book, record or account [of the company].” Under this provision, an individual can be liable under
the Act even if he did not have a specific intent to deceive, defraud, or manipulate. Violations
under this provision would include (1) knowledge that you are falsifying, or (2) good reason to know
you are falsifying, or (3) making an entry in a book or record, which reasonable persons would in
the circumstances consider to be false. A willful failure to comply with the Act’s internal control and
record keeping requirements carries a stiff penalty including imprisonment for up to five years and
personal fines of up to $10,000.

The FCPA does not require, however, that companies report affirmatively in their SEC filings that a
system of internal accounting control exists, is adequate, or is operating effectively with respect to
the FCPA’s provisions. Shortly after the FCPA’s effective date, the SEC attempted to impose such
a reporting requirement, but ultimately withdrew its proposal in favor of voluntary industry initiatives
for public reporting on corporate internal accounting controls.

202 Sarbanes-Oxley Act of 2002

The high profile collapses of Enron and WorldCom, as well as countless other corporate scandals,
prompted lawmakers and the public to search for answers. Lawmakers concluded that one of the
answers to these significant business failures was a lack of adequate and effective internal control
systems. Reacting quickly, the US Congress passed the Sarbanes-Oxley Act of 2002 (the “Act”),
which has refocused US publicly-traded corporations on the importance of internal control.

Now, the passive-compliance requirements of the FCPA have been replaced by active-compliance
requirements that include quarterly and annual evaluation, reporting, and certification of internal
controls by senior management and a new internal control audit report to be issued by external
auditors. Like the FCPA, the Sarbanes-Oxley Act only applies to SEC registrants subject to the
Securities and Exchange Act of 1934.

Internal control requirements are addressed primarily in sections 302 and 404 of the Act. The
specific requirements of each of these sections are described in further detail below.

Sarbanes-Oxley Section 302 – Disclosure Controls and Procedures

Section 302, as implemented by SEC Rule 33-8124, is applicable to each AES quarterly and
annual report filed with the SEC for periods ending on or after September 30, 2002. Section 302
requires:

[A]n issuer’s principal executive officer or officers and the principal financial officer or
officers, or persons performing similar functions, each to certify in each quarterly and
annual report, including transition reports, filed or submitted by the issuer under Section
13(a) or 15(d) of the Exchange Act that:

• He or she has reviewed the report;

• Based on his or her knowledge, the report does not contain any untrue
statement of a material fact or omit to state a material fact necessary in order
to make the statements made, in light of the circumstances under which such
statements were made, not misleading with respect to the period covered by
the report;

• Based on his or her knowledge, the financial statements, and other financial
information included in the report, fairly present in all material respects the
financial condition, results of operations and cash flows of the issuer as of,
and for, the periods presented in the report;

• He or she and the other certifying officers:

  o Are responsible for establishing and maintaining “disclosure controls
  and procedures” (a newly-defined term reflecting the concept of
  controls and procedures related to disclosure embodied in Section
  302(a)(4) of the Act) for the issuer;

  o Have designed such disclosure controls and procedures to ensure
  that material information is made known to them, particularly during
  the period in which the periodic report is being prepared;

  o Have evaluated the effectiveness of the issuer’s disclosure controls
  and procedures as of the end of the period; and

  o Have presented in the report their conclusions about the
  effectiveness of the disclosure controls and procedures based on the
  required evaluation as of that date;

• He or she and the other certifying officers have disclosed to the issuer’s
auditors and to the audit committee of the board of directors (or persons
fulfilling the equivalent function):

  o All significant deficiencies in the design or operation of internal
  controls (a pre-existing term relating to internal controls regarding
  financial reporting) which could adversely affect the issuer’s ability to
  record, process, summarize and report financial data and have
  identified for the issuer’s auditors any material weaknesses in
  internal controls; and

  o Any fraud, whether or not material, that involves management or
  other employees who have a significant role in the issuer’s internal
  controls; and

• He or she and the other certifying officers have indicated in the report
whether or not there were significant changes in internal controls or in other
factors that could significantly affect internal controls subsequent to the date
of their evaluation, including any corrective actions with regard to significant
deficiencies and material weaknesses.

Also, Section 302 requires that organizations disclose any change in their “internal control over
financial reporting” (discussed later in this section) that occurred during the fiscal quarter covered
by the report if that change has materially affected, or is reasonably likely to materially affect, the
company’s internal control over financial reporting.

For purposes of these new requirements, the newly-coined concept of “disclosure controls and
procedures” (as opposed to “internal controls over financial reporting”) is defined as:

Controls and other procedures of an issuer that are designed to ensure that information
required to be disclosed by the issuer in the reports filed or submitted by it under the
[Securities Exchange Act of 1934] is recorded, processed, summarized and reported,
within the time periods specified in the Commission’s rules and forms.

Disclosure controls and procedures include, without limitation, controls and procedures designed to
ensure that information required to be disclosed by an issuer in its Exchange Act reports is
accumulated and communicated to the issuer’s management, including its principal executive and
financial officers, as appropriate, to allow timely decisions regarding required disclosure.

Additional information regarding the similarities and differences between “disclosure controls and
procedures” and “internal control over financial reporting” is provided in sections 211 and 212 of
this Guide.

Sarbanes-Oxley Section 404 - Internal Control Over Financial Reporting

Section 404, as implemented by SEC Rule 33-8238, is applicable to annual reports filed with the
SEC ending on or after December 31, 2004. This section requires:

[A] company’s annual report to include an internal control report of management that
contains:

• A statement of management’s responsibilities for establishing and
maintaining adequate internal control over financial reporting for the
company;

• A statement identifying the framework used by management to conduct the
required evaluation of the effectiveness of the company’s internal control over
financial reporting;

• Management’s assessment of the effectiveness of the company’s internal
control over financial reporting as of the end of the company’s most recent
fiscal year, including a statement as to whether or not the company’s internal
control over financial reporting is effective. The assessment must include
disclosure of any “material weaknesses” in the company’s internal control
over financial reporting identified by management. Management is not
permitted to conclude that the company’s internal control over financial
reporting is effective if there are one or more material weaknesses in the
company’s internal control over financial reporting; and

• A statement that the registered public accounting firm that audited the
financial statements included in the annual report has issued an attestation
report on management’s assessment of the registrant’s internal control over
financial reporting.

Similar to and consistent with the “internal accounting control” language previously enacted and
required by the FCPA, the term “internal control over financial reporting” as used here by the SEC
is defined as:

A process designed by, or under the supervision of, the registrant’s principal executive
and principal financial officers, or persons performing similar functions, and effected by
the registrant’s board of directors, management and other personnel, to provide
reasonable assurance regarding the reliability of financial reporting and the preparation
of financial statements for external purposes in accordance with generally accepted
accounting principles and includes those policies and procedures that:

(1) Pertain to the maintenance of records that in reasonable detail accurately and
fairly reflect the transactions and dispositions of the assets of the registrant;

(2) Provide reasonable assurance that transactions are recorded as necessary to
permit preparation of financial statements in accordance with generally accepted
accounting principles, and that receipts and expenditures of the registrant are being
made only in accordance with authorizations of management and directors of the
registrant; and

(3) Provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use or disposition of the registrant’s assets that could have
a material effect on the financial statements.

In the context of the FCPA and the foregoing SEC rules that implement the Sarbanes-Oxley Act,
the following sections of this Guide define in more detail both “disclosure controls and procedures”
and “internal controls over financial reporting” within the broader framework of “internal control” that
AES has adopted and implemented.

210 Internal Control Definition

Because there are a variety of different definitions of the term “internal control,” and because its
meaning has changed over time, it is important to establish a universal understanding of that term
as it relates to AES. Unfortunately, the SEC’s current definitions of the term “internal control over
financial reporting” and its new term “disclosure controls and procedures” are not sufficient to
establish the common understanding necessary to appreciate the broad scope of the internal
control framework adopted by AES.

As part of a private initiative to define “internal control” and devise a comprehensive method to
evaluate and report publicly on corporate internal control systems, the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) issued a report that provides a definition of
“internal control” and establishes criteria that can be used to evaluate an organization’s internal
control. The COSO report, published in 1992 [1], is now commonly known as the “COSO Internal
Control Framework.” This framework has become the generally accepted method for defining and
evaluating internal controls by all sectors of business and government and is recognized by the
SEC as an acceptable standard against which public companies can measure the effectiveness of
their internal control systems.

[1] “Internal Control – Integrated Framework” was initially published in 1992 and revised in 1994.

The COSO Internal Control Framework broadly defines “internal control” as:

A process, effected by an entity’s board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in
the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

The first category addresses an organization’s basic business operational objectives, including
performance and profitability goals and safeguarding of resources. The second category relates to
the preparation of reliable published financial statements, including interim and condensed financial
statements and selected financial data derived from such statements, such as earnings releases,
reported publicly. The third category addresses compliance with laws and regulations to which the
organization is subject. These three control categories are distinct but not exclusive as depicted by
the interrelated figure shown below:

[Figure: three interrelated control categories. Operations: Effective and Efficient Use of Resources. Compliance: Compliance with Laws and Regulations. Financial Reporting: Preparation of Reliable Published Financial Statements.]

As a general rule, an internal control process, as defined above, is executed by policies and
procedures. Policies and procedures are established by management to prescribe, influence, or
monitor the conduct of processes, systems, activities, functions, projects, plans, initiatives, and
endeavors of all types at all levels of a company. Fundamentally, “internal controls” are policies
and procedures.

Management designs policies and procedures to mitigate control risks, which are negative
consequences that may result from not achieving management’s control objectives. Management
establishes control objectives to prescribe the desired condition or output resulting from a
particular process, system, activity, etc. The concepts of control objectives, control risks, and
policies and procedures are applicable to each of the control categories illustrated above.

The following sections relate COSO’s definition of “internal control” to the SEC’s “internal control”
and “disclosure control” definitions.

211 Internal Control Over Financial Reporting

The SEC defines “internal control over financial reporting” as:

A process designed by, or under the supervision of, the registrant’s principal executive
and principal financial officers, or persons performing similar functions, and effected by
the registrant’s board of directors, management and other personnel, to provide
reasonable assurance regarding the reliability of financial reporting and the preparation
of financial statements for external purposes in accordance with generally accepted
accounting principles and includes those policies and procedures that:

(1) Pertain to the maintenance of records that in reasonable detail accurately and
fairly reflect the transactions and dispositions of the assets of the registrant;

(2) Provide reasonable assurance that transactions are recorded as necessary to
permit preparation of financial statements in accordance with generally accepted
accounting principles, and that receipts and expenditures of the registrant are being
made only in accordance with authorizations of management and directors of the
registrant; and

(3) Provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use or disposition of the registrant’s assets that could have
a material effect on the financial statements.

The SEC explicitly recognizes that its definition of “internal control over financial reporting” is
consistent with COSO’s financial reporting control category. Additionally, the SEC confirmed that
internal control over financial reporting does not include controls that relate to COSO’s operational
and compliance control categories, with the exception of compliance with applicable laws and
regulations directly related to the preparation of financial statements (e.g., FCPA, SOA, SEC rules,
etc.).

Thus, using the previous graphic of COSO’s interrelated control categories, you can see that
“internal control over financial reporting” is embodied within the “financial reporting” sphere shown
below:

[Figure: the Operations, Compliance, and Financial Reporting control categories, indicating the Financial Reporting sphere.]

It is important to note that all financial reporting controls, even where the financial reporting control
category overlaps with the operational and compliance control categories, are considered “internal
controls over financial reporting.” Only the areas of the operational and compliance categories that
do not overlap with the financial reporting category are outside the scope of the SOA and, thus, this
Guide.

Several fundamental control objectives related to financial reporting are inherent in the definition of
internal control over financial reporting:

1. Maintaining records (i.e., documentation, safeguarding)

2. Safeguarding assets

3. Authorizing transactions

4. Recording transactions (i.e., timely, accurate, and complete accounting)

5. Preparing financial statements in accordance with US GAAP

AES documented its internal controls over financial reporting for significant financial processes and
formalized those controls in the “Manual of Financial Policies” and the “Internal Control Standards.”
The “Internal Control Standards” (Part 3) set forth management’s control objectives, identify
significant control risks, and prescribe standardized “policies and procedures” applicable to each
significant financial process. Policy-related Standards correlate to the policies established in the
“Manual of Financial Policies”. Procedure-related Standards reflect the actions necessary to
implement management’s policies and are a required element of each critical financial process.

212 Disclosure Controls and Procedures

The SEC defines “disclosure controls and procedures” as:

Controls and other procedures of an issuer that are designed to ensure that information
required to be disclosed by the issuer in the reports filed or submitted by it under the
Exchange Act is recorded, processed, summarized, and reported within the time periods
specified in the Commission’s rules and forms. Disclosure controls and procedures
include, without limitation, controls and procedures designed to ensure that information
required to be disclosed by an issuer…is accumulated and communicated to the issuer’s
management, including its principal executive and financial officers, as appropriate to
allow timely decisions regarding required disclosure.

Disclosure controls and procedures are intended to complement internal controls over financial
reporting because they focus on the timely collection of both material financial and material
non-financial information potentially subject to SEC filing disclosure requirements. In contrast to
“internal controls over financial reporting,” which correlate directly to the financial reporting control
category, “disclosure controls and procedures” overlay each control category as shown in the
graphic below:

[Figure: the Operations, Compliance, and Financial Reporting control categories, with Disclosure Controls and Procedures overlaying all three.]

To avoid confusion between the meanings of these terms, the SEC provided the following
explanation:

We make this distinction [between disclosure controls and procedures and internal
controls over financial reporting] based on our review of Section 302 of the Act as well as
to effectuate what we believe to be Congress’ intent – to have senior officers certify that
required material non-financial information, as well as financial information, is included in
an issuer’s quarterly and annual reports. Under this interpretation, we maintain the
pre-existing concept in internal controls over financial reporting without expanding it by
relating it to non-financial information.

