INTERNAL CONTROL GUIDE
August 2003
The AES Corporation
Table of Contents
Part 1 Introduction
100 Objective
110 Scope
120 Responsibility
130 Oversight and Evaluation
140 Effective Date
150 Updates and Revisions
160 Definition of Terms
170 Exceptions and Exemptions
231 Overview
232 Required Documentation
233 Significant Controls
234 Locations
235 Design Effectiveness
236 Operating Effectiveness
237 Control Deficiencies
Part 3 Internal Control Standards
300 Introduction
Part 1 – Introduction
The Internal Control Guide (“the Guide”) is an integral part of AES’s internal control framework.
The Guide is intended to be the foundation of awareness and understanding throughout AES
regarding the fundamentals of internal control, management’s obligations with respect to internal
control, and the Internal Control Standards applicable to select AES financial processes.
The Guide is designed to be a useful reference tool to help you understand and discharge your
internal control responsibilities.
100 Objective
The Guide provides guidance regarding internal controls that will enhance –
A universal understanding of internal control and consistent application and execution of the
Internal Control Standards contained herein will help achieve this objective.
110 Scope
The Guide has been issued to all Business Leaders and AES people who are either responsible for
or participate in AES’s financial processes and functions. All AES business units will comply fully
with the Standards set forth in Part 3 of the Guide; however, these Standards are not mandated for
equity-method affiliates. Additional copies of the Guide are available from Corporate Accounting.
120 Responsibility
Each Business Leader is responsible for the ethical conduct of his/her business people and
ensuring that the Internal Control Standards (Part 3) are communicated, established, documented,
and maintained within their respective business units. Every business person must take ownership
of and responsibility for internal controls and ethical conduct. Compliance with the Standards will
be monitored by periodic internal audits, external audits, and control self-assessments. Business
Leaders will be required annually to assess and certify the effectiveness of their internal controls.
The Audit Committee of the AES Board of Directors, the CEO, and the CFO will monitor adherence
to this Guide through periodic reporting by AES’s Chief Audit Executive and external auditors.
Additionally, management will annually assess and report on the effectiveness of internal controls
as required by section 404 of the Sarbanes-Oxley Act. Adherence to this Guide will be a
consideration of management’s annual internal control assessment process.
The Guide contains internal control guidance and Standards applicable to AES’s financial
processes and functions as of the effective date. From time to time, Corporate Accounting will
update or revise the Guide to reflect:
Technical terms have been used consistently with their intended meanings as defined by various
authoritative publications. A glossary of key terms is provided in Part 4 of this Guide.
The manner in which the Internal Control Standards (Part 3) are implemented and executed is a
matter of each business unit’s reasonable professional judgment. The Standards are presented in
terms of desired operating conditions; however, it is recognized that situations may exist where
optimal conditions are either not attainable or not applicable. When this occurs, the business unit
must document each Standard that cannot be followed and the circumstances justifying non-
compliance. Where Standards are not applicable or cost exceeds benefit, the basis for this
determination must be clearly documented. All exceptions must be reviewed and approved by the
responsible Business Leader and Corporate Accounting.
Exemptions from the Standards as a whole will not be granted under any circumstances.
Part 2 – Internal Control Overview
The concept of “internal control” is not new. For centuries, business people have created systems
of checks and balances to identify risks, prevent or detect financial errors and fraud, improve
productivity and reduce costs, and comply with laws and regulations governing the conduct of
business operations. These checks and balances require management’s commitment and
resources to be effective.
However, internal controls are often overlooked in our modern business environment - time is
short, human resources are limited, and money may not be properly allocated to corporate
housekeeping activities. It’s no surprise that “internal control” (or lack thereof) receives much
attention and blame in the aftermath of corporate scandals. Lawmakers, regulators, and the
investing public inevitably conclude that, if companies simply maintain effective systems of internal
control, fraud and business failures could be prevented – or at least detected and remedied. In this
regard, the US Congress determined that an effective internal control system is more than just
prudent business practice; now it is the law.
The US Congress reacted during several notable corporate financial crises during the last 30 years
by raising and revisiting the broad concept of “internal control.” It is clear that the US Congress
strongly views internal control as an important element of restoring investor confidence and
preventing future wrongdoing. During the following financial crises, the US Congress imposed
increasingly tougher requirements on US corporations to create and maintain effective systems of
internal control:
Two of these laws (i.e., the FCPA and SOA) are applicable to AES as a publicly-traded company.
The following sections address in more detail the relevant portions of each of these laws.
201 Foreign Corrupt Practices Act of 1977
The Foreign Corrupt Practices Act of 1977 (“FCPA”) established the first broad legal requirement
for US publicly-traded corporations to keep accurate and detailed accounting records and to
“devise and maintain” a system of “internal accounting control.” More specifically, the FCPA
requires, in relevant part, that SEC registrants subject to the Securities and Exchange Act of 1934
must:
1. Make and keep books, records, and accounts, which in reasonable detail, accurately and
fairly reflect the transaction and disposition of the assets of the issuer (company)…
2. Devise and maintain a system of internal accounting controls sufficient to provide
reasonable assurances that:
a. Transactions are executed in accordance with management’s general or
specific authorization;
b. Transactions are recorded as necessary (i) to permit preparation of financial
statements in conformity with generally accepted accounting principles or any
other criteria applicable to such statements and (ii) to maintain accountability
for assets;
c. Access to assets is permitted only in accordance with management’s general
or specific authorization; and
d. The recorded accountability for assets is compared with the existing assets at
reasonable intervals and appropriate action is taken with respect to any
differences.
The Act further states that “no person shall, directly or indirectly, falsify or cause to be falsified, any
book, record or account [of the company].” Under this provision, an individual can be liable under
the Act even if he did not have a specific intent to deceive, defraud, or manipulate. Violations
under this provision would include (1) knowledge that you are falsifying, or (2) good reason to know
you are falsifying, or (3) making an entry in a book or record, which reasonable persons would in
the circumstances consider to be false. A willful failure to comply with the Act’s internal control and
record keeping requirements carries a stiff penalty including imprisonment for up to five years and
personal fines of up to $10,000.
The FCPA does not require, however, that companies report affirmatively in their SEC filings that a
system of internal accounting control exists, is adequate, or is operating effectively with respect to
the FCPA’s provisions. Shortly after the FCPA’s effective date, the SEC attempted to impose such
a reporting requirement, but ultimately withdrew its proposal in favor of voluntary industry initiatives
for public reporting on corporate internal accounting controls.
The high profile collapses of Enron and WorldCom, as well as countless other corporate scandals,
prompted lawmakers and the public to search for answers. Lawmakers concluded that one of the
answers to these significant business failures was a lack of adequate and effective internal control
systems. Reacting quickly, the US Congress passed the Sarbanes-Oxley Act of 2002 (the “Act”),
which has refocused US publicly-traded corporations on the importance of internal control.
Now, the passive-compliance requirements of the FCPA have been replaced by active-compliance
requirements that include quarterly and annual evaluation, reporting, and certification of internal
controls by senior management and a new internal control audit report to be issued by external
auditors. Like the FCPA, the Sarbanes-Oxley Act only applies to SEC registrants subject to the
Securities and Exchange Act of 1934.
Internal control requirements are addressed primarily in sections 302 and 404 of the Act. The
specific requirements of each of these sections are described in further detail below.
Section 302, as implemented by SEC Rule 33-8124, is applicable to each AES quarterly and
annual report filed with the SEC for periods ending on or after September 30, 2002. Section 302
requires:
[A]n issuer’s principal executive officer or officers and the principal financial officer or
officers, or persons performing similar functions, each to certify in each quarterly and
annual report, including transition reports, filed or submitted by the issuer under Section
13(a) or 15(d) of the Exchange Act that:
• Based on his or her knowledge, the report does not contain any untrue
statement of a material fact or omit to state a material fact necessary in order
to make the statements made, in light of the circumstances under which such
statements were made, not misleading with respect to the period covered by
the report;
• Based on his or her knowledge, the financial statements, and other financial
information included in the report, fairly present in all material respects the
financial condition, results of operations and cash flows of the issuer as of,
and for, the periods presented in the report;
o Have designed such disclosure controls and procedures to ensure
that material information is made known to them, particularly during
the period in which the periodic report is being prepared;
• He or she and the other certifying officers have disclosed to the issuer’s
auditors and to the audit committee of the board of directors (or persons
fulfilling the equivalent function):
• He or she and the other certifying officers have indicated in the report
whether or not there were significant changes in internal controls or in other
factors that could significantly affect internal controls subsequent to the date
of their evaluation, including any corrective actions with regard to significant
deficiencies and material weaknesses
Also, Section 302 requires that organizations disclose any change in their “internal control over
financial reporting” (discussed later in this section) that occurred during the fiscal quarter covered
by the report if that change has materially affected, or is reasonably likely to materially affect, the
company’s internal control over financial reporting.
For purposes of these new requirements, the newly-coined concept of “disclosure controls and
procedures” (as opposed to “internal controls over financial reporting”) is defined as:
Controls and other procedures of an issuer that are designed to ensure that information
required to be disclosed by the issuer in the reports filed or submitted by it under the
[Securities Exchange Act of 1934] is recorded, processed, summarized and reported,
within the time periods specified in the Commission’s rules and forms.
Disclosure controls and procedures include, without limitation, controls and procedures designed to
ensure that information required to be disclosed by an issuer in its Exchange Act reports is
accumulated and communicated to the issuer’s management, including its principal executive and
financial officers, as appropriate, to allow timely decisions regarding required disclosure.
Additional information regarding the similarities and differences between “disclosure controls and
procedures” and “internal control over financial reporting” is provided in sections 211 and 212 of
this Guide.
Section 404, as implemented by SEC Rule 33-8238, is applicable to annual reports filed with the
SEC ending on or after December 31, 2004. This section requires:
[A] company’s annual report to include an internal control report of management that
contains:
• A statement that the registered public accounting firm that audited the
financial statements included in the annual report has issued an attestation
report on management’s assessment of the registrant’s internal control over
financial reporting.