The concepts of financial information, non-financial information, and materiality are central to
the definition of disclosure controls and procedures and are discussed briefly below.

Financial Information

Some common examples of financial information include, but are not limited to, the following:

• Complete set of consolidated, comparative financial statements with footnotes;

• Discussion of AES’s results of operations by segment and geographic region, capital
resources, cash flows and liquidity, including a description of any known material trends;

• New accounting pronouncements and critical accounting policies, including their financial
statement impact;

• Planned financial transactions such as asset sales, mergers and acquisitions, etc.; and

• Quantitative disclosures about market risk including interest rate risk, foreign currency
exchange rate risk, and commodity price risk.

Non-financial Information

Some common examples of non-financial information include, but are not limited to, the following:

• Narrative description of business sufficient to provide an understanding of our operations.
This includes recent strategic initiatives, lines of business, countries with significant
operations, etc.;

• Discussion of material pending legal proceedings;

• Country-specific matters such as political, economic, and social issues;

• Competitive conditions and business risk factors;

• Disclosures related to environmental matters; and

• Qualitative disclosures about market risk – what are they? How are they managed?

Materiality

For purposes of evaluating potential financial and non-financial disclosures, conclusions regarding
materiality are a matter of professional judgment based on an analysis of available facts and
circumstances regarding any particular matter. Materiality conclusions must be consistent with the
following views of the Financial Accounting Standards Board (FASB) and the US Supreme Court:

With respect to materiality judgments, the FASB concluded that –

an item…is material if, in light of surrounding circumstances, the magnitude of an
item is such that it is probable that the judgment of a reasonable person relying upon
the report would have been changed or influenced by the inclusion or correction of
the item.

In a similar manner, the US Supreme Court held that a fact is material if there is –

a substantial likelihood that the…fact would have been viewed by the reasonable
investor as having significantly altered the “total mix” of information made available.

When in doubt regarding the potential materiality of financial or non-financial information, AES
personnel are required to defer judgment to AES’s Disclosure Committee.

A detailed discussion of AES’s disclosure controls and procedures is outside the scope of this
Guide. Additional information regarding disclosure controls and procedures can be obtained from
Corporate Accounting.

220 Internal Control Framework

In an “effective” internal control system, the following five internal control components form a
framework that supports the achievement of an organization’s mission, strategies, and related
operational, financial reporting, and compliance objectives.

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

The following graphic depicts how these five components interrelate with COSO’s control objective
categories and various functions, processes, and activities of an organization:

Each component row cuts across and applies to all three objective categories. Management is
responsible for ensuring that each of these components exists and is effective within the
organization. Although all five components must be satisfied, this does not mean that each
component should function identically, or even at the same level. Some trade-offs may exist
between components. Because controls can serve a variety of purposes, controls in one
component can serve the purpose of controls that might normally be present in another
component. Additionally, controls can differ in the degree to which they address a particular risk,
so that complementary controls, each with a limited effect, together can be effective.

Each of these components is addressed in more detail in the following sections, which have been
summarized from COSO’s Internal Control – Integrated Framework.

221 Control Environment

The control environment is influenced by an organization’s history and culture and sets the tone of
the organization, influencing the control consciousness of its personnel. It is the foundation for all
other components of internal control, providing discipline and structure. The control environment
has a pervasive influence on the way business activities are structured, objectives established, and
risks assessed. It also influences control activities, information and communication systems, and
monitoring activities. Effectively controlled companies strive to have competent people, instill a
company-wide attitude of integrity and control consciousness, and set a positive “tone at the top.”
Established policies and procedures, including a written code of conduct, foster shared values and
teamwork in pursuit of the organization’s objectives. The control environment includes the
following factors:

Integrity and Ethical Values

An organization’s objectives and the way they are achieved are based on preferences, value
judgments, and management styles. Those preferences and value judgments that translate into
standards of behavior reflect management’s integrity and its commitment to ethical values. An
organization’s good reputation is valuable; the standard of behavior must go beyond mere
compliance with laws and regulations. The effectiveness of a system of internal control cannot rise
above the integrity and ethical values of the personnel who create, administer, and monitor it.
Integrity and ethical values are essential elements of the control environment, affecting the design,
administration, and monitoring of other internal control components. Establishing ethical values
often is difficult because of the need to consider the concerns of several parties. Management’s
values must balance the concerns of the enterprise, its people, suppliers, customers, competitors,
and the public.

Commitment to Competence

Management specifies the competence levels for particular jobs and translates those levels into
requisite knowledge and skills. The necessary knowledge and skills may, in turn, depend on an
individual’s training and experience. Among the many factors considered in developing knowledge
and skill levels are the nature and degree of judgment to be applied to a specific job. There often
can be a trade-off between the extent of supervision and the requisite competence level of the
individual.

Board and Audit Committee

An organization’s Board of Directors and Audit Committee significantly influence the control
environment and “tone at the top.” Factors include the Board or Audit Committee’s independence
from management, experience and stature of its members, extent of its involvement with and
scrutiny of activities, the appropriateness of its actions, and degree to which difficult questions are
raised and pursued with management regarding plans or performance. Interaction of the Board or
Audit Committee with internal and external auditors is also an important factor affecting the control
environment.

Management’s Philosophy and Operating Style

Management’s philosophy and operating style affect the way an organization is managed, including
the kinds of business risk accepted. A company that has been successful taking significant risks
may have a different outlook on internal control than one that has faced harsh economic or
regulatory consequences as a result of venturing into dangerous territory. An informally managed
company may control operations largely by face-to-face contact with key managers. A more
formally managed one may rely more on written policies, performance indicators, and exception
reports. Other elements of management’s philosophy and operating style include attitudes toward
financial reporting, conservative or aggressive selection from available alternative accounting
principles, conscientiousness and conservatism with which accounting estimates are developed,
and attitudes toward data processing and accounting functions and personnel.

Organizational Structure

A company’s organizational structure provides the framework within which its activities for
achieving company-wide objectives are planned, executed, controlled, and monitored. Significant
aspects of establishing a relevant organizational structure include defining key areas of authority
and responsibility and establishing appropriate lines of reporting. The appropriateness of a
company’s organizational structure depends, in part, on its size, the nature of its activities and the
type of structure that best suits its needs.

Assignment of Authority and Responsibility

This includes the assignment of authority and responsibility for operating activities as well as
establishing reporting relationships and authorization protocols. It involves the degree to which
individuals and teams are encouraged to use initiative in addressing issues and resolving problems
as well as limits of their authority. It also focuses on the policies specifying appropriate business
practices, knowledge and experience of key personnel, and resources provided for carrying out
duties. Another aspect is ensuring that all personnel understand the organization’s objectives. It is
essential that each individual knows how his or her actions interrelate and contribute to the
achievement of objectives. The control environment is greatly influenced by the extent to which
individuals, including the Chairman and CEO, recognize that they will be held accountable. He or
she has ultimate responsibility for all activities within the organization, including the internal control
system.

Human Resource Policies and Practices

Human resource practices send messages to employees regarding expected levels of integrity,
ethical behavior, and competence. Such practices relate to hiring, orientation, training, evaluating,
counseling, promoting, compensating, and remedial actions.

222 Risk Assessment

All companies, regardless of size, structure, nature, or industry, encounter risks at all levels within
their organization. Risks affect a company’s ability to survive; successfully compete within its
industry; maintain financial strength and positive public image; and maintain the overall quality of
its products, services, and people. There is no practical way to reduce risk to zero. The decision
to be in business creates risk. Management must determine how much risk is to be prudently
accepted and strive to maintain risk within these levels.

Objective setting is a precondition to risk assessment. There must first be objectives before
management can identify risks to their achievement and take necessary actions to manage the
risks. Objective setting, then, is a key part of the management process. While not an internal
control component, it is a prerequisite to and an enabler of internal control. The risk assessment
framework component includes the following factors:

Company-wide Objectives

Objective setting can be a highly structured or an informal process. Objectives may be explicitly
stated, or be implicit, such as to continue a past level of performance. At the company-wide level,
objectives are represented by the organization’s mission and value statements. Assessments of
an organization’s strengths and weaknesses, and opportunities and threats, lead to an overall
strategy. Generally, the strategic plan is broadly stated, dealing with high level resource
allocations and priorities. More specific objectives flow from the organization’s broad strategy.
Company-wide objectives are linked and integrated with more specific objectives established for
various activities. By setting objectives at both the company and activity level, the organization can
identify critical success factors. These are the key objectives that must be achieved if goals are to
be attained. Objective setting enables management to identify measurement criteria for
performance, with focus on critical success factors.

Process-Level Objectives

Despite the diversity of objectives, certain broad categories of objectives can be established:

• Operations Objectives – These pertain to the effectiveness and efficiency of the company’s
operations, including performance and profitability goals and safeguarding resources
against loss. They vary based on management’s choices about structure and
performance.

• Financial Reporting Objectives – These pertain to the preparation of reliable published
financial statements, including prevention of fraudulent public financial reporting. They are
driven primarily by external requirements.

• Compliance Objectives – These objectives pertain to adherence to laws and regulations to
which the company is subject. They are dependent on external factors, such as
environmental regulation, and tend to be similar across all companies in some cases and
across industries in other cases.

Risk Identification

The process of identifying and analyzing risk is an on-going process and is a critical component of
an effective internal control system. Management must focus carefully on risks at all levels of the
organization and take necessary actions to manage those risks. An organization’s performance
can be at risk due to internal or external factors. These factors, in turn, can affect either stated or
implied objectives. Risk increases as objectives increasingly differ from past performance. In a
number of areas of performance, an organization often does not set explicit company-wide
objectives because it considers performance to be acceptable. Regardless of whether an objective
is stated or implied, an organization’s risk-assessment process should consider risks that may
occur. It is important that risk identification is comprehensive. Note that there is a distinction
between risk assessment, which is part of internal control, and the resulting plans, programs or
other actions deemed necessary by management to address the risks.

Managing Change

As economic, industry, and regulatory environments change, an organization’s activities should
evolve to address those changes. As the organization’s activities evolve, the internal control
system requires change because an effective system under one set of conditions will not
necessarily be effective under another set of conditions. Mechanisms to manage change should
be forward-looking, so the organization can anticipate and plan for significant changes.
Fundamental to risk assessment is a process to identify changed conditions and take actions as
necessary.

223 Control Activities

Control activities are policies and procedures used to ensure management’s control objectives are
met. They help ensure that necessary actions are taken to address risks to the achievement of the
organization’s objectives. Control activities occur throughout the organization, at all levels, and in
all functions. They include a range of activities as diverse as approvals, authorizations,
verifications, reviews of operating performance, security of assets, and segregation of duties.
Control activities can be divided into three categories based on the nature of the organization’s
objectives to which they relate (i.e., operations, financial reporting, or compliance). Depending on
circumstances, controls could help to satisfy company objectives in one or more of the three
control categories.

Control activities usually involve two elements: 1) a policy establishing what should be done and 2)
procedures to effect the policy. A procedure will not be useful if performed mechanically without a
continuing focus on conditions to which the policy is directed.

Control activities are a significant part of the process by which an organization strives to achieve its
business objectives. Control activities serve as mechanisms for managing and mitigating risk,
thereby enabling the achievement of objectives. Control is built directly into processes and always
relates back to the risk it was designed to mitigate. Control activities that are added on in reaction
to insignificant or non-existent risks can result in burdensome layers of redundant controls that can
increase cost and impede efficiency.

224 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that
enables people to carry out their responsibilities. Information gathering mechanisms produce
reports containing operational, financial reporting, and compliance related information that makes it
possible to run and control the business. They deal not only with internally generated data, but
also with information about external events, activities, and conditions necessary for informed
business decision-making and external reporting. Effective communication also must occur in a
broader sense, flowing down, across, and up the organization. All personnel must receive a clear
message from top management that control responsibilities must be taken seriously. They must
understand their own role in the internal control system, as well as how individual activities relate to
the work of others. They must have a means of communicating significant information upstream.
There also needs to be effective communication with external parties such as customers, suppliers,
regulators, and shareholders. The information and communication component of control includes
the following elements:

Quality of Information

Information is needed at all levels of the organization to run the business and move towards
achievement of the organization’s objectives in all categories — operations, financial reporting, and
compliance. Information is identified, captured, processed, and reported by information systems.
Information gathering mechanisms may be computerized, manual, or a combination. They may be
formal or informal. Keeping information consistent with needs becomes particularly important
when a company operates in the face of fundamental industry changes, highly innovative and
quick-moving competitors, or significant customer demand shifts. To be effective, information
gathering mechanisms must not only identify and capture needed financial and non-financial
information; they must also process and report it in a time frame and manner that is useful in
controlling the company’s activities.

Effectiveness of Communication

Communication is inherent in information gathering mechanisms. Information must be provided to
appropriate personnel so that they can carry out their operating, financial reporting, and
compliance responsibilities. Communication also must take place in a broader sense, dealing with
expectations, responsibilities of individuals and groups, and other important matters.

225 Monitoring

Internal control systems need to be monitored — a process that assesses the quality of the
system’s performance over time. This is accomplished through on-going monitoring activities,
separate evaluations, or a combination of the two. On-going monitoring occurs in the course of
normal operations. It includes regular management and supervisory activities and other actions
personnel take in performing their duties. The scope and frequency of separate evaluations (i.e.,
audits) will depend primarily on assessment of risks and the effectiveness of on-going monitoring
procedures. Internal control deficiencies should be reported upstream, with serious matters
reported to senior management and the Board.

Monitoring Ongoing Activities

On-going monitoring procedures are built into an organization’s normal recurring operating
activities. They are performed on a real-time basis reacting dynamically to changing conditions.
Since separate evaluations take place after-the-fact, problems will often be identified more quickly
by the on-going monitoring routines.

Separate Evaluations

The frequency of separate evaluations necessary for management to have reasonable assurance
about the effectiveness of the internal control system is a matter of management’s judgment. In
making that determination, consideration is given to the following: the nature and degree of
changes occurring and their associated risk, the competence and experience of the people
implementing the controls, and the results of on-going monitoring.

Reporting Control and Process Deficiencies

Deficiencies in an organization’s internal control system could arise from many sources, including
the company’s on-going monitoring procedures, separate evaluations of the internal control
system, and external parties. The term “deficiency” is defined broadly as a condition within an
internal control system worthy of attention. A deficiency, therefore, may represent a perceived,
potential, or real shortcoming, or an opportunity to strengthen the control system to provide a
greater likelihood that the organization’s objectives will be achieved. (See also section 237.)

230 Management’s Assessment of Control Effectiveness

The Sarbanes-Oxley Act requires management to assess the effectiveness of both its internal
control over financial reporting and disclosure controls and procedures as of the end of the most
recent fiscal year and quarter, respectively. In its financial reports filed with the SEC, management
must include a statement as to whether or not internal control over financial reporting (annually)
and disclosure controls and procedures (quarterly) are effective. Management’s statement must
include disclosure of any “material weaknesses” in the organization’s internal controls over
financial reporting and disclosure controls and procedures that have been identified by
management. Importantly, management is precluded from determining that controls are effective if
it identifies one or more material weaknesses.

Management’s assessments must be based on procedures sufficient both to evaluate design and
to test operating effectiveness. The nature of testing activities will largely depend on several facts
and circumstances including the significance of the control. However, inquiry alone generally is not
an adequate basis for management’s assessment.

Controls subject to such assessment include, but are not limited to:

• controls over initiating, recording, processing, and reconciling account balances, classes of
transactions, and disclosure and related assertions included in the financial statements;
• controls related to the initiation and processing of non-routine and non-systematic
transactions;
• controls related to the selection and the application of appropriate accounting policies; and
• controls related to the prevention, identification, and detection of fraud.

Management’s assessment of control effectiveness must be supported by evidential matter,
including documentation, regarding both the design and operation of internal controls. This
evidential matter should provide reasonable support –

• for the evaluation of whether the control is designed to prevent or detect material
misstatements or omissions;
• for the conclusion that tests were appropriately planned and performed; and
• that the results of the tests were appropriately considered.

The remaining sections of this Guide, which have been summarized from the AICPA’s June 2003
proposed Attestation Standards, provide additional detail regarding management’s assessment of
control effectiveness and the identification of control deficiencies, including material weaknesses.

231 Overview

Effective internal control over financial reporting provides reasonable assurance that material
misstatements in the financial statements will be prevented or detected on a timely basis by
employees in the normal course of performing their assigned functions. Internal control generally
includes preventive controls (those designed to prevent a misstatement from occurring) and
detective controls (those designed to detect a misstatement that has occurred) to reduce the risk of
misstatement. Often, companies will place more emphasis on preventive than on detective
controls. Generally, it is more efficient to prevent misstatements than to detect and correct them.
However, no control activity can be expected to be totally effective and a well-run system of
internal control should have an appropriate mix of preventive and detective controls.

The effectiveness of internal control includes both design and operating effectiveness. Design
effectiveness relates to whether controls are suitably designed to prevent or detect material
misstatements. Operating effectiveness is concerned with how the control is applied, the
consistency with which it is applied, and by whom it is applied.

Internal control, no matter how well designed and operated, can provide only reasonable
assurance to management and the Board of Directors regarding achievement of the organization’s
control objectives. The likelihood of achievement is affected by limitations inherent to internal
control. These limitations include the realities that human judgment in decision-making can be
faulty, and that breakdowns in internal control can occur because of human failures such as simple
errors or mistakes. Additionally, controls can be circumvented by the collusion of two or more
people or management override of internal control.

Custom, culture, and the corporate governance system may inhibit fraud by management, but they
are not absolute deterrents. An effective control environment, too, may help mitigate the
probability of such fraud. For example, an effective Board of Directors, Audit Committee, and an
internal audit function may constrain improper conduct by management. Alternatively, an
ineffective control environment may negate the effectiveness of the other components. For
example, when the nature of management compensation creates an incentive for management to
intentionally misstate the financial statements, the effectiveness of control activities may be
reduced. The effectiveness of an internal control system might also be adversely affected by
factors such as a change in ownership or control, changes in management or other personnel, or
developments in the market or industry.

232 Required Documentation

The process by which management supports its evaluation of the effectiveness of internal control
must include the following elements:

• Determining which controls are significant for the purpose of evaluating the effectiveness
of internal control. (See section 233)

• Determining which locations or business units should be included in the evaluation for an
organization with multiple locations or business units. (See section 234)

• Documenting the design of significant controls. The documentation should include each of
the components of internal control; how significant transactions are initiated, recorded,
processed, and reported; the controls that are designed to prevent or detect errors or fraud
in significant account balances, classes of transactions, and disclosures, including who
performs the controls and the related segregation of duties; the financial statement closing
process; and safeguarding controls.

• Evaluating the design effectiveness of controls. (See section 235)

• Evaluating the operating effectiveness of controls based on procedures sufficient to assess
their operating effectiveness. Critical to this evaluation is adequate documentary evidence
to demonstrate that internal controls have been executed as designed. (See section 236)

• Determining which control deficiencies are of such a magnitude, either quantitatively or
qualitatively or both, that they constitute significant deficiencies or material weaknesses.
(See section 237)

• Documenting the results of the evaluation.

• Communicating findings to external auditors and to others, if applicable.

Documentation of the design of significant controls provides evidence that controls related to
management’s assertion about the effectiveness of internal control, including changes to those
controls, have been identified, are capable of being communicated to those responsible for their
performance, and are capable of being monitored by the organization. Documentation of manual
controls facilitates training of personnel and the continued functioning of controls when personnel
change. Inadequate documentation of the design of significant controls may result in a significant
deficiency or a material weakness because documentation provides the foundation for appropriate
communication concerning responsibilities for performing controls and for management’s
evaluation and monitoring of the effective operation of controls.

The absence of observed financial statement errors or misstatements does not, in and of itself,
indicate an effective system of internal control and is not a sufficient basis for management’s
assertion about the effectiveness of internal control.

233 Significant Controls

Factors management considers in determining whether controls are significant include:

• The likelihood that failure of the control could result in a misstatement, and

• The degree to which other controls, if effective, achieve the same control objectives.

Examples of controls that are often considered to be significant generally include:

• Controls over initiating, recording, processing, and reporting significant account balances,
classes of transactions, and disclosures and related assertions embodied in the financial
statements;

• Controls over the selection and application of accounting policies that are in conformity
with US generally accepted accounting principles;

• Antifraud programs and controls;

• Controls, including information technology (IT) general controls, on which other significant
controls are dependent;

• Each significant control in a group of controls that functions together to achieve a control
objective;

• Controls over significant non-routine and non-systematic transactions (such as accounts
involving judgments and estimates); and

• Controls over the period-end financial reporting process, including controls over
procedures used to enter transaction totals into the general ledger; to initiate, record, and
process journal entries in the general ledger; and to record recurring and nonrecurring
adjustments to the financial statements (for example, consolidating adjustments, report
combinations, and reclassifications).

Also important are company-wide controls that management has established to monitor operations
and to oversee the control environment and risk assessment process at business units. Such
controls include a combination of the following:

• Control environment, including the assignment of authority and responsibility, consistent
policies and procedures, and company-wide programs, such as codes of conduct and
fraud prevention, that apply to all locations and business units;

• Management’s risk assessment process;

• Centralized processing and controls, including shared service environments;

• Monitoring results of operations; and

• Monitoring of controls, including activities of the internal audit function and self-assessment
programs.

The period of time over which management performs tests of controls is a matter of judgment;
however, it varies with the nature of the controls being tested and with the frequency with which
specific controls operate and specific policies are applied. Some controls operate continuously
(e.g., controls over revenues), while others operate only at certain times (e.g., controls over the
preparation of financial statements and controls over physical inventory counts). Management
performs tests of controls over a period of time that is adequate to determine whether, as of the
date specified in the assertion, the controls necessary for achieving control objectives are
operating effectively.

234 Locations

All significant locations and all significant controls must be evaluated in connection with
management’s assertion about the effectiveness of internal control. Determining the locations or
business units at which management will perform audit procedures requires an evaluation of
factors such as the relative financial significance of the location or business unit and the risk of
material misstatement arising from the location or business unit. In making this determination,
management, at a minimum, identifies the locations or business units that are individually important
or that contain specific risks that by themselves could create a material misstatement. With
respect to other locations or business units, management determines which locations or business
units, when aggregated, could result in the group representing a level of financial significance that,
in the aggregate, could create a material misstatement in the financial statements. The remaining
locations and business units should not be able, individually or in the aggregate, to create a
material misstatement in the financial statements.

Individually important locations or business units often represent a relatively small number of
locations or business units that encompass a large portion of the organization’s operations and
financial position. The relative financial significance of the location or business unit and the risk of
material misstatement arising from the location or business unit are both factors that management
considers when identifying locations or business units that are considered individually important.
As a result of the importance of these locations, management must perform tests of all significant
controls at each of these locations or business units.

Although a location or business unit may not be individually important from a financial standpoint, it
may present specific risks that by themselves could create a material misstatement of the
consolidated financial statements. For example, a business unit could be responsible for foreign
exchange trading and, thus, expose the company to a risk of material misstatement even though
the relative financial significance is not great. Although management may not test all controls at
these locations or business units, it will test the controls over the specific risks that could create a
material misstatement in the consolidated financial statements.

Individual locations or business units that are individually not important may, when aggregated with
other locations or business units, result in a group representing a level of financial significance that
in the aggregate could create a material misstatement of the financial statements. In considering
which locations or business units to visit and what controls to test regarding this group,
management will consider the following factors:

• The similarity of business operations and internal controls at the various locations or
business units;

• The degree of centralization of processes and financial reporting applications;

• The effectiveness of the control environment, particularly management's direct control over
the exercise of authority delegated to others and its ability to effectively supervise activities
at the various locations or business units. An ineffective control environment over the
locations or business units may constitute a material weakness;

• The nature and amount of transactions executed and related assets at the various
locations or business units and to what degree the location or business unit could create
an obligation on the part of the company; and

• The risk assessment process and analysis for excluding a location or business unit from its
process of assessing internal control.

Management will not test controls with respect to locations or business units that are not
individually important and, when aggregated, could not result in a material misstatement to the
financial statements. However, management may choose to address the internal controls of such
entities for business purposes.

Situations may arise where the company acquires a business at or near the date of management’s
assertion. If the assertion relates to the effectiveness of the company’s internal control as of a
point in time subsequent to the date of acquisition, the internal control of the acquired business will
be evaluated consistent with this Guide. This evaluation could encompass an evaluation of internal
control either during the due diligence process or subsequent to the acquisition.

Management’s evaluation of internal control does not extend to the internal control of businesses in
which AES has an investment that is accounted for by the equity method of accounting; therefore,
management need not consider the internal control of such entities for purposes of its assessment.

235 Design Effectiveness

Procedures to evaluate the effectiveness of the design of a specific control are concerned with
whether that control is suitably designed to meet one or more of the following fundamental control
objectives with respect to internal controls over financial reporting:

1. Maintaining records (i.e., documentation, safeguarding)

2. Safeguarding assets

3. Authorizing transactions

4. Recording transactions (i.e., timely, accurate, and complete accounting)

5. Preparing financial statements in accordance with US GAAP

These control objectives, and the specific control activities designed to address them, were
established to prevent or detect material misstatements in management’s financial statement
assertions:

Management’s Financial Statement Assertions


• Existence or occurrence
• Completeness
• Rights and obligations
• Valuation or allocation
• Presentation and disclosure

To the extent control activities are insufficiently designed to fully address one or more of the above
control objectives, management may conclude that certain control activities could fail to prevent or
detect a material misstatement in one or more financial statement assertions. Such a
circumstance may reflect a material weakness in internal control.

Procedures for evaluating design effectiveness will vary depending upon the nature of the specific
control, the nature of documentation of the specific control, and the complexity and sophistication
of operations and systems.

236 Operating Effectiveness

Management will test the operation of controls related to each of the five internal control
components. Tests of the operating effectiveness of a control are concerned with how the control
was applied, the consistency with which it was applied, and by whom it was applied. Critical to this
testing is adequate documentary evidence to demonstrate that controls were executed as
designed. Such evidence is necessary to support both management’s and the external auditor’s
testing of internal control operating effectiveness.

The tests ordinarily include procedures such as inquiries of appropriate personnel, inspection of
relevant documentation, observation of the company’s operations, and reapplication or
reperformance of the operation of the control using selected transactions. The organization’s risk
assessment and monitoring processes may affect the selection of the procedures to be performed,
controls to be tested, the timing of the procedures, and the locations to be included in the
assessment.

Management must ordinarily perform procedures in addition to the use of inquiry to obtain sufficient
evidence. Examples of such procedures include testing of the controls by internal audit, testing of
controls by others under the direction of management, the use of service organization reports, or a
self-assessment/self-test process that includes procedures to assess whether controls are
operating effectively. Inquiry alone does not provide sufficient evidence to support the operating
effectiveness of controls. For example, if the organization implemented a control activity whereby
its sales manager reviews and investigates a report of invoices with unusually high or low gross
margins, mere inquiry of the sales manager as to whether he or she investigates discrepancies is
inadequate. During the inquiry process, the practitioner should corroborate the responses received
by performing other procedures, such as inspecting reports or other documentation used in or
generated by the performance of the control.