Similar to and consistent with the “internal accounting control” language previously enacted and
required by the FCPA, the term “internal control over financial reporting” as used here by the SEC
is defined as:
A process designed by, or under the supervision of, the registrant’s principal executive
and principal financial officers, or persons performing similar functions, and effected by
the registrant’s board of directors, management and other personnel, to provide
reasonable assurance regarding the reliability of financial reporting and the preparation
of financial statements for external purposes in accordance with generally accepted
accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and
fairly reflect the transactions and dispositions of the assets of the registrant;
In the context of the FCPA and the foregoing SEC rules that implement the Sarbanes-Oxley Act,
the following sections of this Guide define in more detail both “disclosure controls and procedures”
and “internal controls over financial reporting” within the broader framework of “internal control” that
AES has adopted and implemented.
Because there are a variety of different definitions of the term “internal control,” and because its
meaning has changed over time, it is important to establish a universal understanding of that term
as it relates to AES. Unfortunately, the SEC’s current definitions of the term “internal control over
financial reporting” and its new term “disclosure controls and procedures” are not sufficient to
establish the common understanding necessary to appreciate the broad scope of the internal
control framework adopted by AES.
As part of a private initiative to define “internal control” and devise a comprehensive method to
evaluate and report publicly on corporate internal control systems, the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) issued a report that provides a definition of
“internal control” and establishes criteria that can be used to evaluate an organization’s internal
control. The COSO report, published in 1992 [1], is now commonly known as the “COSO Internal
Control Framework.” This framework has become the generally accepted method for defining and
evaluating internal controls by all sectors of business and government and is recognized by the
SEC as an acceptable standard against which public companies can measure the effectiveness of
their internal control systems.
[1] “Internal Control – Integrated Framework” was initially published in 1992 and revised in 1994.
The COSO Internal Control Framework broadly defines “internal control” as:
The first category addresses an organization’s basic business operational objectives, including
performance and profitability goals and safeguarding of resources. The second category relates to
the preparation of reliable published financial statements, including interim and condensed financial
statements and selected financial data derived from such statements, such as earnings releases,
reported publicly. The third category addresses compliance with laws and regulations to which the
organization is subject. These three control categories are distinct but not exclusive as depicted by
the interrelated figure shown below:
[Figure: interrelated control categories: Operations, Compliance, and Financial Reporting (Preparation of Reliable Published Financial Statements)]
As a general rule, an internal control process, as defined above, is executed by policies and
procedures. Policies and procedures are established by management to prescribe, influence, or
monitor the conduct of processes, systems, activities, functions, projects, plans, initiatives, and
endeavors of all types at all levels of a company. Fundamentally, “internal controls” are policies
and procedures.
Management designs policies and procedures to mitigate control risks, which are negative
consequences that may result from not achieving management’s control objectives. Management
establishes control objectives to prescribe the desired condition or output resulting from a
particular process, system, activity, etc. The concepts of control objectives, control risks, and
policies and procedures are applicable to each of the control categories illustrated above.
The following sections relate COSO’s definition of “internal control” to the SEC’s “internal control”
and “disclosure control” definitions.
A process designed by, or under the supervision of, the registrant’s principal executive
and principal financial officers, or persons performing similar functions, and effected by
the registrant’s board of directors, management and other personnel, to provide
reasonable assurance regarding the reliability of financial reporting and the preparation
of financial statements for external purposes in accordance with generally accepted
accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and
fairly reflect the transactions and dispositions of the assets of the registrant;
The SEC explicitly recognizes that its definition of “internal control over financial reporting” is
consistent with COSO’s financial reporting control category. Additionally, the SEC confirmed that
internal control over financial reporting does not include controls that relate to COSO’s operational
and compliance control categories, with the exception of compliance with applicable laws and
regulations directly related to the preparation of financial statements (e.g., FCPA, SOA, SEC rules,
etc.).
Thus, using the previous graphic of COSO’s interrelated control categories, you can see that
“internal control over financial reporting” is embodied within the “financial reporting” sphere shown
below:
[Figure: interrelated control categories: Operations, Compliance, and Financial Reporting]
It is important to note that all financial reporting controls, even where the financial reporting control
category overlaps with the operational and compliance control categories, are considered “internal
controls over financial reporting.” Only the areas of the operational and compliance categories that
do not overlap with the financial reporting category are outside the scope of the SOA and, thus, this
Guide.
Several fundamental control objectives related to financial reporting are inherent in the definition of
internal control over financial reporting:
2. Safeguarding assets
3. Authorizing transactions
AES documented its internal controls over financial reporting for significant financial processes and
formalized those controls in the “Manual of Financial Policies” and the “Internal Control Standards.”
The “Internal Control Standards” (Part 3) set forth management’s control objectives, identify
significant control risks, and prescribe standardized “policies and procedures” applicable to each
significant financial process. Policy-related Standards correlate to the policies established in the
“Manual of Financial Policies”. Procedure-related Standards reflect the actions necessary to
implement management’s policies and are a required element of each critical financial process.
212 Disclosure Controls and Procedures
Controls and other procedures of an issuer that are designed to ensure that information
required to be disclosed by the issuer in the reports filed or submitted by it under the
Exchange Act is recorded, processed, summarized, and reported within the time periods
specified in the Commission’s rules and forms. Disclosure control and procedures
include, without limitation, controls and procedures designed to ensure that information
required to be disclosed by an issuer…is accumulated and communicated to the issuer’s
management, including its principal executive and financial officers, as appropriate to
allow timely decisions regarding required disclosure.
Disclosure controls and procedures are intended to complement internal controls over financial
reporting because they focus on the timely collection of both material financial and material non-
financial information potentially subject to SEC filing disclosure requirements. In contrast to
“internal controls over financial reporting,” which correlate directly to the financial reporting control
category, “disclosure controls and procedures” overlay each control category as shown in the
graphic below:
[Figure: Disclosure Controls and Procedures overlaying the Operations, Compliance, and Financial Reporting control categories]
To avoid confusion between the meanings of these terms, the SEC provided the following
explanation:
We make this distinction [between disclosure controls and procedures and internal
controls over financial reporting] based on our review of Section 302 of the Act as well as
to effectuate what we believe to be Congress’ intent – to have senior officers certify that
required material non-financial information, as well as financial information, is included in
an issuer’s quarterly and annual reports. Under this interpretation, we maintain the pre-
existing concept in internal controls over financial reporting without expanding it by
relating it to non-financial information.
The concepts of financial information, non-financial information, and materiality are central to
the definition of disclosure controls and procedures and are discussed briefly below.
Financial Information
Some common examples of financial information include, but are not limited to, the following:
• New accounting pronouncements and critical accounting policies, including their financial
statement impact;
• Planned financial transactions such as asset sales, mergers and acquisitions, etc.; and
• Quantitative disclosures about market risk including interest rate risk, foreign currency
exchange rate risk, and commodity price risk.
Non-financial Information
Some common examples of non-financial information include, but are not limited to, the following:
• Qualitative disclosures about market risk – what are they? How are they managed?
Materiality
For purposes of evaluating potential financial and non-financial disclosures, conclusions regarding
materiality are a matter of professional judgment based on an analysis of available facts and
circumstances regarding any particular matter. Materiality conclusions must be consistent with the
following views of the Financial Accounting Standards Board (FASB) and the US Supreme Court:
With respect to materiality judgments, the FASB concluded that –
In a similar manner, the US Supreme Court held that a fact is material if there is –
a substantial likelihood that the…fact would have been viewed by the reasonable
investor as having significantly altered the “total mix” of information made available.
When in doubt regarding the potential materiality of financial or non-financial information, AES
personnel are required to defer judgment to AES’s Disclosure Committee.
A detailed discussion of AES’s disclosure controls and procedures is outside the scope of this
Guide. Additional information regarding disclosure controls and procedures can be obtained from
Corporate Accounting.
In an “effective” internal control system, the following five internal control components form a
framework that supports the achievement of an organization’s mission, strategies, and related
operational, financial reporting, and compliance objectives.
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
The following graphic depicts how these five components interrelate with COSO’s control objective
categories and various functions, processes, and activities of an organization:
Each component row cuts across and applies to all three objective categories. Management is
responsible for ensuring that each of these components exists and is effective within the
organization. Although all five components must be satisfied, this does not mean that each
component should function identically, or even at the same level. Some trade-offs may exist
between components. Because controls can serve a variety of purposes, controls in one
component can serve the purpose of controls that might normally be present in another
component. Additionally, controls can differ in the degree to which they address a particular risk,
so that complementary controls, each with a limited effect, together can be effective.
Each of these components is addressed in more detail in the following sections, which have been
summarized from COSO’s Internal Control – Integrated Framework.
The control environment is influenced by an organization’s history and culture and sets the tone of
the organization, influencing the control consciousness of its personnel. It is the foundation for all
other components of internal control, providing discipline and structure. The control environment
has a pervasive influence on the way business activities are structured, objectives established, and
risks assessed. It also influences control activities, information and communication systems, and
monitoring activities. Effectively controlled companies strive to have competent people, instill a
company-wide attitude of integrity and control consciousness, and set a positive “tone at the top.”
Established policies and procedures, including a written code of conduct, foster shared values and
teamwork in pursuit of the organization’s objectives. The control environment includes the
following factors:
An organization’s objectives and the way they are achieved are based on preferences, value
judgments, and management styles. Those preferences and value judgments that translate into
standards of behavior reflect management’s integrity and its commitment to ethical values. An
organization’s good reputation is valuable; the standard of behavior must go beyond mere
compliance with laws and regulations. The effectiveness of a system of internal control cannot rise
above the integrity and ethical values of the personnel who create, administer, and monitor it.
Integrity and ethical values are essential elements of the control environment, affecting the design,
administration, and monitoring of other internal control components. Establishing ethical values
often is difficult because of the need to consider the concerns of several parties. Management’s
values must balance the concerns of the enterprise, its people, suppliers, customers, competitors,
and the public.
Commitment to Competence
Management specifies the competence levels for particular jobs and translates those levels into
requisite knowledge and skills. The necessary knowledge and skills may, in turn, depend on an
individual’s training and experience. Among the many factors considered in developing knowledge
and skill levels are the nature and degree of judgment to be applied to a specific job. There often
can be a trade-off between the extent of supervision and the requisite competence level of the
individual.
An organization’s Board of Directors and Audit Committee significantly influence the control
environment and “tone at the top.” Factors include the Board or Audit Committee’s independence
from management, experience and stature of its members, extent of its involvement with and
scrutiny of activities, the appropriateness of its actions, and degree to which difficult questions are
raised and pursued with management regarding plans or performance. Interaction of the Board or
Audit Committee with internal and external auditors is also an important factor affecting the control
environment.
Management’s philosophy and operating style affect the way an organization is managed, including
the kinds of business risk accepted. A company that has been successful taking significant risks
may have a different outlook on internal control than one that has faced harsh economic or
regulatory consequences as a result of venturing into dangerous territory. An informally managed
company may control operations largely by face-to-face contact with key managers. A more
formally managed one may rely more on written policies, performance indicators, and exception
reports. Other elements of management’s philosophy and operating style include attitudes toward
financial reporting, conservative or aggressive selection from available alternative accounting
principles, conscientiousness and conservatism with which accounting estimates are developed,
and attitudes toward data processing and accounting functions and personnel.
Organizational Structure
A company’s organizational structure provides the framework within which its activities for
achieving company-wide objectives are planned, executed, controlled, and monitored. Significant
aspects of establishing a relevant organizational structure include defining key areas of authority
and responsibility and establishing appropriate lines of reporting. The appropriateness of a
company’s organizational structure depends, in part, on its size, the nature of its activities and the
type of structure that best suits its needs.
This includes the assignment of authority and responsibility for operating activities as well as
establishing reporting relationships and authorization protocols. It involves the degree to which
individuals and teams are encouraged to use initiative in addressing issues and resolving problems
as well as limits of their authority. It also focuses on the policies specifying appropriate business
practices, knowledge and experience of key personnel, and resources provided for carrying out
duties. Another aspect is ensuring that all personnel understand the organization’s objectives. It is
essential that each individual knows how his or her actions interrelate and contribute to the
achievement of objectives. The control environment is greatly influenced by the extent to which
individuals, including the Chairman and CEO, recognize that they will be held accountable. He or
she has ultimate responsibility for all activities within the organization, including the internal control
system.
Human resource practices send messages to employees regarding expected levels of integrity,
ethical behavior, and competence. Such practices relate to hiring, orientation, training, evaluating,
counseling, promoting, compensating, and remedial actions.
All companies, regardless of size, structure, nature, or industry, encounter risks at all levels within
their organization. Risks affect a company’s ability to survive; successfully compete within its
industry; maintain financial strength and positive public image; and maintain the overall quality of
its products, services, and people. There is no practical way to reduce risk to zero. The decision
to be in business creates risk. Management must determine how much risk is to be prudently
accepted and strive to maintain risk within these levels.
Objective setting is a precondition to risk assessment. There must first be objectives before
management can identify risks to their achievement and take necessary actions to manage the
risks. Objective setting, then, is a key part of the management process. While not an internal
control component, it is a prerequisite to and an enabler of internal control. The risk assessment
framework component includes the following factors:
Company-wide Objectives
Objective setting can be a highly structured or an informal process. Objectives may be explicitly
stated, or be implicit, such as to continue a past level of performance. At the company-wide level,
objectives are represented by the organization’s mission and value statements. Assessments of
an organization’s strengths and weaknesses, and opportunities and threats, lead to an overall
strategy. Generally, the strategic plan is broadly stated, dealing with high level resource
allocations and priorities. More specific objectives flow from the organization’s broad strategy.
Company-wide objectives are linked and integrated with more specific objectives established for
various activities. By setting objectives at both the company and activity level, the organization can
identify critical success factors. These are the key objectives that must be achieved if goals are to
be attained. Objective setting enables management to identify measurement criteria for
performance, with focus on critical success factors.
Process-Level Objectives
Despite the diversity of objectives, certain broad categories of objectives can be established:
• Operations Objectives – These pertain to the effectiveness and efficiency of the company’s
operations, including performance and profitability goals and safeguarding resources
against loss. They vary based on management’s choices about structure and
performance.
Risk Identification
The process of identifying and analyzing risk is an on-going process and is a critical component of
an effective internal control system. Management must focus carefully on risks at all levels of the
organization and take necessary actions to manage those risks. An organization’s performance
can be at risk due to internal or external factors. These factors, in turn, can affect either stated or
implied objectives. Risk increases as objectives increasingly differ from past performance. In a
number of areas of performance, an organization often does not set explicit company-wide
objectives because it considers performance to be acceptable. Regardless of whether an objective
is stated or implied, an organization’s risk-assessment process should consider risks that may
occur. It is important that risk identification is comprehensive. Note that there is a distinction
between risk assessment, which is part of internal control, and the resulting plans, programs or
other actions deemed necessary by management to address the risks.
Managing Change
Control activities are policies and procedures used to ensure management’s control objectives are
met. They help ensure that necessary actions are taken to address risks to the achievement of the
organization’s objectives. Control objectives occur throughout the organization, at all levels, and in
all functions. They include a range of activities as diverse as approvals, authorizations,
verifications, reviews of operating performance, security of assets, and segregation of duties.
Control activities can be divided into three categories based on the nature of the organization’s
objectives to which they relate (i.e., operations, financial reporting, or compliance). Depending on
circumstances, controls could help to satisfy company objectives in one or more of the three
control categories.
Control activities usually involve two elements: 1) a policy establishing what should be done and 2)
procedures to effect the policy. A procedure will not be useful if performed mechanically without a
continuing focus on conditions to which the policy is directed.
Control activities are a significant part of the process by which an organization strives to achieve its
business objectives. Control activities serve as mechanisms for managing and mitigating risk,
thereby enabling the achievement of objectives. Control is built directly into processes and always
relates back to the risk it was designed to mitigate. Control activities that are added on in reaction
to insignificant or non-existent risks can result in burdensome layers of redundant controls that can
increase cost and impede efficiency.
Pertinent information must be identified, captured, and communicated in a form and time frame that
enables people to carry out their responsibilities. Information gathering mechanisms produce
reports containing operational, financial reporting, and compliance related information that makes it
possible to run and control the business. They deal not only with internally generated data, but
also with information about external events, activities, and conditions necessary for informed
business decision-making and external reporting. Effective communication also must occur in a
broader sense, flowing down, across, and up the organization. All personnel must receive a clear
message from top management that control responsibilities must be taken seriously. They must
understand their own role in the internal control system, as well as how individual activities relate to
the work of others. They must have a means of communicating significant information upstream.
There also needs to be effective communication with external parties such as customers, suppliers,
regulators, and shareholders. The information and communication component of control includes
the following elements:
Quality of Information
Information is needed at all levels of the organization to run the business and move towards
achievement of the organization’s objectives in all categories — operations, financial reporting, and
compliance. Information is identified, captured, processed, and reported by information systems.
Information gathering mechanisms may be computerized, manual, or a combination. They may be
formal or informal. Keeping information consistent with needs becomes particularly important
when a company operates in the face of fundamental industry changes, highly innovative and
quick-moving competitors, or significant customer demand shifts. To be effective, information
gathering mechanisms must not only identify and capture needed financial and non-financial
information; they must also process and report it in a time frame and manner that is useful in
controlling the company’s activities.
Effectiveness of Communication
225 Monitoring
Internal control systems need to be monitored — a process that assesses the quality of the
system’s performance over time. This is accomplished through on-going monitoring activities,
separate evaluations, or a combination of the two. On-going monitoring occurs in the course of
normal operations. It includes regular management and supervisory activities and other actions
personnel take in performing their duties. The scope and frequency of separate evaluations (i.e.,
audits) will depend primarily on assessment of risks and the effectiveness of on-going monitoring
procedures. Internal control deficiencies should be reported upstream, with serious matters
reported to senior management and the Board.
Monitoring Ongoing Activities
On-going monitoring procedures are built into an organization’s normal recurring operating
activities. They are performed on a real-time basis reacting dynamically to changing conditions.
Since separate evaluations take place after-the-fact, problems will often be identified more quickly
by the on-going monitoring routines.
Separate Evaluations
The frequency of separate evaluations necessary for management to have reasonable assurance
about the effectiveness of the internal control system is a matter of management’s judgment. In
making that determination, consideration is given to the following: the nature and degree of
changes occurring and their associated risk, the competence and experience of the people
implementing the controls, and the results of on-going monitoring.
Deficiencies in an organization’s internal control system could arise from many sources, including
the company’s on-going monitoring procedures, separate evaluations of the internal control
system, and external parties. The term “deficiency” is defined broadly as a condition within an
internal control system worthy of attention. A deficiency, therefore, may represent a perceived,
potential, or real shortcoming, or an opportunity to strengthen the control system to provide a
greater likelihood that the organization’s objectives will be achieved. (See also section 237.)
The Sarbanes-Oxley Act requires management to assess the effectiveness of both its internal
control over financial reporting and disclosure controls and procedures as of the end of the most
recent fiscal year and quarter, respectively. In its financial reports filed with the SEC, management
must include a statement as to whether or not internal control over financial reporting (annually)
and disclosure controls and procedures (quarterly) are effective. Management’s statement must
include disclosure of any “material weaknesses” in the organization’s internal controls over
financial reporting and disclosure controls and procedures that have been identified by
management. Importantly, management is precluded from determining that controls are effective if
it identifies one or more material weaknesses.
Management’s assessments must be based on procedures sufficient both to evaluate design and
to test operating effectiveness. The nature of testing activities will largely depend on several facts
and circumstances including the significance of the control. However, inquiry alone generally is not
an adequate basis for management’s assessment.
Controls subject to such assessment include, but are not limited to:
• controls over initiating, recording, processing, and reconciling account balances, classes of
transactions, and disclosure and related assertions included in the financial statements;
• controls related to the initiation and processing of non-routine and non-systematic
transactions;
• controls related to the selection and the application of appropriate accounting policies; and
• controls related to the prevention, identification, and detection of fraud.