The nature of controls influences the nature of the tests of controls that management can perform.
For example, management may examine documents regarding controls for which documentary
evidence exists. However, documentary evidence regarding the control environment (such as
management's philosophy and operating style) may not exist. In circumstances where
documentary evidence of controls or the performance of controls does not exist and is not
expected to exist, management's tests of controls will consist of inquiries of appropriate personnel
and observation of activities. Inspecting selected correspondence, such as legal claims and
company replies to personnel inquiries, and observing actions taken in response to asserted issues
may provide additional assurance concerning the control environment.

In performing tests of preventive and detective controls, management may conclude that a
deficient preventive control is compensated for by an effective detective control and, therefore, not
a significant deficiency or material weakness. For example, a monthly reconciliation control
procedure (a detective control) would detect an out-of-balance situation resulting from an
unauthorized transaction being initiated due to an ineffective authorization procedure (a preventive
control). In making a determination that the detective control is effective, management must
ensure that the detective control is sufficient to achieve the control objective to which the
preventive control relates. However, in this case, management’s reliance on high-level analytical
procedures alone would not be sufficiently precise to achieve the control objective.

237 Control Deficiencies

An internal control deficiency may consist of either a design or operating deficiency. A design
deficiency exists when either a necessary control is missing or an existing control is not properly
designed so that even when the control is operating as designed the control objective is not always
met. An operating deficiency exists when a properly designed control is not operating as designed,
is not consistently applied, or the person performing a control does not possess the necessary
authority or qualifications to perform the control effectively. Internal control deficiencies relevant to
internal control over financial reporting could adversely affect the organization’s ability to initiate,
record, process, and report financial data consistent with the assertions of management in the
financial statements. Internal control deficiencies relevant to financial reporting range from
inconsequential internal control deficiencies to material weaknesses in internal control.

A significant deficiency is an internal control deficiency in a significant control or an aggregation of
such deficiencies that could result in a misstatement of the financial statements that is more than
inconsequential.

A material weakness is a significant deficiency or an aggregation of significant deficiencies that
precludes the company’s internal control from providing reasonable assurance that material
misstatements in the financial statements will be prevented or detected on a timely basis by
employees in the normal course of performing their assigned functions. The inability to provide
such reasonable assurance results from one or more significant deficiencies in which the design or
operation of one or more of the internal control components does not reduce to a relatively low
level the risk that misstatements caused by errors or fraud in amounts that would be material in
relation to the financial statements may occur and not be detected within a timely period by
employees in the normal course of performing their assigned functions. Therefore, the existence of
a material weakness precludes management from concluding that internal control is effective.

In making the judgment as to which internal control deficiencies are significant deficiencies,
management must consider various factors such as the organization’s size, complexity and
diversity of activities, and structure. A significant degree of professional judgment is required in
evaluating whether an internal control deficiency is a significant deficiency. Factors management
may consider include:

• The likelihood that the internal control deficiency could result in a misstatement;

• The magnitude of potential misstatements resulting from the internal control deficiency;

• The importance of the control that is deficient, including the degree to which other effective
controls achieve the same control objective;

• The nature of the account balances or classes of transactions affected by the internal
control deficiency and the financial statement assertions involved; and

• The frequency of exceptions, if the internal control deficiency is an operating deficiency.

The ineffective design of a significant control generally is a significant deficiency (and potentially a
material weakness) absent other effective controls that achieve the same control objective.

In testing the operating effectiveness of controls, management may encounter exceptions or
deviations to the control. If the reasons for the exception do not indicate a weakness in the general
design or operation of the control, the deviation may not indicate a significant deficiency. However,
regardless of the reasons for the deviation, numerous or repeated instances of the deficiency may
constitute a significant deficiency. A control with an observed non-negligible deviation rate is not
an effective control.

Evaluating whether a significant deficiency, individually or in the aggregate, is also a material
weakness is a subjective process that depends on factors such as the nature of the accounting
system and the financial statement amounts or transactions exposed to the significant deficiency,
the overall control environment, other controls, and the judgment of those making the evaluation.
The absence of identified misstatements is not a criterion for concluding that significant
deficiencies do not constitute material weaknesses.

Part 3 - Internal Control Standards
300 Introduction

The Internal Control Standards are management’s formal control activities applicable to all
significant AES financial processes. The Standards have been divided into a “business cycle”
format for ease of implementation, reference, and evaluation. A “business cycle” has been defined
as a series of sequential or stand-alone sub-cycles that represent a process from the initiation to
the completion of a specific transaction. For example, the Procurement Cycle includes purchasing,
receiving/acceptance, invoice processing/accounts payable, and cash disbursement sub-cycles.

The control activities within each business cycle have been written in a manner to satisfy the basic
control objectives of any system of internal control and to meet the requirements of the Sarbanes-
Oxley Act. These control objectives are:

1. Maintaining records (i.e., documentation, safeguarding)

2. Safeguarding assets

3. Authorizing transactions

4. Recording transactions (i.e., timely, accurate, and complete accounting)

5. Preparing financial statements in accordance with US GAAP

Specific control objectives, consistent with the objectives above, are organized by and applicable to
each sub-cycle within a business cycle. Each control objective has control risks and relevant
control activities to address those risks. The Internal Control Standards include both policies and
procedures. Policy-related Standards have been addressed in additional detail in AES’s “Manual
of Financial Policies,” which became effective on July 1, 2003.

Procedure-related Standards are basic, written broadly, and, therefore, should be interpreted
broadly. Management neither attempted to describe nor intended to prescribe a specific, one-size-
fits-all application of each procedure. How these Standards are built into the many diverse
business processes throughout AES is a matter of each Business Leader’s professional judgment.

These Standards do not “stand alone.” Rather, they complement other elements of AES’s internal
control framework, which includes, among other things, standard operating procedures, financial
policies, personnel policies, and the Code of Business Conduct and Ethics.

301 GENERAL CONTROL REQUIREMENTS
The following general control requirements, which apply to all financial cycles, will be adopted by
all business units.

301.1 All employees must comply with the AES Code of Business Conduct and Ethics. Senior
level employees will periodically be required to confirm compliance with the Code.
301.2 Policy and procedure manuals must be adhered to by all AES business units. Policies
and procedures established within business units must, at a minimum, meet, and not be
in conflict with, the control requirements specified by this Guide and the AES Manual of
Financial Policies. Policies and procedures must be periodically reviewed and updated.
301.3 Adequate segregation of duties and control responsibilities must be established and
maintained in all functional areas. In general, custodial, processing/operating, and
accounting responsibilities should be separated to promote independent review and
evaluation of Company operations. For example, individuals assigned the responsibility
for receiving and depositing cash receipts (custodians) should not be responsible for
posting to the accounts receivable sub-ledger (accounting) or preparing customer billings
(processing/operations). Where adequate segregation cannot be achieved, other
compensating controls must be established and documented.
301.4 No person shall, directly or indirectly, falsify or cause to be falsified any books, records, or
accounts of the Company.
301.5 All business units must develop a system of internal controls to ensure that the assets
and records of the Company are adequately protected from loss, destruction, theft,
alteration, or unauthorized access.
301.6 All business units will develop procedures for documenting and reporting to operating
management any occurrences of fraud, embezzlement, or unlawful or unethical practices.
Reports of all significant occurrences must be forwarded to the Corporate Legal Group.

302 TREASURY CYCLE

The Treasury Cycle includes the functions associated with: determining AES’s cash and
investment management, evaluating and selecting appropriate forms of financing, monitoring
compliance with financing covenants, payment of dividends, and accounting for treasury
transactions. The following standards regarding the documentation, authorization and accounting
for such treasury functions will be followed.

In management’s selection of procedures and techniques of control, the degree of control
implemented is a matter of reasonable business judgment. The common guideline that should be
used in determining the degree of internal control implementation is that the cost of a control
should not exceed the benefit derived.

302.A - CASH
Control Objective #1 – Cash and cash equivalents (i.e., financial instruments of high
liquidity and safety) must be managed effectively and efficiently
Control Risks:
• Poor cash management may impair the Company’s ability to timely acquire resources or honor its
current obligations resulting in potential lawsuits, liens, business interruptions, bankruptcy, etc.
• Poor cash management may impair the Company’s ability to continue as a going concern
• Short-term borrowings (i.e., working capital) may be obtained at high costs or on terms that are
unacceptable by management, (e.g., restrictive covenants, difficult repayment terms, etc.)
• Failure to invest excess cash may result in either physical or purchasing power losses
• Excessive and unnecessary bank accounts may increase costs (e.g., maintenance fees, transfer fees)
and decrease control (e.g., untimely reconciliations, undetected unauthorized access, etc.)
• Present value (purchasing power) may not be protected in periods of inflation

Control Activities:
1. Management has established cash management objectives, (e.g. minimum balances, account
requirements, liquidity requirements, etc.) responsibility, and authority
2. Cash and revolver (credit line) positions are monitored daily

Control Objective #2 – Cash and cash equivalents must be safeguarded from theft or loss
Control Risks:
• Financial statements may be misstated
• Cash may be misappropriated (i.e., diverted or disbursed for unauthorized purposes)
• Ability to forecast cash accurately may be impaired

Control Activities:
1. Management has established criteria regarding authorization of cash transactions and access to
cash (e.g., account transfers, wire transfers, certified checks, account maintenance, etc.)
2. Management has established guidelines regarding petty cash
balances, custody, disbursements, and replenishments
3. Initiation of wire, bank, or account transfers is segregated
from the approval of transfers
4. Cash disbursements are not made payable to cash, bearer,
or left blank
5. Cash is physically safeguarded by financial institutions or
other designated, authorized custodians
6. Each bank account is reflected in the Company’s general
ledger
7. Banks are notified of personnel authorized to access cash,
open and maintain accounts, transfer funds, access balance, or
transaction information, etc.
8. Access to cash (i.e., bank accounts, bank transactions, petty
cash) is restricted to authorized personnel
9. Access codes (i.e., user names, passwords) for on-line bank
access are safeguarded from unauthorized use or access
10. Bank transactions (e.g., account transfers, wire transfers,
certified checks, account maintenance) are documented,
reviewed, and approved consistent with management’s
guidelines
11. Trade disbursements (e.g., payroll, payables) are issued
from zero-balance or imprest bank accounts
12. Only authorized disbursement amounts are transferred to
disbursement bank account
13. Petty cash disbursements and replenishments are
documented, reviewed, and authorized consistent with
management’s policy

Control Objective #3 – General ledger cash accounts must be current, accurate, and
complete
Control Risks:
• Financial statements may be misstated
• Public disclosures regarding liquidity may be incorrect
• Documentation may not be available to facilitate bank reconciliations
• Cash may not be managed efficiently or effectively

Control Activities:
1. Management has established guidelines regarding the frequency and timeliness of bank account
reconciliations
2. Management has established guidelines regarding the frequency, timeliness, and methods of cash
equivalent valuations consistent with generally accepted accounting principles
3. Cash account reconciliation duties are segregated from cash
access (i.e., deposits, disbursements, transfers) and bank
account maintenance duties
4. Bank and other custodial account balances are reconciled to
general ledger cash account balances (or to respective sub-
ledgers, which are also reconciled to the general ledger)
regularly. Reconciling items are promptly investigated and
resolved
5. Reconciling items are documented and reviewed

302.B - INVESTING (excl. M&A and PP&E)


Control Objective #1 – Investments must be documented and authorized
Control Risks:
• Restrictions and covenants may be violated
• Financial statements may be misstated (i.e., misclassifications)
• Cash may be deployed in a manner inconsistent with Company’s strategic plan
• Unreasonable risks of loss may not be appropriately identified and evaluated by management
• Alternate, more attractive, investment opportunities may be foregone (opportunity cost)

Control Activities:
1. Management has established guidelines regarding documentation and authorization of investment
transactions and custody of investment documents
2. Investing duties are segregated from custodial duties
3. Investment transactions are reviewed and approved consistent with management’s policies

Control Objective #2 – Investments and related income, gains, and losses must be
accurately and promptly recorded
Control Risks:
• Financial statements may be misstated
• Funds may be diverted for unauthorized use

Control Activities:
1. Management has established guidelines to receive, record, and value investments consistent with
generally accepted accounting policies
2. Investment transactions (e.g., sales, purchases) are promptly
recorded and verified against source documents. Errors are
promptly corrected
3. Income (i.e., interest, dividends, etc.) and/or gains are
documented and promptly recorded to authorized accounts
4. Accruals are recorded for income (e.g., interest, dividends)
earned but not yet received
5. Accruals by investment are periodically reviewed and
recalculated (to ensure accuracy and completeness)
6. Write-offs or adjustments to investment accounts are
evaluated, documented, and approved consistent with
management’s policy

302.C - FINANCING AND DEBT COMPLIANCE
Control Objective #1 – Financing arrangements must be documented and authorized
Control Risks:
• Financing costs, terms, and conditions may be unreasonable
• Restrictions and covenants (e.g., legal, loan, etc.) may be violated resulting in default
• Financing needs may not be satisfied resulting in inadequate capital for business operations
• Inability to satisfy financing terms may result in bankruptcy

Control Activities:
1. Management has established criteria regarding documentation, review, and authorization of
financing arrangements
2. Financing necessity is documented (e.g., need for and use of proceeds)
3. Financing arrangements are reviewed and approved by authorized personnel consistent with
management’s policy
4. Financing arrangement documents are accumulated and
monitored on a regular basis
5. Financing arrangements are evaluated against current
covenants or other restrictions