• for the evaluation of whether the control is designed to prevent or detect material
misstatements or omissions;
• for the conclusion that tests were appropriately planned and performed; and
• that the results of the tests were appropriately considered.
The remaining sections of this Guide, which have been summarized from the AICPA’s June 2003
proposed Attestation Standards, provide additional detail regarding management’s assessment of
control effectiveness and the identification of control deficiencies, including material weaknesses.
231 Overview
Effective internal control over financial reporting provides reasonable assurance that material
misstatements in the financial statements will be prevented or detected on a timely basis by
employees in the normal course of performing their assigned functions. Internal control generally
includes preventive controls (those designed to prevent a misstatement from occurring) and
detective controls (those designed to detect a misstatement that has occurred) to reduce the risk of
misstatement. Often, companies will place more emphasis on preventive than on detective
controls. Generally, it is more efficient to prevent misstatements than to detect and correct them.
However, no control activity can be expected to be totally effective and a well-run system of
internal control should have an appropriate mix of preventive and detective controls.
The effectiveness of internal control includes both design and operating effectiveness. Design
effectiveness relates to whether controls are suitably designed to prevent or detect material
misstatements. Operating effectiveness is concerned with how the control is applied, the
consistency with which it is applied, and by whom it is applied.
Internal control, no matter how well designed and operated, can provide only reasonable
assurance to management and the Board of Directors regarding achievement of the organization’s
control objectives. The likelihood of achievement is affected by limitations inherent to internal
control. These limitations include the realities that human judgment in decision-making can be
faulty, and that breakdowns in internal control can occur because of human failures such as simple
errors or mistakes. Additionally, controls can be circumvented by the collusion of two or more
people or management override of internal control.
Custom, culture, and the corporate governance system may inhibit fraud by management, but they
are not absolute deterrents. An effective control environment, too, may help mitigate the
probability of such fraud. For example, an effective Board of Directors, Audit Committee, and an
internal audit function may constrain improper conduct by management. Alternatively, an
ineffective control environment may negate the effectiveness of the other components. For
example, when the nature of management compensation creates an incentive for management to
intentionally misstate the financial statements, the effectiveness of control activities may be
reduced. The effectiveness of an internal control system might also be adversely affected by
factors such as a change in ownership or control, changes in management or other personnel, or
developments in the market or industry.
The process by which management supports its evaluation of the effectiveness of internal control
must include the following elements:
• Determining which controls are significant for the purpose of evaluating the effectiveness
of internal control. (See section 233)
• Determining which locations or business units should be included in the evaluation for an
organization with multiple locations or business units. (See section 234)
• Documenting the design of significant controls. The documentation should include each of
the components of internal control; how significant transactions are initiated, recorded,
processed, and reported; the controls that are designed to prevent or detect errors or fraud
in significant account balances, classes of transactions, and disclosures, including who
performs the controls and the related segregation of duties; the financial statement closing
process; and safeguarding controls.
Documentation of the design of significant controls provides evidence that controls related to
management’s assertion about the effectiveness of internal control, including changes to those
controls, have been identified, are capable of being communicated to those responsible for their
performance, and are capable of being monitored by the organization. Documentation of manual
controls facilitates training of personnel and the continued functioning of controls when personnel
change. Inadequate documentation of the design of significant controls may result in a significant
deficiency or a material weakness because documentation provides the foundation for appropriate
communication concerning responsibilities for performing controls and for management’s
evaluation and monitoring of the effective operation of controls.
The absence of observed financial statement errors or misstatements does not, in and of itself,
indicate an effective system of internal control and is not a sufficient basis for management’s
assertion about the effectiveness of internal control.
• The likelihood that failure of the control could result in a misstatement, and
• The degree to which other controls, if effective, achieve the same control objectives.
• Controls over initiating, recording, processing, and reporting significant account balances,
classes of transactions, and disclosures and related assertions embodied in the financial
statements;
• Controls over the selection and application of accounting policies that are in conformity
with US generally accepted accounting principles;
• Controls, including information technology (IT) general controls, on which other significant
controls are dependent;
• Each significant control in a group of controls that functions together to achieve a control
objective;
• Controls over the period-end financial reporting process, including controls over
procedures used to enter transaction totals into the general ledger; to initiate, record, and
process journal entries in the general ledger; and to record recurring and nonrecurring
adjustments to the financial statements (for example, consolidating adjustments, report
combinations, and reclassifications).
Also important are company-wide controls that management has established to monitor operations
and to oversee the control environment and risk assessment process at business units. Such
controls include a combination of the following:
• Monitoring of controls, including activities of the internal audit function and self-assessment
programs.
The period of time over which management performs tests of controls is a matter of judgment;
however, it varies with the nature of the controls being tested and with the frequency with which
specific controls operate and specific policies are applied. Some controls operate continuously
(e.g., controls over revenues), while others operate only at certain times (e.g., controls over the
preparation of financial statements and controls over physical inventory counts). Management
performs tests of controls over a period of time that is adequate to determine whether, as of the
date specified in the assertion, the controls necessary for achieving control objectives are
operating effectively.
234 Locations
All significant locations and all significant controls must be evaluated in connection with
management’s assertion about the effectiveness of internal control. Determining the locations or
business units at which management will perform audit procedures requires an evaluation of
factors such as the relative financial significance of the location or business unit and the risk of
material misstatement arising from the location or business unit. In making this determination,
management, at a minimum, identifies the locations or business units that are individually important
or that contain specific risks that by themselves could create a material misstatement. With
respect to other locations or business units, management determines which locations or business
units, when aggregated, could result in the group representing a level of financial significance that,
in the aggregate, could create a material misstatement in the financial statements. The remaining
locations and business units should not be able, individually or in the aggregate, to create a
material misstatement in the financial statements.
Individually important locations or business units often represent a relatively small number of
locations or business units that encompass a large portion of the organization’s operations and
financial position. The relative financial significance of the location or business unit and the risk of
material misstatement arising from the location or business unit are both factors that management
considers when identifying locations or business units that are considered individually important.
As a result of the importance of these locations, management must perform tests of all significant
controls at each of these locations or business units.
Although a location or business unit may not be individually important from a financial standpoint, it
may present specific risks that by themselves could create a material misstatement of the
consolidated financial statements. For example, a business unit could be responsible for foreign
exchange trading and, thus, expose the company to a risk of material misstatement even though
the relative financial significance is not great. Although management may not test all controls at
these locations or business units, it will test the controls over the specific risks that could create a
material misstatement in the consolidated financial statements.
Individual locations or business units that are individually not important may, when aggregated with
other locations or business units, result in a group representing a level of financial significance that
in the aggregate could create a material misstatement of the financial statements. In considering
which locations or business units to visit and what controls to test regarding this group,
management will consider the following factors:
• The similarity of business operations and internal controls at the various locations or
business units;
• The effectiveness of the control environment, particularly management's direct control over
the exercise of authority delegated to others and its ability to effectively supervise activities
at the various locations or business units. An ineffective control environment over the
locations or business units may constitute a material weakness;
• The nature and amount of transactions executed and related assets at the various
locations or business units and to what degree the location or business unit could create
an obligation on the part of the company; and
• The risk assessment process and analysis for excluding a location or business unit from its
process of assessing internal control.
Management will not test controls with respect to locations or business units that are not
individually important and, when aggregated, could not result in a material misstatement to the
financial statements. However, management may choose to address the internal controls of such
entities for business purposes.
Situations may arise where the company acquires a business at or near the date of management’s
assertion. If the assertion relates to the effectiveness of the company’s internal control as of a
point in time subsequent to the date of acquisition, the internal control of the acquired business will
be evaluated consistent with this Guide. This evaluation could encompass an evaluation of internal
control either during the due diligence process or subsequent to the acquisition.
Management’s evaluation of internal control does not extend to the internal control of businesses in
which AES has an investment that is accounted for by the equity method of accounting; therefore,
management need not consider the internal control of such entities for purposes of its assessment.
Procedures to evaluate the effectiveness of the design of a specific control are concerned with
whether that control is suitably designed to meet one or more of the following fundamental control
objectives with respect to internal controls over financial reporting:
2. Safeguarding assets
3. Authorizing transactions
These control objectives, and the specific control activities designed to address them, were
established to prevent or detect material misstatements in management’s financial statement
assertions:
To the extent control activities are insufficiently designed to fully address one or more of the above
control objectives, management may conclude that certain control activities could fail to prevent or
detect a material misstatement in one or more financial statement assertions. Such a
circumstance may reflect a material weakness in internal control.
Procedures for evaluating design effectiveness will vary depending upon the nature of the specific
control, the nature of documentation of the specific control, and the complexity and sophistication
of operations and systems.
Management will test the operation of controls related to each of the five internal control
components. Tests of the operating effectiveness of a control are concerned with how the control
was applied, the consistency with which it was applied, and by whom it was applied. Critical to this
testing is adequate documentary evidence to demonstrate that controls were executed as
designed. Such evidence is necessary to support both management’s and the external auditor’s
testing of internal control operating effectiveness.
The tests ordinarily include procedures such as inquiries of appropriate personnel, inspection of
relevant documentation, observation of the company’s operations, and reapplication or
reperformance of the operation of the control using selected transactions. The organization’s risk
assessment and monitoring processes may affect the selection of the procedures to be performed,
controls to be tested, the timing of the procedures, and the locations to be included in the
assessment.
Management must ordinarily perform procedures in addition to the use of inquiry to obtain sufficient
evidence. Examples of such procedures include testing of the controls by internal audit, testing of
controls by others under the direction of management, the use of service organization reports, or a
self-assessment/self-test process that includes procedures to assess whether controls are
operating effectively. Inquiry alone does not provide sufficient evidence to support the operating
effectiveness of controls. For example, if the organization implemented a control activity whereby
its sales manager reviews and investigates a report of invoices with unusually high or low gross
margins, mere inquiry of the sales manager as to whether he or she investigates discrepancies is
inadequate. During the inquiry process, the practitioner should corroborate the responses received
by performing other procedures, such as inspecting reports or other documentation used in or
generated by the performance of the control.