Control Objective #2 – Financing transactions must be accurately, completely, and timely
recorded
Control Risks:
• Financial statements may be misstated
• Compliance with restrictions or covenants may not be properly evaluated

Control Activities:
1. Management has established criteria for recording and reporting the proceeds and costs of
financing arrangements consistent with generally accepted accounting principles
2. Financing transactions (e.g., proceeds, payments,
extinguishments, fees, etc.) are promptly recorded in a manner
consistent with management’s policy
3. Financing agreements and transactions (e.g., issues,
retirements, payments, changes in classification, fees, etc.) are
supported by original source documents
4. Accruals are recorded to reflect interest and/or fees incurred
but not yet paid
5. Payments to satisfy financing obligations are reviewed and
authorized consistent with management’s cash disbursement
policy
6. Current and long-term portions of financing arrangements are
identified, periodically reviewed, and properly classified in the
accounting records
7. Extinguishments or adjustments to financing arrangements
are timely documented, evaluated, and recorded consistent with
management’s policy

Control Objective #3 – The Company must comply with applicable financing restrictions,
covenants, and reporting requirements
Control Risks:
• Noncompliance may result in fines, penalties, or other liabilities
• Noncompliance that constitutes a covenant breach may result in default and bankruptcy
• Noncompliance may damage banking/capital markets relationships and limit future access to capital
markets
• Noncompliance may result in lack of full disclosure

Control Activities:
1. Management has established guidelines and responsibility to accumulate and monitor compliance
with financing covenants
2. Management has established policies for payment of dividends consistent with legal, financial,
governmental, regulatory, or other restrictions and requirements
3. Financing covenants are regularly monitored consistent with terms prescribed by financing
agreements and/or management’s policy
4. Compliance assessments are documented, reviewed, and
approved
5. Financing transactions are evaluated in light of existing
agreements to avoid covenant or restriction violations. Results
of reviews are documented and retained
6. Areas of potential noncompliance are timely summarized and
communicated to appropriate personnel
7. Dividend payments are made in accordance with
management’s established policies
8. Independent review and recalculation is performed of
financial covenants (on a regular basis)

302.D - CURRENCY RISK MANAGEMENT


Control Objective #1 – Hedge transactions (including derivatives) must be documented and
authorized
Control Risks:
• Risk management arrangements may not be beneficial to the company
• Monetary risks may not be timely or completely mitigated
• Hedge transactions may be inconsistent with the Company’s hedge accounting policy

Control Activities:
1. Management has established guidelines regarding documentation, review, and authorization of
hedge transactions
2. Hedge transactions are reviewed and authorized consistent with management’s policies

Control Objective #2 – Hedge transactions must be accurately, completely, and timely
recorded
Control Risks:
• Financial statements may be misstated

Control Activities:
1. Management has established hedge accounting guidelines
consistent with generally accepted accounting principles
2. Hedge transactions (purchases, sales, income, gains and
losses, etc.) are timely recorded in the accounting records
3. Recorded transactions are supported by source documents
4. Accruals are recorded for income earned (or expenses
incurred) but not yet received (or paid)
5. Payments or receipts from exercised instruments are
documented, authorized, and timely recorded
6. Hedge transactions are summarized and communicated to
facilitate accurate financial disclosure
7. Experts (either internal or external) are consulted to
determine the proper valuation and accounting for monetary risk
instruments

303 PROCUREMENT CYCLE

The Procurement Cycle includes the functions associated with: initiating requests for materials,
equipment, supplies, or services; monitoring approved suppliers; placing orders for goods;
receiving, inspecting, or accepting the material or services; accounting for the proper amounts due
to suppliers; and processing payments. The following standards regarding the documentation,
authorization, and accounting for such procurement functions will be followed.

In management’s selection of procedures and techniques of control, the degree of control
implemented is a matter of reasonable business judgment. The common guideline that should be
used in determining the degree of internal control implementation is that the cost of a control
should not exceed the benefit derived.

303.A - PURCHASING
Control Objective #1 – Purchase requisitions must be adequately documented and properly
authorized
Control Risks:
• Purchases may not be made in accordance with management's business objectives
• Unnecessary goods/services or unnecessary quantities may be requisitioned
• Purchases may exceed available funds
• Incorrect items or quantities may be requisitioned
• Unauthorized changes may be made after management's approval
• Unauthorized and illegal items may be purchased
• Budget and requisition limits may be ignored, resulting in purchases in excess of approved or
available funds
• Purchased items may violate the Foreign Corrupt Practices Act ("FCPA")
• Purchased items may be charged to the wrong account/project number

Control Activities:
1. Management has established and communicated requisition limits and authority
2. Management has established guidelines regarding required documentation of purchase requisitions
(e.g., specific description of items requested, estimated prices, quantity, potential suppliers, due
date, project/account numbers, narrative justification, and current inventory quantity)
3. Purchase limits (e.g., budgets, not-to-exceed limits, ceilings) are established for each requisition
4. Standard purchase requisition forms are used
5. Purchase requisitions are reviewed and approved
6. All required requisition information is complete prior to review and approval

Control Objective #2 – Supplier selection should be competitive and/or value-based
Control Risks:
• The Company does not receive the 'best value' (i.e., most favorable combination of price, terms,
conditions, quality, and service) available in the marketplace
• Dependence on a sole vendor may cause business interruptions if that vendor goes out of business
or is unable to deliver
• Kick-backs or other improper payments may be received by a Company employee in exchange for
sub-optimal purchase arrangements
• Sole source arrangements may violate laws, regulations, or contract requirements
• Purchased items not meeting quality standards may cause business interruptions (e.g., shut-downs,
excessive scrap or rework) and/or substandard finished products

Control Activities:
1. Supplier selection duties are segregated from requisitioning and review and approval duties

Control Objective #3 – Suppliers must be authorized


Control Risks:
• Goods purchased may not meet the quality standards of the company
• Purchases may be made from related parties without the knowledge of management, which may result
in a failure to disclose these transactions in financial statements
• Unauthorized suppliers may cause business interruptions (i.e., items received too late) or
excessive levels of inventory (i.e., items received too early)
• Purchases may be made from suppliers whose interests are in conflict with the company (e.g.
environmentally, legally, and ethically)
• Purchases from unauthorized suppliers may violate the FCPA
• Company's ability to receive the current 'best value' in the marketplace may not be maximized
(e.g., best price, terms & conditions, quality & service)

Control Activities:
1. Management has established a qualified/approved and current Supplier List, which should include
company name, address, contract numbers, tax information, etc.
2. Additions, deletions, and updates to the approved Supplier List are reviewed, documented, and
approved

Control Objective #4 – Purchase orders ("POs") must contain firm prices, terms, and
conditions
Control Risks:
•Disputes may cause losses
•The Company may have no recourse against suppliers that fail to honor their obligations, resulting in unrecoverable losses

Control Activities:
1. Management has established PO approval authority and limits
2. Management has established authority regarding physical access to purchasing system and controlled documents (e.g., password control)
3. Purchase order preparation duties are segregated from requisition, accounts payable, and disbursement duties
4. Standard PO forms are used
5. POs are confirmed against supplier selection results and the approved Supplier List
6. POs are reviewed to verify PO values do not exceed requisition limit
7. POs are reviewed to verify required information is complete and accurate

Control Objective #5 – Purchase orders must be timely issued and monitored
Control Risks:
•Untimely POs may cause business interruptions
•POs not provided to accounts payable in a timely manner may cause payments to be untimely resulting in late fees and/or penalties
•POs not provided to receiving in a timely manner may cause unnecessary returns or untimely acceptance of received items

Control Activities:
1. Management has established guidelines regarding the transmittal, distribution, and monitoring of approved POs
2. POs are assigned unique sequential numbers
3. A log is maintained for all approved POs
4. The PO log is routinely updated to reflect PO transmittals, receipts, and supplier payments
5. PO copies are promptly provided to accounts payable
6. PO copies are provided to either receiving (for deliverable items) or requester (for service items)

Control Objective #6 – Changes or cancellations to approved POs must be documented and authorized
Control Risks:
•Unauthorized cancellations may cause decreased operational efficiency or business interruptions
•Uncommunicated changes, cancellations, and adjustments may misstate liability accounts
•Changes and cancellations inconsistent with terms and conditions may increase exposure to disputes

Control Activities:
1. Management has established guidelines to document, review, and authorize PO cancellations or changes
2. PO cancellations or changes are reviewed and approved consistent with management's criteria
3. PO changes or cancellations are documented on standard PO change forms (e.g., PO modifications, change orders, etc.)
4. PO cancellations/changes are communicated to appropriate departments (i.e., purchasing and receiving)

303.B - RECEIVING/ACCEPTANCE
Control Objective #1 – Received items must be safeguarded and timely accepted or
returned
Control Risks:
•Receipts not recorded on a timely basis may result in untimely supplier payment
•Unordered items may be received and paid for
•Acceptance of incorrect quantities, incorrect items, or items not meeting quality standards or specifications may cause business interruptions or inventory surpluses
•Cancelled or duplicate orders may be received and accepted
•Untimely receiving and acceptance may cause financial misstatements or business interruptions
•Received items may be stolen, lost, or destroyed
•Returned items may be incorrectly included within receiving records and paid for
•Appropriate credits (or supplemental shipments) may not be obtained for order discrepancies
•Damaged goods that are unusable by the Company may be accepted

Control Activities:
1. Management has established guidelines for the acceptance of items received pursuant to an approved PO
2. Access to the receiving area is restricted to authorized personnel
3. Received items are physically secured and safeguarded
4. Receiving reports are generated only after receipt of goods and compared to packing slip
5. Accepted items are documented on sequentially numbered receiving report
6. Received reports are matched to approved POs
7. Copies of receiving reports are promptly distributed to purchasing and accounts payable department
8. The receiving report log is reviewed periodically for continuity of report numbers. Missing reports are investigated and resolved
9. Items received without an authorized PO, of unacceptable quality, or not meeting specifications are returned to the supplier
10. Returned items are not reflected on a receiving report; they are documented on sequentially numbered return reports
11. Purchasing/accounts payable personnel are promptly notified of returned/rejected items
12. The return report log is reviewed periodically for continuity of report numbers. Missing reports are investigated and resolved

Control Objective #2 – Changes/alterations to receiving reports must be documented and authorized
Control Risks:
•Unauthorized and unapproved changes may result in improper payments or misstated financial statements

Control Activities:
1. Only authorized personnel may change receiving reports
2. Changes to receiving reports are documented, reviewed, and approved
3. Changes to receiving reports are promptly communicated to accounts payable and purchasing personnel

303.C - INVOICE PROCESSING/ACCOUNTS PAYABLE
Control Objective #1 – The accounts payable sub-ledger must be accurate, complete, and
current
Control Risks:
•Financial statements may be misstated
•Supplier invoices may not be paid in a timely manner resulting in interest charges, fines, penalties, or other liabilities
•Relevant tax information (e.g., services reportable on 1099s, sales tax, use tax, etc.) may be omitted or untimely reported resulting in fines or penalties
•Advantageous discounts may be foregone, resulting in increased payments

Control Activities:
1. Management has established guidelines for processing supplier invoices (i.e., under POs) and check requests (i.e., no PO, unmatched invoices), which may include proper account coding, required documentation, and appropriate authorizations
2. Management has established criteria regarding acceptance of discounts and the timing of supplier payments
3. Management has established procedures for developing, summarizing, and reporting required tax information (sales or use tax)
4. Accounts payable duties are segregated from purchasing and receiving duties
5. Supplier payables are recognized when invoices (e.g., price, quantity) match PO and receiving report (3-part match) consistent with management's guidelines
6. Invoices related to check requests (i.e., no PO) are recognized as payables only when invoice is authorized consistent with management's guidelines
7. Invoices are reviewed for clerical accuracy
8. Invoices are promptly recorded in the appropriate period
9. Freight bills are compared to supporting shipping or receiving documentation
10. Adjustments to accounts payable are documented, reviewed, and approved
11. Debit balances are periodically reviewed and investigated
12. The accounts payable sub-ledger is periodically reconciled to the general ledger control account
13. Accruals are recorded for shipped items acquired F.O.B. - Shipping Point
14. Accruals are recorded for items delivered but not yet accepted at the end of an accounting period
15. Account codings are verified against the standard chart of accounts
16. Cutoff reviews are performed to verify that obligations are recognized in the proper time period
17. Open accounts payable (i.e., unmatched invoices, POs, or receiving reports) are periodically reviewed, investigated, and resolved

Control Objective #2 – Accounts payable files are timely closed, segregated, and
safeguarded subsequent to payment
Control Risks:
•Duplicate payments may be made
•Financial statements may be misstated

Control Activities:
1. Management has established guidelines to ensure that accounts payable files are timely closed, segregated, and safeguarded subsequent to payment
2. The accounts payable system prevents duplicate entry of supplier invoices
3. Paid invoices are defaced
4. Paid voucher packages are removed from open accounts payable files

303.D - CASH DISBURSEMENTS
Control Objective #1 – Accounts payable disbursements (i.e., checks and wire transfers)
must be documented and authorized
Control Risks:
•Financial statements may be misstated
•Payments may be made to an unauthorized party
•Checks may be recorded twice or unrecorded
•Duplicate payments may be made
•Cash may not be disbursed in a timely manner and/or recorded in the wrong time period

Control Activities:
1. Management has designated signature (checks) and approval (wire transfers) authority and established authority limits
2. Checks are not made payable to "cash" or "bearer"
3. Invoice approval duties are segregated from disbursement duties
4. Disbursements are authorized consistent with management's policy
5. Dual signatures/authorizations are required for disbursements in accordance with limits prescribed by management's policy
6. Disbursements are reviewed for unusual or anomalous items
7. Disbursements are accurately calculated and recorded in the appropriate period
Signed checks are matched with supplier remittance advice and transmitted to the payee
8. For cash forecasting purposes, cash disbursement requirements are promptly communicated to the treasury department
9. Proper payee information is verified/reviewed prior to payment
10. Supplier account data is verified prior to initiating wire transfers
11. Posted checks are periodically reviewed for alterations (e.g., unauthorized/altered signatures, amount paid, payee, etc.)