The nature of controls influences the nature of the tests of controls that management can perform.
For example, management may examine documents regarding controls for which documentary
evidence exists. However, documentary evidence regarding the control environment (such as
management's philosophy and operating style) may not exist. In circumstances where
documentary evidence of controls or the performance of controls does not exist and is not
expected to exist, management's tests of controls will consist of inquiries of appropriate personnel
and observation of activities. Inspecting selected correspondence, such as legal claims and
company replies to personnel inquiries, and observing actions taken in response to asserted issues
may provide additional assurance concerning the control environment.
In performing tests of preventive and detective controls, management may conclude that a
deficient preventive control is compensated for by an effective detective control and, therefore, not
a significant deficiency or material weakness. For example, a monthly reconciliation control
procedure (a detective control) would detect an out-of-balance situation resulting from an
unauthorized transaction being initiated due to an ineffective authorization procedure (a preventive
control). In making a determination that the detective control is effective, management must
ensure that the detective control is sufficient to achieve the control objective to which the
preventive control relates. However, in this case, management’s reliance on high-level analytical
procedures alone would not be sufficiently precise to achieve the control objective.
An internal control deficiency may consist of either a design or operating deficiency. A design
deficiency exists when either a necessary control is missing or an existing control is not properly
designed so that even when the control is operating as designed the control objective is not always
met. An operating deficiency exists when a properly designed control is not operating as designed,
is not consistently applied, or the person performing a control does not possess the necessary
authority or qualifications to perform the control effectively. Internal control deficiencies relevant to
internal control over financial reporting could adversely affect the organization’s ability to initiate,
record, process, and report financial data consistent with the assertions of management in the
financial statements. Internal control deficiencies relevant to financial reporting range from
inconsequential internal control deficiencies to material weaknesses in internal control.
In making the judgment as to which internal control deficiencies are significant deficiencies,
management must consider various factors such as the organization’s size, complexity and
diversity of activities, and structure. A significant degree of professional judgment is required in
evaluating whether an internal control deficiency is a significant deficiency. Factors management
may consider include:
• The likelihood that the internal control deficiency could result in a misstatement;
• The magnitude of potential misstatements resulting from the internal control deficiency;
• The importance of the control that is deficient, including the degree to which other effective
controls achieve the same control objective;
• The nature of the account balances or classes of transactions affected by the internal
control deficiency and the financial statement assertions involved; and
The ineffective design of a significant control generally is a significant deficiency (and potentially a
material weakness) absent other effective controls that achieve the same control objective.
Part 3 - Internal Control Standards
300 Introduction
The Internal Control Standards are management’s formal control activities applicable to all
significant AES financial processes. The Standards have been divided into a “business cycle”
format for ease of implementation, reference, and evaluation. A “business cycle” has been defined
as a series of sequential or stand-alone sub-cycles that represent a process from the initiation to
the completion of a specific transaction. For example, the Procurement Cycle includes purchasing,
receiving/acceptance, invoice processing/accounts payable, and cash disbursement sub-cycles.
The control activities within each business cycle have been written in a manner to satisfy the basic
control objectives of any system of internal control and to meet the requirements of the Sarbanes-
Oxley Act. These control objectives are:
2. Safeguarding assets
3. Authorizing transactions
Specific control objectives, consistent with the objectives above, are organized by and applicable to
each sub-cycle within a business cycle. Each control objective has control risks and relevant
control activities to address those risks. The Internal Control Standards include both policies and
procedures. Policy-related Standards have been addressed in additional detail in AES’s “Manual
of Financial Policies,” which became effective on July 1, 2003.
Procedure-related Standards are basic, written broadly, and, therefore, should be interpreted
broadly. Management neither attempted to describe nor intended to prescribe a specific, one-size-
fits-all application of each procedure. How these Standards are built into the many diverse
business processes throughout AES is a matter of each Business Leader’s professional judgment.
These Standards do not “stand-alone.” Rather, they complement other elements of AES’s internal
control framework, which includes, among other things, standard operating procedures, financial
policies, personnel policies, and the Code of Business Conduct and Ethics.
301 GENERAL CONTROL REQUIREMENTS
The following general control requirements, which apply to all financial cycles, will be adopted by
all business units.
301.1 All employees must comply with the AES Code of Business Conduct and Ethics. Senior
level employees will periodically be required to confirm compliance with the Code.
301.2 Policy and procedure manuals must be adhered to by all AES business units. Policies
and procedures established within business units must, at a minimum, meet, and not be
in conflict with, the control requirements specified by this Guide and the AES Manual of
Financial Policies. Policies and procedures must be periodically reviewed and updated.
301.3 Adequate segregation of duties and control responsibilities must be established and
maintained in all functional areas. In general, custodial, processing/operating, and
accounting responsibilities should be separated to promote independent review and
evaluation of Company operations. For example, individuals assigned the responsibility
for receiving and depositing cash receipts (custodians) should not be responsible for
posting to the accounts receivable sub-ledger (accounting) or preparing customer billings
(processing/operations). Where adequate segregation cannot be achieved, other
compensating controls must be established and documented.
301.4 No person shall, directly or indirectly, falsify or cause to be falsified any books, records, or
accounts of the Company.
301.5 All business units must develop a system of internal controls to ensure that the assets
and records of the Company are adequately protected from loss, destruction, theft,
alteration, or unauthorized access.
301.6 All business units will develop procedures for documenting and reporting to operating
management any occurrences of fraud, embezzlement, or unlawful or unethical practices.
Reports of all significant occurrences must be forwarded to the Corporate Legal Group.
302 TREASURY CYCLE
The Treasury Cycle includes the functions associated with: determining AES’s cash and
investment management, evaluating and selecting appropriate forms of financing, monitoring
compliance with financing covenants, payment of dividends, and accounting for treasury
transactions. The following standards regarding the documentation, authorization and accounting
for such treasury functions will be followed.
302.A - CASH
Control Objective #1 – Cash and cash equivalents (i.e., financial instruments of high
liquidity and safety) must be managed effectively and efficiently
Control Risks:
• Poor cash management may impair the Company’s ability to timely acquire
resources or honor its current obligations, resulting in potential lawsuits,
liens, business interruptions, bankruptcy, etc.
• Poor cash management may impair the Company’s ability to continue as a
going concern
• Short-term borrowings (i.e., working capital) may be obtained at high costs
or on terms that are unacceptable to management (e.g., restrictive covenants,
difficult repayment terms, etc.)
• Failure to invest excess cash may result in either physical or purchasing
power losses
• Excessive and unnecessary bank accounts may increase costs (e.g.,
maintenance fees, transfer fees) and decrease control (e.g., untimely
reconciliations, undetected unauthorized access, etc.)
• Present value (purchasing power) may not be protected in periods of
inflation
Control Activities:
1. Management has established cash management objectives (e.g., minimum
balances, account requirements, liquidity requirements, etc.),
responsibility, and authority
2. Cash and revolver (credit line) positions are monitored daily
Control Objective #2 – Cash and cash equivalents must be safeguarded from theft or loss
Control Risks:
• Financial statements may be misstated
• Cash may be misappropriated (i.e., diverted or disbursed for unauthorized
purposes)
• Ability to forecast cash accurately may be impaired
Control Activities:
1. Management has established criteria regarding authorization of cash
transactions and access to cash (e.g., account transfers, wire transfers,
certified checks, account maintenance, etc.)
2. Management has established guidelines regarding petty cash balances,
custody, disbursements, and replenishments
3. Initiation of wire, bank, or account transfers is segregated
from the approval of transfers
4. Cash disbursements are not made payable to cash, bearer,
or left blank
5. Cash is physically safeguarded by financial institutions or
other designated, authorized custodians
6. Each bank account is reflected in the Company’s general
ledger
7. Banks are notified of personnel authorized to access cash,
open and maintain accounts, transfer funds, access balance or
transaction information, etc.
8. Access to cash (i.e., bank accounts, bank transactions, petty
cash) is restricted to authorized personnel
9. Access codes (i.e., user names, passwords) for on-line bank
access are safeguarded from unauthorized use or access
10. Bank transactions (e.g., account transfers, wire transfers,
certified checks, account maintenance) are documented,
reviewed, and approved consistent with management’s
guidelines
11. Trade disbursements (e.g., payroll, payables) are issued
from zero-balance or imprest bank accounts
12. Only authorized disbursement amounts are transferred to
disbursement bank account
13. Petty cash disbursements and replenishments are
documented, reviewed, and authorized consistent with
management’s policy
Control Objective #3 – General ledger cash accounts must be current, accurate, and
complete
Control Risks:
• Financial statements may be misstated
• Public disclosures regarding liquidity may be incorrect
• Documentation may not be available to facilitate bank reconciliations
• Cash may not be managed efficiently or effectively
Control Activities:
1. Management has established guidelines regarding the frequency and
timeliness of bank account reconciliations
2. Management has established guidelines regarding the frequency,
timeliness, and methods of cash equivalent valuations consistent with
generally accepted accounting principles
3. Cash account reconciliation duties are segregated from cash
access (i.e., deposits, disbursements, transfers) and bank
account maintenance duties
4. Bank and other custodial account balances are reconciled to
general ledger cash account balances (or to respective sub-
ledgers, which are also reconciled to the general ledger)
regularly. Reconciling items are promptly investigated and
resolved
5. Reconciling items are documented and reviewed
Control Objective #2 – Investments and related income, gains, and losses must be
accurately and promptly recorded
Control Risks:
• Financial statements may be misstated
• Funds may be diverted for unauthorized use
Control Activities:
1. Management has established guidelines to receive, record, and value
investments consistent with generally accepted accounting policies
2. Investment transactions (e.g., sales, purchases) are promptly
recorded and verified against source documents. Errors are
promptly corrected
3. Income (i.e., interest, dividends, etc.) and/or gains are
documented and promptly recorded to authorized accounts
4. Accruals are recorded for income (e.g., interest, dividends)
earned but not yet received
5. Accruals by investment are periodically reviewed and
recalculated (to ensure accuracy and completeness)
6. Write-offs or adjustments to investment accounts are
evaluated, documented, and approved consistent with
management’s policy
302.C - FINANCING AND DEBT COMPLIANCE
Control Objective #1 – Financing arrangements must be documented and authorized
Control Risks:
• Financing costs, terms, and conditions may be unreasonable
• Restrictions and covenants (e.g., legal, loan, etc.) may be violated
resulting in default
• Financing needs may not be satisfied resulting in inadequate capital for
business operations
• Inability to satisfy financing terms may result in bankruptcy
Control Activities:
1. Management has established criteria regarding documentation, review,
and authorization of financing arrangements
2. Financing necessity is documented (e.g., need for and use of proceeds)
3. Financing arrangements are reviewed and approved by
authorized personnel consistent with management’s policy
4. Financing arrangement documents are accumulated and
monitored on a regular basis
5. Financing arrangements are evaluated against current
covenants or other restrictions
Control Objective #3 – The Company must comply with applicable financing restrictions,
covenants, and reporting requirements
Control Risks:
• Noncompliance may result in fines, penalties, or other liabilities
• Noncompliance that constitutes a covenant breach may result in default
and bankruptcy
• Noncompliance may damage banking/capital markets relationships and limit
future access to capital markets
• Noncompliance may result in lack of full disclosure
Control Activities:
1. Management has established guidelines and responsibility to accumulate
and monitor compliance with financing covenants
2. Management has established policies for payment of dividends consistent
with legal, financial, governmental, regulatory, or other restrictions and
requirements
3. Financing covenants are regularly monitored consistent with
terms prescribed by financing agreements and/or
management’s policy
4. Compliance assessments are documented, reviewed, and
approved
5. Financing transactions are evaluated in light of existing
agreements to avoid covenant or restriction violations. Results
of reviews are documented and retained
6. Areas of potential noncompliance are timely summarized and
communicated to appropriate personnel
7. Dividend payments are made in accordance with
management’s established policies
8. Independent review and recalculation is performed of
financial covenants (on a regular basis)
302.D - CURRENCY RISK MANAGEMENT
Control Objective #2 – Hedge transactions must be accurately, completely, and timely
recorded
Control Risks:
• Financial statements may be misstated
Control Activities:
1. Management has established hedge accounting guidelines
consistent with generally accepted accounting principles
2. Hedge transactions (purchases, sales, income, gains and
losses, etc.) are timely recorded in the accounting records
3. Recorded transactions are supported by source documents
4. Accruals are recorded for income earned (or expenses
incurred) but not yet received (or paid)
5. Payments or receipts from exercised instruments are
documented, authorized, and timely recorded
6. Hedge transactions are summarized and communicated to
facilitate accurate financial disclosure
7. Experts (either internal or external) are consulted to
determine the proper valuation and accounting for monetary risk
instruments
303 PROCUREMENT CYCLE
The Procurement Cycle includes the functions associated with: initiating requests for materials,
equipment, supplies, or services; monitoring approved suppliers; placing orders for goods;
receiving, inspecting, or accepting the material or services; accounting for the proper amounts due
to suppliers; and processing payments. The following standards regarding the documentation,
authorization, and accounting for such procurement functions will be followed.
303.A - PURCHASING
Control Objective #1 – Purchase requisitions must be adequately documented and properly
authorized
Control Risks:
• Purchases may not be made in accordance with management's business
objectives
• Unnecessary goods/services or unnecessary quantities may be requisitioned
• Purchases may exceed available funds
• Incorrect items or quantities may be requisitioned
• Unauthorized changes may be made after management's approval
• Unauthorized and illegal items may be purchased
• Budget and requisition limits may be ignored, resulting in purchases in
excess of approved or available funds
• Purchased items may violate the Foreign Corrupt Practices Act ("FCPA")
• Purchased items may be charged to the wrong account/project number
Control Activities:
1. Management has established and communicated requisition limits and
authority
2. Management has established guidelines regarding required documentation
of purchase requisitions (e.g., specific description of items requested,
estimated prices, quantity, potential suppliers, due date, project/account
numbers, narrative justification, and current inventory quantity)
3. Purchase limits (e.g., budgets, not-to-exceed limits, ceilings) are
established for each requisition
4. Standard purchase requisition forms are used
5. Purchase requisitions are reviewed and approved
6. All required requisition information is complete prior to review and
approval
Control Objective #2 – Supplier selection should be competitive and/or value-based
Control Risks:
• The Company does not receive the 'best value' (i.e., most favorable
combination of price, terms, conditions, quality, and service) available in
the marketplace
• Dependence on a sole vendor may cause business interruptions if that
vendor goes out of business or is unable to deliver
• Kick-backs or other improper payments may be received by a Company
employee in exchange for sub-optimal purchase arrangements
• Sole source arrangements may violate laws, regulations, or contract
requirements
• Purchased items not meeting quality standards may cause business
interruptions (e.g., shut-downs, excessive scrap or rework) and/or
substandard finished products
Control Activities:
1. Supplier selection duties are segregated from requisitioning and review
and approval duties
Control Objective #4 – Purchase orders ("POs") must contain firm prices, terms, and
conditions
Control Risks:
• Disputes may cause losses
• The Company may have no recourse against suppliers that fail to honor
their obligations, resulting in unrecoverable losses
Control Activities:
1. Management has established PO approval authority and limits
2. Management has established authority regarding physical
access to purchasing system and controlled documents (e.g.,
password control)
3. Purchase order preparation duties are segregated from
requisition, accounts payable, and disbursement duties
4. Standard PO forms are used
5. POs are confirmed against supplier selection results and the
approved Supplier List
6. POs are reviewed to verify PO values do not exceed
requisition limit
7. POs are reviewed to verify required information is complete
and accurate
Control Objective #5 – Purchase orders must be timely issued and monitored
Control Risks:
• Untimely POs may cause business interruptions
• POs not provided to accounts payable in a timely manner may cause
payments to be untimely resulting in late fees and/or penalties
• POs not provided to receiving in a timely manner may cause unnecessary
returns or untimely acceptance of received items
Control Activities:
1. Management has established guidelines regarding the transmittal,
distribution, and monitoring of approved POs
2. POs are assigned unique sequential numbers
3. A log is maintained for all approved POs
4. The PO log is routinely updated to reflect PO transmittals, receipts,
and supplier payments
5. PO copies are promptly provided to accounts payable
6. PO copies are provided to either receiving (for deliverable
items) or requester (for service items)
303.B - RECEIVING/ACCEPTANCE
Control Objective #1 – Received items must be safeguarded and timely accepted or
returned
Control Risks:
• Receipts not recorded on a timely basis may result in untimely supplier
payment
• Unordered items may be received and paid for
• Acceptance of incorrect quantities, incorrect items, or items not meeting
quality standards or specifications may cause business interruptions or
inventory surpluses
• Cancelled or duplicate orders may be received and accepted
• Untimely receiving and acceptance may cause financial misstatements or
business interruptions
• Received items may be stolen, lost, or destroyed
• Returned items may be incorrectly included within receiving records and
paid for
• Appropriate credits (or supplemental shipments) may not be obtained for
order discrepancies
• Damaged goods that are unusable by the Company may be accepted
Control Activities:
1. Management has established guidelines for the acceptance of items
received pursuant to an approved PO
2. Access to the receiving area is restricted to authorized personnel
3. Received items are physically secured and safeguarded
4. Receiving reports are generated only after receipt of goods and
compared to packing slip
5. Accepted items are documented on sequentially numbered receiving report
6. Received reports are matched to approved POs
7. Copies of receiving reports are promptly distributed to purchasing and
accounts payable department
8. The receiving report log is reviewed periodically for continuity of
report numbers. Missing reports are investigated and resolved
9. Items received without an authorized PO, of unacceptable
quality, or not meeting specifications are returned to the supplier
10. Returned items are not reflected on a receiving report; they
are documented on sequentially numbered return reports
11. Purchasing/accounts payable personnel are promptly
notified of returned/rejected items
12. The return report log is reviewed periodically for continuity of
report numbers. Missing reports are investigated and resolved
303.C - INVOICE PROCESSING/ACCOUNTS PAYABLE
Control Objective #1 – The accounts payable sub-ledger must be accurate, complete, and
current
Control Risks:
• Financial statements may be misstated
• Supplier invoices may not be paid in a timely manner resulting in
interest charges, fines, penalties, or other liabilities
• Relevant tax information (e.g., services reportable on 1099s, sales tax,
use tax, etc.) may be omitted or untimely reported resulting in fines or
penalties
• Advantageous discounts may be foregone, resulting in increased payments
Control Activities:
1. Management has established guidelines for processing supplier invoices
(i.e., under POs) and check requests (i.e., no PO, unmatched invoices),
which may include proper account coding, required documentation, and
appropriate authorizations
2. Management has established criteria regarding acceptance of discounts
and the timing of supplier payments
3. Management has established procedures for developing,
summarizing, and reporting required tax information (sales or
use tax)
4. Accounts payable duties are segregated from purchasing and
receiving duties
5. Supplier payables are recognized when invoices (e.g., price,
quantity) match PO and receiving report (3-part match)
consistent with management's guidelines
6. Invoices related to check requests (i.e., no PO) are
recognized as payables only when invoice is authorized
consistent with management's guidelines
7. Invoices are reviewed for clerical accuracy
8. Invoices are promptly recorded in the appropriate period
9. Freight bills are compared to supporting shipping or receiving
documentation
10. Adjustments to accounts payable are documented,
reviewed, and approved
11. Debit balances are periodically reviewed and investigated
12. The accounts payable sub-ledger is periodically reconciled
to the general ledger control account
13. Accruals are recorded for shipped items acquired F.O.B. -
Shipping Point
14. Accruals are recorded for items delivered but not yet
accepted at the end of an accounting period
15. Account codings are verified against the standard chart of
accounts
16. Cutoff reviews are performed to verify that obligations are
recognized in the proper time period
17. Open accounts payable (i.e., unmatched invoices, POs, or
receiving reports) are periodically reviewed, investigated, and
resolved
Control Objective #2 – Accounts payable files are timely closed, segregated, and
safeguarded subsequent to payment
Control Risks:
• Duplicate payments may be made
• Financial statements may be misstated
Control Activities:
1. Management has established guidelines to ensure that
accounts payable files are timely closed, segregated, and
safeguarded subsequent to payment
2. The accounts payable system prevents duplicate entry of
supplier invoices
3. Paid invoices are defaced
4. Paid voucher packages are removed from open accounts
payable files
303.D - CASH DISBURSEMENTS
Control Objective #1 – Accounts payable disbursements (i.e., checks and wire transfers)
must be documented and authorized
Control Risks:
• Financial statements may be misstated
• Payments may be made to an unauthorized party
• Checks may be recorded twice or unrecorded
• Duplicate payments may be made
• Cash may not be disbursed in a timely manner and/or recorded in the wrong
time period
Control Activities:
1. Management has designated signature (checks) and approval (wire
transfers) authority and established authority limits
2. Checks are not made payable to "cash" or "bearer"
3. Invoice approval duties are segregated from disbursement duties
4. Disbursements are authorized consistent with management's
policy
5. Dual signatures/authorizations are required for disbursements
in accordance with limits prescribed by management's policy
6. Disbursements are reviewed for unusual or anomalous items
7. Disbursements are accurately calculated and recorded in the
appropriate period
Signed checks are matched with supplier remittance advice and
transmitted to the payee
8. For cash forecasting purposes, cash disbursement
requirements are promptly communicated to the treasury
department
9. Proper payee information is verified/reviewed prior to
payment
10. Supplier account data is verified prior to initiating wire
transfers
11. Posted checks are periodically reviewed for alterations (e.g.,
unauthorized/altered signatures, amount paid, payee, etc.)