Control Objective #2 – Accounts payable checks must be physically safeguarded
Control Risks:
•Blank or unused checks and signature plates may be used for unauthorized purposes
•Inaccurate check records may impair cash account reconciliations
•Undelivered checks may be diverted
•Intended payees may not receive payment

Control Activities:
1. Management has established guidelines regarding the physical security of and authorized access to cash disbursement equipment and materials
2. A check log is maintained
3. Checks are printed in sequential order and check numbers are used only once
4. Voided, spoiled, or cancelled checks are defaced
5. All checks are periodically accounted for and missing checks are investigated
6. Blank checks and signature plates are safeguarded, to which access is limited to authorized individuals
7. Undeliverable checks are returned to personnel independent of payment preparation and approval

304 REVENUE CYCLE

The Revenue Cycle includes the functions associated with: acquiring and accepting orders;
granting customer credit; delivering goods, equipment, or services; billing and recording sales
transactions; maintaining and monitoring accounts receivable; instituting effective collection
procedures; and recording and controlling cash receipts. The following standards regarding the
documentation, authorization, and accounting for such revenue functions will be followed.

In management’s selection of procedures and techniques of control, the degree of control
implemented is a matter of reasonable business judgment. The common guideline that should be
used in determining the degree of internal control implementation is that the cost of a control
should not exceed the benefit derived.

304.A - CUSTOMER ORDER/CONTRACT ACCEPTANCE


Control Objective #1 – Customer orders or contracts must reflect prudent, arms-length
agreements to provide products or services
Control Risks:
•Undesirable customer orders may result in uncollectible accounts receivable
•Related party transactions may cause inadequate financial statement disclosures
•Accepted orders may contain prices or terms that adversely affect operating results and relationships with other customers
•Accepted orders beyond the Company's attainable quality standards and technical capabilities may cause the Company to default on its obligations
•Accepted orders that violate laws and regulations may result in fines, penalties, or other liabilities
•Fictitious or duplicate sales may be initiated
•Sales to foreign customers may violate export regulations, the Foreign Corrupt Practices Act ("FCPA"), etc. resulting in fines and/or penalties

Control Activities:
1. Order acceptance duties are segregated from billing, accounts receivable, and cash receipts duties
2. Customer orders/contracts are accepted/negotiated only by authorized personnel
3. Customer files are created to accumulate client-related documentation (e.g., orders, cancellations, changes, notes of negotiations, etc.)

Control Objective #2 – Orders (including changes or cancellations thereto) must be
documented and approved (including evidence of customer authorization)
Control Risks:
•Incomplete or inaccurate order information may cause inaccurate or untimely order fulfillment
•Incomplete or inaccurate customer contact information may impair billing and collection efforts
•Financial statements may be misstated

Control Activities:
1. Management has established guidelines regarding documentation and safekeeping of customer orders (e.g., customer/client legal name, shipping and billing addresses, delivery terms (including schedule/due dates), credit checks and approvals, tax information, agreed prices, agreed quantity, authorizations, related party identifications, order access, etc.)
2. Orders are reviewed to ensure required information and valid customer authorization is documented
3. Orders are reviewed for accuracy and completeness and approved before release to operations
4. Order copies are promptly and accurately transmitted to operations and accounts receivable
5. Order changes that affect order fulfillment are promptly communicated to operations and accounts receivable
6. Orders are tracked using unique sequential order numbers
7. Order numbers are periodically inventoried. Missing order numbers (e.g., neither open, closed, nor voided) are promptly investigated and resolved
8. Access to customer files and specific orders is restricted to authorized personnel (e.g., system is password protected)

304.B - ORDER/CONTRACT FULFILLMENT


Control Objective #1 – Orders/Contracts must be timely and accurately fulfilled
Control Risks:
•Revenue recognition may be inaccurate or untimely
•Customers may become dissatisfied resulting in increased uncollectible accounts and/or decreased sales
•Unfulfilled contracts may expose the Company to penalties, disincentives, or early termination
•Inaccurate shipments may cause inventory excess or shortage

Control Activities:
1. Order fulfillment duties are segregated from order acceptance, billing, accounts receivable, and cash receipts duties
2. For demand-based (i.e., indefinite quantity) orders, reliable mechanisms are employed and monitored to measure customer consumption
3. Work orders are generated from an accepted customer order (where applicable)
4. Work orders are periodically accounted for. Missing work orders are investigated and resolved
5. Electric meters are numerically controlled and assigned to individual customer orders

Control Objective #2 – Billing department must be timely notified of order fulfillment
Control Risks:
•Financial misstatements may occur (i.e., revenues and assets either not recognized or recognized in the wrong period)
•Cash flows may be unfavorably impacted
•Goods or services may not be billed

Control Activities:
1. Management has established guidelines or methods by which fulfilled orders are communicated to billing department
2. Fulfilled customer orders are timely transmitted to the billing department

304.C - BILLING
Control Objective #1 – Sales invoices must accurately, completely, and timely reflect
amounts due to the Company 1) for products or services rendered and/or 2) as required by
law, regulation, or contract
Control Risks:
•Financial statements may be misstated
•Untimely or incorrect invoices may result in either unbilled or uncollectible receivables and misstated revenue
•Revenues and receivables may be recorded for unfulfilled orders
•Products or services may not be billed
•Cash flows may be adversely impacted
•The company may face fines, penalties, or other liabilities for not accurately billing amounts required by law, regulation, or contract
•Inaccurate invoices may cause increased need for (or burden on) customer service personnel

Control Activities:
1. Management has established guidelines regarding the preparation, review, and approval of customer billings (e.g., timing, content, authorization, etc.)
2. For demand-based (i.e., indefinite quantity) orders, billed quantities are reviewed for consistency with historical or usual-and-customary quantities; exceptions are investigated
3. Standard invoice forms are used
4. Invoices are timely delivered to the customer
5. Invoices are reviewed for consistency with the terms and conditions set forth in customer orders/contracts
6. Invoices are properly authorized
7. Invoices reflect prices consistent with negotiated agreement (i.e., contract terms) or set by law or regulation
8. Remittance address of Company lockbox account or other authorized recipient is clearly stated on invoice
9. Payment due dates are clearly indicated on invoice
10. Meter reports are periodically reviewed to ensure all issued meters have been timely read
11. Access to invoices and the billing system is limited to authorized personnel
12. Invoices are physically safeguarded
13. Meter reading data for a particular period are reconciled to billings for that same period. Differences are investigated and resolved
14. Cumulative usage (i.e., meter reading data) for a particular period is compared to production/delivery for that same period. Differences are promptly investigated and resolved

Control Objective #2 – Revenue must be timely and accurately recognized consistent with
fulfilled orders/contracts
Control Risks:
•Financial statements may be misstated

Control Activities:
1. Management has established and communicated revenue recognition guidance consistent with generally accepted accounting principles (e.g., accounting periods, SAB 101, etc.)
2. Invoice values are posted to accounts receivable and revenue in the period in which they were billed
3. Revenues recorded in connection with customer orders (i.e., not long-term contracts) are reviewed for conformance with management's revenue recognition guidance
4. Billed and unbilled revenues recognized under long-term contracts are reviewed in accordance with management's revenue recognition guidance
5. Unbilled revenue and receivables are supported by evidence that they have been earned
6. Amounts billed on behalf of third parties (e.g., taxes) are excluded from recognized revenues

304.D - ACCOUNTS RECEIVABLE


Control Objective #1 – The accounts receivable sub-ledger must accurately and completely
reflect amounts billed and due to the Company
Control Risks:
•Unrecorded invoices or unauthorized credit memos may result in cash misappropriations
•Unauthorized adjustments may cause accounts receivable to be misstated
•Inaccurate accounts receivable may adversely impact cash flow forecasts and/or budgets
•Inaccurate agings may cause misstated accounts receivable valuations
•Inaccurate accounts receivable may complicate collection efforts

Control Activities:
1. Management has established criteria to monitor accounts receivable (e.g., agings, identification of delinquent accounts, etc.)
2. Adjustments to the accounts receivable sub-ledger and/or general ledger are reviewed and authorized
3. The accounts receivable sub-ledger is periodically reconciled to the general ledger. Differences are timely investigated and resolved
4. Sales invoices are reconciled with the accounts receivable sub-ledger after each posting
5. Delinquent accounts receivable are referred to the collections department or collection agency
6. Accounts receivable aging is periodically reviewed and monitored

Control Objective #2 – A sufficient valuation reserve (i.e., allowance for bad debt) must
reflect anticipated uncollectible accounts
Control Risks:
•Financial statements may be misstated
•Failure to assess the collectability of accounts receivable may result in unexpected account write-offs

Control Activities:
1. Management has established valuation reserve criteria and identified thresholds for management review and authorization of account write-offs
2. Account write-offs are reviewed and approved consistent with management's policy

304.E - COLLECTIONS
Control Objective #1 – Reasonable and prudent efforts must be taken to collect delinquent
accounts receivable
Control Risks:
•Collectable accounts receivable may be incorrectly or prematurely written off
•Costs to monitor and resolve delinquent accounts may exceed the amounts collected

Control Activities:
1. Management has established guidelines regarding 1) the circumstances necessitating and the terms of flexible payment arrangements, 2) when to write-off receivables, and 3) when to discontinue customer relationships
2. Collection duties are segregated from order/contract acceptance, billing, and cash receipts duties
3. Delinquent accounts are monitored
4. Delinquent accounts are promptly notified (e.g., customers are contacted by collection personnel, duplication invoices sent, etc.)
5. Excessively delinquent accounts are closed; product repossession or service cancellation work orders are prepared and communicated to operations
6. Write-off decisions are documented (e.g., consultation with legal department, cost to collect > amount due), reviewed, and authorized

304.F - CASH RECEIPTS


Control Objective #1 – Cash receipts (i.e., cash, check, wire transfers) must be physically
safeguarded and promptly recorded
Control Risks:
•Cash receipts may be lost, stolen, misappropriated, or diverted
•Financial statements may be misstated
•Unnecessary collection efforts may be taken on previously paid accounts

Control Activities:
1. Management has established guidelines regarding cash receipt methods, responsibilities, and authority
2. Cash receipt duties are segregated from billing and collection duties
3. Receipts are physically safeguarded (e.g., lockbox accounts, facility restrictions, etc.)
4. Access to cash receipts and bank accounts is limited to authorized personnel
5. Cash receipts are restrictively endorsed
6. Cash receipts are promptly posted to a cash receipts journal
7. The cash receipts journal is periodically reconciled to bank statement deposits
8. The cash receipts journal is periodically posted and reconciled to the general ledger
9. Cash receipts are recorded in the period in which they were received
10. Cash receipts are promptly summarized and posted to customer accounts receivable

305 FIXED ASSETS AND LEASING CYCLE

The Fixed Assets and Leasing Cycle includes functions associated with: recording asset
acquisitions, depreciation, transfers, and dispositions; determining the appropriate lease
accounting treatment; accumulating construction work-in-process costs; ensuring that all recorded
assets exist and are in use and that all assets not in use will be disposed of appropriately. The
following standards regarding the documentation, authorization, and accounting for such fixed
asset and leasing functions will be followed.

In management’s selection of procedures and techniques of control, the degree of control
implemented is a matter of reasonable business judgment. The common guideline that should be
used in determining the degree of internal controls implementation is that the cost of a control
should not exceed the benefit derived.

305.A - ASSET ACQUISITION


Control Objective #1 – Acquisition requests must be adequately documented and
authorized
Control Risks:
•Unnecessary assets may be requisitioned
•Incorrect items or quantities may be ordered
•Use of non-approved suppliers may cause potential Foreign Corrupt Practices Act ("FCPA") violations
•Acquisitions may exceed available funds/budgets (i.e., negative cash flow impacts)
•Acquisitions may be either capitalized or expensed incorrectly
•Audit trail may not be adequate to support accounting treatment

Control Activities:
1. Management has established acquisition limits and authorization responsibilities
2. Cost limits are established and approved for each acquisition
3. Cost overruns in excess of initial limits are re-authorized
4. A capital acquisition request log is maintained by request number
5. Required information is complete prior to review and approval
6. Capital acquisition request documents are reviewed and approved consistent with management's policies
7. After review and approval, the requestor cannot change the requisition unless such changes are explicitly instructed by the reviewer/approver
8. Proposed CWIP projects are evaluated using the same criteria as acquired assets
9. Unique CWIP accounts/project numbers are established for each approved CWIP project

Control Objective #2 – Acquisition costs must be appropriately classified (i.e., either capital
or expense) and accurately, timely, and completely recorded
Control Risks:
•Financial statements may be misstated
•The nature and value of insured losses may not be substantiated
•Lost, stolen, or destroyed asset records may cause audit trail to be insufficient to substantiate existence or characterization of acquisition costs
•Cost recovery may be impaired (regulated businesses)
•Tax-basis books may be misstated

Control Activities:
1. Management has established capitalization and expense criteria consistent with generally accepted accounting principles and applicable laws and regulations
2. Management has established criteria for defining asset categories or classes
3. Management has established guidelines regarding the detail of fixed asset records (e.g., technical descriptions, cost, sales/use tax paid, in-service date, assigned asset number, location, depreciation method, useful life, etc.) and the safeguarding of those records (i.e., custodianship)
4. Capital vs. expense analyses and classification decisions are documented, evaluated, and approved consistent with management's criteria
5. Separate account codes are maintained for individual assets or asset types/classes
6. Acquisition costs (i.e., item cost, taxes, freight, etc.) are capitalized consistent with management's criteria
7. The historical costs and accumulated depreciation of capitalized assets are recorded in the fixed asset sub-ledger
8. Fixed asset sub-ledger is periodically reconciled to a general ledger control account. Differences are promptly investigated and resolved
9. Manual adjustments to fixed asset sub-ledger and/or general ledger control account are documented, reviewed, and approved
10. Detailed fixed asset records are maintained consistent with management's criteria
11. Access to fixed asset records is limited to authorized personnel
12. Supporting documentation accurately and completely identifies the nature and extent of capitalized costs
13. Asset acquisition records are safeguarded from loss, destruction, or unauthorized access

Control Objective #3 – Applicable sales, use, and property taxes are recorded and remitted
accurately and timely
Control Risks:
•Inaccurate or untimely remittance of taxes may result in fines, penalties, or other liabilities

Control Activities:
1. Management has established guidelines for determining appropriate sales or use tax on acquired or internally constructed fixed assets consistent with applicable laws and regulations
2. Each asset acquisition is reviewed for sales or use tax applicability consistent with management's guidelines

305.B - CONSTRUCTION WORK-IN-PROCESS (“CWIP”)


Control Objective #1 – The CWIP subsidiary ledger must include only capital projects and
accurately and completely reflect the cost of capital assets under construction (i.e., not yet
in service)
Control Risks:
•Financial statements may be misstated
•Supporting documentation may not support total CWIP, which may result in unrecoverable costs (regulated businesses)
•Tax-basis books may be misstated

Control Activities:
1. Management has established guidelines regarding the accumulation and documentation of CWIP costs
2. Capitalizable costs (i.e., labor, materials, interest, etc.) are accumulated by CWIP project code/account within the CWIP sub-ledger
3. CWIP projects are reviewed frequently to monitor project completion status
4. CWIP projects are promptly removed from the CWIP sub-ledger and capitalized upon project completion consistent with management's policy regarding asset capitalization
5. Inactive CWIP projects are investigated for in-service status or potential impairments (consistent with management's policy regarding asset impairments)
6. CWIP sub-ledger is periodically reconciled to general ledger control account. Differences are promptly investigated and resolved
7. Manual adjustments to CWIP sub-ledger or general ledger control account are documented, reviewed, and approved

305.C - DEPRECIATION AND DEPLETION
Control Objective #1 – Recorded depreciation/depletion expense must reasonably reflect
the expiration or consumption of asset values over time
Control Risks:
•Financial Statements may be misstated
•Inaccurate book-basis cost and accumulated depreciation may cause income tax calculations to be misstated

Control Activities:
1. Management has established criteria regarding 1) depreciation methods; 2) asset useful life estimates; 3) salvage values; and 4) changes to those methods, estimates, and salvage values consistent with generally accepted accounting principles and applicable laws and regulations
2. Each capitalized asset is depreciated/depleted using a method commensurate with the consumption of its value consistent with management's criteria
3. Estimated useful lives are determined based on technical evaluations and/or management's criteria
Salvage values are estimated and assigned to each asset consistent with same or similar assets and management's policy
4. Similar assets are depreciated/depleted using consistent methods and useful lives
5. Asset in-service dates are documented and communicated promptly to personnel responsible for fixed asset accounting
6. Depreciation/depletion is systematically calculated and accumulated for each asset or asset class
7. Changes to depreciation methods, useful life estimates, and salvage values are documented, reviewed, and approved consistent with management's policy

305.D - LEASES
Control Objective #1 – Leases must be appropriately classified (i.e., either operating or
capital) and accurately and timely recorded consistent with that classification
Control Risks:
•Value of lease payments may not be commensurate with rights of lessee
•Lease termination costs may be excessive
•Required condition of returned item may be unattainable or costly to attain
•Alterations of or additions to leased items may convey to lessor
•Lease may contain unfavorable/unreasonable maintenance requirements (e.g., frequency, extent, provider)
•Lease costs may be excessive among alternatives
•Improper disclosure of lease commitments

Control Activities:
1. Management has established lease classification and accounting guidelines consistent with generally accepted accounting principles
2. Operating lease payments are recognized as expenses in the period incurred
3. Payments under capital leases are recognized as reductions to lease liabilities and interest expense
4. Items acquired under capital leases are capitalized and depreciated consistent with management's capitalization and depreciation policies
5. Obligations under leases are periodically summarized and communicated for financial disclosure purposes
6. Lease classification and accounting treatment is reviewed subsequent to lease amendments



305.E - MAINTENANCE AND OVERHAULS
Control Objective #1 – M&O costs must be appropriately characterized (i.e., either expense
or capital) and accurately, completely, and timely recorded
Control Risks:
• Financial statements may be misstated

Control Activities:
1. Management has established capitalization and expense
criteria consistent with generally accepted accounting principles
and applicable laws and regulations
2. Authorized M&O activities are evaluated against
management's capitalization and expense criteria
3. Capitalized M&O costs are recorded in a manner that
identifies them with a particular asset or asset class
4. Capitalized M&O costs are depreciated consistently with the
method and useful life of the related asset or asset class
5. Adjustments to depreciation methods or useful life estimates
as a result of M&O activities are documented, reviewed, and
approved consistent with management's depreciation policy

305.F - DISPOSALS
Control Objective #1 – Asset disposals (e.g., transferred, sold, scrapped) must be
adequately documented and authorized
Control Risks:
• Assets may be misappropriated
• The Company may not receive reasonable value for the
disposed asset
• Assets with future or alternate uses may be prematurely or
inappropriately disposed
• Financial statements may be misstated

Control Activities:
1. Management has established documentation, evaluation, and
authorization guidelines regarding the disposal of assets
2. Fixed asset disposal duties are segregated from fixed asset
custodial duties
3. Approved asset disposal requests are provided to fixed asset
accounting personnel

Control Objective #2 – Disposals of fixed assets must be accurately, completely, and timely
recorded
Control Risks:
• Financial statements may be misstated
• Gains or losses may be mischaracterized
• Contingent losses may not be recognized timely

Control Activities:
1. Management has established criteria regarding the
determination and recognition of gains and losses from the
disposal of fixed assets consistent with generally accepted
accounting principles
2. Disposed assets are either promptly removed from the fixed
asset sub-ledger or carried at a zero net book value and marked
"disposed"
3. Actual disposal costs and proceeds from the sale of fixed
assets are documented and considered in the calculation of gain
or loss
4. Gains (or unanticipated losses) from the disposal of assets
are promptly recognized in the period realized
5. Disposal activity in the fixed-asset sub-ledger is periodically
reconciled to authorized disposal authorizations. Differences
are promptly investigated and resolved

305.G - ASSET IMPAIRMENTS AND ASSET RETIREMENT OBLIGATIONS


Control Objective #1 – The fixed asset sub-ledger must reasonably reflect the net realizable
value of the Company's tangible capital assets
Control Risks:
• Financial Statements may be misstated

Control Activities:
1. Management has established guidelines to identify and value
fixed asset impairments and asset retirement obligations as
required by generally accepted accounting principles
2. Asset impairment losses and asset retirement obligations are
periodically assessed, documented, and reviewed consistent
with management's guidelines
3. Idle and obsolete fixed assets are periodically identified and
values assessed
4. Write-off or write-down decisions are documented, reviewed,
and approved

305.H - SECURITY
Control Objective #1 – Fixed assets and leased items must be safeguarded from loss, theft,
or destruction
Control Risks:
• Operations may be interrupted
• Unanticipated cash outflows may occur (to replace assets)
• Unanticipated financial losses may occur (write-off of net book
value)
• Insurance coverage may be inadequate or excessive
• Unauthorized access to and/or disclosure of
confidential/proprietary items may adversely affect the
Company's competitive position and/or reputation

Control Activities:
1. Physical access to high-value assets and facilities is
restricted to authorized personnel
2. Periodically, fixed assets are physically inventoried against
fixed asset records (i.e., fixed asset sub-ledger). Differences
are investigated and resolved
3. Manual adjustments to the fixed asset sub-ledger as a result
of unreconciled physical inventory differences are documented,
reviewed, and authorized



306 PAYROLL CYCLE

The Payroll Cycle includes the functions associated with: maintaining employee personnel files;
reporting hours worked; preparing payroll checks; accurately accounting for payroll costs;
distributing checks to employees; and ensuring physical security of payroll and personnel
information. The following standards regarding the documentation, authorization, and accounting
for such payroll functions will be followed.

In management’s selection of procedures and techniques of control, the degree of control
implemented is a matter of reasonable business judgment. The common guideline that should be
used in determining the degree of internal control implementation is that the cost of a control
should not exceed the benefit derived.

306.A - PERSONNEL, COMPENSATION, AND BENEFITS


Control Objective #1 – Personnel records must contain documentation that demonstrates
prudent employment practices and compliance with applicable laws, regulations, and union
contracts
Control Risks:
• Employees may not be legally employable
• The Company may be unnecessarily exposed to fines,
penalties, lawsuits, or other potentially significant liabilities
• Inadequate personnel records may result in cost disallowances
and/or unfavorable audit findings (regulated businesses)
• Unauthorized positions may result in an excessive work force
• Unqualified personnel may be hired

Control Activities:
1. Access to employment files is limited to authorized personnel
2. Personnel files are safeguarded from loss, theft, or
unauthorized access
3. A Personnel Master File (i.e., database of all employee
information) is kept current, accurate, and complete

Control Objective #2 – Base compensation (e.g., salary, hourly wage) must be 1)
commensurate with qualifications and term of service, 2) consistent with positions of same
or similar responsibility (internal equity), and 3) consistent with union requirements (if
applicable)
Control Risks:
• Inequities may cause retention difficulties
• Inequities may encourage misappropriation of Company assets
or poor productivity
• Inequities may expose the Company to legal liabilities (e.g.,
discrimination suits)
• Compensation may be inconsistent with actual value received

Control Activities:
1. Authorized employee compensation documents are
maintained in each employee personnel file
2. Compensation for senior-level employees is periodically
reviewed and approved by the Board of Directors


Control Objective #3 – Additional compensation (e.g., bonuses, stock options, awards,
commissions, use of company assets, etc.) and fringe benefits (i.e., insurance, vacation,
holiday, sick time, etc.) must be offered equitably, documented, and authorized
Control Risks:
• Key personnel may be lost if exceptional performance is not
adequately rewarded
• Compensation may be excessive or undeserved
• Inequities may cause retention difficulties
• Inequities may expose the Company to legal liabilities (e.g.,
discrimination suits)
• Inequities may encourage misappropriation of Company’s
assets or poor productivity
• Inadequate documentation or authorization may result in cost
disallowances and unfavorable audit adjustments (regulated
businesses)

Control Activities:
1. Additional compensation awards are documented, reviewed,
and approved by authorized personnel
2. Benefit entitlements and elections are documented and
retained in each employee's personnel file
3. Special benefits for senior-level employees (if inconsistent
from established policy) are reviewed and approved by the
Board of Directors

Control Objective #4 – Company assets must be safeguarded upon employee termination
Control Risks:
• Employee advances may become uncollectible
• Company assets may not be recovered
• Unauthorized expenses may be incurred subsequent to
termination for which the Company may be liable
• Failure to restrict access to Company information may
jeopardize data integrity or result in theft and disclosure of
competitive information

Control Activities:
1. Termination forms are retained in the employee's personnel
file
2. Terminated employees are promptly removed from the
Personnel Master File
3. Access to computers, computer networks, and facilities is
promptly cancelled
4. Company security access keys are promptly cancelled and
collected
5. Company credit cards are returned
6. Outstanding debts to the Company (e.g., advances, loans,
personal charges on Company credit card, etc.) are promptly
collected or withheld from final payment

306.B - PAYROLL PREPARATION
Control Objective #1 – Employee time records must be accurate, complete, authorized, and
timely submitted prior to pay dates
Control Risks:
• Financial statements may be misstated
• Unauthorized overtime, vacation, or sick hours may adversely
impact productivity
• Incorrect time records may result in cost disallowances or
unfavorable audit findings (regulated businesses)
• Employees may be incorrectly paid

Control Activities:
1. Time card approval duties are segregated from payroll
processing duties
2. Individual electronic time records are accessible only by
unique user IDs and passwords or electronic card readers
3. Access to all electronic time records is limited to authorized
personnel
4. Where electronic time cards are not used, standard manual
time cards are used
5. Employee time cards (either manual or electronic), including
overtime, are reviewed and approved by authorized personnel
6. Only approved time charges are authorized for payment
7. Time cards include applicable account number/charge code
references (if necessary)
8. Time summary reports are prepared and reviewed for
unusual or anomalous time charges (e.g., time < standard
hours, excessive overtime, excessive sick time). Appropriate
items are investigated and resolved

Control Objective #2 – The payroll sub-ledger (i.e., payroll account distribution) must reflect
accurately and completely the obligations of the Company to 1) employees, 2) benefit
provider(s), and 3) relevant government agencies
Control Risks:
• Financial statements may be misstated
• Accruals may be incorrectly calculated
• Incorrect payments to benefit providers may result in loss of (or
interruption of) benefit coverage
• Incorrect payments to government agencies may result in fines,
penalties, or other liabilities
• Incorrect compensation and/or incorrect amounts withheld from
employees (e.g., inapplicable taxes, unelected benefits, etc.)
may cause employee discontent