304 REVENUE CYCLE
The Revenue Cycle includes the functions associated with: acquiring and accepting orders;
granting customer credit; delivering goods, equipment, or services; billing and recording sales
transactions; maintaining and monitoring accounts receivable; instituting effective collection
procedures; and recording and controlling cash receipts. The following standards regarding the
documentation, authorization, and accounting for such revenue functions will be followed.
304.A - CUSTOMER ORDER/CONTRACT ACCEPTANCE
Control Objective #2 – Orders (including changes or cancellations thereto) must be
documented and approved (including evidence of customer authorization)
Control Risks:
• Incomplete or inaccurate order information may cause inaccurate or
untimely order fulfillment
• Incomplete or inaccurate customer contact information may impair billing
and collection efforts
• Financial statements may be misstated
Control Activities:
1. Management has established guidelines regarding documentation and
safekeeping of customer orders (e.g., customer/client legal name, shipping
and billing addresses, delivery terms (including schedule/due dates),
credit checks and approvals, tax information, agreed prices, agreed quantity,
authorizations, related party identifications, order access, etc.)
2. Orders are reviewed to ensure required information and valid
customer authorization is documented
3. Orders are reviewed for accuracy and completeness and
approved before release to operations
4. Order copies are promptly and accurately transmitted to
operations and accounts receivable
5. Order changes that affect order fulfillment are promptly
communicated to operations and accounts receivable
6. Orders are tracked using unique sequential order numbers
7. Order numbers are periodically inventoried. Missing order
numbers (e.g., neither open, closed, nor voided) are promptly
investigated and resolved
8. Access to customer files and specific orders is restricted to
authorized personnel (e.g., system is password protected)
304.B - ORDER/CONTRACT FULFILLMENT
Control Objective #2 – Billing department must be timely notified of order fulfillment
Control Risks:
• Financial misstatements may occur (i.e., revenues and assets either not
recognized or recognized in the wrong period)
• Cash flows may be unfavorably impacted
• Goods or services may not be billed
Control Activities:
1. Management has established guidelines or methods by which fulfilled
orders are communicated to billing department
2. Fulfilled customer orders are timely transmitted to the billing
department
304.C - BILLING
Control Objective #1 – Sales invoices must accurately, completely, and timely reflect
amounts due to the Company 1) for products or services rendered and/or 2) as required by
law, regulation, or contract
Control Risks:
• Financial statements may be misstated
• Untimely or incorrect invoices may result in either unbilled or
uncollectible receivables and misstated revenue
• Revenues and receivables may be recorded for unfulfilled orders
• Products or services may not be billed
• Cash flows may be adversely impacted
• The company may face fines, penalties, or other liabilities for not
accurately billing amounts required by law, regulation, or contract
• Inaccurate invoices may cause increased need for (or burden on) customer
service personnel
Control Activities:
1. Management has established guidelines regarding the preparation, review,
and approval of customer billings (e.g., timing, content, authorization,
etc.)
2. For demand-based (i.e., indefinite quantity) orders, billed quantities
are reviewed for consistency with historical or usual-and-customary
quantities; exceptions are investigated
3. Standard invoice forms are used
4. Invoices are timely delivered to the customer
5. Invoices are reviewed for consistency with the terms and conditions set
forth in customer orders/contracts
6. Invoices are properly authorized
7. Invoices reflect prices consistent with negotiated agreement
(i.e., contract terms) or set by law or regulation
8. Remittance address of Company lockbox account or other
authorized recipient is clearly stated on invoice
9. Payment due dates are clearly indicated on invoice
10. Meter reports are periodically reviewed to ensure all issued
meters have been timely read
11. Access to invoices and the billing system is limited to
authorized personnel
12. Invoices are physically safeguarded
13. Meter reading data for a particular period are reconciled to
billings for that same period. Differences are investigated and
resolved
14. Cumulative usage (i.e., meter reading data) for a particular
period is compared to production/delivery for that same period.
Differences are promptly investigated and resolved
Control Objective #2 – Revenue must be timely and accurately recognized consistent with
fulfilled orders/contracts
Control Risks:
• Financial statements may be misstated
Control Activities:
1. Management has established and communicated revenue
recognition guidance consistent with generally accepted
accounting principles (e.g., accounting periods, SAB 101, etc.)
2. Invoice values are posted to accounts receivable and revenue
in the period in which they were billed
3. Revenues recorded in connection with customer orders (i.e.,
not long-term contracts) are reviewed for conformance with
management's revenue recognition guidance
4. Billed and unbilled revenues recognized under long-term
contracts are reviewed in accordance with management's
revenue recognition guidance
5. Unbilled revenue and receivables are supported by evidence
that they have been earned
6. Amounts billed on behalf of third parties (e.g., taxes) are
excluded from recognized revenues
Control Objective #2 – A sufficient valuation reserve (i.e., allowance for bad debt) must
reflect anticipated uncollectible accounts
Control Risks:
• Financial statements may be misstated
• Failure to assess the collectability of accounts receivable may result in
unexpected account write-offs
Control Activities:
1. Management has established valuation reserve criteria and identified
thresholds for management review and authorization of account write-offs
2. Account write-offs are reviewed and approved consistent with
management's policy
304.E - COLLECTIONS
Control Objective #1 – Reasonable and prudent efforts must be taken to collect delinquent
accounts receivable
Control Risks:
• Collectable accounts receivable may be incorrectly or prematurely written
off
• Costs to monitor and resolve delinquent accounts may exceed the amounts
collected
Control Activities:
1. Management has established guidelines regarding 1) the circumstances
necessitating and the terms of flexible payment arrangements, 2) when to
write-off receivables, and 3) when to discontinue customer relationships
2. Collection duties are segregated from order/contract
acceptance, billing, and cash receipts duties
3. Delinquent accounts are monitored
4. Delinquent accounts are promptly notified (e.g., customers
are contacted by collection personnel, duplicate invoices sent,
etc.)
5. Excessively delinquent accounts are closed; product
repossession or service cancellation work orders are prepared
and communicated to operations
6. Write-off decisions are documented (e.g., consultation with
legal department, cost to collect > amount due), reviewed, and
authorized
305 FIXED ASSETS AND LEASING CYCLE
The Fixed Assets and Leasing Cycle includes functions associated with: recording asset
acquisitions, depreciation, transfers, and dispositions; determining the appropriate lease
accounting treatment; accumulating construction work-in-process costs; ensuring that all recorded
assets exist and are in use and that all assets not in use will be disposed of appropriately. The
following standards regarding the documentation, authorization, and accounting for such fixed
asset and leasing functions will be followed.
305.D - LEASES
Control Objective #1 – Leases must be appropriately classified (i.e., either operating or
capital) and accurately and timely recorded consistent with that classification
Control Risks:
• Value of lease payments may not be commensurate with rights of lessee
• Lease termination costs may be excessive
• Required condition of returned item may be unattainable or costly to
attain
• Alterations of or additions to leased items may convey to lessor
• Lease may contain unfavorable/unreasonable maintenance requirements (e.g.,
frequency, extent, provider)
• Lease costs may be excessive among alternatives
• Improper disclosure of lease commitments
Control Activities:
1. Management has established lease classification and accounting
guidelines consistent with generally accepted accounting principles
2. Operating lease payments are recognized as expenses in the period
incurred
3. Payments under capital leases are recognized as reductions to lease
liabilities and interest expense
4. Items acquired under capital leases are capitalized and depreciated
consistent with management's capitalization and depreciation policies
5. Obligations under leases are periodically summarized and
communicated for financial disclosure purposes
6. Lease classification and accounting treatment is reviewed
subsequent to lease amendments
305.F - DISPOSALS
Control Objective #1 – Asset disposals (e.g., transferred, sold, scrapped) must be
adequately documented and authorized
Control Risks:
• Assets may be misappropriated
• The Company may not receive reasonable value for the disposed asset
• Assets with future or alternate uses may be prematurely or
inappropriately disposed
• Financial statements may be misstated
Control Activities:
1. Management has established documentation, evaluation, and authorization
guidelines regarding the disposal of assets
2. Fixed asset disposal duties are segregated from fixed asset custodial
duties
3. Approved asset disposal requests are provided to fixed asset accounting
personnel
305.H - SECURITY
Control Objective #1 – Fixed assets and leased items must be safeguarded from loss, theft,
or destruction
Control Risks:
• Operations may be interrupted
• Unanticipated cash outflows may occur (to replace assets)
• Unanticipated financial losses may occur (write-off of net book value)
• Insurance coverage may be inadequate or excessive
• Unauthorized access to and/or disclosure of confidential/proprietary items may adversely affect the Company's competitive position and/or reputation
Control Activities:
1. Physical access to high-value assets and facilities is restricted to authorized personnel
2. Periodically, fixed assets are physically inventoried against fixed asset records (i.e., fixed asset sub-ledger). Differences are investigated and resolved
3. Manual adjustments to the fixed asset sub-ledger as a result of unreconciled physical inventory differences are documented, reviewed, and authorized
The Payroll Cycle includes the functions associated with: maintaining employee personnel files;
reporting hours worked; preparing payroll checks; accurately accounting for payroll costs;
distributing checks to employees; and ensuring physical security of payroll and personnel
information. The following standards regarding the documentation, authorization, and accounting
for such payroll functions will be followed.