Control Activities (Continued):
1. Payroll preparation duties are segregated from payroll
disbursement and human resource duties
2. Payroll Master File is reconciled to the Personnel Master File
before each pay cycle
3. Changes to the Payroll Master File are summarized,
reviewed, and verified to documentation in individual employee
files. Errors are corrected promptly
4. Payroll obligations are calculated using data from the Payroll
Master File and authorized employee time records
5. Employees (quantity and names) in Payroll Master File are
reconciled to employee time records (i.e., hash totals). Missing
or duplicate employees are promptly investigated and resolved
(hourly only)
6. Active employees with no current time cards are paid
consistent with management's guidelines
7. Payroll registers are reviewed for duplicate or anomalous
payments. Such occurrences are promptly investigated and
resolved
8. Payroll data transmissions (i.e., time summaries, Payroll
Master File) to 3rd party payroll preparer are reconciled when
sent and received
9. Withholding tables (e.g., tax rates, benefit costs) are updated
timely, as required
10. Payroll records are safeguarded from loss, theft, or
destruction
11. Access to payroll records is limited to authorized personnel
12. Payroll registers are reconciled to the payroll sub-ledger
prior to posting to the general ledger
13. Unscheduled payroll disbursements and payroll adjustments
are documented, reviewed, and approved by authorized
personnel
14. The payroll sub-ledger is timely posted and reconciled to the
general ledger. Differences are investigated and resolved
15. Period-end accruals are made for payroll-related obligations
incurred but not yet paid
16. Periodic employee earnings summaries are timely prepared
and provided to employees, government agencies, and other
required recipients in accordance with laws, regulations, or other
contractual arrangements
17. Employee compensation and withholdings in the Payroll
Master File are periodically reconciled to individual personnel
files

306.C - PAYROLL DISBURSEMENTS
Control Objective #1 – Payroll disbursements must reflect the satisfaction of Company
obligations with respect to 1) employees, 2) benefit provider(s), and 3) relevant taxing
authorities
Control Risks:
• Unauthorized use or issuance of payroll checks may result in
cash misappropriations
• Cash disbursements may be inconsistent with recognized
expenses and liabilities

Control Activities:
1. Management has established guidelines regarding the timing,
methods, and safeguards over payroll disbursements
2. Payroll disbursement duties are segregated from personnel,
payroll preparation, and payroll distribution duties
3. All payroll disbursements (both manual and electronic) are
reconciled to the payroll register. Differences are promptly
investigated and resolved
4. Checks are signed only after printing and review
5. Manual or dual signatures are required for adjustment checks
and checks above a specific threshold
6. Payroll checks (both "live" and blank) and signature stamps
are physically safeguarded from loss, theft, or destruction
7. Access is restricted to checks, check signing equipment, and
signature stamps
8. Checks are numbered sequentially
9. Check numbers are periodically reconciled. Missing checks
are investigated and resolved
10. Voided, spoiled, or cancelled payroll checks are defaced
and retained
11. Payroll disbursements are paid from an imprest or
zero-balance bank account

Control Objective #2 – Payroll disbursements are timely and confidentially distributed to 1)
employees, 2) benefit provider(s), and 3) relevant government agencies
Control Risks:
• Checks may be diverted and cashed by unauthorized persons
which may result in unrecorded liabilities
• Undeliverable checks may be lost, stolen, or diverted resulting
in increased expenses and liabilities
• Distribution may be made to unauthorized individuals who are
not employees of the Company
• Confidential payroll information may be obtained by
unauthorized personnel
• Employees not timely paid may become dissatisfied
• Untimely tax payments may result in fines or penalties
• Untimely payments to benefit plans may result in coverage
interruptions

Control Activities:
1. Payroll distribution duties are segregated from personnel,
payroll preparation, and disbursement duties
2. Payroll is distributed in a manner that protects employee
confidentiality
3. Payments to taxing authorities are remitted as required by
regulation
4. Undeliverable checks or deposit advices are returned to the
payroll or treasury department for safekeeping

Part 4 – Reference Materials
400 Glossary of Key Terms

Application Controls
Programmed procedures in application software, and related manual
procedures, designed to help ensure the completeness and accuracy of
information processing. Examples include computerized edit checks of
input data, numerical sequence checks, and manual procedures to follow
up on items listed in exception reports.

Business Cycle
A business process comprised of one or more sub-cycles (i.e., the
Revenue Cycle consists of several sub-cycles, including customer
order/contract acceptance, order/contract fulfillment, billing, accounts
receivable, etc., that together represent a business cycle).

Category
One of three groupings of business objectives, internal control objectives,
or control activities. The categories are: effectiveness and efficiency of
operations, reliability of financial reporting, and compliance with
applicable laws and regulations. The categories overlap, so that a
particular objective, for example, might address more than one category.

Compliance
Having to do with conforming with laws and regulations applicable to an
organization.

Component
One of five elements of an internal control framework. The internal
control framework components are the control environment, risk
assessment, control activities, information and communication, and
monitoring.

Computer Controls
1) Controls performed by computer (i.e., controls programmed into
computer software) (contrast with Manual Controls). 2) Controls over
computer processing of information, consisting of general controls and
application controls (both programmed and manual).

Control
1) A noun, used as a subject, e.g., existence of a control – a policy or
procedure that is part of internal control. A control can exist within any of
the five control framework components. 2) A noun, used as an object,
e.g., to effect control – the result of policies and procedures designed to
control; this result may or may not be effective internal control. 3) A verb,
e.g., to control – to regulate; to establish or implement a policy that effects
control.

Control Activities
One of the five internal control framework components. Policy and
procedures designed to achieve a control objective and mitigate an
identified control risk.

Control Environment
One of the five internal control framework components. The attitude and
actions of the board and management regarding the significance of
control within the organization. The control environment establishes the
foundation for an internal control framework by providing the discipline
and structure for the achievement of control objectives.

Control Objective
Management’s prescribed output or condition resulting from a particular
process, system, activity, etc.

Control Risk
1) A negative consequence that may result from not achieving a specific
control objective. 2) The risk related to ineffective internal controls.

Criteria
A set of standards against which an internal control system can be
measured to determine effectiveness. The five internal control
components, taken in the context of inherent limitations of internal control,
represent criteria for internal control effectiveness for each of the three
control categories.

Design
1) Intent. As used in the definition of internal control, the internal control
system design is intended to provide reasonable assurance as to
achievement of objectives; when the intent is realized, the system can be
deemed effective. 2) Plan; the way a system is supposed to work,
contrasted with how it actually works.

Detective Control
A control designed to discover an unintended event or result (contrast
with Preventive Control).

Disclosure Controls and Procedures
Controls and other procedures of a publicly-traded company that are
designed to ensure that information required to be disclosed by the
company in the reports filed or submitted by it under the Exchange Act is
recorded, processed, summarized, and reported within the time periods
specified in the SEC’s rules and forms. Disclosure controls and
procedures include, without limitation, controls and procedures designed
to ensure that information required to be disclosed by a company…is
accumulated and communicated to the company’s management,
including its principal executive and financial officers, as appropriate to
allow timely decisions regarding required disclosure.

Effected
Used with an internal control system: devised and maintained.

Effective Internal Control
Internal control can be judged effective in each of the three control
categories, respectively, if the board of directors and management have
reasonable assurance that:

• They understand the extent to which the company’s operations
are being achieved.
• Published financial statements are being prepared reliably.
• Applicable laws and regulations are being complied with.

Effective Internal Control System
A synonym for Effective Internal Control

Ethical Values
Moral values that enable a decision maker to determine an appropriate
course of behavior; these values should be based on what is “right,”
which may go beyond what is “legal.”

Financial Reporting
Used with “objectives” or “controls”: having to do with the reliable
preparation of published financial statements.

Inconsequential Control Deficiency
An internal control deficiency that alone or aggregated does not adversely
affect the entity's ability to initiate, record, process, and report financial
data.

Information and Communication
One of the five internal control framework components. Supports all other
framework components by identifying, capturing, processing, and
communicating relevant external and internal information throughout the
organization in a timely manner.

Inherent Limitations
Those limitations of all internal control systems. The limitations relate to
the limits of human judgment, resource constraints and the need to
consider the cost of controls in relation to expected benefits, the reality
that breakdowns can occur, and the possibility of management override
and collusion.

Inquiry
1) Examination into facts or principles. 2) A request for information.

Inspection
1) The critical examination of a document. 2) A checking or testing of an
individual against established standards.

Integrity
The quality or state of being of sound moral principle; uprightness,
honesty and sincerity; the desire to do the right thing, to profess and live
up to a set of values and expectations.

Internal Accounting Controls
Term initially used by the US Congress in the Foreign Corrupt Practices
Act of 1977; the substance of this term has been incorporated into and
superseded by the term “internal controls over financial reporting.”

Internal Control
A process, effected by an entity’s board of directors, management, and
other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.

Internal Control Deficiency
1) A perceived, potential, or real internal control shortcoming, or an
opportunity to strengthen the internal control system to provide a greater
likelihood that the company’s objectives are achieved. 2) May consist of
either a design or operating deficiency. A design deficiency exists when
either a necessary control is missing or an existing control is not properly
designed so that even when the control is operating as designed the
control objective is not always met. An operating deficiency exists when
a properly designed control either is not operating as designed or the
person performing a control does not possess the necessary authority or
qualifications to perform the control effectively.

Internal Control Framework
An integrated system of internal control that includes five basic
components (i.e., control environment, risk assessment, control activities,
information and communication, monitoring) that, working together, help
an organization successfully achieve its three basic business objectives
(i.e., effectiveness and efficiency of operations, reliability of financial
reporting, and compliance with laws and regulations). This framework
allows an organization to establish, maintain, and evaluate the
effectiveness of internal controls.

Internal Control Over Financial Reporting
A process designed by, or under the supervision of, the registrant’s
principal executive and principal financial officers, or persons
performing similar functions, and effected by the registrant’s board of
directors, management, and other personnel, to provide reasonable
assurance regarding the reliability of financial reporting and the
preparation of financial statements for external purposes in
accordance with generally accepted accounting principles and
includes those policies and procedures that:

1) Pertain to the maintenance of records that in reasonable detail
accurately and fairly reflect the transactions and dispositions of the
assets of the registrant;

2) Provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in
accordance with generally accepted accounting principles, and that
receipts and expenditures of the registrant are being made only in
accordance with authorizations of management and directors of the
registrant; and

3) Provide reasonable assurance regarding prevention or timely detection
of unauthorized acquisition, use or disposition of the registrant’s assets
that could have a material effect on the financial statements.

Internal Control System
A synonym for Internal Control.

Management Controls
Controls performed by one or more managers at any level in an
organization.

Management Intervention
Management’s actions to overrule prescribed policies or procedures for
legitimate purposes; management intervention is usually necessary to
deal with non-recurring and non-standard transactions or events that
otherwise might be handled inappropriately by the system (contrast this
term with Management Override).

Management Override
Management’s overruling of prescribed policies or procedures for
illegitimate purposes with the intent of personal gain or an enhanced
presentation of a company’s financial condition or compliance status
(contrast this term with Management Intervention).

Management Process
The series of actions taken by management to run an organization. An
internal control system is a part of and integrated with the management
process.

Manual Controls
Controls performed manually, not by computer (contrast with Computer
Controls).

Materiality
A judgment regarding the significance of an item (e.g., amount, fact,
circumstance, etc.) for public financial reporting and disclosure purposes.
An item is material if 1) in light of the surrounding circumstances, the
magnitude of an item is such that it is probable that the judgment of a
reasonable person relying upon the report would have been changed or
influenced by the inclusion or correction of the item (FASB), 2) there is a
substantial likelihood that a fact would have been viewed by a reasonable
investor as having significantly altered the “total mix” of information made
available (US Supreme Court).

Material Weakness
A significant deficiency in one or more of the internal control components
that alone or in the aggregate precludes the organization’s internal control
from reducing to an appropriately low level the risk that material
misstatements in the financial statements will not be prevented or
detected on a timely basis.

Monitoring
One of the five internal control framework components. A continuous
process to determine whether internal control is adequately designed,
executed, effective, and adaptive.

Observation
1) The act or faculty of observing. 2) An inference or a judgment that is
acquired from or based on observing. 3) A comment or remark.

Operations
Used with “objectives” or “controls”: having to do with the effectiveness
and efficiency of an organization’s operations, including performance and
profitability goals, and safeguarding resources.

Policy
Management’s dictate of what should be done to effect control. A policy
serves as the basis for procedures for its implementation.

Preventive Control
A control designed to avoid an unintended event or result (contrast with
Detective Control).

Procedure
An action that implements a policy.

Published Financial Statements
Financial statements, interim and condensed financial statements, and
selected data derived from such statements, such as earnings releases,
reported publicly.

Reasonable Assurance
The concept that internal control, no matter how well designed and
operated, cannot guarantee that an organization’s objectives will be met.
This is because of Inherent Limitations in all internal control systems.

Reliability of Financial Reporting
Used in the context of published financial statements, reliability is
defined as the preparation of financial statements fairly presented in
conformity with generally accepted (or other relevant and appropriate)
accounting principles and regulatory requirements for external purposes,
within the context of materiality. Supporting fair presentation are the five
basic financial statement assertions: existence or occurrence,
completeness, rights and obligations, valuation or allocation, and
presentation and disclosure.

Reperformance
The repeating by the auditor of a computation to check its accuracy.

Risk Assessment
One of the five internal control framework components. Management’s
identification and analysis of relevant risks to achieving business
objectives. Risk and objectives are linked to activities at all levels of the
organization.

Self-Assessment
A process by which process owners evaluate, report on, and improve the
design and operating effectiveness of internal controls.

Significant Deficiency
An internal control deficiency that could adversely affect the
organization’s ability to initiate, record, process, and report financial data
consistent with the assertions of management in the financial statements.
A significant deficiency could arise from a single deficiency or an
aggregation of deficiencies. See also Inconsequential Control
Deficiency and Material Weakness.