306.A - PERSONNEL, COMPENSATION, AND BENEFITS
306.B - PAYROLL PREPARATION
Control Objective #1 – Employee time records must be accurate, complete, authorized, and
timely submitted prior to pay dates
Control Risks:
• Financial statements may be misstated
• Unauthorized overtime, vacation, or sick hours may adversely impact productivity
• Incorrect time records may result in cost disallowances or unfavorable audit findings (regulated businesses)
• Employees may be incorrectly paid
Control Activities:
1. Time card approval duties are segregated from payroll processing duties
2. Individual electronic time records are accessible only by unique user IDs and passwords or electronic card readers
3. Access to all electronic time records is limited to authorized personnel
4. Where electronic time cards are not used, standard manual time cards are used
5. Employee time cards (either manual or electronic), including overtime, are reviewed and approved by authorized personnel
6. Only approved time charges are authorized for payment
7. Time cards include applicable account number/charge code references (if necessary)
8. Time summary reports are prepared and reviewed for unusual or anomalous time charges (e.g., time < standard hours, excessive overtime, excessive sick time). Appropriate items are investigated and resolved
Control Objective #2 – The payroll sub-ledger (i.e., payroll account distribution) must reflect
accurately and completely the obligations of the Company to 1) employees, 2) benefit
provider(s), and 3) relevant government agencies
Control Risks:
• Financial statements may be misstated
• Accruals may be incorrectly calculated
• Incorrect payments to benefit providers may result in loss of (or interruption of) benefit coverage
• Incorrect payments to government agencies may result in fines, penalties, or other liabilities
• Incorrect compensation and/or incorrect amounts withheld from employees (e.g., inapplicable taxes, unelected benefits, etc.) may cause employee discontent
Control Activities:
1. Payroll preparation duties are segregated from payroll disbursement and human resource duties
2. Payroll Master File is reconciled to the Personnel Master File before each pay cycle
3. Changes to the Payroll Master File are summarized, reviewed, and verified to documentation in individual employee files. Errors are corrected promptly
4. Payroll obligations are calculated using data from the Payroll Master File and authorized employee time records
5. Employees (quantity and names) in Payroll Master File are reconciled to employee time records (i.e., hash totals). Missing or duplicate employees are promptly investigated and resolved (hourly only)
6. Active employees with no current time cards are paid consistent with management's guidelines
7. Payroll registers are reviewed for duplicate or anomalous payments. Such occurrences are promptly investigated and resolved
8. Payroll data transmissions (i.e., time summaries, Payroll Master File) to 3rd party payroll preparer are reconciled when sent and received
9. Withholding tables (e.g., tax rates, benefit costs) are updated timely, as required
10. Payroll records are safeguarded from loss, theft, or destruction
11. Access to payroll records is limited to authorized personnel
12. Payroll registers are reconciled to the payroll sub-ledger prior to posting to the general ledger
13. Unscheduled payroll disbursements and payroll adjustments are documented, reviewed, and approved by authorized personnel
14. The payroll sub-ledger is timely posted and reconciled to the general ledger. Differences are investigated and resolved
15. Period-end accruals are made for payroll-related obligations incurred but not yet paid
16. Periodic employee earnings summaries are timely prepared and provided to employees, government agencies, and other required recipients in accordance with laws, regulations, or other contractual arrangements
17. Employee compensation and withholdings in the Payroll Master File are periodically reconciled to individual personnel files
306.C - PAYROLL DISBURSEMENTS
Control Objective #1 – Payroll disbursements must reflect the satisfaction of Company
obligations with respect to 1) employees, 2) benefit provider(s), and 3) relevant taxing
authorities
Control Risks:
• Unauthorized use or issuance of payroll checks may result in cash misappropriations
• Cash disbursements may be inconsistent with recognized expenses and liabilities
Control Activities:
1. Management has established guidelines regarding the timing, methods, and safeguards over payroll disbursements
2. Payroll disbursement duties are segregated from personnel, payroll preparation, and payroll distribution duties
3. All payroll disbursements (both manual and electronic) are reconciled to the payroll register. Differences are promptly investigated and resolved
4. Checks are signed only after printing and review
5. Manual or dual signatures are required for adjustment checks and checks above a specific threshold
6. Payroll checks (both "live" and blank) and signature stamps are physically safeguarded from loss, theft, or destruction
7. Access is restricted to checks, check signing equipment, and signature stamps
8. Checks are numbered sequentially
9. Check numbers are periodically reconciled. Missing checks are investigated and resolved
10. Voided, spoiled, or cancelled payroll checks are defaced and retained
11. Payroll disbursements are paid from an imprest or zero-balance bank account
Part 4 – Reference Materials
400 Glossary of Key Terms
Business Cycle: A business process comprised of one or more sub-cycles (i.e., the Revenue Cycle consists of several sub-cycles, including customer order/contract acceptance, order/contract fulfillment, billing, accounts receivable, etc., that together represent a business cycle).
Control Activities: One of the five internal control framework components. Policy and procedures designed to achieve a control objective and mitigate an identified control risk.
Control Environment: One of the five internal control framework components. The attitude and actions of the board and management regarding the significance of control within the organization. The control environment establishes the foundation for an internal control framework by providing the discipline and structure for the achievement of control objectives.
Control Risk: 1) A negative consequence that may result from not achieving a specific control objective. 2) The risk related to ineffective internal controls.
Design: 1) Intent. As used in the definition of internal control, the internal control system design is intended to provide reasonable assurance as to achievement of objectives; when the intent is realized, the system can be deemed effective. 2) Plan; the way a system is supposed to work, contrasted with how it actually works.
Disclosure Controls and Procedures: Controls and other procedures of a publicly-traded company that are designed to ensure that information required to be disclosed by the company in the reports filed or submitted by it under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the SEC’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by a company…is accumulated and communicated to the company’s management, including its principal executive and financial officers, as appropriate to allow timely decisions regarding required disclosure.
Effected: Used with an internal control system: devised and maintained.
Effective Internal Control: Internal control can be judged effective in each of the three control categories, respectively, if the board of directors and management have reasonable assurance that:
Ethical Values: Moral values that enable a decision maker to determine an appropriate course of behavior; these values should be based on what is “right,” which may go beyond what is “legal.”
Financial Reporting: Used with “objectives” or “controls”: having to do with the reliable preparation of published financial statements.
Inconsequential Control Deficiency: An internal control deficiency that alone or aggregated does not adversely affect the entity's ability to initiate, record, process, and report financial data.
Information and Communication: One of the five internal control framework components. Supports all other framework components by identifying, capturing, processing, and communicating relevant external and internal information throughout the organization in a timely manner.
Inherent Limitations: Those limitations of all internal control systems. The limitations relate to the limits of human judgment, resource constraints and the need to consider the cost of controls in relation to expected benefits, the reality that breakdowns can occur, and the possibility of management override and collusion.
Internal Accounting Controls: Term initially used by the US Congress in the Foreign Corrupt Practices Act of 1977; the substance of this term has been incorporated into and superseded by the term “internal controls over financial reporting.”
Internal Control Framework: An integrated system of internal control that includes five basic components (i.e., control environment, risk assessment, control activities, information and communication, monitoring) that, working together, help an organization successfully achieve its three basic business objectives (i.e., effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations). This framework allows an organization to establish, maintain, and evaluate the effectiveness of internal controls.
Internal Control Over Financial Reporting: A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
Manual Controls: Controls performed manually, not by computer (contrast with Computer Controls).
Materiality: A judgment regarding the significance of an item (e.g., amount, fact, circumstance, etc.) for public financial reporting and disclosure purposes. An item is material if 1) in light of the surrounding circumstances, the magnitude of an item is such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item (FASB), 2) there is a substantial likelihood that a fact would have been viewed by a reasonable investor as having significantly altered the “total mix” of information made available (US Supreme Court).
Material Weakness: A significant deficiency in one or more of the internal control components that alone or in the aggregate precludes the organization’s internal control from reducing to an appropriately low level the risk that material misstatements in the financial statements will not be prevented or detected on a timely basis.
Preventive Control: A control designed to avoid an unintended event or result (contrast with Detective Control).
Published Financial Statements: Financial statements, interim and condensed financial statements, and selected data derived from such statements, such as earnings releases, reported publicly.
Reasonable Assurance: The concept that internal control, no matter how well designed and operated, cannot guarantee that an organization’s objectives will be met. This is because of Inherent Limitations in all internal control systems.
Reliability of Financial Reporting: Used in the context of published financial statements, reliability is defined as the preparation of financial statements fairly presented in conformity with generally accepted (or other relevant and appropriate) accounting principles and regulatory requirements for external purposes, within the context of materiality. Supporting fair presentation are the five basic financial statement assertions: existence or occurrence, completeness, rights and obligations, valuation or allocation, and presentation and disclosure.
Risk Assessment: One of the five internal control framework components. Management’s identification and analysis of relevant risks to achieving business objectives. Risk and objectives are linked to activities at all levels of the organization.
Self-Assessment: A process by which process owners evaluate, report on, and improve the design and operating effectiveness of internal controls.
Significant Deficiency: An internal control deficiency that could adversely affect the organization’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. A significant deficiency could arise from a single deficiency or an aggregation of deficiencies. See also Inconsequential Control Deficiency and Material Weakness.